[LTP] [PATCH 0/4] Landlock tests for ABI v6

[LTP] [PATCH 0/4] Landlock tests for ABI v6

[Andrea Cervesato]

Landlock released a new feature for IPC scoping in the new ABI.
This includes the following new rules which will be tested in
this patch-set:

- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
- LANDLOCK_SCOPE_SIGNAL

https://docs.kernel.org/userspace-api/landlock.html#ipc-scoping

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Andrea Cervesato (4):
      Add landlock ABI v6 fallback
      landlock02: support landlock ABI v6
      landlock: add landlock09 test
      landlock: add landlock10 test

 include/lapi/landlock.h                            |  23 +++-
 testcases/kernel/syscalls/landlock/.gitignore      |   2 +
 testcases/kernel/syscalls/landlock/landlock02.c    |  10 +-
 testcases/kernel/syscalls/landlock/landlock09.c    | 132 +++++++++++++++++++++
 testcases/kernel/syscalls/landlock/landlock10.c    | 110 +++++++++++++++++
 .../kernel/syscalls/landlock/landlock_common.h     |  11 ++
 6 files changed, 280 insertions(+), 8 deletions(-)
---
base-commit: 753bd13472d4be44eb70ff183b007fe9c5fffa07
change-id: 20250325-landlock_unix_socket-592bb00535be

Best regards,
-- 
Andrea Cervesato <andrea.cervesato@suse.com>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH 1/4] Add landlock ABI v6 fallback

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

The new ABI v6 is defining the following IPC scoped operations:

* LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
* LANDLOCK_SCOPE_SIGNAL

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 include/lapi/landlock.h | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h
index b3c8c548e661680541cdf6e4a8fb68a3f5029fec..e579500ec26cdc0a568620bc35386f3d2b68952e 100644
--- a/include/lapi/landlock.h
+++ b/include/lapi/landlock.h
@@ -15,15 +15,19 @@
 
 #include "lapi/syscalls.h"
 
-struct tst_landlock_ruleset_attr_abi1
-{
+struct tst_landlock_ruleset_attr_abi1 {
 	uint64_t handled_access_fs;
 };
 
-struct tst_landlock_ruleset_attr_abi4
-{
+struct tst_landlock_ruleset_attr_abi4 {
+	uint64_t handled_access_fs;
+	uint64_t handled_access_net;
+};
+
+struct tst_landlock_ruleset_attr_abi6 {
 	uint64_t handled_access_fs;
 	uint64_t handled_access_net;
+	uint64_t scoped;
 };
 
 #ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR
@@ -43,8 +47,7 @@ struct landlock_path_beneath_attr
 #endif
 
 #ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR
-struct landlock_net_port_attr
-{
+struct landlock_net_port_attr {
 	uint64_t allowed_access;
 	uint64_t port;
 };
@@ -126,6 +129,14 @@ struct landlock_net_port_attr
 # define LANDLOCK_ACCESS_NET_CONNECT_TCP	(1ULL << 1)
 #endif
 
+#ifndef LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+# define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET		(1ULL << 0)
+#endif
+
+#ifndef LANDLOCK_SCOPE_SIGNAL
+# define LANDLOCK_SCOPE_SIGNAL		                (1ULL << 1)
+#endif
+
 static inline int safe_landlock_create_ruleset(const char *file, const int lineno,
 	const void *attr, size_t size , uint32_t flags)
 {

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH 2/4] landlock02: support landlock ABI v6

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 testcases/kernel/syscalls/landlock/landlock02.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c
index 60010f554b001156f3feb30283bb5c22a5fea1fc..601164794109a61714bb005001d6a94de83e41c2 100644
--- a/testcases/kernel/syscalls/landlock/landlock02.c
+++ b/testcases/kernel/syscalls/landlock/landlock02.c
@@ -20,6 +20,7 @@
 
 static struct tst_landlock_ruleset_attr_abi1 *attr_abi1;
 static struct tst_landlock_ruleset_attr_abi4 *attr_abi4;
+static struct tst_landlock_ruleset_attr_abi6 *attr_abi6;
 static struct landlock_path_beneath_attr *path_beneath_attr;
 static struct landlock_path_beneath_attr *rule_null;
 static struct landlock_net_port_attr *net_port_attr;
@@ -145,14 +146,18 @@ static void setup(void)
 	abi_current = verify_landlock_is_enabled();
 
 	attr_abi1->handled_access_fs =
-		attr_abi4->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
+		attr_abi4->handled_access_fs =
+		attr_abi6->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
 
 	if (abi_current < 4) {
 		ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
 			attr_abi1, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
-	} else {
+	} else if (abi_current < 6) {
 		ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
 			attr_abi4, sizeof(struct tst_landlock_ruleset_attr_abi4), 0));
+	} else {
+		ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
+			attr_abi6, sizeof(struct tst_landlock_ruleset_attr_abi6), 0));
 	}
 }
 
@@ -171,6 +176,7 @@ static struct tst_test test = {
 	.bufs = (struct tst_buffers []) {
 		{&attr_abi1, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
 		{&attr_abi4, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)},
+		{&attr_abi6, .size = sizeof(struct tst_landlock_ruleset_attr_abi6)},
 		{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
 		{&net_port_attr, .size = sizeof(struct landlock_net_port_attr)},
 		{},

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH 3/4] landlock: add landlock09 test

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

Create landlock09 test in order to verify that sandboxed processes
enforced with LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET rule can't
connect to any UNIX socket from non-sandboxed processes.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 testcases/kernel/syscalls/landlock/.gitignore      |   1 +
 testcases/kernel/syscalls/landlock/landlock09.c    | 132 +++++++++++++++++++++
 .../kernel/syscalls/landlock/landlock_common.h     |  11 ++
 3 files changed, 144 insertions(+)

diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index fc7317394948c4ac20cd14c3cd7ba7a47282b2bf..cda8d871e051ec88abba4634a2bcda4b10470d9f 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -7,3 +7,4 @@ landlock05
 landlock06
 landlock07
 landlock08
+landlock09
diff --git a/testcases/kernel/syscalls/landlock/landlock09.c b/testcases/kernel/syscalls/landlock/landlock09.c
new file mode 100644
index 0000000000000000000000000000000000000000..7e5b5183953d3255cd24c09b12461993aee8482c
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock09.c
@@ -0,0 +1,132 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2025 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * Verify that landlock's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET rule reject any
+ * connect() coming from a client on a different server domain, but accept any
+ * connection.
+ */
+
+#include "tst_test.h"
+#include "landlock_common.h"
+
+#define SOCKET_NAME "test.sock"
+#define ABSTRACT_SOCKET_NAME "\0"SOCKET_NAME
+#define SOCKET_LENGTH (offsetof(struct sockaddr_un, sun_path) + strlen(SOCKET_NAME) + 1)
+
+enum {
+	DOMAIN_CLIENT = 0,
+	DOMAIN_SERVER,
+	DOMAIN_BOTH,
+	DOMAIN_LENGTH,
+};
+
+static struct tst_landlock_ruleset_attr_abi6 *ruleset_attr;
+
+static void scoped_sandbox(const char *from)
+{
+	tst_res(TINFO, "Enforcing rule LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET on %s", from);
+
+	ruleset_attr->scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET;
+	apply_landlock_scoped_layer(ruleset_attr, sizeof(*ruleset_attr));
+}
+
+static void run_client(void)
+{
+	if (tst_variant == DOMAIN_CLIENT)
+		scoped_sandbox("client");
+
+	int sendsock;
+	struct sockaddr_un addr = {
+		.sun_family = AF_UNIX,
+		.sun_path = ABSTRACT_SOCKET_NAME,
+	};
+
+	TST_CHECKPOINT_WAIT(0);
+
+	tst_res(TINFO, "Connecting to UNIX socket");
+
+	sendsock = SAFE_SOCKET(AF_UNIX, SOCK_STREAM, 0);
+
+	if (tst_variant != DOMAIN_CLIENT)
+		TST_EXP_PASS(connect(sendsock, (struct sockaddr *)&addr, SOCKET_LENGTH));
+	else
+		TST_EXP_FAIL(connect(sendsock, (struct sockaddr *)&addr, SOCKET_LENGTH), EPERM);
+
+	SAFE_CLOSE(sendsock);
+
+	TST_CHECKPOINT_WAKE(0);
+}
+
+static void run_server(void)
+{
+	if (tst_variant == DOMAIN_SERVER)
+		scoped_sandbox("server");
+
+	int recvsock;
+	struct sockaddr_un addr = {
+		.sun_family = AF_UNIX,
+		.sun_path = ABSTRACT_SOCKET_NAME,
+	};
+
+	recvsock = SAFE_SOCKET(AF_UNIX, SOCK_STREAM, 0);
+
+	SAFE_BIND(recvsock, (struct sockaddr *)&addr, SOCKET_LENGTH);
+	SAFE_LISTEN(recvsock, 5);
+
+	tst_res(TINFO, "Listening on UNIX socket");
+
+	TST_CHECKPOINT_WAKE_AND_WAIT(0);
+
+	SAFE_CLOSE(recvsock);
+}
+
+static void run(void)
+{
+	/* isolate test inside a process so we won't stack too many
+	 * layers (-E2BIG) when there are multiple test's iterations
+	 */
+	if (SAFE_FORK())
+		return;
+
+	if (tst_variant == DOMAIN_BOTH)
+		scoped_sandbox("server and client");
+
+	if (!SAFE_FORK()) {
+		run_client();
+		exit(0);
+	}
+
+	run_server();
+
+	tst_reap_children();
+}
+
+static void setup(void)
+{
+	int abi;
+
+	abi = verify_landlock_is_enabled();
+	if (abi < 6)
+		tst_brk(TCONF, "LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET is unsupported on ABI < 6");
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.needs_root = 1,
+	.forks_child = 1,
+	.needs_tmpdir = 1,
+	.needs_checkpoints = 1,
+	.test_variants = DOMAIN_LENGTH,
+	.bufs = (struct tst_buffers []) {
+		{&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi6)},
+		{},
+	},
+	.caps = (struct tst_cap []) {
+		TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+		{}
+	},
+};
diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h
index 4aa11b7d2ad46915cd1ce1592bdaa2fb6ad77628..8857745d6f1c1c30fc914924b8d0da381b36059f 100644
--- a/testcases/kernel/syscalls/landlock/landlock_common.h
+++ b/testcases/kernel/syscalls/landlock/landlock_common.h
@@ -115,6 +115,17 @@ static inline void apply_landlock_net_layer(
 	SAFE_CLOSE(ruleset_fd);
 }
 
+static inline void apply_landlock_scoped_layer(
+	void *ruleset_attr, size_t attr_size)
+{
+	int ruleset_fd;
+
+	ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size, 0);
+	enforce_ruleset(ruleset_fd);
+
+	SAFE_CLOSE(ruleset_fd);
+}
+
 static inline in_port_t getsocket_port(struct socket_data *socket,
 	const int addr_family)
 {

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH 4/4] landlock: add landlock10 test

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

Verify that landlock's LANDLOCK_SCOPE_SIGNAL rule rejects any
signal coming from a process on a different domain, but accept
signals from processes in the same domain.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 testcases/kernel/syscalls/landlock/.gitignore   |   1 +
 testcases/kernel/syscalls/landlock/landlock10.c | 110 ++++++++++++++++++++++++
 2 files changed, 111 insertions(+)

diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index cda8d871e051ec88abba4634a2bcda4b10470d9f..8c88803df4580605da800c414ada62994b35d268 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -8,3 +8,4 @@ landlock06
 landlock07
 landlock08
 landlock09
+landlock10
diff --git a/testcases/kernel/syscalls/landlock/landlock10.c b/testcases/kernel/syscalls/landlock/landlock10.c
new file mode 100644
index 0000000000000000000000000000000000000000..572c3dfe35810e2da301aae4b9807bcc55682f91
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock10.c
@@ -0,0 +1,110 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2025 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * Verify that landlock's LANDLOCK_SCOPE_SIGNAL rule rejects any signal coming
+ * from a process on a different domain, but accept signals from processes in
+ * the same domain.
+ */
+
+#include "tst_test.h"
+#include "landlock_common.h"
+
+static struct tst_landlock_ruleset_attr_abi6 *ruleset_attr;
+
+enum {
+	DOMAIN_PAUSED = 0,
+	DOMAIN_KILLER,
+	DOMAIN_BOTH,
+	DOMAIN_LENGTH,
+};
+
+static void scoped_sandbox(const char *from)
+{
+	tst_res(TINFO, "Enforcing rule LANDLOCK_SCOPE_SIGNAL for %s process", from);
+
+	ruleset_attr->scoped = LANDLOCK_SCOPE_SIGNAL;
+	apply_landlock_scoped_layer(ruleset_attr, sizeof(*ruleset_attr));
+}
+
+static void run(void)
+{
+	/* isolate test inside a process so we won't stack too many
+	 * layers (-E2BIG) when there are multiple test's iterations
+	 */
+	if (SAFE_FORK())
+		return;
+
+	if (tst_variant == DOMAIN_BOTH)
+		scoped_sandbox("paused and killer");
+
+	pid_t paused_pid;
+	pid_t killer_pid;
+
+	paused_pid = SAFE_FORK();
+	if (!paused_pid) {
+		if (tst_variant == DOMAIN_PAUSED)
+			scoped_sandbox("paused");
+
+		TST_CHECKPOINT_WAKE(0);
+		pause();
+		exit(0);
+	}
+
+	TST_CHECKPOINT_WAIT(0);
+	TST_PROCESS_STATE_WAIT(paused_pid, 'S', 10000);
+
+	killer_pid = SAFE_FORK();
+	if (!killer_pid) {
+		if (tst_variant == DOMAIN_KILLER)
+			scoped_sandbox("killer");
+
+		TST_CHECKPOINT_WAKE(0);
+
+		if (tst_variant == DOMAIN_KILLER)
+			TST_EXP_FAIL(kill(paused_pid, SIGKILL), EPERM);
+		else
+			TST_EXP_PASS(kill(paused_pid, SIGKILL));
+
+		exit(0);
+	}
+
+	TST_CHECKPOINT_WAIT(0);
+	SAFE_WAITPID(killer_pid, NULL, 0);
+
+	if (kill(paused_pid, SIGKILL) == -1) {
+		if (errno != ESRCH)
+			tst_brk(TBROK | TERRNO, "kill(%u, SIGKILL) error", paused_pid);
+	}
+
+	SAFE_WAITPID(paused_pid, NULL, 0);
+}
+
+static void setup(void)
+{
+	int abi;
+
+	abi = verify_landlock_is_enabled();
+	if (abi < 6)
+		tst_brk(TCONF, "LANDLOCK_SCOPE_SIGNAL is unsupported on ABI < 6");
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.needs_root = 1,
+	.forks_child = 1,
+	.needs_tmpdir = 1,
+	.needs_checkpoints = 1,
+	.test_variants = DOMAIN_LENGTH,
+	.bufs = (struct tst_buffers []) {
+		{&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi6)},
+		{},
+	},
+	.caps = (struct tst_cap []) {
+		TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+		{}
+	},
+};

-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH 0/4] Landlock tests for ABI v6

[Petr Vorel]

Hi all,

FYI new batch of Andrea's work on landlock test coverage in LTP.
Feel free to have a look.

https://patchwork.ozlabs.org/project/ltp/list/?series=450223&archive=both
https://lore.kernel.org/ltp/20250327-landlock_unix_socket-v1-0-584653f66d9c@suse.com/T/#t

Kind regards,
Petr

> Landlock released a new feature for IPC scoping in the new ABI.
> This includes the following new rules which will be tested in
> this patch-set:

> - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
> - LANDLOCK_SCOPE_SIGNAL

> https://docs.kernel.org/userspace-api/landlock.html#ipc-scoping

> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> Andrea Cervesato (4):
>       Add landlock ABI v6 fallback
>       landlock02: support landlock ABI v6
>       landlock: add landlock09 test
>       landlock: add landlock10 test

>  include/lapi/landlock.h                            |  23 +++-
>  testcases/kernel/syscalls/landlock/.gitignore      |   2 +
>  testcases/kernel/syscalls/landlock/landlock02.c    |  10 +-
>  testcases/kernel/syscalls/landlock/landlock09.c    | 132 +++++++++++++++++++++
>  testcases/kernel/syscalls/landlock/landlock10.c    | 110 +++++++++++++++++
>  .../kernel/syscalls/landlock/landlock_common.h     |  11 ++
>  6 files changed, 280 insertions(+), 8 deletions(-)

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH 3/4] landlock: add landlock09 test

[Cyril Hrubis]

Hi!
> Create landlock09 test in order to verify that sandboxed processes
> enforced with LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET rule can't
> connect to any UNIX socket from non-sandboxed processes.
> 
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
>  testcases/kernel/syscalls/landlock/.gitignore      |   1 +
>  testcases/kernel/syscalls/landlock/landlock09.c    | 132 +++++++++++++++++++++
>  .../kernel/syscalls/landlock/landlock_common.h     |  11 ++
>  3 files changed, 144 insertions(+)

Runtest entry?

> +/*\
> + * Verify that landlock's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET rule reject any
> + * connect() coming from a client on a different server domain, but accept any
> + * connection.
> + */
> +
> +#include "tst_test.h"
> +#include "landlock_common.h"
> +
> +#define SOCKET_NAME "test.sock"
> +#define ABSTRACT_SOCKET_NAME "\0"SOCKET_NAME
> +#define SOCKET_LENGTH (offsetof(struct sockaddr_un, sun_path) + strlen(SOCKET_NAME) + 1)
                    ^
		    SIZE

> +enum {
> +	DOMAIN_CLIENT = 0,
> +	DOMAIN_SERVER,
> +	DOMAIN_BOTH,
> +	DOMAIN_LENGTH,
               ^
	       CNT


Other than that:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH 4/4] landlock: add landlock10 test

[Cyril Hrubis]

Hi!
> Verify that landlock's LANDLOCK_SCOPE_SIGNAL rule rejects any
> signal coming from a process on a different domain, but accept
> signals from processes in the same domain.
> 
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
>  testcases/kernel/syscalls/landlock/.gitignore   |   1 +
>  testcases/kernel/syscalls/landlock/landlock10.c | 110 ++++++++++++++++++++++++
>  2 files changed, 111 insertions(+)

Here as well, runtest entry?

> diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
> index cda8d871e051ec88abba4634a2bcda4b10470d9f..8c88803df4580605da800c414ada62994b35d268 100644
> --- a/testcases/kernel/syscalls/landlock/.gitignore
> +++ b/testcases/kernel/syscalls/landlock/.gitignore
> @@ -8,3 +8,4 @@ landlock06
>  landlock07
>  landlock08
>  landlock09
> +landlock10
> diff --git a/testcases/kernel/syscalls/landlock/landlock10.c b/testcases/kernel/syscalls/landlock/landlock10.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..572c3dfe35810e2da301aae4b9807bcc55682f91
> --- /dev/null
> +++ b/testcases/kernel/syscalls/landlock/landlock10.c
> @@ -0,0 +1,110 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2025 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * Verify that landlock's LANDLOCK_SCOPE_SIGNAL rule rejects any signal coming
> + * from a process on a different domain, but accept signals from processes in
> + * the same domain.
> + */
> +
> +#include "tst_test.h"
> +#include "landlock_common.h"
> +
> +static struct tst_landlock_ruleset_attr_abi6 *ruleset_attr;
> +
> +enum {
> +	DOMAIN_PAUSED = 0,
> +	DOMAIN_KILLER,
> +	DOMAIN_BOTH,
> +	DOMAIN_LENGTH,
                ^
		CNT

Otherwise it looks good:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH 2/4] landlock02: support landlock ABI v6

[Cyril Hrubis]

Hi!
>  	attr_abi1->handled_access_fs =
> -		attr_abi4->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
> +		attr_abi4->handled_access_fs =
> +		attr_abi6->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;

While this is perfectly valid C I would just intialize each of them
separately since that would be easier to read.


Other than that:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH 1/4] Add landlock ABI v6 fallback

[Cyril Hrubis]

Hi!
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp