1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Landlock tests - Network 4 * 5 * Copyright © 2022-2023 Huawei Tech. Co., Ltd. 6 * Copyright © 2023 Microsoft Corporation 7 */ 8 9 #define _GNU_SOURCE 10 #include <arpa/inet.h> 11 #include <errno.h> 12 #include <fcntl.h> 13 #include <linux/landlock.h> 14 #include <linux/in.h> 15 #include <sched.h> 16 #include <stdint.h> 17 #include <string.h> 18 #include <sys/prctl.h> 19 #include <sys/socket.h> 20 #include <sys/syscall.h> 21 #include <sys/un.h> 22 23 #include "audit.h" 24 #include "common.h" 25 26 const short sock_port_start = (1 << 10); 27 28 static const char loopback_ipv4[] = "127.0.0.1"; 29 static const char loopback_ipv6[] = "::1"; 30 31 /* Number pending connections queue to be hold. */ 32 const short backlog = 10; 33 34 enum sandbox_type { 35 NO_SANDBOX, 36 /* This may be used to test rules that allow *and* deny accesses. */ 37 TCP_SANDBOX, 38 UDP_SANDBOX, 39 }; 40 41 static int set_service(struct service_fixture *const srv, 42 const struct protocol_variant prot, 43 const unsigned short index) 44 { 45 memset(srv, 0, sizeof(*srv)); 46 47 /* 48 * Copies all protocol properties in case of the variant only contains 49 * a subset of them. 50 */ 51 srv->protocol = prot; 52 53 /* Checks for port overflow. */ 54 if (index > 2) 55 return 1; 56 srv->port = sock_port_start << (2 * index); 57 58 switch (prot.domain) { 59 case AF_UNSPEC: 60 case AF_INET: 61 srv->ipv4_addr.sin_family = prot.domain; 62 srv->ipv4_addr.sin_port = htons(srv->port); 63 srv->ipv4_addr.sin_addr.s_addr = inet_addr(loopback_ipv4); 64 return 0; 65 66 case AF_INET6: 67 srv->ipv6_addr.sin6_family = prot.domain; 68 srv->ipv6_addr.sin6_port = htons(srv->port); 69 inet_pton(AF_INET6, loopback_ipv6, &srv->ipv6_addr.sin6_addr); 70 return 0; 71 72 case AF_UNIX: 73 set_unix_address(srv, index); 74 return 0; 75 } 76 return 1; 77 } 78 79 static void setup_loopback(struct __test_metadata *const _metadata) 80 { 81 set_cap(_metadata, CAP_SYS_ADMIN); 82 ASSERT_EQ(0, unshare(CLONE_NEWNET)); 83 clear_cap(_metadata, CAP_SYS_ADMIN); 84 85 set_ambient_cap(_metadata, CAP_NET_ADMIN); 86 ASSERT_EQ(0, system("ip link set dev lo up")); 87 clear_ambient_cap(_metadata, CAP_NET_ADMIN); 88 } 89 90 static bool prot_is_tcp(const struct protocol_variant *const prot) 91 { 92 return (prot->domain == AF_INET || prot->domain == AF_INET6) && 93 prot->type == SOCK_STREAM && 94 (prot->protocol == IPPROTO_TCP || prot->protocol == IPPROTO_IP); 95 } 96 97 static bool prot_is_udp(const struct protocol_variant *const prot) 98 { 99 return (prot->domain == AF_INET || prot->domain == AF_INET6) && 100 prot->type == SOCK_DGRAM && 101 (prot->protocol == IPPROTO_UDP || prot->protocol == IPPROTO_IP); 102 } 103 104 static bool is_restricted(const struct protocol_variant *const prot, 105 const enum sandbox_type sandbox) 106 { 107 if (sandbox == TCP_SANDBOX) 108 return prot_is_tcp(prot); 109 else if (sandbox == UDP_SANDBOX) 110 return prot_is_udp(prot); 111 return false; 112 } 113 114 static int socket_variant(const struct service_fixture *const srv) 115 { 116 /* Arbitrary value just to not block other tests indefinitely. */ 117 const struct timeval timeout = { 118 .tv_sec = 0, 119 .tv_usec = 100000, 120 }; 121 int sockfd; 122 int ret; 123 124 sockfd = socket(srv->protocol.domain, srv->protocol.type | SOCK_CLOEXEC, 125 srv->protocol.protocol); 126 if (sockfd < 0) 127 return -errno; 128 129 ret = setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &timeout, 130 sizeof(timeout)); 131 if (ret != 0) { 132 ret = -errno; 133 close(sockfd); 134 return ret; 135 } 136 ret = setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, &timeout, 137 sizeof(timeout)); 138 if (ret != 0) { 139 ret = -errno; 140 close(sockfd); 141 return ret; 142 } 143 return sockfd; 144 } 145 146 #ifndef SIN6_LEN_RFC2133 147 #define SIN6_LEN_RFC2133 24 148 #endif 149 150 static socklen_t get_addrlen(const struct service_fixture *const srv, 151 const bool minimal) 152 { 153 switch (srv->protocol.domain) { 154 case AF_UNSPEC: 155 if (minimal) 156 return sizeof(sa_family_t); 157 return sizeof(struct sockaddr_storage); 158 159 case AF_INET: 160 return sizeof(srv->ipv4_addr); 161 162 case AF_INET6: 163 if (minimal) 164 return SIN6_LEN_RFC2133; 165 return sizeof(srv->ipv6_addr); 166 167 case AF_UNIX: 168 if (minimal) 169 return sizeof(srv->unix_addr) - 170 sizeof(srv->unix_addr.sun_path); 171 return srv->unix_addr_len; 172 173 default: 174 return 0; 175 } 176 } 177 178 static void set_port(struct service_fixture *const srv, uint16_t port) 179 { 180 switch (srv->protocol.domain) { 181 case AF_UNSPEC: 182 case AF_INET: 183 srv->ipv4_addr.sin_port = htons(port); 184 return; 185 186 case AF_INET6: 187 srv->ipv6_addr.sin6_port = htons(port); 188 return; 189 190 default: 191 return; 192 } 193 } 194 195 static uint16_t get_binded_port(int socket_fd, 196 const struct protocol_variant *const prot) 197 { 198 struct sockaddr_in ipv4_addr; 199 struct sockaddr_in6 ipv6_addr; 200 socklen_t ipv4_addr_len, ipv6_addr_len; 201 202 /* Gets binded port. */ 203 switch (prot->domain) { 204 case AF_UNSPEC: 205 case AF_INET: 206 ipv4_addr_len = sizeof(ipv4_addr); 207 getsockname(socket_fd, &ipv4_addr, &ipv4_addr_len); 208 return ntohs(ipv4_addr.sin_port); 209 210 case AF_INET6: 211 ipv6_addr_len = sizeof(ipv6_addr); 212 getsockname(socket_fd, &ipv6_addr, &ipv6_addr_len); 213 return ntohs(ipv6_addr.sin6_port); 214 215 default: 216 return 0; 217 } 218 } 219 220 static int bind_variant_addrlen(const int sock_fd, 221 const struct service_fixture *const srv, 222 const socklen_t addrlen) 223 { 224 int ret; 225 226 switch (srv->protocol.domain) { 227 case AF_UNSPEC: 228 case AF_INET: 229 ret = bind(sock_fd, &srv->ipv4_addr, addrlen); 230 break; 231 232 case AF_INET6: 233 ret = bind(sock_fd, &srv->ipv6_addr, addrlen); 234 break; 235 236 case AF_UNIX: 237 ret = bind(sock_fd, &srv->unix_addr, addrlen); 238 break; 239 240 default: 241 errno = EAFNOSUPPORT; 242 return -errno; 243 } 244 245 if (ret < 0) 246 return -errno; 247 return ret; 248 } 249 250 static int bind_variant(const int sock_fd, 251 const struct service_fixture *const srv) 252 { 253 return bind_variant_addrlen(sock_fd, srv, get_addrlen(srv, false)); 254 } 255 256 static int connect_variant_addrlen(const int sock_fd, 257 const struct service_fixture *const srv, 258 const socklen_t addrlen) 259 { 260 int ret; 261 262 switch (srv->protocol.domain) { 263 case AF_UNSPEC: 264 case AF_INET: 265 ret = connect(sock_fd, &srv->ipv4_addr, addrlen); 266 break; 267 268 case AF_INET6: 269 ret = connect(sock_fd, &srv->ipv6_addr, addrlen); 270 break; 271 272 case AF_UNIX: 273 ret = connect(sock_fd, &srv->unix_addr, addrlen); 274 break; 275 276 default: 277 errno = -EAFNOSUPPORT; 278 return -errno; 279 } 280 281 if (ret < 0) 282 return -errno; 283 return ret; 284 } 285 286 static int connect_variant(const int sock_fd, 287 const struct service_fixture *const srv) 288 { 289 return connect_variant_addrlen(sock_fd, srv, get_addrlen(srv, false)); 290 } 291 292 static int sendto_variant_addrlen(const int sock_fd, 293 const struct service_fixture *const srv, 294 const socklen_t addrlen, void *buf, 295 size_t len, size_t flags) 296 { 297 const struct sockaddr *dst = NULL; 298 ssize_t ret; 299 300 /* 301 * We never want our processes to be killed by SIGPIPE: we check return 302 * codes and errno, so that we have actual error messages. 303 */ 304 flags |= MSG_NOSIGNAL; 305 306 if (srv != NULL) { 307 switch (srv->protocol.domain) { 308 case AF_UNSPEC: 309 case AF_INET: 310 dst = (const struct sockaddr *)&srv->ipv4_addr; 311 break; 312 313 case AF_INET6: 314 dst = (const struct sockaddr *)&srv->ipv6_addr; 315 break; 316 317 case AF_UNIX: 318 dst = (const struct sockaddr *)&srv->unix_addr; 319 break; 320 321 default: 322 errno = EAFNOSUPPORT; 323 return -errno; 324 } 325 } 326 327 ret = sendto(sock_fd, buf, len, flags, dst, addrlen); 328 if (ret < 0) 329 return -errno; 330 331 /* errno is not set in cases of partial writes. */ 332 if (ret != len) 333 return -EINTR; 334 335 return 0; 336 } 337 338 static int sendto_variant(const int sock_fd, 339 const struct service_fixture *const srv, void *buf, 340 size_t len, size_t flags) 341 { 342 socklen_t addrlen = 0; 343 344 if (srv != NULL) 345 addrlen = get_addrlen(srv, false); 346 347 return sendto_variant_addrlen(sock_fd, srv, addrlen, buf, len, flags); 348 } 349 350 static int test_sendmsg(struct __test_metadata *const _metadata, 351 const struct protocol_variant *prot, int client_fd, 352 int server_fd, const struct service_fixture *srv, 353 bool bind_denied, bool send_denied) 354 { 355 int ret; 356 socklen_t opt_len; 357 int sock_type; 358 int addr_family; 359 struct sockaddr_storage peer_addr = { 0 }; 360 bool has_remote_port; 361 bool needs_autobind; 362 char read_buf[1] = { 0 }; 363 364 /* 365 * Prepare the test by inspecting the socket type and whether it has a 366 * local/remote address set (all of which determine the expected 367 * outcomes). 368 */ 369 opt_len = sizeof(sock_type); 370 ASSERT_EQ(0, getsockopt(client_fd, SOL_SOCKET, SO_TYPE, &sock_type, 371 &opt_len)); 372 opt_len = sizeof(addr_family); 373 ASSERT_EQ(0, getsockopt(client_fd, SOL_SOCKET, SO_DOMAIN, &addr_family, 374 &opt_len)); 375 opt_len = sizeof(peer_addr); 376 has_remote_port = (getpeername(client_fd, (struct sockaddr *)&peer_addr, 377 &opt_len) == 0); 378 needs_autobind = (addr_family == AF_INET || addr_family == AF_INET6) && 379 get_binded_port(client_fd, prot) == 0; 380 381 /* First, check error code with truncated explicit address. */ 382 if (srv != NULL) { 383 ret = sendto_variant_addrlen( 384 client_fd, srv, get_addrlen(srv, true) - 1, "A", 1, 0); 385 if (sock_type == SOCK_STREAM && !has_remote_port) { 386 EXPECT_EQ(-EPIPE, ret) 387 { 388 return -1; 389 } 390 } else if (bind_denied && needs_autobind) { 391 EXPECT_EQ(-EACCES, ret) 392 { 393 return -1; 394 } 395 } else { 396 EXPECT_EQ(-EINVAL, ret) 397 { 398 return -1; 399 } 400 } 401 } 402 403 /* With or without explicit destination address (srv can be NULL). */ 404 ret = sendto_variant(client_fd, srv, "B", 1, 0); 405 if (sock_type == SOCK_STREAM && !has_remote_port) { 406 EXPECT_EQ(-EPIPE, ret) 407 { 408 return -1; 409 } 410 } else if ((send_denied && srv != NULL) || 411 (bind_denied && needs_autobind)) { 412 ASSERT_EQ(-EACCES, ret) 413 { 414 return -1; 415 } 416 } else if (srv == NULL && !has_remote_port) { 417 if (addr_family == AF_UNIX) { 418 ASSERT_EQ(-ENOTCONN, ret) 419 { 420 return -1; 421 } 422 } else if (sock_type == SOCK_STREAM) { 423 ASSERT_EQ(-EPIPE, ret) 424 { 425 return -1; 426 } 427 } else { 428 ASSERT_EQ(-EDESTADDRREQ, ret) 429 { 430 return -1; 431 } 432 } 433 } else { 434 ASSERT_EQ(0, ret); 435 ASSERT_EQ(1, recv(server_fd, read_buf, 1, 0)); 436 ASSERT_EQ(read_buf[0], 'B') 437 { 438 return -1; 439 } 440 } 441 442 return 0; 443 } 444 445 FIXTURE(protocol) 446 { 447 struct service_fixture srv0, srv1, srv2; 448 struct service_fixture unspec_any0, unspec_srv0, unspec_srv1; 449 }; 450 451 FIXTURE_VARIANT(protocol) 452 { 453 const enum sandbox_type sandbox; 454 const struct protocol_variant prot; 455 }; 456 457 FIXTURE_SETUP(protocol) 458 { 459 struct protocol_variant prot_unspec = variant->prot; 460 461 prot_unspec.domain = AF_UNSPEC; 462 463 disable_caps(_metadata); 464 465 ASSERT_EQ(0, set_service(&self->srv0, variant->prot, 0)); 466 ASSERT_EQ(0, set_service(&self->srv1, variant->prot, 1)); 467 ASSERT_EQ(0, set_service(&self->srv2, variant->prot, 2)); 468 469 ASSERT_EQ(0, set_service(&self->unspec_srv0, prot_unspec, 0)); 470 ASSERT_EQ(0, set_service(&self->unspec_srv1, prot_unspec, 1)); 471 472 ASSERT_EQ(0, set_service(&self->unspec_any0, prot_unspec, 0)); 473 self->unspec_any0.ipv4_addr.sin_addr.s_addr = htonl(INADDR_ANY); 474 475 setup_loopback(_metadata); 476 }; 477 478 FIXTURE_TEARDOWN(protocol) 479 { 480 } 481 482 /* clang-format off */ 483 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp1) { 484 /* clang-format on */ 485 .sandbox = NO_SANDBOX, 486 .prot = { 487 .domain = AF_INET, 488 .type = SOCK_STREAM, 489 /* IPPROTO_IP == 0 */ 490 .protocol = IPPROTO_IP, 491 }, 492 }; 493 494 /* clang-format off */ 495 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp2) { 496 /* clang-format on */ 497 .sandbox = NO_SANDBOX, 498 .prot = { 499 .domain = AF_INET, 500 .type = SOCK_STREAM, 501 .protocol = IPPROTO_TCP, 502 }, 503 }; 504 505 /* clang-format off */ 506 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_mptcp) { 507 /* clang-format on */ 508 .sandbox = NO_SANDBOX, 509 .prot = { 510 .domain = AF_INET, 511 .type = SOCK_STREAM, 512 .protocol = IPPROTO_MPTCP, 513 }, 514 }; 515 516 /* clang-format off */ 517 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp1) { 518 /* clang-format on */ 519 .sandbox = NO_SANDBOX, 520 .prot = { 521 .domain = AF_INET6, 522 .type = SOCK_STREAM, 523 /* IPPROTO_IP == 0 */ 524 .protocol = IPPROTO_IP, 525 }, 526 }; 527 528 /* clang-format off */ 529 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp2) { 530 /* clang-format on */ 531 .sandbox = NO_SANDBOX, 532 .prot = { 533 .domain = AF_INET6, 534 .type = SOCK_STREAM, 535 .protocol = IPPROTO_TCP, 536 }, 537 }; 538 539 /* clang-format off */ 540 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_mptcp) { 541 /* clang-format on */ 542 .sandbox = NO_SANDBOX, 543 .prot = { 544 .domain = AF_INET6, 545 .type = SOCK_STREAM, 546 .protocol = IPPROTO_MPTCP, 547 }, 548 }; 549 550 /* clang-format off */ 551 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_udp) { 552 /* clang-format on */ 553 .sandbox = NO_SANDBOX, 554 .prot = { 555 .domain = AF_INET, 556 .type = SOCK_DGRAM, 557 }, 558 }; 559 560 /* clang-format off */ 561 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_udp) { 562 /* clang-format on */ 563 .sandbox = NO_SANDBOX, 564 .prot = { 565 .domain = AF_INET6, 566 .type = SOCK_DGRAM, 567 }, 568 }; 569 570 /* clang-format off */ 571 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_stream) { 572 /* clang-format on */ 573 .sandbox = NO_SANDBOX, 574 .prot = { 575 .domain = AF_UNIX, 576 .type = SOCK_STREAM, 577 }, 578 }; 579 580 /* clang-format off */ 581 FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_datagram) { 582 /* clang-format on */ 583 .sandbox = NO_SANDBOX, 584 .prot = { 585 .domain = AF_UNIX, 586 .type = SOCK_DGRAM, 587 }, 588 }; 589 590 /* clang-format off */ 591 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp1) { 592 /* clang-format on */ 593 .sandbox = TCP_SANDBOX, 594 .prot = { 595 .domain = AF_INET, 596 .type = SOCK_STREAM, 597 /* IPPROTO_IP == 0 */ 598 .protocol = IPPROTO_IP, 599 }, 600 }; 601 602 /* clang-format off */ 603 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp2) { 604 /* clang-format on */ 605 .sandbox = TCP_SANDBOX, 606 .prot = { 607 .domain = AF_INET, 608 .type = SOCK_STREAM, 609 .protocol = IPPROTO_TCP, 610 }, 611 }; 612 613 /* clang-format off */ 614 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_mptcp) { 615 /* clang-format on */ 616 .sandbox = TCP_SANDBOX, 617 .prot = { 618 .domain = AF_INET, 619 .type = SOCK_STREAM, 620 .protocol = IPPROTO_MPTCP, 621 }, 622 }; 623 624 /* clang-format off */ 625 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp1) { 626 /* clang-format on */ 627 .sandbox = TCP_SANDBOX, 628 .prot = { 629 .domain = AF_INET6, 630 .type = SOCK_STREAM, 631 /* IPPROTO_IP == 0 */ 632 .protocol = IPPROTO_IP, 633 }, 634 }; 635 636 /* clang-format off */ 637 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp2) { 638 /* clang-format on */ 639 .sandbox = TCP_SANDBOX, 640 .prot = { 641 .domain = AF_INET6, 642 .type = SOCK_STREAM, 643 .protocol = IPPROTO_TCP, 644 }, 645 }; 646 647 /* clang-format off */ 648 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_mptcp) { 649 /* clang-format on */ 650 .sandbox = TCP_SANDBOX, 651 .prot = { 652 .domain = AF_INET6, 653 .type = SOCK_STREAM, 654 .protocol = IPPROTO_MPTCP, 655 }, 656 }; 657 658 /* clang-format off */ 659 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_udp) { 660 /* clang-format on */ 661 .sandbox = TCP_SANDBOX, 662 .prot = { 663 .domain = AF_INET, 664 .type = SOCK_DGRAM, 665 }, 666 }; 667 668 /* clang-format off */ 669 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_udp) { 670 /* clang-format on */ 671 .sandbox = TCP_SANDBOX, 672 .prot = { 673 .domain = AF_INET6, 674 .type = SOCK_DGRAM, 675 }, 676 }; 677 678 /* clang-format off */ 679 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_unix_stream) { 680 /* clang-format on */ 681 .sandbox = TCP_SANDBOX, 682 .prot = { 683 .domain = AF_UNIX, 684 .type = SOCK_STREAM, 685 }, 686 }; 687 688 /* clang-format off */ 689 FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_unix_datagram) { 690 /* clang-format on */ 691 .sandbox = TCP_SANDBOX, 692 .prot = { 693 .domain = AF_UNIX, 694 .type = SOCK_DGRAM, 695 }, 696 }; 697 698 /* clang-format off */ 699 FIXTURE_VARIANT_ADD(protocol, udp_sandbox_with_ipv4_udp1) { 700 /* clang-format on */ 701 .sandbox = UDP_SANDBOX, 702 .prot = { 703 .domain = AF_INET, 704 .type = SOCK_DGRAM, 705 .protocol = IPPROTO_UDP, 706 }, 707 }; 708 709 /* clang-format off */ 710 FIXTURE_VARIANT_ADD(protocol, udp_sandbox_with_ipv4_udp2) { 711 /* clang-format on */ 712 .sandbox = UDP_SANDBOX, 713 .prot = { 714 .domain = AF_INET, 715 .type = SOCK_DGRAM, 716 /* IPPROTO_IP == 0 */ 717 .protocol = IPPROTO_IP, 718 }, 719 }; 720 721 /* clang-format off */ 722 FIXTURE_VARIANT_ADD(protocol, udp_sandbox_with_ipv6_udp1) { 723 /* clang-format on */ 724 .sandbox = UDP_SANDBOX, 725 .prot = { 726 .domain = AF_INET6, 727 .type = SOCK_DGRAM, 728 .protocol = IPPROTO_UDP, 729 }, 730 }; 731 732 /* clang-format off */ 733 FIXTURE_VARIANT_ADD(protocol, udp_sandbox_with_ipv6_udp2) { 734 /* clang-format on */ 735 .sandbox = UDP_SANDBOX, 736 .prot = { 737 .domain = AF_INET6, 738 .type = SOCK_DGRAM, 739 /* IPPROTO_IP == 0 */ 740 .protocol = IPPROTO_IP, 741 }, 742 }; 743 744 /* clang-format off */ 745 FIXTURE_VARIANT_ADD(protocol, udp_sandbox_with_ipv4_tcp) { 746 /* clang-format on */ 747 .sandbox = UDP_SANDBOX, 748 .prot = { 749 .domain = AF_INET, 750 .type = SOCK_STREAM, 751 }, 752 }; 753 754 /* clang-format off */ 755 FIXTURE_VARIANT_ADD(protocol, udp_sandbox_with_ipv6_tcp) { 756 /* clang-format on */ 757 .sandbox = UDP_SANDBOX, 758 .prot = { 759 .domain = AF_INET6, 760 .type = SOCK_STREAM, 761 }, 762 }; 763 764 /* clang-format off */ 765 FIXTURE_VARIANT_ADD(protocol, udp_sandbox_with_unix_stream) { 766 /* clang-format on */ 767 .sandbox = UDP_SANDBOX, 768 .prot = { 769 .domain = AF_UNIX, 770 .type = SOCK_STREAM, 771 }, 772 }; 773 774 /* clang-format off */ 775 FIXTURE_VARIANT_ADD(protocol, udp_sandbox_with_unix_datagram) { 776 /* clang-format on */ 777 .sandbox = UDP_SANDBOX, 778 .prot = { 779 .domain = AF_UNIX, 780 .type = SOCK_DGRAM, 781 }, 782 }; 783 784 static void test_bind_and_connect(struct __test_metadata *const _metadata, 785 const struct service_fixture *const srv, 786 const bool deny_bind, const bool deny_connect) 787 { 788 char buf = '\0'; 789 int inval_fd, bind_fd, client_fd, status, ret; 790 pid_t child; 791 792 /* Starts invalid addrlen tests with bind. */ 793 inval_fd = socket_variant(srv); 794 ASSERT_LE(0, inval_fd) 795 { 796 TH_LOG("Failed to create socket: %s", strerror(errno)); 797 } 798 799 /* Tries to bind with zero as addrlen. */ 800 EXPECT_EQ(-EINVAL, bind_variant_addrlen(inval_fd, srv, 0)); 801 802 /* Tries to bind with too small addrlen. */ 803 EXPECT_EQ(-EINVAL, bind_variant_addrlen(inval_fd, srv, 804 get_addrlen(srv, true) - 1)); 805 806 /* Tries to bind with minimal addrlen. */ 807 ret = bind_variant_addrlen(inval_fd, srv, get_addrlen(srv, true)); 808 if (deny_bind) { 809 EXPECT_EQ(-EACCES, ret); 810 } else { 811 EXPECT_EQ(0, ret) 812 { 813 TH_LOG("Failed to bind to socket: %s", strerror(errno)); 814 } 815 } 816 EXPECT_EQ(0, close(inval_fd)); 817 818 /* Starts invalid addrlen tests with connect. */ 819 inval_fd = socket_variant(srv); 820 ASSERT_LE(0, inval_fd); 821 822 /* Tries to connect with zero as addrlen. */ 823 EXPECT_EQ(-EINVAL, connect_variant_addrlen(inval_fd, srv, 0)); 824 825 /* Tries to connect with too small addrlen. */ 826 EXPECT_EQ(-EINVAL, connect_variant_addrlen(inval_fd, srv, 827 get_addrlen(srv, true) - 1)); 828 829 /* Tries to connect with minimal addrlen. */ 830 ret = connect_variant_addrlen(inval_fd, srv, get_addrlen(srv, true)); 831 if (srv->protocol.domain == AF_UNIX) { 832 EXPECT_EQ(-EINVAL, ret); 833 } else if (deny_connect) { 834 EXPECT_EQ(-EACCES, ret); 835 } else if (srv->protocol.type == SOCK_STREAM) { 836 /* No listening server, whatever the value of deny_bind. */ 837 EXPECT_EQ(-ECONNREFUSED, ret); 838 } else { 839 EXPECT_EQ(0, ret) 840 { 841 TH_LOG("Failed to connect to socket: %s", 842 strerror(errno)); 843 } 844 } 845 EXPECT_EQ(0, close(inval_fd)); 846 847 /* Starts connection tests. */ 848 bind_fd = socket_variant(srv); 849 ASSERT_LE(0, bind_fd); 850 851 ret = bind_variant(bind_fd, srv); 852 if (deny_bind) { 853 EXPECT_EQ(-EACCES, ret); 854 } else { 855 EXPECT_EQ(0, ret); 856 857 /* Creates a listening socket. */ 858 if (srv->protocol.type == SOCK_STREAM) 859 EXPECT_EQ(0, listen(bind_fd, backlog)); 860 } 861 862 child = fork(); 863 ASSERT_LE(0, child); 864 if (child == 0) { 865 int connect_fd, ret; 866 867 /* Closes listening socket for the child. */ 868 EXPECT_EQ(0, close(bind_fd)); 869 870 /* Starts connection tests. */ 871 connect_fd = socket_variant(srv); 872 ASSERT_LE(0, connect_fd); 873 ret = connect_variant(connect_fd, srv); 874 if (deny_connect) { 875 EXPECT_EQ(-EACCES, ret); 876 } else if (deny_bind && srv->protocol.type == SOCK_STREAM) { 877 /* No listening server. */ 878 EXPECT_EQ(-ECONNREFUSED, ret); 879 } else { 880 EXPECT_EQ(0, ret); 881 EXPECT_EQ(1, write(connect_fd, ".", 1)); 882 } 883 884 EXPECT_EQ(0, close(connect_fd)); 885 _exit(_metadata->exit_code); 886 return; 887 } 888 889 /* Accepts connection from the child. */ 890 client_fd = bind_fd; 891 if (!deny_bind && !deny_connect) { 892 if (srv->protocol.type == SOCK_STREAM) { 893 client_fd = accept(bind_fd, NULL, 0); 894 ASSERT_LE(0, client_fd); 895 } 896 897 EXPECT_EQ(1, read(client_fd, &buf, 1)); 898 EXPECT_EQ('.', buf); 899 } 900 901 EXPECT_EQ(child, waitpid(child, &status, 0)); 902 EXPECT_EQ(1, WIFEXITED(status)); 903 EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); 904 905 /* Closes connection, if any. */ 906 if (client_fd != bind_fd) 907 EXPECT_LE(0, close(client_fd)); 908 909 /* Closes listening socket. */ 910 EXPECT_EQ(0, close(bind_fd)); 911 } 912 913 TEST_F(protocol, bind) 914 { 915 if (variant->sandbox == TCP_SANDBOX || 916 variant->sandbox == UDP_SANDBOX) { 917 const __u64 bind_access = 918 (variant->sandbox == TCP_SANDBOX ? 919 LANDLOCK_ACCESS_NET_BIND_TCP : 920 LANDLOCK_ACCESS_NET_BIND_UDP); 921 const __u64 conn_access = 922 (variant->sandbox == TCP_SANDBOX ? 923 LANDLOCK_ACCESS_NET_CONNECT_TCP : 924 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 925 const struct landlock_ruleset_attr ruleset_attr = { 926 .handled_access_net = bind_access | conn_access, 927 }; 928 const struct landlock_net_port_attr bind_connect_p0 = { 929 .allowed_access = bind_access | conn_access, 930 .port = self->srv0.port, 931 }; 932 const struct landlock_net_port_attr connect_p1 = { 933 .allowed_access = conn_access, 934 .port = self->srv1.port, 935 }; 936 int ruleset_fd; 937 938 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 939 sizeof(ruleset_attr), 0); 940 ASSERT_LE(0, ruleset_fd); 941 942 /* Allows connect and bind for the first port. */ 943 ASSERT_EQ(0, 944 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 945 &bind_connect_p0, 0)); 946 947 /* Allows connect and denies bind for the second port. */ 948 ASSERT_EQ(0, 949 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 950 &connect_p1, 0)); 951 952 /* 953 * For UDP sockets, allows binding to ephemeral ports (required 954 * to connect or send a first datagram) 955 */ 956 if (variant->sandbox == UDP_SANDBOX) { 957 const struct landlock_net_port_attr bind_ephemeral = { 958 .allowed_access = bind_access, 959 .port = 0, 960 }; 961 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 962 LANDLOCK_RULE_NET_PORT, 963 &bind_ephemeral, 0)); 964 } 965 966 enforce_ruleset(_metadata, ruleset_fd); 967 EXPECT_EQ(0, close(ruleset_fd)); 968 } 969 970 /* Binds a socket to the first port. */ 971 test_bind_and_connect(_metadata, &self->srv0, false, false); 972 973 /* Binds a socket to the second port. */ 974 test_bind_and_connect(_metadata, &self->srv1, 975 is_restricted(&variant->prot, variant->sandbox), 976 false); 977 978 /* Binds a socket to the third port. */ 979 test_bind_and_connect(_metadata, &self->srv2, 980 is_restricted(&variant->prot, variant->sandbox), 981 is_restricted(&variant->prot, variant->sandbox)); 982 } 983 984 TEST_F(protocol, connect) 985 { 986 if (variant->sandbox == TCP_SANDBOX || 987 variant->sandbox == UDP_SANDBOX) { 988 const __u64 bind_access = 989 (variant->sandbox == TCP_SANDBOX ? 990 LANDLOCK_ACCESS_NET_BIND_TCP : 991 LANDLOCK_ACCESS_NET_BIND_UDP); 992 const __u64 conn_access = 993 (variant->sandbox == TCP_SANDBOX ? 994 LANDLOCK_ACCESS_NET_CONNECT_TCP : 995 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 996 const struct landlock_ruleset_attr ruleset_attr = { 997 .handled_access_net = bind_access | conn_access, 998 }; 999 const struct landlock_net_port_attr bind_connect_p0 = { 1000 .allowed_access = bind_access | conn_access, 1001 .port = self->srv0.port, 1002 }; 1003 const struct landlock_net_port_attr bind_p1 = { 1004 .allowed_access = bind_access, 1005 .port = self->srv1.port, 1006 }; 1007 int ruleset_fd; 1008 1009 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 1010 sizeof(ruleset_attr), 0); 1011 ASSERT_LE(0, ruleset_fd); 1012 1013 /* Allows connect and bind for the first port. */ 1014 ASSERT_EQ(0, 1015 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 1016 &bind_connect_p0, 0)); 1017 1018 /* Allows bind and denies connect for the second port. */ 1019 ASSERT_EQ(0, 1020 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 1021 &bind_p1, 0)); 1022 1023 /* 1024 * For UDP sockets, allows binding to ephemeral ports (required 1025 * to connect or send a first datagram) 1026 */ 1027 if (variant->sandbox == UDP_SANDBOX) { 1028 const struct landlock_net_port_attr bind_ephemeral = { 1029 .allowed_access = bind_access, 1030 .port = 0, 1031 }; 1032 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 1033 LANDLOCK_RULE_NET_PORT, 1034 &bind_ephemeral, 0)); 1035 } 1036 1037 enforce_ruleset(_metadata, ruleset_fd); 1038 EXPECT_EQ(0, close(ruleset_fd)); 1039 } 1040 1041 test_bind_and_connect(_metadata, &self->srv0, false, false); 1042 1043 test_bind_and_connect(_metadata, &self->srv1, false, 1044 is_restricted(&variant->prot, variant->sandbox)); 1045 1046 test_bind_and_connect(_metadata, &self->srv2, 1047 is_restricted(&variant->prot, variant->sandbox), 1048 is_restricted(&variant->prot, variant->sandbox)); 1049 } 1050 1051 TEST_F(protocol, bind_unspec) 1052 { 1053 const __u64 bind_access = (variant->sandbox == TCP_SANDBOX ? 1054 LANDLOCK_ACCESS_NET_BIND_TCP : 1055 LANDLOCK_ACCESS_NET_BIND_UDP); 1056 const struct landlock_ruleset_attr ruleset_attr = { 1057 .handled_access_net = bind_access, 1058 }; 1059 const struct landlock_net_port_attr rule_bind = { 1060 .allowed_access = bind_access, 1061 .port = self->srv0.port, 1062 }; 1063 int bind_fd, ret; 1064 1065 if (variant->sandbox == TCP_SANDBOX || 1066 variant->sandbox == UDP_SANDBOX) { 1067 const int ruleset_fd = landlock_create_ruleset( 1068 &ruleset_attr, sizeof(ruleset_attr), 0); 1069 ASSERT_LE(0, ruleset_fd); 1070 1071 /* Allows bind. */ 1072 ASSERT_EQ(0, 1073 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 1074 &rule_bind, 0)); 1075 enforce_ruleset(_metadata, ruleset_fd); 1076 EXPECT_EQ(0, close(ruleset_fd)); 1077 } 1078 1079 bind_fd = socket_variant(&self->srv0); 1080 ASSERT_LE(0, bind_fd); 1081 1082 /* Tries to bind with too small addrlen. */ 1083 EXPECT_EQ(-EINVAL, bind_variant_addrlen( 1084 bind_fd, &self->unspec_any0, 1085 get_addrlen(&self->unspec_any0, true) - 1)); 1086 1087 /* Allowed bind on AF_UNSPEC/INADDR_ANY. */ 1088 ret = bind_variant(bind_fd, &self->unspec_any0); 1089 if (variant->prot.domain == AF_INET) { 1090 EXPECT_EQ(0, ret) 1091 { 1092 TH_LOG("Failed to bind to unspec/any socket: %s", 1093 strerror(errno)); 1094 } 1095 } else if (variant->prot.domain == AF_INET6) { 1096 EXPECT_EQ(-EAFNOSUPPORT, ret); 1097 } else { 1098 EXPECT_EQ(-EINVAL, ret); 1099 } 1100 EXPECT_EQ(0, close(bind_fd)); 1101 1102 if (variant->sandbox == TCP_SANDBOX || 1103 variant->sandbox == UDP_SANDBOX) { 1104 const int ruleset_fd = landlock_create_ruleset( 1105 &ruleset_attr, sizeof(ruleset_attr), 0); 1106 ASSERT_LE(0, ruleset_fd); 1107 1108 /* Denies bind. */ 1109 enforce_ruleset(_metadata, ruleset_fd); 1110 EXPECT_EQ(0, close(ruleset_fd)); 1111 } 1112 1113 bind_fd = socket_variant(&self->srv0); 1114 ASSERT_LE(0, bind_fd); 1115 1116 /* Denied bind on AF_UNSPEC/INADDR_ANY. */ 1117 ret = bind_variant(bind_fd, &self->unspec_any0); 1118 if (variant->prot.domain == AF_INET) { 1119 if (is_restricted(&variant->prot, variant->sandbox)) { 1120 EXPECT_EQ(-EACCES, ret); 1121 } else { 1122 EXPECT_EQ(0, ret); 1123 } 1124 } else if (variant->prot.domain == AF_INET6) { 1125 EXPECT_EQ(-EAFNOSUPPORT, ret); 1126 } else { 1127 EXPECT_EQ(-EINVAL, ret); 1128 } 1129 EXPECT_EQ(0, close(bind_fd)); 1130 1131 /* Checks bind with AF_UNSPEC and the loopback address. */ 1132 bind_fd = socket_variant(&self->srv0); 1133 ASSERT_LE(0, bind_fd); 1134 ret = bind_variant(bind_fd, &self->unspec_srv0); 1135 if (variant->prot.domain == AF_INET || 1136 variant->prot.domain == AF_INET6) { 1137 EXPECT_EQ(-EAFNOSUPPORT, ret); 1138 } else { 1139 EXPECT_EQ(-EINVAL, ret) 1140 { 1141 TH_LOG("Wrong bind error: %s", strerror(errno)); 1142 } 1143 } 1144 EXPECT_EQ(0, close(bind_fd)); 1145 } 1146 1147 TEST_F(protocol, connect_unspec) 1148 { 1149 const __u64 connect_right = 1150 (variant->sandbox == TCP_SANDBOX ? 1151 LANDLOCK_ACCESS_NET_CONNECT_TCP : 1152 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 1153 const __u64 bind_right = (variant->sandbox == TCP_SANDBOX ? 1154 LANDLOCK_ACCESS_NET_BIND_TCP : 1155 LANDLOCK_ACCESS_NET_BIND_UDP); 1156 const struct landlock_ruleset_attr ruleset_conn = { 1157 .handled_access_net = connect_right, 1158 }; 1159 const struct landlock_ruleset_attr ruleset_conn_bind = { 1160 .handled_access_net = connect_right | bind_right, 1161 }; 1162 const struct landlock_net_port_attr rule_connect = { 1163 .allowed_access = connect_right, 1164 .port = self->srv0.port, 1165 }; 1166 int bind_fd, client_fd, status; 1167 pid_t child; 1168 1169 /* Specific connection tests. */ 1170 bind_fd = socket_variant(&self->srv0); 1171 ASSERT_LE(0, bind_fd); 1172 EXPECT_EQ(0, bind_variant(bind_fd, &self->srv0)); 1173 if (self->srv0.protocol.type == SOCK_STREAM) 1174 EXPECT_EQ(0, listen(bind_fd, backlog)); 1175 1176 child = fork(); 1177 ASSERT_LE(0, child); 1178 if (child == 0) { 1179 int connect_fd, ret; 1180 1181 /* Closes listening socket for the child. */ 1182 EXPECT_EQ(0, close(bind_fd)); 1183 1184 connect_fd = socket_variant(&self->srv0); 1185 ASSERT_LE(0, connect_fd); 1186 EXPECT_EQ(0, connect_variant(connect_fd, &self->srv0)); 1187 1188 /* Tries to connect again, or set peer. */ 1189 ret = connect_variant(connect_fd, &self->srv0); 1190 if (self->srv0.protocol.type == SOCK_STREAM) { 1191 EXPECT_EQ(-EISCONN, ret); 1192 } else { 1193 EXPECT_EQ(0, ret); 1194 } 1195 1196 if (variant->sandbox == TCP_SANDBOX || 1197 variant->sandbox == UDP_SANDBOX) { 1198 const int ruleset_fd = landlock_create_ruleset( 1199 &ruleset_conn, sizeof(ruleset_conn), 0); 1200 ASSERT_LE(0, ruleset_fd); 1201 1202 /* Allows connect. */ 1203 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 1204 LANDLOCK_RULE_NET_PORT, 1205 &rule_connect, 0)); 1206 enforce_ruleset(_metadata, ruleset_fd); 1207 EXPECT_EQ(0, close(ruleset_fd)); 1208 } 1209 1210 /* Disconnects already connected socket, or set peer. */ 1211 ret = connect_variant(connect_fd, &self->unspec_any0); 1212 if (self->srv0.protocol.domain == AF_UNIX && 1213 self->srv0.protocol.type == SOCK_STREAM) { 1214 EXPECT_EQ(-EINVAL, ret); 1215 } else { 1216 EXPECT_EQ(0, ret); 1217 } 1218 1219 /* Tries to reconnect, or set peer. */ 1220 ret = connect_variant(connect_fd, &self->srv0); 1221 if (self->srv0.protocol.domain == AF_UNIX && 1222 self->srv0.protocol.type == SOCK_STREAM) { 1223 EXPECT_EQ(-EISCONN, ret); 1224 } else { 1225 EXPECT_EQ(0, ret); 1226 } 1227 1228 if (variant->sandbox == TCP_SANDBOX || 1229 variant->sandbox == UDP_SANDBOX) { 1230 const int ruleset_fd = landlock_create_ruleset( 1231 &ruleset_conn_bind, sizeof(ruleset_conn_bind), 1232 0); 1233 ASSERT_LE(0, ruleset_fd); 1234 1235 /* Denies connect and bind. */ 1236 enforce_ruleset(_metadata, ruleset_fd); 1237 EXPECT_EQ(0, close(ruleset_fd)); 1238 } 1239 1240 /* Try to re-disconnect with a truncated address struct. */ 1241 EXPECT_EQ(-EINVAL, 1242 connect_variant_addrlen( 1243 connect_fd, &self->unspec_any0, 1244 get_addrlen(&self->unspec_any0, true) - 1)); 1245 1246 /* 1247 * Re-disconnect, with a minimal sockaddr struct (just a 1248 * bare af_family=AF_UNSPEC field). 1249 */ 1250 ret = connect_variant_addrlen(connect_fd, &self->unspec_any0, 1251 get_addrlen(&self->unspec_any0, 1252 true)); 1253 if (self->srv0.protocol.domain == AF_UNIX && 1254 self->srv0.protocol.type == SOCK_STREAM) { 1255 EXPECT_EQ(-EINVAL, ret); 1256 } else { 1257 /* Always allowed to disconnect. */ 1258 EXPECT_EQ(0, ret); 1259 } 1260 1261 EXPECT_EQ(0, close(connect_fd)); 1262 _exit(_metadata->exit_code); 1263 return; 1264 } 1265 1266 client_fd = bind_fd; 1267 if (self->srv0.protocol.type == SOCK_STREAM) { 1268 client_fd = accept(bind_fd, NULL, 0); 1269 ASSERT_LE(0, client_fd); 1270 } 1271 1272 EXPECT_EQ(child, waitpid(child, &status, 0)); 1273 EXPECT_EQ(1, WIFEXITED(status)); 1274 EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); 1275 1276 /* Closes connection, if any. */ 1277 if (client_fd != bind_fd) 1278 EXPECT_LE(0, close(client_fd)); 1279 1280 /* Closes listening socket. */ 1281 EXPECT_EQ(0, close(bind_fd)); 1282 } 1283 1284 TEST_F(protocol, sendmsg_stream) 1285 { 1286 int srv0_fd, tmp_fd, client_fd, res; 1287 char read_buf[1] = { 0 }; 1288 1289 /* 1290 * Simple test for stream sockets: just deny all connect()/ 1291 * send(explicit addr)/bind(), and make sure we don't interfere with any 1292 * operation. 1293 */ 1294 if (variant->prot.type != SOCK_STREAM) 1295 return; 1296 1297 if (variant->sandbox == UDP_SANDBOX) { 1298 const struct landlock_ruleset_attr ruleset_attr = { 1299 .handled_access_net = 1300 LANDLOCK_ACCESS_NET_BIND_UDP | 1301 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP, 1302 }; 1303 const int ruleset_fd = landlock_create_ruleset( 1304 &ruleset_attr, sizeof(ruleset_attr), 0); 1305 ASSERT_LE(0, ruleset_fd); 1306 enforce_ruleset(_metadata, ruleset_fd); 1307 EXPECT_EQ(0, close(ruleset_fd)); 1308 } 1309 1310 ASSERT_LE(0, client_fd = socket_variant(&self->srv0)); 1311 ASSERT_LE(0, srv0_fd = socket_variant(&self->srv0)); 1312 ASSERT_EQ(0, bind_variant(srv0_fd, &self->srv0)); 1313 ASSERT_EQ(0, listen(srv0_fd, backlog)); 1314 1315 /* Send on a non-connected socket. */ 1316 res = sendto_variant(client_fd, NULL, "A", 1, 0); 1317 if (variant->prot.domain == AF_UNIX) { 1318 EXPECT_EQ(-ENOTCONN, res); 1319 } else { 1320 EXPECT_EQ(-EPIPE, res); 1321 } 1322 1323 /* Send to a truncated (invalid) address on a non-connected socket. */ 1324 res = sendto_variant_addrlen(client_fd, &self->srv0, 1325 get_addrlen(&self->srv0, true) - 1, "B", 1, 1326 0); 1327 if (variant->prot.domain == AF_UNIX) { 1328 EXPECT_EQ(-EOPNOTSUPP, res); 1329 } else { 1330 EXPECT_EQ(-EPIPE, res); 1331 } 1332 1333 /* Connect. */ 1334 ASSERT_EQ(0, connect_variant(client_fd, &self->srv0)); 1335 tmp_fd = accept(srv0_fd, NULL, 0); 1336 ASSERT_LE(0, tmp_fd); 1337 EXPECT_EQ(0, close(srv0_fd)); 1338 srv0_fd = tmp_fd; 1339 1340 /* Send without an explicit address. */ 1341 EXPECT_EQ(0, sendto_variant(client_fd, NULL, "C", 1, 0)); 1342 EXPECT_EQ(1, recv(srv0_fd, read_buf, 1, 0)) 1343 { 1344 TH_LOG("recv() failed: %s", strerror(errno)); 1345 } 1346 EXPECT_EQ(read_buf[0], 'C'); 1347 1348 /* Send to a truncated (invalid) address. */ 1349 res = sendto_variant_addrlen(client_fd, &self->srv0, 1350 get_addrlen(&self->srv0, true) - 1, "D", 1, 1351 0); 1352 if (variant->prot.domain == AF_UNIX) { 1353 EXPECT_EQ(-EISCONN, res); 1354 } else { 1355 ASSERT_EQ(0, res); 1356 EXPECT_EQ(1, recv(srv0_fd, read_buf, 1, 0)) 1357 { 1358 TH_LOG("recv() failed: %s", strerror(errno)); 1359 } 1360 EXPECT_EQ(read_buf[0], 'D'); 1361 } 1362 1363 /* Send to a valid but different address. */ 1364 res = sendto_variant(client_fd, &self->srv1, "E", 1, 0); 1365 if (variant->prot.domain == AF_UNIX) { 1366 EXPECT_EQ(-EISCONN, res); 1367 } else { 1368 ASSERT_EQ(0, res); 1369 EXPECT_EQ(1, recv(srv0_fd, read_buf, 1, 0)) 1370 { 1371 TH_LOG("recv() failed: %s", strerror(errno)); 1372 } 1373 EXPECT_EQ(read_buf[0], 'E'); 1374 } 1375 1376 EXPECT_EQ(0, close(client_fd)); 1377 } 1378 1379 TEST_F(protocol, sendmsg_dgram) 1380 { 1381 const bool restricted = is_restricted(&variant->prot, variant->sandbox); 1382 int srv0_fd, srv1_fd, client_fd, child, status, res; 1383 1384 if (variant->prot.type != SOCK_DGRAM) 1385 return; 1386 1387 /* Prepare server on port #0 to be allowed. */ 1388 ASSERT_LE(0, srv0_fd = socket_variant(&self->srv0)); 1389 ASSERT_EQ(0, bind_variant(srv0_fd, &self->srv0)); 1390 1391 /* And another server on port #1 to be denied. */ 1392 ASSERT_LE(0, srv1_fd = socket_variant(&self->srv1)); 1393 ASSERT_EQ(0, bind_variant(srv1_fd, &self->srv1)); 1394 1395 /* 1396 * Check that sockets connected before restrictions are not impacted in 1397 * any way. 1398 */ 1399 child = fork(); 1400 ASSERT_LE(0, child); 1401 if (child == 0) { 1402 ASSERT_LE(0, client_fd = socket_variant(&self->srv0)); 1403 ASSERT_EQ(0, connect_variant(client_fd, &self->srv0)); 1404 if (variant->sandbox == UDP_SANDBOX) { 1405 /* Deny all connect()/send(explicit addr)/bind(). */ 1406 const struct landlock_ruleset_attr ruleset_attr = { 1407 .handled_access_net = 1408 LANDLOCK_ACCESS_NET_BIND_UDP | 1409 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP, 1410 }; 1411 const int ruleset_fd = landlock_create_ruleset( 1412 &ruleset_attr, sizeof(ruleset_attr), 0); 1413 ASSERT_LE(0, ruleset_fd); 1414 enforce_ruleset(_metadata, ruleset_fd); 1415 EXPECT_EQ(0, close(ruleset_fd)); 1416 } 1417 EXPECT_EQ(0, 1418 test_sendmsg(_metadata, &variant->prot, client_fd, 1419 srv0_fd, NULL, restricted, restricted)); 1420 EXPECT_EQ(0, test_sendmsg(_metadata, &variant->prot, client_fd, 1421 srv0_fd, &self->srv0, restricted, 1422 restricted)); 1423 EXPECT_EQ(0, test_sendmsg(_metadata, &variant->prot, client_fd, 1424 srv1_fd, &self->srv1, restricted, 1425 restricted)); 1426 EXPECT_EQ(0, close(client_fd)); 1427 _exit(_metadata->exit_code); 1428 } 1429 EXPECT_EQ(child, waitpid(child, &status, 0)); 1430 EXPECT_EQ(1, WIFEXITED(status)); 1431 EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); 1432 1433 /* 1434 * Restrict connect/send, but not bind(). Then try sending with no 1435 * destination (and no remote peer set), an allowed destination, then a 1436 * denied destination. 1437 */ 1438 child = fork(); 1439 ASSERT_LE(0, child); 1440 if (child == 0) { 1441 if (variant->sandbox == UDP_SANDBOX) { 1442 const struct landlock_ruleset_attr ruleset_attr = { 1443 .handled_access_net = 1444 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP, 1445 }; 1446 const struct landlock_net_port_attr send_p0 = { 1447 .allowed_access = 1448 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP, 1449 .port = self->srv0.port, 1450 }; 1451 const int ruleset_fd = landlock_create_ruleset( 1452 &ruleset_attr, sizeof(ruleset_attr), 0); 1453 ASSERT_LE(0, ruleset_fd); 1454 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 1455 LANDLOCK_RULE_NET_PORT, 1456 &send_p0, 0)); 1457 enforce_ruleset(_metadata, ruleset_fd); 1458 EXPECT_EQ(0, close(ruleset_fd)); 1459 } 1460 ASSERT_LE(0, client_fd = socket_variant(&self->srv0)); 1461 EXPECT_EQ(0, test_sendmsg(_metadata, &variant->prot, client_fd, 1462 -1, NULL, false, false)); 1463 EXPECT_EQ(0, test_sendmsg(_metadata, &variant->prot, client_fd, 1464 srv0_fd, &self->srv0, false, false)); 1465 EXPECT_EQ(0, test_sendmsg(_metadata, &variant->prot, client_fd, 1466 srv1_fd, &self->srv1, false, 1467 restricted)); 1468 EXPECT_EQ(0, close(client_fd)); 1469 _exit(_metadata->exit_code); 1470 return; 1471 } 1472 EXPECT_EQ(child, waitpid(child, &status, 0)); 1473 EXPECT_EQ(1, WIFEXITED(status)); 1474 EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); 1475 1476 /* 1477 * Rest of this test is just for autobind enforcement, which only exists 1478 * in IP sockets. 1479 */ 1480 if (variant->prot.domain != AF_INET && variant->prot.domain != AF_INET6) 1481 return; 1482 1483 /* Restrict bind() to explicit calls with an arbitrary (non-0) port. */ 1484 child = fork(); 1485 ASSERT_LE(0, child); 1486 if (child == 0) { 1487 const uint16_t allowed_src_port = 42424; 1488 struct service_fixture allowed_src; 1489 1490 allowed_src = self->srv0; 1491 set_port(&allowed_src, allowed_src_port); 1492 if (variant->sandbox == UDP_SANDBOX) { 1493 const struct landlock_ruleset_attr ruleset_attr = { 1494 .handled_access_net = 1495 LANDLOCK_ACCESS_NET_BIND_UDP, 1496 }; 1497 const struct landlock_net_port_attr rule = { 1498 .allowed_access = LANDLOCK_ACCESS_NET_BIND_UDP, 1499 .port = allowed_src_port, 1500 }; 1501 const int ruleset_fd = landlock_create_ruleset( 1502 &ruleset_attr, sizeof(ruleset_attr), 0); 1503 ASSERT_LE(0, ruleset_fd); 1504 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 1505 LANDLOCK_RULE_NET_PORT, 1506 &rule, 0)); 1507 enforce_ruleset(_metadata, ruleset_fd); 1508 EXPECT_EQ(0, close(ruleset_fd)); 1509 } 1510 ASSERT_LE(0, client_fd = socket_variant(&self->srv0)); 1511 1512 /* Check that implicit bind(0) in sendmsg() is denied. */ 1513 EXPECT_EQ(0, test_sendmsg(_metadata, &variant->prot, client_fd, 1514 srv0_fd, &self->srv0, restricted, 1515 false)); 1516 1517 /* Same thing for autobind in connect(). */ 1518 res = connect_variant(client_fd, &self->srv0); 1519 if (restricted) { 1520 EXPECT_EQ(-EACCES, res); 1521 } else { 1522 EXPECT_EQ(0, res); 1523 } 1524 EXPECT_EQ(0, close(client_fd)); 1525 1526 /* Make sendmsg() work by explicitly binding to the only allowed port. */ 1527 ASSERT_LE(0, client_fd = socket_variant(&self->srv0)); 1528 EXPECT_EQ(0, bind_variant(client_fd, &allowed_src)); 1529 EXPECT_EQ(0, test_sendmsg(_metadata, &variant->prot, client_fd, 1530 srv0_fd, &self->srv0, restricted, 1531 false)); 1532 EXPECT_EQ(0, close(client_fd)); 1533 1534 /* Make connect() work by explicitly binding to the only allowed port. */ 1535 ASSERT_LE(0, client_fd = socket_variant(&self->srv0)); 1536 EXPECT_EQ(0, bind_variant(client_fd, &allowed_src)); 1537 EXPECT_EQ(0, connect_variant(client_fd, &self->srv0)); 1538 EXPECT_EQ(0, close(client_fd)); 1539 1540 _exit(_metadata->exit_code); 1541 return; 1542 } 1543 EXPECT_EQ(child, waitpid(child, &status, 0)); 1544 EXPECT_EQ(1, WIFEXITED(status)); 1545 EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); 1546 1547 /* 1548 * Check that %LANDLOCK_ACCESS_NET_BIND_UDP on port 0 allows implicit 1549 * autobinds. 1550 */ 1551 child = fork(); 1552 ASSERT_LE(0, child); 1553 if (child == 0) { 1554 if (variant->sandbox == UDP_SANDBOX) { 1555 const struct landlock_ruleset_attr ruleset_attr = { 1556 .handled_access_net = 1557 LANDLOCK_ACCESS_NET_BIND_UDP, 1558 }; 1559 const struct landlock_net_port_attr rule = { 1560 .allowed_access = LANDLOCK_ACCESS_NET_BIND_UDP, 1561 .port = 0, 1562 }; 1563 const int ruleset_fd = landlock_create_ruleset( 1564 &ruleset_attr, sizeof(ruleset_attr), 0); 1565 ASSERT_LE(0, ruleset_fd); 1566 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 1567 LANDLOCK_RULE_NET_PORT, 1568 &rule, 0)); 1569 enforce_ruleset(_metadata, ruleset_fd); 1570 EXPECT_EQ(0, close(ruleset_fd)); 1571 } 1572 ASSERT_LE(0, client_fd = socket_variant(&self->srv0)); 1573 EXPECT_EQ(0, test_sendmsg(_metadata, &variant->prot, client_fd, 1574 srv0_fd, &self->srv0, false, false)); 1575 EXPECT_EQ(0, close(client_fd)); 1576 _exit(_metadata->exit_code); 1577 } 1578 EXPECT_EQ(child, waitpid(child, &status, 0)); 1579 EXPECT_EQ(1, WIFEXITED(status)); 1580 EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); 1581 } 1582 1583 TEST_F(protocol, sendmsg_unspec) 1584 { 1585 const bool restricted = is_restricted(&variant->prot, variant->sandbox); 1586 int client_fd, srv0_fd, srv1_fd, res; 1587 char read_buf[1] = { 0 }; 1588 1589 /* 1590 * We already test for the absence of influence on sendmsg for other 1591 * socket types and other address families, there's no point in adapting 1592 * this test for stream sockets too. 1593 */ 1594 if (variant->prot.type != SOCK_DGRAM) 1595 return; 1596 1597 /* Prepare client of the right family. */ 1598 ASSERT_LE(0, client_fd = socket_variant(&self->srv0)); 1599 1600 /* Prepare server on port #0 to be allowed. */ 1601 ASSERT_LE(0, srv0_fd = socket_variant(&self->srv0)); 1602 ASSERT_EQ(0, bind_variant(srv0_fd, &self->srv0)); 1603 1604 /* And another server on port #1 to be denied. */ 1605 ASSERT_LE(0, srv1_fd = socket_variant(&self->srv1)); 1606 ASSERT_EQ(0, bind_variant(srv1_fd, &self->srv1)); 1607 1608 if (variant->sandbox == UDP_SANDBOX) { 1609 const struct landlock_ruleset_attr ruleset_attr = { 1610 .handled_access_net = 1611 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP, 1612 }; 1613 const struct landlock_net_port_attr rule = { 1614 .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP, 1615 .port = self->srv0.port, 1616 }; 1617 const int ruleset_fd = landlock_create_ruleset( 1618 &ruleset_attr, sizeof(ruleset_attr), 0); 1619 ASSERT_LE(0, ruleset_fd); 1620 ASSERT_EQ(0, 1621 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 1622 &rule, 0)); 1623 enforce_ruleset(_metadata, ruleset_fd); 1624 EXPECT_EQ(0, close(ruleset_fd)); 1625 } 1626 1627 /* Explicit AF_UNSPEC address but truncated. */ 1628 EXPECT_EQ(-EINVAL, sendto_variant_addrlen( 1629 client_fd, &self->unspec_srv0, 1630 get_addrlen(&self->unspec_srv0, true) - 1, 1631 "A", 1, 0)); 1632 1633 /* 1634 * Explicit AF_UNSPEC address, should be treated as AF_INET by IPv4 1635 * sockets (and thus map to srv0, allowed), but be denied by IPv6 1636 * sockets. 1637 */ 1638 res = sendto_variant(client_fd, &self->unspec_srv0, "B", 1, 0); 1639 if (variant->prot.domain == AF_INET6) { 1640 if (restricted) { 1641 /* Always denied on IPv6 socket. */ 1642 EXPECT_EQ(-EACCES, res); 1643 } else { 1644 /* IPv6 sockets treat AF_UNSPEC as a NULL address. */ 1645 EXPECT_EQ(-EDESTADDRREQ, res); 1646 } 1647 } else if (variant->prot.domain == AF_INET) { 1648 ASSERT_EQ(0, res); 1649 EXPECT_EQ(1, read(srv0_fd, read_buf, 1)) 1650 { 1651 TH_LOG("read() failed: %s", strerror(errno)); 1652 } 1653 EXPECT_EQ(read_buf[0], 'B'); 1654 } else { 1655 /* Unix sockets don't accept AF_UNSPEC. */ 1656 EXPECT_EQ(-EINVAL, res); 1657 } 1658 1659 /* 1660 * Explicit AF_UNSPEC address, should be treated as AF_INET on IPv4 1661 * sockets (and thus map to srv1, denied), and be denied on IPv6 sockets 1662 * as always. 1663 */ 1664 res = sendto_variant(client_fd, &self->unspec_srv1, "C", 1, 0); 1665 if (variant->prot.domain == AF_INET6) { 1666 if (restricted) { 1667 /* Always denied on IPv6 socket. */ 1668 EXPECT_EQ(-EACCES, res); 1669 } else { 1670 /* IPv6 sockets treat AF_UNSPEC as a NULL address. */ 1671 EXPECT_EQ(-EDESTADDRREQ, res); 1672 } 1673 } else if (variant->prot.domain == AF_INET) { 1674 if (restricted) { 1675 /* Sending to srv1 is not allowed, only srv0. */ 1676 EXPECT_EQ(-EACCES, res); 1677 } else { 1678 ASSERT_EQ(0, res); 1679 EXPECT_EQ(1, read(srv1_fd, read_buf, 1)) 1680 { 1681 TH_LOG("read() failed: %s", strerror(errno)); 1682 } 1683 EXPECT_EQ(read_buf[0], 'C'); 1684 } 1685 } else { 1686 /* Unix sockets don't accept AF_UNSPEC. */ 1687 EXPECT_EQ(-EINVAL, res); 1688 } 1689 1690 ASSERT_EQ(0, connect_variant(client_fd, &self->srv0)); 1691 1692 /* Minimal explicit AF_UNSPEC address (just the sa_family_t field) */ 1693 res = sendto_variant_addrlen(client_fd, &self->unspec_srv0, 1694 get_addrlen(&self->unspec_srv0, true), "D", 1695 1, 0); 1696 if (variant->prot.domain == AF_INET6) { 1697 if (restricted) { 1698 /* AF_UNSPEC is always denied in IPv6. */ 1699 EXPECT_EQ(-EACCES, res); 1700 } else { 1701 /* 1702 * IPv6 sockets treat AF_UNSPEC as a NULL address, 1703 * falling back to the connected address. 1704 */ 1705 ASSERT_EQ(0, res); 1706 EXPECT_EQ(1, read(srv0_fd, read_buf, 1)); 1707 EXPECT_EQ(read_buf[0], 'D'); 1708 } 1709 } else { 1710 /* 1711 * IPv4 socket will expect a struct sockaddr_in, our address is 1712 * considered truncated. And Unix sockets don't accept 1713 * AF_UNSPEC at all. 1714 */ 1715 EXPECT_EQ(-EINVAL, res); 1716 } 1717 } 1718 1719 FIXTURE(ipv4) 1720 { 1721 struct service_fixture srv0, srv1; 1722 }; 1723 1724 FIXTURE_VARIANT(ipv4) 1725 { 1726 const enum sandbox_type sandbox; 1727 const int type; 1728 }; 1729 1730 /* clang-format off */ 1731 FIXTURE_VARIANT_ADD(ipv4, no_sandbox_with_tcp) { 1732 /* clang-format on */ 1733 .sandbox = NO_SANDBOX, 1734 .type = SOCK_STREAM, 1735 }; 1736 1737 /* clang-format off */ 1738 FIXTURE_VARIANT_ADD(ipv4, tcp_sandbox_with_tcp) { 1739 /* clang-format on */ 1740 .sandbox = TCP_SANDBOX, 1741 .type = SOCK_STREAM, 1742 }; 1743 1744 /* clang-format off */ 1745 FIXTURE_VARIANT_ADD(ipv4, udp_sandbox_with_tcp) { 1746 /* clang-format on */ 1747 .sandbox = UDP_SANDBOX, 1748 .type = SOCK_STREAM, 1749 }; 1750 1751 /* clang-format off */ 1752 FIXTURE_VARIANT_ADD(ipv4, no_sandbox_with_udp) { 1753 /* clang-format on */ 1754 .sandbox = NO_SANDBOX, 1755 .type = SOCK_DGRAM, 1756 }; 1757 1758 /* clang-format off */ 1759 FIXTURE_VARIANT_ADD(ipv4, tcp_sandbox_with_udp) { 1760 /* clang-format on */ 1761 .sandbox = TCP_SANDBOX, 1762 .type = SOCK_DGRAM, 1763 }; 1764 1765 /* clang-format off */ 1766 FIXTURE_VARIANT_ADD(ipv4, udp_sandbox_with_udp) { 1767 /* clang-format on */ 1768 .sandbox = UDP_SANDBOX, 1769 .type = SOCK_DGRAM, 1770 }; 1771 1772 FIXTURE_SETUP(ipv4) 1773 { 1774 const struct protocol_variant prot = { 1775 .domain = AF_INET, 1776 .type = variant->type, 1777 }; 1778 1779 disable_caps(_metadata); 1780 1781 set_service(&self->srv0, prot, 0); 1782 set_service(&self->srv1, prot, 1); 1783 1784 setup_loopback(_metadata); 1785 }; 1786 1787 FIXTURE_TEARDOWN(ipv4) 1788 { 1789 } 1790 1791 TEST_F(ipv4, from_unix_to_inet) 1792 { 1793 int unix_stream_fd, unix_dgram_fd; 1794 1795 if (variant->sandbox == TCP_SANDBOX || 1796 variant->sandbox == UDP_SANDBOX) { 1797 const __u64 access_rights = 1798 (variant->sandbox == TCP_SANDBOX ? 1799 LANDLOCK_ACCESS_NET_BIND_TCP | 1800 LANDLOCK_ACCESS_NET_CONNECT_TCP : 1801 LANDLOCK_ACCESS_NET_BIND_UDP | 1802 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 1803 const struct landlock_ruleset_attr ruleset_attr = { 1804 .handled_access_net = access_rights, 1805 }; 1806 const struct landlock_net_port_attr tcp_bind_connect_p0 = { 1807 .allowed_access = access_rights, 1808 .port = self->srv0.port, 1809 }; 1810 int ruleset_fd; 1811 1812 /* Denies connect and bind to check errno value. */ 1813 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 1814 sizeof(ruleset_attr), 0); 1815 ASSERT_LE(0, ruleset_fd); 1816 1817 /* Allows connect and bind for srv0. */ 1818 ASSERT_EQ(0, 1819 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 1820 &tcp_bind_connect_p0, 0)); 1821 1822 enforce_ruleset(_metadata, ruleset_fd); 1823 EXPECT_EQ(0, close(ruleset_fd)); 1824 } 1825 1826 unix_stream_fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); 1827 ASSERT_LE(0, unix_stream_fd); 1828 1829 unix_dgram_fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); 1830 ASSERT_LE(0, unix_dgram_fd); 1831 1832 /* Checks unix stream bind and connect for srv0. */ 1833 EXPECT_EQ(-EINVAL, bind_variant(unix_stream_fd, &self->srv0)); 1834 EXPECT_EQ(-EINVAL, connect_variant(unix_stream_fd, &self->srv0)); 1835 1836 /* Checks unix stream bind and connect for srv1. */ 1837 EXPECT_EQ(-EINVAL, bind_variant(unix_stream_fd, &self->srv1)) 1838 { 1839 TH_LOG("Wrong bind error: %s", strerror(errno)); 1840 } 1841 EXPECT_EQ(-EINVAL, connect_variant(unix_stream_fd, &self->srv1)); 1842 1843 /* Checks unix datagram bind and connect for srv0. */ 1844 EXPECT_EQ(-EINVAL, bind_variant(unix_dgram_fd, &self->srv0)); 1845 EXPECT_EQ(-EINVAL, connect_variant(unix_dgram_fd, &self->srv0)); 1846 1847 /* Checks unix datagram bind and connect for srv1. */ 1848 EXPECT_EQ(-EINVAL, bind_variant(unix_dgram_fd, &self->srv1)); 1849 EXPECT_EQ(-EINVAL, connect_variant(unix_dgram_fd, &self->srv1)); 1850 } 1851 1852 FIXTURE(tcp_layers) 1853 { 1854 struct service_fixture srv0, srv1; 1855 }; 1856 1857 FIXTURE_VARIANT(tcp_layers) 1858 { 1859 const size_t num_layers; 1860 const int domain; 1861 }; 1862 1863 FIXTURE_SETUP(tcp_layers) 1864 { 1865 const struct protocol_variant prot = { 1866 .domain = variant->domain, 1867 .type = SOCK_STREAM, 1868 }; 1869 1870 disable_caps(_metadata); 1871 1872 ASSERT_EQ(0, set_service(&self->srv0, prot, 0)); 1873 ASSERT_EQ(0, set_service(&self->srv1, prot, 1)); 1874 1875 setup_loopback(_metadata); 1876 }; 1877 1878 FIXTURE_TEARDOWN(tcp_layers) 1879 { 1880 } 1881 1882 /* clang-format off */ 1883 FIXTURE_VARIANT_ADD(tcp_layers, no_sandbox_with_ipv4) { 1884 /* clang-format on */ 1885 .domain = AF_INET, 1886 .num_layers = 0, 1887 }; 1888 1889 /* clang-format off */ 1890 FIXTURE_VARIANT_ADD(tcp_layers, one_sandbox_with_ipv4) { 1891 /* clang-format on */ 1892 .domain = AF_INET, 1893 .num_layers = 1, 1894 }; 1895 1896 /* clang-format off */ 1897 FIXTURE_VARIANT_ADD(tcp_layers, two_sandboxes_with_ipv4) { 1898 /* clang-format on */ 1899 .domain = AF_INET, 1900 .num_layers = 2, 1901 }; 1902 1903 /* clang-format off */ 1904 FIXTURE_VARIANT_ADD(tcp_layers, three_sandboxes_with_ipv4) { 1905 /* clang-format on */ 1906 .domain = AF_INET, 1907 .num_layers = 3, 1908 }; 1909 1910 /* clang-format off */ 1911 FIXTURE_VARIANT_ADD(tcp_layers, no_sandbox_with_ipv6) { 1912 /* clang-format on */ 1913 .domain = AF_INET6, 1914 .num_layers = 0, 1915 }; 1916 1917 /* clang-format off */ 1918 FIXTURE_VARIANT_ADD(tcp_layers, one_sandbox_with_ipv6) { 1919 /* clang-format on */ 1920 .domain = AF_INET6, 1921 .num_layers = 1, 1922 }; 1923 1924 /* clang-format off */ 1925 FIXTURE_VARIANT_ADD(tcp_layers, two_sandboxes_with_ipv6) { 1926 /* clang-format on */ 1927 .domain = AF_INET6, 1928 .num_layers = 2, 1929 }; 1930 1931 /* clang-format off */ 1932 FIXTURE_VARIANT_ADD(tcp_layers, three_sandboxes_with_ipv6) { 1933 /* clang-format on */ 1934 .domain = AF_INET6, 1935 .num_layers = 3, 1936 }; 1937 1938 TEST_F(tcp_layers, ruleset_overlap) 1939 { 1940 const struct landlock_ruleset_attr ruleset_attr = { 1941 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | 1942 LANDLOCK_ACCESS_NET_CONNECT_TCP, 1943 }; 1944 const struct landlock_net_port_attr tcp_bind = { 1945 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 1946 .port = self->srv0.port, 1947 }; 1948 const struct landlock_net_port_attr tcp_bind_connect = { 1949 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP | 1950 LANDLOCK_ACCESS_NET_CONNECT_TCP, 1951 .port = self->srv0.port, 1952 }; 1953 1954 if (variant->num_layers >= 1) { 1955 int ruleset_fd; 1956 1957 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 1958 sizeof(ruleset_attr), 0); 1959 ASSERT_LE(0, ruleset_fd); 1960 1961 /* Allows bind. */ 1962 ASSERT_EQ(0, 1963 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 1964 &tcp_bind, 0)); 1965 /* Also allows bind, but allows connect too. */ 1966 ASSERT_EQ(0, 1967 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 1968 &tcp_bind_connect, 0)); 1969 enforce_ruleset(_metadata, ruleset_fd); 1970 EXPECT_EQ(0, close(ruleset_fd)); 1971 } 1972 1973 if (variant->num_layers >= 2) { 1974 int ruleset_fd; 1975 1976 /* Creates another ruleset layer. */ 1977 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 1978 sizeof(ruleset_attr), 0); 1979 ASSERT_LE(0, ruleset_fd); 1980 1981 /* Only allows bind. */ 1982 ASSERT_EQ(0, 1983 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 1984 &tcp_bind, 0)); 1985 enforce_ruleset(_metadata, ruleset_fd); 1986 EXPECT_EQ(0, close(ruleset_fd)); 1987 } 1988 1989 if (variant->num_layers >= 3) { 1990 int ruleset_fd; 1991 1992 /* Creates another ruleset layer. */ 1993 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 1994 sizeof(ruleset_attr), 0); 1995 ASSERT_LE(0, ruleset_fd); 1996 1997 /* Try to allow bind and connect. */ 1998 ASSERT_EQ(0, 1999 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2000 &tcp_bind_connect, 0)); 2001 enforce_ruleset(_metadata, ruleset_fd); 2002 EXPECT_EQ(0, close(ruleset_fd)); 2003 } 2004 2005 /* 2006 * Forbids to connect to the socket because only one ruleset layer 2007 * allows connect. 2008 */ 2009 test_bind_and_connect(_metadata, &self->srv0, false, 2010 variant->num_layers >= 2); 2011 } 2012 2013 TEST_F(tcp_layers, ruleset_expand) 2014 { 2015 if (variant->num_layers >= 1) { 2016 const struct landlock_ruleset_attr ruleset_attr = { 2017 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP, 2018 }; 2019 /* Allows bind for srv0. */ 2020 const struct landlock_net_port_attr bind_srv0 = { 2021 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2022 .port = self->srv0.port, 2023 }; 2024 int ruleset_fd; 2025 2026 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 2027 sizeof(ruleset_attr), 0); 2028 ASSERT_LE(0, ruleset_fd); 2029 ASSERT_EQ(0, 2030 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2031 &bind_srv0, 0)); 2032 enforce_ruleset(_metadata, ruleset_fd); 2033 EXPECT_EQ(0, close(ruleset_fd)); 2034 } 2035 2036 if (variant->num_layers >= 2) { 2037 /* Expands network mask with connect action. */ 2038 const struct landlock_ruleset_attr ruleset_attr = { 2039 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | 2040 LANDLOCK_ACCESS_NET_CONNECT_TCP, 2041 }; 2042 /* Allows bind for srv0 and connect to srv0. */ 2043 const struct landlock_net_port_attr tcp_bind_connect_p0 = { 2044 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP | 2045 LANDLOCK_ACCESS_NET_CONNECT_TCP, 2046 .port = self->srv0.port, 2047 }; 2048 /* Try to allow bind for srv1. */ 2049 const struct landlock_net_port_attr tcp_bind_p1 = { 2050 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2051 .port = self->srv1.port, 2052 }; 2053 int ruleset_fd; 2054 2055 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 2056 sizeof(ruleset_attr), 0); 2057 ASSERT_LE(0, ruleset_fd); 2058 ASSERT_EQ(0, 2059 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2060 &tcp_bind_connect_p0, 0)); 2061 ASSERT_EQ(0, 2062 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2063 &tcp_bind_p1, 0)); 2064 enforce_ruleset(_metadata, ruleset_fd); 2065 EXPECT_EQ(0, close(ruleset_fd)); 2066 } 2067 2068 if (variant->num_layers >= 3) { 2069 const struct landlock_ruleset_attr ruleset_attr = { 2070 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | 2071 LANDLOCK_ACCESS_NET_CONNECT_TCP, 2072 }; 2073 /* Allows connect to srv0, without bind rule. */ 2074 const struct landlock_net_port_attr tcp_bind_p0 = { 2075 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2076 .port = self->srv0.port, 2077 }; 2078 int ruleset_fd; 2079 2080 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 2081 sizeof(ruleset_attr), 0); 2082 ASSERT_LE(0, ruleset_fd); 2083 ASSERT_EQ(0, 2084 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2085 &tcp_bind_p0, 0)); 2086 enforce_ruleset(_metadata, ruleset_fd); 2087 EXPECT_EQ(0, close(ruleset_fd)); 2088 } 2089 2090 test_bind_and_connect(_metadata, &self->srv0, false, 2091 variant->num_layers >= 3); 2092 2093 test_bind_and_connect(_metadata, &self->srv1, variant->num_layers >= 1, 2094 variant->num_layers >= 2); 2095 } 2096 2097 /* clang-format off */ 2098 FIXTURE(mini) {}; 2099 /* clang-format on */ 2100 2101 FIXTURE_SETUP(mini) 2102 { 2103 disable_caps(_metadata); 2104 2105 setup_loopback(_metadata); 2106 }; 2107 2108 FIXTURE_TEARDOWN(mini) 2109 { 2110 } 2111 2112 /* clang-format off */ 2113 2114 #define ACCESS_LAST LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP 2115 2116 #define ACCESS_ALL ( \ 2117 LANDLOCK_ACCESS_NET_BIND_TCP | \ 2118 LANDLOCK_ACCESS_NET_CONNECT_TCP | \ 2119 LANDLOCK_ACCESS_NET_BIND_UDP | \ 2120 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP) 2121 2122 /* clang-format on */ 2123 2124 TEST_F(mini, network_access_rights) 2125 { 2126 const struct landlock_ruleset_attr ruleset_attr = { 2127 .handled_access_net = ACCESS_ALL, 2128 }; 2129 struct landlock_net_port_attr net_port = { 2130 .port = sock_port_start, 2131 }; 2132 int ruleset_fd; 2133 __u64 access; 2134 2135 ruleset_fd = 2136 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 2137 ASSERT_LE(0, ruleset_fd); 2138 2139 for (access = 1; access <= ACCESS_LAST; access <<= 1) { 2140 net_port.allowed_access = access; 2141 EXPECT_EQ(0, 2142 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2143 &net_port, 0)) 2144 { 2145 TH_LOG("Failed to add rule with access 0x%llx: %s", 2146 (unsigned long long)access, strerror(errno)); 2147 } 2148 } 2149 EXPECT_EQ(0, close(ruleset_fd)); 2150 } 2151 2152 /* Checks invalid attribute, out of landlock network access range. */ 2153 TEST_F(mini, ruleset_with_unknown_access) 2154 { 2155 __u64 access_mask; 2156 2157 for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST; 2158 access_mask >>= 1) { 2159 const struct landlock_ruleset_attr ruleset_attr = { 2160 .handled_access_net = access_mask, 2161 }; 2162 2163 EXPECT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 2164 sizeof(ruleset_attr), 0)); 2165 EXPECT_EQ(EINVAL, errno); 2166 } 2167 } 2168 2169 TEST_F(mini, rule_with_unknown_access) 2170 { 2171 const struct landlock_ruleset_attr ruleset_attr = { 2172 .handled_access_net = ACCESS_ALL, 2173 }; 2174 struct landlock_net_port_attr net_port = { 2175 .port = sock_port_start, 2176 }; 2177 int ruleset_fd; 2178 __u64 access; 2179 2180 ruleset_fd = 2181 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 2182 ASSERT_LE(0, ruleset_fd); 2183 2184 for (access = 1ULL << 63; access != ACCESS_LAST; access >>= 1) { 2185 net_port.allowed_access = access; 2186 EXPECT_EQ(-1, 2187 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2188 &net_port, 0)); 2189 EXPECT_EQ(EINVAL, errno); 2190 } 2191 EXPECT_EQ(0, close(ruleset_fd)); 2192 } 2193 2194 TEST_F(mini, rule_with_unhandled_access) 2195 { 2196 struct landlock_ruleset_attr ruleset_attr = { 2197 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP, 2198 }; 2199 struct landlock_net_port_attr net_port = { 2200 .port = sock_port_start, 2201 }; 2202 int ruleset_fd; 2203 __u64 access; 2204 2205 ruleset_fd = 2206 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 2207 ASSERT_LE(0, ruleset_fd); 2208 2209 for (access = 1; access > 0; access <<= 1) { 2210 int err; 2211 2212 net_port.allowed_access = access; 2213 err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2214 &net_port, 0); 2215 if (access == ruleset_attr.handled_access_net) { 2216 EXPECT_EQ(0, err); 2217 } else { 2218 EXPECT_EQ(-1, err); 2219 EXPECT_EQ(EINVAL, errno); 2220 } 2221 } 2222 2223 EXPECT_EQ(0, close(ruleset_fd)); 2224 } 2225 2226 TEST_F(mini, inval) 2227 { 2228 const struct landlock_ruleset_attr ruleset_attr = { 2229 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP 2230 }; 2231 const struct landlock_net_port_attr tcp_bind_connect = { 2232 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP | 2233 LANDLOCK_ACCESS_NET_CONNECT_TCP, 2234 .port = sock_port_start, 2235 }; 2236 const struct landlock_net_port_attr tcp_denied = { 2237 .allowed_access = 0, 2238 .port = sock_port_start, 2239 }; 2240 const struct landlock_net_port_attr tcp_bind = { 2241 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2242 .port = sock_port_start, 2243 }; 2244 int ruleset_fd; 2245 2246 ruleset_fd = 2247 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 2248 ASSERT_LE(0, ruleset_fd); 2249 2250 /* Checks unhandled allowed_access. */ 2251 EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2252 &tcp_bind_connect, 0)); 2253 EXPECT_EQ(EINVAL, errno); 2254 2255 /* Checks zero access value. */ 2256 EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2257 &tcp_denied, 0)); 2258 EXPECT_EQ(ENOMSG, errno); 2259 2260 /* Adds with legitimate values. */ 2261 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2262 &tcp_bind, 0)); 2263 } 2264 2265 TEST_F(mini, tcp_port_overflow) 2266 { 2267 const struct landlock_ruleset_attr ruleset_attr = { 2268 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | 2269 LANDLOCK_ACCESS_NET_CONNECT_TCP, 2270 }; 2271 const struct landlock_net_port_attr port_max_bind = { 2272 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2273 .port = UINT16_MAX, 2274 }; 2275 const struct landlock_net_port_attr port_max_connect = { 2276 .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP, 2277 .port = UINT16_MAX, 2278 }; 2279 const struct landlock_net_port_attr port_overflow1 = { 2280 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2281 .port = UINT16_MAX + 1, 2282 }; 2283 const struct landlock_net_port_attr port_overflow2 = { 2284 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2285 .port = UINT16_MAX + 2, 2286 }; 2287 const struct landlock_net_port_attr port_overflow3 = { 2288 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2289 .port = UINT32_MAX + 1UL, 2290 }; 2291 const struct landlock_net_port_attr port_overflow4 = { 2292 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2293 .port = UINT32_MAX + 2UL, 2294 }; 2295 const struct protocol_variant ipv4_tcp = { 2296 .domain = AF_INET, 2297 .type = SOCK_STREAM, 2298 }; 2299 struct service_fixture srv_denied, srv_max_allowed; 2300 int ruleset_fd; 2301 2302 ASSERT_EQ(0, set_service(&srv_denied, ipv4_tcp, 0)); 2303 2304 /* Be careful to avoid port inconsistencies. */ 2305 srv_max_allowed = srv_denied; 2306 srv_max_allowed.port = port_max_bind.port; 2307 srv_max_allowed.ipv4_addr.sin_port = htons(port_max_bind.port); 2308 2309 ruleset_fd = 2310 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 2311 ASSERT_LE(0, ruleset_fd); 2312 2313 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2314 &port_max_bind, 0)); 2315 2316 EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2317 &port_overflow1, 0)); 2318 EXPECT_EQ(EINVAL, errno); 2319 2320 EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2321 &port_overflow2, 0)); 2322 EXPECT_EQ(EINVAL, errno); 2323 2324 EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2325 &port_overflow3, 0)); 2326 EXPECT_EQ(EINVAL, errno); 2327 2328 /* Interleaves with invalid rule additions. */ 2329 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2330 &port_max_connect, 0)); 2331 2332 EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2333 &port_overflow4, 0)); 2334 EXPECT_EQ(EINVAL, errno); 2335 2336 enforce_ruleset(_metadata, ruleset_fd); 2337 2338 test_bind_and_connect(_metadata, &srv_denied, true, true); 2339 test_bind_and_connect(_metadata, &srv_max_allowed, false, false); 2340 } 2341 2342 FIXTURE(ipv4_tcp) 2343 { 2344 struct service_fixture srv0, srv1; 2345 }; 2346 2347 FIXTURE_SETUP(ipv4_tcp) 2348 { 2349 const struct protocol_variant ipv4_tcp = { 2350 .domain = AF_INET, 2351 .type = SOCK_STREAM, 2352 }; 2353 2354 disable_caps(_metadata); 2355 2356 ASSERT_EQ(0, set_service(&self->srv0, ipv4_tcp, 0)); 2357 ASSERT_EQ(0, set_service(&self->srv1, ipv4_tcp, 1)); 2358 2359 setup_loopback(_metadata); 2360 }; 2361 2362 FIXTURE_TEARDOWN(ipv4_tcp) 2363 { 2364 } 2365 2366 TEST_F(ipv4_tcp, port_endianness) 2367 { 2368 const struct landlock_ruleset_attr ruleset_attr = { 2369 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | 2370 LANDLOCK_ACCESS_NET_CONNECT_TCP, 2371 }; 2372 const struct landlock_net_port_attr bind_host_endian_p0 = { 2373 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2374 /* Host port format. */ 2375 .port = self->srv0.port, 2376 }; 2377 const struct landlock_net_port_attr connect_big_endian_p0 = { 2378 .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP, 2379 /* Big endian port format. */ 2380 .port = htons(self->srv0.port), 2381 }; 2382 const struct landlock_net_port_attr bind_connect_host_endian_p1 = { 2383 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP | 2384 LANDLOCK_ACCESS_NET_CONNECT_TCP, 2385 /* Host port format. */ 2386 .port = self->srv1.port, 2387 }; 2388 const unsigned int one = 1; 2389 const char little_endian = *(const char *)&one; 2390 int ruleset_fd; 2391 2392 ruleset_fd = 2393 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 2394 ASSERT_LE(0, ruleset_fd); 2395 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2396 &bind_host_endian_p0, 0)); 2397 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2398 &connect_big_endian_p0, 0)); 2399 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2400 &bind_connect_host_endian_p1, 0)); 2401 enforce_ruleset(_metadata, ruleset_fd); 2402 2403 /* No restriction for big endinan CPU. */ 2404 test_bind_and_connect(_metadata, &self->srv0, false, little_endian); 2405 2406 /* No restriction for any CPU. */ 2407 test_bind_and_connect(_metadata, &self->srv1, false, false); 2408 } 2409 2410 TEST_F(ipv4_tcp, with_fs) 2411 { 2412 const struct landlock_ruleset_attr ruleset_attr_fs_net = { 2413 .handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR, 2414 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP, 2415 }; 2416 struct landlock_path_beneath_attr path_beneath = { 2417 .allowed_access = LANDLOCK_ACCESS_FS_READ_DIR, 2418 .parent_fd = -1, 2419 }; 2420 struct landlock_net_port_attr tcp_bind = { 2421 .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, 2422 .port = self->srv0.port, 2423 }; 2424 int ruleset_fd, bind_fd, dir_fd; 2425 2426 /* Creates ruleset both for filesystem and network access. */ 2427 ruleset_fd = landlock_create_ruleset(&ruleset_attr_fs_net, 2428 sizeof(ruleset_attr_fs_net), 0); 2429 ASSERT_LE(0, ruleset_fd); 2430 2431 /* Adds a filesystem rule. */ 2432 path_beneath.parent_fd = open("/dev", O_PATH | O_DIRECTORY | O_CLOEXEC); 2433 ASSERT_LE(0, path_beneath.parent_fd); 2434 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 2435 &path_beneath, 0)); 2436 EXPECT_EQ(0, close(path_beneath.parent_fd)); 2437 2438 /* Adds a network rule. */ 2439 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2440 &tcp_bind, 0)); 2441 2442 enforce_ruleset(_metadata, ruleset_fd); 2443 EXPECT_EQ(0, close(ruleset_fd)); 2444 2445 /* Tests file access. */ 2446 dir_fd = open("/dev", O_RDONLY); 2447 EXPECT_LE(0, dir_fd); 2448 EXPECT_EQ(0, close(dir_fd)); 2449 2450 dir_fd = open("/", O_RDONLY); 2451 EXPECT_EQ(-1, dir_fd); 2452 EXPECT_EQ(EACCES, errno); 2453 2454 /* Tests port binding. */ 2455 bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); 2456 ASSERT_LE(0, bind_fd); 2457 EXPECT_EQ(0, bind_variant(bind_fd, &self->srv0)); 2458 EXPECT_EQ(0, close(bind_fd)); 2459 2460 bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); 2461 ASSERT_LE(0, bind_fd); 2462 EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1)); 2463 } 2464 2465 FIXTURE(port_specific) 2466 { 2467 struct service_fixture srv0; 2468 struct service_fixture cli1; 2469 }; 2470 2471 FIXTURE_VARIANT(port_specific) 2472 { 2473 const enum sandbox_type sandbox; 2474 const struct protocol_variant prot; 2475 }; 2476 2477 /* clang-format off */ 2478 FIXTURE_VARIANT_ADD(port_specific, no_sandbox_with_ipv4) { 2479 /* clang-format on */ 2480 .sandbox = NO_SANDBOX, 2481 .prot = { 2482 .domain = AF_INET, 2483 .type = SOCK_STREAM, 2484 }, 2485 }; 2486 2487 /* clang-format off */ 2488 FIXTURE_VARIANT_ADD(port_specific, tcp_sandbox_with_ipv4) { 2489 /* clang-format on */ 2490 .sandbox = TCP_SANDBOX, 2491 .prot = { 2492 .domain = AF_INET, 2493 .type = SOCK_STREAM, 2494 }, 2495 }; 2496 2497 /* clang-format off */ 2498 FIXTURE_VARIANT_ADD(port_specific, udp_sandbox_with_ipv4) { 2499 /* clang-format on */ 2500 .sandbox = UDP_SANDBOX, 2501 .prot = { 2502 .domain = AF_INET, 2503 .type = SOCK_DGRAM, 2504 }, 2505 }; 2506 2507 /* clang-format off */ 2508 FIXTURE_VARIANT_ADD(port_specific, no_sandbox_with_ipv6) { 2509 /* clang-format on */ 2510 .sandbox = NO_SANDBOX, 2511 .prot = { 2512 .domain = AF_INET6, 2513 .type = SOCK_STREAM, 2514 }, 2515 }; 2516 2517 /* clang-format off */ 2518 FIXTURE_VARIANT_ADD(port_specific, tcp_sandbox_with_ipv6) { 2519 /* clang-format on */ 2520 .sandbox = TCP_SANDBOX, 2521 .prot = { 2522 .domain = AF_INET6, 2523 .type = SOCK_STREAM, 2524 }, 2525 }; 2526 2527 /* clang-format off */ 2528 FIXTURE_VARIANT_ADD(port_specific, udp_sandbox_with_ipv6) { 2529 /* clang-format on */ 2530 .sandbox = UDP_SANDBOX, 2531 .prot = { 2532 .domain = AF_INET6, 2533 .type = SOCK_DGRAM, 2534 }, 2535 }; 2536 2537 FIXTURE_SETUP(port_specific) 2538 { 2539 disable_caps(_metadata); 2540 2541 ASSERT_EQ(0, set_service(&self->srv0, variant->prot, 0)); 2542 ASSERT_EQ(0, set_service(&self->cli1, variant->prot, 1)); 2543 2544 setup_loopback(_metadata); 2545 }; 2546 2547 FIXTURE_TEARDOWN(port_specific) 2548 { 2549 } 2550 2551 TEST_F(port_specific, bind_connect_zero) 2552 { 2553 int bind_fd, connect_fd, ret; 2554 uint16_t port; 2555 2556 /* Adds a rule layer with bind and connect actions. */ 2557 if (variant->sandbox == TCP_SANDBOX || 2558 variant->sandbox == UDP_SANDBOX) { 2559 const __u64 access_rights = 2560 (variant->sandbox == TCP_SANDBOX ? 2561 LANDLOCK_ACCESS_NET_BIND_TCP | 2562 LANDLOCK_ACCESS_NET_CONNECT_TCP : 2563 LANDLOCK_ACCESS_NET_BIND_UDP | 2564 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 2565 const struct landlock_ruleset_attr ruleset_attr = { 2566 .handled_access_net = access_rights, 2567 }; 2568 const struct landlock_net_port_attr bind_connect_zero = { 2569 .allowed_access = access_rights, 2570 .port = 0, 2571 }; 2572 int ruleset_fd; 2573 2574 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 2575 sizeof(ruleset_attr), 0); 2576 ASSERT_LE(0, ruleset_fd); 2577 2578 /* Checks zero port value on bind and connect actions. */ 2579 EXPECT_EQ(0, 2580 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2581 &bind_connect_zero, 0)); 2582 2583 enforce_ruleset(_metadata, ruleset_fd); 2584 EXPECT_EQ(0, close(ruleset_fd)); 2585 } 2586 2587 bind_fd = socket_variant(&self->srv0); 2588 ASSERT_LE(0, bind_fd); 2589 2590 connect_fd = socket_variant(&self->srv0); 2591 ASSERT_LE(0, connect_fd); 2592 2593 /* Sets address port to 0 for both protocol families. */ 2594 set_port(&self->srv0, 0); 2595 /* 2596 * Binds on port 0, which selects a random port within 2597 * ip_local_port_range. 2598 */ 2599 ret = bind_variant(bind_fd, &self->srv0); 2600 EXPECT_EQ(0, ret); 2601 2602 if (variant->prot.type == SOCK_STREAM) 2603 EXPECT_EQ(0, listen(bind_fd, backlog)); 2604 2605 /* Connects on port 0. */ 2606 ret = connect_variant(connect_fd, &self->srv0); 2607 if (variant->prot.type == SOCK_STREAM) { 2608 EXPECT_EQ(-ECONNREFUSED, ret); 2609 } else { 2610 EXPECT_EQ(0, ret); 2611 } 2612 2613 /* Sets binded port for both protocol families. */ 2614 port = get_binded_port(bind_fd, &variant->prot); 2615 EXPECT_NE(0, port); 2616 set_port(&self->srv0, port); 2617 /* Connects on the binded port. */ 2618 ret = connect_variant(connect_fd, &self->srv0); 2619 if (is_restricted(&variant->prot, variant->sandbox)) { 2620 /* Denied by Landlock. */ 2621 EXPECT_EQ(-EACCES, ret); 2622 } else { 2623 EXPECT_EQ(0, ret); 2624 } 2625 2626 EXPECT_EQ(0, close(connect_fd)); 2627 EXPECT_EQ(0, close(bind_fd)); 2628 } 2629 2630 TEST_F(port_specific, bind_connect_1023) 2631 { 2632 int bind_fd, connect_fd, ret; 2633 2634 /* Adds a rule layer with bind and connect actions. */ 2635 if (variant->sandbox == TCP_SANDBOX || 2636 variant->sandbox == UDP_SANDBOX) { 2637 const __u64 bind_right = (variant->sandbox == TCP_SANDBOX ? 2638 LANDLOCK_ACCESS_NET_BIND_TCP : 2639 LANDLOCK_ACCESS_NET_BIND_UDP); 2640 const __u64 access_rights = 2641 (variant->sandbox == TCP_SANDBOX ? 2642 (LANDLOCK_ACCESS_NET_BIND_TCP | 2643 LANDLOCK_ACCESS_NET_CONNECT_TCP) : 2644 (LANDLOCK_ACCESS_NET_BIND_UDP | 2645 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP)); 2646 const struct landlock_ruleset_attr ruleset_attr = { 2647 .handled_access_net = access_rights, 2648 }; 2649 /* A rule with port value less than 1024. */ 2650 const struct landlock_net_port_attr bind_connect_low_range = { 2651 .allowed_access = access_rights, 2652 .port = 1023, 2653 }; 2654 /* A rule with 1024 port. */ 2655 const struct landlock_net_port_attr bind_connect = { 2656 .allowed_access = access_rights, 2657 .port = 1024, 2658 }; 2659 /* A rule with cli1's port, to use as source port. */ 2660 const struct landlock_net_port_attr srcport = { 2661 .allowed_access = bind_right, 2662 .port = self->cli1.port, 2663 }; 2664 int ruleset_fd; 2665 2666 ruleset_fd = landlock_create_ruleset(&ruleset_attr, 2667 sizeof(ruleset_attr), 0); 2668 ASSERT_LE(0, ruleset_fd); 2669 2670 ASSERT_EQ(0, 2671 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2672 &bind_connect_low_range, 0)); 2673 ASSERT_EQ(0, 2674 landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2675 &bind_connect, 0)); 2676 if (variant->sandbox == UDP_SANDBOX) { 2677 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 2678 LANDLOCK_RULE_NET_PORT, 2679 &srcport, 0)); 2680 } 2681 2682 enforce_ruleset(_metadata, ruleset_fd); 2683 EXPECT_EQ(0, close(ruleset_fd)); 2684 } 2685 2686 bind_fd = socket_variant(&self->srv0); 2687 ASSERT_LE(0, bind_fd); 2688 2689 /* Sets address port to 1023 for both protocol families. */ 2690 set_port(&self->srv0, 1023); 2691 /* Binds on port 1023. */ 2692 ret = bind_variant(bind_fd, &self->srv0); 2693 /* Denied by the system. */ 2694 EXPECT_EQ(-EACCES, ret); 2695 2696 /* Binds on port 1023. */ 2697 set_cap(_metadata, CAP_NET_BIND_SERVICE); 2698 ret = bind_variant(bind_fd, &self->srv0); 2699 clear_cap(_metadata, CAP_NET_BIND_SERVICE); 2700 EXPECT_EQ(0, ret); 2701 if (variant->prot.type == SOCK_STREAM) 2702 EXPECT_EQ(0, listen(bind_fd, backlog)); 2703 2704 connect_fd = socket_variant(&self->srv0); 2705 ASSERT_LE(0, connect_fd); 2706 if (variant->prot.type == SOCK_DGRAM) { 2707 /* 2708 * We are about to connect(), but bind() is restricted, so for 2709 * UDP sockets we need to use cli1's port as source port (the 2710 * only one we are allowed to use). 2711 */ 2712 EXPECT_EQ(0, bind_variant(connect_fd, &self->cli1)); 2713 } 2714 /* Connects on the binded port 1023. */ 2715 ret = connect_variant(connect_fd, &self->srv0); 2716 EXPECT_EQ(0, ret); 2717 2718 EXPECT_EQ(0, close(connect_fd)); 2719 EXPECT_EQ(0, close(bind_fd)); 2720 2721 bind_fd = socket_variant(&self->srv0); 2722 ASSERT_LE(0, bind_fd); 2723 2724 connect_fd = socket_variant(&self->srv0); 2725 ASSERT_LE(0, connect_fd); 2726 2727 /* Sets address port to 1024 for both protocol families. */ 2728 set_port(&self->srv0, 1024); 2729 /* Binds on port 1024. */ 2730 ret = bind_variant(bind_fd, &self->srv0); 2731 EXPECT_EQ(0, ret); 2732 if (variant->prot.type == SOCK_STREAM) 2733 EXPECT_EQ(0, listen(bind_fd, backlog)); 2734 if (variant->prot.type == SOCK_DGRAM) 2735 EXPECT_EQ(0, bind_variant(connect_fd, &self->cli1)); 2736 2737 /* Connects on the binded port 1024. */ 2738 ret = connect_variant(connect_fd, &self->srv0); 2739 EXPECT_EQ(0, ret); 2740 2741 EXPECT_EQ(0, close(connect_fd)); 2742 EXPECT_EQ(0, close(bind_fd)); 2743 } 2744 2745 /** 2746 * matches_auditlog - Check audit log for a network access denial 2747 * 2748 * @audit_fd: Audit file descriptor. 2749 * @blockers: A regex-escaped blocker string, e.g., "net\.bind_tcp". 2750 * @dir_addr: Either "saddr" or "daddr", ignored if addr is NULL. 2751 * @addr: A regex-escaped IP address string, or NULL. 2752 * @dir_port: Either "src" or "dest", ignored if addr is NULL. 2753 * @port: A port number, ignored if addr is NULL. 2754 */ 2755 static int matches_auditlog(const int audit_fd, const char *const blockers, 2756 const char *const dir_addr, const char *const addr, 2757 const char *const dir_port, const __u16 port) 2758 { 2759 static const char log_with_addrport_tmpl[] = REGEX_LANDLOCK_PREFIX 2760 " blockers=%s %s=%s %s=%u$"; 2761 static const char log_without_addrport_tmpl[] = REGEX_LANDLOCK_PREFIX 2762 " blockers=%s"; 2763 /* 2764 * Max strlen(blockers): 16 2765 * Max strlen(dir_addr): 5 2766 * Max strlen(addr): 12 2767 * Max strlen(dir_port): 4 2768 * Max strlen(%u port): 5 2769 */ 2770 char log_match[sizeof(log_with_addrport_tmpl) + 42]; 2771 int log_match_len; 2772 2773 if (addr == NULL) 2774 log_match_len = snprintf(log_match, sizeof(log_match), 2775 log_without_addrport_tmpl, blockers); 2776 else 2777 log_match_len = snprintf(log_match, sizeof(log_match), 2778 log_with_addrport_tmpl, blockers, 2779 dir_addr, addr, dir_port, port); 2780 if (log_match_len > sizeof(log_match)) 2781 return -E2BIG; 2782 2783 return audit_match_record(audit_fd, AUDIT_LANDLOCK_ACCESS, log_match, 2784 NULL); 2785 } 2786 2787 FIXTURE(audit) 2788 { 2789 struct service_fixture srv0; 2790 struct service_fixture srv1; 2791 /* srv2 has a rule with no access but quiet bit set. */ 2792 struct service_fixture srv2; 2793 struct service_fixture unspec_srv0; 2794 struct audit_filter audit_filter; 2795 int audit_fd; 2796 }; 2797 2798 FIXTURE_VARIANT(audit) 2799 { 2800 const char *const addr; 2801 const struct protocol_variant prot; 2802 }; 2803 2804 /* clang-format off */ 2805 FIXTURE_VARIANT_ADD(audit, ipv4_tcp) { 2806 /* clang-format on */ 2807 .addr = "127\\.0\\.0\\.1", 2808 .prot = { 2809 .domain = AF_INET, 2810 .type = SOCK_STREAM, 2811 }, 2812 }; 2813 2814 /* clang-format off */ 2815 FIXTURE_VARIANT_ADD(audit, ipv4_udp) { 2816 /* clang-format on */ 2817 .addr = "127\\.0\\.0\\.1", 2818 .prot = { 2819 .domain = AF_INET, 2820 .type = SOCK_DGRAM, 2821 }, 2822 }; 2823 2824 /* clang-format off */ 2825 FIXTURE_VARIANT_ADD(audit, ipv6_tcp) { 2826 /* clang-format on */ 2827 .addr = "::1", 2828 .prot = { 2829 .domain = AF_INET6, 2830 .type = SOCK_STREAM, 2831 }, 2832 }; 2833 2834 /* clang-format off */ 2835 FIXTURE_VARIANT_ADD(audit, ipv6_udp) { 2836 /* clang-format on */ 2837 .addr = "::1", 2838 .prot = { 2839 .domain = AF_INET6, 2840 .type = SOCK_DGRAM, 2841 }, 2842 }; 2843 2844 FIXTURE_SETUP(audit) 2845 { 2846 struct protocol_variant prot_unspec = variant->prot; 2847 2848 prot_unspec.domain = AF_UNSPEC; 2849 2850 ASSERT_EQ(0, set_service(&self->srv0, variant->prot, 0)); 2851 ASSERT_EQ(0, set_service(&self->srv1, variant->prot, 1)); 2852 ASSERT_EQ(0, set_service(&self->srv2, variant->prot, 2)); 2853 ASSERT_EQ(0, set_service(&self->unspec_srv0, prot_unspec, 0)); 2854 2855 setup_loopback(_metadata); 2856 2857 set_cap(_metadata, CAP_AUDIT_CONTROL); 2858 self->audit_fd = audit_init_with_exe_filter(&self->audit_filter); 2859 EXPECT_LE(0, self->audit_fd); 2860 disable_caps(_metadata); 2861 }; 2862 2863 FIXTURE_TEARDOWN(audit) 2864 { 2865 set_cap(_metadata, CAP_AUDIT_CONTROL); 2866 EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->audit_filter)); 2867 clear_cap(_metadata, CAP_AUDIT_CONTROL); 2868 } 2869 2870 TEST_F(audit, bind) 2871 { 2872 const char *audit_evt = (variant->prot.type == SOCK_STREAM ? 2873 "net\\.bind_tcp" : 2874 "net\\.bind_udp"); 2875 const __u64 access_rights = 2876 (variant->prot.type == SOCK_STREAM ? 2877 LANDLOCK_ACCESS_NET_BIND_TCP | 2878 LANDLOCK_ACCESS_NET_CONNECT_TCP : 2879 LANDLOCK_ACCESS_NET_BIND_UDP | 2880 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 2881 const struct landlock_ruleset_attr ruleset_attr = { 2882 .handled_access_net = access_rights, 2883 .quiet_access_net = access_rights, 2884 }; 2885 const struct landlock_net_port_attr quiet_rule = { 2886 .allowed_access = 0, 2887 .port = self->srv2.port, 2888 }; 2889 struct audit_records records; 2890 int ruleset_fd, sock_fd; 2891 2892 ruleset_fd = 2893 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 2894 ASSERT_LE(0, ruleset_fd); 2895 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2896 &quiet_rule, LANDLOCK_ADD_RULE_QUIET)); 2897 enforce_ruleset(_metadata, ruleset_fd); 2898 EXPECT_EQ(0, close(ruleset_fd)); 2899 2900 sock_fd = socket_variant(&self->srv0); 2901 ASSERT_LE(0, sock_fd); 2902 EXPECT_EQ(-EACCES, bind_variant(sock_fd, &self->srv0)); 2903 EXPECT_EQ(0, matches_auditlog(self->audit_fd, audit_evt, "saddr", 2904 variant->addr, "src", self->srv0.port)); 2905 2906 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 2907 EXPECT_EQ(0, records.access); 2908 EXPECT_EQ(1, records.domain); 2909 2910 EXPECT_EQ(0, close(sock_fd)); 2911 2912 /* Bind to srv2 (with quiet rule): no new audit logs. */ 2913 sock_fd = socket_variant(&self->srv2); 2914 ASSERT_LE(0, sock_fd); 2915 EXPECT_EQ(-EACCES, bind_variant(sock_fd, &self->srv2)); 2916 2917 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 2918 EXPECT_EQ(0, records.access); 2919 EXPECT_EQ(0, records.domain); 2920 2921 EXPECT_EQ(0, close(sock_fd)); 2922 } 2923 2924 TEST_F(audit, connect) 2925 { 2926 const char *audit_evt = (variant->prot.type == SOCK_STREAM ? 2927 "net\\.connect_tcp" : 2928 "net\\.connect_send_udp"); 2929 const __u64 bind_right = (variant->prot.type == SOCK_STREAM ? 2930 LANDLOCK_ACCESS_NET_BIND_TCP : 2931 LANDLOCK_ACCESS_NET_BIND_UDP); 2932 const __u64 conn_right = (variant->prot.type == SOCK_STREAM ? 2933 LANDLOCK_ACCESS_NET_CONNECT_TCP : 2934 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 2935 const __u64 access_rights = bind_right | conn_right; 2936 const struct landlock_ruleset_attr ruleset_attr = { 2937 .handled_access_net = access_rights, 2938 .quiet_access_net = access_rights, 2939 }; 2940 const struct landlock_net_port_attr rule_connect_p1 = { 2941 .allowed_access = conn_right, 2942 .port = self->srv1.port, 2943 }; 2944 const struct landlock_net_port_attr quiet_rule = { 2945 .allowed_access = 0, 2946 .port = self->srv2.port, 2947 }; 2948 struct audit_records records; 2949 int ruleset_fd, sock_fd; 2950 2951 ruleset_fd = 2952 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 2953 ASSERT_LE(0, ruleset_fd); 2954 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2955 &rule_connect_p1, 0)); 2956 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 2957 &quiet_rule, LANDLOCK_ADD_RULE_QUIET)); 2958 enforce_ruleset(_metadata, ruleset_fd); 2959 EXPECT_EQ(0, close(ruleset_fd)); 2960 2961 sock_fd = socket_variant(&self->srv0); 2962 ASSERT_LE(0, sock_fd); 2963 EXPECT_EQ(-EACCES, connect_variant(sock_fd, &self->srv0)); 2964 EXPECT_EQ(0, matches_auditlog(self->audit_fd, audit_evt, "daddr", 2965 variant->addr, "dest", self->srv0.port)); 2966 2967 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 2968 EXPECT_EQ(0, records.access); 2969 EXPECT_EQ(1, records.domain); 2970 2971 if (variant->prot.type == SOCK_DGRAM) { 2972 /* Check that autobind generates a denied bind event. */ 2973 EXPECT_EQ(-EACCES, connect_variant(sock_fd, &self->srv1)); 2974 2975 EXPECT_EQ(0, matches_auditlog(self->audit_fd, "net\\.bind_udp", 2976 NULL, NULL, NULL, 0)); 2977 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 2978 EXPECT_EQ(0, records.access); 2979 EXPECT_EQ(0, records.domain); 2980 } 2981 2982 EXPECT_EQ(0, close(sock_fd)); 2983 2984 /* Connect to srv2 (with quiet rule): no new audit logs. */ 2985 sock_fd = socket_variant(&self->srv2); 2986 ASSERT_LE(0, sock_fd); 2987 EXPECT_EQ(-EACCES, connect_variant(sock_fd, &self->srv2)); 2988 2989 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 2990 EXPECT_EQ(0, records.access); 2991 EXPECT_EQ(0, records.domain); 2992 2993 EXPECT_EQ(0, close(sock_fd)); 2994 } 2995 2996 /* Quieting bind access has no effect on connect. */ 2997 TEST_F(audit, connect_quiet_bind) 2998 { 2999 const char *audit_evt = (variant->prot.type == SOCK_STREAM ? 3000 "net\\.connect_tcp" : 3001 "net\\.connect_send_udp"); 3002 const int bind_right = (variant->prot.type == SOCK_STREAM ? 3003 LANDLOCK_ACCESS_NET_BIND_TCP : 3004 LANDLOCK_ACCESS_NET_BIND_UDP); 3005 const int conn_right = (variant->prot.type == SOCK_STREAM ? 3006 LANDLOCK_ACCESS_NET_CONNECT_TCP : 3007 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 3008 const int access_rights = bind_right | conn_right; 3009 const struct landlock_ruleset_attr ruleset_attr = { 3010 .handled_access_net = access_rights, 3011 .quiet_access_net = bind_right, 3012 }; 3013 const struct landlock_ruleset_attr ruleset_attr_2 = { 3014 .handled_access_net = access_rights, 3015 .quiet_access_net = conn_right, 3016 }; 3017 const struct landlock_net_port_attr quiet_rule = { 3018 .allowed_access = 0, 3019 .port = self->srv2.port, 3020 }; 3021 struct audit_records records; 3022 int ruleset_fd, sock_fd; 3023 3024 ruleset_fd = 3025 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 3026 ASSERT_LE(0, ruleset_fd); 3027 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 3028 &quiet_rule, LANDLOCK_ADD_RULE_QUIET)); 3029 enforce_ruleset(_metadata, ruleset_fd); 3030 EXPECT_EQ(0, close(ruleset_fd)); 3031 3032 sock_fd = socket_variant(&self->srv2); 3033 ASSERT_LE(0, sock_fd); 3034 EXPECT_EQ(-EACCES, connect_variant(sock_fd, &self->srv2)); 3035 EXPECT_EQ(0, matches_auditlog(self->audit_fd, audit_evt, "daddr", 3036 variant->addr, "dest", self->srv2.port)); 3037 3038 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 3039 EXPECT_EQ(0, records.access); 3040 3041 EXPECT_EQ(0, close(sock_fd)); 3042 3043 /* New layer that also denies connect but has the correct quiet bit. */ 3044 ruleset_fd = landlock_create_ruleset(&ruleset_attr_2, 3045 sizeof(ruleset_attr_2), 0); 3046 ASSERT_LE(0, ruleset_fd); 3047 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 3048 &quiet_rule, LANDLOCK_ADD_RULE_QUIET)); 3049 enforce_ruleset(_metadata, ruleset_fd); 3050 EXPECT_EQ(0, close(ruleset_fd)); 3051 3052 sock_fd = socket_variant(&self->srv2); 3053 ASSERT_LE(0, sock_fd); 3054 EXPECT_EQ(-EACCES, connect_variant(sock_fd, &self->srv2)); 3055 3056 /* Quieted - no logs expected. */ 3057 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 3058 EXPECT_EQ(0, records.access); 3059 3060 EXPECT_EQ(0, close(sock_fd)); 3061 } 3062 3063 static int matches_log_connect_bound(int audit_fd, const char *const blockers, 3064 const char *const addr, __u16 lport, 3065 __u16 dport) 3066 { 3067 static const char log_template[] = REGEX_LANDLOCK_PREFIX 3068 " blockers=%s laddr=%s lport=%u daddr=%s dest=%u$"; 3069 /* Slack for the blockers, two addresses and two port numbers. */ 3070 char log_match[sizeof(log_template) + 60]; 3071 int log_match_len; 3072 3073 log_match_len = snprintf(log_match, sizeof(log_match), log_template, 3074 blockers, addr, lport, addr, dport); 3075 if (log_match_len > sizeof(log_match)) 3076 return -E2BIG; 3077 3078 return audit_match_record(audit_fd, AUDIT_LANDLOCK_ACCESS, log_match, 3079 NULL); 3080 } 3081 3082 /* 3083 * After a bind() to an allowed port, a denied connect must report laddr/lport 3084 * from the bound socket (made available through audit_net.sk) in addition to 3085 * the connect sockaddr's daddr/dest. 3086 */ 3087 TEST_F(audit, connect_bound) 3088 { 3089 const __u64 bind_right = (variant->prot.type == SOCK_STREAM ? 3090 LANDLOCK_ACCESS_NET_BIND_TCP : 3091 LANDLOCK_ACCESS_NET_BIND_UDP); 3092 const __u64 conn_right = (variant->prot.type == SOCK_STREAM ? 3093 LANDLOCK_ACCESS_NET_CONNECT_TCP : 3094 LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP); 3095 const char *const audit_evt = (variant->prot.type == SOCK_STREAM ? 3096 "net\\.connect_tcp" : 3097 "net\\.connect_send_udp"); 3098 const struct landlock_ruleset_attr ruleset_attr = { 3099 .handled_access_net = bind_right | conn_right, 3100 }; 3101 const struct landlock_net_port_attr rule_bind = { 3102 .allowed_access = bind_right, 3103 .port = self->srv0.port, 3104 }; 3105 struct service_fixture srv_remote; 3106 struct audit_records records; 3107 int ruleset_fd, sock_fd; 3108 3109 /* Uses a second port as the denied connect target. */ 3110 ASSERT_EQ(0, set_service(&srv_remote, variant->prot, 1)); 3111 3112 ruleset_fd = 3113 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 3114 ASSERT_LE(0, ruleset_fd); 3115 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 3116 &rule_bind, 0)); 3117 enforce_ruleset(_metadata, ruleset_fd); 3118 EXPECT_EQ(0, close(ruleset_fd)); 3119 3120 sock_fd = socket_variant(&self->srv0); 3121 ASSERT_LE(0, sock_fd); 3122 EXPECT_EQ(0, bind_variant(sock_fd, &self->srv0)); 3123 EXPECT_EQ(-EACCES, connect_variant(sock_fd, &srv_remote)); 3124 EXPECT_EQ(0, matches_log_connect_bound(self->audit_fd, audit_evt, 3125 variant->addr, self->srv0.port, 3126 srv_remote.port)); 3127 3128 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 3129 EXPECT_EQ(0, records.access); 3130 EXPECT_EQ(1, records.domain); 3131 3132 EXPECT_EQ(0, close(sock_fd)); 3133 } 3134 3135 TEST_F(audit, sendmsg) 3136 { 3137 const struct landlock_ruleset_attr ruleset_attr = { 3138 .handled_access_net = LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP | 3139 LANDLOCK_ACCESS_NET_BIND_UDP, 3140 }; 3141 const struct landlock_net_port_attr rule = { 3142 .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP, 3143 .port = self->srv1.port, 3144 }; 3145 struct audit_records records; 3146 int ruleset_fd; 3147 int sock_fd; 3148 3149 /* Sendmsg on stream sockets is never denied. */ 3150 if (variant->prot.type != SOCK_DGRAM) 3151 return; 3152 3153 ruleset_fd = 3154 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 3155 ASSERT_LE(0, ruleset_fd); 3156 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 3157 &rule, 0)); 3158 enforce_ruleset(_metadata, ruleset_fd); 3159 EXPECT_EQ(0, close(ruleset_fd)); 3160 3161 sock_fd = socket_variant(&self->srv0); 3162 ASSERT_LE(0, sock_fd); 3163 EXPECT_EQ(-EACCES, sendto_variant(sock_fd, &self->srv0, "A", 1, 0)); 3164 EXPECT_EQ(0, matches_auditlog(self->audit_fd, "net\\.connect_send_udp", 3165 "daddr", variant->addr, "dest", 3166 self->srv0.port)); 3167 3168 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 3169 EXPECT_EQ(0, records.access); 3170 EXPECT_EQ(1, records.domain); 3171 3172 /* Check that autobind generates a denied bind event. */ 3173 EXPECT_EQ(-EACCES, sendto_variant(sock_fd, &self->srv1, "A", 1, 0)); 3174 EXPECT_EQ(0, matches_auditlog(self->audit_fd, "net\\.bind_udp", NULL, 3175 NULL, NULL, 0)); 3176 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 3177 EXPECT_EQ(0, records.access); 3178 EXPECT_EQ(0, records.domain); 3179 3180 EXPECT_EQ(-EACCES, 3181 sendto_variant(sock_fd, &self->unspec_srv0, "B", 1, 0)); 3182 EXPECT_EQ(0, matches_auditlog(self->audit_fd, "net\\.connect_send_udp", 3183 "daddr", NULL, "dest", 0)); 3184 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records)); 3185 EXPECT_EQ(0, records.access); 3186 EXPECT_EQ(0, records.domain); 3187 3188 EXPECT_EQ(0, close(sock_fd)); 3189 } 3190 3191 TEST_HARNESS_MAIN 3192