[PATCH RFC 2/3] selftests/landlock: add cross-domain variants

Sat Jul 19 12:41:25 UTC 2025

Add scoped_cross_domain_variants.h providing shared test variants for
interactions between two independent Landlock domains. Current tests
only cover hierarchical (parent-child) relationships but miss the
case where unrelated processes establish peer domains.

The header defines four canonical variants:
  - none_to_none: both processes unrestricted
  - none_to_scoped: only accessor process scoped
  - scoped_to_none: only resource process scoped
  - scoped_to_scoped: both processes scoped (peer domains)

This abstraction will be shared across signal, abstract UNIX socket,
and future scope types (like memfd execution) to ensure comprehensive
cross-domain test coverage.

Signed-off-by: Abhinav Saxena <xandfury at gmail.com>
---
 .../landlock/scoped_cross_domain_variants.h        | 54 ++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/tools/testing/selftests/landlock/scoped_cross_domain_variants.h b/tools/testing/selftests/landlock/scoped_cross_domain_variants.h
new file mode 100644
index 000000000000..6068987a52c8
--- /dev/null
+++ b/tools/testing/selftests/landlock/scoped_cross_domain_variants.h
@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Landlock self-tests - cross-domain scope variants
+ *
+ * Provides one FIXTURE_VARIANT and the four canonical combinations
+ * (none->none, none->scoped, scoped->none, scoped->scoped). Every test that
+ * checks interactions between two independently created domains
+ * includes this header and iterates over the variants.
+ *
+ * Variant structure: which domain each side of the interaction lives in.
+ *   resource_domain  - process that creates/owns the resource
+ *   accessor_domain  - process that uses the resource
+ *
+ * Copyright © 2025 Abhinav Saxena <xandfury at gmail.com>
+ *
+ */
+
+FIXTURE_VARIANT(cross_domain_scope)
+{
+	enum sandbox_type resource_domain;
+	enum sandbox_type accessor_domain;
+};
+
+/* Four concrete combinations */
+FIXTURE_VARIANT_ADD(cross_domain_scope, none_to_none) {
+	.resource_domain = NO_SANDBOX,
+	.accessor_domain = NO_SANDBOX,
+};
+
+FIXTURE_VARIANT_ADD(cross_domain_scope, none_to_scoped) {
+	.resource_domain = NO_SANDBOX,
+	.accessor_domain = SCOPE_SANDBOX,
+};
+
+FIXTURE_VARIANT_ADD(cross_domain_scope, scoped_to_none) {
+	.resource_domain = SCOPE_SANDBOX,
+	.accessor_domain = NO_SANDBOX,
+};
+
+FIXTURE_VARIANT_ADD(cross_domain_scope, scoped_to_scoped) {
+	.resource_domain = SCOPE_SANDBOX,
+	.accessor_domain = SCOPE_SANDBOX,
+};
+
+/*
+ * Mapping reminder:
+ *   SIGNAL               resource = receiver    accessor = sender
+ *   ABSTRACT UNIX        resource = server      accessor = client
+ *   future scopes        resource = creator     accessor = user
+ *
+ * Only the accessor domain is enforced; tests therefore expect:
+ *   accessor NO_SANDBOX      -> ALLOW operation
+ *   accessor SCOPE_SANDBOX   -> DENY if resource is outside its domain
+ */

-- 
2.43.0


