[PATCH v5 5/9] landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX

Günther Noack gnoack3000 at gmail.com
Sun Feb 15 10:51:53 UTC 2026


Add an audit test to check that Landlock denials from
LANDLOCK_ACCESS_FS_RESOLVE_UNIX result in audit logs in the expected
format.  (There is one audit test for each filesystem access right, so
we should add one for LANDLOCK_ACCESS_FS_RESOLVE_UNIX as well.)

Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
---
 tools/testing/selftests/landlock/fs_test.c | 42 +++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index bdeff2e0e029..8fa9d7c49ac3 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -7530,7 +7530,8 @@ static const __u64 access_fs_16 =
 	LANDLOCK_ACCESS_FS_MAKE_SYM |
 	LANDLOCK_ACCESS_FS_REFER |
 	LANDLOCK_ACCESS_FS_TRUNCATE |
-	LANDLOCK_ACCESS_FS_IOCTL_DEV;
+	LANDLOCK_ACCESS_FS_IOCTL_DEV |
+	LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
 /* clang-format on */
 
 TEST_F(audit_layout1, execute_read)
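Review bot: The name `access_fs_16` no longer describes the mask once `LANDLOCK_ACCESS_FS_RESOLVE_UNIX` is OR-ed in at the added line: the sixteen rights it held before (EXECUTE through IOCTL_DEV) appear to be exactly the sixteen filesystem access rights, so the identifier now undercounts by one. If the suffix really is the count of rights, a follow-up rename across its users (e.g. `access_fs_17`, or a count-independent name such as `access_fs_all`) would keep the audit tests readable; if it means something else, a one-line comment above the definition such as `/* All handled filesystem access rights used by the audit tests. */` would settle the question for the next reader. The definition's opening lines are outside this hunk.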
@@ -7975,6 +7976,45 @@ TEST_F(audit_layout1, ioctl_dev)
 	EXPECT_EQ(1, records.domain);
 }
 
+TEST_F(audit_layout1, resolve_unix)
+{
+	struct audit_records records;
+	const char *const path = "sock";
+	int srv_fd, cli_fd, status;
+	pid_t child_pid;
+
+	srv_fd = set_up_named_unix_server(_metadata, SOCK_STREAM, path);
+
+	child_pid = fork();
+	ASSERT_LE(0, child_pid);
+	if (!child_pid) {
+		drop_access_rights(_metadata,
+				   &(struct landlock_ruleset_attr){
+					   .handled_access_fs = access_fs_16,
+				   });
+
+		cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+		ASSERT_LE(0, cli_fd);
+		EXPECT_EQ(EACCES, test_connect_named_unix(cli_fd, path));
+
+		EXPECT_EQ(0, close(cli_fd));
+		_exit(_metadata->exit_code);
+	}
+
+	ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
+	EXPECT_EQ(1, WIFEXITED(status));
+	EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
+
+	EXPECT_EQ(0, matches_log_fs_extra(_metadata, self->audit_fd,
+					  "fs\\.resolve_unix", path, NULL));
+
+	EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
+	EXPECT_EQ(0, records.access);
+	EXPECT_EQ(1, records.domain);
+
+	EXPECT_EQ(0, close(srv_fd));
+}
+
 TEST_F(audit_layout1, mount)
 {
 	struct audit_records records;
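Review bot: The server socket's filesystem entry is never removed: the test closes `srv_fd` on its last line but there is no `unlink(path)`, and any `ASSERT_*` failure in the parent skips even that `close()`. Whether this matters depends on `set_up_named_unix_server` and the `audit_layout1` fixture, both outside this hunk; if the fixture does not tear the tree down between tests, a leftover `sock` entry could make a later `bind()` on the same path fail. Adding `EXPECT_EQ(0, unlink(path));` after `EXPECT_EQ(0, close(srv_fd));` keeps the cleanup local to the test. A one-line comment above `fork()` such as `/* The child runs under a domain that handles RESOLVE_UNIX; its denied connect() is expected to log one fs.resolve_unix record naming the socket path. */` would also state the expected audit record, which the `matches_log_fs_extra()` call otherwise leaves implicit.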
-- 
2.52.0



