[LTP] [PATCH v5 0/6] landlock testing suite

[LTP] [PATCH v5 0/6] landlock testing suite

[Andrea Cervesato]

This testing suite is meant to test the following syscalls:

- landlock_create_ruleset
- landlock_add_rule
- landlock_restrict_self

Documentation can be found in kernel manuals and inside the official
kernel documentation at

https://www.kernel.org/doc/html/latest/userspace-api/landlock.html

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Changes in v5:
- landlock0[123]: remove minimum kernel check
- landlock04: cleanup/setup for sandbox folder, enforce_ruleset() inside
  the child, skip vfat and exfat for some tests, now working with -i >= 0
- landlock05: remove minimum kernel check
- landlock06: remove exfat from skip
- Link to v4: https://lore.kernel.org/r/20240725-landlock-v4-0-66f5a1c0c693@suse.com

Changes in v4:
- landlock03: fix TBROK on -i usage
- landlock04: fix EINVAL caused by namespace sharing on kernel <=6.6
- Link to v3: https://lore.kernel.org/r/20240711-landlock-v3-0-c7b0e9edf9b0@suse.com

Changes in v3:
- landlock01: 1 byte less when
  HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET is defined
- landlock04: dynamically assign read/exec permissions to dependences
- landlock05: estetic fix and skip exfat
- landlock06: estetic fix and skip exfat
- Link to v2: https://lore.kernel.org/r/20240710-landlock-v2-0-ff79db017d57@suse.com

Changes in v2:
- remove -lc unused dependency from Makefile
- move SAFE_LANDLOCK_* macros in lapi/landlock.h
- define CAP_MKNOD in the lapi/capability.h
- fix landlock fallback in order to let LTP build properly
- fix landlock01 EINVAL test when "struct landlock_ruleset_attr" size is
  too small
- Link to v1: https://lore.kernel.org/r/20240701-landlock-v1-0-58e9af649a72@suse.com

---
Andrea Cervesato (6):
      Get ABI version from landlock common library
      Add CAP_MKNOD fallback in lapi/capability.h
      Disable kernel version check in landlock tests
      Add landlock04 test
      Add landlock05 test
      Add landlock06 test

 include/lapi/capability.h                          |  12 +-
 runtest/syscalls                                   |   3 +
 testcases/kernel/syscalls/landlock/.gitignore      |   4 +
 testcases/kernel/syscalls/landlock/landlock01.c    |   1 -
 testcases/kernel/syscalls/landlock/landlock02.c    |   1 -
 testcases/kernel/syscalls/landlock/landlock03.c    |   1 -
 testcases/kernel/syscalls/landlock/landlock04.c    | 212 +++++++++++
 testcases/kernel/syscalls/landlock/landlock05.c    | 118 +++++++
 testcases/kernel/syscalls/landlock/landlock06.c    | 107 ++++++
 .../kernel/syscalls/landlock/landlock_common.h     |   4 +-
 testcases/kernel/syscalls/landlock/landlock_exec.c |   9 +
 .../kernel/syscalls/landlock/landlock_tester.h     | 393 +++++++++++++++++++++
 12 files changed, 857 insertions(+), 8 deletions(-)
---
base-commit: eee3b2dd6d9dae6120646bc14c30e460989d7df6
change-id: 20240617-landlock-c48a4623a447

Best regards,
-- 
Andrea Cervesato <andrea.cervesato@suse.com>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v5 1/6] Get ABI version from landlock common library

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

Return the ABI version when verify_landlock_is_enabled() is called.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 testcases/kernel/syscalls/landlock/landlock_common.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h
index 66f8fd19a..1d3864934 100644
--- a/testcases/kernel/syscalls/landlock/landlock_common.h
+++ b/testcases/kernel/syscalls/landlock/landlock_common.h
@@ -10,7 +10,7 @@
 #include "lapi/fcntl.h"
 #include "lapi/landlock.h"
 
-static inline void verify_landlock_is_enabled(void)
+static inline int verify_landlock_is_enabled(void)
 {
 	int abi;
 
@@ -28,6 +28,8 @@ static inline void verify_landlock_is_enabled(void)
 	}
 
 	tst_res(TINFO, "Landlock ABI v%d", abi);
+
+	return abi;
 }
 
 static inline void apply_landlock_rule(

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v5 2/6] Add CAP_MKNOD fallback in lapi/capability.h

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

Reviewed-by: Li Wang <liwang@redhat.com>
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 include/lapi/capability.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/include/lapi/capability.h b/include/lapi/capability.h
index 2b593797c..0f317d6d7 100644
--- a/include/lapi/capability.h
+++ b/include/lapi/capability.h
@@ -44,14 +44,18 @@
 # define CAP_SYS_TIME         25
 #endif
 
-#ifndef CAP_AUDIT_READ
-# define CAP_AUDIT_READ       37
-#endif
-
 #ifndef CAP_SYS_RESOURCE
 # define CAP_SYS_RESOURCE     24
 #endif
 
+#ifndef CAP_MKNOD
+# define CAP_MKNOD            27
+#endif
+
+#ifndef CAP_AUDIT_READ
+# define CAP_AUDIT_READ       37
+#endif
+
 #ifndef CAP_BPF
 # define CAP_BPF              39
 #endif

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v5 3/6] Disable kernel version check in landlock tests

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

The reason why we remove kernel version check is that we use
verify_landlock_is_enabled() function in order to check if landlock is
present in the system. This is really helpful when landlock support has
been backported into old kernels.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 testcases/kernel/syscalls/landlock/landlock01.c | 1 -
 testcases/kernel/syscalls/landlock/landlock02.c | 1 -
 testcases/kernel/syscalls/landlock/landlock03.c | 1 -
 3 files changed, 3 deletions(-)

diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c
index 0c50b55d8..db2ffe89b 100644
--- a/testcases/kernel/syscalls/landlock/landlock01.c
+++ b/testcases/kernel/syscalls/landlock/landlock01.c
@@ -75,7 +75,6 @@ static struct tst_test test = {
 	.test = run,
 	.tcnt = ARRAY_SIZE(tcases),
 	.setup = setup,
-	.min_kver = "5.13",
 	.needs_root = 1,
 	.needs_kconfigs = (const char *[]) {
 		"CONFIG_SECURITY_LANDLOCK=y",
diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c
index c29ff1e83..2b3e31f69 100644
--- a/testcases/kernel/syscalls/landlock/landlock02.c
+++ b/testcases/kernel/syscalls/landlock/landlock02.c
@@ -120,7 +120,6 @@ static struct tst_test test = {
 	.tcnt = ARRAY_SIZE(tcases),
 	.setup = setup,
 	.cleanup = cleanup,
-	.min_kver = "5.13",
 	.needs_root = 1,
 	.needs_kconfigs = (const char *[]) {
 		"CONFIG_SECURITY_LANDLOCK=y",
diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c
index 9bf358d1c..5661b6b29 100644
--- a/testcases/kernel/syscalls/landlock/landlock03.c
+++ b/testcases/kernel/syscalls/landlock/landlock03.c
@@ -108,7 +108,6 @@ static struct tst_test test = {
 	.tcnt = ARRAY_SIZE(tcases),
 	.setup = setup,
 	.cleanup = cleanup,
-	.min_kver = "5.13",
 	.needs_tmpdir = 1,
 	.needs_root = 1,
 	.forks_child = 1,

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v5 4/6] Add landlock04 test

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

This test verifies that all landlock rules are working properly.
The way we do it is to verify that all disabled syscalls are not
working but the one we enabled via specifc landlock rules.

Reviewed-by: Li Wang <liwang@redhat.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/syscalls                                   |   1 +
 testcases/kernel/syscalls/landlock/.gitignore      |   2 +
 testcases/kernel/syscalls/landlock/landlock04.c    | 212 +++++++++++
 testcases/kernel/syscalls/landlock/landlock_exec.c |   9 +
 .../kernel/syscalls/landlock/landlock_tester.h     | 393 +++++++++++++++++++++
 5 files changed, 617 insertions(+)

diff --git a/runtest/syscalls b/runtest/syscalls
index 9b3cba667..67b2e2758 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -699,6 +699,7 @@ kill13 kill13
 landlock01 landlock01
 landlock02 landlock02
 landlock03 landlock03
+landlock04 landlock04
 
 lchown01 lchown01
 lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index f79cd090b..4fe8d7cba 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -1,3 +1,5 @@
+landlock_exec
 landlock01
 landlock02
 landlock03
+landlock04
diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c
new file mode 100644
index 000000000..82d9a5a4e
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock04.c
@@ -0,0 +1,212 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * This test verifies that all landlock filesystem rules are working properly.
+ * The way we do it is to verify that all disabled syscalls are not working but
+ * the one we enabled via specifc landlock rules.
+ */
+
+#include "landlock_common.h"
+#include "landlock_tester.h"
+#include "tst_safe_stdio.h"
+
+static struct landlock_ruleset_attr *ruleset_attr;
+static struct landlock_path_beneath_attr *path_beneath_attr;
+static int ruleset_fd = -1;
+
+static struct tvariant {
+	int access;
+	char *desc;
+} tvariants[] = {
+	{
+		LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_EXECUTE)
+	},
+	{
+		LANDLOCK_ACCESS_FS_WRITE_FILE,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_WRITE_FILE)
+	},
+	{
+		LANDLOCK_ACCESS_FS_READ_FILE,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_READ_FILE)
+	},
+	{
+		LANDLOCK_ACCESS_FS_READ_DIR,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_READ_DIR)
+	},
+	{
+		LANDLOCK_ACCESS_FS_REMOVE_DIR,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_REMOVE_DIR)
+	},
+	{
+		LANDLOCK_ACCESS_FS_REMOVE_FILE,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_REMOVE_FILE)
+	},
+	{
+		LANDLOCK_ACCESS_FS_MAKE_CHAR,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_CHAR)
+	},
+	{
+		LANDLOCK_ACCESS_FS_MAKE_BLOCK,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_BLOCK)
+	},
+	{
+		LANDLOCK_ACCESS_FS_MAKE_REG,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_REG)
+	},
+	{
+		LANDLOCK_ACCESS_FS_MAKE_SOCK,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_SOCK)
+	},
+	{
+		LANDLOCK_ACCESS_FS_MAKE_FIFO,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_FIFO)
+	},
+	{
+		LANDLOCK_ACCESS_FS_MAKE_SYM,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_SYM)
+	},
+	{
+		LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
+		TST_TO_STR_(LANDLOCK_ACCESS_FS_TRUNCATE)
+	},
+};
+
+static void run(void)
+{
+	struct tvariant  variant = tvariants[tst_variant];
+
+	tester_setup_files();
+
+	if (!SAFE_FORK()) {
+		enforce_ruleset(ruleset_fd);
+		tester_run_all_fs_rules(variant.access);
+
+		_exit(0);
+	}
+
+	tst_reap_children();
+	tester_cleanup_files();
+}
+
+static void enable_exec_libs(const int ruleset_fd)
+{
+	FILE *fp;
+	char line[1024];
+	char path[PATH_MAX];
+	char dependency[8][PATH_MAX];
+	int count = 0;
+	int duplicate = 0;
+
+	fp = SAFE_FOPEN("/proc/self/maps", "r");
+
+	while (fgets(line, sizeof(line), fp)) {
+		if (strstr(line, ".so") == NULL)
+			continue;
+
+		SAFE_SSCANF(line, "%*x-%*x %*s %*x %*s %*d %s", path);
+
+		for (int i = 0; i < count; i++) {
+			if (strcmp(path, dependency[i]) == 0) {
+				duplicate = 1;
+				break;
+			}
+		}
+
+		if (duplicate) {
+			duplicate = 0;
+			continue;
+		}
+
+		strncpy(dependency[count], path, PATH_MAX);
+		count++;
+
+		tst_res(TINFO, "Enable read/exec permissions for %s", path);
+
+		path_beneath_attr->allowed_access =
+			LANDLOCK_ACCESS_FS_READ_FILE |
+			LANDLOCK_ACCESS_FS_EXECUTE;
+		path_beneath_attr->parent_fd = SAFE_OPEN(path, O_PATH | O_CLOEXEC);
+
+		SAFE_LANDLOCK_ADD_RULE(
+			ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,	path_beneath_attr, 0);
+
+		SAFE_CLOSE(path_beneath_attr->parent_fd);
+	}
+
+	SAFE_FCLOSE(fp);
+}
+
+static void setup(void)
+{
+	struct tvariant variant = tvariants[tst_variant];
+
+	verify_landlock_is_enabled();
+
+	tst_res(TINFO, "Testing %s", variant.desc);
+
+	ruleset_attr->handled_access_fs = tester_get_all_fs_rules();
+
+	ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
+		ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+
+	/* since our binary is dynamically linked, we need to enable dependences
+	 * to be read and executed
+	 */
+	enable_exec_libs(ruleset_fd);
+
+	/* sandbox folder has to exist before creating the rule */
+	if (access(SANDBOX_FOLDER, F_OK) == -1)
+		SAFE_MKDIR(SANDBOX_FOLDER, PERM_MODE);
+
+	path_beneath_attr->allowed_access = variant.access;
+	path_beneath_attr->parent_fd = SAFE_OPEN(
+		SANDBOX_FOLDER, O_PATH | O_CLOEXEC);
+
+	SAFE_LANDLOCK_ADD_RULE(
+		ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,	path_beneath_attr, 0);
+
+	SAFE_CLOSE(path_beneath_attr->parent_fd);
+}
+
+static void cleanup(void)
+{
+	if (ruleset_fd != -1)
+		SAFE_CLOSE(ruleset_fd);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.cleanup = cleanup,
+	.forks_child = 1,
+	.needs_root = 1,
+	.test_variants = ARRAY_SIZE(tvariants),
+	.resource_files = (const char *[]) {
+		TESTAPP,
+		NULL,
+	},
+	.needs_kconfigs = (const char *[]) {
+		"CONFIG_SECURITY_LANDLOCK=y",
+		NULL
+	},
+	.bufs = (struct tst_buffers []) {
+		{&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+		{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
+		{},
+	},
+	.caps = (struct tst_cap []) {
+		TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+		TST_CAP(TST_CAP_REQ, CAP_MKNOD),
+		{}
+	},
+	.mount_device = 1,
+	.mntpoint = SANDBOX_FOLDER,
+	.all_filesystems = 1,
+	.max_runtime = 360,
+};
diff --git a/testcases/kernel/syscalls/landlock/landlock_exec.c b/testcases/kernel/syscalls/landlock/landlock_exec.c
new file mode 100644
index 000000000..aae5c76b2
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock_exec.c
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+int main(void)
+{
+	return 0;
+}
diff --git a/testcases/kernel/syscalls/landlock/landlock_tester.h b/testcases/kernel/syscalls/landlock/landlock_tester.h
new file mode 100644
index 000000000..dcebc45cd
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock_tester.h
@@ -0,0 +1,393 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+#ifndef LANDLOCK_TESTER_H__
+
+#include "tst_test.h"
+#include "lapi/landlock.h"
+#include <sys/sysmacros.h>
+
+#define PERM_MODE 0700
+
+#define SANDBOX_FOLDER	"sandbox"
+#define TESTAPP			"landlock_exec"
+
+#define FILE_EXEC		SANDBOX_FOLDER"/"TESTAPP
+#define FILE_READ		SANDBOX_FOLDER"/file_read"
+#define FILE_WRITE		SANDBOX_FOLDER"/file_write"
+#define FILE_REMOVE		SANDBOX_FOLDER"/file_remove"
+#define FILE_UNLINK		SANDBOX_FOLDER"/file_unlink"
+#define FILE_UNLINKAT	SANDBOX_FOLDER"/file_unlinkat"
+#define FILE_TRUNCATE	SANDBOX_FOLDER"/file_truncate"
+#define FILE_REGULAR	SANDBOX_FOLDER"/regular0"
+#define FILE_SOCKET		SANDBOX_FOLDER"/socket0"
+#define FILE_FIFO		SANDBOX_FOLDER"/fifo0"
+#define FILE_SYM0		SANDBOX_FOLDER"/symbolic0"
+#define FILE_SYM1		SANDBOX_FOLDER"/symbolic1"
+#define DIR_READDIR		SANDBOX_FOLDER"/dir_readdir"
+#define DIR_RMDIR		SANDBOX_FOLDER"/dir_rmdir"
+#define DEV_CHAR0		SANDBOX_FOLDER"/chardev0"
+#define DEV_BLK0		SANDBOX_FOLDER"/blkdev0"
+
+#define ALL_RULES (\
+	LANDLOCK_ACCESS_FS_EXECUTE | \
+	LANDLOCK_ACCESS_FS_WRITE_FILE | \
+	LANDLOCK_ACCESS_FS_READ_FILE | \
+	LANDLOCK_ACCESS_FS_READ_DIR | \
+	LANDLOCK_ACCESS_FS_REMOVE_DIR | \
+	LANDLOCK_ACCESS_FS_REMOVE_FILE | \
+	LANDLOCK_ACCESS_FS_MAKE_CHAR | \
+	LANDLOCK_ACCESS_FS_MAKE_DIR | \
+	LANDLOCK_ACCESS_FS_MAKE_REG | \
+	LANDLOCK_ACCESS_FS_MAKE_SOCK | \
+	LANDLOCK_ACCESS_FS_MAKE_FIFO | \
+	LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
+	LANDLOCK_ACCESS_FS_MAKE_SYM | \
+	LANDLOCK_ACCESS_FS_REFER | \
+	LANDLOCK_ACCESS_FS_TRUNCATE | \
+	LANDLOCK_ACCESS_FS_IOCTL_DEV)
+
+static char *readdir_files[] = {
+	DIR_READDIR"/file0",
+	DIR_READDIR"/file1",
+	DIR_READDIR"/file2",
+};
+
+static int dev_chr;
+static int dev_blk;
+
+static int tester_get_all_fs_rules(void)
+{
+	int abi;
+	int all_rules = ALL_RULES;
+
+	abi = SAFE_LANDLOCK_CREATE_RULESET(
+		NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+
+	if (abi < 2)
+		all_rules &= ~LANDLOCK_ACCESS_FS_REFER;
+
+	if (abi < 3)
+		all_rules &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
+
+	if (abi < 5)
+		all_rules &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
+
+	return all_rules;
+}
+
+/* This function setup the sandbox folder before running the test.
+ * Run it __before__ enforcing the sandbox rules and ensure that SANDBOX_FOLDER
+ * has been created already.
+ */
+static void tester_setup_files(void)
+{
+	/* folders */
+	SAFE_MKDIR(DIR_RMDIR, PERM_MODE);
+	SAFE_MKDIR(DIR_READDIR, PERM_MODE);
+	for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++)
+		SAFE_TOUCH(readdir_files[i], PERM_MODE, NULL);
+
+	/* files */
+	tst_fill_file(FILE_READ, 'a', getpagesize(), 1);
+	SAFE_TOUCH(FILE_WRITE, PERM_MODE, NULL);
+	SAFE_TOUCH(FILE_REMOVE, PERM_MODE, NULL);
+	SAFE_TOUCH(FILE_UNLINK, PERM_MODE, NULL);
+	SAFE_TOUCH(FILE_UNLINKAT, PERM_MODE, NULL);
+	SAFE_TOUCH(FILE_TRUNCATE, PERM_MODE, NULL);
+	SAFE_TOUCH(FILE_SYM0, PERM_MODE, NULL);
+	SAFE_CP(TESTAPP, FILE_EXEC);
+
+	/* devices */
+	dev_chr = makedev(1, 3);
+	dev_blk = makedev(7, 0);
+}
+
+static void _remove_file(const char *path)
+{
+	if (access(path, F_OK) != -1)
+		SAFE_UNLINK(path);
+}
+
+/* This function cleanup the sandbox folder after running the tests.
+ * Run it after getting out from the sandbox.
+ */
+static void tester_cleanup_files(void)
+{
+	if (access(DIR_RMDIR, F_OK) != -1)
+		SAFE_RMDIR(DIR_RMDIR);
+
+	for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++)
+		_remove_file(readdir_files[i]);
+
+	if (access(DIR_READDIR, F_OK) != -1)
+		SAFE_RMDIR(DIR_READDIR);
+
+	struct stat st;
+
+	if (lstat(FILE_SYM1, &st) != -1)
+		SAFE_UNLINK(FILE_SYM1);
+
+	_remove_file(FILE_READ);
+	_remove_file(FILE_WRITE);
+	_remove_file(FILE_REMOVE);
+	_remove_file(FILE_UNLINK);
+	_remove_file(FILE_UNLINKAT);
+	_remove_file(FILE_TRUNCATE);
+	_remove_file(FILE_SYM0);
+	_remove_file(FILE_EXEC);
+
+	_remove_file(DEV_BLK0);
+	_remove_file(DEV_CHAR0);
+	_remove_file(FILE_FIFO);
+	_remove_file(FILE_SOCKET);
+	_remove_file(FILE_REGULAR);
+}
+
+static void _test_exec(const int result)
+{
+	int status;
+	pid_t pid;
+	char *const args[] = {(char *)FILE_EXEC, NULL};
+
+	tst_res(TINFO, "Test binary execution");
+
+	pid = SAFE_FORK();
+	if (!pid) {
+		int rval;
+
+		if (result == TPASS) {
+			rval = execve(FILE_EXEC, args, NULL);
+			if (rval == -1)
+				tst_res(TFAIL | TERRNO, "Failed to execute test binary");
+		} else {
+			TST_EXP_FAIL(execve(FILE_EXEC, args, NULL), EACCES);
+		}
+
+		_exit(1);
+	}
+
+	SAFE_WAITPID(pid, &status, 0);
+	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
+		return;
+
+	tst_res(result, "Test binary has been executed");
+}
+
+static void _test_write(const int result)
+{
+	tst_res(TINFO, "Test writing file");
+
+	if (result == TPASS)
+		TST_EXP_FD(open(FILE_WRITE, O_WRONLY, PERM_MODE));
+	else
+		TST_EXP_FAIL(open(FILE_WRITE, O_WRONLY, PERM_MODE), EACCES);
+
+	if (TST_RET != -1)
+		SAFE_CLOSE(TST_RET);
+}
+
+static void _test_read(const int result)
+{
+	tst_res(TINFO, "Test reading file");
+
+	if (result == TPASS)
+		TST_EXP_FD(open(FILE_READ, O_RDONLY, PERM_MODE));
+	else
+		TST_EXP_FAIL(open(FILE_READ, O_RDONLY, PERM_MODE), EACCES);
+
+	if (TST_RET != -1)
+		SAFE_CLOSE(TST_RET);
+}
+
+static void _test_readdir(const int result)
+{
+	tst_res(TINFO, "Test reading directory");
+
+	DIR *dir;
+	struct dirent *de;
+	int files_counted = 0;
+
+	dir = opendir(DIR_READDIR);
+	if (!dir) {
+		tst_res(result == TPASS ? TFAIL : TPASS,
+			"Can't read '%s' directory", DIR_READDIR);
+
+		return;
+	}
+
+	tst_res(result, "Can read '%s' directory", DIR_READDIR);
+	if (result == TFAIL)
+		return;
+
+	while ((de = readdir(dir)) != NULL) {
+		if (de->d_type != DT_REG)
+			continue;
+
+		for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) {
+			if (readdir_files[i] == NULL)
+				continue;
+
+			if (strstr(readdir_files[i], de->d_name) != NULL)
+				files_counted++;
+		}
+	}
+
+	SAFE_CLOSEDIR(dir);
+
+	TST_EXP_EQ_LI(files_counted, ARRAY_SIZE(readdir_files));
+}
+
+static void _test_rmdir(const int result)
+{
+	tst_res(TINFO, "Test removing directory");
+
+	if (result == TPASS)
+		TST_EXP_PASS(rmdir(DIR_RMDIR));
+	else
+		TST_EXP_FAIL(rmdir(DIR_RMDIR), EACCES);
+}
+
+static void _test_rmfile(const int result)
+{
+	tst_res(TINFO, "Test removing file");
+
+	if (result == TPASS) {
+		TST_EXP_PASS(unlink(FILE_UNLINK));
+		TST_EXP_PASS(remove(FILE_REMOVE));
+	} else {
+		TST_EXP_FAIL(unlink(FILE_UNLINK), EACCES);
+		TST_EXP_FAIL(remove(FILE_REMOVE), EACCES);
+	}
+}
+
+static void _test_make(
+	const char *path,
+	const int type,
+	const int dev,
+	const int result)
+{
+	tst_res(TINFO, "Test normal or special files creation");
+
+	if (result == TPASS)
+		TST_EXP_PASS(mknod(path, type | 0400, dev));
+	else
+		TST_EXP_FAIL(mknod(path, type | 0400, dev), EACCES);
+}
+
+static void _test_symbolic(const int result)
+{
+	tst_res(TINFO, "Test symbolic links");
+
+	if (result == TPASS)
+		TST_EXP_PASS(symlink(FILE_SYM0, FILE_SYM1));
+	else
+		TST_EXP_FAIL(symlink(FILE_SYM0, FILE_SYM1), EACCES);
+}
+
+static void _test_truncate(const int result)
+{
+	int fd;
+
+	tst_res(TINFO, "Test truncating file");
+
+	if (result == TPASS) {
+		TST_EXP_PASS(truncate(FILE_TRUNCATE, 10));
+
+		fd = SAFE_OPEN(FILE_TRUNCATE, O_WRONLY, PERM_MODE);
+		if (fd != -1) {
+			TST_EXP_PASS(ftruncate(fd, 10));
+			SAFE_CLOSE(fd);
+		}
+
+		fd = TST_EXP_FD(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE));
+		if (fd != -1)
+			SAFE_CLOSE(fd);
+	} else {
+		TST_EXP_FAIL(truncate(FILE_TRUNCATE, 10), EACCES);
+
+		fd = open(FILE_TRUNCATE, O_WRONLY, PERM_MODE);
+		if (fd != -1) {
+			TST_EXP_FAIL(ftruncate(fd, 10), EACCES);
+			SAFE_CLOSE(fd);
+		}
+
+		TST_EXP_FAIL(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE),
+			EACCES);
+
+		if (TST_RET != -1)
+			SAFE_CLOSE(TST_RET);
+	}
+}
+
+static void tester_run_fs_rules(const int rules, const int result)
+{
+	if (rules & LANDLOCK_ACCESS_FS_EXECUTE)
+		_test_exec(result);
+
+	if (rules & LANDLOCK_ACCESS_FS_WRITE_FILE)
+		_test_write(result);
+
+	if (rules & LANDLOCK_ACCESS_FS_READ_FILE)
+		_test_read(result);
+
+	if (rules & LANDLOCK_ACCESS_FS_READ_DIR)
+		_test_readdir(result);
+
+	if (rules & LANDLOCK_ACCESS_FS_REMOVE_DIR)
+		_test_rmdir(result);
+
+	if (rules & LANDLOCK_ACCESS_FS_REMOVE_FILE)
+		_test_rmfile(result);
+
+	if (rules & LANDLOCK_ACCESS_FS_MAKE_REG)
+		_test_make(FILE_REGULAR, S_IFREG, 0, result);
+
+	if (strcmp(tst_device->fs_type, "vfat") &&
+		strcmp(tst_device->fs_type, "exfat")) {
+		if (rules & LANDLOCK_ACCESS_FS_MAKE_CHAR)
+			_test_make(DEV_CHAR0, S_IFCHR, dev_chr, result);
+
+		if (rules & LANDLOCK_ACCESS_FS_MAKE_BLOCK)
+			_test_make(DEV_BLK0, S_IFBLK, dev_blk, result);
+
+		if (rules & LANDLOCK_ACCESS_FS_MAKE_SOCK)
+			_test_make(FILE_SOCKET, S_IFSOCK, 0, result);
+
+		if (rules & LANDLOCK_ACCESS_FS_MAKE_FIFO)
+			_test_make(FILE_FIFO, S_IFIFO, 0, result);
+
+		if (rules & LANDLOCK_ACCESS_FS_MAKE_SYM)
+			_test_symbolic(result);
+	}
+
+	if (rules & LANDLOCK_ACCESS_FS_TRUNCATE) {
+		int abi;
+
+		abi = SAFE_LANDLOCK_CREATE_RULESET(
+			NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+
+		if (abi < 3) {
+			tst_res(TINFO, "Skip truncate test. Minimum ABI version is 3");
+			return;
+		}
+
+		_test_truncate(result);
+	}
+}
+
+static inline void tester_run_all_fs_rules(const int pass_rules)
+{
+	int fail_rules;
+	int all_rules;
+
+	all_rules = tester_get_all_fs_rules();
+	fail_rules = all_rules & ~pass_rules;
+
+	tester_run_fs_rules(pass_rules, TPASS);
+	tester_run_fs_rules(fail_rules, TFAIL);
+}
+
+#endif

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v5 5/6] Add landlock05 test

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

This test verifies LANDLOCK_ACCESS_FS_REFER access in the
landlock sandbox. The feature is available since kernel 5.19.

Reviewed-by: Li Wang <liwang@redhat.com>
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/syscalls                                |   1 +
 testcases/kernel/syscalls/landlock/.gitignore   |   1 +
 testcases/kernel/syscalls/landlock/landlock05.c | 118 ++++++++++++++++++++++++
 3 files changed, 120 insertions(+)

diff --git a/runtest/syscalls b/runtest/syscalls
index 67b2e2758..6522f5bc7 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -700,6 +700,7 @@ landlock01 landlock01
 landlock02 landlock02
 landlock03 landlock03
 landlock04 landlock04
+landlock05 landlock05
 
 lchown01 lchown01
 lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index 4fe8d7cba..a7ea6be2e 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -3,3 +3,4 @@ landlock01
 landlock02
 landlock03
 landlock04
+landlock05
diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c
new file mode 100644
index 000000000..5083fe12b
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock05.c
@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * This test verifies LANDLOCK_ACCESS_FS_REFER access in the
+ * landlock sandbox.
+ *
+ * [Algorithm]
+ *
+ * - apply LANDLOCK_ACCESS_FS_REFER in the folder1
+ * - apply LANDLOCK_ACCESS_FS_REFER in the folder2
+ * - create folder3
+ * - verify that file can be moved from folder1 to folder2
+ * - verify that file can't be moved from folder1 to folder3
+ */
+
+#include "landlock_common.h"
+
+#define MNTPOINT "sandbox"
+#define DIR1 MNTPOINT"/folder1"
+#define DIR2 MNTPOINT"/folder2"
+#define DIR3 MNTPOINT"/folder3"
+#define FILENAME1 DIR1"/file"
+#define FILENAME2 DIR2"/file"
+#define FILENAME3 DIR3"/file"
+
+static struct landlock_ruleset_attr *ruleset_attr;
+static struct landlock_path_beneath_attr *path_beneath_attr;
+
+static void run(void)
+{
+	if (SAFE_FORK())
+		return;
+
+	TST_EXP_PASS(rename(FILENAME1, FILENAME2));
+	if (TST_RET == -1)
+		return;
+
+	TST_EXP_FAIL(rename(FILENAME2, FILENAME3), EXDEV);
+	TST_EXP_PASS(rename(FILENAME2, FILENAME1));
+
+	_exit(0);
+}
+
+static void setup(void)
+{
+	int abi;
+	int ruleset_fd;
+
+	abi = verify_landlock_is_enabled();
+	if (abi < 2)
+		tst_brk(TCONF, "LANDLOCK_ACCESS_FS_REFER is unsupported on ABI < 2");
+
+	SAFE_MKDIR(DIR1, 0640);
+	SAFE_MKDIR(DIR2, 0640);
+	SAFE_MKDIR(DIR3, 0640);
+	SAFE_TOUCH(FILENAME1, 0640, NULL);
+
+	tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_REFER");
+
+	ruleset_attr->handled_access_fs =
+		LANDLOCK_ACCESS_FS_READ_FILE |
+		LANDLOCK_ACCESS_FS_WRITE_FILE |
+		LANDLOCK_ACCESS_FS_REFER;
+
+	ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
+		ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+
+	apply_landlock_rule(
+		path_beneath_attr,
+		ruleset_fd,
+		LANDLOCK_ACCESS_FS_REFER,
+		DIR1);
+
+	apply_landlock_rule(
+		path_beneath_attr,
+		ruleset_fd,
+		LANDLOCK_ACCESS_FS_REFER,
+		DIR2);
+
+	enforce_ruleset(ruleset_fd);
+
+	SAFE_CLOSE(ruleset_fd);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.needs_tmpdir = 1,
+	.needs_root = 1,
+	.forks_child = 1,
+	.needs_kconfigs = (const char *[]) {
+		"CONFIG_SECURITY_LANDLOCK=y",
+		NULL
+	},
+	.bufs = (struct tst_buffers []) {
+		{&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+		{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
+		{},
+	},
+	.caps = (struct tst_cap []) {
+		TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+		{}
+	},
+	.format_device = 1,
+	.mount_device = 1,
+	.mntpoint = MNTPOINT,
+	.all_filesystems = 1,
+	.skip_filesystems = (const char *[]) {
+		"vfat",
+		"exfat",
+		NULL
+	},
+};

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v5 6/6] Add landlock06 test

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the
landlock sandbox by creating a pipe and testing that ioctl() can
be executed on it. The test is also verifying that some of the I/O
operations can be always executed no matter the sandbox rules.
This feature is available since kernel 6.10.

Reviewed-by: Li Wang <liwang@redhat.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/syscalls                                |   1 +
 testcases/kernel/syscalls/landlock/.gitignore   |   1 +
 testcases/kernel/syscalls/landlock/landlock06.c | 107 ++++++++++++++++++++++++
 3 files changed, 109 insertions(+)

diff --git a/runtest/syscalls b/runtest/syscalls
index 6522f5bc7..7ebdb41d8 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -701,6 +701,7 @@ landlock02 landlock02
 landlock03 landlock03
 landlock04 landlock04
 landlock05 landlock05
+landlock06 landlock06
 
 lchown01 lchown01
 lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index a7ea6be2e..315ac1dca 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -4,3 +4,4 @@ landlock02
 landlock03
 landlock04
 landlock05
+landlock06
diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c
new file mode 100644
index 000000000..2b6e475e8
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock06.c
@@ -0,0 +1,107 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the
+ * landlock sandbox by creating a pipe and testing that ioctl() can be executed
+ * on it. The test is also verifying that some of the I/O operations can be
+ * always executed no matter the sandbox rules.
+ */
+
+#include "landlock_common.h"
+#include <sys/ioctl.h>
+
+#define MNTPOINT "sandbox"
+#define FILENAME MNTPOINT"/fifo"
+
+static struct landlock_ruleset_attr *ruleset_attr;
+static struct landlock_path_beneath_attr *path_beneath_attr;
+static int file_fd = -1;
+static int dev_fd = -1;
+
+static void run(void)
+{
+	if (SAFE_FORK())
+		return;
+
+	int flag;
+	size_t sz = 0;
+
+	TST_EXP_PASS(ioctl(file_fd, FIONREAD, &sz));
+	TST_EXP_PASS(ioctl(dev_fd, FIOCLEX));
+	TST_EXP_PASS(ioctl(dev_fd, FIONCLEX));
+	TST_EXP_PASS(ioctl(dev_fd, FIONBIO, &flag));
+	TST_EXP_PASS(ioctl(dev_fd, FIOASYNC, &flag));
+
+	_exit(0);
+}
+
+static void setup(void)
+{
+	int ruleset_fd;
+
+	if (verify_landlock_is_enabled() < 5)
+		tst_brk(TCONF, "LANDLOCK_ACCESS_FS_IOCTL_DEV is not supported");
+
+	SAFE_TOUCH(FILENAME, 0640, NULL);
+
+	file_fd = SAFE_OPEN(FILENAME, O_RDONLY | O_NONBLOCK, 0640);
+	dev_fd = SAFE_OPEN("/dev/zero", O_RDONLY | O_NONBLOCK, 0640);
+
+	tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_IOCTL_DEV");
+
+	ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV;
+
+	ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
+		ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+
+	apply_landlock_layer(
+		ruleset_attr,
+		path_beneath_attr,
+		MNTPOINT,
+		LANDLOCK_ACCESS_FS_IOCTL_DEV
+	);
+
+	SAFE_CLOSE(ruleset_fd);
+}
+
+static void cleanup(void)
+{
+	if (dev_fd != -1)
+		SAFE_CLOSE(dev_fd);
+
+	if (file_fd != -1)
+		SAFE_CLOSE(file_fd);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.cleanup = cleanup,
+	.needs_root = 1,
+	.forks_child = 1,
+	.needs_kconfigs = (const char *[]) {
+		"CONFIG_SECURITY_LANDLOCK=y",
+		NULL
+	},
+	.bufs = (struct tst_buffers []) {
+		{&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+		{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
+		{},
+	},
+	.caps = (struct tst_cap []) {
+		TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+		{}
+	},
+	.mount_device = 1,
+	.mntpoint = MNTPOINT,
+	.all_filesystems = 1,
+	.skip_filesystems = (const char *[]) {
+		"vfat",
+		NULL
+	},
+};

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 1/6] Get ABI version from landlock common library

[Petr Vorel]

Hi Andrea,

obviously correct, thanks!

Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 2/6] Add CAP_MKNOD fallback in lapi/capability.h

[Petr Vorel]

Hi Andrea,

Reviewed-by: Petr Vorel <pvorel@suse.cz>
(I added it already in v4)

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 3/6] Disable kernel version check in landlock tests

[Petr Vorel]

Hi Andrea,

> The reason why we remove kernel version check is that we use
> verify_landlock_is_enabled() function in order to check if landlock is
> present in the system. This is really helpful when landlock support has
> been backported into old kernels.

Great, I'm glad you removed it from all landlock tests. It really did not make
sense to guard correct version with 3 guards (kernel version, kernel config and
ABI). Could you please remove also CONFIG_SECURITY_LANDLOCK=y, because you
check EOPNOTSUPP in verify_landlock_is_enabled().

Anyway, feel free to merge these first 3 patches (ideally remove also
CONFIG_SECURITY_LANDLOCK=y before merge).

Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 3/6] Disable kernel version check in landlock tests

[Andrea Cervesato via ltp]

Hi!

I send 1 more patch to fix all tests removing CONFIG_SECURITY_LANDLOCK=y

Regards,
Andrea

On 8/8/24 11:58, Petr Vorel wrote:
> Hi Andrea,
>
>> The reason why we remove kernel version check is that we use
>> verify_landlock_is_enabled() function in order to check if landlock is
>> present in the system. This is really helpful when landlock support has
>> been backported into old kernels.
> Great, I'm glad you removed it from all landlock tests. It really did not make
> sense to guard correct version with 3 guards (kernel version, kernel config and
> ABI). Could you please remove also CONFIG_SECURITY_LANDLOCK=y, because you
> check EOPNOTSUPP in verify_landlock_is_enabled().
>
> Anyway, feel free to merge these first 3 patches (ideally remove also
> CONFIG_SECURITY_LANDLOCK=y before merge).
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
>
> Kind regards,
> Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 0/6] landlock testing suite

[Andrea Cervesato via ltp]

Pushed with 
https://github.com/linux-test-project/ltp/commit/e7ebc637d0d99295490adf57660a3b3a177d65d3 
on top of it, in order to remove CONFIG_SECURITY_LANDLOCK from all 
landlock tests.

Best regards,
Andrea

On 8/1/24 14:08, Andrea Cervesato wrote:
> This testing suite is meant to test the following syscalls:
>
> - landlock_create_ruleset
> - landlock_add_rule
> - landlock_restrict_self
>
> Documentation can be found in kernel manuals and inside the official
> kernel documentation at
>
> https://www.kernel.org/doc/html/latest/userspace-api/landlock.html
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> Changes in v5:
> - landlock0[123]: remove minimum kernel check
> - landlock04: cleanup/setup for sandbox folder, enforce_ruleset() inside
>    the child, skip vfat and exfat for some tests, now working with -i >= 0
> - landlock05: remove minimum kernel check
> - landlock06: remove exfat from skip
> - Link to v4: https://lore.kernel.org/r/20240725-landlock-v4-0-66f5a1c0c693@suse.com
>
> Changes in v4:
> - landlock03: fix TBROK on -i usage
> - landlock04: fix EINVAL caused by namespace sharing on kernel <=6.6
> - Link to v3: https://lore.kernel.org/r/20240711-landlock-v3-0-c7b0e9edf9b0@suse.com
>
> Changes in v3:
> - landlock01: 1 byte less when
>    HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET is defined
> - landlock04: dynamically assign read/exec permissions to dependences
> - landlock05: estetic fix and skip exfat
> - landlock06: estetic fix and skip exfat
> - Link to v2: https://lore.kernel.org/r/20240710-landlock-v2-0-ff79db017d57@suse.com
>
> Changes in v2:
> - remove -lc unused dependency from Makefile
> - move SAFE_LANDLOCK_* macros in lapi/landlock.h
> - define CAP_MKNOD in the lapi/capability.h
> - fix landlock fallback in order to let LTP build properly
> - fix landlock01 EINVAL test when "struct landlock_ruleset_attr" size is
>    too small
> - Link to v1: https://lore.kernel.org/r/20240701-landlock-v1-0-58e9af649a72@suse.com
>
> ---
> Andrea Cervesato (6):
>        Get ABI version from landlock common library
>        Add CAP_MKNOD fallback in lapi/capability.h
>        Disable kernel version check in landlock tests
>        Add landlock04 test
>        Add landlock05 test
>        Add landlock06 test
>
>   include/lapi/capability.h                          |  12 +-
>   runtest/syscalls                                   |   3 +
>   testcases/kernel/syscalls/landlock/.gitignore      |   4 +
>   testcases/kernel/syscalls/landlock/landlock01.c    |   1 -
>   testcases/kernel/syscalls/landlock/landlock02.c    |   1 -
>   testcases/kernel/syscalls/landlock/landlock03.c    |   1 -
>   testcases/kernel/syscalls/landlock/landlock04.c    | 212 +++++++++++
>   testcases/kernel/syscalls/landlock/landlock05.c    | 118 +++++++
>   testcases/kernel/syscalls/landlock/landlock06.c    | 107 ++++++
>   .../kernel/syscalls/landlock/landlock_common.h     |   4 +-
>   testcases/kernel/syscalls/landlock/landlock_exec.c |   9 +
>   .../kernel/syscalls/landlock/landlock_tester.h     | 393 +++++++++++++++++++++
>   12 files changed, 857 insertions(+), 8 deletions(-)
> ---
> base-commit: eee3b2dd6d9dae6120646bc14c30e460989d7df6
> change-id: 20240617-landlock-c48a4623a447
>
> Best regards,

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 3/6] Disable kernel version check in landlock tests

[Mickaël Salaün]

On Thu, Aug 08, 2024 at 11:58:24AM +0200, Petr Vorel wrote:
> is is really helpful when landlock support has
> > been backported into old kernels.
> 
> Great, I'm glad you removed it from all landlock tests. It really did not make
> sense to guard correct version with 3 guards (kernel version, kernel config and
> ABI). Could you please remove also CONFIG_SECURITY_LANDLOCK=y, because you
> check EOPNOTSUPP in verify_landlock_is_enabled().
> 
> Anyway, feel free to merge these first 3 patches (ideally remove also
> CONFIG_SECURITY_LANDLOCK=y before merge).

My understanding is that LTP only tests supported features to make sure
they work as expected, if enabled.  Is it correct?

I'm then wondering what is the purpose of needs_kconfigs.  If there is
no "needed" config, does that means that Landlock tests will always run
and detect at run time if tests are skipped or not?  If yes, it looks
good to me.

Andrea's commit to remove needs_kconfig:
https://github.com/linux-test-project/ltp/commit/e7ebc637d0d99295490adf57660a3b3a177d65d3

Is there an online dashboard to see some tested kernels?

> 
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> 
> Kind regards,
> Petr
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 3/6] Disable kernel version check in landlock tests

[Andrea Cervesato via ltp]

Hi Meckael,

On 8/9/24 16:36, Mickaël Salaün wrote:
> On Thu, Aug 08, 2024 at 11:58:24AM +0200, Petr Vorel wrote:
>> is is really helpful when landlock support has
>>> been backported into old kernels.
>> Great, I'm glad you removed it from all landlock tests. It really did not make
>> sense to guard correct version with 3 guards (kernel version, kernel config and
>> ABI). Could you please remove also CONFIG_SECURITY_LANDLOCK=y, because you
>> check EOPNOTSUPP in verify_landlock_is_enabled().
>>
>> Anyway, feel free to merge these first 3 patches (ideally remove also
>> CONFIG_SECURITY_LANDLOCK=y before merge).
> My understanding is that LTP only tests supported features to make sure
> they work as expected, if enabled.  Is it correct?
Yes, landlock in particular can be a backported feature, so we need to 
remove CONFIG flags and kernel version, raising an error just in case we 
have ENOSYS.
> I'm then wondering what is the purpose of needs_kconfigs.  If there is
> no "needed" config, does that means that Landlock tests will always run
> and detect at run time if tests are skipped or not?  If yes, it looks
> good to me.
>
> Andrea's commit to remove needs_kconfig:
> https://github.com/linux-test-project/ltp/commit/e7ebc637d0d99295490adf57660a3b3a177d65d3
>
> Is there an online dashboard to see some tested kernels?
@Petr Vorel
>
>> Reviewed-by: Petr Vorel <pvorel@suse.cz>
>>
>> Kind regards,
>> Petr
>>
>> -- 
>> Mailing list info: https://lists.linux.it/listinfo/ltp
Regards,
Andrea

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 3/6] Disable kernel version check in landlock tests

[Petr Vorel]

Hi all,

> Hi Meckael,

> On 8/9/24 16:36, Mickaël Salaün wrote:
> > On Thu, Aug 08, 2024 at 11:58:24AM +0200, Petr Vorel wrote:
> > > is is really helpful when landlock support has
> > > > been backported into old kernels.
> > > Great, I'm glad you removed it from all landlock tests. It really did not make
> > > sense to guard correct version with 3 guards (kernel version, kernel config and
> > > ABI). Could you please remove also CONFIG_SECURITY_LANDLOCK=y, because you
> > > check EOPNOTSUPP in verify_landlock_is_enabled().

> > > Anyway, feel free to merge these first 3 patches (ideally remove also
> > > CONFIG_SECURITY_LANDLOCK=y before merge).
> > My understanding is that LTP only tests supported features to make sure
> > they work as expected, if enabled.  Is it correct?
> Yes, landlock in particular can be a backported feature, so we need to
> remove CONFIG flags and kernel version, raising an error just in case we
> have ENOSYS.
> > I'm then wondering what is the purpose of needs_kconfigs.  If there is
> > no "needed" config, does that means that Landlock tests will always run
> > and detect at run time if tests are skipped or not?  If yes, it looks
> > good to me.

> > Andrea's commit to remove needs_kconfig:
> > https://github.com/linux-test-project/ltp/commit/e7ebc637d0d99295490adf57660a3b3a177d65d3

> > Is there an online dashboard to see some tested kernels?
> @Petr Vorel

I suppose folks at Linaro, Nikolai (CKI) or other companies which do public
testing have some public logs.

We have openSUSE tests on 6.10.3-1 for various archs on [1] and [2]. Here is
x86_64 [3][4] and riscv64 [5] failing on landlock06.c:38: TFAIL: ioctl(dev_fd,
FIOASYNC, &flag) failed: ENOTTY (25).

# landlock06; echo "### TEST landlock06 COMPLETE >>> $?."
tst_buffers.c:57: TINFO: Test is using guarded buffers
tst_tmpdir.c:316: TINFO: Using /var/tmp/LTP_lan8lXtC5 as tmpdir (btrfs filesystem)
tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
tst_test.c:1807: TINFO: LTP version: 20240524
tst_test.c:1651: TINFO: Timeout per run is 0h 00m 30s
tst_supported_fs_types.c:97: TINFO: Kernel supports ext2
tst_supported_fs_types.c:62: TINFO: mkfs.ext2 does exist
tst_supported_fs_types.c:97: TINFO: Kernel supports ext3
tst_supported_fs_types.c:62: TINFO: mkfs.ext3 does exist
tst_supported_fs_types.c:97: TINFO: Kernel supports ext4
tst_supported_fs_types.c:62: TINFO: mkfs.ext4 does exist
tst_supported_fs_types.c:97: TINFO: Kernel supports xfs
tst_supported_fs_types.c:62: TINFO: mkfs.xfs does exist
tst_supported_fs_types.c:97: TINFO: Kernel supports btrfs
tst_supported_fs_types.c:62: TINFO: mkfs.btrfs does exist
tst_supported_fs_types.c:97: TINFO: Kernel supports bcachefs
tst_supported_fs_types.c:62: TINFO: mkfs.bcachefs does exist
tst_supported_fs_types.c:169: TINFO: Skipping vfat as requested by the test
tst_supported_fs_types.c:97: TINFO: Kernel supports exfat
tst_supported_fs_types.c:62: TINFO: mkfs.exfat does exist
tst_supported_fs_types.c:132: TINFO: FUSE does support ntfs
tst_supported_fs_types.c:62: TINFO: mkfs.ntfs does exist
tst_supported_fs_types.c:97: TINFO: Kernel supports tmpfs
tst_supported_fs_types.c:49: TINFO: mkfs is not needed for tmpfs
tst_test.c:1747: TINFO: === Testing on ext2 ===
tst_test.c:1111: TINFO: Formatting /dev/loop0 with ext2 opts='' extra opts=''
mke2fs 1.47.0 (5-Feb-2023)
tst_test.c:1123: TINFO: Mounting /dev/loop0 to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=ext2 flags=0
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)
tst_test.c:1747: TINFO: === Testing on ext3 ===
tst_test.c:1111: TINFO: Formatting /dev/loop0 with ext3 opts='' extra opts=''
mke2fs 1.47.0 (5-Feb-2023)
tst_test.c:1123: TINFO: Mounting /dev/loop0 to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=ext3 flags=0
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)
tst_test.c:1747: TINFO: === Testing on ext4 ===
tst_test.c:1111: TINFO: Formatting /dev/loop0 with ext4 opts='' extra opts=''
mke2fs 1.47.0 (5-Feb-2023)
tst_test.c:1123: TINFO: Mounting /dev/loop0 to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=ext4 flags=0
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)
tst_test.c:1747: TINFO: === Testing on xfs ===
tst_test.c:1111: TINFO: Formatting /dev/loop0 with xfs opts='' extra opts=''
tst_test.c:1123: TINFO: Mounting /dev/loop0 to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=xfs flags=0
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)
tst_test.c:1747: TINFO: === Testing on btrfs ===
tst_test.c:1111: TINFO: Formatting /dev/loop0 with btrfs opts='' extra opts=''
tst_test.c:1123: TINFO: Mounting /dev/loop0 to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=btrfs flags=0
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)
tst_test.c:1747: TINFO: === Testing on bcachefs ===
tst_test.c:1111: TINFO: Formatting /dev/loop0 with bcachefs opts='' extra opts=''
tst_test.c:1123: TINFO: Mounting /dev/loop0 to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=bcachefs flags=0
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)
tst_test.c:1747: TINFO: === Testing on exfat ===
tst_test.c:1111: TINFO: Formatting /dev/loop0 with exfat opts='' extra opts=''
tst_test.c:1123: TINFO: Mounting /dev/loop0 to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=exfat flags=0
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)
tst_test.c:1747: TINFO: === Testing on ntfs ===
tst_test.c:1111: TINFO: Formatting /dev/loop0 with ntfs opts='' extra opts=''
The partition start sector was not specified for /dev/loop0 and it could not be obtained automatically.  It has been set to 0.
The number of sectors per track was not specified for /dev/loop0 and it could not be obtained automatically.  It has been set to 0.
The number of heads was not specified for /dev/loop0 and it could not be obtained automatically.  It has been set to 0.
To boot from a device, Windows needs the 'partition start sector', the 'sectors per track' and the 'number of heads' to be set.
Windows will not be able to boot from this device.
tst_test.c:1123: TINFO: Mounting /dev/loop0 to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=ntfs flags=0
tst_test.c:1123: TINFO: Trying FUSE...
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)
tst_test.c:1747: TINFO: === Testing on tmpfs ===
tst_test.c:1111: TINFO: Skipping mkfs for TMPFS filesystem
tst_test.c:1087: TINFO: Limiting tmpfs size to 32MB
tst_test.c:1123: TINFO: Mounting ltp-tmpfs to /var/tmp/LTP_lan8lXtC5/sandbox fstyp=tmpfs flags=0
landlock_common.h:31: TINFO: Landlock ABI v5
landlock06.c:55: TINFO: Applying LANDLOCK_ACCESS_FS_IOCTL_DEV
landlock06.c:34: TPASS: ioctl(file_fd, FIONREAD, &sz) passed
landlock06.c:35: TPASS: ioctl(dev_fd, FIOCLEX) passed
landlock06.c:36: TPASS: ioctl(dev_fd, FIONCLEX) passed
landlock06.c:37: TPASS: ioctl(dev_fd, FIONBIO, &flag) passed
landlock06.c:38: TFAIL: ioctl(dev_fd, FIOASYNC, &flag) failed: ENOTTY (25)

Summary:
passed   36
failed   9
broken   0
skipped  0
warnings 0
### TEST landlock06 COMPLETE >>> 1.

dmesg [6]:

OpenQA::run_ltp.pm: Starting landlock06
[ 1050.979179][T110531] loop0: detected capacity change from 0 to 614400
[ 1050.998116][T110531] /dev/zero: Can't lookup blockdev
[ 1051.004764][T110531] /dev/zero: Can't lookup blockdev
[ 1051.010525][T110531] /dev/zero: Can't lookup blockdev
[ 1051.014325][T110531] /dev/zero: Can't lookup blockdev
[ 1051.021487][T110531] bcachefs (/dev/zero): error reading superblock: error opening /dev/zero: ENOTBLK
[ 1051.022857][T110531] bcachefs: bch2_mount() error: ENOTBLK
[ 1051.058671][T110531] /dev/zero: Can't lookup blockdev
[ 1051.105329][T110531] EXT4-fs (loop0): mounting ext2 file system using the ext4 subsystem
[ 1051.117949][T110531] EXT4-fs (loop0): mounted filesystem 2c8afdbf-6fa5-42e8-8fd4-28954bdde347 r/w without journal. Quota mode: none.
[ 1051.127872][T110531] EXT4-fs (loop0): unmounting filesystem 2c8afdbf-6fa5-42e8-8fd4-28954bdde347.
[ 1051.204843][T110531] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 1051.213928][T110531] EXT4-fs (loop0): mounted filesystem d61f27f7-7dce-4f66-ad8e-70b4a33b9222 r/w with ordered data mode. Quota mode: none.
[ 1051.218709][T110531] EXT4-fs (loop0): unmounting filesystem d61f27f7-7dce-4f66-ad8e-70b4a33b9222.
[ 1051.251190][T110531] EXT4-fs (loop0): mounted filesystem b3d3c34a-d06b-4950-9317-facae9d51858 r/w with ordered data mode. Quota mode: none.
[ 1051.255995][T110531] EXT4-fs (loop0): unmounting filesystem b3d3c34a-d06b-4950-9317-facae9d51858.
[ 1051.287117][T110531] XFS (loop0): Mounting V5 Filesystem 8b3dafa3-3d09-42ad-974f-a4f6b64dbc21
[ 1051.292956][T110531] XFS (loop0): Ending clean mount
[ 1051.299264][T110531] XFS (loop0): Unmounting Filesystem 8b3dafa3-3d09-42ad-974f-a4f6b64dbc21
[ 1051.349548][T110531] BTRFS: device fsid 773dda9f-d706-4408-9de1-6cbf1aeb810c devid 1 transid 8 /dev/loop0 (7:0) scanned by landlock06 (110531)
[ 1051.356250][T110531] BTRFS info (device loop0): first mount of filesystem 773dda9f-d706-4408-9de1-6cbf1aeb810c
[ 1051.360300][T110531] BTRFS info (device loop0): using crc32c (crc32c-intel) checksum algorithm
[ 1051.361782][T110531] BTRFS info (device loop0): using free-space-tree
[ 1051.399193][T110531] BTRFS info (device loop0): checking UUID tree
[ 1051.403606][T110531] BTRFS info (device loop0): last unmount of filesystem 773dda9f-d706-4408-9de1-6cbf1aeb810c
[ 1051.470051][T110531] bcachefs (loop0): mounting version 1.7: mi_btree_bitmap
[ 1051.472754][T110531] bcachefs (loop0): initializing new filesystem
[ 1051.474263][T110531] bcachefs (loop0): going read-write
[ 1051.475613][T110531] bcachefs (loop0): initializing freespace
[ 1051.511331][T110531] bcachefs (loop0): shutdown complete, journal seq 7

They are not failing on aarch64 [7] and ppc64le [8].

We have 6.11.0-rc2 build, which also fails on x86_64 for the same reason [9].
There is also unique bcachefs related failure (which is probably not related to
landlock):

tst_cmd.c:113: TBROK: failed to exec cmd 'mkfs.bcachefs' at tst_cmd.c:113

(also landlock04 and landlock05 fails with it).

Kind regards,
Petr

[1] https://openqa.opensuse.org/group_overview/32
[2] https://openqa.opensuse.org/group_overview/125
[3] https://openqa.opensuse.org/tests/4397937#step/landlock06/6
[4] https://openqa.opensuse.org/tests/4397937/file/serial_terminal.txt
[5] https://openqa.opensuse.org/tests/4398174#step/landlock06/6
[6] https://openqa.opensuse.org/tests/4397937/file/serial0.txt
[7] https://openqa.opensuse.org/tests/4397935#step/landlock06/8
[8] https://openqa.opensuse.org/tests/4397936#step/landlock06/8
[9] https://openqa.opensuse.org/tests/4394746#step/landlock06/8

> > > Reviewed-by: Petr Vorel <pvorel@suse.cz>

> > > Kind regards,
> > > Petr

> > > -- 
> > > Mailing list info: https://lists.linux.it/listinfo/ltp
> Regards,
> Andrea

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v5 3/6] Disable kernel version check in landlock tests

[Petr Vorel]

> On Thu, Aug 08, 2024 at 11:58:24AM +0200, Petr Vorel wrote:
> > is is really helpful when landlock support has
> > > been backported into old kernels.

> > Great, I'm glad you removed it from all landlock tests. It really did not make
> > sense to guard correct version with 3 guards (kernel version, kernel config and
> > ABI). Could you please remove also CONFIG_SECURITY_LANDLOCK=y, because you
> > check EOPNOTSUPP in verify_landlock_is_enabled().

> > Anyway, feel free to merge these first 3 patches (ideally remove also
> > CONFIG_SECURITY_LANDLOCK=y before merge).

> My understanding is that LTP only tests supported features to make sure
> they work as expected, if enabled.  Is it correct?

FYI LTP should skip the test if feature is not enabled (instead of false
positive result). And LTP tries to support various kernels (mainline,
stable/LTS, enterprise kernels), various glibc (and other libc) versions [1].

If possible (like in landlock case) it's best to avoid hardcoding minimal kernel
version (features can be backported). Also, when not needed, it's better to
avoid kernel config check (e.g. for landlock).

Kind regards,
Petr

[1] https://linux-test-project.readthedocs.io/en/latest/users/supported_systems.html

> I'm then wondering what is the purpose of needs_kconfigs.  If there is
> no "needed" config, does that means that Landlock tests will always run
> and detect at run time if tests are skipped or not?  If yes, it looks
> good to me.

> Andrea's commit to remove needs_kconfig:
> https://github.com/linux-test-project/ltp/commit/e7ebc637d0d99295490adf57660a3b3a177d65d3

> Is there an online dashboard to see some tested kernels?


> > Reviewed-by: Petr Vorel <pvorel@suse.cz>

> > Kind regards,
> > Petr

> > -- 
> > Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp