Skip to content

Commit e178b40

Browse files
l0kodl0kod
committed
selftests/landlock: Extend tests for landlock_restrict_self(2)'s flags
Add the base_test's restrict_self_fd_flags tests to align with previous restrict_self_fd tests but with the new LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF flag. Add the restrict_self_flags tests to check that LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF, LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, and LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF are valid but not the next bit. Some checks are similar to restrict_self_checks_ordering's ones. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-22-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
1 parent ec12a8d commit e178b40

File tree

1 file changed

+71
-0
lines changed

1 file changed

+71
-0
lines changed

tools/testing/selftests/landlock/base_test.c

Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -288,6 +288,77 @@ TEST(restrict_self_fd)
288288
EXPECT_EQ(EBADFD, errno);
289289
}
290290

291+
TEST(restrict_self_fd_flags)
292+
{
293+
int fd;
294+
295+
fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
296+
ASSERT_LE(0, fd);
297+
298+
/*
299+
* LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF accepts -1 but not any file
300+
* descriptor.
301+
*/
302+
EXPECT_EQ(-1, landlock_restrict_self(
303+
fd, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
304+
EXPECT_EQ(EBADFD, errno);
305+
}
306+
307+
TEST(restrict_self_flags)
308+
{
309+
const __u32 last_flag = LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF;
310+
311+
/* Tests invalid flag combinations. */
312+
313+
EXPECT_EQ(-1, landlock_restrict_self(-1, last_flag << 1));
314+
EXPECT_EQ(EINVAL, errno);
315+
316+
EXPECT_EQ(-1, landlock_restrict_self(-1, -1));
317+
EXPECT_EQ(EINVAL, errno);
318+
319+
/* Tests valid flag combinations. */
320+
321+
EXPECT_EQ(-1, landlock_restrict_self(-1, 0));
322+
EXPECT_EQ(EBADF, errno);
323+
324+
EXPECT_EQ(-1, landlock_restrict_self(
325+
-1, LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF));
326+
EXPECT_EQ(EBADF, errno);
327+
328+
EXPECT_EQ(-1,
329+
landlock_restrict_self(
330+
-1,
331+
LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
332+
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
333+
EXPECT_EQ(EBADF, errno);
334+
335+
EXPECT_EQ(-1,
336+
landlock_restrict_self(
337+
-1,
338+
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
339+
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
340+
EXPECT_EQ(EBADF, errno);
341+
342+
EXPECT_EQ(-1, landlock_restrict_self(
343+
-1, LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON));
344+
EXPECT_EQ(EBADF, errno);
345+
346+
EXPECT_EQ(-1,
347+
landlock_restrict_self(
348+
-1, LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
349+
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON));
350+
EXPECT_EQ(EBADF, errno);
351+
352+
/* Tests with an invalid ruleset_fd. */
353+
354+
EXPECT_EQ(-1, landlock_restrict_self(
355+
-2, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
356+
EXPECT_EQ(EBADF, errno);
357+
358+
EXPECT_EQ(0, landlock_restrict_self(
359+
-1, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
360+
}
361+
291362
TEST(ruleset_fd_io)
292363
{
293364
struct landlock_ruleset_attr ruleset_attr = {

0 commit comments

Comments
 (0)