From e2081262e70215eeca19da6dfbee917d78b449de Mon Sep 17 00:00:00 2001
From: Mickaël Salaün <mic@linux.microsoft.com>
Date: Wed, 17 Feb 2021 19:10:07 +0100
Subject: sys/linux/test: add landlock_fs_forbidden
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This test covers mount namespace manipulation forbidden in
security/landlock/fs.c

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
---
 sys/linux/test/landlock_fs_forbidden | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 sys/linux/test/landlock_fs_forbidden

(limited to 'sys/linux')

diff --git a/sys/linux/test/landlock_fs_forbidden b/sys/linux/test/landlock_fs_forbidden
new file mode 100644
index 000000000..29f70e848
--- /dev/null
+++ b/sys/linux/test/landlock_fs_forbidden
@@ -0,0 +1,39 @@
+# Access denied to whole syscalls, which return EPERM.
+#
+# Manipuling namespaces requires some privileges:
+# requires: -sandbox=setuid
+
+# Makes a private mount point for MS_MOVE.
+
+mkdirat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x1c0)
+mount$tmpfs(0x0, &AUTO='./file0\x00', &AUTO='tmpfs\x00', 0x0, 0x0)
+mount$bind(&AUTO='\x00', &AUTO='./file0\x00', &AUTO='pipefs\x00', 0x40000, 0x0)
+mkdirat(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x1c0)
+mount$tmpfs(0x0, &AUTO='./file0/file0\x00', &AUTO='tmpfs\x00', 0x0, 0x0)
+mkdirat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x1c0)
+
+# Creates a first ruleset to restrict execution.
+
+r0 = landlock_create_ruleset(&AUTO={0x1}, AUTO, 0x0)
+prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
+landlock_restrict_self(r0, 0x0)
+
+# Checks hook_sb_mount().
+
+mount$tmpfs(0x0, &AUTO='./file0/file1\x00', &AUTO='tmpfs\x00', 0x0, 0x0) # EPERM
+
+# Checks hook_sb_umount().
+
+umount2(&AUTO='./file0/file0\x00', 0x0) # EPERM
+
+# Checks hook_move_mount().
+
+move_mount(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x0) # EPERM
+
+# Checks hook_sb_remount().
+
+mount$bind(&AUTO='\x00', &AUTO='./file0/file0\x00', &AUTO='pipefs\x00', 0x21, 0x0) # EPERM
+
+# Checks hook_sb_pivotroot().
+
+pivot_root(&AUTO='./file0\x00', &AUTO='./file0/file0\x00') # EPERM
-- 
cgit mrf-deployment