[PATCH v6 6/9] landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX

Wed Mar 18 16:53:38 UTC 2026

On Sun, Mar 15, 2026 at 11:21:47PM +0100, Günther Noack wrote:
> Add an audit test to check that Landlock denials from
> LANDLOCK_ACCESS_FS_RESOLVE_UNIX result in audit logs in the expected
> format.  (There is one audit test for each filesystem access right, so
> we should add one for LANDLOCK_ACCESS_FS_RESOLVE_UNIX as well.)
> 
> Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
> ---
>  tools/testing/selftests/landlock/fs_test.c | 43 +++++++++++++++++++++-
>  1 file changed, 42 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
> index fdbb024da774..4198148e172f 100644
> --- a/tools/testing/selftests/landlock/fs_test.c
> +++ b/tools/testing/selftests/landlock/fs_test.c
> @@ -7538,7 +7538,8 @@ static const __u64 access_fs_16 =
>  	LANDLOCK_ACCESS_FS_MAKE_SYM |
>  	LANDLOCK_ACCESS_FS_REFER |
>  	LANDLOCK_ACCESS_FS_TRUNCATE |
> -	LANDLOCK_ACCESS_FS_IOCTL_DEV;
> +	LANDLOCK_ACCESS_FS_IOCTL_DEV |
> +	LANDLOCK_ACCESS_FS_RESOLVE_UNIX;

The variable access_fs_16 contains 16 access rights.  The idea was to
not need to change this variable with new FS access rights because the
tests should not change.  I guess that was not a good choice because
new tests like audit_layout1.resolve_unix may not change the result of
existing tests (and then improve coverage).  This variable can then be
replaced with ACCESS_ALL (in a dedicated patch please).  If we need
exceptions we can mask the problematic access rights (see
audit_layout1.ioctl_dev).

>  /* clang-format on */
>  
>  TEST_F(audit_layout1, execute_read)
> @@ -7983,6 +7984,46 @@ TEST_F(audit_layout1, ioctl_dev)
>  	EXPECT_EQ(1, records.domain);
>  }
>  
> +TEST_F(audit_layout1, resolve_unix)
> +{
> +	struct audit_records records;
> +	const char *const path = "sock";
> +	int srv_fd, cli_fd, status;
> +	pid_t child_pid;
> +
> +	srv_fd = set_up_named_unix_server(_metadata, SOCK_STREAM, path);
> +
> +	child_pid = fork();
> +	ASSERT_LE(0, child_pid);
> +	if (!child_pid) {
> +		drop_access_rights(_metadata,
> +				   &(struct landlock_ruleset_attr){
> +					   .handled_access_fs = access_fs_16,
> +				   });
> +
> +		cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
> +		ASSERT_LE(0, cli_fd);
> +		EXPECT_EQ(EACCES,
> +			  test_connect_named_unix(_metadata, cli_fd, path));
> +
> +		EXPECT_EQ(0, close(cli_fd));
> +		_exit(_metadata->exit_code);
> +	}
> +
> +	ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
> +	EXPECT_EQ(1, WIFEXITED(status));
> +	EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
> +
> +	EXPECT_EQ(0, matches_log_fs_extra(_metadata, self->audit_fd,
> +					  "fs\\.resolve_unix", path, NULL));
> +
> +	EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
> +	EXPECT_EQ(0, records.access);
> +	EXPECT_EQ(1, records.domain);
> +
> +	EXPECT_EQ(0, close(srv_fd));
> +}
> +
>  TEST_F(audit_layout1, mount)
>  {
>  	struct audit_records records;
> -- 
> 2.53.0
> 