[PATCH 2/3] selftests/landlock: Print a warning about directory permissions
Tingmao Wang
m at maowtm.org
Sat May 24 17:56:33 UTC 2025
Because we drop capabilities (most importantly, CAP_DAC_OVERRIDE), if a
user runs the selftests under a Linux source checked out by a non-root
user, the test will fail even when run under sudo, and will print a
"Permission denied" error. This creates a confusing situation if they
do not realize that the test drops capabilities, and can mislead users
into thinking there's something wrong with the test or landlock.
This patch produces output that looks like:
# # RUN layout0.ruleset_with_unknown_access ...
# # fs_test.c:240:ruleset_with_unknown_access:Expected 0 (0) == mkdir(path, 0700) (-1)
# # fs_test.c:244:ruleset_with_unknown_access:Failed to create directory "tmp": Permission denied
# # fs_test.c:230:ruleset_with_unknown_access:Hint: fs_tests requires permissions for uid 0 on test directory /home/mao/landlock-selftests/tools/testing/selftests/landlock and files under it (even when running as root).
# # fs_test.c:232:ruleset_with_unknown_access: Try chmod a+rwX -R /home/mao/landlock-selftests/tools/testing/selftests/landlock
# # ruleset_with_unknown_access: Test terminated by assertion
# # FAIL layout0.ruleset_with_unknown_access
Signed-off-by: Tingmao Wang <m at maowtm.org>
---
tools/testing/selftests/landlock/fs_test.c | 35 +++++++++++++++++++---
1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index e65e6cc80e22..21ed8afcc060 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -216,14 +216,37 @@ static void mkdir_parents(struct __test_metadata *const _metadata,
free(walker);
}
+static void
+maybe_warn_about_permission_on_cwd(struct __test_metadata *const _metadata,
+ int err)
+{
+ char abspath_buf[255];
+
+ if (err == EACCES) {
+ const char *realp = realpath(".", abspath_buf);
+ if (realp == NULL) {
+ realp = ".";
+ }
+ TH_LOG("Hint: fs_tests requires permissions for uid %u on test directory %s and files under it (even when running as root).",
+ getuid(), realp);
+ TH_LOG(" Try chmod a+rwX -R %s", realp);
+ }
+}
+
static void create_directory(struct __test_metadata *const _metadata,
const char *const path)
{
mkdir_parents(_metadata, path);
ASSERT_EQ(0, mkdir(path, 0700))
{
+ int err = errno;
+
TH_LOG("Failed to create directory \"%s\": %s", path,
- strerror(errno));
+ strerror(err));
+
+ if (strcmp(path, TMP_DIR) == 0) {
+ maybe_warn_about_permission_on_cwd(_metadata, err);
+ }
}
}
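Review bot: In maybe_warn_about_permission_on_cwd(), `char abspath_buf[255]` is passed to `realpath(".", abspath_buf)`, but realpath() with a caller-supplied buffer may write up to PATH_MAX bytes, so a checkout whose resolved path is longer than 254 bytes would overrun this stack buffer. Declare it as `char abspath_buf[PATH_MAX];` (the include list is outside this hunk, so check that `<limits.h>` is available), or call `realpath(".", NULL)` and free the result. Separately, the hint's `chmod a+rwX -R` makes the whole test directory world-writable. Since the message already names the uid that needs access, a narrower suggestion or a short comment explaining why the broad mode is acceptable for a test checkout would be worth adding.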
@@ -1985,18 +2008,22 @@ TEST_F_FORK(layout1, relative_chroot_chdir)
static void copy_file(struct __test_metadata *const _metadata,
const char *const src_path, const char *const dst_path)
{
- int dst_fd, src_fd;
+ int dst_fd, src_fd, err;
struct stat statbuf;
dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC);
ASSERT_LE(0, dst_fd)
{
- TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(errno));
+ err = errno;
+ TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(err));
+ maybe_warn_about_permission_on_cwd(_metadata, err);
}
src_fd = open(src_path, O_RDONLY | O_CLOEXEC);
ASSERT_LE(0, src_fd)
{
- TH_LOG("Failed to open \"%s\": %s", src_path, strerror(errno));
+ err = errno;
+ TH_LOG("Failed to open \"%s\": %s", src_path, strerror(err));
+ maybe_warn_about_permission_on_cwd(_metadata, err);
}
ASSERT_EQ(0, fstat(src_fd, &statbuf));
ASSERT_EQ(statbuf.st_size,
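Review bot: Both open() failure branches in copy_file() call maybe_warn_about_permission_on_cwd() on any EACCES, yet the hint always names the current working directory, not the path that failed. create_directory() in the first hunk gates the same call on `strcmp(path, TMP_DIR) == 0`, but here it is unconditional. The callers are outside this hunk, so whether `src_path` and `dst_path` always sit under the test directory cannot be confirmed here; if they can point elsewhere, the hint would send the user to the wrong directory. A one-line comment such as `/* src/dst are expected to live under the selftest directory, so EACCES here most likely comes from its ownership */` would document the assumption. copy_file()'s body continues past the end of the hunk.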
--
2.49.0