[PATCH v2 3/6] selftests/landlock: Test ioctl support
Günther Noack
gnoack at google.com
Fri Jun 23 14:43:26 UTC 2023
Exercise the use of Landlock's ioctl restriction: If ioctl is
restricted, the use of ioctl fails with a freshly opened /dev/tty
file.
Signed-off-by: Günther Noack <gnoack at google.com>
---
tools/testing/selftests/landlock/fs_test.c | 62 ++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 09dd1eaac8a9..0f0899768fe7 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -3732,6 +3732,68 @@ TEST(memfd_ftruncate)
ASSERT_EQ(0, close(fd));
}
+/*
+ * Invokes ioctl(2) and returns its errno or 0.
+ * The provided fd needs to be a tty for this to work.
+ */
+static int test_tty_ioctl(int fd)
+{
+ struct winsize ws;
+
+ if (ioctl(fd, TIOCGWINSZ, &ws) < 0)
+ return errno;
+ return 0;
+}
+
+/*
+ * Attempt ioctl on /dev/tty0 and /dev/tty1,
+ * with file descriptors opened before and after landlocking.
+ */
+TEST_F_FORK(layout0, ioctl)
+{
+ const struct rule rules[] = {
+ {
+ .path = "/dev/tty1",
+ .access = LANDLOCK_ACCESS_FS_IOCTL,
+ },
+ /* Implicitly: No ioctl access on /dev/tty0. */
+ {},
+ };
+ const __u64 handled = LANDLOCK_ACCESS_FS_IOCTL;
+ int ruleset_fd;
+ int old_tty0_fd, tty0_fd, tty1_fd;
+
+ old_tty0_fd = open("/dev/tty0", O_RDWR);
+ ASSERT_LE(0, old_tty0_fd);
+
+ /* Checks that ioctl works before landlocking. */
+ EXPECT_EQ(0, test_tty_ioctl(old_tty0_fd));
+
+ /* Enable Landlock. */
+ ruleset_fd = create_ruleset(_metadata, handled, rules);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+
+ /* Checks that ioctl with existing FD works after landlocking. */
+ EXPECT_EQ(0, test_tty_ioctl(old_tty0_fd));
+
+ /* Checks that same ioctl fails when file is opened after landlocking. */
+ tty0_fd = open("/dev/tty0", O_RDWR);
+ ASSERT_LE(0, tty0_fd);
+ EXPECT_EQ(EACCES, test_tty_ioctl(tty0_fd));
+
+ /* Checks that same ioctl fails when file is opened after landlocking. */
+ tty1_fd = open("/dev/tty1", O_RDWR);
+ ASSERT_LE(0, tty1_fd);
+ EXPECT_EQ(0, test_tty_ioctl(tty1_fd));
+
+ /* Close all TTY file descriptors. */
+ ASSERT_EQ(0, close(old_tty0_fd));
+ ASSERT_EQ(0, close(tty0_fd));
+ ASSERT_EQ(0, close(tty1_fd));
+}
+
/* clang-format off */
FIXTURE(layout1_bind) {};
/* clang-format on */
--
2.41.0.162.gfafddb0af9-goog
More information about the Linux-security-module-archive
mailing list