From: "Mickaël Salaün" <mic@digikod.net>
To: "Eric Paris" <eparis@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"Günther Noack" <gnoack@google.com>,
"Serge E . Hallyn" <serge@hallyn.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Ben Scarlato" <akhna@google.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Charles Zaffery" <czaffery@roblox.com>,
"Daniel Burgener" <dburgener@linux.microsoft.com>,
"Francis Laniel" <flaniel@linux.microsoft.com>,
"James Morris" <jmorris@namei.org>,
"Jann Horn" <jannh@google.com>, "Jeff Xu" <jeffxu@google.com>,
"Jorge Lucangeli Obes" <jorgelo@google.com>,
"Kees Cook" <kees@kernel.org>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Matt Bobrowski" <mattbobrowski@google.com>,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
"Phil Sutter" <phil@nwl.cc>,
"Praveen K Paladugu" <prapal@linux.microsoft.com>,
"Robert Salvet" <robert.salvet@roblox.com>,
"Shervin Oloumi" <enlightened@google.com>,
"Song Liu" <song@kernel.org>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
"Tyler Hicks" <code@tyhicks.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH v4 25/30] selftests/landlock: Add audit tests for ptrace
Date: Wed, 8 Jan 2025 16:43:33 +0100 [thread overview]
Message-ID: <20250108154338.1129069-26-mic@digikod.net> (raw)
In-Reply-To: <20250108154338.1129069-1-mic@digikod.net>
Add tests for all ptrace actions. This improves all the ptrace tests by
making sure that the restrictions comes from Landlock, and with the
expected objects. These extended tests are like enhanced errno checks
that make sure Landlock enforcement is consistent.
Test coverage for security/landlock is 93.4% of 1619 lines according to
gcc/gcov-14.
Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20250108154338.1129069-26-mic@digikod.net
---
Changes since v3:
- Update test coverage.
Changes since v2:
- New patch.
---
.../testing/selftests/landlock/ptrace_test.c | 67 +++++++++++++++++--
1 file changed, 63 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing/selftests/landlock/ptrace_test.c
index a19db4d0b3bd..20a1ca7801aa 100644
--- a/tools/testing/selftests/landlock/ptrace_test.c
+++ b/tools/testing/selftests/landlock/ptrace_test.c
@@ -4,6 +4,7 @@
*
* Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
* Copyright © 2019-2020 ANSSI
+ * Copyright © 2024-2025 Microsoft Corporation
*/
#define _GNU_SOURCE
@@ -17,6 +18,7 @@
#include <sys/wait.h>
#include <unistd.h>
+#include "audit.h"
#include "common.h"
/* Copied from security/yama/yama_lsm.c */
@@ -85,9 +87,27 @@ static int get_yama_ptrace_scope(void)
return ret;
}
-/* clang-format off */
-FIXTURE(hierarchy) {};
-/* clang-format on */
+static int matches_log_ptrace(struct __test_metadata *const _metadata,
+ int audit_fd, const pid_t opid)
+{
+ static const char log_template[] = REGEX_LANDLOCK_PREFIX
+ " blockers=ptrace opid=%d ocomm=\"ptrace_test\"$";
+ char log_match[sizeof(log_template) + 10];
+ int log_match_len;
+
+ log_match_len =
+ snprintf(log_match, sizeof(log_match), log_template, opid);
+ if (log_match_len > sizeof(log_match))
+ return -E2BIG;
+
+ return audit_match_record(audit_fd, AUDIT_LANDLOCK_DENY, log_match);
+}
+
+FIXTURE(hierarchy)
+{
+ struct audit_filter audit_filter;
+ int audit_fd;
+};
FIXTURE_VARIANT(hierarchy)
{
@@ -245,10 +265,16 @@ FIXTURE_VARIANT_ADD(hierarchy, deny_with_forked_domain) {
FIXTURE_SETUP(hierarchy)
{
+ disable_caps(_metadata);
+ set_cap(_metadata, CAP_AUDIT_CONTROL);
+ self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
+ EXPECT_LE(0, self->audit_fd);
+ clear_cap(_metadata, CAP_AUDIT_CONTROL);
}
-FIXTURE_TEARDOWN(hierarchy)
+FIXTURE_TEARDOWN_PARENT(hierarchy)
{
+ EXPECT_EQ(0, audit_cleanup(-1, NULL));
}
/* Test PTRACE_TRACEME and PTRACE_ATTACH for parent and child. */
@@ -261,6 +287,7 @@ TEST_F(hierarchy, trace)
char buf_parent;
long ret;
bool can_read_child, can_trace_child, can_read_parent, can_trace_parent;
+ struct audit_records records;
yama_ptrace_scope = get_yama_ptrace_scope();
ASSERT_LE(0, yama_ptrace_scope);
@@ -336,17 +363,29 @@ TEST_F(hierarchy, trace)
err_proc_read = test_ptrace_read(parent);
if (can_read_parent) {
EXPECT_EQ(0, err_proc_read);
+ EXPECT_EQ(-EAGAIN,
+ matches_log_ptrace(_metadata, self->audit_fd,
+ parent));
} else {
EXPECT_EQ(EACCES, err_proc_read);
+ EXPECT_EQ(0,
+ matches_log_ptrace(_metadata, self->audit_fd,
+ parent));
}
/* Tests PTRACE_ATTACH on the parent. */
ret = ptrace(PTRACE_ATTACH, parent, NULL, 0);
if (can_trace_parent) {
EXPECT_EQ(0, ret);
+ EXPECT_EQ(-EAGAIN,
+ matches_log_ptrace(_metadata, self->audit_fd,
+ parent));
} else {
EXPECT_EQ(-1, ret);
EXPECT_EQ(EPERM, errno);
+ EXPECT_EQ(can_read_parent ? -EAGAIN : 0,
+ matches_log_ptrace(_metadata, self->audit_fd,
+ parent));
}
if (ret == 0) {
ASSERT_EQ(parent, waitpid(parent, &status, 0));
@@ -358,9 +397,16 @@ TEST_F(hierarchy, trace)
ret = ptrace(PTRACE_TRACEME);
if (can_trace_child) {
EXPECT_EQ(0, ret);
+ EXPECT_EQ(-EAGAIN,
+ matches_log_ptrace(_metadata, self->audit_fd,
+ parent));
} else {
EXPECT_EQ(-1, ret);
EXPECT_EQ(EPERM, errno);
+ /* We should indeed see the parent process. */
+ EXPECT_EQ(can_read_child ? -EAGAIN : 0,
+ matches_log_ptrace(_metadata, self->audit_fd,
+ parent));
}
/*
@@ -408,17 +454,25 @@ TEST_F(hierarchy, trace)
err_proc_read = test_ptrace_read(child);
if (can_read_child) {
EXPECT_EQ(0, err_proc_read);
+ EXPECT_EQ(-EAGAIN,
+ matches_log_ptrace(_metadata, self->audit_fd, child));
} else {
EXPECT_EQ(EACCES, err_proc_read);
+ EXPECT_EQ(0,
+ matches_log_ptrace(_metadata, self->audit_fd, child));
}
/* Tests PTRACE_ATTACH on the child. */
ret = ptrace(PTRACE_ATTACH, child, NULL, 0);
if (can_trace_child) {
EXPECT_EQ(0, ret);
+ EXPECT_EQ(-EAGAIN,
+ matches_log_ptrace(_metadata, self->audit_fd, child));
} else {
EXPECT_EQ(-1, ret);
EXPECT_EQ(EPERM, errno);
+ EXPECT_EQ(can_read_child ? -EAGAIN : 0,
+ matches_log_ptrace(_metadata, self->audit_fd, child));
}
if (ret == 0) {
@@ -434,6 +488,11 @@ TEST_F(hierarchy, trace)
if (WIFSIGNALED(status) || !WIFEXITED(status) ||
WEXITSTATUS(status) != EXIT_SUCCESS)
_metadata->exit_code = KSFT_FAIL;
+
+ /* Makes sure there is no superfluous logged records. */
+ audit_count_records(self->audit_fd, &records);
+ EXPECT_EQ(0, records.deny);
+ EXPECT_EQ(0, records.info);
}
TEST_HARNESS_MAIN
--
2.47.1
next prev parent reply other threads:[~2025-01-08 15:44 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-08 15:43 [PATCH v4 00/30] Landlock audit support Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 01/30] lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 02/30] lsm: Add audit_log_lsm_data() helper Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 03/30] landlock: Factor out check_access_path() Mickaël Salaün
2025-01-10 11:23 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 04/30] landlock: Add unique ID generator Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 05/30] landlock: Move access types Mickaël Salaün
2025-01-10 11:23 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 06/30] landlock: Simplify initially denied access rights Mickaël Salaün
2025-01-10 11:24 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 07/30] landlock: Move domain hierarchy management and export helpers Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 08/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials Mickaël Salaün
2025-01-15 23:53 ` [PATCH v4 8/30] " Paul Moore
2025-01-16 10:49 ` Mickaël Salaün
2025-01-16 20:00 ` Paul Moore
2025-01-08 15:43 ` [PATCH v4 09/30] landlock: Add AUDIT_LANDLOCK_DOM_{INFO,DROP} and log domain properties Mickaël Salaün
2025-01-15 23:53 ` [PATCH v4 9/30] " Paul Moore
2025-01-16 10:51 ` Mickaël Salaün
2025-01-16 20:19 ` Paul Moore
2025-01-08 15:43 ` [PATCH v4 10/30] landlock: Log mount-related denials Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 11/30] landlock: Align partial refer access checks with final ones Mickaël Salaün
2025-01-10 11:24 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 12/30] selftests/landlock: Add test to check partial access in a mount tree Mickaël Salaün
2025-01-10 11:24 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 13/30] landlock: Optimize file path walks and prepare for audit support Mickaël Salaün
2025-01-10 11:24 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 14/30] landlock: Log file-related denials Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 15/30] landlock: Log truncate and IOCTL denials Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 16/30] landlock: Log TCP bind and connect denials Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 17/30] landlock: Log scoped denials Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 18/30] landlock: Control log events with LANDLOCK_RESTRICT_SELF_QUIET Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 19/30] samples/landlock: Do not log denials from the sandboxer by default Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 20/30] selftests/landlock: Fix error message Mickaël Salaün
2025-01-10 11:24 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 21/30] selftests/landlock: Add wrappers.h Mickaël Salaün
2025-01-10 11:24 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 22/30] selftests/landlock: Add layout1.umount_sandboxer tests Mickaël Salaün
2025-01-10 11:25 ` Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 23/30] selftests/landlock: Extend tests for landlock_restrict_self()'s flags Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 24/30] selftests/landlock: Add tests for audit and LANDLOCK_RESTRICT_SELF_QUIET Mickaël Salaün
2025-01-08 15:43 ` Mickaël Salaün [this message]
2025-01-08 15:43 ` [PATCH v4 26/30] landlock: Export and rename landlock_get_inode_object() Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 27/30] fs: Add iput() cleanup helper Mickaël Salaün
2025-01-13 11:15 ` Mickaël Salaün
2025-01-13 16:45 ` Al Viro
2025-01-13 14:00 ` Jann Horn
2025-01-13 15:00 ` Christian Brauner
2025-01-13 16:55 ` Mickaël Salaün
2025-01-13 14:36 ` (subset) " Christian Brauner
2025-01-08 15:43 ` [PATCH v4 28/30] audit,landlock: Add AUDIT_EXE_LANDLOCK_DENY rule type Mickaël Salaün
2025-01-13 14:55 ` Jann Horn
2025-01-13 15:02 ` Christian Brauner
2025-01-13 16:55 ` Mickaël Salaün
2025-01-15 23:53 ` Paul Moore
2025-01-16 10:57 ` Mickaël Salaün
2025-01-16 20:24 ` Paul Moore
2025-01-08 15:43 ` [PATCH v4 29/30] selftests/landlock: Test audit rule with AUDIT_EXE_LANDLOCK_DOM Mickaël Salaün
2025-01-08 15:43 ` [PATCH v4 30/30] selftests/landlock: Test compatibility with audit rule lists Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250108154338.1129069-26-mic@digikod.net \
--to=mic@digikod.net \
--cc=akhna@google.com \
--cc=audit@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=code@tyhicks.com \
--cc=czaffery@roblox.com \
--cc=dburgener@linux.microsoft.com \
--cc=enlightened@google.com \
--cc=eparis@redhat.com \
--cc=fahimitahera@gmail.com \
--cc=flaniel@linux.microsoft.com \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=jmorris@namei.org \
--cc=jorgelo@google.com \
--cc=kees@kernel.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mattbobrowski@google.com \
--cc=paul@paul-moore.com \
--cc=phil@nwl.cc \
--cc=prapal@linux.microsoft.com \
--cc=robert.salvet@roblox.com \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox