[PATCH v7 16/18] seltests/landlock: add invalid input data test
Konstantin Meskhidze
konstantin.meskhidze at huawei.com
Mon Aug 29 17:03:59 UTC 2022
This patch adds rules with invalid user space supplied data:
- out of range ruleset attribute;
- unhandled allowed access;
- zero port value;
- zero access value;
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
---
Changes since v6:
* Adds invalid ruleset attribute test.
Changes since v5:
* Formats code with clang-format-14.
Changes since v4:
* Refactors code with self->port variable.
Changes since v3:
* Adds inval test.
---
tools/testing/selftests/landlock/net_test.c | 66 ++++++++++++++++++++-
1 file changed, 65 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index a93224d1521b..067ba45f58a5 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -26,9 +26,12 @@
#define IP_ADDRESS "127.0.0.1"
-/* Number pending connections queue to be hold */
+/* Number pending connections queue to be hold. */
#define BACKLOG 10
+/* Invalid attribute, out of landlock network access range. */
+#define LANDLOCK_INVAL_ATTR 7
+
FIXTURE(socket)
{
uint port[MAX_SOCKET_NUM];
@@ -719,4 +722,65 @@ TEST_F(socket, ruleset_expanding)
/* Closes socket 1. */
ASSERT_EQ(0, close(sockfd_1));
}
+
+TEST_F(socket, inval)
+{
+ struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP
+ };
+ struct landlock_ruleset_attr ruleset_attr_inval = {
+ .handled_access_net = LANDLOCK_INVAL_ATTR
+ };
+ struct landlock_net_service_attr net_service_1 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
+ .port = self->port[0],
+ };
+ struct landlock_net_service_attr net_service_2 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+ .port = 0,
+ };
+ struct landlock_net_service_attr net_service_3 = {
+ .allowed_access = 0,
+ .port = self->port[1],
+ };
+ struct landlock_net_service_attr net_service_4 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+ .port = self->port[2],
+ };
+
+ /* Checks invalid ruleset attribute. */
+ const int ruleset_fd_inv = landlock_create_ruleset(
+ &ruleset_attr_inval, sizeof(ruleset_attr_inval), 0);
+ ASSERT_EQ(-1, ruleset_fd_inv);
+ ASSERT_EQ(EINVAL, errno);
+
+ /* Gets ruleset. */
+ const int ruleset_fd =
+ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+
+ /* Checks unhandled allowed_access. */
+ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_1, 0));
+ ASSERT_EQ(EINVAL, errno);
+
+ /* Checks zero port value. */
+ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_2, 0));
+ ASSERT_EQ(EINVAL, errno);
+
+ /* Checks zero access value. */
+ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_3, 0));
+ ASSERT_EQ(ENOMSG, errno);
+
+ /* Adds with legitimate values. */
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_4, 0));
+
+ /* Enforces the ruleset. */
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+}
TEST_HARNESS_MAIN
--
2.25.1
More information about the Linux-security-module-archive
mailing list