Message-ID: <20251118134639.3314803-10-ivanov.mikhail1@huawei-partners.com>
Date: Tue, 18 Nov 2025 21:46:29 +0800
From: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>
To: <mic@...ikod.net>, <gnoack@...gle.com>
CC: <willemdebruijn.kernel@...il.com>, <matthieu@...fet.re>,
	<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
	<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
	<artem.kuzin@...wei.com>, <konstantin.meskhidze@...wei.com>
Subject: [RFC PATCH v4 09/19] selftests/landlock: Test overlapped rulesets with rules of protocol ranges

Add a test that validates Landlock behaviour with overlapping socket
restrictions.

Add test that validates behaviour of using multiple layers that
define access for protocol ranges using wildcard values.

Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>
---
Changes since v3:
* Adds test "ruleset_with_wildcards_overlap".

Changes since v2:
* Removes `tcp_layers` fixture and replaces it with `protocol` fixture
  for this test. protocol.ruleset_overlap tests every layers depth
  in a single run.
* Adds add_ruleset_layer() helper that enforces ruleset and allows access
  if such is given.
* Replaces EXPECT_EQ with ASSERT_EQ for close().
* Refactors commit message and title.

Changes since v1:
* Replaces test_socket_create() with test_socket().
* Formats code with clang-format.
* Refactors commit message.
* Minor fixes.
---
 .../testing/selftests/landlock/socket_test.c  | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)

diff --git a/tools/testing/selftests/landlock/socket_test.c b/tools/testing/selftests/landlock/socket_test.c
index ebb39cbf9211..8b8913290a64 100644
--- a/tools/testing/selftests/landlock/socket_test.c
+++ b/tools/testing/selftests/landlock/socket_test.c
@@ -578,4 +578,96 @@ TEST_F(mini, unsupported_af_and_prot)
 	EXPECT_EQ(EACCES, test_socket(AF_UNIX, SOCK_STREAM, PF_UNIX + 1));
 }
 
+static void add_ruleset_layer(struct __test_metadata *const _metadata,
+			      const struct landlock_socket_attr *socket_attr)
+{
+	const struct landlock_ruleset_attr ruleset_attr = {
+		.handled_access_socket = LANDLOCK_ACCESS_SOCKET_CREATE,
+	};
+	int ruleset_fd =
+		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+	ASSERT_LE(0, ruleset_fd);
+
+	if (socket_attr) {
+		ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_SOCKET,
+					       socket_attr, 0));
+	}
+
+	enforce_ruleset(_metadata, ruleset_fd);
+	ASSERT_EQ(0, close(ruleset_fd));
+}
+
+TEST_F(mini, ruleset_overlap)
+{
+	const struct landlock_socket_attr create_socket_attr = {
+		.allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
+		.family = AF_INET,
+		.type = SOCK_STREAM,
+		.protocol = 0,
+	};
+
+	/* socket(2) is allowed if there are no restrictions. */
+	ASSERT_EQ(0, test_socket(AF_INET, SOCK_STREAM, 0));
+
+	/* Creates ruleset with socket(2) allowed. */
+	add_ruleset_layer(_metadata, &create_socket_attr);
+	EXPECT_EQ(0, test_socket(AF_INET, SOCK_STREAM, 0));
+
+	/* Adds ruleset layer with socket(2) restricted. */
+	add_ruleset_layer(_metadata, NULL);
+	EXPECT_EQ(EACCES, test_socket(AF_INET, SOCK_STREAM, 0));
+
+	/*
+	 * Adds ruleset layer with socket(2) allowed. socket(2) is restricted
+	 * by second layer of the ruleset.
+	 */
+	add_ruleset_layer(_metadata, &create_socket_attr);
+	EXPECT_EQ(EACCES, test_socket(AF_INET, SOCK_STREAM, 0));
+}
+
+TEST_F(mini, ruleset_with_wildcards_overlap)
+{
+	const struct landlock_socket_attr create_socket_attr = {
+		.allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
+		.family = AF_INET,
+		.type = (-1),
+		.protocol = (-1),
+	};
+
+	/* socket(2) is allowed if there are no restrictions. */
+	ASSERT_EQ(0, test_socket(AF_INET, SOCK_STREAM, 0));
+	ASSERT_EQ(0, test_socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP));
+	ASSERT_EQ(0, test_socket(AF_INET, SOCK_DGRAM, 0));
+
+	/* Creates ruleset with AF_INET allowed. */
+	add_ruleset_layer(_metadata, &create_socket_attr);
+	EXPECT_EQ(0, test_socket(AF_INET, SOCK_STREAM, 0));
+	EXPECT_EQ(0, test_socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP));
+	EXPECT_EQ(0, test_socket(AF_INET, SOCK_DGRAM, 0));
+
+	const struct landlock_socket_attr create_socket_attr2 = {
+		.allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
+		.family = AF_INET,
+		.type = SOCK_STREAM,
+		.protocol = (-1),
+	};
+	/* Creates layer with AF_INET + SOCK_STREAM allowed. */
+	add_ruleset_layer(_metadata, &create_socket_attr2);
+	EXPECT_EQ(0, test_socket(AF_INET, SOCK_STREAM, 0));
+	EXPECT_EQ(0, test_socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP));
+	EXPECT_EQ(EACCES, test_socket(AF_INET, SOCK_DGRAM, 0));
+
+	const struct landlock_socket_attr create_socket_attr3 = {
+		.allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
+		.family = AF_INET,
+		.type = SOCK_STREAM,
+		.protocol = 0,
+	};
+	/* Creates layer with AF_INET + SOCK_STREAM + 0 allowed. */
+	add_ruleset_layer(_metadata, &create_socket_attr3);
+	EXPECT_EQ(0, test_socket(AF_INET, SOCK_STREAM, 0));
+	EXPECT_EQ(EACCES, test_socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP));
+	EXPECT_EQ(EACCES, test_socket(AF_INET, SOCK_DGRAM, 0));
+}
+
 TEST_HARNESS_MAIN
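Review bot: `ruleset_with_wildcards_overlap` only stacks layers that get narrower, so it never checks that a later, wider wildcard rule cannot re-grant what an earlier layer denied. `ruleset_overlap` covers that case for an exact rule with its third layer, but the wildcard matching path has no equivalent. Re-enforcing `create_socket_attr` (type and protocol both `-1`) as a fourth layer and expecting the same three results as after the third layer would pin down that layers only ever restrict. Separately, the `IPPROTO_SCTP` probes presumably need SCTP in the test kernel (`CONFIG_IP_SCTP`); if the selftest config does not enable it, the baseline `ASSERT_EQ` at the top of the test fails for a reason unrelated to Landlock, so confirm that against the rest of the series.

```c
	/* … unchanged: three narrowing layers and their checks … */
	EXPECT_EQ(EACCES, test_socket(AF_INET, SOCK_DGRAM, 0));

	/*
	 * Re-adds the widest wildcard layer. Access denied by the previous
	 * layers must stay denied.
	 */
	add_ruleset_layer(_metadata, &create_socket_attr);
	EXPECT_EQ(0, test_socket(AF_INET, SOCK_STREAM, 0));
	EXPECT_EQ(EACCES, test_socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP));
	EXPECT_EQ(EACCES, test_socket(AF_INET, SOCK_DGRAM, 0));
```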
-- 
2.34.1

