From a2e1314e4dc6b1ae80dc161d947034813986999e Mon Sep 17 00:00:00 2001
From: Mickaël Salaün
Date: Wed, 27 Jan 2021 10:33:41 +0000
Subject: sys/linux/test: add landlock_layers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This test helps cover security/landlock/fs.c:check_access_path()

Signed-off-by: Mickaël Salaün
---
sys/linux/test/landlock_layers | 49 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 sys/linux/test/landlock_layers

(limited to 'sys/linux')

diff --git a/sys/linux/test/landlock_layers b/sys/linux/test/landlock_layers
new file mode 100644
index 000000000..fdc044963
--- /dev/null
+++ b/sys/linux/test/landlock_layers
@@ -0,0 +1,49 @@
+# Creates a file hierarchy.
+
+mkdirat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x1c0)
+mkdirat(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x1c0)
+
+# Creates a first ruleset to restrict file creation.
+
+r0 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0)
+r1 = openat$dir(0xffffffffffffff9c, &AUTO='./file0\x00', 0x200000, 0x0)
+landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r0, AUTO, &AUTO={0x100, r1}, 0x0)
+
+# No need to close FDs for this test.
+
+# Enforces the first ruleset.
+
+prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
+landlock_restrict_self(r0, 0x0)
+
+# Creates and remove a file: allowed by the first ruleset.
+
+mknodat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x81c0, 0x0)
+unlinkat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x0)
+
+# Tries to create a file: denied by the first ruleset.
+
+mknodat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x81c0, 0x0) # EACCES
+
+# Creates a second ruleset to restrict file removal.
+
+r2 = landlock_create_ruleset(&AUTO={0x20}, AUTO, 0x0)
+r3 = openat$dir(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x200000, 0x0)
+landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(r2, AUTO, &AUTO={0x20, r3}, 0x0)
+
+# Enforces the second ruleset.
+
+landlock_restrict_self(r2, 0x0)
+
+# Creates and remove files: allowed by both rulesets.
+
+mknodat(0xffffffffffffff9c, &AUTO='./file0/file0/file0\x00', 0x81c0, 0x0)
+unlinkat(0xffffffffffffff9c, &AUTO='./file0/file0/file0\x00', 0x0)
+
+# Creates a file: allowed by the first ruleset.
+
+mknodat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x81c0, 0x0)
+
+# Tries to remove a file: denied by the second ruleset.
+
+unlinkat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x0) # EACCES
-- 
cgit mrf-deployment
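Review bot: After the second `landlock_restrict_self(r2, 0x0)` the test never re-checks the first layer's denial, so it would still pass if stacking a ruleset loosened an earlier one. Repeating `mknodat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x81c0, 0x0) # EACCES` after that call would pin the property that each added layer can only narrow access. The access masks are also bare numbers; a comment next to each `landlock_create_ruleset` such as `# 0x100 is LANDLOCK_ACCESS_FS_MAKE_REG` and `# 0x20 is LANDLOCK_ACCESS_FS_REMOVE_FILE` (and noting that `0x200000` in `openat$dir` appears to be O_PATH) would let a reader check the values against the UAPI header. The final `unlinkat` is expected to fail, so `./file0/file1` is left behind under a ruleset that forbids removing it; it is worth confirming the test runner's cleanup happens outside the restricted process.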