Changes in audit_test.c

149367545331dbadb4940540f2a43e726aab046d - selftests/landlock: Add tests for quiet flag with scope

Fri, 12 Jun 2026 03:48:54 +0200

selftests/landlock: Add tests for quiet flag with scopeEnhance scoped_audit.connect_to_child and audit_flags.signal to testinteraction with various quiet flag settings.Signed-off-by: Tingmao Wang Link: https://patch.msgid.link/032849ca97bd45b2e14f96192b61537ed9405a0d.1781228815.git.m@maowtm.org[mic: Fix comment formatting]Signed-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

73c2f82b3253bb5448d7e26170feaa03189c436a - selftests/landlock: Replace hard-coded 16 with a constant

Fri, 12 Jun 2026 03:48:51 +0200

selftests/landlock: Replace hard-coded 16 with a constantThe next commit will reuse this number. Make it a shared constant tofuture-proof changes.Signed-off-by: Tingmao Wang Link: https://patch.msgid.link/eff35caa9b4ac51aa83a88d67c4dd67f4f8b3a4a.1781228815.git.m@maowtm.orgSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

0302cd72fe196aee933e3fb76f6d175d1ab0e843 - selftests/landlock: Explicitly disable audit in teardowns

Fri, 29 May 2026 22:03:41 +0200

selftests/landlock: Explicitly disable audit in teardownsI'm seeing sporadic selftest failures, such as # RUN scoped_audit.connect_to_child ... # scoped_abstract_unix_test.c:314:connect_to_child:Expected 0 (0) == records.access (8) # connect_to_child: Test failed # FAIL scoped_audit.connect_to_child not ok 19 scoped_audit.connect_to_childThis seems similar to what commit 3647a4977fb73d ("selftests/landlock:Drain stale audit records on init") tried to fix. However, the addeddrain loop is not effective. When setting the AUDIT_STATUS_PID, thekauditd_thread is woken up starting to send messages from the hold queueto the netlink. Depending on scheduling of this kthread not all messagesmight be send via the netlink in the 1 us interval.Therefore, instead of trying to drain the queue, let's just disableaudit when running non-audit tests or more precisely disable it afteraudit-tests. This way we won't generate any new audit message that couldinterfere with the other tests.The comment saying that on process exit audit will be disabled is wrong.The closed file descriptor just causes an auditd_reset(), not adisablement. So future messages will be queued in the hold queue.Cc: stable@vger.kernel.orgFixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")Signed-off-by: Maximilian Heyne Link: https://patch.msgid.link/20260529-welsh-nagoya-b4d9ca60@mheyne-amazon[mic: Fix FD leak, update subject, call audit_cleanup() in audit_exec teardown]Signed-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

26679fad81a471428707d2dd7b0418204c52b7e4 - selftests/landlock: Filter dealloc records in audit_count_records()

Wed, 13 May 2026 12:51:08 +0200

selftests/landlock: Filter dealloc records in audit_count_records()audit_count_records() counts both AUDIT_LANDLOCK_DOMAIN allocation anddeallocation records in records.domain . Domain deallocation is tied toasynchronous credential freeing via kworker threads(landlock_put_ruleset_deferred), so the dealloc record can arrive afterthe drain in audit_init() and after the preceding audit_match_record()call. This causes flaky failures in tests that assert an exactrecords.domain count: a stale dealloc record from a previous test'sdomain inflates the count by one.Observed on x86_64 under build configurations that delay the kworkerfiring the dealloc callback (e.g. coverage instrumentation): theaudit_layout1 tests in fs_test.c intermittently saw records.domain == 2where 1 was expected. The fix is in the shared helper, so thoseexisting checks become robust without needing a fs_test.c edit.Filter audit_count_records() with a regex to skip records containingdeallocation status. The remaining domain records (allocation, emittedsynchronously during landlock_log_denial()) are deterministic.Deallocation records are already tested explicitly viamatches_log_domain_deallocated() in audit_test.c, which uses its owndomain-ID-based filtering and longer timeout.With this filter in place, re-add the records.domain == 0 checks thatwere removed in commit 3647a4977fb7 ("selftests/landlock: Drain staleaudit records on init") as a workaround for this race.Cc: Günther Noack Cc: stable@vger.kernel.orgDepends-on: 07c2572a8757 ("selftests/landlock: Skip stale records in audit_match_record()")Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")Tested-by: Günther Noack Link: https://patch.msgid.link/20260513105112.140137-1-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

07c2572a87573b2a2f0fd6b9f538cd1aeef2eee7 - selftests/landlock: Skip stale records in audit_match_record()

Thu, 02 Apr 2026 21:26:05 +0200

selftests/landlock: Skip stale records in audit_match_record()Domain deallocation records are emitted asynchronously from kworkerthreads (via free_ruleset_work()). Stale deallocation records from aprevious test can arrive during the current test's deallocation readloop and be picked up by audit_match_record() instead of the expectedrecord, causing a domain ID mismatch. The audit.layers test (whichcreates 16 nested domains) is particularly vulnerable because it reads16 deallocation records in sequence, providing a large window for stalerecords to interleave.The same issue affects audit_flags.signal, where deallocation recordsfrom a previous test (audit.layers) can leak into the next test and bepicked up by audit_match_record() instead of the expected record.Fix this by continuing to read records when the type matches but thecontent pattern does not. Stale records are silently consumed, and theloop only stops when both type and pattern match (or the socket timesout with -EAGAIN).Additionally, extend matches_log_domain_deallocated() with anexpected_domain_id parameter. When set, the regex pattern includes thespecific domain ID as a literal hex value, so that deallocation recordsfor a different domain do not match the pattern at all. This handlesthe case where the stale record has the same denial count as theexpected one (e.g. both have denials=1), which the type+pattern loopalone cannot distinguish. Callers that already know the expected domainID (from a prior denial or allocation record) now pass it to filterprecisely.When expected_domain_id is set, matches_log_domain_deallocated() alsotemporarily increases the socket timeout to audit_tv_dom_drop (1 second)to wait for the asynchronous kworker deallocation, and restoresaudit_tv_default afterward. This removes the need for callers to managethe timeout switch manually.Cc: Günther Noack Cc: stable@vger.kernel.orgFixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")Link: https://lore.kernel.org/r/20260402192608.1458252-5-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

3647a4977fb73da385e5a29b9775a4749733470d - selftests/landlock: Drain stale audit records on init

Thu, 02 Apr 2026 21:26:04 +0200

selftests/landlock: Drain stale audit records on initNon-audit Landlock tests generate audit records as side effects whenaudit_enabled is non-zero (e.g. from boot configuration). These recordsaccumulate in the kernel audit backlog while no audit daemon socket isopen. When the next test opens a new netlink socket and registers asthe audit daemon, the stale backlog is delivered, causing baselinerecord count checks to fail spuriously.Fix this by draining all pending records in audit_init() right aftersetting the receive timeout. The 1-usec SO_RCVTIMEO causes audit_recv()to return -EAGAIN once the backlog is empty, naturally terminating thedrain loop.Domain deallocation records are emitted asynchronously from a workqueue, so they may still arrive after the drain. Remove records.domain== 0 checks that are not preceded by audit_match_record() calls, whichwould otherwise consume stale records before the count. Document thisconstraint above audit_count_records().Increasing the drain timeout to catch in-flight deallocation records wasconsidered but rejected: a longer timeout adds latency to everyaudit_init() call even when no stale record is pending, and any fixedtimeout is still not guaranteed to catch all records under load.Removing the unprotected checks is simpler and avoids the spuriousfailures.Cc: Günther Noack Cc: stable@vger.kernel.orgFixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")Reviewed-by: Günther Noack Link: https://lore.kernel.org/r/20260402192608.1458252-4-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

e75e38055b9df5eafd663c6db00e634f534dc426 - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1

Tue, 07 Apr 2026 18:41:05 +0200

landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1LANDLOCK_RESTRICT_SELF_TSYNC does not allowLANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF with ruleset_fd=-1, preventinga multithreaded process from atomically propagating subdomain log mutingto all threads without creating a domain layer. Relax the fd=-1condition to accept TSYNC alongside LOG_SUBDOMAINS_OFF, and update thedocumentation accordingly.Add flag validation tests for all TSYNC combinations with ruleset_fd=-1,and audit tests verifying both transition directions: muting via TSYNC(logged to not logged) and override via TSYNC (not logged to logged).Cc: Günther Noack Cc: stable@vger.kernel.orgFixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")Reviewed-by: Günther Noack Link: https://lore.kernel.org/r/20260407164107.2012589-2-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

874c8f83826c95c62c21d9edfe9ef43e5c346724 - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()

Tue, 07 Apr 2026 18:41:04 +0200

landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()hook_cred_transfer() only copies the Landlock security blob when thesource credential has a domain. This is inconsistent withlandlock_restrict_self() which can set LOG_SUBDOMAINS_OFF on acredential without creating a domain (via the ruleset_fd=-1 path): thefield is committed but not preserved across fork() because the child'sprepare_creds() calls hook_cred_transfer() which skips the copy whendomain is NULL.This breaks the documented use case where a process mutes subdomain logsbefore forking sandboxed children: the children lose the muting andtheir domains produce unexpected audit records.Fix this by unconditionally copying the Landlock credential blob.Cc: Günther Noack Cc: Jann Horn Cc: stable@vger.kernel.orgFixes: ead9079f7569 ("landlock: Add LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF")Reviewed-by: Günther Noack Link: https://lore.kernel.org/r/20260407164107.2012589-1-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

dc58130bc38f09b162aa3b216f8b8f1e0a56127b - selftests/landlock: Fix build of audit_test

Thu, 05 Jun 2025 23:44:16 +0200

selftests/landlock: Fix build of audit_testWe are hitting build error on CentOS 9:audit_test.c:232:40: error: ‘O_CLOEXEC’ undeclared (...)Fix this by including fcntl.h.Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20250605214416.1885878-1-song@kernel.orgFixes: 6b4566400a29 ("selftests/landlock: Add PID tests for audit records")Signed-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

6b4566400a2919e6c1137404c53d7cf1ada559aa - selftests/landlock: Add PID tests for audit records

Thu, 10 Apr 2025 19:17:23 +0200

selftests/landlock: Add PID tests for audit recordsAdd audit.thread tests to check that the PID tied to a domain is not athread ID but the thread group ID. These new tests would not passwithout the previous TGID fix.Extend matches_log_domain_allocated() to check against the PID thatcreated the domain.Test coverage for security/landlock is 93.6% of 1524 lines according togcc/gcov-14.Cc: Christian Brauner Cc: Günther Noack Cc: Paul Moore Link: https://lore.kernel.org/r/20250410171725.1265860-3-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

e4a0f9e0cacd93094b619616426a273e0bc9107e - selftests/landlock: Factor out audit fixture in audit_test

Thu, 10 Apr 2025 19:17:22 +0200

selftests/landlock: Factor out audit fixture in audit_testThe audit fixture needlessly stores and manages domain_stack. Move itto the audit.layers tests. This will be useful to reuse the auditfixture with the next patch.Cc: Günther Noack Link: https://lore.kernel.org/r/20250410171725.1265860-2-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

960ed6ca4c46c1e7a44f3f7b8be2c147757459e4 - selftests/landlock: Test audit with restrict flags

Thu, 20 Mar 2025 20:07:12 +0100

selftests/landlock: Test audit with restrict flagsAdd audit_exec tests to filter Landlock denials according tocross-execution or muted subdomains.Add a wait-pipe-sandbox.c test program to sandbox itself and send a(denied) signals to its parent.Cc: Günther Noack Cc: Paul Moore Link: https://lore.kernel.org/r/20250320190717.2287696-24-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c

6a500b22971c42da4037ff95481dd6c5535b01bd - selftests/landlock: Add tests for audit flags and domain IDs

Thu, 20 Mar 2025 20:07:11 +0100

selftests/landlock: Add tests for audit flags and domain IDsAdd audit_test.c to check with and without LANDLOCK_RESTRICT_SELF_*flags against the two Landlock audit record types:AUDIT_LANDLOCK_ACCESS and AUDIT_LANDLOCK_DOMAIN.Check consistency of domain IDs per layer in AUDIT_LANDLOCK_ACCESS andAUDIT_LANDLOCK_DOMAIN messages: denied access, domain allocation, anddomain deallocation.These tests use signal scoping to make it simple. They are not in thescoped_signal_test.c file but in the new dedicated audit_test.c file.Tests are run with audit filters to ensure the audit records come fromthe test program. Moreover, because there can only be one auditprocess, tests would failed if run in parallel. Because of auditlimitations, tests can only be run in the initial namespace.The audit test helpers were inspired by libaudit andtools/testing/selftests/net/netfilter/audit_logread.cCc: Günther Noack Cc: Paul Moore Cc: Phil Sutter Link: https://lore.kernel.org/r/20250320190717.2287696-23-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux/tools/testing/selftests/landlock/audit_test.c