1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Landlock tests - Filesystem |
4 | * |
5 | * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> |
6 | * Copyright © 2020 ANSSI |
7 | * Copyright © 2020-2022 Microsoft Corporation |
8 | */ |
9 | |
10 | #define _GNU_SOURCE |
11 | #include <fcntl.h> |
12 | #include <linux/landlock.h> |
13 | #include <linux/magic.h> |
14 | #include <sched.h> |
15 | #include <stdio.h> |
16 | #include <string.h> |
17 | #include <sys/capability.h> |
18 | #include <sys/mount.h> |
19 | #include <sys/prctl.h> |
20 | #include <sys/sendfile.h> |
21 | #include <sys/stat.h> |
22 | #include <sys/sysmacros.h> |
23 | #include <sys/vfs.h> |
24 | #include <unistd.h> |
25 | |
26 | #include "common.h" |
27 | |
28 | #ifndef renameat2 |
29 | int renameat2(int olddirfd, const char *oldpath, int newdirfd, |
30 | const char *newpath, unsigned int flags) |
31 | { |
32 | return syscall(__NR_renameat2, olddirfd, oldpath, newdirfd, newpath, |
33 | flags); |
34 | } |
35 | #endif |
36 | |
37 | #ifndef RENAME_EXCHANGE |
38 | #define RENAME_EXCHANGE (1 << 1) |
39 | #endif |
40 | |
41 | #define TMP_DIR "tmp" |
42 | #define BINARY_PATH "./true" |
43 | |
44 | /* Paths (sibling number and depth) */ |
45 | static const char dir_s1d1[] = TMP_DIR "/s1d1" ; |
46 | static const char file1_s1d1[] = TMP_DIR "/s1d1/f1" ; |
47 | static const char file2_s1d1[] = TMP_DIR "/s1d1/f2" ; |
48 | static const char dir_s1d2[] = TMP_DIR "/s1d1/s1d2" ; |
49 | static const char file1_s1d2[] = TMP_DIR "/s1d1/s1d2/f1" ; |
50 | static const char file2_s1d2[] = TMP_DIR "/s1d1/s1d2/f2" ; |
51 | static const char dir_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3" ; |
52 | static const char file1_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f1" ; |
53 | static const char file2_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f2" ; |
54 | |
55 | static const char dir_s2d1[] = TMP_DIR "/s2d1" ; |
56 | static const char file1_s2d1[] = TMP_DIR "/s2d1/f1" ; |
57 | static const char dir_s2d2[] = TMP_DIR "/s2d1/s2d2" ; |
58 | static const char file1_s2d2[] = TMP_DIR "/s2d1/s2d2/f1" ; |
59 | static const char dir_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3" ; |
60 | static const char file1_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f1" ; |
61 | static const char file2_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f2" ; |
62 | |
63 | static const char dir_s3d1[] = TMP_DIR "/s3d1" ; |
64 | static const char file1_s3d1[] = TMP_DIR "/s3d1/f1" ; |
65 | /* dir_s3d2 is a mount point. */ |
66 | static const char dir_s3d2[] = TMP_DIR "/s3d1/s3d2" ; |
67 | static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3" ; |
68 | |
69 | /* |
70 | * layout1 hierarchy: |
71 | * |
72 | * tmp |
73 | * ├── s1d1 |
74 | * │ ├── f1 |
75 | * │ ├── f2 |
76 | * │ └── s1d2 |
77 | * │ ├── f1 |
78 | * │ ├── f2 |
79 | * │ └── s1d3 |
80 | * │ ├── f1 |
81 | * │ └── f2 |
82 | * ├── s2d1 |
83 | * │ ├── f1 |
84 | * │ └── s2d2 |
85 | * │ ├── f1 |
86 | * │ └── s2d3 |
87 | * │ ├── f1 |
88 | * │ └── f2 |
89 | * └── s3d1 |
90 | * ├── f1 |
91 | * └── s3d2 |
92 | * └── s3d3 |
93 | */ |
94 | |
95 | static bool fgrep(FILE *const inf, const char *const str) |
96 | { |
97 | char line[32]; |
98 | const int slen = strlen(str); |
99 | |
100 | while (!feof(inf)) { |
101 | if (!fgets(line, sizeof(line), inf)) |
102 | break; |
103 | if (strncmp(line, str, slen)) |
104 | continue; |
105 | |
106 | return true; |
107 | } |
108 | |
109 | return false; |
110 | } |
111 | |
112 | static bool supports_filesystem(const char *const filesystem) |
113 | { |
114 | char str[32]; |
115 | int len; |
116 | bool res = true; |
117 | FILE *const inf = fopen("/proc/filesystems" , "r" ); |
118 | |
119 | /* |
120 | * Consider that the filesystem is supported if we cannot get the |
121 | * supported ones. |
122 | */ |
123 | if (!inf) |
124 | return true; |
125 | |
126 | /* filesystem can be null for bind mounts. */ |
127 | if (!filesystem) |
128 | goto out; |
129 | |
130 | len = snprintf(str, sizeof(str), "nodev\t%s\n" , filesystem); |
131 | if (len >= sizeof(str)) |
132 | /* Ignores too-long filesystem names. */ |
133 | goto out; |
134 | |
135 | res = fgrep(inf, str); |
136 | |
137 | out: |
138 | fclose(inf); |
139 | return res; |
140 | } |
141 | |
142 | static bool cwd_matches_fs(unsigned int fs_magic) |
143 | { |
144 | struct statfs statfs_buf; |
145 | |
146 | if (!fs_magic) |
147 | return true; |
148 | |
149 | if (statfs("." , &statfs_buf)) |
150 | return true; |
151 | |
152 | return statfs_buf.f_type == fs_magic; |
153 | } |
154 | |
155 | static void mkdir_parents(struct __test_metadata *const _metadata, |
156 | const char *const path) |
157 | { |
158 | char *walker; |
159 | const char *parent; |
160 | int i, err; |
161 | |
162 | ASSERT_NE(path[0], '\0'); |
163 | walker = strdup(path); |
164 | ASSERT_NE(NULL, walker); |
165 | parent = walker; |
166 | for (i = 1; walker[i]; i++) { |
167 | if (walker[i] != '/') |
168 | continue; |
169 | walker[i] = '\0'; |
170 | err = mkdir(parent, 0700); |
171 | ASSERT_FALSE(err && errno != EEXIST) |
172 | { |
173 | TH_LOG("Failed to create directory \"%s\": %s" , parent, |
174 | strerror(errno)); |
175 | } |
176 | walker[i] = '/'; |
177 | } |
178 | free(walker); |
179 | } |
180 | |
181 | static void create_directory(struct __test_metadata *const _metadata, |
182 | const char *const path) |
183 | { |
184 | mkdir_parents(_metadata, path); |
185 | ASSERT_EQ(0, mkdir(path, 0700)) |
186 | { |
187 | TH_LOG("Failed to create directory \"%s\": %s" , path, |
188 | strerror(errno)); |
189 | } |
190 | } |
191 | |
192 | static void create_file(struct __test_metadata *const _metadata, |
193 | const char *const path) |
194 | { |
195 | mkdir_parents(_metadata, path); |
196 | ASSERT_EQ(0, mknod(path, S_IFREG | 0700, 0)) |
197 | { |
198 | TH_LOG("Failed to create file \"%s\": %s" , path, |
199 | strerror(errno)); |
200 | } |
201 | } |
202 | |
203 | static int remove_path(const char *const path) |
204 | { |
205 | char *walker; |
206 | int i, ret, err = 0; |
207 | |
208 | walker = strdup(path); |
209 | if (!walker) { |
210 | err = ENOMEM; |
211 | goto out; |
212 | } |
213 | if (unlink(path) && rmdir(path)) { |
214 | if (errno != ENOENT && errno != ENOTDIR) |
215 | err = errno; |
216 | goto out; |
217 | } |
218 | for (i = strlen(walker); i > 0; i--) { |
219 | if (walker[i] != '/') |
220 | continue; |
221 | walker[i] = '\0'; |
222 | ret = rmdir(walker); |
223 | if (ret) { |
224 | if (errno != ENOTEMPTY && errno != EBUSY) |
225 | err = errno; |
226 | goto out; |
227 | } |
228 | if (strcmp(walker, TMP_DIR) == 0) |
229 | goto out; |
230 | } |
231 | |
232 | out: |
233 | free(walker); |
234 | return err; |
235 | } |
236 | |
237 | struct mnt_opt { |
238 | const char *const source; |
239 | const char *const type; |
240 | const unsigned long flags; |
241 | const char *const data; |
242 | }; |
243 | |
244 | #define MNT_TMP_DATA "size=4m,mode=700" |
245 | |
246 | static const struct mnt_opt mnt_tmp = { |
247 | .type = "tmpfs" , |
248 | .data = MNT_TMP_DATA, |
249 | }; |
250 | |
251 | static int mount_opt(const struct mnt_opt *const mnt, const char *const target) |
252 | { |
253 | return mount(mnt->source ?: mnt->type, target, mnt->type, mnt->flags, |
254 | mnt->data); |
255 | } |
256 | |
257 | static void prepare_layout_opt(struct __test_metadata *const _metadata, |
258 | const struct mnt_opt *const mnt) |
259 | { |
260 | disable_caps(_metadata); |
261 | umask(0077); |
262 | create_directory(_metadata, TMP_DIR); |
263 | |
264 | /* |
265 | * Do not pollute the rest of the system: creates a private mount point |
266 | * for tests relying on pivot_root(2) and move_mount(2). |
267 | */ |
268 | set_cap(_metadata, CAP_SYS_ADMIN); |
269 | ASSERT_EQ(0, unshare(CLONE_NEWNS | CLONE_NEWCGROUP)); |
270 | ASSERT_EQ(0, mount_opt(mnt, TMP_DIR)) |
271 | { |
272 | TH_LOG("Failed to mount the %s filesystem: %s" , mnt->type, |
273 | strerror(errno)); |
274 | /* |
275 | * FIXTURE_TEARDOWN() is not called when FIXTURE_SETUP() |
276 | * failed, so we need to explicitly do a minimal cleanup to |
277 | * avoid cascading errors with other tests that don't depend on |
278 | * the same filesystem. |
279 | */ |
280 | remove_path(TMP_DIR); |
281 | } |
282 | ASSERT_EQ(0, mount(NULL, TMP_DIR, NULL, MS_PRIVATE | MS_REC, NULL)); |
283 | clear_cap(_metadata, CAP_SYS_ADMIN); |
284 | } |
285 | |
286 | static void prepare_layout(struct __test_metadata *const _metadata) |
287 | { |
288 | _metadata->teardown_parent = true; |
289 | |
290 | prepare_layout_opt(_metadata, mnt: &mnt_tmp); |
291 | } |
292 | |
293 | static void cleanup_layout(struct __test_metadata *const _metadata) |
294 | { |
295 | set_cap(_metadata, CAP_SYS_ADMIN); |
296 | EXPECT_EQ(0, umount(TMP_DIR)); |
297 | clear_cap(_metadata, CAP_SYS_ADMIN); |
298 | EXPECT_EQ(0, remove_path(TMP_DIR)); |
299 | } |
300 | |
301 | /* clang-format off */ |
302 | FIXTURE(layout0) {}; |
303 | /* clang-format on */ |
304 | |
305 | FIXTURE_SETUP(layout0) |
306 | { |
307 | prepare_layout(_metadata); |
308 | } |
309 | |
310 | FIXTURE_TEARDOWN(layout0) |
311 | { |
312 | cleanup_layout(_metadata); |
313 | } |
314 | |
315 | static void create_layout1(struct __test_metadata *const _metadata) |
316 | { |
317 | create_file(_metadata, path: file1_s1d1); |
318 | create_file(_metadata, path: file1_s1d2); |
319 | create_file(_metadata, path: file1_s1d3); |
320 | create_file(_metadata, path: file2_s1d1); |
321 | create_file(_metadata, path: file2_s1d2); |
322 | create_file(_metadata, path: file2_s1d3); |
323 | |
324 | create_file(_metadata, path: file1_s2d1); |
325 | create_file(_metadata, path: file1_s2d2); |
326 | create_file(_metadata, path: file1_s2d3); |
327 | create_file(_metadata, path: file2_s2d3); |
328 | |
329 | create_file(_metadata, path: file1_s3d1); |
330 | create_directory(_metadata, path: dir_s3d2); |
331 | set_cap(_metadata, CAP_SYS_ADMIN); |
332 | ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2)); |
333 | clear_cap(_metadata, CAP_SYS_ADMIN); |
334 | |
335 | ASSERT_EQ(0, mkdir(dir_s3d3, 0700)); |
336 | } |
337 | |
338 | static void remove_layout1(struct __test_metadata *const _metadata) |
339 | { |
340 | EXPECT_EQ(0, remove_path(file2_s1d3)); |
341 | EXPECT_EQ(0, remove_path(file2_s1d2)); |
342 | EXPECT_EQ(0, remove_path(file2_s1d1)); |
343 | EXPECT_EQ(0, remove_path(file1_s1d3)); |
344 | EXPECT_EQ(0, remove_path(file1_s1d2)); |
345 | EXPECT_EQ(0, remove_path(file1_s1d1)); |
346 | EXPECT_EQ(0, remove_path(dir_s1d3)); |
347 | |
348 | EXPECT_EQ(0, remove_path(file2_s2d3)); |
349 | EXPECT_EQ(0, remove_path(file1_s2d3)); |
350 | EXPECT_EQ(0, remove_path(file1_s2d2)); |
351 | EXPECT_EQ(0, remove_path(file1_s2d1)); |
352 | EXPECT_EQ(0, remove_path(dir_s2d2)); |
353 | |
354 | EXPECT_EQ(0, remove_path(file1_s3d1)); |
355 | EXPECT_EQ(0, remove_path(dir_s3d3)); |
356 | set_cap(_metadata, CAP_SYS_ADMIN); |
357 | umount(dir_s3d2); |
358 | clear_cap(_metadata, CAP_SYS_ADMIN); |
359 | EXPECT_EQ(0, remove_path(dir_s3d2)); |
360 | } |
361 | |
362 | /* clang-format off */ |
363 | FIXTURE(layout1) {}; |
364 | /* clang-format on */ |
365 | |
366 | FIXTURE_SETUP(layout1) |
367 | { |
368 | prepare_layout(_metadata); |
369 | |
370 | create_layout1(_metadata); |
371 | } |
372 | |
373 | FIXTURE_TEARDOWN(layout1) |
374 | { |
375 | remove_layout1(_metadata); |
376 | |
377 | cleanup_layout(_metadata); |
378 | } |
379 | |
380 | /* |
381 | * This helper enables to use the ASSERT_* macros and print the line number |
382 | * pointing to the test caller. |
383 | */ |
384 | static int test_open_rel(const int dirfd, const char *const path, |
385 | const int flags) |
386 | { |
387 | int fd; |
388 | |
389 | /* Works with file and directories. */ |
390 | fd = openat(dirfd, path, flags | O_CLOEXEC); |
391 | if (fd < 0) |
392 | return errno; |
393 | /* |
394 | * Mixing error codes from close(2) and open(2) should not lead to any |
395 | * (access type) confusion for this test. |
396 | */ |
397 | if (close(fd) != 0) |
398 | return errno; |
399 | return 0; |
400 | } |
401 | |
402 | static int test_open(const char *const path, const int flags) |
403 | { |
404 | return test_open_rel(AT_FDCWD, path, flags); |
405 | } |
406 | |
407 | TEST_F_FORK(layout1, no_restriction) |
408 | { |
409 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); |
410 | ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); |
411 | ASSERT_EQ(0, test_open(file2_s1d1, O_RDONLY)); |
412 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); |
413 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
414 | ASSERT_EQ(0, test_open(file2_s1d2, O_RDONLY)); |
415 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); |
416 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
417 | |
418 | ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY)); |
419 | ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY)); |
420 | ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY)); |
421 | ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY)); |
422 | ASSERT_EQ(0, test_open(dir_s2d3, O_RDONLY)); |
423 | ASSERT_EQ(0, test_open(file1_s2d3, O_RDONLY)); |
424 | |
425 | ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY)); |
426 | ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY)); |
427 | ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY)); |
428 | } |
429 | |
430 | TEST_F_FORK(layout1, inval) |
431 | { |
432 | struct landlock_path_beneath_attr path_beneath = { |
433 | .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | |
434 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
435 | .parent_fd = -1, |
436 | }; |
437 | struct landlock_ruleset_attr ruleset_attr = { |
438 | .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | |
439 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
440 | }; |
441 | int ruleset_fd; |
442 | |
443 | path_beneath.parent_fd = |
444 | open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC); |
445 | ASSERT_LE(0, path_beneath.parent_fd); |
446 | |
447 | ruleset_fd = open(dir_s1d1, O_PATH | O_DIRECTORY | O_CLOEXEC); |
448 | ASSERT_LE(0, ruleset_fd); |
449 | ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
450 | &path_beneath, 0)); |
451 | /* Returns EBADF because ruleset_fd is not a landlock-ruleset FD. */ |
452 | ASSERT_EQ(EBADF, errno); |
453 | ASSERT_EQ(0, close(ruleset_fd)); |
454 | |
455 | ruleset_fd = open(dir_s1d1, O_DIRECTORY | O_CLOEXEC); |
456 | ASSERT_LE(0, ruleset_fd); |
457 | ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
458 | &path_beneath, 0)); |
459 | /* Returns EBADFD because ruleset_fd is not a valid ruleset. */ |
460 | ASSERT_EQ(EBADFD, errno); |
461 | ASSERT_EQ(0, close(ruleset_fd)); |
462 | |
463 | /* Gets a real ruleset. */ |
464 | ruleset_fd = |
465 | landlock_create_ruleset(attr: &ruleset_attr, size: sizeof(ruleset_attr), flags: 0); |
466 | ASSERT_LE(0, ruleset_fd); |
467 | ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
468 | &path_beneath, 0)); |
469 | ASSERT_EQ(0, close(path_beneath.parent_fd)); |
470 | |
471 | /* Tests without O_PATH. */ |
472 | path_beneath.parent_fd = open(dir_s1d2, O_DIRECTORY | O_CLOEXEC); |
473 | ASSERT_LE(0, path_beneath.parent_fd); |
474 | ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
475 | &path_beneath, 0)); |
476 | ASSERT_EQ(0, close(path_beneath.parent_fd)); |
477 | |
478 | /* Tests with a ruleset FD. */ |
479 | path_beneath.parent_fd = ruleset_fd; |
480 | ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
481 | &path_beneath, 0)); |
482 | ASSERT_EQ(EBADFD, errno); |
483 | |
484 | /* Checks unhandled allowed_access. */ |
485 | path_beneath.parent_fd = |
486 | open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC); |
487 | ASSERT_LE(0, path_beneath.parent_fd); |
488 | |
489 | /* Test with legitimate values. */ |
490 | path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_EXECUTE; |
491 | ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
492 | &path_beneath, 0)); |
493 | ASSERT_EQ(EINVAL, errno); |
494 | path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE; |
495 | |
496 | /* Tests with denied-by-default access right. */ |
497 | path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_REFER; |
498 | ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
499 | &path_beneath, 0)); |
500 | ASSERT_EQ(EINVAL, errno); |
501 | path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER; |
502 | |
503 | /* Test with unknown (64-bits) value. */ |
504 | path_beneath.allowed_access |= (1ULL << 60); |
505 | ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
506 | &path_beneath, 0)); |
507 | ASSERT_EQ(EINVAL, errno); |
508 | path_beneath.allowed_access &= ~(1ULL << 60); |
509 | |
510 | /* Test with no access. */ |
511 | path_beneath.allowed_access = 0; |
512 | ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
513 | &path_beneath, 0)); |
514 | ASSERT_EQ(ENOMSG, errno); |
515 | path_beneath.allowed_access &= ~(1ULL << 60); |
516 | |
517 | ASSERT_EQ(0, close(path_beneath.parent_fd)); |
518 | |
519 | /* Enforces the ruleset. */ |
520 | ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); |
521 | ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0)); |
522 | |
523 | ASSERT_EQ(0, close(ruleset_fd)); |
524 | } |
525 | |
526 | /* clang-format off */ |
527 | |
528 | #define ACCESS_FILE ( \ |
529 | LANDLOCK_ACCESS_FS_EXECUTE | \ |
530 | LANDLOCK_ACCESS_FS_WRITE_FILE | \ |
531 | LANDLOCK_ACCESS_FS_READ_FILE | \ |
532 | LANDLOCK_ACCESS_FS_TRUNCATE) |
533 | |
534 | #define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE |
535 | |
536 | #define ACCESS_ALL ( \ |
537 | ACCESS_FILE | \ |
538 | LANDLOCK_ACCESS_FS_READ_DIR | \ |
539 | LANDLOCK_ACCESS_FS_REMOVE_DIR | \ |
540 | LANDLOCK_ACCESS_FS_REMOVE_FILE | \ |
541 | LANDLOCK_ACCESS_FS_MAKE_CHAR | \ |
542 | LANDLOCK_ACCESS_FS_MAKE_DIR | \ |
543 | LANDLOCK_ACCESS_FS_MAKE_REG | \ |
544 | LANDLOCK_ACCESS_FS_MAKE_SOCK | \ |
545 | LANDLOCK_ACCESS_FS_MAKE_FIFO | \ |
546 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ |
547 | LANDLOCK_ACCESS_FS_MAKE_SYM | \ |
548 | LANDLOCK_ACCESS_FS_REFER) |
549 | |
550 | /* clang-format on */ |
551 | |
552 | TEST_F_FORK(layout1, file_and_dir_access_rights) |
553 | { |
554 | __u64 access; |
555 | int err; |
556 | struct landlock_path_beneath_attr path_beneath_file = {}, |
557 | path_beneath_dir = {}; |
558 | struct landlock_ruleset_attr ruleset_attr = { |
559 | .handled_access_fs = ACCESS_ALL, |
560 | }; |
561 | const int ruleset_fd = |
562 | landlock_create_ruleset(attr: &ruleset_attr, size: sizeof(ruleset_attr), flags: 0); |
563 | |
564 | ASSERT_LE(0, ruleset_fd); |
565 | |
566 | /* Tests access rights for files. */ |
567 | path_beneath_file.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC); |
568 | ASSERT_LE(0, path_beneath_file.parent_fd); |
569 | |
570 | /* Tests access rights for directories. */ |
571 | path_beneath_dir.parent_fd = |
572 | open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC); |
573 | ASSERT_LE(0, path_beneath_dir.parent_fd); |
574 | |
575 | for (access = 1; access <= ACCESS_LAST; access <<= 1) { |
576 | path_beneath_dir.allowed_access = access; |
577 | ASSERT_EQ(0, landlock_add_rule(ruleset_fd, |
578 | LANDLOCK_RULE_PATH_BENEATH, |
579 | &path_beneath_dir, 0)); |
580 | |
581 | path_beneath_file.allowed_access = access; |
582 | err = landlock_add_rule(ruleset_fd, rule_type: LANDLOCK_RULE_PATH_BENEATH, |
583 | rule_attr: &path_beneath_file, flags: 0); |
584 | if (access & ACCESS_FILE) { |
585 | ASSERT_EQ(0, err); |
586 | } else { |
587 | ASSERT_EQ(-1, err); |
588 | ASSERT_EQ(EINVAL, errno); |
589 | } |
590 | } |
591 | ASSERT_EQ(0, close(path_beneath_file.parent_fd)); |
592 | ASSERT_EQ(0, close(path_beneath_dir.parent_fd)); |
593 | ASSERT_EQ(0, close(ruleset_fd)); |
594 | } |
595 | |
596 | TEST_F_FORK(layout0, ruleset_with_unknown_access) |
597 | { |
598 | __u64 access_mask; |
599 | |
600 | for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST; |
601 | access_mask >>= 1) { |
602 | struct landlock_ruleset_attr ruleset_attr = { |
603 | .handled_access_fs = access_mask, |
604 | }; |
605 | |
606 | ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, |
607 | sizeof(ruleset_attr), 0)); |
608 | ASSERT_EQ(EINVAL, errno); |
609 | } |
610 | } |
611 | |
612 | TEST_F_FORK(layout0, rule_with_unknown_access) |
613 | { |
614 | __u64 access; |
615 | struct landlock_path_beneath_attr path_beneath = {}; |
616 | const struct landlock_ruleset_attr ruleset_attr = { |
617 | .handled_access_fs = ACCESS_ALL, |
618 | }; |
619 | const int ruleset_fd = |
620 | landlock_create_ruleset(attr: &ruleset_attr, size: sizeof(ruleset_attr), flags: 0); |
621 | |
622 | ASSERT_LE(0, ruleset_fd); |
623 | |
624 | path_beneath.parent_fd = |
625 | open(TMP_DIR, O_PATH | O_DIRECTORY | O_CLOEXEC); |
626 | ASSERT_LE(0, path_beneath.parent_fd); |
627 | |
628 | for (access = 1ULL << 63; access != ACCESS_LAST; access >>= 1) { |
629 | path_beneath.allowed_access = access; |
630 | EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, |
631 | LANDLOCK_RULE_PATH_BENEATH, |
632 | &path_beneath, 0)); |
633 | EXPECT_EQ(EINVAL, errno); |
634 | } |
635 | ASSERT_EQ(0, close(path_beneath.parent_fd)); |
636 | ASSERT_EQ(0, close(ruleset_fd)); |
637 | } |
638 | |
639 | TEST_F_FORK(layout1, rule_with_unhandled_access) |
640 | { |
641 | struct landlock_ruleset_attr ruleset_attr = { |
642 | .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE, |
643 | }; |
644 | struct landlock_path_beneath_attr path_beneath = {}; |
645 | int ruleset_fd; |
646 | __u64 access; |
647 | |
648 | ruleset_fd = |
649 | landlock_create_ruleset(attr: &ruleset_attr, size: sizeof(ruleset_attr), flags: 0); |
650 | ASSERT_LE(0, ruleset_fd); |
651 | |
652 | path_beneath.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC); |
653 | ASSERT_LE(0, path_beneath.parent_fd); |
654 | |
655 | for (access = 1; access > 0; access <<= 1) { |
656 | int err; |
657 | |
658 | path_beneath.allowed_access = access; |
659 | err = landlock_add_rule(ruleset_fd, rule_type: LANDLOCK_RULE_PATH_BENEATH, |
660 | rule_attr: &path_beneath, flags: 0); |
661 | if (access == ruleset_attr.handled_access_fs) { |
662 | EXPECT_EQ(0, err); |
663 | } else { |
664 | EXPECT_EQ(-1, err); |
665 | EXPECT_EQ(EINVAL, errno); |
666 | } |
667 | } |
668 | |
669 | EXPECT_EQ(0, close(path_beneath.parent_fd)); |
670 | EXPECT_EQ(0, close(ruleset_fd)); |
671 | } |
672 | |
673 | static void add_path_beneath(struct __test_metadata *const _metadata, |
674 | const int ruleset_fd, const __u64 allowed_access, |
675 | const char *const path) |
676 | { |
677 | struct landlock_path_beneath_attr path_beneath = { |
678 | .allowed_access = allowed_access, |
679 | }; |
680 | |
681 | path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC); |
682 | ASSERT_LE(0, path_beneath.parent_fd) |
683 | { |
684 | TH_LOG("Failed to open directory \"%s\": %s" , path, |
685 | strerror(errno)); |
686 | } |
687 | ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
688 | &path_beneath, 0)) |
689 | { |
690 | TH_LOG("Failed to update the ruleset with \"%s\": %s" , path, |
691 | strerror(errno)); |
692 | } |
693 | ASSERT_EQ(0, close(path_beneath.parent_fd)); |
694 | } |
695 | |
696 | struct rule { |
697 | const char *path; |
698 | __u64 access; |
699 | }; |
700 | |
701 | /* clang-format off */ |
702 | |
703 | #define ACCESS_RO ( \ |
704 | LANDLOCK_ACCESS_FS_READ_FILE | \ |
705 | LANDLOCK_ACCESS_FS_READ_DIR) |
706 | |
707 | #define ACCESS_RW ( \ |
708 | ACCESS_RO | \ |
709 | LANDLOCK_ACCESS_FS_WRITE_FILE) |
710 | |
711 | /* clang-format on */ |
712 | |
713 | static int create_ruleset(struct __test_metadata *const _metadata, |
714 | const __u64 handled_access_fs, |
715 | const struct rule rules[]) |
716 | { |
717 | int ruleset_fd, i; |
718 | struct landlock_ruleset_attr ruleset_attr = { |
719 | .handled_access_fs = handled_access_fs, |
720 | }; |
721 | |
722 | ASSERT_NE(NULL, rules) |
723 | { |
724 | TH_LOG("No rule list" ); |
725 | } |
726 | ASSERT_NE(NULL, rules[0].path) |
727 | { |
728 | TH_LOG("Empty rule list" ); |
729 | } |
730 | |
731 | ruleset_fd = |
732 | landlock_create_ruleset(attr: &ruleset_attr, size: sizeof(ruleset_attr), flags: 0); |
733 | ASSERT_LE(0, ruleset_fd) |
734 | { |
735 | TH_LOG("Failed to create a ruleset: %s" , strerror(errno)); |
736 | } |
737 | |
738 | for (i = 0; rules[i].path; i++) { |
739 | add_path_beneath(_metadata, ruleset_fd, allowed_access: rules[i].access, |
740 | path: rules[i].path); |
741 | } |
742 | return ruleset_fd; |
743 | } |
744 | |
745 | TEST_F_FORK(layout0, proc_nsfs) |
746 | { |
747 | const struct rule rules[] = { |
748 | { |
749 | .path = "/dev/null" , |
750 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
751 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
752 | }, |
753 | {}, |
754 | }; |
755 | struct landlock_path_beneath_attr path_beneath; |
756 | const int ruleset_fd = create_ruleset( |
757 | _metadata, handled_access_fs: rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR, |
758 | rules); |
759 | |
760 | ASSERT_LE(0, ruleset_fd); |
761 | ASSERT_EQ(0, test_open("/proc/self/ns/mnt" , O_RDONLY)); |
762 | |
763 | enforce_ruleset(_metadata, ruleset_fd); |
764 | |
765 | ASSERT_EQ(EACCES, test_open("/" , O_RDONLY)); |
766 | ASSERT_EQ(EACCES, test_open("/dev" , O_RDONLY)); |
767 | ASSERT_EQ(0, test_open("/dev/null" , O_RDONLY)); |
768 | ASSERT_EQ(EACCES, test_open("/dev/full" , O_RDONLY)); |
769 | |
770 | ASSERT_EQ(EACCES, test_open("/proc" , O_RDONLY)); |
771 | ASSERT_EQ(EACCES, test_open("/proc/self" , O_RDONLY)); |
772 | ASSERT_EQ(EACCES, test_open("/proc/self/ns" , O_RDONLY)); |
773 | /* |
774 | * Because nsfs is an internal filesystem, /proc/self/ns/mnt is a |
775 | * disconnected path. Such path cannot be identified and must then be |
776 | * allowed. |
777 | */ |
778 | ASSERT_EQ(0, test_open("/proc/self/ns/mnt" , O_RDONLY)); |
779 | |
780 | /* |
781 | * Checks that it is not possible to add nsfs-like filesystem |
782 | * references to a ruleset. |
783 | */ |
784 | path_beneath.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | |
785 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
786 | path_beneath.parent_fd = open("/proc/self/ns/mnt" , O_PATH | O_CLOEXEC); |
787 | ASSERT_LE(0, path_beneath.parent_fd); |
788 | ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, |
789 | &path_beneath, 0)); |
790 | ASSERT_EQ(EBADFD, errno); |
791 | ASSERT_EQ(0, close(path_beneath.parent_fd)); |
792 | } |
793 | |
794 | TEST_F_FORK(layout0, unpriv) |
795 | { |
796 | const struct rule rules[] = { |
797 | { |
798 | .path = TMP_DIR, |
799 | .access = ACCESS_RO, |
800 | }, |
801 | {}, |
802 | }; |
803 | int ruleset_fd; |
804 | |
805 | drop_caps(_metadata); |
806 | |
807 | ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules); |
808 | ASSERT_LE(0, ruleset_fd); |
809 | ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0)); |
810 | ASSERT_EQ(EPERM, errno); |
811 | |
812 | /* enforce_ruleset() calls prctl(no_new_privs). */ |
813 | enforce_ruleset(_metadata, ruleset_fd); |
814 | ASSERT_EQ(0, close(ruleset_fd)); |
815 | } |
816 | |
817 | TEST_F_FORK(layout1, effective_access) |
818 | { |
819 | const struct rule rules[] = { |
820 | { |
821 | .path = dir_s1d2, |
822 | .access = ACCESS_RO, |
823 | }, |
824 | { |
825 | .path = file1_s2d2, |
826 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
827 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
828 | }, |
829 | {}, |
830 | }; |
831 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
832 | char buf; |
833 | int reg_fd; |
834 | |
835 | ASSERT_LE(0, ruleset_fd); |
836 | enforce_ruleset(_metadata, ruleset_fd); |
837 | ASSERT_EQ(0, close(ruleset_fd)); |
838 | |
839 | /* Tests on a directory (with or without O_PATH). */ |
840 | ASSERT_EQ(EACCES, test_open("/" , O_RDONLY)); |
841 | ASSERT_EQ(0, test_open("/" , O_RDONLY | O_PATH)); |
842 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); |
843 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_PATH)); |
844 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); |
845 | ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY | O_PATH)); |
846 | |
847 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); |
848 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
849 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); |
850 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
851 | |
852 | /* Tests on a file (with or without O_PATH). */ |
853 | ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY)); |
854 | ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_PATH)); |
855 | |
856 | ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY)); |
857 | |
858 | /* Checks effective read and write actions. */ |
859 | reg_fd = open(file1_s2d2, O_RDWR | O_CLOEXEC); |
860 | ASSERT_LE(0, reg_fd); |
861 | ASSERT_EQ(1, write(reg_fd, "." , 1)); |
862 | ASSERT_LE(0, lseek(reg_fd, 0, SEEK_SET)); |
863 | ASSERT_EQ(1, read(reg_fd, &buf, 1)); |
864 | ASSERT_EQ('.', buf); |
865 | ASSERT_EQ(0, close(reg_fd)); |
866 | |
867 | /* Just in case, double-checks effective actions. */ |
868 | reg_fd = open(file1_s2d2, O_RDONLY | O_CLOEXEC); |
869 | ASSERT_LE(0, reg_fd); |
870 | ASSERT_EQ(-1, write(reg_fd, &buf, 1)); |
871 | ASSERT_EQ(EBADF, errno); |
872 | ASSERT_EQ(0, close(reg_fd)); |
873 | } |
874 | |
875 | TEST_F_FORK(layout1, unhandled_access) |
876 | { |
877 | const struct rule rules[] = { |
878 | { |
879 | .path = dir_s1d2, |
880 | .access = ACCESS_RO, |
881 | }, |
882 | {}, |
883 | }; |
884 | /* Here, we only handle read accesses, not write accesses. */ |
885 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules); |
886 | |
887 | ASSERT_LE(0, ruleset_fd); |
888 | enforce_ruleset(_metadata, ruleset_fd); |
889 | ASSERT_EQ(0, close(ruleset_fd)); |
890 | |
891 | /* |
892 | * Because the policy does not handle LANDLOCK_ACCESS_FS_WRITE_FILE, |
893 | * opening for write-only should be allowed, but not read-write. |
894 | */ |
895 | ASSERT_EQ(0, test_open(file1_s1d1, O_WRONLY)); |
896 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); |
897 | |
898 | ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY)); |
899 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR)); |
900 | } |
901 | |
902 | TEST_F_FORK(layout1, ruleset_overlap) |
903 | { |
904 | const struct rule rules[] = { |
905 | /* These rules should be ORed among them. */ |
906 | { |
907 | .path = dir_s1d2, |
908 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
909 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
910 | }, |
911 | { |
912 | .path = dir_s1d2, |
913 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
914 | LANDLOCK_ACCESS_FS_READ_DIR, |
915 | }, |
916 | {}, |
917 | }; |
918 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
919 | |
920 | ASSERT_LE(0, ruleset_fd); |
921 | enforce_ruleset(_metadata, ruleset_fd); |
922 | ASSERT_EQ(0, close(ruleset_fd)); |
923 | |
924 | /* Checks s1d1 hierarchy. */ |
925 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); |
926 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
927 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); |
928 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
929 | |
930 | /* Checks s1d2 hierarchy. */ |
931 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
932 | ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY)); |
933 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR)); |
934 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
935 | |
936 | /* Checks s1d3 hierarchy. */ |
937 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
938 | ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY)); |
939 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); |
940 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); |
941 | } |
942 | |
943 | TEST_F_FORK(layout1, layer_rule_unions) |
944 | { |
945 | const struct rule layer1[] = { |
946 | { |
947 | .path = dir_s1d2, |
948 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
949 | }, |
950 | /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */ |
951 | { |
952 | .path = dir_s1d3, |
953 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
954 | }, |
955 | {}, |
956 | }; |
957 | const struct rule layer2[] = { |
958 | /* Doesn't change anything from layer1. */ |
959 | { |
960 | .path = dir_s1d2, |
961 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
962 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
963 | }, |
964 | {}, |
965 | }; |
966 | const struct rule layer3[] = { |
967 | /* Only allows write (but not read) to dir_s1d3. */ |
968 | { |
969 | .path = dir_s1d2, |
970 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
971 | }, |
972 | {}, |
973 | }; |
974 | int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer1); |
975 | |
976 | ASSERT_LE(0, ruleset_fd); |
977 | enforce_ruleset(_metadata, ruleset_fd); |
978 | ASSERT_EQ(0, close(ruleset_fd)); |
979 | |
980 | /* Checks s1d1 hierarchy with layer1. */ |
981 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); |
982 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
983 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); |
984 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
985 | |
986 | /* Checks s1d2 hierarchy with layer1. */ |
987 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
988 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
989 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR)); |
990 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
991 | |
992 | /* Checks s1d3 hierarchy with layer1. */ |
993 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
994 | ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY)); |
995 | /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */ |
996 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); |
997 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
998 | |
999 | /* Doesn't change anything from layer1. */ |
1000 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer2); |
1001 | ASSERT_LE(0, ruleset_fd); |
1002 | enforce_ruleset(_metadata, ruleset_fd); |
1003 | ASSERT_EQ(0, close(ruleset_fd)); |
1004 | |
1005 | /* Checks s1d1 hierarchy with layer2. */ |
1006 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); |
1007 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
1008 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); |
1009 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1010 | |
1011 | /* Checks s1d2 hierarchy with layer2. */ |
1012 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
1013 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
1014 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR)); |
1015 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1016 | |
1017 | /* Checks s1d3 hierarchy with layer2. */ |
1018 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
1019 | ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY)); |
1020 | /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */ |
1021 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); |
1022 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1023 | |
1024 | /* Only allows write (but not read) to dir_s1d3. */ |
1025 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer3); |
1026 | ASSERT_LE(0, ruleset_fd); |
1027 | enforce_ruleset(_metadata, ruleset_fd); |
1028 | ASSERT_EQ(0, close(ruleset_fd)); |
1029 | |
1030 | /* Checks s1d1 hierarchy with layer3. */ |
1031 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); |
1032 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
1033 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); |
1034 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1035 | |
1036 | /* Checks s1d2 hierarchy with layer3. */ |
1037 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY)); |
1038 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
1039 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR)); |
1040 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1041 | |
1042 | /* Checks s1d3 hierarchy with layer3. */ |
1043 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY)); |
1044 | ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY)); |
1045 | /* dir_s1d3 should now deny READ_FILE and WRITE_FILE (O_RDWR). */ |
1046 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDWR)); |
1047 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1048 | } |
1049 | |
1050 | TEST_F_FORK(layout1, non_overlapping_accesses) |
1051 | { |
1052 | const struct rule layer1[] = { |
1053 | { |
1054 | .path = dir_s1d2, |
1055 | .access = LANDLOCK_ACCESS_FS_MAKE_REG, |
1056 | }, |
1057 | {}, |
1058 | }; |
1059 | const struct rule layer2[] = { |
1060 | { |
1061 | .path = dir_s1d3, |
1062 | .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, |
1063 | }, |
1064 | {}, |
1065 | }; |
1066 | int ruleset_fd; |
1067 | |
1068 | ASSERT_EQ(0, unlink(file1_s1d1)); |
1069 | ASSERT_EQ(0, unlink(file1_s1d2)); |
1070 | |
1071 | ruleset_fd = |
1072 | create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, rules: layer1); |
1073 | ASSERT_LE(0, ruleset_fd); |
1074 | enforce_ruleset(_metadata, ruleset_fd); |
1075 | ASSERT_EQ(0, close(ruleset_fd)); |
1076 | |
1077 | ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0)); |
1078 | ASSERT_EQ(EACCES, errno); |
1079 | ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0)); |
1080 | ASSERT_EQ(0, unlink(file1_s1d2)); |
1081 | |
1082 | ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REMOVE_FILE, |
1083 | rules: layer2); |
1084 | ASSERT_LE(0, ruleset_fd); |
1085 | enforce_ruleset(_metadata, ruleset_fd); |
1086 | ASSERT_EQ(0, close(ruleset_fd)); |
1087 | |
1088 | /* Unchanged accesses for file creation. */ |
1089 | ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0)); |
1090 | ASSERT_EQ(EACCES, errno); |
1091 | ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0)); |
1092 | |
1093 | /* Checks file removing. */ |
1094 | ASSERT_EQ(-1, unlink(file1_s1d2)); |
1095 | ASSERT_EQ(EACCES, errno); |
1096 | ASSERT_EQ(0, unlink(file1_s1d3)); |
1097 | } |
1098 | |
1099 | TEST_F_FORK(layout1, interleaved_masked_accesses) |
1100 | { |
1101 | /* |
1102 | * Checks overly restrictive rules: |
1103 | * layer 1: allows R s1d1/s1d2/s1d3/file1 |
1104 | * layer 2: allows RW s1d1/s1d2/s1d3 |
1105 | * allows W s1d1/s1d2 |
1106 | * denies R s1d1/s1d2 |
1107 | * layer 3: allows R s1d1 |
1108 | * layer 4: allows R s1d1/s1d2 |
1109 | * denies W s1d1/s1d2 |
1110 | * layer 5: allows R s1d1/s1d2 |
1111 | * layer 6: allows X ---- |
1112 | * layer 7: allows W s1d1/s1d2 |
1113 | * denies R s1d1/s1d2 |
1114 | */ |
1115 | const struct rule layer1_read[] = { |
1116 | /* Allows read access to file1_s1d3 with the first layer. */ |
1117 | { |
1118 | .path = file1_s1d3, |
1119 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
1120 | }, |
1121 | {}, |
1122 | }; |
1123 | /* First rule with write restrictions. */ |
1124 | const struct rule layer2_read_write[] = { |
1125 | /* Start by granting read-write access via its parent directory... */ |
1126 | { |
1127 | .path = dir_s1d3, |
1128 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
1129 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
1130 | }, |
1131 | /* ...but also denies read access via its grandparent directory. */ |
1132 | { |
1133 | .path = dir_s1d2, |
1134 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
1135 | }, |
1136 | {}, |
1137 | }; |
1138 | const struct rule layer3_read[] = { |
1139 | /* Allows read access via its great-grandparent directory. */ |
1140 | { |
1141 | .path = dir_s1d1, |
1142 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
1143 | }, |
1144 | {}, |
1145 | }; |
1146 | const struct rule layer4_read_write[] = { |
1147 | /* |
1148 | * Try to confuse the deny access by denying write (but not |
1149 | * read) access via its grandparent directory. |
1150 | */ |
1151 | { |
1152 | .path = dir_s1d2, |
1153 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
1154 | }, |
1155 | {}, |
1156 | }; |
1157 | const struct rule layer5_read[] = { |
1158 | /* |
1159 | * Try to override layer2's deny read access by explicitly |
1160 | * allowing read access via file1_s1d3's grandparent. |
1161 | */ |
1162 | { |
1163 | .path = dir_s1d2, |
1164 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
1165 | }, |
1166 | {}, |
1167 | }; |
1168 | const struct rule layer6_execute[] = { |
1169 | /* |
1170 | * Restricts an unrelated file hierarchy with a new access |
1171 | * (non-overlapping) type. |
1172 | */ |
1173 | { |
1174 | .path = dir_s2d1, |
1175 | .access = LANDLOCK_ACCESS_FS_EXECUTE, |
1176 | }, |
1177 | {}, |
1178 | }; |
1179 | const struct rule layer7_read_write[] = { |
1180 | /* |
1181 | * Finally, denies read access to file1_s1d3 via its |
1182 | * grandparent. |
1183 | */ |
1184 | { |
1185 | .path = dir_s1d2, |
1186 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
1187 | }, |
1188 | {}, |
1189 | }; |
1190 | int ruleset_fd; |
1191 | |
1192 | ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, |
1193 | rules: layer1_read); |
1194 | ASSERT_LE(0, ruleset_fd); |
1195 | enforce_ruleset(_metadata, ruleset_fd); |
1196 | ASSERT_EQ(0, close(ruleset_fd)); |
1197 | |
1198 | /* Checks that read access is granted for file1_s1d3 with layer 1. */ |
1199 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); |
1200 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); |
1201 | ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY)); |
1202 | |
1203 | ruleset_fd = create_ruleset(_metadata, |
1204 | LANDLOCK_ACCESS_FS_READ_FILE | |
1205 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
1206 | rules: layer2_read_write); |
1207 | ASSERT_LE(0, ruleset_fd); |
1208 | enforce_ruleset(_metadata, ruleset_fd); |
1209 | ASSERT_EQ(0, close(ruleset_fd)); |
1210 | |
1211 | /* Checks that previous access rights are unchanged with layer 2. */ |
1212 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); |
1213 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); |
1214 | ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY)); |
1215 | |
1216 | ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, |
1217 | rules: layer3_read); |
1218 | ASSERT_LE(0, ruleset_fd); |
1219 | enforce_ruleset(_metadata, ruleset_fd); |
1220 | ASSERT_EQ(0, close(ruleset_fd)); |
1221 | |
1222 | /* Checks that previous access rights are unchanged with layer 3. */ |
1223 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); |
1224 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); |
1225 | ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY)); |
1226 | |
1227 | /* This time, denies write access for the file hierarchy. */ |
1228 | ruleset_fd = create_ruleset(_metadata, |
1229 | LANDLOCK_ACCESS_FS_READ_FILE | |
1230 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
1231 | rules: layer4_read_write); |
1232 | ASSERT_LE(0, ruleset_fd); |
1233 | enforce_ruleset(_metadata, ruleset_fd); |
1234 | ASSERT_EQ(0, close(ruleset_fd)); |
1235 | |
1236 | /* |
1237 | * Checks that the only change with layer 4 is that write access is |
1238 | * denied. |
1239 | */ |
1240 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
1241 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
1242 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); |
1243 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY)); |
1244 | |
1245 | ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, |
1246 | rules: layer5_read); |
1247 | ASSERT_LE(0, ruleset_fd); |
1248 | enforce_ruleset(_metadata, ruleset_fd); |
1249 | ASSERT_EQ(0, close(ruleset_fd)); |
1250 | |
1251 | /* Checks that previous access rights are unchanged with layer 5. */ |
1252 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
1253 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
1254 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY)); |
1255 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); |
1256 | |
1257 | ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_EXECUTE, |
1258 | rules: layer6_execute); |
1259 | ASSERT_LE(0, ruleset_fd); |
1260 | enforce_ruleset(_metadata, ruleset_fd); |
1261 | ASSERT_EQ(0, close(ruleset_fd)); |
1262 | |
1263 | /* Checks that previous access rights are unchanged with layer 6. */ |
1264 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
1265 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
1266 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY)); |
1267 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); |
1268 | |
1269 | ruleset_fd = create_ruleset(_metadata, |
1270 | LANDLOCK_ACCESS_FS_READ_FILE | |
1271 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
1272 | rules: layer7_read_write); |
1273 | ASSERT_LE(0, ruleset_fd); |
1274 | enforce_ruleset(_metadata, ruleset_fd); |
1275 | ASSERT_EQ(0, close(ruleset_fd)); |
1276 | |
1277 | /* Checks read access is now denied with layer 7. */ |
1278 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY)); |
1279 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
1280 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY)); |
1281 | ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); |
1282 | } |
1283 | |
1284 | TEST_F_FORK(layout1, inherit_subset) |
1285 | { |
1286 | const struct rule rules[] = { |
1287 | { |
1288 | .path = dir_s1d2, |
1289 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
1290 | LANDLOCK_ACCESS_FS_READ_DIR, |
1291 | }, |
1292 | {}, |
1293 | }; |
1294 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1295 | |
1296 | ASSERT_LE(0, ruleset_fd); |
1297 | enforce_ruleset(_metadata, ruleset_fd); |
1298 | |
1299 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
1300 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1301 | |
1302 | /* Write access is forbidden. */ |
1303 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
1304 | /* Readdir access is allowed. */ |
1305 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
1306 | |
1307 | /* Write access is forbidden. */ |
1308 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
1309 | /* Readdir access is allowed. */ |
1310 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); |
1311 | |
1312 | /* |
1313 | * Tests shared rule extension: the following rules should not grant |
1314 | * any new access, only remove some. Once enforced, these rules are |
1315 | * ANDed with the previous ones. |
1316 | */ |
1317 | add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE, |
1318 | path: dir_s1d2); |
1319 | /* |
1320 | * According to ruleset_fd, dir_s1d2 should now have the |
1321 | * LANDLOCK_ACCESS_FS_READ_FILE and LANDLOCK_ACCESS_FS_WRITE_FILE |
1322 | * access rights (even if this directory is opened a second time). |
1323 | * However, when enforcing this updated ruleset, the ruleset tied to |
1324 | * the current process (i.e. its domain) will still only have the |
1325 | * dir_s1d2 with LANDLOCK_ACCESS_FS_READ_FILE and |
1326 | * LANDLOCK_ACCESS_FS_READ_DIR accesses, but |
1327 | * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would |
1328 | * be a privilege escalation. |
1329 | */ |
1330 | enforce_ruleset(_metadata, ruleset_fd); |
1331 | |
1332 | /* Same tests and results as above. */ |
1333 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
1334 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1335 | |
1336 | /* It is still forbidden to write in file1_s1d2. */ |
1337 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
1338 | /* Readdir access is still allowed. */ |
1339 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
1340 | |
1341 | /* It is still forbidden to write in file1_s1d3. */ |
1342 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
1343 | /* Readdir access is still allowed. */ |
1344 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); |
1345 | |
1346 | /* |
1347 | * Try to get more privileges by adding new access rights to the parent |
1348 | * directory: dir_s1d1. |
1349 | */ |
1350 | add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, path: dir_s1d1); |
1351 | enforce_ruleset(_metadata, ruleset_fd); |
1352 | |
1353 | /* Same tests and results as above. */ |
1354 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
1355 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1356 | |
1357 | /* It is still forbidden to write in file1_s1d2. */ |
1358 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
1359 | /* Readdir access is still allowed. */ |
1360 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
1361 | |
1362 | /* It is still forbidden to write in file1_s1d3. */ |
1363 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
1364 | /* Readdir access is still allowed. */ |
1365 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); |
1366 | |
1367 | /* |
1368 | * Now, dir_s1d3 get a new rule tied to it, only allowing |
1369 | * LANDLOCK_ACCESS_FS_WRITE_FILE. The (kernel internal) difference is |
1370 | * that there was no rule tied to it before. |
1371 | */ |
1372 | add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE, |
1373 | path: dir_s1d3); |
1374 | enforce_ruleset(_metadata, ruleset_fd); |
1375 | ASSERT_EQ(0, close(ruleset_fd)); |
1376 | |
1377 | /* |
1378 | * Same tests and results as above, except for open(dir_s1d3) which is |
1379 | * now denied because the new rule mask the rule previously inherited |
1380 | * from dir_s1d2. |
1381 | */ |
1382 | |
1383 | /* Same tests and results as above. */ |
1384 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
1385 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
1386 | |
1387 | /* It is still forbidden to write in file1_s1d2. */ |
1388 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
1389 | /* Readdir access is still allowed. */ |
1390 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
1391 | |
1392 | /* It is still forbidden to write in file1_s1d3. */ |
1393 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
1394 | /* |
1395 | * Readdir of dir_s1d3 is still allowed because of the OR policy inside |
1396 | * the same layer. |
1397 | */ |
1398 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); |
1399 | } |
1400 | |
1401 | TEST_F_FORK(layout1, inherit_superset) |
1402 | { |
1403 | const struct rule rules[] = { |
1404 | { |
1405 | .path = dir_s1d3, |
1406 | .access = ACCESS_RO, |
1407 | }, |
1408 | {}, |
1409 | }; |
1410 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1411 | |
1412 | ASSERT_LE(0, ruleset_fd); |
1413 | enforce_ruleset(_metadata, ruleset_fd); |
1414 | |
1415 | /* Readdir access is denied for dir_s1d2. */ |
1416 | ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
1417 | /* Readdir access is allowed for dir_s1d3. */ |
1418 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); |
1419 | /* File access is allowed for file1_s1d3. */ |
1420 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
1421 | |
1422 | /* Now dir_s1d2, parent of dir_s1d3, gets a new rule tied to it. */ |
1423 | add_path_beneath(_metadata, ruleset_fd, |
1424 | LANDLOCK_ACCESS_FS_READ_FILE | |
1425 | LANDLOCK_ACCESS_FS_READ_DIR, |
1426 | path: dir_s1d2); |
1427 | enforce_ruleset(_metadata, ruleset_fd); |
1428 | ASSERT_EQ(0, close(ruleset_fd)); |
1429 | |
1430 | /* Readdir access is still denied for dir_s1d2. */ |
1431 | ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
1432 | /* Readdir access is still allowed for dir_s1d3. */ |
1433 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); |
1434 | /* File access is still allowed for file1_s1d3. */ |
1435 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
1436 | } |
1437 | |
1438 | TEST_F_FORK(layout0, max_layers) |
1439 | { |
1440 | int i, err; |
1441 | const struct rule rules[] = { |
1442 | { |
1443 | .path = TMP_DIR, |
1444 | .access = ACCESS_RO, |
1445 | }, |
1446 | {}, |
1447 | }; |
1448 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1449 | |
1450 | ASSERT_LE(0, ruleset_fd); |
1451 | for (i = 0; i < 16; i++) |
1452 | enforce_ruleset(_metadata, ruleset_fd); |
1453 | |
1454 | for (i = 0; i < 2; i++) { |
1455 | err = landlock_restrict_self(ruleset_fd, flags: 0); |
1456 | ASSERT_EQ(-1, err); |
1457 | ASSERT_EQ(E2BIG, errno); |
1458 | } |
1459 | ASSERT_EQ(0, close(ruleset_fd)); |
1460 | } |
1461 | |
1462 | TEST_F_FORK(layout1, empty_or_same_ruleset) |
1463 | { |
1464 | struct landlock_ruleset_attr ruleset_attr = {}; |
1465 | int ruleset_fd; |
1466 | |
1467 | /* Tests empty handled_access_fs. */ |
1468 | ruleset_fd = |
1469 | landlock_create_ruleset(attr: &ruleset_attr, size: sizeof(ruleset_attr), flags: 0); |
1470 | ASSERT_LE(-1, ruleset_fd); |
1471 | ASSERT_EQ(ENOMSG, errno); |
1472 | |
1473 | /* Enforces policy which deny read access to all files. */ |
1474 | ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE; |
1475 | ruleset_fd = |
1476 | landlock_create_ruleset(attr: &ruleset_attr, size: sizeof(ruleset_attr), flags: 0); |
1477 | ASSERT_LE(0, ruleset_fd); |
1478 | enforce_ruleset(_metadata, ruleset_fd); |
1479 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); |
1480 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); |
1481 | |
1482 | /* Nests a policy which deny read access to all directories. */ |
1483 | ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR; |
1484 | ruleset_fd = |
1485 | landlock_create_ruleset(attr: &ruleset_attr, size: sizeof(ruleset_attr), flags: 0); |
1486 | ASSERT_LE(0, ruleset_fd); |
1487 | enforce_ruleset(_metadata, ruleset_fd); |
1488 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); |
1489 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); |
1490 | |
1491 | /* Enforces a second time with the same ruleset. */ |
1492 | enforce_ruleset(_metadata, ruleset_fd); |
1493 | ASSERT_EQ(0, close(ruleset_fd)); |
1494 | } |
1495 | |
1496 | TEST_F_FORK(layout1, rule_on_mountpoint) |
1497 | { |
1498 | const struct rule rules[] = { |
1499 | { |
1500 | .path = dir_s1d1, |
1501 | .access = ACCESS_RO, |
1502 | }, |
1503 | { |
1504 | /* dir_s3d2 is a mount point. */ |
1505 | .path = dir_s3d2, |
1506 | .access = ACCESS_RO, |
1507 | }, |
1508 | {}, |
1509 | }; |
1510 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1511 | |
1512 | ASSERT_LE(0, ruleset_fd); |
1513 | enforce_ruleset(_metadata, ruleset_fd); |
1514 | ASSERT_EQ(0, close(ruleset_fd)); |
1515 | |
1516 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); |
1517 | |
1518 | ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY)); |
1519 | |
1520 | ASSERT_EQ(EACCES, test_open(dir_s3d1, O_RDONLY)); |
1521 | ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY)); |
1522 | ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY)); |
1523 | } |
1524 | |
1525 | TEST_F_FORK(layout1, rule_over_mountpoint) |
1526 | { |
1527 | const struct rule rules[] = { |
1528 | { |
1529 | .path = dir_s1d1, |
1530 | .access = ACCESS_RO, |
1531 | }, |
1532 | { |
1533 | /* dir_s3d2 is a mount point. */ |
1534 | .path = dir_s3d1, |
1535 | .access = ACCESS_RO, |
1536 | }, |
1537 | {}, |
1538 | }; |
1539 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1540 | |
1541 | ASSERT_LE(0, ruleset_fd); |
1542 | enforce_ruleset(_metadata, ruleset_fd); |
1543 | ASSERT_EQ(0, close(ruleset_fd)); |
1544 | |
1545 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); |
1546 | |
1547 | ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY)); |
1548 | |
1549 | ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY)); |
1550 | ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY)); |
1551 | ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY)); |
1552 | } |
1553 | |
1554 | /* |
1555 | * This test verifies that we can apply a landlock rule on the root directory |
1556 | * (which might require special handling). |
1557 | */ |
1558 | TEST_F_FORK(layout1, rule_over_root_allow_then_deny) |
1559 | { |
1560 | struct rule rules[] = { |
1561 | { |
1562 | .path = "/" , |
1563 | .access = ACCESS_RO, |
1564 | }, |
1565 | {}, |
1566 | }; |
1567 | int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1568 | |
1569 | ASSERT_LE(0, ruleset_fd); |
1570 | enforce_ruleset(_metadata, ruleset_fd); |
1571 | ASSERT_EQ(0, close(ruleset_fd)); |
1572 | |
1573 | /* Checks allowed access. */ |
1574 | ASSERT_EQ(0, test_open("/" , O_RDONLY)); |
1575 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); |
1576 | |
1577 | rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE; |
1578 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1579 | ASSERT_LE(0, ruleset_fd); |
1580 | enforce_ruleset(_metadata, ruleset_fd); |
1581 | ASSERT_EQ(0, close(ruleset_fd)); |
1582 | |
1583 | /* Checks denied access (on a directory). */ |
1584 | ASSERT_EQ(EACCES, test_open("/" , O_RDONLY)); |
1585 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); |
1586 | } |
1587 | |
1588 | TEST_F_FORK(layout1, rule_over_root_deny) |
1589 | { |
1590 | const struct rule rules[] = { |
1591 | { |
1592 | .path = "/" , |
1593 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
1594 | }, |
1595 | {}, |
1596 | }; |
1597 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1598 | |
1599 | ASSERT_LE(0, ruleset_fd); |
1600 | enforce_ruleset(_metadata, ruleset_fd); |
1601 | ASSERT_EQ(0, close(ruleset_fd)); |
1602 | |
1603 | /* Checks denied access (on a directory). */ |
1604 | ASSERT_EQ(EACCES, test_open("/" , O_RDONLY)); |
1605 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); |
1606 | } |
1607 | |
1608 | TEST_F_FORK(layout1, rule_inside_mount_ns) |
1609 | { |
1610 | const struct rule rules[] = { |
1611 | { |
1612 | .path = "s3d3" , |
1613 | .access = ACCESS_RO, |
1614 | }, |
1615 | {}, |
1616 | }; |
1617 | int ruleset_fd; |
1618 | |
1619 | set_cap(_metadata, CAP_SYS_ADMIN); |
1620 | ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)) |
1621 | { |
1622 | TH_LOG("Failed to pivot root: %s" , strerror(errno)); |
1623 | }; |
1624 | ASSERT_EQ(0, chdir("/" )); |
1625 | clear_cap(_metadata, CAP_SYS_ADMIN); |
1626 | |
1627 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1628 | ASSERT_LE(0, ruleset_fd); |
1629 | enforce_ruleset(_metadata, ruleset_fd); |
1630 | ASSERT_EQ(0, close(ruleset_fd)); |
1631 | |
1632 | ASSERT_EQ(0, test_open("s3d3" , O_RDONLY)); |
1633 | ASSERT_EQ(EACCES, test_open("/" , O_RDONLY)); |
1634 | } |
1635 | |
1636 | TEST_F_FORK(layout1, mount_and_pivot) |
1637 | { |
1638 | const struct rule rules[] = { |
1639 | { |
1640 | .path = dir_s3d2, |
1641 | .access = ACCESS_RO, |
1642 | }, |
1643 | {}, |
1644 | }; |
1645 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1646 | |
1647 | ASSERT_LE(0, ruleset_fd); |
1648 | enforce_ruleset(_metadata, ruleset_fd); |
1649 | ASSERT_EQ(0, close(ruleset_fd)); |
1650 | |
1651 | set_cap(_metadata, CAP_SYS_ADMIN); |
1652 | ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL)); |
1653 | ASSERT_EQ(EPERM, errno); |
1654 | ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); |
1655 | ASSERT_EQ(EPERM, errno); |
1656 | clear_cap(_metadata, CAP_SYS_ADMIN); |
1657 | } |
1658 | |
1659 | TEST_F_FORK(layout1, move_mount) |
1660 | { |
1661 | const struct rule rules[] = { |
1662 | { |
1663 | .path = dir_s3d2, |
1664 | .access = ACCESS_RO, |
1665 | }, |
1666 | {}, |
1667 | }; |
1668 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1669 | |
1670 | ASSERT_LE(0, ruleset_fd); |
1671 | |
1672 | set_cap(_metadata, CAP_SYS_ADMIN); |
1673 | ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, |
1674 | dir_s1d2, 0)) |
1675 | { |
1676 | TH_LOG("Failed to move mount: %s" , strerror(errno)); |
1677 | } |
1678 | |
1679 | ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD, |
1680 | dir_s3d2, 0)); |
1681 | clear_cap(_metadata, CAP_SYS_ADMIN); |
1682 | |
1683 | enforce_ruleset(_metadata, ruleset_fd); |
1684 | ASSERT_EQ(0, close(ruleset_fd)); |
1685 | |
1686 | set_cap(_metadata, CAP_SYS_ADMIN); |
1687 | ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, |
1688 | dir_s1d2, 0)); |
1689 | ASSERT_EQ(EPERM, errno); |
1690 | clear_cap(_metadata, CAP_SYS_ADMIN); |
1691 | } |
1692 | |
1693 | TEST_F_FORK(layout1, topology_changes_with_net_only) |
1694 | { |
1695 | const struct landlock_ruleset_attr ruleset_net = { |
1696 | .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | |
1697 | LANDLOCK_ACCESS_NET_CONNECT_TCP, |
1698 | }; |
1699 | int ruleset_fd; |
1700 | |
1701 | /* Add network restrictions. */ |
1702 | ruleset_fd = |
1703 | landlock_create_ruleset(attr: &ruleset_net, size: sizeof(ruleset_net), flags: 0); |
1704 | ASSERT_LE(0, ruleset_fd); |
1705 | enforce_ruleset(_metadata, ruleset_fd); |
1706 | ASSERT_EQ(0, close(ruleset_fd)); |
1707 | |
1708 | /* Mount, remount, move_mount, umount, and pivot_root checks. */ |
1709 | set_cap(_metadata, CAP_SYS_ADMIN); |
1710 | ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s1d2)); |
1711 | ASSERT_EQ(0, mount(NULL, dir_s1d2, NULL, MS_PRIVATE | MS_REC, NULL)); |
1712 | ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD, |
1713 | dir_s2d2, 0)); |
1714 | ASSERT_EQ(0, umount(dir_s2d2)); |
1715 | ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); |
1716 | ASSERT_EQ(0, chdir("/" )); |
1717 | clear_cap(_metadata, CAP_SYS_ADMIN); |
1718 | } |
1719 | |
1720 | TEST_F_FORK(layout1, topology_changes_with_net_and_fs) |
1721 | { |
1722 | const struct landlock_ruleset_attr ruleset_net_fs = { |
1723 | .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | |
1724 | LANDLOCK_ACCESS_NET_CONNECT_TCP, |
1725 | .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE, |
1726 | }; |
1727 | int ruleset_fd; |
1728 | |
1729 | /* Add network and filesystem restrictions. */ |
1730 | ruleset_fd = landlock_create_ruleset(attr: &ruleset_net_fs, |
1731 | size: sizeof(ruleset_net_fs), flags: 0); |
1732 | ASSERT_LE(0, ruleset_fd); |
1733 | enforce_ruleset(_metadata, ruleset_fd); |
1734 | ASSERT_EQ(0, close(ruleset_fd)); |
1735 | |
1736 | /* Mount, remount, move_mount, umount, and pivot_root checks. */ |
1737 | set_cap(_metadata, CAP_SYS_ADMIN); |
1738 | ASSERT_EQ(-1, mount_opt(&mnt_tmp, dir_s1d2)); |
1739 | ASSERT_EQ(EPERM, errno); |
1740 | ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_PRIVATE | MS_REC, NULL)); |
1741 | ASSERT_EQ(EPERM, errno); |
1742 | ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, |
1743 | dir_s2d2, 0)); |
1744 | ASSERT_EQ(EPERM, errno); |
1745 | ASSERT_EQ(-1, umount(dir_s3d2)); |
1746 | ASSERT_EQ(EPERM, errno); |
1747 | ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); |
1748 | ASSERT_EQ(EPERM, errno); |
1749 | clear_cap(_metadata, CAP_SYS_ADMIN); |
1750 | } |
1751 | |
1752 | TEST_F_FORK(layout1, release_inodes) |
1753 | { |
1754 | const struct rule rules[] = { |
1755 | { |
1756 | .path = dir_s1d1, |
1757 | .access = ACCESS_RO, |
1758 | }, |
1759 | { |
1760 | .path = dir_s3d2, |
1761 | .access = ACCESS_RO, |
1762 | }, |
1763 | { |
1764 | .path = dir_s3d3, |
1765 | .access = ACCESS_RO, |
1766 | }, |
1767 | {}, |
1768 | }; |
1769 | const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); |
1770 | |
1771 | ASSERT_LE(0, ruleset_fd); |
1772 | /* Unmount a file hierarchy while it is being used by a ruleset. */ |
1773 | set_cap(_metadata, CAP_SYS_ADMIN); |
1774 | ASSERT_EQ(0, umount(dir_s3d2)); |
1775 | clear_cap(_metadata, CAP_SYS_ADMIN); |
1776 | |
1777 | enforce_ruleset(_metadata, ruleset_fd); |
1778 | ASSERT_EQ(0, close(ruleset_fd)); |
1779 | |
1780 | ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); |
1781 | ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY)); |
1782 | /* This dir_s3d3 would not be allowed and does not exist anyway. */ |
1783 | ASSERT_EQ(ENOENT, test_open(dir_s3d3, O_RDONLY)); |
1784 | } |
1785 | |
1786 | enum relative_access { |
1787 | REL_OPEN, |
1788 | REL_CHDIR, |
1789 | REL_CHROOT_ONLY, |
1790 | REL_CHROOT_CHDIR, |
1791 | }; |
1792 | |
1793 | static void test_relative_path(struct __test_metadata *const _metadata, |
1794 | const enum relative_access rel) |
1795 | { |
1796 | /* |
1797 | * Common layer to check that chroot doesn't ignore it (i.e. a chroot |
1798 | * is not a disconnected root directory). |
1799 | */ |
1800 | const struct rule layer1_base[] = { |
1801 | { |
1802 | .path = TMP_DIR, |
1803 | .access = ACCESS_RO, |
1804 | }, |
1805 | {}, |
1806 | }; |
1807 | const struct rule layer2_subs[] = { |
1808 | { |
1809 | .path = dir_s1d2, |
1810 | .access = ACCESS_RO, |
1811 | }, |
1812 | { |
1813 | .path = dir_s2d2, |
1814 | .access = ACCESS_RO, |
1815 | }, |
1816 | {}, |
1817 | }; |
1818 | int dirfd, ruleset_fd; |
1819 | |
1820 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer1_base); |
1821 | ASSERT_LE(0, ruleset_fd); |
1822 | enforce_ruleset(_metadata, ruleset_fd); |
1823 | ASSERT_EQ(0, close(ruleset_fd)); |
1824 | |
1825 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer2_subs); |
1826 | |
1827 | ASSERT_LE(0, ruleset_fd); |
1828 | switch (rel) { |
1829 | case REL_OPEN: |
1830 | case REL_CHDIR: |
1831 | break; |
1832 | case REL_CHROOT_ONLY: |
1833 | ASSERT_EQ(0, chdir(dir_s2d2)); |
1834 | break; |
1835 | case REL_CHROOT_CHDIR: |
1836 | ASSERT_EQ(0, chdir(dir_s1d2)); |
1837 | break; |
1838 | default: |
1839 | ASSERT_TRUE(false); |
1840 | return; |
1841 | } |
1842 | |
1843 | set_cap(_metadata, CAP_SYS_CHROOT); |
1844 | enforce_ruleset(_metadata, ruleset_fd); |
1845 | |
1846 | switch (rel) { |
1847 | case REL_OPEN: |
1848 | dirfd = open(dir_s1d2, O_DIRECTORY); |
1849 | ASSERT_LE(0, dirfd); |
1850 | break; |
1851 | case REL_CHDIR: |
1852 | ASSERT_EQ(0, chdir(dir_s1d2)); |
1853 | dirfd = AT_FDCWD; |
1854 | break; |
1855 | case REL_CHROOT_ONLY: |
1856 | /* Do chroot into dir_s1d2 (relative to dir_s2d2). */ |
1857 | ASSERT_EQ(0, chroot("../../s1d1/s1d2" )) |
1858 | { |
1859 | TH_LOG("Failed to chroot: %s" , strerror(errno)); |
1860 | } |
1861 | dirfd = AT_FDCWD; |
1862 | break; |
1863 | case REL_CHROOT_CHDIR: |
1864 | /* Do chroot into dir_s1d2. */ |
1865 | ASSERT_EQ(0, chroot("." )) |
1866 | { |
1867 | TH_LOG("Failed to chroot: %s" , strerror(errno)); |
1868 | } |
1869 | dirfd = AT_FDCWD; |
1870 | break; |
1871 | } |
1872 | |
1873 | ASSERT_EQ((rel == REL_CHROOT_CHDIR) ? 0 : EACCES, |
1874 | test_open_rel(dirfd, ".." , O_RDONLY)); |
1875 | ASSERT_EQ(0, test_open_rel(dirfd, "." , O_RDONLY)); |
1876 | |
1877 | if (rel == REL_CHROOT_ONLY) { |
1878 | /* The current directory is dir_s2d2. */ |
1879 | ASSERT_EQ(0, test_open_rel(dirfd, "./s2d3" , O_RDONLY)); |
1880 | } else { |
1881 | /* The current directory is dir_s1d2. */ |
1882 | ASSERT_EQ(0, test_open_rel(dirfd, "./s1d3" , O_RDONLY)); |
1883 | } |
1884 | |
1885 | if (rel == REL_CHROOT_ONLY || rel == REL_CHROOT_CHDIR) { |
1886 | /* Checks the root dir_s1d2. */ |
1887 | ASSERT_EQ(0, test_open_rel(dirfd, "/.." , O_RDONLY)); |
1888 | ASSERT_EQ(0, test_open_rel(dirfd, "/" , O_RDONLY)); |
1889 | ASSERT_EQ(0, test_open_rel(dirfd, "/f1" , O_RDONLY)); |
1890 | ASSERT_EQ(0, test_open_rel(dirfd, "/s1d3" , O_RDONLY)); |
1891 | } |
1892 | |
1893 | if (rel != REL_CHROOT_CHDIR) { |
1894 | ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s1d1" , O_RDONLY)); |
1895 | ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2" , O_RDONLY)); |
1896 | ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2/s1d3" , |
1897 | O_RDONLY)); |
1898 | |
1899 | ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s2d1" , O_RDONLY)); |
1900 | ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2" , O_RDONLY)); |
1901 | ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2/s2d3" , |
1902 | O_RDONLY)); |
1903 | } |
1904 | |
1905 | if (rel == REL_OPEN) |
1906 | ASSERT_EQ(0, close(dirfd)); |
1907 | ASSERT_EQ(0, close(ruleset_fd)); |
1908 | } |
1909 | |
1910 | TEST_F_FORK(layout1, relative_open) |
1911 | { |
1912 | test_relative_path(_metadata, rel: REL_OPEN); |
1913 | } |
1914 | |
1915 | TEST_F_FORK(layout1, relative_chdir) |
1916 | { |
1917 | test_relative_path(_metadata, rel: REL_CHDIR); |
1918 | } |
1919 | |
1920 | TEST_F_FORK(layout1, relative_chroot_only) |
1921 | { |
1922 | test_relative_path(_metadata, rel: REL_CHROOT_ONLY); |
1923 | } |
1924 | |
1925 | TEST_F_FORK(layout1, relative_chroot_chdir) |
1926 | { |
1927 | test_relative_path(_metadata, rel: REL_CHROOT_CHDIR); |
1928 | } |
1929 | |
1930 | static void copy_binary(struct __test_metadata *const _metadata, |
1931 | const char *const dst_path) |
1932 | { |
1933 | int dst_fd, src_fd; |
1934 | struct stat statbuf; |
1935 | |
1936 | dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC); |
1937 | ASSERT_LE(0, dst_fd) |
1938 | { |
1939 | TH_LOG("Failed to open \"%s\": %s" , dst_path, strerror(errno)); |
1940 | } |
1941 | src_fd = open(BINARY_PATH, O_RDONLY | O_CLOEXEC); |
1942 | ASSERT_LE(0, src_fd) |
1943 | { |
1944 | TH_LOG("Failed to open \"" BINARY_PATH "\": %s" , |
1945 | strerror(errno)); |
1946 | } |
1947 | ASSERT_EQ(0, fstat(src_fd, &statbuf)); |
1948 | ASSERT_EQ(statbuf.st_size, |
1949 | sendfile(dst_fd, src_fd, 0, statbuf.st_size)); |
1950 | ASSERT_EQ(0, close(src_fd)); |
1951 | ASSERT_EQ(0, close(dst_fd)); |
1952 | } |
1953 | |
1954 | static void test_execute(struct __test_metadata *const _metadata, const int err, |
1955 | const char *const path) |
1956 | { |
1957 | int status; |
1958 | char *const argv[] = { (char *)path, NULL }; |
1959 | const pid_t child = fork(); |
1960 | |
1961 | ASSERT_LE(0, child); |
1962 | if (child == 0) { |
1963 | ASSERT_EQ(err ? -1 : 0, execve(path, argv, NULL)) |
1964 | { |
1965 | TH_LOG("Failed to execute \"%s\": %s" , path, |
1966 | strerror(errno)); |
1967 | }; |
1968 | ASSERT_EQ(err, errno); |
1969 | _exit(__test_passed(metadata: _metadata) ? 2 : 1); |
1970 | return; |
1971 | } |
1972 | ASSERT_EQ(child, waitpid(child, &status, 0)); |
1973 | ASSERT_EQ(1, WIFEXITED(status)); |
1974 | ASSERT_EQ(err ? 2 : 0, WEXITSTATUS(status)) |
1975 | { |
1976 | TH_LOG("Unexpected return code for \"%s\": %s" , path, |
1977 | strerror(errno)); |
1978 | }; |
1979 | } |
1980 | |
1981 | TEST_F_FORK(layout1, execute) |
1982 | { |
1983 | const struct rule rules[] = { |
1984 | { |
1985 | .path = dir_s1d2, |
1986 | .access = LANDLOCK_ACCESS_FS_EXECUTE, |
1987 | }, |
1988 | {}, |
1989 | }; |
1990 | const int ruleset_fd = |
1991 | create_ruleset(_metadata, handled_access_fs: rules[0].access, rules); |
1992 | |
1993 | ASSERT_LE(0, ruleset_fd); |
1994 | copy_binary(_metadata, dst_path: file1_s1d1); |
1995 | copy_binary(_metadata, dst_path: file1_s1d2); |
1996 | copy_binary(_metadata, dst_path: file1_s1d3); |
1997 | |
1998 | enforce_ruleset(_metadata, ruleset_fd); |
1999 | ASSERT_EQ(0, close(ruleset_fd)); |
2000 | |
2001 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); |
2002 | ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); |
2003 | test_execute(_metadata, EACCES, file1_s1d1); |
2004 | |
2005 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); |
2006 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
2007 | test_execute(_metadata, err: 0, path: file1_s1d2); |
2008 | |
2009 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); |
2010 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
2011 | test_execute(_metadata, err: 0, path: file1_s1d3); |
2012 | } |
2013 | |
2014 | TEST_F_FORK(layout1, link) |
2015 | { |
2016 | const struct rule layer1[] = { |
2017 | { |
2018 | .path = dir_s1d2, |
2019 | .access = LANDLOCK_ACCESS_FS_MAKE_REG, |
2020 | }, |
2021 | {}, |
2022 | }; |
2023 | const struct rule layer2[] = { |
2024 | { |
2025 | .path = dir_s1d3, |
2026 | .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, |
2027 | }, |
2028 | {}, |
2029 | }; |
2030 | int ruleset_fd = create_ruleset(_metadata, handled_access_fs: layer1[0].access, rules: layer1); |
2031 | |
2032 | ASSERT_LE(0, ruleset_fd); |
2033 | |
2034 | ASSERT_EQ(0, unlink(file1_s1d1)); |
2035 | ASSERT_EQ(0, unlink(file1_s1d2)); |
2036 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2037 | |
2038 | enforce_ruleset(_metadata, ruleset_fd); |
2039 | ASSERT_EQ(0, close(ruleset_fd)); |
2040 | |
2041 | ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); |
2042 | ASSERT_EQ(EACCES, errno); |
2043 | |
2044 | /* Denies linking because of reparenting. */ |
2045 | ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2)); |
2046 | ASSERT_EQ(EXDEV, errno); |
2047 | ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3)); |
2048 | ASSERT_EQ(EXDEV, errno); |
2049 | ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2)); |
2050 | ASSERT_EQ(EXDEV, errno); |
2051 | |
2052 | ASSERT_EQ(0, link(file2_s1d2, file1_s1d2)); |
2053 | ASSERT_EQ(0, link(file2_s1d3, file1_s1d3)); |
2054 | |
2055 | /* Prepares for next unlinks. */ |
2056 | ASSERT_EQ(0, unlink(file2_s1d2)); |
2057 | ASSERT_EQ(0, unlink(file2_s1d3)); |
2058 | |
2059 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: layer2[0].access, rules: layer2); |
2060 | ASSERT_LE(0, ruleset_fd); |
2061 | enforce_ruleset(_metadata, ruleset_fd); |
2062 | ASSERT_EQ(0, close(ruleset_fd)); |
2063 | |
2064 | /* Checks that linkind doesn't require the ability to delete a file. */ |
2065 | ASSERT_EQ(0, link(file1_s1d2, file2_s1d2)); |
2066 | ASSERT_EQ(0, link(file1_s1d3, file2_s1d3)); |
2067 | } |
2068 | |
2069 | static int test_rename(const char *const oldpath, const char *const newpath) |
2070 | { |
2071 | if (rename(oldpath, newpath)) |
2072 | return errno; |
2073 | return 0; |
2074 | } |
2075 | |
2076 | static int test_exchange(const char *const oldpath, const char *const newpath) |
2077 | { |
2078 | if (renameat2(AT_FDCWD, oldpath, AT_FDCWD, newpath, RENAME_EXCHANGE)) |
2079 | return errno; |
2080 | return 0; |
2081 | } |
2082 | |
2083 | TEST_F_FORK(layout1, rename_file) |
2084 | { |
2085 | const struct rule rules[] = { |
2086 | { |
2087 | .path = dir_s1d3, |
2088 | .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, |
2089 | }, |
2090 | { |
2091 | .path = dir_s2d2, |
2092 | .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, |
2093 | }, |
2094 | {}, |
2095 | }; |
2096 | const int ruleset_fd = |
2097 | create_ruleset(_metadata, handled_access_fs: rules[0].access, rules); |
2098 | |
2099 | ASSERT_LE(0, ruleset_fd); |
2100 | |
2101 | ASSERT_EQ(0, unlink(file1_s1d2)); |
2102 | |
2103 | enforce_ruleset(_metadata, ruleset_fd); |
2104 | ASSERT_EQ(0, close(ruleset_fd)); |
2105 | |
2106 | /* |
2107 | * Tries to replace a file, from a directory that allows file removal, |
2108 | * but to a different directory (which also allows file removal). |
2109 | */ |
2110 | ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3)); |
2111 | ASSERT_EQ(EXDEV, errno); |
2112 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d3, |
2113 | RENAME_EXCHANGE)); |
2114 | ASSERT_EQ(EXDEV, errno); |
2115 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3, |
2116 | RENAME_EXCHANGE)); |
2117 | ASSERT_EQ(EXDEV, errno); |
2118 | |
2119 | /* |
2120 | * Tries to replace a file, from a directory that denies file removal, |
2121 | * to a different directory (which allows file removal). |
2122 | */ |
2123 | ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); |
2124 | ASSERT_EQ(EACCES, errno); |
2125 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3, |
2126 | RENAME_EXCHANGE)); |
2127 | ASSERT_EQ(EACCES, errno); |
2128 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3, |
2129 | RENAME_EXCHANGE)); |
2130 | ASSERT_EQ(EXDEV, errno); |
2131 | |
2132 | /* Exchanges files and directories that partially allow removal. */ |
2133 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1, |
2134 | RENAME_EXCHANGE)); |
2135 | ASSERT_EQ(EACCES, errno); |
2136 | /* Checks that file1_s2d1 cannot be removed (instead of ENOTDIR). */ |
2137 | ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1)); |
2138 | ASSERT_EQ(EACCES, errno); |
2139 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2, |
2140 | RENAME_EXCHANGE)); |
2141 | ASSERT_EQ(EACCES, errno); |
2142 | /* Checks that file1_s1d1 cannot be removed (instead of EISDIR). */ |
2143 | ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2)); |
2144 | ASSERT_EQ(EACCES, errno); |
2145 | |
2146 | /* Renames files with different parents. */ |
2147 | ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2)); |
2148 | ASSERT_EQ(EXDEV, errno); |
2149 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2150 | ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); |
2151 | ASSERT_EQ(EACCES, errno); |
2152 | |
2153 | /* Exchanges and renames files with same parent. */ |
2154 | ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3, |
2155 | RENAME_EXCHANGE)); |
2156 | ASSERT_EQ(0, rename(file2_s2d3, file1_s2d3)); |
2157 | |
2158 | /* Exchanges files and directories with same parent, twice. */ |
2159 | ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3, |
2160 | RENAME_EXCHANGE)); |
2161 | ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3, |
2162 | RENAME_EXCHANGE)); |
2163 | } |
2164 | |
2165 | TEST_F_FORK(layout1, rename_dir) |
2166 | { |
2167 | const struct rule rules[] = { |
2168 | { |
2169 | .path = dir_s1d2, |
2170 | .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, |
2171 | }, |
2172 | { |
2173 | .path = dir_s2d1, |
2174 | .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, |
2175 | }, |
2176 | {}, |
2177 | }; |
2178 | const int ruleset_fd = |
2179 | create_ruleset(_metadata, handled_access_fs: rules[0].access, rules); |
2180 | |
2181 | ASSERT_LE(0, ruleset_fd); |
2182 | |
2183 | /* Empties dir_s1d3 to allow renaming. */ |
2184 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2185 | ASSERT_EQ(0, unlink(file2_s1d3)); |
2186 | |
2187 | enforce_ruleset(_metadata, ruleset_fd); |
2188 | ASSERT_EQ(0, close(ruleset_fd)); |
2189 | |
2190 | /* Exchanges and renames directory to a different parent. */ |
2191 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3, |
2192 | RENAME_EXCHANGE)); |
2193 | ASSERT_EQ(EXDEV, errno); |
2194 | ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3)); |
2195 | ASSERT_EQ(EXDEV, errno); |
2196 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3, |
2197 | RENAME_EXCHANGE)); |
2198 | ASSERT_EQ(EXDEV, errno); |
2199 | |
2200 | /* |
2201 | * Exchanges directory to the same parent, which doesn't allow |
2202 | * directory removal. |
2203 | */ |
2204 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1, |
2205 | RENAME_EXCHANGE)); |
2206 | ASSERT_EQ(EACCES, errno); |
2207 | /* Checks that dir_s1d2 cannot be removed (instead of ENOTDIR). */ |
2208 | ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1)); |
2209 | ASSERT_EQ(EACCES, errno); |
2210 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2, |
2211 | RENAME_EXCHANGE)); |
2212 | ASSERT_EQ(EACCES, errno); |
2213 | /* Checks that dir_s1d2 cannot be removed (instead of EISDIR). */ |
2214 | ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2)); |
2215 | ASSERT_EQ(EACCES, errno); |
2216 | |
2217 | /* |
2218 | * Exchanges and renames directory to the same parent, which allows |
2219 | * directory removal. |
2220 | */ |
2221 | ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s1d2, |
2222 | RENAME_EXCHANGE)); |
2223 | ASSERT_EQ(0, unlink(dir_s1d3)); |
2224 | ASSERT_EQ(0, mkdir(dir_s1d3, 0700)); |
2225 | ASSERT_EQ(0, rename(file1_s1d2, dir_s1d3)); |
2226 | ASSERT_EQ(0, rmdir(dir_s1d3)); |
2227 | } |
2228 | |
2229 | TEST_F_FORK(layout1, reparent_refer) |
2230 | { |
2231 | const struct rule layer1[] = { |
2232 | { |
2233 | .path = dir_s1d2, |
2234 | .access = LANDLOCK_ACCESS_FS_REFER, |
2235 | }, |
2236 | { |
2237 | .path = dir_s2d2, |
2238 | .access = LANDLOCK_ACCESS_FS_REFER, |
2239 | }, |
2240 | {}, |
2241 | }; |
2242 | int ruleset_fd = |
2243 | create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, rules: layer1); |
2244 | |
2245 | ASSERT_LE(0, ruleset_fd); |
2246 | enforce_ruleset(_metadata, ruleset_fd); |
2247 | ASSERT_EQ(0, close(ruleset_fd)); |
2248 | |
2249 | ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d1)); |
2250 | ASSERT_EQ(EXDEV, errno); |
2251 | ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d2)); |
2252 | ASSERT_EQ(EXDEV, errno); |
2253 | ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3)); |
2254 | ASSERT_EQ(EXDEV, errno); |
2255 | |
2256 | ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d1)); |
2257 | ASSERT_EQ(EXDEV, errno); |
2258 | ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d2)); |
2259 | ASSERT_EQ(EXDEV, errno); |
2260 | /* |
2261 | * Moving should only be allowed when the source and the destination |
2262 | * parent directory have REFER. |
2263 | */ |
2264 | ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d3)); |
2265 | ASSERT_EQ(ENOTEMPTY, errno); |
2266 | ASSERT_EQ(0, unlink(file1_s2d3)); |
2267 | ASSERT_EQ(0, unlink(file2_s2d3)); |
2268 | ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3)); |
2269 | } |
2270 | |
2271 | /* Checks renames beneath dir_s1d1. */ |
2272 | static void refer_denied_by_default(struct __test_metadata *const _metadata, |
2273 | const struct rule layer1[], |
2274 | const int layer1_err, |
2275 | const struct rule layer2[]) |
2276 | { |
2277 | int ruleset_fd; |
2278 | |
2279 | ASSERT_EQ(0, unlink(file1_s1d2)); |
2280 | |
2281 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: layer1[0].access, rules: layer1); |
2282 | ASSERT_LE(0, ruleset_fd); |
2283 | enforce_ruleset(_metadata, ruleset_fd); |
2284 | ASSERT_EQ(0, close(ruleset_fd)); |
2285 | |
2286 | /* |
2287 | * If the first layer handles LANDLOCK_ACCESS_FS_REFER (according to |
2288 | * layer1_err), then it allows some different-parent renames and links. |
2289 | */ |
2290 | ASSERT_EQ(layer1_err, test_rename(file1_s1d1, file1_s1d2)); |
2291 | if (layer1_err == 0) |
2292 | ASSERT_EQ(layer1_err, test_rename(file1_s1d2, file1_s1d1)); |
2293 | ASSERT_EQ(layer1_err, test_exchange(file2_s1d1, file2_s1d2)); |
2294 | ASSERT_EQ(layer1_err, test_exchange(file2_s1d2, file2_s1d1)); |
2295 | |
2296 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: layer2[0].access, rules: layer2); |
2297 | ASSERT_LE(0, ruleset_fd); |
2298 | enforce_ruleset(_metadata, ruleset_fd); |
2299 | ASSERT_EQ(0, close(ruleset_fd)); |
2300 | |
2301 | /* |
2302 | * Now, either the first or the second layer does not handle |
2303 | * LANDLOCK_ACCESS_FS_REFER, which means that any different-parent |
2304 | * renames and links are denied, thus making the layer handling |
2305 | * LANDLOCK_ACCESS_FS_REFER null and void. |
2306 | */ |
2307 | ASSERT_EQ(EXDEV, test_rename(file1_s1d1, file1_s1d2)); |
2308 | ASSERT_EQ(EXDEV, test_exchange(file2_s1d1, file2_s1d2)); |
2309 | ASSERT_EQ(EXDEV, test_exchange(file2_s1d2, file2_s1d1)); |
2310 | } |
2311 | |
2312 | const struct rule layer_dir_s1d1_refer[] = { |
2313 | { |
2314 | .path = dir_s1d1, |
2315 | .access = LANDLOCK_ACCESS_FS_REFER, |
2316 | }, |
2317 | {}, |
2318 | }; |
2319 | |
2320 | const struct rule layer_dir_s1d1_execute[] = { |
2321 | { |
2322 | /* Matches a parent directory. */ |
2323 | .path = dir_s1d1, |
2324 | .access = LANDLOCK_ACCESS_FS_EXECUTE, |
2325 | }, |
2326 | {}, |
2327 | }; |
2328 | |
2329 | const struct rule layer_dir_s2d1_execute[] = { |
2330 | { |
2331 | /* Does not match a parent directory. */ |
2332 | .path = dir_s2d1, |
2333 | .access = LANDLOCK_ACCESS_FS_EXECUTE, |
2334 | }, |
2335 | {}, |
2336 | }; |
2337 | |
2338 | /* |
2339 | * Tests precedence over renames: denied by default for different parent |
2340 | * directories, *with* a rule matching a parent directory, but not directly |
2341 | * denying access (with MAKE_REG nor REMOVE). |
2342 | */ |
2343 | TEST_F_FORK(layout1, refer_denied_by_default1) |
2344 | { |
2345 | refer_denied_by_default(_metadata, layer1: layer_dir_s1d1_refer, layer1_err: 0, |
2346 | layer2: layer_dir_s1d1_execute); |
2347 | } |
2348 | |
2349 | /* |
2350 | * Same test but this time turning around the ABI version order: the first |
2351 | * layer does not handle LANDLOCK_ACCESS_FS_REFER. |
2352 | */ |
2353 | TEST_F_FORK(layout1, refer_denied_by_default2) |
2354 | { |
2355 | refer_denied_by_default(_metadata, layer_dir_s1d1_execute, EXDEV, |
2356 | layer_dir_s1d1_refer); |
2357 | } |
2358 | |
2359 | /* |
2360 | * Tests precedence over renames: denied by default for different parent |
2361 | * directories, *without* a rule matching a parent directory, but not directly |
2362 | * denying access (with MAKE_REG nor REMOVE). |
2363 | */ |
2364 | TEST_F_FORK(layout1, refer_denied_by_default3) |
2365 | { |
2366 | refer_denied_by_default(_metadata, layer1: layer_dir_s1d1_refer, layer1_err: 0, |
2367 | layer2: layer_dir_s2d1_execute); |
2368 | } |
2369 | |
2370 | /* |
2371 | * Same test but this time turning around the ABI version order: the first |
2372 | * layer does not handle LANDLOCK_ACCESS_FS_REFER. |
2373 | */ |
2374 | TEST_F_FORK(layout1, refer_denied_by_default4) |
2375 | { |
2376 | refer_denied_by_default(_metadata, layer_dir_s2d1_execute, EXDEV, |
2377 | layer_dir_s1d1_refer); |
2378 | } |
2379 | |
2380 | TEST_F_FORK(layout1, reparent_link) |
2381 | { |
2382 | const struct rule layer1[] = { |
2383 | { |
2384 | .path = dir_s1d2, |
2385 | .access = LANDLOCK_ACCESS_FS_MAKE_REG, |
2386 | }, |
2387 | { |
2388 | .path = dir_s1d3, |
2389 | .access = LANDLOCK_ACCESS_FS_REFER, |
2390 | }, |
2391 | { |
2392 | .path = dir_s2d2, |
2393 | .access = LANDLOCK_ACCESS_FS_REFER, |
2394 | }, |
2395 | { |
2396 | .path = dir_s2d3, |
2397 | .access = LANDLOCK_ACCESS_FS_MAKE_REG, |
2398 | }, |
2399 | {}, |
2400 | }; |
2401 | const int ruleset_fd = create_ruleset( |
2402 | _metadata, |
2403 | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, rules: layer1); |
2404 | |
2405 | ASSERT_LE(0, ruleset_fd); |
2406 | enforce_ruleset(_metadata, ruleset_fd); |
2407 | ASSERT_EQ(0, close(ruleset_fd)); |
2408 | |
2409 | ASSERT_EQ(0, unlink(file1_s1d1)); |
2410 | ASSERT_EQ(0, unlink(file1_s1d2)); |
2411 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2412 | |
2413 | /* Denies linking because of missing MAKE_REG. */ |
2414 | ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); |
2415 | ASSERT_EQ(EACCES, errno); |
2416 | /* Denies linking because of missing source and destination REFER. */ |
2417 | ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2)); |
2418 | ASSERT_EQ(EXDEV, errno); |
2419 | /* Denies linking because of missing source REFER. */ |
2420 | ASSERT_EQ(-1, link(file1_s2d1, file1_s1d3)); |
2421 | ASSERT_EQ(EXDEV, errno); |
2422 | |
2423 | /* Denies linking because of missing MAKE_REG. */ |
2424 | ASSERT_EQ(-1, link(file1_s2d2, file1_s1d1)); |
2425 | ASSERT_EQ(EACCES, errno); |
2426 | /* Denies linking because of missing destination REFER. */ |
2427 | ASSERT_EQ(-1, link(file1_s2d2, file1_s1d2)); |
2428 | ASSERT_EQ(EXDEV, errno); |
2429 | |
2430 | /* Allows linking because of REFER and MAKE_REG. */ |
2431 | ASSERT_EQ(0, link(file1_s2d2, file1_s1d3)); |
2432 | ASSERT_EQ(0, unlink(file1_s2d2)); |
2433 | /* Reverse linking denied because of missing MAKE_REG. */ |
2434 | ASSERT_EQ(-1, link(file1_s1d3, file1_s2d2)); |
2435 | ASSERT_EQ(EACCES, errno); |
2436 | ASSERT_EQ(0, unlink(file1_s2d3)); |
2437 | /* Checks reverse linking. */ |
2438 | ASSERT_EQ(0, link(file1_s1d3, file1_s2d3)); |
2439 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2440 | |
2441 | /* |
2442 | * This is OK for a file link, but it should not be allowed for a |
2443 | * directory rename (because of the superset of access rights. |
2444 | */ |
2445 | ASSERT_EQ(0, link(file1_s2d3, file1_s1d3)); |
2446 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2447 | |
2448 | ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3)); |
2449 | ASSERT_EQ(EXDEV, errno); |
2450 | ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2)); |
2451 | ASSERT_EQ(EXDEV, errno); |
2452 | |
2453 | ASSERT_EQ(0, link(file2_s1d2, file1_s1d2)); |
2454 | ASSERT_EQ(0, link(file2_s1d3, file1_s1d3)); |
2455 | } |
2456 | |
2457 | TEST_F_FORK(layout1, reparent_rename) |
2458 | { |
2459 | /* Same rules as for reparent_link. */ |
2460 | const struct rule layer1[] = { |
2461 | { |
2462 | .path = dir_s1d2, |
2463 | .access = LANDLOCK_ACCESS_FS_MAKE_REG, |
2464 | }, |
2465 | { |
2466 | .path = dir_s1d3, |
2467 | .access = LANDLOCK_ACCESS_FS_REFER, |
2468 | }, |
2469 | { |
2470 | .path = dir_s2d2, |
2471 | .access = LANDLOCK_ACCESS_FS_REFER, |
2472 | }, |
2473 | { |
2474 | .path = dir_s2d3, |
2475 | .access = LANDLOCK_ACCESS_FS_MAKE_REG, |
2476 | }, |
2477 | {}, |
2478 | }; |
2479 | const int ruleset_fd = create_ruleset( |
2480 | _metadata, |
2481 | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, rules: layer1); |
2482 | |
2483 | ASSERT_LE(0, ruleset_fd); |
2484 | enforce_ruleset(_metadata, ruleset_fd); |
2485 | ASSERT_EQ(0, close(ruleset_fd)); |
2486 | |
2487 | ASSERT_EQ(0, unlink(file1_s1d2)); |
2488 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2489 | |
2490 | /* Denies renaming because of missing MAKE_REG. */ |
2491 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s1d1, |
2492 | RENAME_EXCHANGE)); |
2493 | ASSERT_EQ(EACCES, errno); |
2494 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file2_s1d1, |
2495 | RENAME_EXCHANGE)); |
2496 | ASSERT_EQ(EACCES, errno); |
2497 | ASSERT_EQ(0, unlink(file1_s1d1)); |
2498 | ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); |
2499 | ASSERT_EQ(EACCES, errno); |
2500 | /* Even denies same file exchange. */ |
2501 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file2_s1d1, |
2502 | RENAME_EXCHANGE)); |
2503 | ASSERT_EQ(EACCES, errno); |
2504 | |
2505 | /* Denies renaming because of missing source and destination REFER. */ |
2506 | ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d2)); |
2507 | ASSERT_EQ(EXDEV, errno); |
2508 | /* |
2509 | * Denies renaming because of missing MAKE_REG, source and destination |
2510 | * REFER. |
2511 | */ |
2512 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d1, |
2513 | RENAME_EXCHANGE)); |
2514 | ASSERT_EQ(EACCES, errno); |
2515 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s2d1, |
2516 | RENAME_EXCHANGE)); |
2517 | ASSERT_EQ(EACCES, errno); |
2518 | |
2519 | /* Denies renaming because of missing source REFER. */ |
2520 | ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); |
2521 | ASSERT_EQ(EXDEV, errno); |
2522 | /* Denies renaming because of missing MAKE_REG. */ |
2523 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d3, |
2524 | RENAME_EXCHANGE)); |
2525 | ASSERT_EQ(EACCES, errno); |
2526 | |
2527 | /* Denies renaming because of missing MAKE_REG. */ |
2528 | ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d1)); |
2529 | ASSERT_EQ(EACCES, errno); |
2530 | /* Denies renaming because of missing destination REFER*/ |
2531 | ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2)); |
2532 | ASSERT_EQ(EXDEV, errno); |
2533 | |
2534 | /* Denies exchange because of one missing MAKE_REG. */ |
2535 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, file2_s1d3, |
2536 | RENAME_EXCHANGE)); |
2537 | ASSERT_EQ(EACCES, errno); |
2538 | /* Allows renaming because of REFER and MAKE_REG. */ |
2539 | ASSERT_EQ(0, rename(file1_s2d2, file1_s1d3)); |
2540 | |
2541 | /* Reverse renaming denied because of missing MAKE_REG. */ |
2542 | ASSERT_EQ(-1, rename(file1_s1d3, file1_s2d2)); |
2543 | ASSERT_EQ(EACCES, errno); |
2544 | ASSERT_EQ(0, unlink(file1_s2d3)); |
2545 | ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3)); |
2546 | |
2547 | /* Tests reverse renaming. */ |
2548 | ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3)); |
2549 | ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s1d3, |
2550 | RENAME_EXCHANGE)); |
2551 | ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3)); |
2552 | |
2553 | /* |
2554 | * This is OK for a file rename, but it should not be allowed for a |
2555 | * directory rename (because of the superset of access rights). |
2556 | */ |
2557 | ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3)); |
2558 | ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3)); |
2559 | |
2560 | /* |
2561 | * Tests superset restrictions applied to directories. Not only the |
2562 | * dir_s2d3's parent (dir_s2d2) should be taken into account but also |
2563 | * access rights tied to dir_s2d3. dir_s2d2 is missing one access right |
2564 | * compared to dir_s1d3/file1_s1d3 (MAKE_REG) but it is provided |
2565 | * directly by the moved dir_s2d3. |
2566 | */ |
2567 | ASSERT_EQ(0, rename(dir_s2d3, file1_s1d3)); |
2568 | ASSERT_EQ(0, rename(file1_s1d3, dir_s2d3)); |
2569 | /* |
2570 | * The first rename is allowed but not the exchange because dir_s1d3's |
2571 | * parent (dir_s1d2) doesn't have REFER. |
2572 | */ |
2573 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3, |
2574 | RENAME_EXCHANGE)); |
2575 | ASSERT_EQ(EXDEV, errno); |
2576 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s2d3, |
2577 | RENAME_EXCHANGE)); |
2578 | ASSERT_EQ(EXDEV, errno); |
2579 | ASSERT_EQ(-1, rename(file1_s2d3, dir_s1d3)); |
2580 | ASSERT_EQ(EXDEV, errno); |
2581 | |
2582 | ASSERT_EQ(-1, rename(file2_s1d2, file1_s1d3)); |
2583 | ASSERT_EQ(EXDEV, errno); |
2584 | ASSERT_EQ(-1, rename(file2_s1d3, file1_s1d2)); |
2585 | ASSERT_EQ(EXDEV, errno); |
2586 | |
2587 | /* Renaming in the same directory is always allowed. */ |
2588 | ASSERT_EQ(0, rename(file2_s1d2, file1_s1d2)); |
2589 | ASSERT_EQ(0, rename(file2_s1d3, file1_s1d3)); |
2590 | |
2591 | ASSERT_EQ(0, unlink(file1_s1d2)); |
2592 | /* Denies because of missing source MAKE_REG and destination REFER. */ |
2593 | ASSERT_EQ(-1, rename(dir_s2d3, file1_s1d2)); |
2594 | ASSERT_EQ(EXDEV, errno); |
2595 | |
2596 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2597 | /* Denies because of missing source MAKE_REG and REFER. */ |
2598 | ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d3)); |
2599 | ASSERT_EQ(EXDEV, errno); |
2600 | } |
2601 | |
2602 | static void |
2603 | reparent_exdev_layers_enforce1(struct __test_metadata *const _metadata) |
2604 | { |
2605 | const struct rule layer1[] = { |
2606 | { |
2607 | .path = dir_s1d2, |
2608 | .access = LANDLOCK_ACCESS_FS_REFER, |
2609 | }, |
2610 | { |
2611 | /* Interesting for the layer2 tests. */ |
2612 | .path = dir_s1d3, |
2613 | .access = LANDLOCK_ACCESS_FS_MAKE_REG, |
2614 | }, |
2615 | { |
2616 | .path = dir_s2d2, |
2617 | .access = LANDLOCK_ACCESS_FS_REFER, |
2618 | }, |
2619 | { |
2620 | .path = dir_s2d3, |
2621 | .access = LANDLOCK_ACCESS_FS_MAKE_REG, |
2622 | }, |
2623 | {}, |
2624 | }; |
2625 | const int ruleset_fd = create_ruleset( |
2626 | _metadata, |
2627 | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, rules: layer1); |
2628 | |
2629 | ASSERT_LE(0, ruleset_fd); |
2630 | enforce_ruleset(_metadata, ruleset_fd); |
2631 | ASSERT_EQ(0, close(ruleset_fd)); |
2632 | } |
2633 | |
2634 | static void |
2635 | reparent_exdev_layers_enforce2(struct __test_metadata *const _metadata) |
2636 | { |
2637 | const struct rule layer2[] = { |
2638 | { |
2639 | .path = dir_s2d3, |
2640 | .access = LANDLOCK_ACCESS_FS_MAKE_DIR, |
2641 | }, |
2642 | {}, |
2643 | }; |
2644 | /* |
2645 | * Same checks as before but with a second layer and a new MAKE_DIR |
2646 | * rule (and no explicit handling of REFER). |
2647 | */ |
2648 | const int ruleset_fd = |
2649 | create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_DIR, rules: layer2); |
2650 | |
2651 | ASSERT_LE(0, ruleset_fd); |
2652 | enforce_ruleset(_metadata, ruleset_fd); |
2653 | ASSERT_EQ(0, close(ruleset_fd)); |
2654 | } |
2655 | |
2656 | TEST_F_FORK(layout1, reparent_exdev_layers_rename1) |
2657 | { |
2658 | ASSERT_EQ(0, unlink(file1_s2d2)); |
2659 | ASSERT_EQ(0, unlink(file1_s2d3)); |
2660 | |
2661 | reparent_exdev_layers_enforce1(_metadata); |
2662 | |
2663 | /* |
2664 | * Moving the dir_s1d3 directory below dir_s2d2 is allowed by Landlock |
2665 | * because it doesn't inherit new access rights. |
2666 | */ |
2667 | ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2)); |
2668 | ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3)); |
2669 | |
2670 | /* |
2671 | * Moving the dir_s1d3 directory below dir_s2d3 is allowed, even if it |
2672 | * gets a new inherited access rights (MAKE_REG), because MAKE_REG is |
2673 | * already allowed for dir_s1d3. |
2674 | */ |
2675 | ASSERT_EQ(0, rename(dir_s1d3, file1_s2d3)); |
2676 | ASSERT_EQ(0, rename(file1_s2d3, dir_s1d3)); |
2677 | |
2678 | /* |
2679 | * However, moving the file1_s1d3 file below dir_s2d3 is allowed |
2680 | * because it cannot inherit MAKE_REG right (which is dedicated to |
2681 | * directories). |
2682 | */ |
2683 | ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3)); |
2684 | |
2685 | reparent_exdev_layers_enforce2(_metadata); |
2686 | |
2687 | /* |
2688 | * Moving the dir_s1d3 directory below dir_s2d2 is now denied because |
2689 | * MAKE_DIR is not tied to dir_s2d2. |
2690 | */ |
2691 | ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d2)); |
2692 | ASSERT_EQ(EACCES, errno); |
2693 | |
2694 | /* |
2695 | * Moving the dir_s1d3 directory below dir_s2d3 is forbidden because it |
2696 | * would grants MAKE_REG and MAKE_DIR rights to it. |
2697 | */ |
2698 | ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3)); |
2699 | ASSERT_EQ(EXDEV, errno); |
2700 | |
2701 | /* |
2702 | * Moving the file2_s1d3 file below dir_s2d3 is denied because the |
2703 | * second layer does not handle REFER, which is always denied by |
2704 | * default. |
2705 | */ |
2706 | ASSERT_EQ(-1, rename(file2_s1d3, file1_s2d3)); |
2707 | ASSERT_EQ(EXDEV, errno); |
2708 | } |
2709 | |
2710 | TEST_F_FORK(layout1, reparent_exdev_layers_rename2) |
2711 | { |
2712 | reparent_exdev_layers_enforce1(_metadata); |
2713 | |
2714 | /* Checks EACCES predominance over EXDEV. */ |
2715 | ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2)); |
2716 | ASSERT_EQ(EACCES, errno); |
2717 | ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d2)); |
2718 | ASSERT_EQ(EACCES, errno); |
2719 | ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3)); |
2720 | ASSERT_EQ(EXDEV, errno); |
2721 | /* Modify layout! */ |
2722 | ASSERT_EQ(0, rename(file1_s1d2, file1_s2d3)); |
2723 | |
2724 | /* Without REFER source. */ |
2725 | ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2)); |
2726 | ASSERT_EQ(EXDEV, errno); |
2727 | ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2)); |
2728 | ASSERT_EQ(EXDEV, errno); |
2729 | |
2730 | reparent_exdev_layers_enforce2(_metadata); |
2731 | |
2732 | /* Checks EACCES predominance over EXDEV. */ |
2733 | ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2)); |
2734 | ASSERT_EQ(EACCES, errno); |
2735 | /* Checks with actual file2_s1d2. */ |
2736 | ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d2)); |
2737 | ASSERT_EQ(EACCES, errno); |
2738 | ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3)); |
2739 | ASSERT_EQ(EXDEV, errno); |
2740 | /* |
2741 | * Modifying the layout is now denied because the second layer does not |
2742 | * handle REFER, which is always denied by default. |
2743 | */ |
2744 | ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3)); |
2745 | ASSERT_EQ(EXDEV, errno); |
2746 | |
2747 | /* Without REFER source, EACCES wins over EXDEV. */ |
2748 | ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2)); |
2749 | ASSERT_EQ(EACCES, errno); |
2750 | ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2)); |
2751 | ASSERT_EQ(EACCES, errno); |
2752 | } |
2753 | |
2754 | TEST_F_FORK(layout1, reparent_exdev_layers_exchange1) |
2755 | { |
2756 | const char *const dir_file1_s1d2 = file1_s1d2, *const dir_file2_s2d3 = |
2757 | file2_s2d3; |
2758 | |
2759 | ASSERT_EQ(0, unlink(file1_s1d2)); |
2760 | ASSERT_EQ(0, mkdir(file1_s1d2, 0700)); |
2761 | ASSERT_EQ(0, unlink(file2_s2d3)); |
2762 | ASSERT_EQ(0, mkdir(file2_s2d3, 0700)); |
2763 | |
2764 | reparent_exdev_layers_enforce1(_metadata); |
2765 | |
2766 | /* Error predominance with file exchange: returns EXDEV and EACCES. */ |
2767 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3, |
2768 | RENAME_EXCHANGE)); |
2769 | ASSERT_EQ(EACCES, errno); |
2770 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1, |
2771 | RENAME_EXCHANGE)); |
2772 | ASSERT_EQ(EACCES, errno); |
2773 | |
2774 | /* |
2775 | * Checks with directories which creation could be allowed, but denied |
2776 | * because of access rights that would be inherited. |
2777 | */ |
2778 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, |
2779 | dir_file2_s2d3, RENAME_EXCHANGE)); |
2780 | ASSERT_EQ(EXDEV, errno); |
2781 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, |
2782 | dir_file1_s1d2, RENAME_EXCHANGE)); |
2783 | ASSERT_EQ(EXDEV, errno); |
2784 | |
2785 | /* Checks with same access rights. */ |
2786 | ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3, |
2787 | RENAME_EXCHANGE)); |
2788 | ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3, |
2789 | RENAME_EXCHANGE)); |
2790 | |
2791 | /* Checks with different (child-only) access rights. */ |
2792 | ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2, |
2793 | RENAME_EXCHANGE)); |
2794 | ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3, |
2795 | RENAME_EXCHANGE)); |
2796 | |
2797 | /* |
2798 | * Checks that exchange between file and directory are consistent. |
2799 | * |
2800 | * Moving a file (file1_s2d2) to a directory which only grants more |
2801 | * directory-related access rights is allowed, and at the same time |
2802 | * moving a directory (dir_file2_s2d3) to another directory which |
2803 | * grants less access rights is allowed too. |
2804 | * |
2805 | * See layout1.reparent_exdev_layers_exchange3 for inverted arguments. |
2806 | */ |
2807 | ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, |
2808 | RENAME_EXCHANGE)); |
2809 | /* |
2810 | * However, moving back the directory is denied because it would get |
2811 | * more access rights than the current state and because file creation |
2812 | * is forbidden (in dir_s2d2). |
2813 | */ |
2814 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, |
2815 | RENAME_EXCHANGE)); |
2816 | ASSERT_EQ(EACCES, errno); |
2817 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, |
2818 | RENAME_EXCHANGE)); |
2819 | ASSERT_EQ(EACCES, errno); |
2820 | |
2821 | reparent_exdev_layers_enforce2(_metadata); |
2822 | |
2823 | /* Error predominance with file exchange: returns EXDEV and EACCES. */ |
2824 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3, |
2825 | RENAME_EXCHANGE)); |
2826 | ASSERT_EQ(EACCES, errno); |
2827 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1, |
2828 | RENAME_EXCHANGE)); |
2829 | ASSERT_EQ(EACCES, errno); |
2830 | |
2831 | /* Checks with directories which creation is now denied. */ |
2832 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, |
2833 | dir_file2_s2d3, RENAME_EXCHANGE)); |
2834 | ASSERT_EQ(EACCES, errno); |
2835 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, |
2836 | dir_file1_s1d2, RENAME_EXCHANGE)); |
2837 | ASSERT_EQ(EACCES, errno); |
2838 | |
2839 | /* Checks with different (child-only) access rights. */ |
2840 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3, |
2841 | RENAME_EXCHANGE)); |
2842 | /* Denied because of MAKE_DIR. */ |
2843 | ASSERT_EQ(EACCES, errno); |
2844 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3, |
2845 | RENAME_EXCHANGE)); |
2846 | ASSERT_EQ(EACCES, errno); |
2847 | |
2848 | /* Checks with different (child-only) access rights. */ |
2849 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2, |
2850 | RENAME_EXCHANGE)); |
2851 | /* Denied because of MAKE_DIR. */ |
2852 | ASSERT_EQ(EACCES, errno); |
2853 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3, |
2854 | RENAME_EXCHANGE)); |
2855 | ASSERT_EQ(EACCES, errno); |
2856 | |
2857 | /* See layout1.reparent_exdev_layers_exchange2 for complement. */ |
2858 | } |
2859 | |
2860 | TEST_F_FORK(layout1, reparent_exdev_layers_exchange2) |
2861 | { |
2862 | const char *const dir_file2_s2d3 = file2_s2d3; |
2863 | |
2864 | ASSERT_EQ(0, unlink(file2_s2d3)); |
2865 | ASSERT_EQ(0, mkdir(file2_s2d3, 0700)); |
2866 | |
2867 | reparent_exdev_layers_enforce1(_metadata); |
2868 | reparent_exdev_layers_enforce2(_metadata); |
2869 | |
2870 | /* Checks that exchange between file and directory are consistent. */ |
2871 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, |
2872 | RENAME_EXCHANGE)); |
2873 | ASSERT_EQ(EACCES, errno); |
2874 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, |
2875 | RENAME_EXCHANGE)); |
2876 | ASSERT_EQ(EACCES, errno); |
2877 | } |
2878 | |
2879 | TEST_F_FORK(layout1, reparent_exdev_layers_exchange3) |
2880 | { |
2881 | const char *const dir_file2_s2d3 = file2_s2d3; |
2882 | |
2883 | ASSERT_EQ(0, unlink(file2_s2d3)); |
2884 | ASSERT_EQ(0, mkdir(file2_s2d3, 0700)); |
2885 | |
2886 | reparent_exdev_layers_enforce1(_metadata); |
2887 | |
2888 | /* |
2889 | * Checks that exchange between file and directory are consistent, |
2890 | * including with inverted arguments (see |
2891 | * layout1.reparent_exdev_layers_exchange1). |
2892 | */ |
2893 | ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, |
2894 | RENAME_EXCHANGE)); |
2895 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, |
2896 | RENAME_EXCHANGE)); |
2897 | ASSERT_EQ(EACCES, errno); |
2898 | ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, |
2899 | RENAME_EXCHANGE)); |
2900 | ASSERT_EQ(EACCES, errno); |
2901 | } |
2902 | |
2903 | TEST_F_FORK(layout1, reparent_remove) |
2904 | { |
2905 | const struct rule layer1[] = { |
2906 | { |
2907 | .path = dir_s1d1, |
2908 | .access = LANDLOCK_ACCESS_FS_REFER | |
2909 | LANDLOCK_ACCESS_FS_REMOVE_DIR, |
2910 | }, |
2911 | { |
2912 | .path = dir_s1d2, |
2913 | .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, |
2914 | }, |
2915 | { |
2916 | .path = dir_s2d1, |
2917 | .access = LANDLOCK_ACCESS_FS_REFER | |
2918 | LANDLOCK_ACCESS_FS_REMOVE_FILE, |
2919 | }, |
2920 | {}, |
2921 | }; |
2922 | const int ruleset_fd = create_ruleset( |
2923 | _metadata, |
2924 | LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_REMOVE_DIR | |
2925 | LANDLOCK_ACCESS_FS_REMOVE_FILE, |
2926 | rules: layer1); |
2927 | |
2928 | ASSERT_LE(0, ruleset_fd); |
2929 | enforce_ruleset(_metadata, ruleset_fd); |
2930 | ASSERT_EQ(0, close(ruleset_fd)); |
2931 | |
2932 | /* Access denied because of wrong/swapped remove file/dir. */ |
2933 | ASSERT_EQ(-1, rename(file1_s1d1, dir_s2d2)); |
2934 | ASSERT_EQ(EACCES, errno); |
2935 | ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d1)); |
2936 | ASSERT_EQ(EACCES, errno); |
2937 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d2, |
2938 | RENAME_EXCHANGE)); |
2939 | ASSERT_EQ(EACCES, errno); |
2940 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d3, |
2941 | RENAME_EXCHANGE)); |
2942 | ASSERT_EQ(EACCES, errno); |
2943 | |
2944 | /* Access allowed thanks to the matching rights. */ |
2945 | ASSERT_EQ(-1, rename(file1_s2d1, dir_s1d2)); |
2946 | ASSERT_EQ(EISDIR, errno); |
2947 | ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d1)); |
2948 | ASSERT_EQ(ENOTDIR, errno); |
2949 | ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1)); |
2950 | ASSERT_EQ(ENOTDIR, errno); |
2951 | ASSERT_EQ(0, unlink(file1_s2d1)); |
2952 | ASSERT_EQ(0, unlink(file1_s1d3)); |
2953 | ASSERT_EQ(0, unlink(file2_s1d3)); |
2954 | ASSERT_EQ(0, rename(dir_s1d3, file1_s2d1)); |
2955 | |
2956 | /* Effectively removes a file and a directory by exchanging them. */ |
2957 | ASSERT_EQ(0, mkdir(dir_s1d3, 0700)); |
2958 | ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3, |
2959 | RENAME_EXCHANGE)); |
2960 | ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3, |
2961 | RENAME_EXCHANGE)); |
2962 | ASSERT_EQ(EACCES, errno); |
2963 | } |
2964 | |
2965 | TEST_F_FORK(layout1, reparent_dom_superset) |
2966 | { |
2967 | const struct rule layer1[] = { |
2968 | { |
2969 | .path = dir_s1d2, |
2970 | .access = LANDLOCK_ACCESS_FS_REFER, |
2971 | }, |
2972 | { |
2973 | .path = file1_s1d2, |
2974 | .access = LANDLOCK_ACCESS_FS_EXECUTE, |
2975 | }, |
2976 | { |
2977 | .path = dir_s1d3, |
2978 | .access = LANDLOCK_ACCESS_FS_MAKE_SOCK | |
2979 | LANDLOCK_ACCESS_FS_EXECUTE, |
2980 | }, |
2981 | { |
2982 | .path = dir_s2d2, |
2983 | .access = LANDLOCK_ACCESS_FS_REFER | |
2984 | LANDLOCK_ACCESS_FS_EXECUTE | |
2985 | LANDLOCK_ACCESS_FS_MAKE_SOCK, |
2986 | }, |
2987 | { |
2988 | .path = dir_s2d3, |
2989 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
2990 | LANDLOCK_ACCESS_FS_MAKE_FIFO, |
2991 | }, |
2992 | {}, |
2993 | }; |
2994 | int ruleset_fd = create_ruleset(_metadata, |
2995 | LANDLOCK_ACCESS_FS_REFER | |
2996 | LANDLOCK_ACCESS_FS_EXECUTE | |
2997 | LANDLOCK_ACCESS_FS_MAKE_SOCK | |
2998 | LANDLOCK_ACCESS_FS_READ_FILE | |
2999 | LANDLOCK_ACCESS_FS_MAKE_FIFO, |
3000 | rules: layer1); |
3001 | |
3002 | ASSERT_LE(0, ruleset_fd); |
3003 | enforce_ruleset(_metadata, ruleset_fd); |
3004 | ASSERT_EQ(0, close(ruleset_fd)); |
3005 | |
3006 | ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d1)); |
3007 | ASSERT_EQ(EXDEV, errno); |
3008 | /* |
3009 | * Moving file1_s1d2 beneath dir_s2d3 would grant it the READ_FILE |
3010 | * access right. |
3011 | */ |
3012 | ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d3)); |
3013 | ASSERT_EQ(EXDEV, errno); |
3014 | /* |
3015 | * Moving file1_s1d2 should be allowed even if dir_s2d2 grants a |
3016 | * superset of access rights compared to dir_s1d2, because file1_s1d2 |
3017 | * already has these access rights anyway. |
3018 | */ |
3019 | ASSERT_EQ(0, rename(file1_s1d2, file1_s2d2)); |
3020 | ASSERT_EQ(0, rename(file1_s2d2, file1_s1d2)); |
3021 | |
3022 | ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1)); |
3023 | ASSERT_EQ(EXDEV, errno); |
3024 | /* |
3025 | * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access |
3026 | * right. |
3027 | */ |
3028 | ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3)); |
3029 | ASSERT_EQ(EXDEV, errno); |
3030 | /* |
3031 | * Moving dir_s1d3 should be allowed even if dir_s2d2 grants a superset |
3032 | * of access rights compared to dir_s1d2, because dir_s1d3 already has |
3033 | * these access rights anyway. |
3034 | */ |
3035 | ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2)); |
3036 | ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3)); |
3037 | |
3038 | /* |
3039 | * Moving file1_s2d3 beneath dir_s1d2 is allowed, but moving it back |
3040 | * will be denied because the new inherited access rights from dir_s1d2 |
3041 | * will be less than the destination (original) dir_s2d3. This is a |
3042 | * sinkhole scenario where we cannot move back files or directories. |
3043 | */ |
3044 | ASSERT_EQ(0, rename(file1_s2d3, file2_s1d2)); |
3045 | ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3)); |
3046 | ASSERT_EQ(EXDEV, errno); |
3047 | ASSERT_EQ(0, unlink(file2_s1d2)); |
3048 | ASSERT_EQ(0, unlink(file2_s2d3)); |
3049 | /* |
3050 | * Checks similar directory one-way move: dir_s2d3 loses EXECUTE and |
3051 | * MAKE_SOCK which were inherited from dir_s1d3. |
3052 | */ |
3053 | ASSERT_EQ(0, rename(dir_s2d3, file2_s1d2)); |
3054 | ASSERT_EQ(-1, rename(file2_s1d2, dir_s2d3)); |
3055 | ASSERT_EQ(EXDEV, errno); |
3056 | } |
3057 | |
3058 | TEST_F_FORK(layout1, remove_dir) |
3059 | { |
3060 | const struct rule rules[] = { |
3061 | { |
3062 | .path = dir_s1d2, |
3063 | .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, |
3064 | }, |
3065 | {}, |
3066 | }; |
3067 | const int ruleset_fd = |
3068 | create_ruleset(_metadata, handled_access_fs: rules[0].access, rules); |
3069 | |
3070 | ASSERT_LE(0, ruleset_fd); |
3071 | |
3072 | ASSERT_EQ(0, unlink(file1_s1d1)); |
3073 | ASSERT_EQ(0, unlink(file1_s1d2)); |
3074 | ASSERT_EQ(0, unlink(file1_s1d3)); |
3075 | ASSERT_EQ(0, unlink(file2_s1d3)); |
3076 | |
3077 | enforce_ruleset(_metadata, ruleset_fd); |
3078 | ASSERT_EQ(0, close(ruleset_fd)); |
3079 | |
3080 | ASSERT_EQ(0, rmdir(dir_s1d3)); |
3081 | ASSERT_EQ(0, mkdir(dir_s1d3, 0700)); |
3082 | ASSERT_EQ(0, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR)); |
3083 | |
3084 | /* dir_s1d2 itself cannot be removed. */ |
3085 | ASSERT_EQ(-1, rmdir(dir_s1d2)); |
3086 | ASSERT_EQ(EACCES, errno); |
3087 | ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d2, AT_REMOVEDIR)); |
3088 | ASSERT_EQ(EACCES, errno); |
3089 | ASSERT_EQ(-1, rmdir(dir_s1d1)); |
3090 | ASSERT_EQ(EACCES, errno); |
3091 | ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d1, AT_REMOVEDIR)); |
3092 | ASSERT_EQ(EACCES, errno); |
3093 | } |
3094 | |
3095 | TEST_F_FORK(layout1, remove_file) |
3096 | { |
3097 | const struct rule rules[] = { |
3098 | { |
3099 | .path = dir_s1d2, |
3100 | .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, |
3101 | }, |
3102 | {}, |
3103 | }; |
3104 | const int ruleset_fd = |
3105 | create_ruleset(_metadata, handled_access_fs: rules[0].access, rules); |
3106 | |
3107 | ASSERT_LE(0, ruleset_fd); |
3108 | enforce_ruleset(_metadata, ruleset_fd); |
3109 | ASSERT_EQ(0, close(ruleset_fd)); |
3110 | |
3111 | ASSERT_EQ(-1, unlink(file1_s1d1)); |
3112 | ASSERT_EQ(EACCES, errno); |
3113 | ASSERT_EQ(-1, unlinkat(AT_FDCWD, file1_s1d1, 0)); |
3114 | ASSERT_EQ(EACCES, errno); |
3115 | ASSERT_EQ(0, unlink(file1_s1d2)); |
3116 | ASSERT_EQ(0, unlinkat(AT_FDCWD, file1_s1d3, 0)); |
3117 | } |
3118 | |
3119 | static void test_make_file(struct __test_metadata *const _metadata, |
3120 | const __u64 access, const mode_t mode, |
3121 | const dev_t dev) |
3122 | { |
3123 | const struct rule rules[] = { |
3124 | { |
3125 | .path = dir_s1d2, |
3126 | .access = access, |
3127 | }, |
3128 | {}, |
3129 | }; |
3130 | const int ruleset_fd = create_ruleset(_metadata, handled_access_fs: access, rules); |
3131 | |
3132 | ASSERT_LE(0, ruleset_fd); |
3133 | |
3134 | ASSERT_EQ(0, unlink(file1_s1d1)); |
3135 | ASSERT_EQ(0, unlink(file2_s1d1)); |
3136 | ASSERT_EQ(0, mknod(file2_s1d1, mode | 0400, dev)) |
3137 | { |
3138 | TH_LOG("Failed to make file \"%s\": %s" , file2_s1d1, |
3139 | strerror(errno)); |
3140 | }; |
3141 | |
3142 | ASSERT_EQ(0, unlink(file1_s1d2)); |
3143 | ASSERT_EQ(0, unlink(file2_s1d2)); |
3144 | |
3145 | ASSERT_EQ(0, unlink(file1_s1d3)); |
3146 | ASSERT_EQ(0, unlink(file2_s1d3)); |
3147 | |
3148 | enforce_ruleset(_metadata, ruleset_fd); |
3149 | ASSERT_EQ(0, close(ruleset_fd)); |
3150 | |
3151 | ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev)); |
3152 | ASSERT_EQ(EACCES, errno); |
3153 | ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); |
3154 | ASSERT_EQ(EACCES, errno); |
3155 | ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); |
3156 | ASSERT_EQ(EACCES, errno); |
3157 | |
3158 | ASSERT_EQ(0, mknod(file1_s1d2, mode | 0400, dev)) |
3159 | { |
3160 | TH_LOG("Failed to make file \"%s\": %s" , file1_s1d2, |
3161 | strerror(errno)); |
3162 | }; |
3163 | ASSERT_EQ(0, link(file1_s1d2, file2_s1d2)); |
3164 | ASSERT_EQ(0, unlink(file2_s1d2)); |
3165 | ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2)); |
3166 | |
3167 | ASSERT_EQ(0, mknod(file1_s1d3, mode | 0400, dev)); |
3168 | ASSERT_EQ(0, link(file1_s1d3, file2_s1d3)); |
3169 | ASSERT_EQ(0, unlink(file2_s1d3)); |
3170 | ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3)); |
3171 | } |
3172 | |
3173 | TEST_F_FORK(layout1, make_char) |
3174 | { |
3175 | /* Creates a /dev/null device. */ |
3176 | set_cap(_metadata, CAP_MKNOD); |
3177 | test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR, |
3178 | makedev(1, 3)); |
3179 | } |
3180 | |
3181 | TEST_F_FORK(layout1, make_block) |
3182 | { |
3183 | /* Creates a /dev/loop0 device. */ |
3184 | set_cap(_metadata, CAP_MKNOD); |
3185 | test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK, |
3186 | makedev(7, 0)); |
3187 | } |
3188 | |
3189 | TEST_F_FORK(layout1, make_reg_1) |
3190 | { |
3191 | test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0); |
3192 | } |
3193 | |
3194 | TEST_F_FORK(layout1, make_reg_2) |
3195 | { |
3196 | test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, mode: 0, dev: 0); |
3197 | } |
3198 | |
3199 | TEST_F_FORK(layout1, make_sock) |
3200 | { |
3201 | test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0); |
3202 | } |
3203 | |
3204 | TEST_F_FORK(layout1, make_fifo) |
3205 | { |
3206 | test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0); |
3207 | } |
3208 | |
3209 | TEST_F_FORK(layout1, make_sym) |
3210 | { |
3211 | const struct rule rules[] = { |
3212 | { |
3213 | .path = dir_s1d2, |
3214 | .access = LANDLOCK_ACCESS_FS_MAKE_SYM, |
3215 | }, |
3216 | {}, |
3217 | }; |
3218 | const int ruleset_fd = |
3219 | create_ruleset(_metadata, handled_access_fs: rules[0].access, rules); |
3220 | |
3221 | ASSERT_LE(0, ruleset_fd); |
3222 | |
3223 | ASSERT_EQ(0, unlink(file1_s1d1)); |
3224 | ASSERT_EQ(0, unlink(file2_s1d1)); |
3225 | ASSERT_EQ(0, symlink("none" , file2_s1d1)); |
3226 | |
3227 | ASSERT_EQ(0, unlink(file1_s1d2)); |
3228 | ASSERT_EQ(0, unlink(file2_s1d2)); |
3229 | |
3230 | ASSERT_EQ(0, unlink(file1_s1d3)); |
3231 | ASSERT_EQ(0, unlink(file2_s1d3)); |
3232 | |
3233 | enforce_ruleset(_metadata, ruleset_fd); |
3234 | ASSERT_EQ(0, close(ruleset_fd)); |
3235 | |
3236 | ASSERT_EQ(-1, symlink("none" , file1_s1d1)); |
3237 | ASSERT_EQ(EACCES, errno); |
3238 | ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); |
3239 | ASSERT_EQ(EACCES, errno); |
3240 | ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); |
3241 | ASSERT_EQ(EACCES, errno); |
3242 | |
3243 | ASSERT_EQ(0, symlink("none" , file1_s1d2)); |
3244 | ASSERT_EQ(0, link(file1_s1d2, file2_s1d2)); |
3245 | ASSERT_EQ(0, unlink(file2_s1d2)); |
3246 | ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2)); |
3247 | |
3248 | ASSERT_EQ(0, symlink("none" , file1_s1d3)); |
3249 | ASSERT_EQ(0, link(file1_s1d3, file2_s1d3)); |
3250 | ASSERT_EQ(0, unlink(file2_s1d3)); |
3251 | ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3)); |
3252 | } |
3253 | |
3254 | TEST_F_FORK(layout1, make_dir) |
3255 | { |
3256 | const struct rule rules[] = { |
3257 | { |
3258 | .path = dir_s1d2, |
3259 | .access = LANDLOCK_ACCESS_FS_MAKE_DIR, |
3260 | }, |
3261 | {}, |
3262 | }; |
3263 | const int ruleset_fd = |
3264 | create_ruleset(_metadata, handled_access_fs: rules[0].access, rules); |
3265 | |
3266 | ASSERT_LE(0, ruleset_fd); |
3267 | |
3268 | ASSERT_EQ(0, unlink(file1_s1d1)); |
3269 | ASSERT_EQ(0, unlink(file1_s1d2)); |
3270 | ASSERT_EQ(0, unlink(file1_s1d3)); |
3271 | |
3272 | enforce_ruleset(_metadata, ruleset_fd); |
3273 | ASSERT_EQ(0, close(ruleset_fd)); |
3274 | |
3275 | /* Uses file_* as directory names. */ |
3276 | ASSERT_EQ(-1, mkdir(file1_s1d1, 0700)); |
3277 | ASSERT_EQ(EACCES, errno); |
3278 | ASSERT_EQ(0, mkdir(file1_s1d2, 0700)); |
3279 | ASSERT_EQ(0, mkdir(file1_s1d3, 0700)); |
3280 | } |
3281 | |
3282 | static int open_proc_fd(struct __test_metadata *const _metadata, const int fd, |
3283 | const int open_flags) |
3284 | { |
3285 | static const char path_template[] = "/proc/self/fd/%d" ; |
3286 | char procfd_path[sizeof(path_template) + 10]; |
3287 | const int procfd_path_size = |
3288 | snprintf(procfd_path, sizeof(procfd_path), path_template, fd); |
3289 | |
3290 | ASSERT_LT(procfd_path_size, sizeof(procfd_path)); |
3291 | return open(procfd_path, open_flags); |
3292 | } |
3293 | |
3294 | TEST_F_FORK(layout1, proc_unlinked_file) |
3295 | { |
3296 | const struct rule rules[] = { |
3297 | { |
3298 | .path = file1_s1d2, |
3299 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
3300 | }, |
3301 | {}, |
3302 | }; |
3303 | int reg_fd, proc_fd; |
3304 | const int ruleset_fd = create_ruleset( |
3305 | _metadata, |
3306 | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE, |
3307 | rules); |
3308 | |
3309 | ASSERT_LE(0, ruleset_fd); |
3310 | enforce_ruleset(_metadata, ruleset_fd); |
3311 | ASSERT_EQ(0, close(ruleset_fd)); |
3312 | |
3313 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR)); |
3314 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
3315 | reg_fd = open(file1_s1d2, O_RDONLY | O_CLOEXEC); |
3316 | ASSERT_LE(0, reg_fd); |
3317 | ASSERT_EQ(0, unlink(file1_s1d2)); |
3318 | |
3319 | proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC); |
3320 | ASSERT_LE(0, proc_fd); |
3321 | ASSERT_EQ(0, close(proc_fd)); |
3322 | |
3323 | proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC); |
3324 | ASSERT_EQ(-1, proc_fd) |
3325 | { |
3326 | TH_LOG("Successfully opened /proc/self/fd/%d: %s" , reg_fd, |
3327 | strerror(errno)); |
3328 | } |
3329 | ASSERT_EQ(EACCES, errno); |
3330 | |
3331 | ASSERT_EQ(0, close(reg_fd)); |
3332 | } |
3333 | |
3334 | TEST_F_FORK(layout1, proc_pipe) |
3335 | { |
3336 | int proc_fd; |
3337 | int pipe_fds[2]; |
3338 | char buf = '\0'; |
3339 | const struct rule rules[] = { |
3340 | { |
3341 | .path = dir_s1d2, |
3342 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
3343 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
3344 | }, |
3345 | {}, |
3346 | }; |
3347 | /* Limits read and write access to files tied to the filesystem. */ |
3348 | const int ruleset_fd = |
3349 | create_ruleset(_metadata, handled_access_fs: rules[0].access, rules); |
3350 | |
3351 | ASSERT_LE(0, ruleset_fd); |
3352 | enforce_ruleset(_metadata, ruleset_fd); |
3353 | ASSERT_EQ(0, close(ruleset_fd)); |
3354 | |
3355 | /* Checks enforcement for normal files. */ |
3356 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR)); |
3357 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); |
3358 | |
3359 | /* Checks access to pipes through FD. */ |
3360 | ASSERT_EQ(0, pipe2(pipe_fds, O_CLOEXEC)); |
3361 | ASSERT_EQ(1, write(pipe_fds[1], "." , 1)) |
3362 | { |
3363 | TH_LOG("Failed to write in pipe: %s" , strerror(errno)); |
3364 | } |
3365 | ASSERT_EQ(1, read(pipe_fds[0], &buf, 1)); |
3366 | ASSERT_EQ('.', buf); |
3367 | |
3368 | /* Checks write access to pipe through /proc/self/fd . */ |
3369 | proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC); |
3370 | ASSERT_LE(0, proc_fd); |
3371 | ASSERT_EQ(1, write(proc_fd, "." , 1)) |
3372 | { |
3373 | TH_LOG("Failed to write through /proc/self/fd/%d: %s" , |
3374 | pipe_fds[1], strerror(errno)); |
3375 | } |
3376 | ASSERT_EQ(0, close(proc_fd)); |
3377 | |
3378 | /* Checks read access to pipe through /proc/self/fd . */ |
3379 | proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC); |
3380 | ASSERT_LE(0, proc_fd); |
3381 | buf = '\0'; |
3382 | ASSERT_EQ(1, read(proc_fd, &buf, 1)) |
3383 | { |
3384 | TH_LOG("Failed to read through /proc/self/fd/%d: %s" , |
3385 | pipe_fds[1], strerror(errno)); |
3386 | } |
3387 | ASSERT_EQ(0, close(proc_fd)); |
3388 | |
3389 | ASSERT_EQ(0, close(pipe_fds[0])); |
3390 | ASSERT_EQ(0, close(pipe_fds[1])); |
3391 | } |
3392 | |
3393 | /* Invokes truncate(2) and returns its errno or 0. */ |
3394 | static int test_truncate(const char *const path) |
3395 | { |
3396 | if (truncate(path, 10) < 0) |
3397 | return errno; |
3398 | return 0; |
3399 | } |
3400 | |
3401 | /* |
3402 | * Invokes creat(2) and returns its errno or 0. |
3403 | * Closes the opened file descriptor on success. |
3404 | */ |
3405 | static int test_creat(const char *const path) |
3406 | { |
3407 | int fd = creat(path, 0600); |
3408 | |
3409 | if (fd < 0) |
3410 | return errno; |
3411 | |
3412 | /* |
3413 | * Mixing error codes from close(2) and creat(2) should not lead to any |
3414 | * (access type) confusion for this test. |
3415 | */ |
3416 | if (close(fd) < 0) |
3417 | return errno; |
3418 | return 0; |
3419 | } |
3420 | |
3421 | /* |
3422 | * Exercises file truncation when it's not restricted, |
3423 | * as it was the case before LANDLOCK_ACCESS_FS_TRUNCATE existed. |
3424 | */ |
3425 | TEST_F_FORK(layout1, truncate_unhandled) |
3426 | { |
3427 | const char *const file_r = file1_s1d1; |
3428 | const char *const file_w = file2_s1d1; |
3429 | const char *const file_none = file1_s1d2; |
3430 | const struct rule rules[] = { |
3431 | { |
3432 | .path = file_r, |
3433 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
3434 | }, |
3435 | { |
3436 | .path = file_w, |
3437 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
3438 | }, |
3439 | /* Implicitly: No rights for file_none. */ |
3440 | {}, |
3441 | }; |
3442 | |
3443 | const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE | |
3444 | LANDLOCK_ACCESS_FS_WRITE_FILE; |
3445 | int ruleset_fd; |
3446 | |
3447 | /* Enable Landlock. */ |
3448 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: handled, rules); |
3449 | |
3450 | ASSERT_LE(0, ruleset_fd); |
3451 | enforce_ruleset(_metadata, ruleset_fd); |
3452 | ASSERT_EQ(0, close(ruleset_fd)); |
3453 | |
3454 | /* |
3455 | * Checks read right: truncate and open with O_TRUNC work, unless the |
3456 | * file is attempted to be opened for writing. |
3457 | */ |
3458 | EXPECT_EQ(0, test_truncate(file_r)); |
3459 | EXPECT_EQ(0, test_open(file_r, O_RDONLY | O_TRUNC)); |
3460 | EXPECT_EQ(EACCES, test_open(file_r, O_WRONLY | O_TRUNC)); |
3461 | EXPECT_EQ(EACCES, test_creat(file_r)); |
3462 | |
3463 | /* |
3464 | * Checks write right: truncate and open with O_TRUNC work, unless the |
3465 | * file is attempted to be opened for reading. |
3466 | */ |
3467 | EXPECT_EQ(0, test_truncate(file_w)); |
3468 | EXPECT_EQ(EACCES, test_open(file_w, O_RDONLY | O_TRUNC)); |
3469 | EXPECT_EQ(0, test_open(file_w, O_WRONLY | O_TRUNC)); |
3470 | EXPECT_EQ(0, test_creat(file_w)); |
3471 | |
3472 | /* |
3473 | * Checks "no rights" case: truncate works but all open attempts fail, |
3474 | * including creat. |
3475 | */ |
3476 | EXPECT_EQ(0, test_truncate(file_none)); |
3477 | EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC)); |
3478 | EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC)); |
3479 | EXPECT_EQ(EACCES, test_creat(file_none)); |
3480 | } |
3481 | |
3482 | TEST_F_FORK(layout1, truncate) |
3483 | { |
3484 | const char *const file_rwt = file1_s1d1; |
3485 | const char *const file_rw = file2_s1d1; |
3486 | const char *const file_rt = file1_s1d2; |
3487 | const char *const file_t = file2_s1d2; |
3488 | const char *const file_none = file1_s1d3; |
3489 | const char *const dir_t = dir_s2d1; |
3490 | const char *const file_in_dir_t = file1_s2d1; |
3491 | const char *const dir_w = dir_s3d1; |
3492 | const char *const file_in_dir_w = file1_s3d1; |
3493 | const struct rule rules[] = { |
3494 | { |
3495 | .path = file_rwt, |
3496 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
3497 | LANDLOCK_ACCESS_FS_WRITE_FILE | |
3498 | LANDLOCK_ACCESS_FS_TRUNCATE, |
3499 | }, |
3500 | { |
3501 | .path = file_rw, |
3502 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
3503 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
3504 | }, |
3505 | { |
3506 | .path = file_rt, |
3507 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
3508 | LANDLOCK_ACCESS_FS_TRUNCATE, |
3509 | }, |
3510 | { |
3511 | .path = file_t, |
3512 | .access = LANDLOCK_ACCESS_FS_TRUNCATE, |
3513 | }, |
3514 | /* Implicitly: No access rights for file_none. */ |
3515 | { |
3516 | .path = dir_t, |
3517 | .access = LANDLOCK_ACCESS_FS_TRUNCATE, |
3518 | }, |
3519 | { |
3520 | .path = dir_w, |
3521 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
3522 | }, |
3523 | {}, |
3524 | }; |
3525 | const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE | |
3526 | LANDLOCK_ACCESS_FS_WRITE_FILE | |
3527 | LANDLOCK_ACCESS_FS_TRUNCATE; |
3528 | int ruleset_fd; |
3529 | |
3530 | /* Enable Landlock. */ |
3531 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: handled, rules); |
3532 | |
3533 | ASSERT_LE(0, ruleset_fd); |
3534 | enforce_ruleset(_metadata, ruleset_fd); |
3535 | ASSERT_EQ(0, close(ruleset_fd)); |
3536 | |
3537 | /* Checks read, write and truncate rights: truncation works. */ |
3538 | EXPECT_EQ(0, test_truncate(file_rwt)); |
3539 | EXPECT_EQ(0, test_open(file_rwt, O_RDONLY | O_TRUNC)); |
3540 | EXPECT_EQ(0, test_open(file_rwt, O_WRONLY | O_TRUNC)); |
3541 | |
3542 | /* Checks read and write rights: no truncate variant works. */ |
3543 | EXPECT_EQ(EACCES, test_truncate(file_rw)); |
3544 | EXPECT_EQ(EACCES, test_open(file_rw, O_RDONLY | O_TRUNC)); |
3545 | EXPECT_EQ(EACCES, test_open(file_rw, O_WRONLY | O_TRUNC)); |
3546 | |
3547 | /* |
3548 | * Checks read and truncate rights: truncation works. |
3549 | * |
3550 | * Note: Files can get truncated using open() even with O_RDONLY. |
3551 | */ |
3552 | EXPECT_EQ(0, test_truncate(file_rt)); |
3553 | EXPECT_EQ(0, test_open(file_rt, O_RDONLY | O_TRUNC)); |
3554 | EXPECT_EQ(EACCES, test_open(file_rt, O_WRONLY | O_TRUNC)); |
3555 | |
3556 | /* Checks truncate right: truncate works, but can't open file. */ |
3557 | EXPECT_EQ(0, test_truncate(file_t)); |
3558 | EXPECT_EQ(EACCES, test_open(file_t, O_RDONLY | O_TRUNC)); |
3559 | EXPECT_EQ(EACCES, test_open(file_t, O_WRONLY | O_TRUNC)); |
3560 | |
3561 | /* Checks "no rights" case: No form of truncation works. */ |
3562 | EXPECT_EQ(EACCES, test_truncate(file_none)); |
3563 | EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC)); |
3564 | EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC)); |
3565 | |
3566 | /* |
3567 | * Checks truncate right on directory: truncate works on contained |
3568 | * files. |
3569 | */ |
3570 | EXPECT_EQ(0, test_truncate(file_in_dir_t)); |
3571 | EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_RDONLY | O_TRUNC)); |
3572 | EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_WRONLY | O_TRUNC)); |
3573 | |
3574 | /* |
3575 | * Checks creat in dir_w: This requires the truncate right when |
3576 | * overwriting an existing file, but does not require it when the file |
3577 | * is new. |
3578 | */ |
3579 | EXPECT_EQ(EACCES, test_creat(file_in_dir_w)); |
3580 | |
3581 | ASSERT_EQ(0, unlink(file_in_dir_w)); |
3582 | EXPECT_EQ(0, test_creat(file_in_dir_w)); |
3583 | } |
3584 | |
3585 | /* Invokes ftruncate(2) and returns its errno or 0. */ |
3586 | static int test_ftruncate(int fd) |
3587 | { |
3588 | if (ftruncate(fd, 10) < 0) |
3589 | return errno; |
3590 | return 0; |
3591 | } |
3592 | |
3593 | TEST_F_FORK(layout1, ftruncate) |
3594 | { |
3595 | /* |
3596 | * This test opens a new file descriptor at different stages of |
3597 | * Landlock restriction: |
3598 | * |
3599 | * without restriction: ftruncate works |
3600 | * something else but truncate restricted: ftruncate works |
3601 | * truncate restricted and permitted: ftruncate works |
3602 | * truncate restricted and not permitted: ftruncate fails |
3603 | * |
3604 | * Whether this works or not is expected to depend on the time when the |
3605 | * FD was opened, not to depend on the time when ftruncate() was |
3606 | * called. |
3607 | */ |
3608 | const char *const path = file1_s1d1; |
3609 | const __u64 handled1 = LANDLOCK_ACCESS_FS_READ_FILE | |
3610 | LANDLOCK_ACCESS_FS_WRITE_FILE; |
3611 | const struct rule layer1[] = { |
3612 | { |
3613 | .path = path, |
3614 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
3615 | }, |
3616 | {}, |
3617 | }; |
3618 | const __u64 handled2 = LANDLOCK_ACCESS_FS_TRUNCATE; |
3619 | const struct rule layer2[] = { |
3620 | { |
3621 | .path = path, |
3622 | .access = LANDLOCK_ACCESS_FS_TRUNCATE, |
3623 | }, |
3624 | {}, |
3625 | }; |
3626 | const __u64 handled3 = LANDLOCK_ACCESS_FS_TRUNCATE | |
3627 | LANDLOCK_ACCESS_FS_WRITE_FILE; |
3628 | const struct rule layer3[] = { |
3629 | { |
3630 | .path = path, |
3631 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
3632 | }, |
3633 | {}, |
3634 | }; |
3635 | int fd_layer0, fd_layer1, fd_layer2, fd_layer3, ruleset_fd; |
3636 | |
3637 | fd_layer0 = open(path, O_WRONLY); |
3638 | EXPECT_EQ(0, test_ftruncate(fd_layer0)); |
3639 | |
3640 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: handled1, rules: layer1); |
3641 | ASSERT_LE(0, ruleset_fd); |
3642 | enforce_ruleset(_metadata, ruleset_fd); |
3643 | ASSERT_EQ(0, close(ruleset_fd)); |
3644 | |
3645 | fd_layer1 = open(path, O_WRONLY); |
3646 | EXPECT_EQ(0, test_ftruncate(fd_layer0)); |
3647 | EXPECT_EQ(0, test_ftruncate(fd_layer1)); |
3648 | |
3649 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: handled2, rules: layer2); |
3650 | ASSERT_LE(0, ruleset_fd); |
3651 | enforce_ruleset(_metadata, ruleset_fd); |
3652 | ASSERT_EQ(0, close(ruleset_fd)); |
3653 | |
3654 | fd_layer2 = open(path, O_WRONLY); |
3655 | EXPECT_EQ(0, test_ftruncate(fd_layer0)); |
3656 | EXPECT_EQ(0, test_ftruncate(fd_layer1)); |
3657 | EXPECT_EQ(0, test_ftruncate(fd_layer2)); |
3658 | |
3659 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: handled3, rules: layer3); |
3660 | ASSERT_LE(0, ruleset_fd); |
3661 | enforce_ruleset(_metadata, ruleset_fd); |
3662 | ASSERT_EQ(0, close(ruleset_fd)); |
3663 | |
3664 | fd_layer3 = open(path, O_WRONLY); |
3665 | EXPECT_EQ(0, test_ftruncate(fd_layer0)); |
3666 | EXPECT_EQ(0, test_ftruncate(fd_layer1)); |
3667 | EXPECT_EQ(0, test_ftruncate(fd_layer2)); |
3668 | EXPECT_EQ(EACCES, test_ftruncate(fd_layer3)); |
3669 | |
3670 | ASSERT_EQ(0, close(fd_layer0)); |
3671 | ASSERT_EQ(0, close(fd_layer1)); |
3672 | ASSERT_EQ(0, close(fd_layer2)); |
3673 | ASSERT_EQ(0, close(fd_layer3)); |
3674 | } |
3675 | |
3676 | /* clang-format off */ |
3677 | FIXTURE(ftruncate) {}; |
3678 | /* clang-format on */ |
3679 | |
3680 | FIXTURE_SETUP(ftruncate) |
3681 | { |
3682 | prepare_layout(_metadata); |
3683 | create_file(_metadata, path: file1_s1d1); |
3684 | } |
3685 | |
3686 | FIXTURE_TEARDOWN(ftruncate) |
3687 | { |
3688 | EXPECT_EQ(0, remove_path(file1_s1d1)); |
3689 | cleanup_layout(_metadata); |
3690 | } |
3691 | |
3692 | FIXTURE_VARIANT(ftruncate) |
3693 | { |
3694 | const __u64 handled; |
3695 | const __u64 allowed; |
3696 | const int expected_open_result; |
3697 | const int expected_ftruncate_result; |
3698 | }; |
3699 | |
3700 | /* clang-format off */ |
3701 | FIXTURE_VARIANT_ADD(ftruncate, w_w) { |
3702 | /* clang-format on */ |
3703 | .handled = LANDLOCK_ACCESS_FS_WRITE_FILE, |
3704 | .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE, |
3705 | .expected_open_result = 0, |
3706 | .expected_ftruncate_result = 0, |
3707 | }; |
3708 | |
3709 | /* clang-format off */ |
3710 | FIXTURE_VARIANT_ADD(ftruncate, t_t) { |
3711 | /* clang-format on */ |
3712 | .handled = LANDLOCK_ACCESS_FS_TRUNCATE, |
3713 | .allowed = LANDLOCK_ACCESS_FS_TRUNCATE, |
3714 | .expected_open_result = 0, |
3715 | .expected_ftruncate_result = 0, |
3716 | }; |
3717 | |
3718 | /* clang-format off */ |
3719 | FIXTURE_VARIANT_ADD(ftruncate, wt_w) { |
3720 | /* clang-format on */ |
3721 | .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, |
3722 | .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE, |
3723 | .expected_open_result = 0, |
3724 | .expected_ftruncate_result = EACCES, |
3725 | }; |
3726 | |
3727 | /* clang-format off */ |
3728 | FIXTURE_VARIANT_ADD(ftruncate, wt_wt) { |
3729 | /* clang-format on */ |
3730 | .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, |
3731 | .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, |
3732 | .expected_open_result = 0, |
3733 | .expected_ftruncate_result = 0, |
3734 | }; |
3735 | |
3736 | /* clang-format off */ |
3737 | FIXTURE_VARIANT_ADD(ftruncate, wt_t) { |
3738 | /* clang-format on */ |
3739 | .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, |
3740 | .allowed = LANDLOCK_ACCESS_FS_TRUNCATE, |
3741 | .expected_open_result = EACCES, |
3742 | }; |
3743 | |
3744 | TEST_F_FORK(ftruncate, open_and_ftruncate) |
3745 | { |
3746 | const char *const path = file1_s1d1; |
3747 | const struct rule rules[] = { |
3748 | { |
3749 | .path = path, |
3750 | .access = variant->allowed, |
3751 | }, |
3752 | {}, |
3753 | }; |
3754 | int fd, ruleset_fd; |
3755 | |
3756 | /* Enable Landlock. */ |
3757 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: variant->handled, rules); |
3758 | ASSERT_LE(0, ruleset_fd); |
3759 | enforce_ruleset(_metadata, ruleset_fd); |
3760 | ASSERT_EQ(0, close(ruleset_fd)); |
3761 | |
3762 | fd = open(path, O_WRONLY); |
3763 | EXPECT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0)); |
3764 | if (fd >= 0) { |
3765 | EXPECT_EQ(variant->expected_ftruncate_result, |
3766 | test_ftruncate(fd)); |
3767 | ASSERT_EQ(0, close(fd)); |
3768 | } |
3769 | } |
3770 | |
3771 | TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes) |
3772 | { |
3773 | int child, fd, status; |
3774 | int socket_fds[2]; |
3775 | |
3776 | ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, |
3777 | socket_fds)); |
3778 | |
3779 | child = fork(); |
3780 | ASSERT_LE(0, child); |
3781 | if (child == 0) { |
3782 | /* |
3783 | * Enables Landlock in the child process, open a file descriptor |
3784 | * where truncation is forbidden and send it to the |
3785 | * non-landlocked parent process. |
3786 | */ |
3787 | const char *const path = file1_s1d1; |
3788 | const struct rule rules[] = { |
3789 | { |
3790 | .path = path, |
3791 | .access = variant->allowed, |
3792 | }, |
3793 | {}, |
3794 | }; |
3795 | int fd, ruleset_fd; |
3796 | |
3797 | ruleset_fd = create_ruleset(_metadata, handled_access_fs: variant->handled, rules); |
3798 | ASSERT_LE(0, ruleset_fd); |
3799 | enforce_ruleset(_metadata, ruleset_fd); |
3800 | ASSERT_EQ(0, close(ruleset_fd)); |
3801 | |
3802 | fd = open(path, O_WRONLY); |
3803 | ASSERT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0)); |
3804 | |
3805 | if (fd >= 0) { |
3806 | ASSERT_EQ(0, send_fd(socket_fds[0], fd)); |
3807 | ASSERT_EQ(0, close(fd)); |
3808 | } |
3809 | |
3810 | ASSERT_EQ(0, close(socket_fds[0])); |
3811 | |
3812 | _exit(_metadata->exit_code); |
3813 | return; |
3814 | } |
3815 | |
3816 | if (variant->expected_open_result == 0) { |
3817 | fd = recv_fd(usock: socket_fds[1]); |
3818 | ASSERT_LE(0, fd); |
3819 | |
3820 | EXPECT_EQ(variant->expected_ftruncate_result, |
3821 | test_ftruncate(fd)); |
3822 | ASSERT_EQ(0, close(fd)); |
3823 | } |
3824 | |
3825 | ASSERT_EQ(child, waitpid(child, &status, 0)); |
3826 | ASSERT_EQ(1, WIFEXITED(status)); |
3827 | ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); |
3828 | |
3829 | ASSERT_EQ(0, close(socket_fds[0])); |
3830 | ASSERT_EQ(0, close(socket_fds[1])); |
3831 | } |
3832 | |
3833 | TEST(memfd_ftruncate) |
3834 | { |
3835 | int fd; |
3836 | |
3837 | fd = memfd_create("name" , MFD_CLOEXEC); |
3838 | ASSERT_LE(0, fd); |
3839 | |
3840 | /* |
3841 | * Checks that ftruncate is permitted on file descriptors that are |
3842 | * created in ways other than open(2). |
3843 | */ |
3844 | EXPECT_EQ(0, test_ftruncate(fd)); |
3845 | |
3846 | ASSERT_EQ(0, close(fd)); |
3847 | } |
3848 | |
3849 | /* clang-format off */ |
3850 | FIXTURE(layout1_bind) {}; |
3851 | /* clang-format on */ |
3852 | |
3853 | FIXTURE_SETUP(layout1_bind) |
3854 | { |
3855 | prepare_layout(_metadata); |
3856 | |
3857 | create_layout1(_metadata); |
3858 | |
3859 | set_cap(_metadata, CAP_SYS_ADMIN); |
3860 | ASSERT_EQ(0, mount(dir_s1d2, dir_s2d2, NULL, MS_BIND, NULL)); |
3861 | clear_cap(_metadata, CAP_SYS_ADMIN); |
3862 | } |
3863 | |
3864 | FIXTURE_TEARDOWN(layout1_bind) |
3865 | { |
3866 | /* umount(dir_s2d2)) is handled by namespace lifetime. */ |
3867 | |
3868 | remove_layout1(_metadata); |
3869 | |
3870 | cleanup_layout(_metadata); |
3871 | } |
3872 | |
3873 | static const char bind_dir_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3" ; |
3874 | static const char bind_file1_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3/f1" ; |
3875 | |
3876 | /* |
3877 | * layout1_bind hierarchy: |
3878 | * |
3879 | * tmp |
3880 | * ├── s1d1 |
3881 | * │ ├── f1 |
3882 | * │ ├── f2 |
3883 | * │ └── s1d2 |
3884 | * │ ├── f1 |
3885 | * │ ├── f2 |
3886 | * │ └── s1d3 |
3887 | * │ ├── f1 |
3888 | * │ └── f2 |
3889 | * ├── s2d1 |
3890 | * │ ├── f1 |
3891 | * │ └── s2d2 |
3892 | * │ ├── f1 |
3893 | * │ ├── f2 |
3894 | * │ └── s1d3 |
3895 | * │ ├── f1 |
3896 | * │ └── f2 |
3897 | * └── s3d1 |
3898 | * └── s3d2 |
3899 | * └── s3d3 |
3900 | */ |
3901 | |
3902 | TEST_F_FORK(layout1_bind, no_restriction) |
3903 | { |
3904 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); |
3905 | ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); |
3906 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); |
3907 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
3908 | ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); |
3909 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
3910 | |
3911 | ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY)); |
3912 | ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY)); |
3913 | ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY)); |
3914 | ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY)); |
3915 | ASSERT_EQ(ENOENT, test_open(dir_s2d3, O_RDONLY)); |
3916 | ASSERT_EQ(ENOENT, test_open(file1_s2d3, O_RDONLY)); |
3917 | |
3918 | ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY)); |
3919 | ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY)); |
3920 | |
3921 | ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY)); |
3922 | } |
3923 | |
3924 | TEST_F_FORK(layout1_bind, same_content_same_file) |
3925 | { |
3926 | /* |
3927 | * Sets access right on parent directories of both source and |
3928 | * destination mount points. |
3929 | */ |
3930 | const struct rule layer1_parent[] = { |
3931 | { |
3932 | .path = dir_s1d1, |
3933 | .access = ACCESS_RO, |
3934 | }, |
3935 | { |
3936 | .path = dir_s2d1, |
3937 | .access = ACCESS_RW, |
3938 | }, |
3939 | {}, |
3940 | }; |
3941 | /* |
3942 | * Sets access rights on the same bind-mounted directories. The result |
3943 | * should be ACCESS_RW for both directories, but not both hierarchies |
3944 | * because of the first layer. |
3945 | */ |
3946 | const struct rule layer2_mount_point[] = { |
3947 | { |
3948 | .path = dir_s1d2, |
3949 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
3950 | }, |
3951 | { |
3952 | .path = dir_s2d2, |
3953 | .access = ACCESS_RW, |
3954 | }, |
3955 | {}, |
3956 | }; |
3957 | /* Only allow read-access to the s1d3 hierarchies. */ |
3958 | const struct rule layer3_source[] = { |
3959 | { |
3960 | .path = dir_s1d3, |
3961 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
3962 | }, |
3963 | {}, |
3964 | }; |
3965 | /* Removes all access rights. */ |
3966 | const struct rule layer4_destination[] = { |
3967 | { |
3968 | .path = bind_file1_s1d3, |
3969 | .access = LANDLOCK_ACCESS_FS_WRITE_FILE, |
3970 | }, |
3971 | {}, |
3972 | }; |
3973 | int ruleset_fd; |
3974 | |
3975 | /* Sets rules for the parent directories. */ |
3976 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer1_parent); |
3977 | ASSERT_LE(0, ruleset_fd); |
3978 | enforce_ruleset(_metadata, ruleset_fd); |
3979 | ASSERT_EQ(0, close(ruleset_fd)); |
3980 | |
3981 | /* Checks source hierarchy. */ |
3982 | ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); |
3983 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
3984 | ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
3985 | |
3986 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
3987 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
3988 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
3989 | |
3990 | /* Checks destination hierarchy. */ |
3991 | ASSERT_EQ(0, test_open(file1_s2d1, O_RDWR)); |
3992 | ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY)); |
3993 | |
3994 | ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR)); |
3995 | ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY)); |
3996 | |
3997 | /* Sets rules for the mount points. */ |
3998 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer2_mount_point); |
3999 | ASSERT_LE(0, ruleset_fd); |
4000 | enforce_ruleset(_metadata, ruleset_fd); |
4001 | ASSERT_EQ(0, close(ruleset_fd)); |
4002 | |
4003 | /* Checks source hierarchy. */ |
4004 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); |
4005 | ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); |
4006 | ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); |
4007 | |
4008 | ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); |
4009 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
4010 | ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
4011 | |
4012 | /* Checks destination hierarchy. */ |
4013 | ASSERT_EQ(EACCES, test_open(file1_s2d1, O_RDONLY)); |
4014 | ASSERT_EQ(EACCES, test_open(file1_s2d1, O_WRONLY)); |
4015 | ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY)); |
4016 | |
4017 | ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR)); |
4018 | ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY)); |
4019 | ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY)); |
4020 | |
4021 | /* Sets a (shared) rule only on the source. */ |
4022 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer3_source); |
4023 | ASSERT_LE(0, ruleset_fd); |
4024 | enforce_ruleset(_metadata, ruleset_fd); |
4025 | ASSERT_EQ(0, close(ruleset_fd)); |
4026 | |
4027 | /* Checks source hierarchy. */ |
4028 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY)); |
4029 | ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); |
4030 | ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); |
4031 | |
4032 | ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); |
4033 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
4034 | ASSERT_EQ(EACCES, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); |
4035 | |
4036 | /* Checks destination hierarchy. */ |
4037 | ASSERT_EQ(EACCES, test_open(file1_s2d2, O_RDONLY)); |
4038 | ASSERT_EQ(EACCES, test_open(file1_s2d2, O_WRONLY)); |
4039 | ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY)); |
4040 | |
4041 | ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY)); |
4042 | ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY)); |
4043 | ASSERT_EQ(EACCES, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY)); |
4044 | |
4045 | /* Sets a (shared) rule only on the destination. */ |
4046 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer4_destination); |
4047 | ASSERT_LE(0, ruleset_fd); |
4048 | enforce_ruleset(_metadata, ruleset_fd); |
4049 | ASSERT_EQ(0, close(ruleset_fd)); |
4050 | |
4051 | /* Checks source hierarchy. */ |
4052 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY)); |
4053 | ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); |
4054 | |
4055 | /* Checks destination hierarchy. */ |
4056 | ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_RDONLY)); |
4057 | ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY)); |
4058 | } |
4059 | |
4060 | TEST_F_FORK(layout1_bind, reparent_cross_mount) |
4061 | { |
4062 | const struct rule layer1[] = { |
4063 | { |
4064 | /* dir_s2d1 is beneath the dir_s2d2 mount point. */ |
4065 | .path = dir_s2d1, |
4066 | .access = LANDLOCK_ACCESS_FS_REFER, |
4067 | }, |
4068 | { |
4069 | .path = bind_dir_s1d3, |
4070 | .access = LANDLOCK_ACCESS_FS_EXECUTE, |
4071 | }, |
4072 | {}, |
4073 | }; |
4074 | int ruleset_fd = create_ruleset( |
4075 | _metadata, |
4076 | LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_EXECUTE, rules: layer1); |
4077 | |
4078 | ASSERT_LE(0, ruleset_fd); |
4079 | enforce_ruleset(_metadata, ruleset_fd); |
4080 | ASSERT_EQ(0, close(ruleset_fd)); |
4081 | |
4082 | /* Checks basic denied move. */ |
4083 | ASSERT_EQ(-1, rename(file1_s1d1, file1_s1d2)); |
4084 | ASSERT_EQ(EXDEV, errno); |
4085 | |
4086 | /* Checks real cross-mount move (Landlock is not involved). */ |
4087 | ASSERT_EQ(-1, rename(file1_s2d1, file1_s2d2)); |
4088 | ASSERT_EQ(EXDEV, errno); |
4089 | |
4090 | /* Checks move that will give more accesses. */ |
4091 | ASSERT_EQ(-1, rename(file1_s2d2, bind_file1_s1d3)); |
4092 | ASSERT_EQ(EXDEV, errno); |
4093 | |
4094 | /* Checks legitimate downgrade move. */ |
4095 | ASSERT_EQ(0, rename(bind_file1_s1d3, file1_s2d2)); |
4096 | } |
4097 | |
4098 | #define LOWER_BASE TMP_DIR "/lower" |
4099 | #define LOWER_DATA LOWER_BASE "/data" |
4100 | static const char lower_fl1[] = LOWER_DATA "/fl1" ; |
4101 | static const char lower_dl1[] = LOWER_DATA "/dl1" ; |
4102 | static const char lower_dl1_fl2[] = LOWER_DATA "/dl1/fl2" ; |
4103 | static const char lower_fo1[] = LOWER_DATA "/fo1" ; |
4104 | static const char lower_do1[] = LOWER_DATA "/do1" ; |
4105 | static const char lower_do1_fo2[] = LOWER_DATA "/do1/fo2" ; |
4106 | static const char lower_do1_fl3[] = LOWER_DATA "/do1/fl3" ; |
4107 | |
4108 | static const char (*lower_base_files[])[] = { |
4109 | &lower_fl1, |
4110 | &lower_fo1, |
4111 | NULL, |
4112 | }; |
4113 | static const char (*lower_base_directories[])[] = { |
4114 | &lower_dl1, |
4115 | &lower_do1, |
4116 | NULL, |
4117 | }; |
4118 | static const char (*lower_sub_files[])[] = { |
4119 | &lower_dl1_fl2, |
4120 | &lower_do1_fo2, |
4121 | &lower_do1_fl3, |
4122 | NULL, |
4123 | }; |
4124 | |
4125 | #define UPPER_BASE TMP_DIR "/upper" |
4126 | #define UPPER_DATA UPPER_BASE "/data" |
4127 | #define UPPER_WORK UPPER_BASE "/work" |
4128 | static const char upper_fu1[] = UPPER_DATA "/fu1" ; |
4129 | static const char upper_du1[] = UPPER_DATA "/du1" ; |
4130 | static const char upper_du1_fu2[] = UPPER_DATA "/du1/fu2" ; |
4131 | static const char upper_fo1[] = UPPER_DATA "/fo1" ; |
4132 | static const char upper_do1[] = UPPER_DATA "/do1" ; |
4133 | static const char upper_do1_fo2[] = UPPER_DATA "/do1/fo2" ; |
4134 | static const char upper_do1_fu3[] = UPPER_DATA "/do1/fu3" ; |
4135 | |
4136 | static const char (*upper_base_files[])[] = { |
4137 | &upper_fu1, |
4138 | &upper_fo1, |
4139 | NULL, |
4140 | }; |
4141 | static const char (*upper_base_directories[])[] = { |
4142 | &upper_du1, |
4143 | &upper_do1, |
4144 | NULL, |
4145 | }; |
4146 | static const char (*upper_sub_files[])[] = { |
4147 | &upper_du1_fu2, |
4148 | &upper_do1_fo2, |
4149 | &upper_do1_fu3, |
4150 | NULL, |
4151 | }; |
4152 | |
4153 | #define MERGE_BASE TMP_DIR "/merge" |
4154 | #define MERGE_DATA MERGE_BASE "/data" |
4155 | static const char merge_fl1[] = MERGE_DATA "/fl1" ; |
4156 | static const char merge_dl1[] = MERGE_DATA "/dl1" ; |
4157 | static const char merge_dl1_fl2[] = MERGE_DATA "/dl1/fl2" ; |
4158 | static const char merge_fu1[] = MERGE_DATA "/fu1" ; |
4159 | static const char merge_du1[] = MERGE_DATA "/du1" ; |
4160 | static const char merge_du1_fu2[] = MERGE_DATA "/du1/fu2" ; |
4161 | static const char merge_fo1[] = MERGE_DATA "/fo1" ; |
4162 | static const char merge_do1[] = MERGE_DATA "/do1" ; |
4163 | static const char merge_do1_fo2[] = MERGE_DATA "/do1/fo2" ; |
4164 | static const char merge_do1_fl3[] = MERGE_DATA "/do1/fl3" ; |
4165 | static const char merge_do1_fu3[] = MERGE_DATA "/do1/fu3" ; |
4166 | |
4167 | static const char (*merge_base_files[])[] = { |
4168 | &merge_fl1, |
4169 | &merge_fu1, |
4170 | &merge_fo1, |
4171 | NULL, |
4172 | }; |
4173 | static const char (*merge_base_directories[])[] = { |
4174 | &merge_dl1, |
4175 | &merge_du1, |
4176 | &merge_do1, |
4177 | NULL, |
4178 | }; |
4179 | static const char (*merge_sub_files[])[] = { |
4180 | &merge_dl1_fl2, &merge_du1_fu2, &merge_do1_fo2, |
4181 | &merge_do1_fl3, &merge_do1_fu3, NULL, |
4182 | }; |
4183 | |
4184 | /* |
4185 | * layout2_overlay hierarchy: |
4186 | * |
4187 | * tmp |
4188 | * ├── lower |
4189 | * │ └── data |
4190 | * │ ├── dl1 |
4191 | * │ │ └── fl2 |
4192 | * │ ├── do1 |
4193 | * │ │ ├── fl3 |
4194 | * │ │ └── fo2 |
4195 | * │ ├── fl1 |
4196 | * │ └── fo1 |
4197 | * ├── merge |
4198 | * │ └── data |
4199 | * │ ├── dl1 |
4200 | * │ │ └── fl2 |
4201 | * │ ├── do1 |
4202 | * │ │ ├── fl3 |
4203 | * │ │ ├── fo2 |
4204 | * │ │ └── fu3 |
4205 | * │ ├── du1 |
4206 | * │ │ └── fu2 |
4207 | * │ ├── fl1 |
4208 | * │ ├── fo1 |
4209 | * │ └── fu1 |
4210 | * └── upper |
4211 | * ├── data |
4212 | * │ ├── do1 |
4213 | * │ │ ├── fo2 |
4214 | * │ │ └── fu3 |
4215 | * │ ├── du1 |
4216 | * │ │ └── fu2 |
4217 | * │ ├── fo1 |
4218 | * │ └── fu1 |
4219 | * └── work |
4220 | * └── work |
4221 | */ |
4222 | |
4223 | FIXTURE(layout2_overlay) |
4224 | { |
4225 | bool skip_test; |
4226 | }; |
4227 | |
4228 | FIXTURE_SETUP(layout2_overlay) |
4229 | { |
4230 | if (!supports_filesystem(filesystem: "overlay" )) { |
4231 | self->skip_test = true; |
4232 | SKIP(return, "overlayfs is not supported (setup)" ); |
4233 | } |
4234 | |
4235 | prepare_layout(_metadata); |
4236 | |
4237 | create_directory(_metadata, LOWER_BASE); |
4238 | set_cap(_metadata, CAP_SYS_ADMIN); |
4239 | /* Creates tmpfs mount points to get deterministic overlayfs. */ |
4240 | ASSERT_EQ(0, mount_opt(&mnt_tmp, LOWER_BASE)); |
4241 | clear_cap(_metadata, CAP_SYS_ADMIN); |
4242 | create_file(_metadata, path: lower_fl1); |
4243 | create_file(_metadata, path: lower_dl1_fl2); |
4244 | create_file(_metadata, path: lower_fo1); |
4245 | create_file(_metadata, path: lower_do1_fo2); |
4246 | create_file(_metadata, path: lower_do1_fl3); |
4247 | |
4248 | create_directory(_metadata, UPPER_BASE); |
4249 | set_cap(_metadata, CAP_SYS_ADMIN); |
4250 | ASSERT_EQ(0, mount_opt(&mnt_tmp, UPPER_BASE)); |
4251 | clear_cap(_metadata, CAP_SYS_ADMIN); |
4252 | create_file(_metadata, path: upper_fu1); |
4253 | create_file(_metadata, path: upper_du1_fu2); |
4254 | create_file(_metadata, path: upper_fo1); |
4255 | create_file(_metadata, path: upper_do1_fo2); |
4256 | create_file(_metadata, path: upper_do1_fu3); |
4257 | ASSERT_EQ(0, mkdir(UPPER_WORK, 0700)); |
4258 | |
4259 | create_directory(_metadata, MERGE_DATA); |
4260 | set_cap(_metadata, CAP_SYS_ADMIN); |
4261 | set_cap(_metadata, CAP_DAC_OVERRIDE); |
4262 | ASSERT_EQ(0, mount("overlay" , MERGE_DATA, "overlay" , 0, |
4263 | "lowerdir=" LOWER_DATA ",upperdir=" UPPER_DATA |
4264 | ",workdir=" UPPER_WORK)); |
4265 | clear_cap(_metadata, CAP_DAC_OVERRIDE); |
4266 | clear_cap(_metadata, CAP_SYS_ADMIN); |
4267 | } |
4268 | |
4269 | FIXTURE_TEARDOWN(layout2_overlay) |
4270 | { |
4271 | if (self->skip_test) |
4272 | SKIP(return, "overlayfs is not supported (teardown)" ); |
4273 | |
4274 | EXPECT_EQ(0, remove_path(lower_do1_fl3)); |
4275 | EXPECT_EQ(0, remove_path(lower_dl1_fl2)); |
4276 | EXPECT_EQ(0, remove_path(lower_fl1)); |
4277 | EXPECT_EQ(0, remove_path(lower_do1_fo2)); |
4278 | EXPECT_EQ(0, remove_path(lower_fo1)); |
4279 | |
4280 | /* umount(LOWER_BASE)) is handled by namespace lifetime. */ |
4281 | EXPECT_EQ(0, remove_path(LOWER_BASE)); |
4282 | |
4283 | EXPECT_EQ(0, remove_path(upper_do1_fu3)); |
4284 | EXPECT_EQ(0, remove_path(upper_du1_fu2)); |
4285 | EXPECT_EQ(0, remove_path(upper_fu1)); |
4286 | EXPECT_EQ(0, remove_path(upper_do1_fo2)); |
4287 | EXPECT_EQ(0, remove_path(upper_fo1)); |
4288 | EXPECT_EQ(0, remove_path(UPPER_WORK "/work" )); |
4289 | |
4290 | /* umount(UPPER_BASE)) is handled by namespace lifetime. */ |
4291 | EXPECT_EQ(0, remove_path(UPPER_BASE)); |
4292 | |
4293 | /* umount(MERGE_DATA)) is handled by namespace lifetime. */ |
4294 | EXPECT_EQ(0, remove_path(MERGE_DATA)); |
4295 | |
4296 | cleanup_layout(_metadata); |
4297 | } |
4298 | |
4299 | TEST_F_FORK(layout2_overlay, no_restriction) |
4300 | { |
4301 | if (self->skip_test) |
4302 | SKIP(return, "overlayfs is not supported (test)" ); |
4303 | |
4304 | ASSERT_EQ(0, test_open(lower_fl1, O_RDONLY)); |
4305 | ASSERT_EQ(0, test_open(lower_dl1, O_RDONLY)); |
4306 | ASSERT_EQ(0, test_open(lower_dl1_fl2, O_RDONLY)); |
4307 | ASSERT_EQ(0, test_open(lower_fo1, O_RDONLY)); |
4308 | ASSERT_EQ(0, test_open(lower_do1, O_RDONLY)); |
4309 | ASSERT_EQ(0, test_open(lower_do1_fo2, O_RDONLY)); |
4310 | ASSERT_EQ(0, test_open(lower_do1_fl3, O_RDONLY)); |
4311 | |
4312 | ASSERT_EQ(0, test_open(upper_fu1, O_RDONLY)); |
4313 | ASSERT_EQ(0, test_open(upper_du1, O_RDONLY)); |
4314 | ASSERT_EQ(0, test_open(upper_du1_fu2, O_RDONLY)); |
4315 | ASSERT_EQ(0, test_open(upper_fo1, O_RDONLY)); |
4316 | ASSERT_EQ(0, test_open(upper_do1, O_RDONLY)); |
4317 | ASSERT_EQ(0, test_open(upper_do1_fo2, O_RDONLY)); |
4318 | ASSERT_EQ(0, test_open(upper_do1_fu3, O_RDONLY)); |
4319 | |
4320 | ASSERT_EQ(0, test_open(merge_fl1, O_RDONLY)); |
4321 | ASSERT_EQ(0, test_open(merge_dl1, O_RDONLY)); |
4322 | ASSERT_EQ(0, test_open(merge_dl1_fl2, O_RDONLY)); |
4323 | ASSERT_EQ(0, test_open(merge_fu1, O_RDONLY)); |
4324 | ASSERT_EQ(0, test_open(merge_du1, O_RDONLY)); |
4325 | ASSERT_EQ(0, test_open(merge_du1_fu2, O_RDONLY)); |
4326 | ASSERT_EQ(0, test_open(merge_fo1, O_RDONLY)); |
4327 | ASSERT_EQ(0, test_open(merge_do1, O_RDONLY)); |
4328 | ASSERT_EQ(0, test_open(merge_do1_fo2, O_RDONLY)); |
4329 | ASSERT_EQ(0, test_open(merge_do1_fl3, O_RDONLY)); |
4330 | ASSERT_EQ(0, test_open(merge_do1_fu3, O_RDONLY)); |
4331 | } |
4332 | |
4333 | #define for_each_path(path_list, path_entry, i) \ |
4334 | for (i = 0, path_entry = *path_list[i]; path_list[i]; \ |
4335 | path_entry = *path_list[++i]) |
4336 | |
4337 | TEST_F_FORK(layout2_overlay, same_content_different_file) |
4338 | { |
4339 | /* Sets access right on parent directories of both layers. */ |
4340 | const struct rule layer1_base[] = { |
4341 | { |
4342 | .path = LOWER_BASE, |
4343 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4344 | }, |
4345 | { |
4346 | .path = UPPER_BASE, |
4347 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4348 | }, |
4349 | { |
4350 | .path = MERGE_BASE, |
4351 | .access = ACCESS_RW, |
4352 | }, |
4353 | {}, |
4354 | }; |
4355 | const struct rule layer2_data[] = { |
4356 | { |
4357 | .path = LOWER_DATA, |
4358 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4359 | }, |
4360 | { |
4361 | .path = UPPER_DATA, |
4362 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4363 | }, |
4364 | { |
4365 | .path = MERGE_DATA, |
4366 | .access = ACCESS_RW, |
4367 | }, |
4368 | {}, |
4369 | }; |
4370 | /* Sets access right on directories inside both layers. */ |
4371 | const struct rule layer3_subdirs[] = { |
4372 | { |
4373 | .path = lower_dl1, |
4374 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4375 | }, |
4376 | { |
4377 | .path = lower_do1, |
4378 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4379 | }, |
4380 | { |
4381 | .path = upper_du1, |
4382 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4383 | }, |
4384 | { |
4385 | .path = upper_do1, |
4386 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4387 | }, |
4388 | { |
4389 | .path = merge_dl1, |
4390 | .access = ACCESS_RW, |
4391 | }, |
4392 | { |
4393 | .path = merge_du1, |
4394 | .access = ACCESS_RW, |
4395 | }, |
4396 | { |
4397 | .path = merge_do1, |
4398 | .access = ACCESS_RW, |
4399 | }, |
4400 | {}, |
4401 | }; |
4402 | /* Tighten access rights to the files. */ |
4403 | const struct rule layer4_files[] = { |
4404 | { |
4405 | .path = lower_dl1_fl2, |
4406 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4407 | }, |
4408 | { |
4409 | .path = lower_do1_fo2, |
4410 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4411 | }, |
4412 | { |
4413 | .path = lower_do1_fl3, |
4414 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4415 | }, |
4416 | { |
4417 | .path = upper_du1_fu2, |
4418 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4419 | }, |
4420 | { |
4421 | .path = upper_do1_fo2, |
4422 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4423 | }, |
4424 | { |
4425 | .path = upper_do1_fu3, |
4426 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4427 | }, |
4428 | { |
4429 | .path = merge_dl1_fl2, |
4430 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
4431 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
4432 | }, |
4433 | { |
4434 | .path = merge_du1_fu2, |
4435 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
4436 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
4437 | }, |
4438 | { |
4439 | .path = merge_do1_fo2, |
4440 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
4441 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
4442 | }, |
4443 | { |
4444 | .path = merge_do1_fl3, |
4445 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
4446 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
4447 | }, |
4448 | { |
4449 | .path = merge_do1_fu3, |
4450 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
4451 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
4452 | }, |
4453 | {}, |
4454 | }; |
4455 | const struct rule layer5_merge_only[] = { |
4456 | { |
4457 | .path = MERGE_DATA, |
4458 | .access = LANDLOCK_ACCESS_FS_READ_FILE | |
4459 | LANDLOCK_ACCESS_FS_WRITE_FILE, |
4460 | }, |
4461 | {}, |
4462 | }; |
4463 | int ruleset_fd; |
4464 | size_t i; |
4465 | const char *path_entry; |
4466 | |
4467 | if (self->skip_test) |
4468 | SKIP(return, "overlayfs is not supported (test)" ); |
4469 | |
4470 | /* Sets rules on base directories (i.e. outside overlay scope). */ |
4471 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer1_base); |
4472 | ASSERT_LE(0, ruleset_fd); |
4473 | enforce_ruleset(_metadata, ruleset_fd); |
4474 | ASSERT_EQ(0, close(ruleset_fd)); |
4475 | |
4476 | /* Checks lower layer. */ |
4477 | for_each_path(lower_base_files, path_entry, i) { |
4478 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); |
4479 | ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); |
4480 | } |
4481 | for_each_path(lower_base_directories, path_entry, i) { |
4482 | ASSERT_EQ(EACCES, |
4483 | test_open(path_entry, O_RDONLY | O_DIRECTORY)); |
4484 | } |
4485 | for_each_path(lower_sub_files, path_entry, i) { |
4486 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); |
4487 | ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); |
4488 | } |
4489 | /* Checks upper layer. */ |
4490 | for_each_path(upper_base_files, path_entry, i) { |
4491 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); |
4492 | ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); |
4493 | } |
4494 | for_each_path(upper_base_directories, path_entry, i) { |
4495 | ASSERT_EQ(EACCES, |
4496 | test_open(path_entry, O_RDONLY | O_DIRECTORY)); |
4497 | } |
4498 | for_each_path(upper_sub_files, path_entry, i) { |
4499 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); |
4500 | ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); |
4501 | } |
4502 | /* |
4503 | * Checks that access rights are independent from the lower and upper |
4504 | * layers: write access to upper files viewed through the merge point |
4505 | * is still allowed, and write access to lower file viewed (and copied) |
4506 | * through the merge point is still allowed. |
4507 | */ |
4508 | for_each_path(merge_base_files, path_entry, i) { |
4509 | ASSERT_EQ(0, test_open(path_entry, O_RDWR)); |
4510 | } |
4511 | for_each_path(merge_base_directories, path_entry, i) { |
4512 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY)); |
4513 | } |
4514 | for_each_path(merge_sub_files, path_entry, i) { |
4515 | ASSERT_EQ(0, test_open(path_entry, O_RDWR)); |
4516 | } |
4517 | |
4518 | /* Sets rules on data directories (i.e. inside overlay scope). */ |
4519 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer2_data); |
4520 | ASSERT_LE(0, ruleset_fd); |
4521 | enforce_ruleset(_metadata, ruleset_fd); |
4522 | ASSERT_EQ(0, close(ruleset_fd)); |
4523 | |
4524 | /* Checks merge. */ |
4525 | for_each_path(merge_base_files, path_entry, i) { |
4526 | ASSERT_EQ(0, test_open(path_entry, O_RDWR)); |
4527 | } |
4528 | for_each_path(merge_base_directories, path_entry, i) { |
4529 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY)); |
4530 | } |
4531 | for_each_path(merge_sub_files, path_entry, i) { |
4532 | ASSERT_EQ(0, test_open(path_entry, O_RDWR)); |
4533 | } |
4534 | |
4535 | /* Same checks with tighter rules. */ |
4536 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer3_subdirs); |
4537 | ASSERT_LE(0, ruleset_fd); |
4538 | enforce_ruleset(_metadata, ruleset_fd); |
4539 | ASSERT_EQ(0, close(ruleset_fd)); |
4540 | |
4541 | /* Checks changes for lower layer. */ |
4542 | for_each_path(lower_base_files, path_entry, i) { |
4543 | ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY)); |
4544 | } |
4545 | /* Checks changes for upper layer. */ |
4546 | for_each_path(upper_base_files, path_entry, i) { |
4547 | ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY)); |
4548 | } |
4549 | /* Checks all merge accesses. */ |
4550 | for_each_path(merge_base_files, path_entry, i) { |
4551 | ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR)); |
4552 | } |
4553 | for_each_path(merge_base_directories, path_entry, i) { |
4554 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY)); |
4555 | } |
4556 | for_each_path(merge_sub_files, path_entry, i) { |
4557 | ASSERT_EQ(0, test_open(path_entry, O_RDWR)); |
4558 | } |
4559 | |
4560 | /* Sets rules directly on overlayed files. */ |
4561 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer4_files); |
4562 | ASSERT_LE(0, ruleset_fd); |
4563 | enforce_ruleset(_metadata, ruleset_fd); |
4564 | ASSERT_EQ(0, close(ruleset_fd)); |
4565 | |
4566 | /* Checks unchanged accesses on lower layer. */ |
4567 | for_each_path(lower_sub_files, path_entry, i) { |
4568 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); |
4569 | ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); |
4570 | } |
4571 | /* Checks unchanged accesses on upper layer. */ |
4572 | for_each_path(upper_sub_files, path_entry, i) { |
4573 | ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); |
4574 | ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); |
4575 | } |
4576 | /* Checks all merge accesses. */ |
4577 | for_each_path(merge_base_files, path_entry, i) { |
4578 | ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR)); |
4579 | } |
4580 | for_each_path(merge_base_directories, path_entry, i) { |
4581 | ASSERT_EQ(EACCES, |
4582 | test_open(path_entry, O_RDONLY | O_DIRECTORY)); |
4583 | } |
4584 | for_each_path(merge_sub_files, path_entry, i) { |
4585 | ASSERT_EQ(0, test_open(path_entry, O_RDWR)); |
4586 | } |
4587 | |
4588 | /* Only allowes access to the merge hierarchy. */ |
4589 | ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules: layer5_merge_only); |
4590 | ASSERT_LE(0, ruleset_fd); |
4591 | enforce_ruleset(_metadata, ruleset_fd); |
4592 | ASSERT_EQ(0, close(ruleset_fd)); |
4593 | |
4594 | /* Checks new accesses on lower layer. */ |
4595 | for_each_path(lower_sub_files, path_entry, i) { |
4596 | ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY)); |
4597 | } |
4598 | /* Checks new accesses on upper layer. */ |
4599 | for_each_path(upper_sub_files, path_entry, i) { |
4600 | ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY)); |
4601 | } |
4602 | /* Checks all merge accesses. */ |
4603 | for_each_path(merge_base_files, path_entry, i) { |
4604 | ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR)); |
4605 | } |
4606 | for_each_path(merge_base_directories, path_entry, i) { |
4607 | ASSERT_EQ(EACCES, |
4608 | test_open(path_entry, O_RDONLY | O_DIRECTORY)); |
4609 | } |
4610 | for_each_path(merge_sub_files, path_entry, i) { |
4611 | ASSERT_EQ(0, test_open(path_entry, O_RDWR)); |
4612 | } |
4613 | } |
4614 | |
4615 | FIXTURE(layout3_fs) |
4616 | { |
4617 | bool has_created_dir; |
4618 | bool has_created_file; |
4619 | char *dir_path; |
4620 | bool skip_test; |
4621 | }; |
4622 | |
4623 | FIXTURE_VARIANT(layout3_fs) |
4624 | { |
4625 | const struct mnt_opt mnt; |
4626 | const char *const file_path; |
4627 | unsigned int cwd_fs_magic; |
4628 | }; |
4629 | |
4630 | /* clang-format off */ |
4631 | FIXTURE_VARIANT_ADD(layout3_fs, tmpfs) { |
4632 | /* clang-format on */ |
4633 | .mnt = { |
4634 | .type = "tmpfs" , |
4635 | .data = MNT_TMP_DATA, |
4636 | }, |
4637 | .file_path = file1_s1d1, |
4638 | }; |
4639 | |
4640 | FIXTURE_VARIANT_ADD(layout3_fs, ramfs) { |
4641 | .mnt = { |
4642 | .type = "ramfs" , |
4643 | .data = "mode=700" , |
4644 | }, |
4645 | .file_path = TMP_DIR "/dir/file" , |
4646 | }; |
4647 | |
4648 | FIXTURE_VARIANT_ADD(layout3_fs, cgroup2) { |
4649 | .mnt = { |
4650 | .type = "cgroup2" , |
4651 | }, |
4652 | .file_path = TMP_DIR "/test/cgroup.procs" , |
4653 | }; |
4654 | |
4655 | FIXTURE_VARIANT_ADD(layout3_fs, proc) { |
4656 | .mnt = { |
4657 | .type = "proc" , |
4658 | }, |
4659 | .file_path = TMP_DIR "/self/status" , |
4660 | }; |
4661 | |
4662 | FIXTURE_VARIANT_ADD(layout3_fs, sysfs) { |
4663 | .mnt = { |
4664 | .type = "sysfs" , |
4665 | }, |
4666 | .file_path = TMP_DIR "/kernel/notes" , |
4667 | }; |
4668 | |
4669 | FIXTURE_VARIANT_ADD(layout3_fs, hostfs) { |
4670 | .mnt = { |
4671 | .source = TMP_DIR, |
4672 | .flags = MS_BIND, |
4673 | }, |
4674 | .file_path = TMP_DIR "/dir/file" , |
4675 | .cwd_fs_magic = HOSTFS_SUPER_MAGIC, |
4676 | }; |
4677 | |
4678 | FIXTURE_SETUP(layout3_fs) |
4679 | { |
4680 | struct stat statbuf; |
4681 | const char *slash; |
4682 | size_t dir_len; |
4683 | |
4684 | if (!supports_filesystem(filesystem: variant->mnt.type) || |
4685 | !cwd_matches_fs(fs_magic: variant->cwd_fs_magic)) { |
4686 | self->skip_test = true; |
4687 | SKIP(return, "this filesystem is not supported (setup)" ); |
4688 | } |
4689 | |
4690 | _metadata->teardown_parent = true; |
4691 | |
4692 | slash = strrchr(variant->file_path, '/'); |
4693 | ASSERT_NE(slash, NULL); |
4694 | dir_len = (size_t)slash - (size_t)variant->file_path; |
4695 | ASSERT_LT(0, dir_len); |
4696 | self->dir_path = malloc(dir_len + 1); |
4697 | self->dir_path[dir_len] = '\0'; |
4698 | strncpy(self->dir_path, variant->file_path, dir_len); |
4699 | |
4700 | prepare_layout_opt(_metadata, mnt: &variant->mnt); |
4701 | |
4702 | /* Creates directory when required. */ |
4703 | if (stat(self->dir_path, &statbuf)) { |
4704 | set_cap(_metadata, CAP_DAC_OVERRIDE); |
4705 | EXPECT_EQ(0, mkdir(self->dir_path, 0700)) |
4706 | { |
4707 | TH_LOG("Failed to create directory \"%s\": %s" , |
4708 | self->dir_path, strerror(errno)); |
4709 | free(self->dir_path); |
4710 | self->dir_path = NULL; |
4711 | } |
4712 | self->has_created_dir = true; |
4713 | clear_cap(_metadata, CAP_DAC_OVERRIDE); |
4714 | } |
4715 | |
4716 | /* Creates file when required. */ |
4717 | if (stat(variant->file_path, &statbuf)) { |
4718 | int fd; |
4719 | |
4720 | set_cap(_metadata, CAP_DAC_OVERRIDE); |
4721 | fd = creat(variant->file_path, 0600); |
4722 | EXPECT_LE(0, fd) |
4723 | { |
4724 | TH_LOG("Failed to create file \"%s\": %s" , |
4725 | variant->file_path, strerror(errno)); |
4726 | } |
4727 | EXPECT_EQ(0, close(fd)); |
4728 | self->has_created_file = true; |
4729 | clear_cap(_metadata, CAP_DAC_OVERRIDE); |
4730 | } |
4731 | } |
4732 | |
4733 | FIXTURE_TEARDOWN(layout3_fs) |
4734 | { |
4735 | if (self->skip_test) |
4736 | SKIP(return, "this filesystem is not supported (teardown)" ); |
4737 | |
4738 | if (self->has_created_file) { |
4739 | set_cap(_metadata, CAP_DAC_OVERRIDE); |
4740 | /* |
4741 | * Don't check for error because the file might already |
4742 | * have been removed (cf. release_inode test). |
4743 | */ |
4744 | unlink(variant->file_path); |
4745 | clear_cap(_metadata, CAP_DAC_OVERRIDE); |
4746 | } |
4747 | |
4748 | if (self->has_created_dir) { |
4749 | set_cap(_metadata, CAP_DAC_OVERRIDE); |
4750 | /* |
4751 | * Don't check for error because the directory might already |
4752 | * have been removed (cf. release_inode test). |
4753 | */ |
4754 | rmdir(self->dir_path); |
4755 | clear_cap(_metadata, CAP_DAC_OVERRIDE); |
4756 | } |
4757 | free(self->dir_path); |
4758 | self->dir_path = NULL; |
4759 | |
4760 | cleanup_layout(_metadata); |
4761 | } |
4762 | |
4763 | static void layer3_fs_tag_inode(struct __test_metadata *const _metadata, |
4764 | FIXTURE_DATA(layout3_fs) * self, |
4765 | const FIXTURE_VARIANT(layout3_fs) * variant, |
4766 | const char *const rule_path) |
4767 | { |
4768 | const struct rule layer1_allow_read_file[] = { |
4769 | { |
4770 | .path = rule_path, |
4771 | .access = LANDLOCK_ACCESS_FS_READ_FILE, |
4772 | }, |
4773 | {}, |
4774 | }; |
4775 | const struct landlock_ruleset_attr layer2_deny_everything_attr = { |
4776 | .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, |
4777 | }; |
4778 | const char *const dev_null_path = "/dev/null" ; |
4779 | int ruleset_fd; |
4780 | |
4781 | if (self->skip_test) |
4782 | SKIP(return, "this filesystem is not supported (test)" ); |
4783 | |
4784 | /* Checks without Landlock. */ |
4785 | EXPECT_EQ(0, test_open(dev_null_path, O_RDONLY | O_CLOEXEC)); |
4786 | EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); |
4787 | |
4788 | ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, |
4789 | rules: layer1_allow_read_file); |
4790 | EXPECT_LE(0, ruleset_fd); |
4791 | enforce_ruleset(_metadata, ruleset_fd); |
4792 | EXPECT_EQ(0, close(ruleset_fd)); |
4793 | |
4794 | EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC)); |
4795 | EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); |
4796 | |
4797 | /* Forbids directory reading. */ |
4798 | ruleset_fd = |
4799 | landlock_create_ruleset(attr: &layer2_deny_everything_attr, |
4800 | size: sizeof(layer2_deny_everything_attr), flags: 0); |
4801 | EXPECT_LE(0, ruleset_fd); |
4802 | enforce_ruleset(_metadata, ruleset_fd); |
4803 | EXPECT_EQ(0, close(ruleset_fd)); |
4804 | |
4805 | /* Checks with Landlock and forbidden access. */ |
4806 | EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC)); |
4807 | EXPECT_EQ(EACCES, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); |
4808 | } |
4809 | |
4810 | /* Matrix of tests to check file hierarchy evaluation. */ |
4811 | |
4812 | TEST_F_FORK(layout3_fs, tag_inode_dir_parent) |
4813 | { |
4814 | /* The current directory must not be the root for this test. */ |
4815 | layer3_fs_tag_inode(_metadata, self, variant, rule_path: "." ); |
4816 | } |
4817 | |
4818 | TEST_F_FORK(layout3_fs, tag_inode_dir_mnt) |
4819 | { |
4820 | layer3_fs_tag_inode(_metadata, self, variant, TMP_DIR); |
4821 | } |
4822 | |
4823 | TEST_F_FORK(layout3_fs, tag_inode_dir_child) |
4824 | { |
4825 | layer3_fs_tag_inode(_metadata, self, variant, rule_path: self->dir_path); |
4826 | } |
4827 | |
4828 | TEST_F_FORK(layout3_fs, tag_inode_file) |
4829 | { |
4830 | layer3_fs_tag_inode(_metadata, self, variant, rule_path: variant->file_path); |
4831 | } |
4832 | |
4833 | /* Light version of layout1.release_inodes */ |
4834 | TEST_F_FORK(layout3_fs, release_inodes) |
4835 | { |
4836 | const struct rule layer1[] = { |
4837 | { |
4838 | .path = TMP_DIR, |
4839 | .access = LANDLOCK_ACCESS_FS_READ_DIR, |
4840 | }, |
4841 | {}, |
4842 | }; |
4843 | int ruleset_fd; |
4844 | |
4845 | if (self->skip_test) |
4846 | SKIP(return, "this filesystem is not supported (test)" ); |
4847 | |
4848 | /* Clean up for the teardown to not fail. */ |
4849 | if (self->has_created_file) |
4850 | EXPECT_EQ(0, remove_path(variant->file_path)); |
4851 | |
4852 | if (self->has_created_dir) |
4853 | /* Don't check for error because of cgroup specificities. */ |
4854 | remove_path(path: self->dir_path); |
4855 | |
4856 | ruleset_fd = |
4857 | create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, rules: layer1); |
4858 | ASSERT_LE(0, ruleset_fd); |
4859 | |
4860 | /* Unmount the filesystem while it is being used by a ruleset. */ |
4861 | set_cap(_metadata, CAP_SYS_ADMIN); |
4862 | ASSERT_EQ(0, umount(TMP_DIR)); |
4863 | clear_cap(_metadata, CAP_SYS_ADMIN); |
4864 | |
4865 | /* Replaces with a new mount point to simplify FIXTURE_TEARDOWN. */ |
4866 | set_cap(_metadata, CAP_SYS_ADMIN); |
4867 | ASSERT_EQ(0, mount_opt(&mnt_tmp, TMP_DIR)); |
4868 | clear_cap(_metadata, CAP_SYS_ADMIN); |
4869 | |
4870 | enforce_ruleset(_metadata, ruleset_fd); |
4871 | ASSERT_EQ(0, close(ruleset_fd)); |
4872 | |
4873 | /* Checks that access to the new mount point is denied. */ |
4874 | ASSERT_EQ(EACCES, test_open(TMP_DIR, O_RDONLY)); |
4875 | } |
4876 | |
4877 | TEST_HARNESS_MAIN |
4878 | |