[PATCH v13 02/10] selftests/landlock: Test IOCTL support
Mickaël Salaün
mic at digikod.net
Wed Mar 27 16:58:09 UTC 2024
On Wed, Mar 27, 2024 at 01:10:32PM +0000, Günther Noack wrote:
> Exercises Landlock's IOCTL feature in different combinations of
> handling and permitting the LANDLOCK_ACCESS_FS_IOCTL_DEV right, and in
> different combinations of using files and directories.
>
> Signed-off-by: Günther Noack <gnoack at google.com>
> ---
> tools/testing/selftests/landlock/fs_test.c | 227 ++++++++++++++++++++-
> 1 file changed, 224 insertions(+), 3 deletions(-)
>
> diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
> index 418ad745a5dd..8a72e26d4977 100644
> --- a/tools/testing/selftests/landlock/fs_test.c
> +++ b/tools/testing/selftests/landlock/fs_test.c
> @@ -8,6 +8,7 @@
> */
>
> #define _GNU_SOURCE
> +#include <asm/termbits.h>
> #include <fcntl.h>
> #include <linux/landlock.h>
> #include <linux/magic.h>
> @@ -15,6 +16,7 @@
> #include <stdio.h>
> #include <string.h>
> #include <sys/capability.h>
> +#include <sys/ioctl.h>
> #include <sys/mount.h>
> #include <sys/prctl.h>
> #include <sys/sendfile.h>
> @@ -23,6 +25,12 @@
> #include <sys/vfs.h>
> #include <unistd.h>
>
> +/*
> + * Intentionally included last to work around header conflict.
> + * See https://sourceware.org/glibc/wiki/Synchronizing_Headers.
> + */
> +#include <linux/fs.h>
> +
> #include "common.h"
>
> #ifndef renameat2
> @@ -737,6 +745,9 @@ static int create_ruleset(struct __test_metadata *const _metadata,
> }
>
> for (i = 0; rules[i].path; i++) {
> + if (!rules[i].access)
> + continue;
> +
> add_path_beneath(_metadata, ruleset_fd, rules[i].access,
> rules[i].path);
> }
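Review bot: The added `if (!rules[i].access) continue;` in the create_ruleset() loop carries no comment saying why table entries with an empty access mask are skipped. landlock_add_rule(2) rejects a rule whose allowed access is empty (ENOMSG), so the skip presumably lets a test table name a path that is granted no rights without tripping the helper. A one-line comment above the check would record that, for example `/* Skips entries without access rights: an empty rule cannot be added. */`. It may also be worth noting there that such an entry silently produces no rule, so that a mistyped zero mask in a table is easier to spot. The body of create_ruleset() starts and ends outside this hunk.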
> @@ -3445,7 +3456,7 @@ TEST_F_FORK(layout1, truncate_unhandled)
> LANDLOCK_ACCESS_FS_WRITE_FILE;
> int ruleset_fd;
>
> - /* Enable Landlock. */
> + /* Enables Landlock. */
> ruleset_fd = create_ruleset(_metadata, handled, rules);
>
> ASSERT_LE(0, ruleset_fd);
> @@ -3528,7 +3539,7 @@ TEST_F_FORK(layout1, truncate)
> LANDLOCK_ACCESS_FS_TRUNCATE;
> int ruleset_fd;
>
> - /* Enable Landlock. */
> + /* Enables Landlock. */
> ruleset_fd = create_ruleset(_metadata, handled, rules);
>
> ASSERT_LE(0, ruleset_fd);
> @@ -3754,7 +3765,7 @@ TEST_F_FORK(ftruncate, open_and_ftruncate)
> };
> int fd, ruleset_fd;
>
> - /* Enable Landlock. */
> + /* Enables Landlock. */
> ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
> ASSERT_LE(0, ruleset_fd);
> enforce_ruleset(_metadata, ruleset_fd);
> @@ -3831,6 +3842,16 @@ TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes)
> ASSERT_EQ(0, close(socket_fds[1]));
> }
>
> +/* Invokes the FS_IOC_GETFLAGS IOCTL and returns its errno or 0. */
> +static int test_fs_ioc_getflags_ioctl(int fd)
This function is not used by this patch, only by the next one.
You can catch this kind of issue with check-linux.sh from
https://github.com/landlock-lsm/landlock-test-tools
> +{
> + uint32_t flags;
> +
> + if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0)
> + return errno;
> + return 0;
> +}
> +