
Commit f5534d5

sm1ling-knightl0kod
authored andcommitted
selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP
Extend the protocol_variant structure with a protocol field (cf. socket(2)). Extend the protocol fixture with TCP test suites using protocol=IPPROTO_TCP, which can be used as an alias for IPPROTO_IP (=0) in socket(2). Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com> Link: https://lore.kernel.org/r/20250205093651.1424339-3-ivanov.mikhail1@huawei-partners.com Cc: <stable@vger.kernel.org> # 6.7.x Signed-off-by: Mickaël Salaün <mic@digikod.net>
1 parent 854277e commit f5534d5


2 files changed

+67
-14
lines changed


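--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@@ -207,6 +207,7 @@ enforce_ruleset(struct __test_metadata *const _metadata, const int ruleset_fd)
 struct protocol_variant {
 	int domain;
 	int type;
+	int protocol;
 };
 
 struct service_fixture {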

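--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -85,18 +85,18 @@ static void setup_loopback(struct __test_metadata *const _metadata)
 	clear_ambient_cap(_metadata, CAP_NET_ADMIN);
 }
 
+static bool prot_is_tcp(const struct protocol_variant *const prot)
+{
+	return (prot->domain == AF_INET || prot->domain == AF_INET6) &&
+	       prot->type == SOCK_STREAM &&
+	       (prot->protocol == IPPROTO_TCP || prot->protocol == IPPROTO_IP);
+}
+
 static bool is_restricted(const struct protocol_variant *const prot,
 			  const enum sandbox_type sandbox)
 {
-	switch (prot->domain) {
-	case AF_INET:
-	case AF_INET6:
-		switch (prot->type) {
-		case SOCK_STREAM:
-			return sandbox == TCP_SANDBOX;
-		}
-		break;
-	}
+	if (sandbox == TCP_SANDBOX)
+		return prot_is_tcp(prot);
 	return false;
 }
 
@@ -105,7 +105,7 @@ static int socket_variant(const struct service_fixture *const srv)
 	int ret;
 
 	ret = socket(srv->protocol.domain, srv->protocol.type | SOCK_CLOEXEC,
-		     0);
+		     srv->protocol.protocol);
 	if (ret < 0)
 		return -errno;
 	return ret;
@@ -290,22 +290,48 @@ FIXTURE_TEARDOWN(protocol)
 }
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp) {
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp1) {
 	/* clang-format on */
 	.sandbox = NO_SANDBOX,
 	.prot = {
 		.domain = AF_INET,
 		.type = SOCK_STREAM,
+		/* IPPROTO_IP == 0 */
+		.protocol = IPPROTO_IP,
 	},
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp) {
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp2) {
+	/* clang-format on */
+	.sandbox = NO_SANDBOX,
+	.prot = {
+		.domain = AF_INET,
+		.type = SOCK_STREAM,
+		.protocol = IPPROTO_TCP,
+	},
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp1) {
 	/* clang-format on */
 	.sandbox = NO_SANDBOX,
 	.prot = {
 		.domain = AF_INET6,
 		.type = SOCK_STREAM,
+		/* IPPROTO_IP == 0 */
+		.protocol = IPPROTO_IP,
+	},
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp2) {
+	/* clang-format on */
+	.sandbox = NO_SANDBOX,
+	.prot = {
+		.domain = AF_INET6,
+		.type = SOCK_STREAM,
+		.protocol = IPPROTO_TCP,
 	},
 };
 
@@ -350,22 +376,48 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_datagram) {
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp) {
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp1) {
+	/* clang-format on */
+	.sandbox = TCP_SANDBOX,
+	.prot = {
+		.domain = AF_INET,
+		.type = SOCK_STREAM,
+		/* IPPROTO_IP == 0 */
+		.protocol = IPPROTO_IP,
+	},
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp2) {
 	/* clang-format on */
 	.sandbox = TCP_SANDBOX,
 	.prot = {
 		.domain = AF_INET,
 		.type = SOCK_STREAM,
+		.protocol = IPPROTO_TCP,
+	},
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp1) {
+	/* clang-format on */
+	.sandbox = TCP_SANDBOX,
+	.prot = {
+		.domain = AF_INET6,
+		.type = SOCK_STREAM,
+		/* IPPROTO_IP == 0 */
+		.protocol = IPPROTO_IP,
 	},
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp) {
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp2) {
 	/* clang-format on */
 	.sandbox = TCP_SANDBOX,
 	.prot = {
 		.domain = AF_INET6,
 		.type = SOCK_STREAM,
+		.protocol = IPPROTO_TCP,
 	},
 };
 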