/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Landlock scoped_domains test variant definition.
 *
 * This file defines a fixture variant "scoped_domains" that covers all
 * permutations of the parent and child processes being in separate or
 * shared Landlock domains, or in no Landlock domain at all.
 *
 * Scoped access tests can include this file to avoid repeating these
 * combinations.
 *
 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2019-2020 ANSSI
 * Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com>
 */

/* clang-format on */
/*
 * Per-variant parameters: which Landlock domains surround the parent process
 * (drawn as P1 in the variant diagrams) and the child process (P2).
 *
 * Going by the expectations listed with each variant, P1 -> P2 is expected to
 * be denied exactly when domain_parent is set, and P2 -> P1 exactly when
 * domain_child is set; domain_both on its own denies nothing.  The operation
 * attempted in each direction is defined by the test that includes this file.
 *
 * The "deny" expectations are the security-relevant half of the matrix: a
 * test using these variants should assert them explicitly, not only check
 * that the "allow" cases succeed.
 */
FIXTURE_VARIANT(scoped_domains)
{
	/* Parent and child share one domain ("inherited" in the diagrams). */
	bool domain_both;
	/* Parent (P1) is in a domain of its own that does not contain P2. */
	bool domain_parent;
	/* Child (P2) is in a domain of its own that does not contain P1. */
	bool domain_child;
};

/*
 *        No domain
 *
 *   P1-.               P1 -> P2 : allow
 *       \              P2 -> P1 : allow
 *        'P2
 *
 * Baseline: neither the parent (P1) nor the child (P2) is in a Landlock
 * domain, so both directions are expected to be allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, without_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = false,
	.domain_child = false,
};

/*
 *        Child domain
 *
 *   P1--.              P1 -> P2 : allow
 *        \             P2 -> P1 : deny
 *        .'-----.
 *        |  P2  |
 *        '------'
 *
 * Only the child (P2) is in a domain.  The child is expected to be denied
 * when it targets the parent, which is outside that domain; the unconfined
 * parent can still reach the child.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, child_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = false,
	.domain_child = true,
};

/*
 *        Parent domain
 * .------.
 * |  P1  --.           P1 -> P2 : deny
 * '------'  \          P2 -> P1 : allow
 *            '
 *            P2
 *
 * Only the parent (P1) is in a domain, and the child (P2) is outside it.
 * The parent is expected to be denied when it targets the child; the
 * unconfined child can still reach the parent.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, parent_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = true,
	.domain_child = false,
};

/*
 *        Parent + child domain (siblings)
 * .------.
 * |  P1  ---.          P1 -> P2 : deny
 * '------'   \         P2 -> P1 : deny
 *         .---'--.
 *         |  P2  |
 *         '------'
 *
 * Parent and child are each in a separate domain with no shared enclosing
 * domain.  Each process is outside the other's domain, so both directions
 * are expected to be denied.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, sibling_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = true,
	.domain_child = true,
};

/*
 *         Same domain (inherited)
 * .-------------.
 * | P1----.     |      P1 -> P2 : allow
 * |        \    |      P2 -> P1 : allow
 * |         '   |
 * |         P2  |
 * '-------------'
 *
 * Parent and child sit in one shared domain and neither has a domain of its
 * own.  Both directions stay inside that domain and are expected to be
 * allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, inherited_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = false,
	.domain_child = false,
};

/*
 *         Inherited + child domain
 * .-----------------.
 * |  P1----.        |  P1 -> P2 : allow
 * |         \       |  P2 -> P1 : deny
 * |        .-'----. |
 * |        |  P2  | |
 * |        '------' |
 * '-----------------'
 *
 * Both processes share an outer domain and the child (P2) is also in a
 * nested domain of its own.  The child is expected to be denied when it
 * targets the parent outside the nested domain; the parent can still reach
 * the child.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, nested_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = false,
	.domain_child = true,
};

/*
 *         Inherited + parent domain
 * .-----------------.
 * |.------.         |  P1 -> P2 : deny
 * ||  P1  ----.     |  P2 -> P1 : allow
 * |'------'    \    |
 * |             '   |
 * |             P2  |
 * '-----------------'
 *
 * Both processes share an outer domain and the parent (P1) is also in a
 * nested domain of its own.  The parent is expected to be denied when it
 * targets the child outside the nested domain; the child can still reach
 * the parent.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, nested_and_parent_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = true,
	.domain_child = false,
};

/*
 *         Inherited + parent and child domain (siblings)
 * .-----------------.
 * | .------.        |  P1 -> P2 : deny
 * | |  P1  .        |  P2 -> P1 : deny
 * | '------'\       |
 * |          \      |
 * |        .--'---. |
 * |        |  P2  | |
 * |        '------' |
 * '-----------------'
 *
 * Both processes share an outer domain and each is also in a nested domain
 * of its own.  Both directions are expected to be denied: the shared outer
 * domain does not re-allow access between the two inner domains.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, forked_domains) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = true,
	.domain_child = true,
};