From: "Mickaël Salaün" <mic@digikod.net>
To: "Günther Noack" <gnoack3000@gmail.com>
Cc: John Johansen <john.johansen@canonical.com>,
linux-security-module@vger.kernel.org,
Tingmao Wang <m@maowtm.org>,
Justin Suess <utilityemal77@gmail.com>,
Samasth Norway Ananda <samasth.norway.ananda@oracle.com>,
Matthieu Buffet <matthieu@buffet.re>,
Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
konstantin.meskhidze@huawei.com,
Demi Marie Obenour <demiobenour@gmail.com>,
Alyssa Ross <hi@alyssa.is>, Jann Horn <jannh@google.com>,
Tahera Fahimi <fahimitahera@gmail.com>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Kuniyuki Iwashima <kuniyu@google.com>
Subject: Re: [PATCH v6 6/9] landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX
Date: Wed, 18 Mar 2026 17:53:38 +0100 [thread overview]
Message-ID: <20260318.chiMaiyuf6mo@digikod.net> (raw)
In-Reply-To: <20260315222150.121952-7-gnoack3000@gmail.com>
On Sun, Mar 15, 2026 at 11:21:47PM +0100, Günther Noack wrote:
> Add an audit test to check that Landlock denials from
> LANDLOCK_ACCESS_FS_RESOLVE_UNIX result in audit logs in the expected
> format. (There is one audit test for each filesystem access right, so
> we should add one for LANDLOCK_ACCESS_FS_RESOLVE_UNIX as well.)
>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
> tools/testing/selftests/landlock/fs_test.c | 43 +++++++++++++++++++++-
> 1 file changed, 42 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
> index fdbb024da774..4198148e172f 100644
> --- a/tools/testing/selftests/landlock/fs_test.c
> +++ b/tools/testing/selftests/landlock/fs_test.c
> @@ -7538,7 +7538,8 @@ static const __u64 access_fs_16 =
> LANDLOCK_ACCESS_FS_MAKE_SYM |
> LANDLOCK_ACCESS_FS_REFER |
> LANDLOCK_ACCESS_FS_TRUNCATE |
> - LANDLOCK_ACCESS_FS_IOCTL_DEV;
> + LANDLOCK_ACCESS_FS_IOCTL_DEV |
> + LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
The variable access_fs_16 contains 16 access rights. The idea was to
not need to change this variable with new FS access rights because the
tests should not change. I guess that was not a good choice because
new tests like audit_layout1.resolve_unix may not change the result of
existing tests (and then improve coverage). This variable can then be
replaced with ACCESS_ALL (in a dedicated patch please). If we need
exceptions we can mask the problematic access rights (see
audit_layout1.ioctl_dev).
> /* clang-format on */
>
> TEST_F(audit_layout1, execute_read)
> @@ -7983,6 +7984,46 @@ TEST_F(audit_layout1, ioctl_dev)
> EXPECT_EQ(1, records.domain);
> }
>
> +TEST_F(audit_layout1, resolve_unix)
> +{
> + struct audit_records records;
> + const char *const path = "sock";
> + int srv_fd, cli_fd, status;
> + pid_t child_pid;
> +
> + srv_fd = set_up_named_unix_server(_metadata, SOCK_STREAM, path);
> +
> + child_pid = fork();
> + ASSERT_LE(0, child_pid);
> + if (!child_pid) {
> + drop_access_rights(_metadata,
> + &(struct landlock_ruleset_attr){
> + .handled_access_fs = access_fs_16,
> + });
> +
> + cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
> + ASSERT_LE(0, cli_fd);
> + EXPECT_EQ(EACCES,
> + test_connect_named_unix(_metadata, cli_fd, path));
> +
> + EXPECT_EQ(0, close(cli_fd));
> + _exit(_metadata->exit_code);
> + }
> +
> + ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
> + EXPECT_EQ(1, WIFEXITED(status));
> + EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
> +
> + EXPECT_EQ(0, matches_log_fs_extra(_metadata, self->audit_fd,
> + "fs\\.resolve_unix", path, NULL));
> +
> + EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
> + EXPECT_EQ(0, records.access);
> + EXPECT_EQ(1, records.domain);
> +
> + EXPECT_EQ(0, close(srv_fd));
> +}
> +
> TEST_F(audit_layout1, mount)
> {
> struct audit_records records;
> --
> 2.53.0
>
next prev parent reply other threads:[~2026-03-18 16:53 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-15 22:21 [PATCH v6 0/9] landlock: UNIX connect() control by pathname and scope Günther Noack
2026-03-15 22:21 ` [PATCH v6 1/9] lsm: Add LSM hook security_unix_find Günther Noack
2026-03-17 21:14 ` Mickaël Salaün
2026-03-17 21:34 ` Paul Moore
2026-03-17 23:20 ` [PATCH v7 " Justin Suess
2026-03-18 1:28 ` Paul Moore
2026-03-18 8:48 ` [PATCH v6 " Mickaël Salaün
2026-03-18 14:44 ` Paul Moore
2026-03-18 16:22 ` Mickaël Salaün
2026-03-18 16:43 ` Paul Moore
2026-03-23 14:37 ` Georgia Garcia
2026-03-23 20:26 ` Paul Moore
2026-03-18 16:51 ` Mickaël Salaün
2026-03-15 22:21 ` [PATCH v6 2/9] landlock: use mem_is_zero() in is_layer_masks_allowed() Günther Noack
2026-03-18 16:52 ` Mickaël Salaün
2026-03-20 10:50 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 3/9] landlock: Control pathname UNIX domain socket resolution by path Günther Noack
2026-03-18 11:15 ` Sebastian Andrzej Siewior
2026-03-18 14:14 ` Justin Suess
2026-03-18 15:05 ` Sebastian Andrzej Siewior
2026-03-18 16:26 ` Mickaël Salaün
2026-03-18 16:43 ` Justin Suess
2026-03-18 17:52 ` Mickaël Salaün
2026-03-20 12:28 ` Günther Noack
2026-03-18 16:52 ` Mickaël Salaün
2026-03-20 16:15 ` Günther Noack
2026-03-20 17:51 ` Mickaël Salaün
2026-03-20 22:25 ` Günther Noack
2026-03-21 9:09 ` Mickaël Salaün
2026-03-23 15:31 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 4/9] samples/landlock: Add support for named UNIX domain socket restrictions Günther Noack
2026-03-15 22:21 ` [PATCH v6 5/9] landlock/selftests: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-03-18 16:53 ` Mickaël Salaün
2026-03-20 10:51 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 6/9] landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-03-18 16:53 ` Mickaël Salaün [this message]
2026-03-15 22:21 ` [PATCH v6 7/9] landlock/selftests: Check that coredump sockets stay unrestricted Günther Noack
2026-03-18 16:53 ` Mickaël Salaün
2026-03-20 16:44 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 8/9] landlock/selftests: fs_test: Simplify ruleset creation and enforcement Günther Noack
2026-03-15 22:21 ` [PATCH v6 9/9] landlock: Document FS access right for pathname UNIX sockets Günther Noack
2026-03-18 16:54 ` Mickaël Salaün
2026-03-20 17:04 ` Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260318.chiMaiyuf6mo@digikod.net \
--to=mic@digikod.net \
--cc=bigeasy@linutronix.de \
--cc=demiobenour@gmail.com \
--cc=fahimitahera@gmail.com \
--cc=gnoack3000@gmail.com \
--cc=hi@alyssa.is \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=jannh@google.com \
--cc=john.johansen@canonical.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=kuniyu@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=m@maowtm.org \
--cc=matthieu@buffet.re \
--cc=samasth.norway.ananda@oracle.com \
--cc=utilityemal77@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox