public inbox for linux-security-module@vger.kernel.org
 help / color / mirror / Atom feed
From: "Günther Noack" <gnoack3000@gmail.com>
To: "Mickaël Salaün" <mic@digikod.net>,
	"John Johansen" <john.johansen@canonical.com>
Cc: "Günther Noack" <gnoack3000@gmail.com>,
	linux-security-module@vger.kernel.org,
	"Tingmao Wang" <m@maowtm.org>,
	"Justin Suess" <utilityemal77@gmail.com>,
	"Samasth Norway Ananda" <samasth.norway.ananda@oracle.com>,
	"Matthieu Buffet" <matthieu@buffet.re>,
	"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
	konstantin.meskhidze@huawei.com,
	"Demi Marie Obenour" <demiobenour@gmail.com>,
	"Alyssa Ross" <hi@alyssa.is>, "Jann Horn" <jannh@google.com>,
	"Tahera Fahimi" <fahimitahera@gmail.com>
Subject: [PATCH v5 6/9] landlock/selftests: Check that coredump sockets stay unrestricted
Date: Sun, 15 Feb 2026 11:51:54 +0100	[thread overview]
Message-ID: <20260215105158.28132-7-gnoack3000@gmail.com> (raw)
In-Reply-To: <20260215105158.28132-1-gnoack3000@gmail.com>

Even when a process is restricted with the new
LANDLOCK_ACCESS_FS_RESOLVE_SOCKET right, the kernel can continue
writing its coredump to the configured coredump socket.

In the test, we create a local server and rewire the system to write
coredumps into it.  We then create a child process within a Landlock
domain where LANDLOCK_ACCESS_FS_RESOLVE_SOCKET is restricted and make
the process crash.  The test uses SO_PEERCRED to check that the
connecting client process is the expected one.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 tools/testing/selftests/landlock/fs_test.c | 122 +++++++++++++++++++++
 1 file changed, 122 insertions(+)

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 8fa9d7c49ac3..705d8a13d2e0 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -22,6 +22,7 @@
 #include <sys/ioctl.h>
 #include <sys/mount.h>
 #include <sys/prctl.h>
+#include <sys/resource.h>
 #include <sys/sendfile.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ -4922,6 +4923,127 @@ TEST_F(scoped_domains, unix_seqpacket_connect_to_child_full)
 #undef USE_SENDTO
 #undef ENFORCE_ALL
 
+static void read_core_pattern(struct __test_metadata *const _metadata,
+			      char *buf, size_t buf_size)
+{
+	int fd;
+	ssize_t ret;
+
+	fd = open("/proc/sys/kernel/core_pattern", O_RDONLY | O_CLOEXEC);
+	ASSERT_LE(0, fd);
+
+	ret = read(fd, buf, buf_size - 1);
+	ASSERT_LE(0, ret);
+	EXPECT_EQ(0, close(fd));
+
+	buf[ret] = '\0';
+}
+
+static void set_core_pattern(struct __test_metadata *const _metadata,
+			     const char *pattern)
+{
+	int fd;
+	size_t len = strlen(pattern);
+
+	fd = open("/proc/sys/kernel/core_pattern", O_WRONLY | O_CLOEXEC);
+	ASSERT_LE(0, fd);
+
+	ASSERT_EQ(len, write(fd, pattern, len));
+	EXPECT_EQ(0, close(fd));
+}
+
+FIXTURE(coredump)
+{
+	char original_core_pattern[256];
+};
+
+FIXTURE_SETUP(coredump)
+{
+	disable_caps(_metadata);
+	read_core_pattern(_metadata, self->original_core_pattern,
+			  sizeof(self->original_core_pattern));
+}
+
+FIXTURE_TEARDOWN_PARENT(coredump)
+{
+	set_cap(_metadata, CAP_SYS_ADMIN);
+	set_core_pattern(_metadata, self->original_core_pattern);
+	clear_cap(_metadata, CAP_SYS_ADMIN);
+}
+
+/*
+ * Test that even when a process is restricted with
+ * LANDLOCK_ACCESS_FS_RESOLVE_UNIX, the kernel can still initiate a connection
+ * to the coredump socket on the processes' behalf.
+ */
+TEST_F_FORK(coredump, socket_not_restricted)
+{
+	static const char core_pattern[] = "@/tmp/landlock_coredump_test.sock";
+	const char *const sock_path = core_pattern + 1;
+	int srv_fd, conn_fd, status;
+	pid_t child_pid;
+	struct ucred cred;
+	socklen_t cred_len = sizeof(cred);
+	char buf[4096];
+
+	/* Set up the coredump server socket. */
+	unlink(sock_path);
+	srv_fd = set_up_named_unix_server(_metadata, SOCK_STREAM, sock_path);
+
+	/* Point coredumps at our socket. */
+	set_cap(_metadata, CAP_SYS_ADMIN);
+	set_core_pattern(_metadata, core_pattern);
+	clear_cap(_metadata, CAP_SYS_ADMIN);
+
+	/* Restrict LANDLOCK_ACCESS_FS_RESOLVE_UNIX. */
+	drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
+		.handled_access_fs = LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
+	});
+
+	/* Fork a child that crashes. */
+	child_pid = fork();
+	ASSERT_LE(0, child_pid);
+	if (child_pid == 0) {
+		struct rlimit rl = {
+			.rlim_cur = RLIM_INFINITY,
+			.rlim_max = RLIM_INFINITY,
+		};
+
+		ASSERT_EQ(0, setrlimit(RLIMIT_CORE, &rl));
+
+		/* Crash on purpose. */
+		kill(getpid(), SIGSEGV);
+		_exit(1);
+	}
+
+	/*
+	 * Accept the coredump connection.  If Landlock incorrectly denies the
+	 * kernel's coredump connect, accept() will block forever, so the test
+	 * would time out.
+	 */
+	conn_fd = accept(srv_fd, NULL, NULL);
+	ASSERT_LE(0, conn_fd);
+
+	/* Check that the connection came from the crashing child. */
+	ASSERT_EQ(0, getsockopt(conn_fd, SOL_SOCKET, SO_PEERCRED, &cred,
+				&cred_len));
+	EXPECT_EQ(child_pid, cred.pid);
+
+	/* Drain the coredump data so the kernel can finish. */
+	while (read(conn_fd, buf, sizeof(buf)) > 0)
+		;
+
+	EXPECT_EQ(0, close(conn_fd));
+
+	/* Wait for the child and verify it coredumped. */
+	ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
+	ASSERT_TRUE(WIFSIGNALED(status));
+	ASSERT_TRUE(WCOREDUMP(status));
+
+	EXPECT_EQ(0, close(srv_fd));
+	EXPECT_EQ(0, unlink(sock_path));
+}
+
 /* clang-format off */
 FIXTURE(layout1_bind) {};
 /* clang-format on */
-- 
2.52.0


  parent reply	other threads:[~2026-02-15 10:52 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-15 10:51 [PATCH v5 0/9] landlock: UNIX connect() control by pathname and scope Günther Noack
2026-02-15 10:51 ` [PATCH v5 1/9] lsm: Add LSM hook security_unix_find Günther Noack
2026-02-18  9:36   ` Mickaël Salaün
2026-02-19 13:26     ` Justin Suess
2026-02-19 20:04       ` [PATCH v6] " Justin Suess
2026-02-19 20:26         ` Günther Noack
2026-03-10 22:39           ` Paul Moore
2026-03-11 12:34             ` Justin Suess
2026-03-11 16:08               ` Paul Moore
2026-03-12 11:57                 ` Günther Noack
2026-02-20 15:49         ` Günther Noack
2026-02-21 13:22           ` Justin Suess
2026-02-23 16:09             ` Mickaël Salaün
2026-02-15 10:51 ` [PATCH v5 2/9] landlock: Control pathname UNIX domain socket resolution by path Günther Noack
2026-02-18  9:37   ` Mickaël Salaün
2026-02-19  9:45     ` Mickaël Salaün
2026-02-19 13:59       ` Günther Noack
2026-03-08  9:09         ` Mickaël Salaün
2026-03-08 11:50           ` Mickaël Salaün
2026-03-14 23:15             ` Günther Noack
2026-03-17 21:14               ` Mickaël Salaün
2026-02-20 14:33     ` Günther Noack
2026-03-08  9:18       ` Mickaël Salaün
2026-03-10 15:19         ` Sebastian Andrzej Siewior
2026-03-11  4:46         ` Kuniyuki Iwashima
2026-03-08  9:09   ` Mickaël Salaün
2026-03-15 20:58     ` Günther Noack
2026-02-15 10:51 ` [PATCH v5 3/9] samples/landlock: Add support for named UNIX domain socket restrictions Günther Noack
2026-02-18  9:37   ` Mickaël Salaün
2026-02-20 16:08     ` Günther Noack
2026-02-15 10:51 ` [PATCH v5 4/9] landlock/selftests: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-02-18 19:11   ` Mickaël Salaün
2026-02-20 16:27     ` Günther Noack
2026-02-20 17:04       ` Günther Noack
2026-02-15 10:51 ` [PATCH v5 5/9] landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-02-15 10:51 ` Günther Noack [this message]
2026-02-18 20:05   ` [PATCH v5 6/9] landlock/selftests: Check that coredump sockets stay unrestricted Mickaël Salaün
2026-02-15 10:51 ` [PATCH v5 7/9] landlock/selftests: fs_test: Simplify ruleset creation and enforcement Günther Noack
2026-02-15 10:51 ` [PATCH v5 8/9] landlock: Document FS access right for pathname UNIX sockets Günther Noack
2026-02-18  9:39   ` Mickaël Salaün
2026-03-14 21:16     ` Günther Noack
2026-02-15 10:51 ` [PATCH v5 9/9] landlock: Document design rationale for scoped access rights Günther Noack
2026-02-15 18:09   ` Alyssa Ross

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260215105158.28132-7-gnoack3000@gmail.com \
    --to=gnoack3000@gmail.com \
    --cc=demiobenour@gmail.com \
    --cc=fahimitahera@gmail.com \
    --cc=hi@alyssa.is \
    --cc=ivanov.mikhail1@huawei-partners.com \
    --cc=jannh@google.com \
    --cc=john.johansen@canonical.com \
    --cc=konstantin.meskhidze@huawei.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=m@maowtm.org \
    --cc=matthieu@buffet.re \
    --cc=mic@digikod.net \
    --cc=samasth.norway.ananda@oracle.com \
    --cc=utilityemal77@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox