[PATCH v4 4/4] selftests/landlock: Add disconnected leafs and branch test suites

Thu Nov 27 16:49:45 UTC 2025

On Wed, Nov 26, 2025 at 08:11:57PM +0100, Mickaël Salaün wrote:
> Test disconnected directories with two test suites and 31 variants to
> cover the main corner cases.
> 
> These tests are complementary to the previous commit.
> 
> Add test_renameat() and test_exchangeat() helpers.
> 
> Test coverage for security/landlock is 92.1% of 1927 lines according to
> LLVM 20.
> 
> Cc: Günther Noack <gnoack at google.com>
> Cc: Song Liu <song at kernel.org>
> Cc: Tingmao Wang <m at maowtm.org>
> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> ---
> 
> Changes since v3:
> - Update tests to reflect the new approach:
>   * layout4_disconnected_leafs.s1d41_s1d42_disconnected: allow all
>   * layout4_disconnected_leafs.s3d1_s4d1_new_parent: allow all
>   * layout4_disconnected_leafs.f1_f2_f3: allow read
>   * layout5_disconnected_branch.s2d3_mount1_dst_parent: allow all
>   * layout5_disconnected_branch.s4d1_rename_parent: allow all
> - Update test coverage.
> 
> Changes since v2:
> - Update test coverage.
> 
> Changes since v1:
> - Rename layout4_disconnected to layout4_disconnected_leafs.
> - Fix variable names.
> - Add layout5_disconnected_branch test suite with 19 variants to cover
>   potential implementation issues.
> ---
>  tools/testing/selftests/landlock/fs_test.c | 912 +++++++++++++++++++++
>  1 file changed, 912 insertions(+)

> +/*
> + * layout5_disconnected_branch before rename:
> + *
> + * tmp
> + * ├── s1d1
> + * │   └── s1d2 [source of the first bind mount]
> + * │       └── s1d3
> + * │           ├── s1d41
> + * │           │   ├── f1
> + * │           │   └── f2
> + * │           └── s1d42
> + * │               ├── f3
> + * │               └── f4
> + * ├── s2d1
> + * │   └── s2d2 [source of the second bind mount]
> + * │       └── s2d3
> + * │           └── s2d4 [first s1d2 bind mount]
> + * │               └── s1d3
> + * │                   ├── s1d41
> + * │                   │   ├── f1
> + * │                   │   └── f2
> + * │                   └── s1d42
> + * │                       ├── f3
> + * │                       └── f4
> + * ├── s3d1
> + * │   └── s3d2 [second s2d2 bind mount]
> + * │       └── s2d3
> + * │           └── s2d4 [first s1d2 bind mount]
> + * │               └── s1d3
> + * │                   ├── s1d41
> + * │                   │   ├── f1
> + * │                   │   └── f2
> + * │                   └── s1d42
> + * │                       ├── f3
> + * │                       └── f4
> + * └── s4d1
> + *
> + * After rename:
> + *
> + * tmp
> + * ├── s1d1
> + * │   └── s1d2 [source of the first bind mount]
> + * │       └── s1d3
> + * │           ├── s1d41
> + * │           │   ├── f1
> + * │           │   └── f2
> + * │           └── s1d42
> + * │               ├── f3
> + * │               └── f4
> + * ├── s2d1
> + * │   └── s2d2 [source of the second bind mount]
> + * ├── s3d1
> + * │   └── s3d2 [second s2d2 bind mount]
> + * └── s4d1
> + *     └── s2d3 [renamed here]
> + *         └── s2d4 [first s1d2 bind mount]
> + *             └── s1d3
> + *                 ├── s1d41
> + *                 │   ├── f1
> + *                 │   └── f2
> + *                 └── s1d42
> + *                     ├── f3
> + *                     └── f4
> + *
> + * Decision path: s1d3 -> s1d2 -> s2d2 -> s3d1 -> tmp
> + * s2d3 is ignored, as well as the directories under the mount points.

I didn't update this comment, here is the new one:

 * Decision path for access from the s3d1/s3d2/s2d3/s2d4/s1d3 file descriptor:
 *   1. first bind mount:   s1d3 -> s1d2
 *   2. second bind mount:    s2d3
 *   3. tmp mount:              s4d1 -> tmp [disconnected branch]
 *   4. second bind mount:        s2d2
 *   5. tmp mount:                  s3d1 -> tmp
 *   6. parent mounts:                [...] -> /
 *
 * The s4d1 directory is evaluated even if it is not in the s2d2 mount.