| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250719-landlock_abstractions-v1-2-2c4fd61f8973@gmail.com>
Date: Sat, 19 Jul 2025 06:41:25 -0600
From: Abhinav Saxena <xandfury@...il.com>
To: Mickaël Salaün <mic@...ikod.net>,
Günther Noack <gnoack@...gle.com>,
Shuah Khan <shuah@...nel.org>
Cc: linux-security-module@...r.kernel.org, linux-kselftest@...r.kernel.org,
linux-kernel@...r.kernel.org, Abhinav Saxena <xandfury@...il.com>
Subject: [PATCH RFC 2/3] selftests/landlock: add cross-domain variants
Add scoped_cross_domain_variants.h providing shared test variants for
interactions between two independent Landlock domains. Current tests
only cover hierarchical (parent-child) relationships but miss the
case where unrelated processes establish peer domains.
The header defines four canonical variants:
- none_to_none: both processes unrestricted
- none_to_scoped: only accessor process scoped
- scoped_to_none: only resource process scoped
- scoped_to_scoped: both processes scoped (peer domains)
This abstraction will be shared across signal, abstract UNIX socket,
and future scope types (like memfd execution) to ensure comprehensive
cross-domain test coverage.
Signed-off-by: Abhinav Saxena <xandfury@...il.com>
---
.../landlock/scoped_cross_domain_variants.h | 54 ++++++++++++++++++++++
1 file changed, 54 insertions(+)
diff --git a/tools/testing/selftests/landlock/scoped_cross_domain_variants.h b/tools/testing/selftests/landlock/scoped_cross_domain_variants.h
new file mode 100644
index 000000000000..6068987a52c8
--- /dev/null
+++ b/tools/testing/selftests/landlock/scoped_cross_domain_variants.h
@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Landlock self-tests - cross-domain scope variants
+ *
+ * Provides one FIXTURE_VARIANT and the four canonical combinations
+ * (none->none, none->scoped, scoped->none, scoped->scoped). Every test that
+ * checks interactions between two independently created domains
+ * includes this header and iterates over the variants.
+ *
+ * Variant structure: which domain each side of the interaction lives in.
+ * resource_domain - process that creates/owns the resource
+ * accessor_domain - process that uses the resource
+ *
+ * Copyright © 2025 Abhinav Saxena <xandfury@...il.com>
+ *
+ */
+
+FIXTURE_VARIANT(cross_domain_scope)
+{
+ enum sandbox_type resource_domain;
+ enum sandbox_type accessor_domain;
+};
+
+/* Four concrete combinations */
+FIXTURE_VARIANT_ADD(cross_domain_scope, none_to_none) {
+ .resource_domain = NO_SANDBOX,
+ .accessor_domain = NO_SANDBOX,
+};
+
+FIXTURE_VARIANT_ADD(cross_domain_scope, none_to_scoped) {
+ .resource_domain = NO_SANDBOX,
+ .accessor_domain = SCOPE_SANDBOX,
+};
+
+FIXTURE_VARIANT_ADD(cross_domain_scope, scoped_to_none) {
+ .resource_domain = SCOPE_SANDBOX,
+ .accessor_domain = NO_SANDBOX,
+};
+
+FIXTURE_VARIANT_ADD(cross_domain_scope, scoped_to_scoped) {
+ .resource_domain = SCOPE_SANDBOX,
+ .accessor_domain = SCOPE_SANDBOX,
+};
+
+/*
+ * Mapping reminder:
+ * SIGNAL resource = receiver accessor = sender
+ * ABSTRACT UNIX resource = server accessor = client
+ * future scopes resource = creator accessor = user
+ *
+ * Only the accessor domain is enforced; tests therefore expect:
+ * accessor NO_SANDBOX -> ALLOW operation
+ * accessor SCOPE_SANDBOX -> DENY if resource is outside its domain
+ */
--
2.43.0
Powered by blists - more mailing lists