lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bc365e13-f02d-4518-801a-a02e51f4f72e@collabora.com>
Date: Wed, 20 Dec 2023 16:19:44 +0500
From: Muhammad Usama Anjum <usama.anjum@...labora.com>
To: Mickaël Salaün <mic@...ikod.net>,
 Eric Dumazet <edumazet@...gle.com>
Cc: Muhammad Usama Anjum <usama.anjum@...labora.com>,
 Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
 willemdebruijn.kernel@...il.com, gnoack3000@...il.com,
 linux-security-module@...r.kernel.org, netdev@...r.kernel.org,
 netfilter-devel@...r.kernel.org, yusongping@...wei.com,
 artem.kuzin@...wei.com,
 "open list : KERNEL SELFTEST FRAMEWORK" <linux-kselftest@...r.kernel.org>,
 bpf@...r.kernel.org
Subject: Re: [PATCH v14 10/12] selftests/landlock: Add network tests

On 12/20/23 2:17 PM, Mickaël Salaün wrote:
> Hi Muhammad,
> 
> Thanks for the report.
> 
> On Tue, Dec 19, 2023 at 03:38:55PM +0500, Muhammad Usama Anjum wrote:
>> Hi Konstantin,
>>
>> There are some errors being reported in KernelCI:
>> https://linux.kernelci.org/test/plan/id/657ab2240c761c0bd1e134ee/
>>
>> The following sub-tests are failing:
>> landlock_net_test_protocol_no_sandbox_with_ipv6_tcp_bind_unspec
>> landlock_net_test_protocol_no_sandbox_with_ipv6_udp_bind_unspec
>> landlock_net_test_protocol_tcp_sandbox_with_ipv6_udp_bind_unspec
>>
>> From my initial investigation, I can see that these failures are coming
>> from just finding the wrong return error code (-97 instead of -22). It may
>> be test's issue or the kernel's, not sure yet.
> 
> I cannot reproduce these errors (with the same kernel commit), the
> Defconfig URL is broken. Could you please share the config used for
> tests?
I've also attached the config. I'm generated the config by following:
make defconfig && make kvm_guest.config
scripts/kconfig/merge_config.sh .config tools/testing/selftests/landlock/config

> 
> According to the failing tests, it looks like the network stack returns
> EAFNOSUPPORT instead of EINVAL, which should happen because addr_len <
> SIN6_LEN_RFC2133 (cf. inet6_bind_sk).  I then think that the issue comes
> from an inconsistent error priority with the prot->bind() call in
> inet6_bind_sk() that may return EAFNOSUPPORT when uaddr contains
> AF_UNSPEC. I didn't find such bind() implementations though.
> 
> Could you please validate this theory by removing this call in
> inet6_bind_sk() and run the tests again?
I'll have a look if I can find anything.

> 
> Eric, do you know where are such struct proto bind() implementations and
> why they may return EAFNOSUPPORT?
> 
> Regards,
>  Mickaël
> 
> 
>>
>> Thanks,
>> Usama
>>
>> On 10/26/23 6:47 AM, Konstantin Meskhidze wrote:
>>> Add 82 test suites to check edge cases related to bind() and connect()
>>> actions. They are defined with 6 fixtures and their variants:
>>>
>>> The "protocol" fixture is extended with 12 variants defined as a matrix
>>> of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and
>>> stream/datagram socket. 4 related tests suites are defined:
>>> * bind: Tests with non-landlocked/landlocked ipv4, ipv6 and unix sockets.
>>> * connect: Tests with non-landlocked/landlocked ipv4, ipv6 and unix
>>> sockets.
>>> * bind_unspec: Tests with non-landlocked/landlocked restrictions
>>> for bind action with AF_UNSPEC socket family.
>>> * connect_unspec: Tests with non-landlocked/landlocked restrictions
>>> for connect action with AF_UNSPEC socket family.
>>>
>>> The "ipv4" fixture is extended with 4 variants defined as a matrix
>>> of: sandboxed/not-sandboxed, IPv4/unix network domain, and
>>> stream/datagram socket. 1 related test suite is defined:
>>> * from_unix_to_inet: Tests to make sure unix sockets' actions are not
>>> restricted by Landlock rules applied to TCP ones.
>>>
>>> The "tcp_layers" fixture is extended with 8 variants defined as a matrix
>>> of: IPv4/IPv6 network domain, and different number of landlock rule layers.
>>> 2 related tests suites are defined:
>>> * ruleset_overlap.
>>> * ruleset_expand.
>>>
>>> In the "mini" fixture 4 tests suites are defined:
>>> * network_access_rights: Tests with legitimate access values.
>>> * unknown_access_rights: Tests with invalid attributes, out of access
>>>   range.
>>> * inval:
>>>   - unhandled allowed access.
>>>   - zero access value.
>>> * tcp_port_overflow: Tests with wrong port values more than U16_MAX.
>>>
>>> In the "ipv4_tcp" fixture supports IPv4 network domain, stream socket.
>>> 2 tests suites are defined:
>>> * port_endianness: Tests with big/little endian port formats.
>>> * with_fs: Tests with network bind() socket action within
>>> filesystem directory access test.
>>>
>>> The "port_specific" fixture is extended with 4 variants defined
>>> as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain,
>>> and stream socket. 2 related tests suites are defined:
>>> * bind_connect_zero: Tests with port 0 value.
>>> * bind_connect_1023: Tests with port 1023 value.
>>>
>>> Test coverage for security/landlock is 94.5% of 932 lines according to
>>> gcc/gcov-9.
>>>
>>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
>>> Co-developed-by: Mickaël Salaün <mic@...ikod.net>
>>> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
>>> ---
>>>
>>> Changes since v13:
>>> * Refactors "port_specific" test fixture:
>>>     - Deletes useless if .. else.
>>>     - Deletes repeating bind to port 0.
>>>     - Deletes useless lines.
>>>     - Adds 2 file descriptors per socket.
>>>     - Updates get_binded helper.
>>>     - Split test suite to bind_connect_zero
>>>       and bind_connect_1023.
>>> * Adds CAP_NET_BIND_SERVICE to set_cap(); it helps
>>> in bind_connect_1023 test.
>>> * Moves with_net test from fs_test.c.
>>> * Renames with_net test to with_fs.
>>> * Refactors with_fs test by adding different
>>> rule types per one ruleset layer.
>>> * Minor fixes.
>>> * Refactors commit message.
>>>
>>> Changes since v12:
>>> * Renames port_zero to port_specific fixture.
>>> * Refactors port_specific test:
>>>     - Adds set_port() and get_binded_port() helpers.
>>>     - Adds checks for port 0, allowed by Landlock in this version.
>>>     - Adds checks for port 1023.
>>> * Refactors commit message.
>>>
>>> Changes since v11:
>>> * Adds ipv4.from_unix_to_tcp test suite to check that socket family is
>>>   the same between a socket and a sockaddr by trying to connect/bind on
>>>   a unix socket (stream or dgram) using an inet family.  Landlock should
>>>   not change the error code.  This found a bug (which needs to be fixed)
>>>   with the TCP restriction.
>>> * Revamps the inet.{bind,connect} tests into protocol.{bind,connect}:
>>>   - Merge bind_connect_unix_dgram_socket, bind_connect_unix_dgram_socket
>>>     and bind_connect_inval_addrlen into it: add a full test matrix of
>>>     IPv4/TCP, IPv6/TCP, IPv4/UDP, IPv6/UDP, unix/stream, unix/dgram, all
>>>     of them with or without sandboxing. This improve coverage and it
>>>     enables to check that a TCP restriction work as expected but doesn't
>>>     restrict other stream or datagram protocols. This also enables to
>>>     check consistency of the network stack with or without Landlock.
>>>     We now have 76 test suites for the network.
>>>   - Add full send/recv checks.
>>>   - Make a generic framework that will be ready for future
>>>     protocol supports.
>>> * Replaces most ASSERT with EXPECT according to the criticity of an
>>>   action: if we can get more meaningful information with following
>>>   checks.  For instance, failure to create a kernel object (e.g.
>>>   socket(), accept() or fork() call) is critical if it is used by
>>>   following checks. For Landlock ruleset building, the following checks
>>>   don't make sense if the sandbox is not complete.  However, it doesn't
>>>   make sense to continue a FIXTURE_SETUP() if any check failed.
>>> * Adds a new unspec fixture to replace inet.bind_afunspec with
>>>   unspec.bind and inet.connect_afunspec with unspec.connect, factoring
>>>   and simplifying code.
>>> * Replaces inet.bind_afunspec with protocol.bind_unspec, and
>>>   inet.connect_afunspec with protocol.connect_unspec.  Extend these
>>>   tests with the matrix of all "protocol" variants.  Don't test connect
>>>   with the same socket which is already binded/listening (I guess this
>>>   was an copy-paste error).  The protocol.bind_unspec tests found a bug
>>>   (which needs to be fixed).
>>> * Add* and use set_service() and setup_loopback() helpers to configure
>>>   network services.  Add and use and test_bind_and_connect() to factor
>>>   out a lot of checks.
>>> * Adds new types (protocol_variant, service_fixture) and update related
>>>   helpers to get more generic test code.
>>> * Replaces static (port) arrays with service_fixture variables.
>>> * Adds new helpers: {bind,connect}_variant_addrlen() and get_addrlen() to
>>>   cover all protocols with previous bind_connect_inval_addrlen tests.
>>>   Make them return -errno in case of error.
>>> * Switchs from a unix socket path address to an abstract one. This
>>>   enables to avoid file cleanup in test teardowns.
>>> * Closes all rulesets after enforcement.
>>> * Removes the duplicate "empty access" test.
>>> * Replaces inet.ruleset_overlay with tcp_layers.ruleset_overlap and
>>>   simplify test:
>>>   - Always run sandbox tests because test were always run sandboxed and
>>>     it doesn't give more guarantees to do it not sandboxed.
>>>   - Rewrite test with variant->num_layers to make it simpler and
>>>     configurable.
>>>   - Add another test layer to tcp_layers used for ruleset_overlap and
>>>     test without sandbox.
>>>   - Leverage test_bind_and_connect() and avoid using SO_REUSEADDR
>>>     because the socket was not listened to, and don't use the same
>>>     socket/FD for server and client.
>>>   - Replace inet.ruleset_expanding with tcp_layers.ruleset_expand.
>>> * Drops capabilities in all FIXTURE_SETUP().
>>> * Changes test ports to cover more ranges.
>>> * Adds "mini" tests:
>>>   - Replace the invalid ruleset attribute test from port.inval with
>>>     mini.unknow_access_rights.
>>>   - Simplify port.inval and move some code to other mini.* tests.
>>>   - Add new mini.network_access_rights test.
>>> * Rewrites inet.inval_port_format into mini.tcp_port_overflow:
>>>   - Remove useless is_sandbox checks.
>>>   - Extend tests with bind/connect checks.
>>>   - Interleave valid requests with invalid ones.
>>> * Adds two_srv.port_endianness test, extracted and extended from
>>>   inet.inval_port_format .
>>> * Adds Microsoft copyright.
>>> * Rename some variables to make them easier to read.
>>> * Constifies variables.
>>> * Adds minimal logs to help debug test failures.
>>> * Renames inet test to ipv4 and deletes is_sandboxed and prot vars from
>>>   FIXTURE_VARIANT.
>>> * Adds port_zero tests.
>>> * Renames all "net_service" to "net_port".
>>>
>>> Changes since v10:
>>> * Replaces FIXTURE_VARIANT() with struct _fixture_variant_ .
>>> * Changes tests names socket -> inet, standalone -> port.
>>> * Gets rid of some DEFINEs.
>>> * Changes names and groups tests' variables.
>>> * Changes create_socket_variant() helper name to socket_variant().
>>> * Refactors FIXTURE_SETUP(port) logic.
>>> * Changes TEST_F_FORK -> TEST_F since there no teardown.
>>> * Refactors some tests' logic.
>>> * Minor fixes.
>>> * Refactors commit message.
>>>
>>> Changes since v9:
>>> * Fixes mixing code declaration and code.
>>> * Refactors FIXTURE_TEARDOWN() with clang-format.
>>> * Replaces struct _fixture_variant_socket with
>>> FIXTURE_VARIANT(socket).
>>> * Deletes useless condition if (variant->is_sandboxed)
>>> in multiple locations.
>>> * Deletes zero_size argument in bind_variant() and
>>> connect_variant().
>>> * Adds tests for port values exceeding U16_MAX.
>>>
>>> Changes since v8:
>>> * Adds is_sandboxed const for FIXTURE_VARIANT(socket).
>>> * Refactors AF_UNSPEC tests.
>>> * Adds address length checking tests.
>>> * Convert ports in all tests to __be16.
>>> * Adds invalid port values tests.
>>> * Minor fixes.
>>>
>>> Changes since v7:
>>> * Squashes all selftest commits.
>>> * Adds fs test with network bind() socket action.
>>> * Minor fixes.
>>>
>>> ---
>>>  tools/testing/selftests/landlock/common.h   |    3 +
>>>  tools/testing/selftests/landlock/config     |    4 +
>>>  tools/testing/selftests/landlock/net_test.c | 1744 +++++++++++++++++++
>>>  3 files changed, 1751 insertions(+)
>>>  create mode 100644 tools/testing/selftests/landlock/net_test.c
>>>
>>> diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
>>> index 0fd6c4cf5e6f..5b79758cae62 100644
>>> --- a/tools/testing/selftests/landlock/common.h
>>> +++ b/tools/testing/selftests/landlock/common.h
>>> @@ -112,10 +112,13 @@ static void _init_caps(struct __test_metadata *const _metadata, bool drop_all)
>>>  	cap_t cap_p;
>>>  	/* Only these three capabilities are useful for the tests. */
>>>  	const cap_value_t caps[] = {
>>> +		/* clang-format off */
>>>  		CAP_DAC_OVERRIDE,
>>>  		CAP_MKNOD,
>>>  		CAP_SYS_ADMIN,
>>>  		CAP_SYS_CHROOT,
>>> +		CAP_NET_BIND_SERVICE,
>>> +		/* clang-format on */
>>>  	};
>>>
>>>  	cap_p = cap_get_proc();
>>> diff --git a/tools/testing/selftests/landlock/config b/tools/testing/selftests/landlock/config
>>> index 3dc9e438eab1..0086efaa7b68 100644
>>> --- a/tools/testing/selftests/landlock/config
>>> +++ b/tools/testing/selftests/landlock/config
>>> @@ -1,5 +1,9 @@
>>>  CONFIG_CGROUPS=y
>>>  CONFIG_CGROUP_SCHED=y
>>> +CONFIG_INET=y
>>> +CONFIG_IPV6=y
>>> +CONFIG_NET=y
>>> +CONFIG_NET_NS=y
>>>  CONFIG_OVERLAY_FS=y
>>>  CONFIG_PROC_FS=y
>>>  CONFIG_SECURITY=y
>>> diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
>>> new file mode 100644
>>> index 000000000000..3c0a10f9811a
>>> --- /dev/null
>>> +++ b/tools/testing/selftests/landlock/net_test.c
>>> @@ -0,0 +1,1744 @@
>>> +// SPDX-License-Identifier: GPL-2.0-only
>>> +/*
>>> + * Landlock tests - Network
>>> + *
>>> + * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
>>> + * Copyright © 2023 Microsoft Corporation
>>> + */
>>> +
>>> +#define _GNU_SOURCE
>>> +#include <arpa/inet.h>
>>> +#include <errno.h>
>>> +#include <fcntl.h>
>>> +#include <linux/landlock.h>
>>> +#include <linux/in.h>
>>> +#include <sched.h>
>>> +#include <stdint.h>
>>> +#include <string.h>
>>> +#include <sys/prctl.h>
>>> +#include <sys/socket.h>
>>> +#include <sys/un.h>
>>> +
>>> +#include "common.h"
>>> +
>>> +const short sock_port_start = (1 << 10);
>>> +
>>> +static const char loopback_ipv4[] = "127.0.0.1";
>>> +static const char loopback_ipv6[] = "::1";
>>> +
>>> +/* Number pending connections queue to be hold. */
>>> +const short backlog = 10;
>>> +
>>> +enum sandbox_type {
>>> +	NO_SANDBOX,
>>> +	/* This may be used to test rules that allow *and* deny accesses. */
>>> +	TCP_SANDBOX,
>>> +};
>>> +
>>> +struct protocol_variant {
>>> +	int domain;
>>> +	int type;
>>> +};
>>> +
>>> +struct service_fixture {
>>> +	struct protocol_variant protocol;
>>> +	/* port is also stored in ipv4_addr.sin_port or ipv6_addr.sin6_port */
>>> +	unsigned short port;
>>> +	union {
>>> +		struct sockaddr_in ipv4_addr;
>>> +		struct sockaddr_in6 ipv6_addr;
>>> +		struct {
>>> +			struct sockaddr_un unix_addr;
>>> +			socklen_t unix_addr_len;
>>> +		};
>>> +	};
>>> +};
>>> +
>>> +static int set_service(struct service_fixture *const srv,
>>> +		       const struct protocol_variant prot,
>>> +		       const unsigned short index)
>>> +{
>>> +	memset(srv, 0, sizeof(*srv));
>>> +
>>> +	/*
>>> +	 * Copies all protocol properties in case of the variant only contains
>>> +	 * a subset of them.
>>> +	 */
>>> +	srv->protocol = prot;
>>> +
>>> +	/* Checks for port overflow. */
>>> +	if (index > 2)
>>> +		return 1;
>>> +	srv->port = sock_port_start << (2 * index);
>>> +
>>> +	switch (prot.domain) {
>>> +	case AF_UNSPEC:
>>> +	case AF_INET:
>>> +		srv->ipv4_addr.sin_family = prot.domain;
>>> +		srv->ipv4_addr.sin_port = htons(srv->port);
>>> +		srv->ipv4_addr.sin_addr.s_addr = inet_addr(loopback_ipv4);
>>> +		return 0;
>>> +
>>> +	case AF_INET6:
>>> +		srv->ipv6_addr.sin6_family = prot.domain;
>>> +		srv->ipv6_addr.sin6_port = htons(srv->port);
>>> +		inet_pton(AF_INET6, loopback_ipv6, &srv->ipv6_addr.sin6_addr);
>>> +		return 0;
>>> +
>>> +	case AF_UNIX:
>>> +		srv->unix_addr.sun_family = prot.domain;
>>> +		sprintf(srv->unix_addr.sun_path,
>>> +			"_selftests-landlock-net-tid%d-index%d", gettid(),
>>> +			index);
>>> +		srv->unix_addr_len = SUN_LEN(&srv->unix_addr);
>>> +		srv->unix_addr.sun_path[0] = '\0';
>>> +		return 0;
>>> +	}
>>> +	return 1;
>>> +}
>>> +
>>> +static void setup_loopback(struct __test_metadata *const _metadata)
>>> +{
>>> +	set_cap(_metadata, CAP_SYS_ADMIN);
>>> +	ASSERT_EQ(0, unshare(CLONE_NEWNET));
>>> +	ASSERT_EQ(0, system("ip link set dev lo up"));
>>> +	clear_cap(_metadata, CAP_SYS_ADMIN);
>>> +}
>>> +
>>> +static bool is_restricted(const struct protocol_variant *const prot,
>>> +			  const enum sandbox_type sandbox)
>>> +{
>>> +	switch (prot->domain) {
>>> +	case AF_INET:
>>> +	case AF_INET6:
>>> +		switch (prot->type) {
>>> +		case SOCK_STREAM:
>>> +			return sandbox == TCP_SANDBOX;
>>> +		}
>>> +		break;
>>> +	}
>>> +	return false;
>>> +}
>>> +
>>> +static int socket_variant(const struct service_fixture *const srv)
>>> +{
>>> +	int ret;
>>> +
>>> +	ret = socket(srv->protocol.domain, srv->protocol.type | SOCK_CLOEXEC,
>>> +		     0);
>>> +	if (ret < 0)
>>> +		return -errno;
>>> +	return ret;
>>> +}
>>> +
>>> +#ifndef SIN6_LEN_RFC2133
>>> +#define SIN6_LEN_RFC2133 24
>>> +#endif
>>> +
>>> +static socklen_t get_addrlen(const struct service_fixture *const srv,
>>> +			     const bool minimal)
>>> +{
>>> +	switch (srv->protocol.domain) {
>>> +	case AF_UNSPEC:
>>> +	case AF_INET:
>>> +		return sizeof(srv->ipv4_addr);
>>> +
>>> +	case AF_INET6:
>>> +		if (minimal)
>>> +			return SIN6_LEN_RFC2133;
>>> +		return sizeof(srv->ipv6_addr);
>>> +
>>> +	case AF_UNIX:
>>> +		if (minimal)
>>> +			return sizeof(srv->unix_addr) -
>>> +			       sizeof(srv->unix_addr.sun_path);
>>> +		return srv->unix_addr_len;
>>> +
>>> +	default:
>>> +		return 0;
>>> +	}
>>> +}
>>> +
>>> +static void set_port(struct service_fixture *const srv, uint16_t port)
>>> +{
>>> +	switch (srv->protocol.domain) {
>>> +	case AF_UNSPEC:
>>> +	case AF_INET:
>>> +		srv->ipv4_addr.sin_port = htons(port);
>>> +		return;
>>> +
>>> +	case AF_INET6:
>>> +		srv->ipv6_addr.sin6_port = htons(port);
>>> +		return;
>>> +
>>> +	default:
>>> +		return;
>>> +	}
>>> +}
>>> +
>>> +static uint16_t get_binded_port(int socket_fd,
>>> +				const struct protocol_variant *const prot)
>>> +{
>>> +	struct sockaddr_in ipv4_addr;
>>> +	struct sockaddr_in6 ipv6_addr;
>>> +	socklen_t ipv4_addr_len, ipv6_addr_len;
>>> +
>>> +	/* Gets binded port. */
>>> +	switch (prot->domain) {
>>> +	case AF_UNSPEC:
>>> +	case AF_INET:
>>> +		ipv4_addr_len = sizeof(ipv4_addr);
>>> +		getsockname(socket_fd, &ipv4_addr, &ipv4_addr_len);
>>> +		return ntohs(ipv4_addr.sin_port);
>>> +
>>> +	case AF_INET6:
>>> +		ipv6_addr_len = sizeof(ipv6_addr);
>>> +		getsockname(socket_fd, &ipv6_addr, &ipv6_addr_len);
>>> +		return ntohs(ipv6_addr.sin6_port);
>>> +
>>> +	default:
>>> +		return 0;
>>> +	}
>>> +}
>>> +
>>> +static int bind_variant_addrlen(const int sock_fd,
>>> +				const struct service_fixture *const srv,
>>> +				const socklen_t addrlen)
>>> +{
>>> +	int ret;
>>> +
>>> +	switch (srv->protocol.domain) {
>>> +	case AF_UNSPEC:
>>> +	case AF_INET:
>>> +		ret = bind(sock_fd, &srv->ipv4_addr, addrlen);
>>> +		break;
>>> +
>>> +	case AF_INET6:
>>> +		ret = bind(sock_fd, &srv->ipv6_addr, addrlen);
>>> +		break;
>>> +
>>> +	case AF_UNIX:
>>> +		ret = bind(sock_fd, &srv->unix_addr, addrlen);
>>> +		break;
>>> +
>>> +	default:
>>> +		errno = EAFNOSUPPORT;
>>> +		return -errno;
>>> +	}
>>> +
>>> +	if (ret < 0)
>>> +		return -errno;
>>> +	return ret;
>>> +}
>>> +
>>> +static int bind_variant(const int sock_fd,
>>> +			const struct service_fixture *const srv)
>>> +{
>>> +	return bind_variant_addrlen(sock_fd, srv, get_addrlen(srv, false));
>>> +}
>>> +
>>> +static int connect_variant_addrlen(const int sock_fd,
>>> +				   const struct service_fixture *const srv,
>>> +				   const socklen_t addrlen)
>>> +{
>>> +	int ret;
>>> +
>>> +	switch (srv->protocol.domain) {
>>> +	case AF_UNSPEC:
>>> +	case AF_INET:
>>> +		ret = connect(sock_fd, &srv->ipv4_addr, addrlen);
>>> +		break;
>>> +
>>> +	case AF_INET6:
>>> +		ret = connect(sock_fd, &srv->ipv6_addr, addrlen);
>>> +		break;
>>> +
>>> +	case AF_UNIX:
>>> +		ret = connect(sock_fd, &srv->unix_addr, addrlen);
>>> +		break;
>>> +
>>> +	default:
>>> +		errno = -EAFNOSUPPORT;
>>> +		return -errno;
>>> +	}
>>> +
>>> +	if (ret < 0)
>>> +		return -errno;
>>> +	return ret;
>>> +}
>>> +
>>> +static int connect_variant(const int sock_fd,
>>> +			   const struct service_fixture *const srv)
>>> +{
>>> +	return connect_variant_addrlen(sock_fd, srv, get_addrlen(srv, false));
>>> +}
>>> +
>>> +FIXTURE(protocol)
>>> +{
>>> +	struct service_fixture srv0, srv1, srv2, unspec_any0, unspec_srv0;
>>> +};
>>> +
>>> +FIXTURE_VARIANT(protocol)
>>> +{
>>> +	const enum sandbox_type sandbox;
>>> +	const struct protocol_variant prot;
>>> +};
>>> +
>>> +FIXTURE_SETUP(protocol)
>>> +{
>>> +	const struct protocol_variant prot_unspec = {
>>> +		.domain = AF_UNSPEC,
>>> +		.type = SOCK_STREAM,
>>> +	};
>>> +
>>> +	disable_caps(_metadata);
>>> +
>>> +	ASSERT_EQ(0, set_service(&self->srv0, variant->prot, 0));
>>> +	ASSERT_EQ(0, set_service(&self->srv1, variant->prot, 1));
>>> +	ASSERT_EQ(0, set_service(&self->srv2, variant->prot, 2));
>>> +
>>> +	ASSERT_EQ(0, set_service(&self->unspec_srv0, prot_unspec, 0));
>>> +
>>> +	ASSERT_EQ(0, set_service(&self->unspec_any0, prot_unspec, 0));
>>> +	self->unspec_any0.ipv4_addr.sin_addr.s_addr = htonl(INADDR_ANY);
>>> +
>>> +	setup_loopback(_metadata);
>>> +};
>>> +
>>> +FIXTURE_TEARDOWN(protocol)
>>> +{
>>> +}
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET6,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_udp) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET,
>>> +		.type = SOCK_DGRAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_udp) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET6,
>>> +		.type = SOCK_DGRAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_stream) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_UNIX,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_datagram) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_UNIX,
>>> +		.type = SOCK_DGRAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET6,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_udp) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET,
>>> +		.type = SOCK_DGRAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_udp) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET6,
>>> +		.type = SOCK_DGRAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_unix_stream) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_UNIX,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_unix_datagram) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_UNIX,
>>> +		.type = SOCK_DGRAM,
>>> +	},
>>> +};
>>> +
>>> +static void test_bind_and_connect(struct __test_metadata *const _metadata,
>>> +				  const struct service_fixture *const srv,
>>> +				  const bool deny_bind, const bool deny_connect)
>>> +{
>>> +	char buf = '\0';
>>> +	int inval_fd, bind_fd, client_fd, status, ret;
>>> +	pid_t child;
>>> +
>>> +	/* Starts invalid addrlen tests with bind. */
>>> +	inval_fd = socket_variant(srv);
>>> +	ASSERT_LE(0, inval_fd)
>>> +	{
>>> +		TH_LOG("Failed to create socket: %s", strerror(errno));
>>> +	}
>>> +
>>> +	/* Tries to bind with zero as addrlen. */
>>> +	EXPECT_EQ(-EINVAL, bind_variant_addrlen(inval_fd, srv, 0));
>>> +
>>> +	/* Tries to bind with too small addrlen. */
>>> +	EXPECT_EQ(-EINVAL, bind_variant_addrlen(inval_fd, srv,
>>> +						get_addrlen(srv, true) - 1));
>>> +
>>> +	/* Tries to bind with minimal addrlen. */
>>> +	ret = bind_variant_addrlen(inval_fd, srv, get_addrlen(srv, true));
>>> +	if (deny_bind) {
>>> +		EXPECT_EQ(-EACCES, ret);
>>> +	} else {
>>> +		EXPECT_EQ(0, ret)
>>> +		{
>>> +			TH_LOG("Failed to bind to socket: %s", strerror(errno));
>>> +		}
>>> +	}
>>> +	EXPECT_EQ(0, close(inval_fd));
>>> +
>>> +	/* Starts invalid addrlen tests with connect. */
>>> +	inval_fd = socket_variant(srv);
>>> +	ASSERT_LE(0, inval_fd);
>>> +
>>> +	/* Tries to connect with zero as addrlen. */
>>> +	EXPECT_EQ(-EINVAL, connect_variant_addrlen(inval_fd, srv, 0));
>>> +
>>> +	/* Tries to connect with too small addrlen. */
>>> +	EXPECT_EQ(-EINVAL, connect_variant_addrlen(inval_fd, srv,
>>> +						   get_addrlen(srv, true) - 1));
>>> +
>>> +	/* Tries to connect with minimal addrlen. */
>>> +	ret = connect_variant_addrlen(inval_fd, srv, get_addrlen(srv, true));
>>> +	if (srv->protocol.domain == AF_UNIX) {
>>> +		EXPECT_EQ(-EINVAL, ret);
>>> +	} else if (deny_connect) {
>>> +		EXPECT_EQ(-EACCES, ret);
>>> +	} else if (srv->protocol.type == SOCK_STREAM) {
>>> +		/* No listening server, whatever the value of deny_bind. */
>>> +		EXPECT_EQ(-ECONNREFUSED, ret);
>>> +	} else {
>>> +		EXPECT_EQ(0, ret)
>>> +		{
>>> +			TH_LOG("Failed to connect to socket: %s",
>>> +			       strerror(errno));
>>> +		}
>>> +	}
>>> +	EXPECT_EQ(0, close(inval_fd));
>>> +
>>> +	/* Starts connection tests. */
>>> +	bind_fd = socket_variant(srv);
>>> +	ASSERT_LE(0, bind_fd);
>>> +
>>> +	ret = bind_variant(bind_fd, srv);
>>> +	if (deny_bind) {
>>> +		EXPECT_EQ(-EACCES, ret);
>>> +	} else {
>>> +		EXPECT_EQ(0, ret);
>>> +
>>> +		/* Creates a listening socket. */
>>> +		if (srv->protocol.type == SOCK_STREAM)
>>> +			EXPECT_EQ(0, listen(bind_fd, backlog));
>>> +	}
>>> +
>>> +	child = fork();
>>> +	ASSERT_LE(0, child);
>>> +	if (child == 0) {
>>> +		int connect_fd, ret;
>>> +
>>> +		/* Closes listening socket for the child. */
>>> +		EXPECT_EQ(0, close(bind_fd));
>>> +
>>> +		/* Starts connection tests. */
>>> +		connect_fd = socket_variant(srv);
>>> +		ASSERT_LE(0, connect_fd);
>>> +		ret = connect_variant(connect_fd, srv);
>>> +		if (deny_connect) {
>>> +			EXPECT_EQ(-EACCES, ret);
>>> +		} else if (deny_bind) {
>>> +			/* No listening server. */
>>> +			EXPECT_EQ(-ECONNREFUSED, ret);
>>> +		} else {
>>> +			EXPECT_EQ(0, ret);
>>> +			EXPECT_EQ(1, write(connect_fd, ".", 1));
>>> +		}
>>> +
>>> +		EXPECT_EQ(0, close(connect_fd));
>>> +		_exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
>>> +		return;
>>> +	}
>>> +
>>> +	/* Accepts connection from the child. */
>>> +	client_fd = bind_fd;
>>> +	if (!deny_bind && !deny_connect) {
>>> +		if (srv->protocol.type == SOCK_STREAM) {
>>> +			client_fd = accept(bind_fd, NULL, 0);
>>> +			ASSERT_LE(0, client_fd);
>>> +		}
>>> +
>>> +		EXPECT_EQ(1, read(client_fd, &buf, 1));
>>> +		EXPECT_EQ('.', buf);
>>> +	}
>>> +
>>> +	EXPECT_EQ(child, waitpid(child, &status, 0));
>>> +	EXPECT_EQ(1, WIFEXITED(status));
>>> +	EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>>> +
>>> +	/* Closes connection, if any. */
>>> +	if (client_fd != bind_fd)
>>> +		EXPECT_LE(0, close(client_fd));
>>> +
>>> +	/* Closes listening socket. */
>>> +	EXPECT_EQ(0, close(bind_fd));
>>> +}
>>> +
>>> +TEST_F(protocol, bind)
>>> +{
>>> +	if (variant->sandbox == TCP_SANDBOX) {
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		};
>>> +		const struct landlock_net_port_attr tcp_bind_connect_p0 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +			.port = self->srv0.port,
>>> +		};
>>> +		const struct landlock_net_port_attr tcp_connect_p1 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +			.port = self->srv1.port,
>>> +		};
>>> +		int ruleset_fd;
>>> +
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Allows connect and bind for the first port.  */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect_p0, 0));
>>> +
>>> +		/* Allows connect and denies bind for the second port. */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_connect_p1, 0));
>>> +
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	/* Binds a socket to the first port. */
>>> +	test_bind_and_connect(_metadata, &self->srv0, false, false);
>>> +
>>> +	/* Binds a socket to the second port. */
>>> +	test_bind_and_connect(_metadata, &self->srv1,
>>> +			      is_restricted(&variant->prot, variant->sandbox),
>>> +			      false);
>>> +
>>> +	/* Binds a socket to the third port. */
>>> +	test_bind_and_connect(_metadata, &self->srv2,
>>> +			      is_restricted(&variant->prot, variant->sandbox),
>>> +			      is_restricted(&variant->prot, variant->sandbox));
>>> +}
>>> +
>>> +TEST_F(protocol, connect)
>>> +{
>>> +	if (variant->sandbox == TCP_SANDBOX) {
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		};
>>> +		const struct landlock_net_port_attr tcp_bind_connect_p0 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +			.port = self->srv0.port,
>>> +		};
>>> +		const struct landlock_net_port_attr tcp_bind_p1 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +			.port = self->srv1.port,
>>> +		};
>>> +		int ruleset_fd;
>>> +
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Allows connect and bind for the first port. */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect_p0, 0));
>>> +
>>> +		/* Allows bind and denies connect for the second port. */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_p1, 0));
>>> +
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	test_bind_and_connect(_metadata, &self->srv0, false, false);
>>> +
>>> +	test_bind_and_connect(_metadata, &self->srv1, false,
>>> +			      is_restricted(&variant->prot, variant->sandbox));
>>> +
>>> +	test_bind_and_connect(_metadata, &self->srv2,
>>> +			      is_restricted(&variant->prot, variant->sandbox),
>>> +			      is_restricted(&variant->prot, variant->sandbox));
>>> +}
>>> +
>>> +TEST_F(protocol, bind_unspec)
>>> +{
>>> +	const struct landlock_ruleset_attr ruleset_attr = {
>>> +		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +	};
>>> +	const struct landlock_net_port_attr tcp_bind = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = self->srv0.port,
>>> +	};
>>> +	int bind_fd, ret;
>>> +
>>> +	if (variant->sandbox == TCP_SANDBOX) {
>>> +		const int ruleset_fd = landlock_create_ruleset(
>>> +			&ruleset_attr, sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Allows bind. */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind, 0));
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	bind_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, bind_fd);
>>> +
>>> +	/* Allowed bind on AF_UNSPEC/INADDR_ANY. */
>>> +	ret = bind_variant(bind_fd, &self->unspec_any0);
>>> +	if (variant->prot.domain == AF_INET) {
>>> +		EXPECT_EQ(0, ret)
>>> +		{
>>> +			TH_LOG("Failed to bind to unspec/any socket: %s",
>>> +			       strerror(errno));
>>> +		}
>>> +	} else {
>>> +		EXPECT_EQ(-EINVAL, ret);
>>> +	}
>>> +	EXPECT_EQ(0, close(bind_fd));
>>> +
>>> +	if (variant->sandbox == TCP_SANDBOX) {
>>> +		const int ruleset_fd = landlock_create_ruleset(
>>> +			&ruleset_attr, sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Denies bind. */
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	bind_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, bind_fd);
>>> +
>>> +	/* Denied bind on AF_UNSPEC/INADDR_ANY. */
>>> +	ret = bind_variant(bind_fd, &self->unspec_any0);
>>> +	if (variant->prot.domain == AF_INET) {
>>> +		if (is_restricted(&variant->prot, variant->sandbox)) {
>>> +			EXPECT_EQ(-EACCES, ret);
>>> +		} else {
>>> +			EXPECT_EQ(0, ret);
>>> +		}
>>> +	} else {
>>> +		EXPECT_EQ(-EINVAL, ret);
>>> +	}
>>> +	EXPECT_EQ(0, close(bind_fd));
>>> +
>>> +	/* Checks bind with AF_UNSPEC and the loopback address. */
>>> +	bind_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, bind_fd);
>>> +	ret = bind_variant(bind_fd, &self->unspec_srv0);
>>> +	if (variant->prot.domain == AF_INET) {
>>> +		EXPECT_EQ(-EAFNOSUPPORT, ret);
>>> +	} else {
>>> +		EXPECT_EQ(-EINVAL, ret)
>>> +		{
>>> +			TH_LOG("Wrong bind error: %s", strerror(errno));
>>> +		}
>>> +	}
>>> +	EXPECT_EQ(0, close(bind_fd));
>>> +}
>>> +
>>> +TEST_F(protocol, connect_unspec)
>>> +{
>>> +	const struct landlock_ruleset_attr ruleset_attr = {
>>> +		.handled_access_net = LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +	};
>>> +	const struct landlock_net_port_attr tcp_connect = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		.port = self->srv0.port,
>>> +	};
>>> +	int bind_fd, client_fd, status;
>>> +	pid_t child;
>>> +
>>> +	/* Specific connection tests. */
>>> +	bind_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, bind_fd);
>>> +	EXPECT_EQ(0, bind_variant(bind_fd, &self->srv0));
>>> +	if (self->srv0.protocol.type == SOCK_STREAM)
>>> +		EXPECT_EQ(0, listen(bind_fd, backlog));
>>> +
>>> +	child = fork();
>>> +	ASSERT_LE(0, child);
>>> +	if (child == 0) {
>>> +		int connect_fd, ret;
>>> +
>>> +		/* Closes listening socket for the child. */
>>> +		EXPECT_EQ(0, close(bind_fd));
>>> +
>>> +		connect_fd = socket_variant(&self->srv0);
>>> +		ASSERT_LE(0, connect_fd);
>>> +		EXPECT_EQ(0, connect_variant(connect_fd, &self->srv0));
>>> +
>>> +		/* Tries to connect again, or set peer. */
>>> +		ret = connect_variant(connect_fd, &self->srv0);
>>> +		if (self->srv0.protocol.type == SOCK_STREAM) {
>>> +			EXPECT_EQ(-EISCONN, ret);
>>> +		} else {
>>> +			EXPECT_EQ(0, ret);
>>> +		}
>>> +
>>> +		if (variant->sandbox == TCP_SANDBOX) {
>>> +			const int ruleset_fd = landlock_create_ruleset(
>>> +				&ruleset_attr, sizeof(ruleset_attr), 0);
>>> +			ASSERT_LE(0, ruleset_fd);
>>> +
>>> +			/* Allows connect. */
>>> +			ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
>>> +						       LANDLOCK_RULE_NET_PORT,
>>> +						       &tcp_connect, 0));
>>> +			enforce_ruleset(_metadata, ruleset_fd);
>>> +			EXPECT_EQ(0, close(ruleset_fd));
>>> +		}
>>> +
>>> +		/* Disconnects already connected socket, or set peer. */
>>> +		ret = connect_variant(connect_fd, &self->unspec_any0);
>>> +		if (self->srv0.protocol.domain == AF_UNIX &&
>>> +		    self->srv0.protocol.type == SOCK_STREAM) {
>>> +			EXPECT_EQ(-EINVAL, ret);
>>> +		} else {
>>> +			EXPECT_EQ(0, ret);
>>> +		}
>>> +
>>> +		/* Tries to reconnect, or set peer. */
>>> +		ret = connect_variant(connect_fd, &self->srv0);
>>> +		if (self->srv0.protocol.domain == AF_UNIX &&
>>> +		    self->srv0.protocol.type == SOCK_STREAM) {
>>> +			EXPECT_EQ(-EISCONN, ret);
>>> +		} else {
>>> +			EXPECT_EQ(0, ret);
>>> +		}
>>> +
>>> +		if (variant->sandbox == TCP_SANDBOX) {
>>> +			const int ruleset_fd = landlock_create_ruleset(
>>> +				&ruleset_attr, sizeof(ruleset_attr), 0);
>>> +			ASSERT_LE(0, ruleset_fd);
>>> +
>>> +			/* Denies connect. */
>>> +			enforce_ruleset(_metadata, ruleset_fd);
>>> +			EXPECT_EQ(0, close(ruleset_fd));
>>> +		}
>>> +
>>> +		ret = connect_variant(connect_fd, &self->unspec_any0);
>>> +		if (self->srv0.protocol.domain == AF_UNIX &&
>>> +		    self->srv0.protocol.type == SOCK_STREAM) {
>>> +			EXPECT_EQ(-EINVAL, ret);
>>> +		} else {
>>> +			/* Always allowed to disconnect. */
>>> +			EXPECT_EQ(0, ret);
>>> +		}
>>> +
>>> +		EXPECT_EQ(0, close(connect_fd));
>>> +		_exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
>>> +		return;
>>> +	}
>>> +
>>> +	client_fd = bind_fd;
>>> +	if (self->srv0.protocol.type == SOCK_STREAM) {
>>> +		client_fd = accept(bind_fd, NULL, 0);
>>> +		ASSERT_LE(0, client_fd);
>>> +	}
>>> +
>>> +	EXPECT_EQ(child, waitpid(child, &status, 0));
>>> +	EXPECT_EQ(1, WIFEXITED(status));
>>> +	EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>>> +
>>> +	/* Closes connection, if any. */
>>> +	if (client_fd != bind_fd)
>>> +		EXPECT_LE(0, close(client_fd));
>>> +
>>> +	/* Closes listening socket. */
>>> +	EXPECT_EQ(0, close(bind_fd));
>>> +}
>>> +
>>> +FIXTURE(ipv4)
>>> +{
>>> +	struct service_fixture srv0, srv1;
>>> +};
>>> +
>>> +FIXTURE_VARIANT(ipv4)
>>> +{
>>> +	const enum sandbox_type sandbox;
>>> +	const int type;
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(ipv4, no_sandbox_with_tcp) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.type = SOCK_STREAM,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(ipv4, tcp_sandbox_with_tcp) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.type = SOCK_STREAM,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(ipv4, no_sandbox_with_udp) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.type = SOCK_DGRAM,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(ipv4, tcp_sandbox_with_udp) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.type = SOCK_DGRAM,
>>> +};
>>> +
>>> +FIXTURE_SETUP(ipv4)
>>> +{
>>> +	const struct protocol_variant prot = {
>>> +		.domain = AF_INET,
>>> +		.type = variant->type,
>>> +	};
>>> +
>>> +	disable_caps(_metadata);
>>> +
>>> +	set_service(&self->srv0, prot, 0);
>>> +	set_service(&self->srv1, prot, 1);
>>> +
>>> +	setup_loopback(_metadata);
>>> +};
>>> +
>>> +FIXTURE_TEARDOWN(ipv4)
>>> +{
>>> +}
>>> +
>>> +TEST_F(ipv4, from_unix_to_inet)
>>> +{
>>> +	int unix_stream_fd, unix_dgram_fd;
>>> +
>>> +	if (variant->sandbox == TCP_SANDBOX) {
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		};
>>> +		const struct landlock_net_port_attr tcp_bind_connect_p0 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +			.port = self->srv0.port,
>>> +		};
>>> +		int ruleset_fd;
>>> +
>>> +		/* Denies connect and bind to check errno value. */
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Allows connect and bind for srv0.  */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect_p0, 0));
>>> +
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	unix_stream_fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
>>> +	ASSERT_LE(0, unix_stream_fd);
>>> +
>>> +	unix_dgram_fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
>>> +	ASSERT_LE(0, unix_dgram_fd);
>>> +
>>> +	/* Checks unix stream bind and connect for srv0. */
>>> +	EXPECT_EQ(-EINVAL, bind_variant(unix_stream_fd, &self->srv0));
>>> +	EXPECT_EQ(-EINVAL, connect_variant(unix_stream_fd, &self->srv0));
>>> +
>>> +	/* Checks unix stream bind and connect for srv1. */
>>> +	EXPECT_EQ(-EINVAL, bind_variant(unix_stream_fd, &self->srv1))
>>> +	{
>>> +		TH_LOG("Wrong bind error: %s", strerror(errno));
>>> +	}
>>> +	EXPECT_EQ(-EINVAL, connect_variant(unix_stream_fd, &self->srv1));
>>> +
>>> +	/* Checks unix datagram bind and connect for srv0. */
>>> +	EXPECT_EQ(-EINVAL, bind_variant(unix_dgram_fd, &self->srv0));
>>> +	EXPECT_EQ(-EINVAL, connect_variant(unix_dgram_fd, &self->srv0));
>>> +
>>> +	/* Checks unix datagram bind and connect for srv1. */
>>> +	EXPECT_EQ(-EINVAL, bind_variant(unix_dgram_fd, &self->srv1));
>>> +	EXPECT_EQ(-EINVAL, connect_variant(unix_dgram_fd, &self->srv1));
>>> +}
>>> +
>>> +FIXTURE(tcp_layers)
>>> +{
>>> +	struct service_fixture srv0, srv1;
>>> +};
>>> +
>>> +FIXTURE_VARIANT(tcp_layers)
>>> +{
>>> +	const size_t num_layers;
>>> +	const int domain;
>>> +};
>>> +
>>> +FIXTURE_SETUP(tcp_layers)
>>> +{
>>> +	const struct protocol_variant prot = {
>>> +		.domain = variant->domain,
>>> +		.type = SOCK_STREAM,
>>> +	};
>>> +
>>> +	disable_caps(_metadata);
>>> +
>>> +	ASSERT_EQ(0, set_service(&self->srv0, prot, 0));
>>> +	ASSERT_EQ(0, set_service(&self->srv1, prot, 1));
>>> +
>>> +	setup_loopback(_metadata);
>>> +};
>>> +
>>> +FIXTURE_TEARDOWN(tcp_layers)
>>> +{
>>> +}
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(tcp_layers, no_sandbox_with_ipv4) {
>>> +	/* clang-format on */
>>> +	.domain = AF_INET,
>>> +	.num_layers = 0,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(tcp_layers, one_sandbox_with_ipv4) {
>>> +	/* clang-format on */
>>> +	.domain = AF_INET,
>>> +	.num_layers = 1,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(tcp_layers, two_sandboxes_with_ipv4) {
>>> +	/* clang-format on */
>>> +	.domain = AF_INET,
>>> +	.num_layers = 2,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(tcp_layers, three_sandboxes_with_ipv4) {
>>> +	/* clang-format on */
>>> +	.domain = AF_INET,
>>> +	.num_layers = 3,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(tcp_layers, no_sandbox_with_ipv6) {
>>> +	/* clang-format on */
>>> +	.domain = AF_INET6,
>>> +	.num_layers = 0,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(tcp_layers, one_sandbox_with_ipv6) {
>>> +	/* clang-format on */
>>> +	.domain = AF_INET6,
>>> +	.num_layers = 1,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(tcp_layers, two_sandboxes_with_ipv6) {
>>> +	/* clang-format on */
>>> +	.domain = AF_INET6,
>>> +	.num_layers = 2,
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(tcp_layers, three_sandboxes_with_ipv6) {
>>> +	/* clang-format on */
>>> +	.domain = AF_INET6,
>>> +	.num_layers = 3,
>>> +};
>>> +
>>> +TEST_F(tcp_layers, ruleset_overlap)
>>> +{
>>> +	const struct landlock_ruleset_attr ruleset_attr = {
>>> +		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +	};
>>> +	const struct landlock_net_port_attr tcp_bind = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = self->srv0.port,
>>> +	};
>>> +	const struct landlock_net_port_attr tcp_bind_connect = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +				  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		.port = self->srv0.port,
>>> +	};
>>> +
>>> +	if (variant->num_layers >= 1) {
>>> +		int ruleset_fd;
>>> +
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Allows bind. */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind, 0));
>>> +		/* Also allows bind, but allows connect too. */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect, 0));
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	if (variant->num_layers >= 2) {
>>> +		int ruleset_fd;
>>> +
>>> +		/* Creates another ruleset layer. */
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Only allows bind. */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind, 0));
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	if (variant->num_layers >= 3) {
>>> +		int ruleset_fd;
>>> +
>>> +		/* Creates another ruleset layer. */
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Try to allow bind and connect. */
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect, 0));
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	/*
>>> +	 * Forbids to connect to the socket because only one ruleset layer
>>> +	 * allows connect.
>>> +	 */
>>> +	test_bind_and_connect(_metadata, &self->srv0, false,
>>> +			      variant->num_layers >= 2);
>>> +}
>>> +
>>> +TEST_F(tcp_layers, ruleset_expand)
>>> +{
>>> +	if (variant->num_layers >= 1) {
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		};
>>> +		/* Allows bind for srv0. */
>>> +		const struct landlock_net_port_attr bind_srv0 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +			.port = self->srv0.port,
>>> +		};
>>> +		int ruleset_fd;
>>> +
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &bind_srv0, 0));
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	if (variant->num_layers >= 2) {
>>> +		/* Expands network mask with connect action. */
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		};
>>> +		/* Allows bind for srv0 and connect to srv0. */
>>> +		const struct landlock_net_port_attr tcp_bind_connect_p0 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +			.port = self->srv0.port,
>>> +		};
>>> +		/* Try to allow bind for srv1. */
>>> +		const struct landlock_net_port_attr tcp_bind_p1 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +			.port = self->srv1.port,
>>> +		};
>>> +		int ruleset_fd;
>>> +
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect_p0, 0));
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_p1, 0));
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	if (variant->num_layers >= 3) {
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		};
>>> +		/* Allows connect to srv0, without bind rule. */
>>> +		const struct landlock_net_port_attr tcp_bind_p0 = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +			.port = self->srv0.port,
>>> +		};
>>> +		int ruleset_fd;
>>> +
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_p0, 0));
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	test_bind_and_connect(_metadata, &self->srv0, false,
>>> +			      variant->num_layers >= 3);
>>> +
>>> +	test_bind_and_connect(_metadata, &self->srv1, variant->num_layers >= 1,
>>> +			      variant->num_layers >= 2);
>>> +}
>>> +
>>> +/* clang-format off */
>>> +FIXTURE(mini) {};
>>> +/* clang-format on */
>>> +
>>> +FIXTURE_SETUP(mini)
>>> +{
>>> +	disable_caps(_metadata);
>>> +
>>> +	setup_loopback(_metadata);
>>> +};
>>> +
>>> +FIXTURE_TEARDOWN(mini)
>>> +{
>>> +}
>>> +
>>> +/* clang-format off */
>>> +
>>> +#define ACCESS_LAST LANDLOCK_ACCESS_NET_CONNECT_TCP
>>> +
>>> +#define ACCESS_ALL ( \
>>> +	LANDLOCK_ACCESS_NET_BIND_TCP | \
>>> +	LANDLOCK_ACCESS_NET_CONNECT_TCP)
>>> +
>>> +/* clang-format on */
>>> +
>>> +TEST_F(mini, network_access_rights)
>>> +{
>>> +	const struct landlock_ruleset_attr ruleset_attr = {
>>> +		.handled_access_net = ACCESS_ALL,
>>> +	};
>>> +	struct landlock_net_port_attr net_port = {
>>> +		.port = sock_port_start,
>>> +	};
>>> +	int ruleset_fd;
>>> +	__u64 access;
>>> +
>>> +	ruleset_fd =
>>> +		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
>>> +	ASSERT_LE(0, ruleset_fd);
>>> +
>>> +	for (access = 1; access <= ACCESS_LAST; access <<= 1) {
>>> +		net_port.allowed_access = access;
>>> +		EXPECT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &net_port, 0))
>>> +		{
>>> +			TH_LOG("Failed to add rule with access 0x%llx: %s",
>>> +			       access, strerror(errno));
>>> +		}
>>> +	}
>>> +	EXPECT_EQ(0, close(ruleset_fd));
>>> +}
>>> +
>>> +/* Checks invalid attribute, out of landlock network access range. */
>>> +TEST_F(mini, unknown_access_rights)
>>> +{
>>> +	__u64 access_mask;
>>> +
>>> +	for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST;
>>> +	     access_mask >>= 1) {
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = access_mask,
>>> +		};
>>> +
>>> +		EXPECT_EQ(-1, landlock_create_ruleset(&ruleset_attr,
>>> +						      sizeof(ruleset_attr), 0));
>>> +		EXPECT_EQ(EINVAL, errno);
>>> +	}
>>> +}
>>> +
>>> +TEST_F(mini, inval)
>>> +{
>>> +	const struct landlock_ruleset_attr ruleset_attr = {
>>> +		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP
>>> +	};
>>> +	const struct landlock_net_port_attr tcp_bind_connect = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +				  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		.port = sock_port_start,
>>> +	};
>>> +	const struct landlock_net_port_attr tcp_denied = {
>>> +		.allowed_access = 0,
>>> +		.port = sock_port_start,
>>> +	};
>>> +	const struct landlock_net_port_attr tcp_bind = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = sock_port_start,
>>> +	};
>>> +	int ruleset_fd;
>>> +
>>> +	ruleset_fd =
>>> +		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
>>> +	ASSERT_LE(0, ruleset_fd);
>>> +
>>> +	/* Checks unhandled allowed_access. */
>>> +	EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					&tcp_bind_connect, 0));
>>> +	EXPECT_EQ(EINVAL, errno);
>>> +
>>> +	/* Checks zero access value. */
>>> +	EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					&tcp_denied, 0));
>>> +	EXPECT_EQ(ENOMSG, errno);
>>> +
>>> +	/* Adds with legitimate values. */
>>> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +				       &tcp_bind, 0));
>>> +}
>>> +
>>> +TEST_F(mini, tcp_port_overflow)
>>> +{
>>> +	const struct landlock_ruleset_attr ruleset_attr = {
>>> +		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +	};
>>> +	const struct landlock_net_port_attr port_max_bind = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = UINT16_MAX,
>>> +	};
>>> +	const struct landlock_net_port_attr port_max_connect = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		.port = UINT16_MAX,
>>> +	};
>>> +	const struct landlock_net_port_attr port_overflow1 = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = UINT16_MAX + 1,
>>> +	};
>>> +	const struct landlock_net_port_attr port_overflow2 = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = UINT16_MAX + 2,
>>> +	};
>>> +	const struct landlock_net_port_attr port_overflow3 = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = UINT32_MAX + 1UL,
>>> +	};
>>> +	const struct landlock_net_port_attr port_overflow4 = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = UINT32_MAX + 2UL,
>>> +	};
>>> +	const struct protocol_variant ipv4_tcp = {
>>> +		.domain = AF_INET,
>>> +		.type = SOCK_STREAM,
>>> +	};
>>> +	struct service_fixture srv_denied, srv_max_allowed;
>>> +	int ruleset_fd;
>>> +
>>> +	ASSERT_EQ(0, set_service(&srv_denied, ipv4_tcp, 0));
>>> +
>>> +	/* Be careful to avoid port inconsistencies. */
>>> +	srv_max_allowed = srv_denied;
>>> +	srv_max_allowed.port = port_max_bind.port;
>>> +	srv_max_allowed.ipv4_addr.sin_port = htons(port_max_bind.port);
>>> +
>>> +	ruleset_fd =
>>> +		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
>>> +	ASSERT_LE(0, ruleset_fd);
>>> +
>>> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +				       &port_max_bind, 0));
>>> +
>>> +	EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					&port_overflow1, 0));
>>> +	EXPECT_EQ(EINVAL, errno);
>>> +
>>> +	EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					&port_overflow2, 0));
>>> +	EXPECT_EQ(EINVAL, errno);
>>> +
>>> +	EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					&port_overflow3, 0));
>>> +	EXPECT_EQ(EINVAL, errno);
>>> +
>>> +	/* Interleaves with invalid rule additions. */
>>> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +				       &port_max_connect, 0));
>>> +
>>> +	EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					&port_overflow4, 0));
>>> +	EXPECT_EQ(EINVAL, errno);
>>> +
>>> +	enforce_ruleset(_metadata, ruleset_fd);
>>> +
>>> +	test_bind_and_connect(_metadata, &srv_denied, true, true);
>>> +	test_bind_and_connect(_metadata, &srv_max_allowed, false, false);
>>> +}
>>> +
>>> +FIXTURE(ipv4_tcp)
>>> +{
>>> +	struct service_fixture srv0, srv1;
>>> +};
>>> +
>>> +FIXTURE_SETUP(ipv4_tcp)
>>> +{
>>> +	const struct protocol_variant ipv4_tcp = {
>>> +		.domain = AF_INET,
>>> +		.type = SOCK_STREAM,
>>> +	};
>>> +
>>> +	disable_caps(_metadata);
>>> +
>>> +	ASSERT_EQ(0, set_service(&self->srv0, ipv4_tcp, 0));
>>> +	ASSERT_EQ(0, set_service(&self->srv1, ipv4_tcp, 1));
>>> +
>>> +	setup_loopback(_metadata);
>>> +};
>>> +
>>> +FIXTURE_TEARDOWN(ipv4_tcp)
>>> +{
>>> +}
>>> +
>>> +TEST_F(ipv4_tcp, port_endianness)
>>> +{
>>> +	const struct landlock_ruleset_attr ruleset_attr = {
>>> +		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +	};
>>> +	const struct landlock_net_port_attr bind_host_endian_p0 = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		/* Host port format. */
>>> +		.port = self->srv0.port,
>>> +	};
>>> +	const struct landlock_net_port_attr connect_big_endian_p0 = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		/* Big endian port format. */
>>> +		.port = htons(self->srv0.port),
>>> +	};
>>> +	const struct landlock_net_port_attr bind_connect_host_endian_p1 = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +				  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +		/* Host port format. */
>>> +		.port = self->srv1.port,
>>> +	};
>>> +	const unsigned int one = 1;
>>> +	const char little_endian = *(const char *)&one;
>>> +	int ruleset_fd;
>>> +
>>> +	ruleset_fd =
>>> +		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
>>> +	ASSERT_LE(0, ruleset_fd);
>>> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +				       &bind_host_endian_p0, 0));
>>> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +				       &connect_big_endian_p0, 0));
>>> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +				       &bind_connect_host_endian_p1, 0));
>>> +	enforce_ruleset(_metadata, ruleset_fd);
>>> +
>>> +	/* No restriction for big endinan CPU. */
>>> +	test_bind_and_connect(_metadata, &self->srv0, false, little_endian);
>>> +
>>> +	/* No restriction for any CPU. */
>>> +	test_bind_and_connect(_metadata, &self->srv1, false, false);
>>> +}
>>> +
>>> +TEST_F_FORK(ipv4_tcp, with_fs)
>>> +{
>>> +	const struct landlock_ruleset_attr ruleset_attr_fs_net = {
>>> +		.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR,
>>> +		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +	};
>>> +	struct landlock_path_beneath_attr path_beneath = {
>>> +		.allowed_access = LANDLOCK_ACCESS_FS_READ_DIR,
>>> +		.parent_fd = -1,
>>> +	};
>>> +	struct landlock_net_port_attr tcp_bind = {
>>> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>> +		.port = sock_port_start,
>>> +	};
>>> +	int sockfd, ruleset_fd, dirfd, open_dir1, open_dir2;
>>> +	struct sockaddr_in addr4;
>>> +
>>> +	dirfd = open("/dev", O_PATH | O_DIRECTORY | O_CLOEXEC);
>>> +	ASSERT_LE(0, dirfd);
>>> +	path_beneath.parent_fd = dirfd;
>>> +
>>> +	addr4.sin_family = AF_INET;
>>> +	addr4.sin_port = htons(sock_port_start);
>>> +	addr4.sin_addr.s_addr = inet_addr(loopback_ipv4);
>>> +	memset(&addr4.sin_zero, '\0', 8);
>>> +
>>> +	/* Creates ruleset both for filesystem and network access. */
>>> +	ruleset_fd = landlock_create_ruleset(&ruleset_attr_fs_net,
>>> +					     sizeof(ruleset_attr_fs_net), 0);
>>> +	ASSERT_LE(0, ruleset_fd);
>>> +
>>> +	/* Adds a filesystem rule. */
>>> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
>>> +				       &path_beneath, 0));
>>> +	/* Adds a network rule. */
>>> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +				       &tcp_bind, 0));
>>> +
>>> +	enforce_ruleset(_metadata, ruleset_fd);
>>> +	ASSERT_EQ(0, close(ruleset_fd));
>>> +
>>> +	/* Tests on a directories with the network rule loaded. */
>>> +	open_dir1 = open("/dev", O_RDONLY);
>>> +	ASSERT_LE(0, open_dir1);
>>> +	ASSERT_EQ(0, close(open_dir1));
>>> +
>>> +	open_dir2 = open("/", O_RDONLY);
>>> +	/* Denied by Landlock. */
>>> +	ASSERT_EQ(-1, open_dir2);
>>> +	EXPECT_EQ(EACCES, errno);
>>> +
>>> +	sockfd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
>>> +	ASSERT_LE(0, sockfd);
>>> +	/* Binds a socket to port 1024. */
>>> +	ASSERT_EQ(0, bind(sockfd, &addr4, sizeof(addr4)));
>>> +
>>> +	/* Closes bounded socket. */
>>> +	ASSERT_EQ(0, close(sockfd));
>>> +}
>>> +
>>> +FIXTURE(port_specific)
>>> +{
>>> +	struct service_fixture srv0;
>>> +};
>>> +
>>> +FIXTURE_VARIANT(port_specific)
>>> +{
>>> +	const enum sandbox_type sandbox;
>>> +	const struct protocol_variant prot;
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(port_specific, no_sandbox_with_ipv4) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(port_specific, sandbox_with_ipv4) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(port_specific, no_sandbox_with_ipv6) {
>>> +	/* clang-format on */
>>> +	.sandbox = NO_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET6,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +/* clang-format off */
>>> +FIXTURE_VARIANT_ADD(port_specific, sandbox_with_ipv6) {
>>> +	/* clang-format on */
>>> +	.sandbox = TCP_SANDBOX,
>>> +	.prot = {
>>> +		.domain = AF_INET6,
>>> +		.type = SOCK_STREAM,
>>> +	},
>>> +};
>>> +
>>> +FIXTURE_SETUP(port_specific)
>>> +{
>>> +	disable_caps(_metadata);
>>> +
>>> +	ASSERT_EQ(0, set_service(&self->srv0, variant->prot, 0));
>>> +
>>> +	setup_loopback(_metadata);
>>> +};
>>> +
>>> +FIXTURE_TEARDOWN(port_specific)
>>> +{
>>> +}
>>> +
>>> +TEST_F(port_specific, bind_connect_zero)
>>> +{
>>> +	int bind_fd, connect_fd, ret;
>>> +	uint16_t port;
>>> +
>>> +	/* Adds a rule layer with bind and connect actions. */
>>> +	if (variant->sandbox == TCP_SANDBOX) {
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					      LANDLOCK_ACCESS_NET_CONNECT_TCP
>>> +		};
>>> +		const struct landlock_net_port_attr tcp_bind_connect_zero = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +			.port = 0,
>>> +		};
>>> +		int ruleset_fd;
>>> +
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		/* Checks zero port value on bind and connect actions. */
>>> +		EXPECT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect_zero, 0));
>>> +
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	bind_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, bind_fd);
>>> +
>>> +	connect_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, connect_fd);
>>> +
>>> +	/* Sets address port to 0 for both protocol families. */
>>> +	set_port(&self->srv0, 0);
>>> +	/*
>>> +	 * Binds on port 0, which selects a random port within
>>> +	 * ip_local_port_range.
>>> +	 */
>>> +	ret = bind_variant(bind_fd, &self->srv0);
>>> +	EXPECT_EQ(0, ret);
>>> +
>>> +	EXPECT_EQ(0, listen(bind_fd, backlog));
>>> +
>>> +	/* Connects on port 0. */
>>> +	ret = connect_variant(connect_fd, &self->srv0);
>>> +	EXPECT_EQ(-ECONNREFUSED, ret);
>>> +
>>> +	/* Sets binded port for both protocol families. */
>>> +	port = get_binded_port(bind_fd, &variant->prot);
>>> +	EXPECT_NE(0, port);
>>> +	set_port(&self->srv0, port);
>>> +	/* Connects on the binded port. */
>>> +	ret = connect_variant(connect_fd, &self->srv0);
>>> +	if (is_restricted(&variant->prot, variant->sandbox)) {
>>> +		/* Denied by Landlock. */
>>> +		EXPECT_EQ(-EACCES, ret);
>>> +	} else {
>>> +		EXPECT_EQ(0, ret);
>>> +	}
>>> +
>>> +	EXPECT_EQ(0, close(connect_fd));
>>> +	EXPECT_EQ(0, close(bind_fd));
>>> +}
>>> +
>>> +TEST_F(port_specific, bind_connect_1023)
>>> +{
>>> +	int bind_fd, connect_fd, ret;
>>> +
>>> +	/* Adds a rule layer with bind and connect actions. */
>>> +	if (variant->sandbox == TCP_SANDBOX) {
>>> +		const struct landlock_ruleset_attr ruleset_attr = {
>>> +			.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					      LANDLOCK_ACCESS_NET_CONNECT_TCP
>>> +		};
>>> +		/* A rule with port value less than 1024. */
>>> +		const struct landlock_net_port_attr tcp_bind_connect_low_range = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +			.port = 1023,
>>> +		};
>>> +		/* A rule with 1024 port. */
>>> +		const struct landlock_net_port_attr tcp_bind_connect = {
>>> +			.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>>> +					  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>>> +			.port = 1024,
>>> +		};
>>> +		int ruleset_fd;
>>> +
>>> +		ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>>> +						     sizeof(ruleset_attr), 0);
>>> +		ASSERT_LE(0, ruleset_fd);
>>> +
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect_low_range, 0));
>>> +		ASSERT_EQ(0,
>>> +			  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>>> +					    &tcp_bind_connect, 0));
>>> +
>>> +		enforce_ruleset(_metadata, ruleset_fd);
>>> +		EXPECT_EQ(0, close(ruleset_fd));
>>> +	}
>>> +
>>> +	bind_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, bind_fd);
>>> +
>>> +	connect_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, connect_fd);
>>> +
>>> +	/* Sets address port to 1023 for both protocol families. */
>>> +	set_port(&self->srv0, 1023);
>>> +	/* Binds on port 1023. */
>>> +	ret = bind_variant(bind_fd, &self->srv0);
>>> +	/* Denied by the system. */
>>> +	EXPECT_EQ(-EACCES, ret);
>>> +
>>> +	set_cap(_metadata, CAP_NET_BIND_SERVICE);
>>> +	/* Binds on port 1023. */
>>> +	ret = bind_variant(bind_fd, &self->srv0);
>>> +	EXPECT_EQ(0, ret);
>>> +	EXPECT_EQ(0, listen(bind_fd, backlog));
>>> +	clear_cap(_metadata, CAP_NET_BIND_SERVICE);
>>> +
>>> +	/* Connects on the binded port 1023. */
>>> +	ret = connect_variant(connect_fd, &self->srv0);
>>> +	EXPECT_EQ(0, ret);
>>> +
>>> +	EXPECT_EQ(0, close(connect_fd));
>>> +	EXPECT_EQ(0, close(bind_fd));
>>> +
>>> +	bind_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, bind_fd);
>>> +
>>> +	connect_fd = socket_variant(&self->srv0);
>>> +	ASSERT_LE(0, connect_fd);
>>> +
>>> +	/* Sets address port to 1024 for both protocol families. */
>>> +	set_port(&self->srv0, 1024);
>>> +	/* Binds on port 1024. */
>>> +	ret = bind_variant(bind_fd, &self->srv0);
>>> +	EXPECT_EQ(0, ret);
>>> +	EXPECT_EQ(0, listen(bind_fd, backlog));
>>> +	clear_cap(_metadata, CAP_NET_BIND_SERVICE);
>>> +
>>> +	/* Connects on the binded port 1024. */
>>> +	ret = connect_variant(connect_fd, &self->srv0);
>>> +	EXPECT_EQ(0, ret);
>>> +
>>> +	EXPECT_EQ(0, close(connect_fd));
>>> +	EXPECT_EQ(0, close(bind_fd));
>>> +}
>>> +
>>> +TEST_HARNESS_MAIN
>>> --
>>> 2.25.1
>>>
>>>
>>
>> -- 
>> BR,
>> Muhammad Usama Anjum
>>

-- 
BR,
Muhammad Usama Anjum
View attachment ".config" of type "text/plain" (140526 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ