[PATCH v11 4/9] selftests/landlock: Test IOCTL with memfds
Günther Noack
gnoack at google.com
Fri Mar 22 15:09:57 UTC 2024
Because the LANDLOCK_ACCESS_FS_IOCTL_DEV right is associated with the
opened file during open(2), IOCTLs are supposed to work with files
which are opened by means other than open(2).
Signed-off-by: Günther Noack <gnoack at google.com>
---
tools/testing/selftests/landlock/fs_test.c | 36 ++++++++++++++++------
1 file changed, 27 insertions(+), 9 deletions(-)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 22229fe3e403..32a77757462b 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -3850,20 +3850,38 @@ static int test_fs_ioc_getflags_ioctl(int fd)
return 0;
}
-TEST(memfd_ftruncate)
+TEST(memfd_ftruncate_and_ioctl)
{
- int fd;
-
- fd = memfd_create("name", MFD_CLOEXEC);
- ASSERT_LE(0, fd);
+ const struct landlock_ruleset_attr attr = {
+ .handled_access_fs = ACCESS_ALL,
+ };
+ int ruleset_fd, fd, i;
/*
- * Checks that ftruncate is permitted on file descriptors that are
- * created in ways other than open(2).
+ * We exercise the same test both with and without Landlock enabled, to
+ * ensure that it behaves the same in both cases.
*/
- EXPECT_EQ(0, test_ftruncate(fd));
+ for (i = 0; i < 2; i++) {
+ /* Creates a new memfd. */
+ fd = memfd_create("name", MFD_CLOEXEC);
+ ASSERT_LE(0, fd);
- ASSERT_EQ(0, close(fd));
+ /*
+ * Checks that operations associated with the opened file
+ * (ftruncate, ioctl) are permitted on file descriptors that are
+ * created in ways other than open(2).
+ */
+ EXPECT_EQ(0, test_ftruncate(fd));
+ EXPECT_EQ(0, test_fs_ioc_getflags_ioctl(fd));
+
+ ASSERT_EQ(0, close(fd));
+
+ /* Enables Landlock. */
+ ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+ }
}
static int test_fionread_ioctl(int fd)
--
2.44.0.396.g6e790dbe36-goog
More information about the Linux-security-module-archive
mailing list