From: Justin Suess <utilityemal77@gmail.com>
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net,
viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org,
serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev,
martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com,
john.fastabend@gmail.com, sdf@fomichev.me,
skhan@linuxfoundation.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Justin Suess <utilityemal77@gmail.com>
Subject: [RFC PATCH 04/20] selftests/landlock: Cover LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS
Date: Tue, 7 Apr 2026 16:01:26 -0400 [thread overview]
Message-ID: <20260407200157.3874806-5-utilityemal77@gmail.com> (raw)
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
Add tests to cover LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS.
Add a new field to the scoped domain variant specifying whether
the test is to be run by manually calling
prctl(PR_SET_NO_NEW_PRIVS,...) or to call it with this flag. Add
variants for the scoped domain tests validating the flag works
identically to the manual prctl call for userspace code.
Fix a small issue in restrict_self_checks_ordering which assumed
-1 was always an invalid flag by properly computing an invalid
flag from the last known flag.
Signed-off-by: Justin Suess <utilityemal77@gmail.com>
---
tools/testing/selftests/landlock/base_test.c | 8 +-
tools/testing/selftests/landlock/common.h | 24 +++-
tools/testing/selftests/landlock/fs_test.c | 103 ++++++++++--------
tools/testing/selftests/landlock/net_test.c | 55 ++++++----
.../testing/selftests/landlock/ptrace_test.c | 14 +--
.../landlock/scoped_abstract_unix_test.c | 51 ++++++---
.../selftests/landlock/scoped_base_variants.h | 23 ++++
.../selftests/landlock/scoped_common.h | 5 +-
.../selftests/landlock/scoped_signal_test.c | 30 +++--
9 files changed, 206 insertions(+), 107 deletions(-)
diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
index 30d37234086c..a4c38541de70 100644
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -244,6 +244,8 @@ TEST(restrict_self_checks_ordering)
};
const int ruleset_fd =
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+ const int last_flag = LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS;
+ const int invalid_flag = last_flag << 1;
ASSERT_LE(0, ruleset_fd);
path_beneath_attr.parent_fd =
@@ -255,7 +257,7 @@ TEST(restrict_self_checks_ordering)
/* Checks unprivileged enforcement without no_new_privs. */
drop_caps(_metadata);
- ASSERT_EQ(-1, landlock_restrict_self(-1, -1));
+ ASSERT_EQ(-1, landlock_restrict_self(-1, invalid_flag));
ASSERT_EQ(EPERM, errno);
ASSERT_EQ(-1, landlock_restrict_self(-1, 0));
ASSERT_EQ(EPERM, errno);
@@ -265,7 +267,7 @@ TEST(restrict_self_checks_ordering)
ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
/* Checks invalid flags. */
- ASSERT_EQ(-1, landlock_restrict_self(-1, -1));
+ ASSERT_EQ(-1, landlock_restrict_self(-1, invalid_flag));
ASSERT_EQ(EINVAL, errno);
/* Checks invalid ruleset FD. */
@@ -306,7 +308,7 @@ TEST(restrict_self_fd_logging_flags)
TEST(restrict_self_logging_flags)
{
- const __u32 last_flag = LANDLOCK_RESTRICT_SELF_TSYNC;
+ const __u32 last_flag = LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS;
/* Tests invalid flag combinations. */
diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
index 90551650299c..f6d6a6a99c52 100644
--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@@ -194,11 +194,27 @@ static int __maybe_unused send_fd(int usock, int fd_tx)
return 0;
}
+/*
+ * Scoped domain options
+ */
+struct scoped_domain_opts {
+ bool use_restrict_self_no_new_privs;
+};
+
+static const struct scoped_domain_opts default_scoped_domain_opts = { 0 };
+
static void __maybe_unused
-enforce_ruleset(struct __test_metadata *const _metadata, const int ruleset_fd)
+enforce_ruleset(struct __test_metadata *const _metadata, const int ruleset_fd,
+ const struct scoped_domain_opts opts)
{
- ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
- ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0))
+ /* Skip the explicit prctl() when the syscall flag sets no_new_privs. */
+ if (!opts.use_restrict_self_no_new_privs)
+ ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
+ ASSERT_EQ(0,
+ landlock_restrict_self(ruleset_fd,
+ opts.use_restrict_self_no_new_privs ?
+ LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS :
+ 0))
{
TH_LOG("Failed to enforce ruleset: %s", strerror(errno));
}
@@ -216,7 +232,7 @@ drop_access_rights(struct __test_metadata *const _metadata,
{
TH_LOG("Failed to create a ruleset: %s", strerror(errno));
}
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index cdb47fc1fc0a..b82b44405dbe 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -790,7 +790,18 @@ static void enforce_fs(struct __test_metadata *const _metadata,
{
const int ruleset_fd = create_ruleset(_metadata, access_fs, rules);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
+ EXPECT_EQ(0, close(ruleset_fd));
+}
+
+static void enforce_resolve_unix(struct __test_metadata *const _metadata,
+ const struct rule rules[],
+ const struct scoped_domain_opts opts)
+{
+ const int ruleset_fd =
+ create_ruleset(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules);
+
+ enforce_ruleset(_metadata, ruleset_fd, opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -805,14 +816,15 @@ TEST_F_FORK(layout0, proc_nsfs)
{},
};
struct landlock_path_beneath_attr path_beneath;
- const int ruleset_fd = create_ruleset(
- _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
- rules);
+ const int ruleset_fd =
+ create_ruleset(_metadata,
+ rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
+ rules);
ASSERT_LE(0, ruleset_fd);
ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
ASSERT_EQ(EACCES, test_open("/dev", O_RDONLY));
@@ -862,7 +874,7 @@ TEST_F_FORK(layout0, unpriv)
ASSERT_EQ(EPERM, errno);
/* enforce_ruleset() calls prctl(no_new_privs). */
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
ASSERT_EQ(0, close(ruleset_fd));
}
@@ -1289,7 +1301,7 @@ TEST_F_FORK(layout1, inherit_subset)
};
const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
@@ -1322,7 +1334,7 @@ TEST_F_FORK(layout1, inherit_subset)
* LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would
* be a privilege escalation.
*/
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
/* Same tests and results as above. */
ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
@@ -1343,7 +1355,7 @@ TEST_F_FORK(layout1, inherit_subset)
* directory: dir_s1d1.
*/
add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
/* Same tests and results as above. */
ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
@@ -1366,7 +1378,7 @@ TEST_F_FORK(layout1, inherit_subset)
*/
add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
dir_s1d3);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
ASSERT_EQ(0, close(ruleset_fd));
/*
@@ -1404,7 +1416,7 @@ TEST_F_FORK(layout1, inherit_superset)
};
const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
/* Readdir access is denied for dir_s1d2. */
ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
@@ -1418,7 +1430,7 @@ TEST_F_FORK(layout1, inherit_superset)
LANDLOCK_ACCESS_FS_READ_FILE |
LANDLOCK_ACCESS_FS_READ_DIR,
dir_s1d2);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
/* Readdir access is still denied for dir_s1d2. */
@@ -1442,7 +1454,8 @@ TEST_F_FORK(layout0, max_layers)
const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
for (i = 0; i < 16; i++)
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
for (i = 0; i < 2; i++) {
err = landlock_restrict_self(ruleset_fd, 0);
@@ -1472,12 +1485,12 @@ TEST_F_FORK(layout1, empty_or_same_ruleset)
/* Nests a policy which denies read access to all directories. */
ruleset_fd =
create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, NULL);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
/* Enforces a second time with the same ruleset. */
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
ASSERT_EQ(0, close(ruleset_fd));
}
@@ -1725,7 +1738,7 @@ TEST_F_FORK(layout1, release_inodes)
ASSERT_EQ(0, umount(dir_s3d2));
clear_cap(_metadata, CAP_SYS_ADMIN);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
@@ -1766,7 +1779,7 @@ TEST_F_FORK(layout1, covered_rule)
ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
ASSERT_EQ(0, close(ruleset_fd));
/* Checks that access to the new mount point is denied. */
@@ -1828,7 +1841,7 @@ static void test_relative_path(struct __test_metadata *const _metadata,
}
set_cap(_metadata, CAP_SYS_CHROOT);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
switch (rel) {
case REL_OPEN:
@@ -4402,9 +4415,9 @@ static void test_connect_to_parent(struct __test_metadata *const _metadata,
char buf[1];
if (variant->domain_both)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL);
+ enforce_resolve_unix(_metadata, NULL, variant->domain_opts);
else if (flags & ENFORCE_ALL)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules);
+ enforce_resolve_unix(_metadata, rules, variant->domain_opts);
unlink(path);
ASSERT_EQ(0, pipe2(readiness_pipe, O_CLOEXEC));
@@ -4414,11 +4427,11 @@ static void test_connect_to_parent(struct __test_metadata *const _metadata,
if (child_pid == 0) {
if (variant->domain_child)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
- NULL);
+ enforce_resolve_unix(_metadata, NULL,
+ variant->domain_opts);
else if (flags & ENFORCE_ALL)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
- rules);
+ enforce_resolve_unix(_metadata, rules,
+ variant->domain_opts);
/* Wait for server to be available. */
EXPECT_EQ(0, close(readiness_pipe[1]));
@@ -4444,9 +4457,9 @@ static void test_connect_to_parent(struct __test_metadata *const _metadata,
}
if (variant->domain_parent)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL);
+ enforce_resolve_unix(_metadata, NULL, variant->domain_opts);
else if (flags & ENFORCE_ALL)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules);
+ enforce_resolve_unix(_metadata, rules, variant->domain_opts);
srv_fd = set_up_named_unix_server(_metadata, sock_type, path);
@@ -4485,9 +4498,9 @@ static void test_connect_to_child(struct __test_metadata *const _metadata,
char buf[1];
if (variant->domain_both)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL);
+ enforce_resolve_unix(_metadata, NULL, variant->domain_opts);
else if (flags & ENFORCE_ALL)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules);
+ enforce_resolve_unix(_metadata, rules, variant->domain_opts);
unlink(path);
ASSERT_EQ(0, pipe2(readiness_pipe, O_CLOEXEC));
@@ -4498,11 +4511,11 @@ static void test_connect_to_child(struct __test_metadata *const _metadata,
if (child_pid == 0) {
if (variant->domain_child)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
- NULL);
+ enforce_resolve_unix(_metadata, NULL,
+ variant->domain_opts);
else if (flags & ENFORCE_ALL)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
- rules);
+ enforce_resolve_unix(_metadata, rules,
+ variant->domain_opts);
srv_fd = set_up_named_unix_server(_metadata, sock_type, path);
@@ -4526,9 +4539,9 @@ static void test_connect_to_child(struct __test_metadata *const _metadata,
}
if (variant->domain_parent)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL);
+ enforce_resolve_unix(_metadata, NULL, variant->domain_opts);
else if (flags & ENFORCE_ALL)
- enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules);
+ enforce_resolve_unix(_metadata, rules, variant->domain_opts);
/* Wait for server to be available. */
EXPECT_EQ(0, close(readiness_pipe[1]));
@@ -5072,7 +5085,7 @@ TEST_F_FORK(layout1_bind, path_disconnected)
create_ruleset(_metadata, ACCESS_RW, layer3_only_s1d2);
int bind_s1d3_fd;
- enforce_ruleset(_metadata, ruleset_fd_l1);
+ enforce_ruleset(_metadata, ruleset_fd_l1, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd_l1));
bind_s1d3_fd = open(bind_dir_s1d3, O_PATH | O_CLOEXEC);
@@ -5102,7 +5115,7 @@ TEST_F_FORK(layout1_bind, path_disconnected)
test_open_rel(bind_s1d3_fd, "..", O_RDONLY | O_DIRECTORY));
/* This should still work with a narrower rule. */
- enforce_ruleset(_metadata, ruleset_fd_l2);
+ enforce_ruleset(_metadata, ruleset_fd_l2, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd_l2));
EXPECT_EQ(0, test_open(file1_s4d1, O_RDONLY));
@@ -5114,7 +5127,7 @@ TEST_F_FORK(layout1_bind, path_disconnected)
EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
EXPECT_EQ(EACCES, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
- enforce_ruleset(_metadata, ruleset_fd_l3);
+ enforce_ruleset(_metadata, ruleset_fd_l3, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd_l3));
EXPECT_EQ(EACCES, test_open(file1_s4d1, O_RDONLY));
@@ -5176,7 +5189,7 @@ TEST_F_FORK(layout1_bind, path_disconnected_rename)
ruleset_fd_l2 = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
layer2_only_s1d2);
- enforce_ruleset(_metadata, ruleset_fd_l1);
+ enforce_ruleset(_metadata, ruleset_fd_l1, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd_l1));
bind_s1d3_fd = open(bind_dir_s1d3, O_PATH | O_CLOEXEC);
@@ -5201,7 +5214,8 @@ TEST_F_FORK(layout1_bind, path_disconnected_rename)
child_pid = fork();
ASSERT_LE(0, child_pid);
if (child_pid == 0) {
- enforce_ruleset(_metadata, ruleset_fd_l2);
+ enforce_ruleset(_metadata, ruleset_fd_l2,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd_l2));
EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
EXPECT_EQ(EACCES, test_open(file1_s4d2, O_RDONLY));
@@ -5238,7 +5252,8 @@ TEST_F_FORK(layout1_bind, path_disconnected_rename)
child_pid = fork();
ASSERT_LE(0, child_pid);
if (child_pid == 0) {
- enforce_ruleset(_metadata, ruleset_fd_l2);
+ enforce_ruleset(_metadata, ruleset_fd_l2,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd_l2));
EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
EXPECT_EQ(0, test_open(file1_s1d3, O_RDONLY));
@@ -5290,7 +5305,7 @@ TEST_F_FORK(layout1_bind, path_disconnected_rename)
}
/* Checks again that we can access it under l2. */
- enforce_ruleset(_metadata, ruleset_fd_l2);
+ enforce_ruleset(_metadata, ruleset_fd_l2, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd_l2));
EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
EXPECT_EQ(0, test_open(file1_s1d3, O_RDONLY));
@@ -5914,7 +5929,7 @@ TEST_F_FORK(layout4_disconnected_leafs, read_rename_exchange)
EXPECT_EQ(ENOENT, test_open_rel(s1d41_bind_fd, "..", O_DIRECTORY));
EXPECT_EQ(ENOENT, test_open_rel(s1d42_bind_fd, "..", O_DIRECTORY));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
EXPECT_EQ(variant->expected_read_result,
@@ -6430,7 +6445,7 @@ TEST_F_FORK(layout5_disconnected_branch, read_rename_exchange)
EXPECT_EQ(0, test_open_rel(s1d3_bind_fd, "..", O_DIRECTORY));
EXPECT_EQ(ENOENT, test_open_rel(s1d3_bind_fd, "../..", O_DIRECTORY));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
EXPECT_EQ(variant->expected_read_result,
@@ -7201,7 +7216,7 @@ TEST_F_FORK(layout3_fs, release_inodes)
ASSERT_EQ(0, mount_opt(&mnt_tmp, TMP_DIR));
clear_cap(_metadata, CAP_SYS_ADMIN);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
ASSERT_EQ(0, close(ruleset_fd));
/* Checks that access to the new mount point is denied. */
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index 4c528154ea92..33a39a264f6b 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -671,7 +671,8 @@ TEST_F(protocol, bind)
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_connect_p1, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -721,7 +722,8 @@ TEST_F(protocol, connect)
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind_p1, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -755,7 +757,8 @@ TEST_F(protocol, bind_unspec)
ASSERT_EQ(0,
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -788,7 +791,8 @@ TEST_F(protocol, bind_unspec)
ASSERT_LE(0, ruleset_fd);
/* Denies bind. */
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -874,7 +878,8 @@ TEST_F(protocol, connect_unspec)
ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
LANDLOCK_RULE_NET_PORT,
&tcp_connect, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -902,7 +907,8 @@ TEST_F(protocol, connect_unspec)
ASSERT_LE(0, ruleset_fd);
/* Denies connect. */
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1034,7 +1040,8 @@ TEST_F(ipv4, from_unix_to_inet)
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind_connect_p0, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1181,7 +1188,8 @@ TEST_F(tcp_layers, ruleset_overlap)
ASSERT_EQ(0,
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind_connect, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1197,7 +1205,8 @@ TEST_F(tcp_layers, ruleset_overlap)
ASSERT_EQ(0,
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1213,7 +1222,8 @@ TEST_F(tcp_layers, ruleset_overlap)
ASSERT_EQ(0,
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind_connect, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1244,7 +1254,8 @@ TEST_F(tcp_layers, ruleset_expand)
ASSERT_EQ(0,
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&bind_srv0, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1276,7 +1287,8 @@ TEST_F(tcp_layers, ruleset_expand)
ASSERT_EQ(0,
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind_p1, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1298,7 +1310,8 @@ TEST_F(tcp_layers, ruleset_expand)
ASSERT_EQ(0,
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind_p0, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1546,7 +1559,7 @@ TEST_F(mini, tcp_port_overflow)
&port_overflow4, 0));
EXPECT_EQ(EINVAL, errno);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
test_bind_and_connect(_metadata, &srv_denied, true, true);
test_bind_and_connect(_metadata, &srv_max_allowed, false, false);
@@ -1611,7 +1624,7 @@ TEST_F(ipv4_tcp, port_endianness)
&connect_big_endian_p0, 0));
ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&bind_connect_host_endian_p1, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
/* No restriction for big endinan CPU. */
test_bind_and_connect(_metadata, &self->srv0, false, little_endian);
@@ -1652,7 +1665,7 @@ TEST_F(ipv4_tcp, with_fs)
ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
/* Tests file access. */
@@ -1766,7 +1779,8 @@ TEST_F(port_specific, bind_connect_zero)
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind_connect_zero, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1843,7 +1857,8 @@ TEST_F(port_specific, bind_connect_1023)
landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&tcp_bind_connect, 0));
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd,
+ default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -1982,7 +1997,7 @@ TEST_F(audit, bind)
ruleset_fd =
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
sock_fd = socket_variant(&self->srv0);
@@ -2010,7 +2025,7 @@ TEST_F(audit, connect)
ruleset_fd =
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts);
EXPECT_EQ(0, close(ruleset_fd));
sock_fd = socket_variant(&self->srv0);
diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing/selftests/landlock/ptrace_test.c
index 1b6c8b53bf33..1c29cde8707a 100644
--- a/tools/testing/selftests/landlock/ptrace_test.c
+++ b/tools/testing/selftests/landlock/ptrace_test.c
@@ -25,7 +25,8 @@
#define YAMA_SCOPE_DISABLED 0
#define YAMA_SCOPE_RELATIONAL 1
-static void create_domain(struct __test_metadata *const _metadata)
+static void create_domain(struct __test_metadata *const _metadata,
+ const struct scoped_domain_opts opts)
{
int ruleset_fd;
struct landlock_ruleset_attr ruleset_attr = {
@@ -38,8 +39,7 @@ static void create_domain(struct __test_metadata *const _metadata)
{
TH_LOG("Failed to create a ruleset: %s", strerror(errno));
}
- EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
- EXPECT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
+ enforce_ruleset(_metadata, ruleset_fd, opts);
EXPECT_EQ(0, close(ruleset_fd));
}
@@ -169,7 +169,7 @@ TEST_F(scoped_domains, trace)
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
if (variant->domain_both) {
- create_domain(_metadata);
+ create_domain(_metadata, variant->domain_opts);
if (!__test_passed(_metadata))
/* Aborts before forking. */
return;
@@ -183,7 +183,7 @@ TEST_F(scoped_domains, trace)
ASSERT_EQ(0, close(pipe_parent[1]));
ASSERT_EQ(0, close(pipe_child[0]));
if (variant->domain_child)
- create_domain(_metadata);
+ create_domain(_metadata, variant->domain_opts);
/* Waits for the parent to be in a domain, if any. */
ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1));
@@ -238,7 +238,7 @@ TEST_F(scoped_domains, trace)
ASSERT_EQ(0, close(pipe_child[1]));
ASSERT_EQ(0, close(pipe_parent[0]));
if (variant->domain_parent)
- create_domain(_metadata);
+ create_domain(_metadata, variant->domain_opts);
/* Signals that the parent is in a domain, if any. */
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
@@ -396,7 +396,7 @@ TEST_F(audit, trace)
ASSERT_EQ(0, close(pipe_child[1]));
ASSERT_EQ(0, close(pipe_parent[0]));
- create_domain(_metadata);
+ create_domain(_metadata, default_scoped_domain_opts);
/* Signals that the parent is in a domain. */
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
diff --git a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
index c47491d2d1c1..d89f54edf9d5 100644
--- a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
+++ b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
@@ -88,7 +88,8 @@ TEST_F(scoped_domains, connect_to_parent)
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
if (variant->domain_both) {
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ variant->domain_opts);
if (!__test_passed(_metadata))
return;
}
@@ -103,7 +104,8 @@ TEST_F(scoped_domains, connect_to_parent)
EXPECT_EQ(0, close(pipe_parent[1]));
if (variant->domain_child)
create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ variant->domain_opts);
stream_client = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_client);
@@ -138,7 +140,8 @@ TEST_F(scoped_domains, connect_to_parent)
EXPECT_EQ(0, close(pipe_parent[0]));
if (variant->domain_parent)
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ variant->domain_opts);
stream_server = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_server);
@@ -186,7 +189,8 @@ TEST_F(scoped_domains, connect_to_child)
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
if (variant->domain_both) {
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ variant->domain_opts);
if (!__test_passed(_metadata))
return;
}
@@ -200,7 +204,8 @@ TEST_F(scoped_domains, connect_to_child)
EXPECT_EQ(0, close(pipe_child[0]));
if (variant->domain_child)
create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ variant->domain_opts);
/* Waits for the parent to be in a domain, if any. */
ASSERT_EQ(1, read(pipe_parent[0], &buf, 1));
@@ -231,7 +236,8 @@ TEST_F(scoped_domains, connect_to_child)
if (variant->domain_parent)
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ variant->domain_opts);
/* Signals that the parent is in a domain, if any. */
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
@@ -344,7 +350,8 @@ TEST_F(scoped_audit, connect_to_child)
EXPECT_EQ(0, close(pipe_child[1]));
EXPECT_EQ(0, close(pipe_parent[0]));
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
/* Signals that the parent is in a domain, if any. */
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
@@ -429,7 +436,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
create_fs_domain(_metadata);
else if (variant->domain_all == SCOPE_SANDBOX)
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
child = fork();
ASSERT_LE(0, child);
@@ -444,7 +452,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
create_fs_domain(_metadata);
else if (variant->domain_children == SCOPE_SANDBOX)
create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
grand_child = fork();
ASSERT_LE(0, grand_child);
@@ -461,7 +470,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
else if (variant->domain_grand_child == SCOPE_SANDBOX)
create_scoped_domain(
_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
stream_client = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_client);
@@ -525,7 +535,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
create_fs_domain(_metadata);
else if (variant->domain_child == SCOPE_SANDBOX)
create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
stream_server_child = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_server_child);
@@ -552,7 +563,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
create_fs_domain(_metadata);
else if (variant->domain_parent == SCOPE_SANDBOX)
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
stream_server_parent = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_server_parent);
@@ -656,7 +668,8 @@ TEST_F(outside_socket, socket_with_different_domain)
/* Client always has a domain. */
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
if (variant->child_socket) {
int data_socket, passed_socket, stream_server;
@@ -713,7 +726,8 @@ TEST_F(outside_socket, socket_with_different_domain)
ASSERT_LE(0, server_socket);
/* Server always has a domain. */
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
ASSERT_EQ(0, bind(server_socket, &self->address.unix_addr,
self->address.unix_addr_len));
@@ -820,7 +834,8 @@ TEST_F(various_address_sockets, scoped_pathname_sockets)
if (variant->domain == SCOPE_SANDBOX)
create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
else if (variant->domain == OTHER_SANDBOX)
create_fs_domain(_metadata);
@@ -1027,7 +1042,8 @@ TEST(datagram_sockets)
/* Scopes the domain. */
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
/*
* Connected socket sends data to the receiver, but the
@@ -1108,7 +1124,8 @@ TEST(self_connect)
if (child == 0) {
/* Child's domain is scoped. */
create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+ default_scoped_domain_opts);
/*
* The child inherits the sockets, and cannot connect or
diff --git a/tools/testing/selftests/landlock/scoped_base_variants.h b/tools/testing/selftests/landlock/scoped_base_variants.h
index 7116728ebc68..bbdf19ef18ef 100644
--- a/tools/testing/selftests/landlock/scoped_base_variants.h
+++ b/tools/testing/selftests/landlock/scoped_base_variants.h
@@ -20,6 +20,7 @@ FIXTURE_VARIANT(scoped_domains)
bool domain_both;
bool domain_parent;
bool domain_child;
+ struct scoped_domain_opts domain_opts;
};
/*
@@ -54,6 +55,17 @@ FIXTURE_VARIANT_ADD(scoped_domains, child_domain) {
.domain_child = true,
};
+/* clang-format off */
+FIXTURE_VARIANT_ADD(scoped_domains, child_domain_restrict_self_no_new_privs) {
+ /* clang-format on */
+ .domain_both = false,
+ .domain_parent = false,
+ .domain_child = true,
+ .domain_opts = {
+ .use_restrict_self_no_new_privs = true,
+ },
+};
+
/*
* Parent domain
* .------.
@@ -70,6 +82,17 @@ FIXTURE_VARIANT_ADD(scoped_domains, parent_domain) {
.domain_child = false,
};
+/* clang-format off */
+FIXTURE_VARIANT_ADD(scoped_domains, parent_domain_restrict_self_no_new_privs) {
+ /* clang-format on */
+ .domain_both = false,
+ .domain_parent = true,
+ .domain_child = false,
+ .domain_opts = {
+ .use_restrict_self_no_new_privs = true,
+ },
+};
+
/*
* Parent + child domain (siblings)
* .------.
diff --git a/tools/testing/selftests/landlock/scoped_common.h b/tools/testing/selftests/landlock/scoped_common.h
index a9a912d30c4d..23990758eef8 100644
--- a/tools/testing/selftests/landlock/scoped_common.h
+++ b/tools/testing/selftests/landlock/scoped_common.h
@@ -10,7 +10,8 @@
#include <sys/types.h>
static void create_scoped_domain(struct __test_metadata *const _metadata,
- const __u16 scope)
+ const __u16 scope,
+ const struct scoped_domain_opts opts)
{
int ruleset_fd;
const struct landlock_ruleset_attr ruleset_attr = {
@@ -23,6 +24,6 @@ static void create_scoped_domain(struct __test_metadata *const _metadata,
{
TH_LOG("Failed to create a ruleset: %s", strerror(errno));
}
- enforce_ruleset(_metadata, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd, opts);
EXPECT_EQ(0, close(ruleset_fd));
}
diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/testing/selftests/landlock/scoped_signal_test.c
index d8bf33417619..dfda4a3e5374 100644
--- a/tools/testing/selftests/landlock/scoped_signal_test.c
+++ b/tools/testing/selftests/landlock/scoped_signal_test.c
@@ -111,7 +111,8 @@ TEST_F(scoping_signals, send_sig_to_parent)
ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1));
EXPECT_EQ(0, close(pipe_parent[0]));
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ default_scoped_domain_opts);
/*
* The child process cannot send signal to the parent
@@ -183,7 +184,8 @@ TEST_F(scoped_domains, check_access_signal)
can_signal_child = !variant->domain_parent;
if (variant->domain_both)
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ variant->domain_opts);
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
@@ -197,7 +199,8 @@ TEST_F(scoped_domains, check_access_signal)
EXPECT_EQ(0, close(pipe_parent[1]));
if (variant->domain_child)
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ variant->domain_opts);
ASSERT_EQ(1, write(pipe_child[1], ".", 1));
EXPECT_EQ(0, close(pipe_child[1]));
@@ -226,7 +229,8 @@ TEST_F(scoped_domains, check_access_signal)
EXPECT_EQ(0, close(pipe_child[1]));
if (variant->domain_parent)
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ variant->domain_opts);
ASSERT_EQ(1, read(pipe_child[0], &buf_parent, 1));
EXPECT_EQ(0, close(pipe_child[0]));
@@ -280,7 +284,8 @@ TEST(signal_scoping_thread_before)
&thread_pipe[0]));
/* Enforces restriction after creating the thread. */
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ default_scoped_domain_opts);
EXPECT_EQ(0, pthread_kill(no_sandbox_thread, 0));
EXPECT_EQ(1, write(thread_pipe[1], ".", 1));
@@ -302,7 +307,8 @@ TEST(signal_scoping_thread_after)
ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC));
/* Enforces restriction before creating the thread. */
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ default_scoped_domain_opts);
ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_sync,
&thread_pipe[0]));
@@ -360,7 +366,8 @@ TEST(signal_scoping_thread_setuid)
&arg));
/* Enforces restriction after creating the thread. */
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ default_scoped_domain_opts);
EXPECT_NE(arg.new_uid, getuid());
EXPECT_EQ(0, setuid(arg.new_uid));
@@ -469,7 +476,8 @@ TEST_F(fown, sigurg_socket)
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
if (variant->sandbox_setown == SANDBOX_BEFORE_FORK)
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ default_scoped_domain_opts);
child = fork();
ASSERT_LE(0, child);
@@ -531,7 +539,8 @@ TEST_F(fown, sigurg_socket)
ASSERT_LE(0, recv_socket);
if (variant->sandbox_setown == SANDBOX_BEFORE_SETOWN)
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ default_scoped_domain_opts);
/*
* Sets the child to receive SIGURG for MSG_OOB. This uncommon use is
@@ -540,7 +549,8 @@ TEST_F(fown, sigurg_socket)
ASSERT_EQ(0, fcntl(recv_socket, F_SETOWN, child));
if (variant->sandbox_setown == SANDBOX_AFTER_SETOWN)
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL,
+ default_scoped_domain_opts);
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
--
2.53.0
next prev parent reply other threads:[~2026-04-07 20:02 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-07 20:01 [RFC PATCH 00/20] BPF interface for applying Landlock rulesets Justin Suess
2026-04-07 20:01 ` [RFC PATCH 01/20] landlock: Move operations from syscall into ruleset code Justin Suess
2026-04-07 20:01 ` [RFC PATCH 02/20] execve: Add set_nnp_on_point_of_no_return Justin Suess
2026-04-07 20:01 ` [RFC PATCH 03/20] landlock: Implement LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS Justin Suess
2026-04-07 20:01 ` Justin Suess [this message]
2026-04-07 20:01 ` [RFC PATCH 05/20] landlock: Make ruleset deferred free RCU safe Justin Suess
2026-04-07 20:01 ` [RFC PATCH 06/20] bpf: lsm: Add Landlock kfuncs Justin Suess
2026-04-07 20:01 ` [RFC PATCH 07/20] bpf: arraymap: Implement Landlock ruleset map Justin Suess
2026-04-07 20:01 ` [RFC PATCH 08/20] bpf: Add Landlock ruleset map type Justin Suess
2026-04-16 21:12 ` Song Liu
2026-04-16 21:53 ` Justin Suess
2026-04-16 23:47 ` Song Liu
2026-04-17 14:09 ` Justin Suess
2026-04-17 15:18 ` Mickaël Salaün
2026-04-17 16:10 ` Song Liu
2026-04-17 18:01 ` Mickaël Salaün
2026-04-17 16:51 ` Justin Suess
2026-04-17 18:03 ` Mickaël Salaün
2026-04-17 20:33 ` Justin Suess
2026-04-17 20:42 ` Song Liu
2026-04-18 21:50 ` Justin Suess
2026-04-17 16:01 ` Song Liu
2026-04-07 20:01 ` [RFC PATCH 09/20] bpf: syscall: Handle Landlock ruleset maps Justin Suess
2026-04-07 20:01 ` [RFC PATCH 10/20] bpf: verifier: Add Landlock ruleset map support Justin Suess
2026-04-07 20:01 ` [RFC PATCH 11/20] selftests/bpf: Add Landlock kfunc declarations Justin Suess
2026-04-07 20:01 ` [RFC PATCH 12/20] selftests/landlock: Rename gettid wrapper for BPF reuse Justin Suess
2026-04-07 20:01 ` [RFC PATCH 13/20] selftests/bpf: Enable Landlock in selftests kernel Justin Suess
2026-04-07 20:01 ` [RFC PATCH 14/20] selftests/bpf: Add Landlock kfunc test program Justin Suess
2026-04-07 20:01 ` [RFC PATCH 15/20] selftests/bpf: Add Landlock kfunc test runner Justin Suess
2026-04-07 20:01 ` [RFC PATCH 16/20] landlock: Bump ABI version Justin Suess
2026-04-07 20:01 ` [RFC PATCH 17/20] tools: bpftool: Add documentation for landlock_ruleset Justin Suess
2026-04-07 20:01 ` [RFC PATCH 18/20] landlock: Document LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS Justin Suess
2026-04-07 20:01 ` [RFC PATCH 19/20] bpf: Document BPF_MAP_TYPE_LANDLOCK_RULESET Justin Suess
2026-04-07 20:01 ` [RFC PATCH 20/20] MAINTAINERS: update entry for the Landlock subsystem Justin Suess
2026-04-08 4:40 ` [RFC PATCH 00/20] BPF interface for applying Landlock rulesets Ihor Solodrai
2026-04-08 11:41 ` Justin Suess
2026-04-08 14:00 ` Mickaël Salaün
2026-04-08 17:10 ` Justin Suess
2026-04-08 19:21 ` Mickaël Salaün
2026-04-10 12:43 ` Justin Suess
2026-04-13 15:06 ` Justin Suess
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260407200157.3874806-5-utilityemal77@gmail.com \
--to=utilityemal77@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=gnoack@google.com \
--cc=jack@suse.cz \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kees@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=m@maowtm.org \
--cc=martin.lau@linux.dev \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=sdf@fomichev.me \
--cc=serge@hallyn.com \
--cc=skhan@linuxfoundation.org \
--cc=song@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.