diff options
| author | Mickaël Salaün <mic@linux.microsoft.com> | 2021-01-27 10:33:41 +0000 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2021-03-19 16:08:51 +0100 |
| commit | a2e1314e4dc6b1ae80dc161d947034813986999e (patch) | |
| tree | 7d1dc92861a70d875fb1ced5ab07e6170aa29477 /sys/linux | |
| parent | 0229717260806271dff5da89af0114fd2631b974 (diff) | |
sys/linux/test: add landlock_layers
This test helps cover security/landlock/fs.c:check_access_path()
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Diffstat (limited to 'sys/linux')
| -rw-r--r-- | sys/linux/test/landlock_layers | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/sys/linux/test/landlock_layers b/sys/linux/test/landlock_layers new file mode 100644 index 000000000..fdc044963 --- /dev/null +++ b/sys/linux/test/landlock_layers @@ -0,0 +1,49 @@ +# Creates a file hierarchy. + +mkdirat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x1c0) +mkdirat(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x1c0) + +# Creates a first ruleset to restrict file creation. + +r0 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0) +r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x200000, 0x0) +landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r0, AUTO, &AUTO={0x100, r1}, 0x0) + +# No need to close FDs for this test. + +# Enforces the first ruleset. + +prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1) +landlock_restrict_self(r0, 0x0) + +# Creates and remove a file: allowed by the first ruleset. + +mknodat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x81c0, 0x0) +unlinkat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x0) + +# Tries to create a file: denied by the first ruleset. + +mknodat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x81c0, 0x0) # EACCES + +# Creates a second ruleset to restrict file removal. + +r2 = landlock_create_ruleset(&AUTO={0x20}, AUTO, 0x0) +r3 = openat$dir(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x200000, 0x0) +landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r2, AUTO, &AUTO={0x20, r3}, 0x0) + +# Enforces the second ruleset. + +landlock_restrict_self(r2, 0x0) + +# Creates and remove files: allowed by both rulesets. + +mknodat(0xffffffffffffff9c, &AUTO='./file0/file0/file0\x00', 0x81c0, 0x0) +unlinkat(0xffffffffffffff9c, &AUTO='./file0/file0/file0\x00', 0x0) + +# Creates a file: allowed by the first ruleset. + +mknodat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x81c0, 0x0) + +# Tries to remove a file: denied by the second ruleset. + +unlinkat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x0) # EACCES |