From 924661f4beda6a647079237cc843df44626fc44b Mon Sep 17 00:00:00 2001
From: Mickaël Salaün
Date: Fri, 15 Dec 2023 13:16:47 +0100
Subject: sys/linux/test: add landlock_fs_ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This test covers regular file IOCTL checks handled in security/landlock/fs.c
Signed-off-by: Mickaël Salaün
---
sys/linux/test/landlock_fs_ioctl | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 sys/linux/test/landlock_fs_ioctl
(limited to 'sys/linux')
diff --git a/sys/linux/test/landlock_fs_ioctl b/sys/linux/test/landlock_fs_ioctl
new file mode 100644
index 000000000..bfdb3e916
--- /dev/null
+++ b/sys/linux/test/landlock_fs_ioctl
@@ -0,0 +1,26 @@
+# Makes a regular file.
+
+mknodat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x81c0, 0x0)
+
+# Creates a ruleset to restrict most filesystem IOCTLs: LANDLOCK_ACCESS_FS_IOCTL.
+
+r0 = landlock_create_ruleset(&AUTO={0x8000, 0x0}, AUTO, 0x0)
+
+# No need to close FDs for this test.
+
+# Enforces the first ruleset.
+
+prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
+landlock_restrict_self(r0, 0x0)
+
+# Opens file in read-write mode after sandboxing.
+
+r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x2, 0x0)
+
+# Denied FIOQSIZE IOCTL.
+
+ioctl(r1, 0x5460, 0x0) # EACCES
+
+# Allowed FIOCLEX IOCTL.
+
+ioctl(r1, 0x5451, 0x0)
-- cgit mrf-deployment
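Review bot: The read-write open of `./file0` goes through `openat$dir`, the directory-typed variant, although the test's own comments describe it as a regular file. Plain `openat` would match the intent, e.g. `r1 = openat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x2, 0x0)`; if the sibling Landlock tests use `openat$dir` for files by convention, keep it and say so in the comment. The raw command numbers 0x5460 and 0x5451 are the asm-generic values of FIOQSIZE and FIOCLEX, so on architectures that number these ioctls differently the denied/allowed expectations presumably would not hold, and the test may need an architecture restriction. A comment on why FIOCLEX stays allowed under a ruleset that handles 0x8000 would help a reader tell an intended exemption from an enforcement gap, for instance `# FIOCLEX only toggles the FD's close-on-exec flag and is expected to stay allowed.`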