[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240719150618.197991-3-mic@digikod.net>
Date: Fri, 19 Jul 2024 17:06:17 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Günther Noack <gnoack@...gle.com>,
Ivanov Mikhail <ivanov.mikhail1@...wei-partners.com>,
Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
Paul Moore <paul@...l-moore.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
Casey Schaufler <casey@...aufler-ca.com>,
Jeff Xu <jeffxu@...gle.com>,
Kees Cook <keescook@...omium.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
Shervin Oloumi <enlightened@...omium.org>,
Tahera Fahimi <fahimitahera@...il.com>,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
stable@...r.kernel.org
Subject: [RFC PATCH v1 2/3] selftests/landlock: Add test for socket's domain
This new ipv4_tcp.socket_domain test checks that the restrictions are
tied to the socket at creation time, but not tied to the thread
requesting a bind action.
Properly close file descriptor in ipv4.with_fs test.
Cc: Günther Noack <gnoack@...gle.com>
Cc: Ivanov Mikhail <ivanov.mikhail1@...wei-partners.com>
Cc: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
Cc: Paul Moore <paul@...l-moore.com>
Cc: Tahera Fahimi <fahimitahera@...il.com>
Cc: stable@...r.kernel.org
Fixes: a549d055a22e ("selftests/landlock: Add network tests")
Signed-off-by: Mickaël Salaün <mic@...ikod.net>
Link: https://lore.kernel.org/r/20240719150618.197991-3-mic@digikod.net
---
tools/testing/selftests/landlock/net_test.c | 29 +++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index f21cfbbc3638..79251e27d26d 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -1579,6 +1579,35 @@ TEST_F(ipv4_tcp, with_fs)
bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
ASSERT_LE(0, bind_fd);
EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
+}
+
+TEST_F(ipv4_tcp, socket_domain)
+{
+ const struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
+ };
+ int ruleset_fd, bind_fd;
+
+ /* Creates socket before sandboxing. */
+ bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_LE(0, bind_fd);
+
+ ruleset_fd =
+ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ EXPECT_EQ(0, close(ruleset_fd));
+
+ /* Tests port binding with unsandboxed socket. */
+ EXPECT_EQ(0, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
+
+ /* Tests port binding with new sandboxed socket. */
+ bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_LE(0, bind_fd);
+ EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
}
FIXTURE(port_specific)
--
2.45.2
Powered by blists - more mailing lists