authorMickaël Salaün <mic@linux.microsoft.com>2023-12-15 13:16:47 +0100
committerAleksandr Nogikh <nogikh@google.com>2023-12-18 16:15:07 +0000
commit924661f4beda6a647079237cc843df44626fc44b (patch)
tree12cacad722e69865faab065bb485029e599af7d6 /sys/linux/test
parent6d8a48b8d86cd8f81373c1f2cd36a4a6f783d8d8 (diff)
sys/linux/test: add landlock_fs_ioctl
This test covers regular file IOCTL checks handled in security/landlock/fs.c. Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Diffstat (limited to 'sys/linux/test')
-rw-r--r--sys/linux/test/landlock_fs_ioctl26
1 files changed, 26 insertions, 0 deletions
diff --git a/sys/linux/test/landlock_fs_ioctl b/sys/linux/test/landlock_fs_ioctl
new file mode 100644
index 000000000..bfdb3e916
--- /dev/null
+++ b/sys/linux/test/landlock_fs_ioctl
@@ -0,0 +1,26 @@
+# Makes a regular file.
+
+mknodat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x81c0, 0x0)
+
+# Creates a ruleset to restrict most filesystem IOCTLs: LANDLOCK_ACCESS_FS_IOCTL.
+
+r0 = landlock_create_ruleset(&AUTO={0x8000, 0x0}, AUTO, 0x0)
+
+# No need to close FDs for this test.
+
+# Enforces the first ruleset.
+
+prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
+landlock_restrict_self(r0, 0x0)
+
+# Opens file in read-write mode after sandboxing.
+
+r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x2, 0x0)
+
+# Denied FIOQSIZE IOCTL.
+
+ioctl(r1, 0x5460, 0x0) # EACCES
+
+# Allowed FIOCLEX IOCTL.
+
+ioctl(r1, 0x5451, 0x0)
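Review bot: The raw constants in this test are not tied to the names the comments use, so a reader cannot verify them without the kernel headers: `0x8000` in the landlock_create_ruleset call is bit 15 of handled_access_fs, and `0x5460`/`0x5451` are the FIOQSIZE/FIOCLEX numbers of the generic ioctl layout, which as far as I know differ on architectures such as powerpc and mips. I would spell that out next to the call, e.g. `# handled_access_fs = 0x8000 (LANDLOCK_ACCESS_FS_IOCTL, bit 15); creation fails with EINVAL on kernels that do not know this bit.` Two smaller points: `# Enforces the first ruleset.` speaks of a first ruleset although only r0 is created, so `# Enforces the ruleset.` reads better, and the regular file is opened through the `openat$dir` variant, where plain `openat` would match what is being opened if the syscall descriptions allow it here. The ruleset also carries no rules, so only the deny path and the always-allowed FIOCLEX are exercised; a path rule granting the IOCTL right would cover the allow path as well.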