1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * Landlock variants for three processes with various domains.
4 *
5 * Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com>
6 */
7
8 enum sandbox_type {
9 NO_SANDBOX,
10 SCOPE_SANDBOX,
11 /* Any other type of sandboxing domain */
12 OTHER_SANDBOX,
13 };
14
15 /* clang-format on */
FIXTURE_VARIANT(scoped_vs_unscoped)16 FIXTURE_VARIANT(scoped_vs_unscoped)
17 {
18 const int domain_all;
19 const int domain_parent;
20 const int domain_children;
21 const int domain_child;
22 const int domain_grand_child;
23 };
24
25 /*
26 * .-----------------.
27 * | ####### | P3 -> P2 : allow
28 * | P1----# P2 # | P3 -> P1 : deny
29 * | # | # |
30 * | # P3 # |
31 * | ####### |
32 * '-----------------'
33 */
34 /* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped,deny_scoped)35 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_scoped) {
36 .domain_all = OTHER_SANDBOX,
37 .domain_parent = NO_SANDBOX,
38 .domain_children = SCOPE_SANDBOX,
39 .domain_child = NO_SANDBOX,
40 .domain_grand_child = NO_SANDBOX,
41 /* clang-format on */
42 };
43
44 /*
45 * ###################
46 * # ####### # P3 -> P2 : allow
47 * # P1----# P2 # # P3 -> P1 : deny
48 * # # | # #
49 * # # P3 # #
50 * # ####### #
51 * ###################
52 */
53 /* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped,all_scoped)54 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, all_scoped) {
55 .domain_all = SCOPE_SANDBOX,
56 .domain_parent = NO_SANDBOX,
57 .domain_children = SCOPE_SANDBOX,
58 .domain_child = NO_SANDBOX,
59 .domain_grand_child = NO_SANDBOX,
60 /* clang-format on */
61 };
62
63 /*
64 * .-----------------.
65 * | .-----. | P3 -> P2 : allow
66 * | P1----| P2 | | P3 -> P1 : allow
67 * | | | |
68 * | | P3 | |
69 * | '-----' |
70 * '-----------------'
71 */
72 /* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped,allow_with_other_domain)73 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_other_domain) {
74 .domain_all = OTHER_SANDBOX,
75 .domain_parent = NO_SANDBOX,
76 .domain_children = OTHER_SANDBOX,
77 .domain_child = NO_SANDBOX,
78 .domain_grand_child = NO_SANDBOX,
79 /* clang-format on */
80 };
81
82 /*
83 * .----. ###### P3 -> P2 : allow
84 * | P1 |----# P2 # P3 -> P1 : allow
85 * '----' ######
86 * |
87 * P3
88 */
89 /* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped,allow_with_one_domain)90 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_one_domain) {
91 .domain_all = NO_SANDBOX,
92 .domain_parent = OTHER_SANDBOX,
93 .domain_children = NO_SANDBOX,
94 .domain_child = SCOPE_SANDBOX,
95 .domain_grand_child = NO_SANDBOX,
96 /* clang-format on */
97 };
98
99 /*
100 * ###### .-----. P3 -> P2 : allow
101 * # P1 #----| P2 | P3 -> P1 : allow
102 * ###### '-----'
103 * |
104 * P3
105 */
106 /* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped,allow_with_grand_parent_scoped)107 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_grand_parent_scoped) {
108 .domain_all = NO_SANDBOX,
109 .domain_parent = SCOPE_SANDBOX,
110 .domain_children = NO_SANDBOX,
111 .domain_child = OTHER_SANDBOX,
112 .domain_grand_child = NO_SANDBOX,
113 /* clang-format on */
114 };
115
116 /*
117 * ###### ###### P3 -> P2 : allow
118 * # P1 #----# P2 # P3 -> P1 : allow
119 * ###### ######
120 * |
121 * .----.
122 * | P3 |
123 * '----'
124 */
125 /* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped,allow_with_parents_domain)126 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_parents_domain) {
127 .domain_all = NO_SANDBOX,
128 .domain_parent = SCOPE_SANDBOX,
129 .domain_children = NO_SANDBOX,
130 .domain_child = SCOPE_SANDBOX,
131 .domain_grand_child = NO_SANDBOX,
132 /* clang-format on */
133 };
134
135 /*
136 * ###### P3 -> P2 : deny
137 * # P1 #----P2 P3 -> P1 : deny
138 * ###### |
139 * |
140 * ######
141 * # P3 #
142 * ######
143 */
144 /* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped,deny_with_self_and_grandparent_domain)145 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_with_self_and_grandparent_domain) {
146 .domain_all = NO_SANDBOX,
147 .domain_parent = SCOPE_SANDBOX,
148 .domain_children = NO_SANDBOX,
149 .domain_child = NO_SANDBOX,
150 .domain_grand_child = SCOPE_SANDBOX,
151 /* clang-format on */
152 };
153