[PATCH v4 4/6] landlock/selftests: Test named UNIX domain socket restrictions
Tingmao Wang
m at maowtm.org
Sun Feb 15 03:01:46 UTC 2026
On 2/9/26 17:29, Mickaël Salaün wrote:
> On Mon, Feb 09, 2026 at 12:10:14AM +0100, Günther Noack wrote:
>> * Exercise the access right for connect() and sendmsg() on named UNIX
>> domain sockets, in various combinations of Landlock domains and
>> socket types.
>> * Extract common helpers from an existing IOCTL test that
>> also uses pathname unix(7) sockets.
>>
>> The tested combinations are the cross product of these sets of fixture
>> fields:
>>
>> * {{.handled=RESOLVE_UNIX},
>> {.handled=RESOLVE_UNIX, .allowed=RESOLVE_UNIX}}
>> * {{.sock_type=SOCK_STREAM},
>> {.sock_type=SOCK_DGRAM},
>> {.sock_type=SOCK_DGRAM, .use_sendto=true},
>> {.sock_type=SOCK_SEQPACKET}}
>> * {{.server_in_same_domain=false},
>> {.server_in_same_domain=true}}
>
> It would improve test clarity to follow the same approach as Tingmao to
> check the scope, especially to use the scoped_base_variant.h:
> https://lore.kernel.org/all/88de5bed60b06ba97088d87803f7bb3dbcc9a808.1767115163.git.m@maowtm.org/
> Even if there is no more explicit scoped flag anymore, this test suite
> is still relevant.
>
> The fs_test.c part would then mostly check the
> LANDLOCK_ACCESS_FS_RESOLVE_UNIX rules/exceptions.
>
Günther, if you have not already started working on this but agrees with
the suggestion here, I'm happy to take a stab at rebasing the relevant
selftests patches in the scope series to test this new series.
Kind regards,
Tingmao
More information about the Linux-security-module-archive
mailing list