xref: /linux/tools/testing/selftests/landlock/fs_test.c (revision 24bce201d79807b668bf9d9e0aca801c5c0d5f78)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Landlock tests - Filesystem
4  *
5  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2020 ANSSI
7  * Copyright © 2020-2021 Microsoft Corporation
8  */
9 
10 #define _GNU_SOURCE
11 #include <fcntl.h>
12 #include <linux/landlock.h>
13 #include <sched.h>
14 #include <string.h>
15 #include <sys/capability.h>
16 #include <sys/mount.h>
17 #include <sys/prctl.h>
18 #include <sys/sendfile.h>
19 #include <sys/stat.h>
20 #include <sys/sysmacros.h>
21 #include <unistd.h>
22 
23 #include "common.h"
24 
25 #ifndef renameat2
26 int renameat2(int olddirfd, const char *oldpath, int newdirfd,
27 	      const char *newpath, unsigned int flags)
28 {
29 	return syscall(__NR_renameat2, olddirfd, oldpath, newdirfd, newpath,
30 		       flags);
31 }
32 #endif
33 
34 #ifndef RENAME_EXCHANGE
35 #define RENAME_EXCHANGE (1 << 1)
36 #endif
37 
38 #define TMP_DIR "tmp"
39 #define BINARY_PATH "./true"
40 
41 /* Paths (sibling number and depth) */
42 static const char dir_s1d1[] = TMP_DIR "/s1d1";
43 static const char file1_s1d1[] = TMP_DIR "/s1d1/f1";
44 static const char file2_s1d1[] = TMP_DIR "/s1d1/f2";
45 static const char dir_s1d2[] = TMP_DIR "/s1d1/s1d2";
46 static const char file1_s1d2[] = TMP_DIR "/s1d1/s1d2/f1";
47 static const char file2_s1d2[] = TMP_DIR "/s1d1/s1d2/f2";
48 static const char dir_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3";
49 static const char file1_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f1";
50 static const char file2_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f2";
51 
52 static const char dir_s2d1[] = TMP_DIR "/s2d1";
53 static const char file1_s2d1[] = TMP_DIR "/s2d1/f1";
54 static const char dir_s2d2[] = TMP_DIR "/s2d1/s2d2";
55 static const char file1_s2d2[] = TMP_DIR "/s2d1/s2d2/f1";
56 static const char dir_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3";
57 static const char file1_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f1";
58 static const char file2_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f2";
59 
60 static const char dir_s3d1[] = TMP_DIR "/s3d1";
61 /* dir_s3d2 is a mount point. */
62 static const char dir_s3d2[] = TMP_DIR "/s3d1/s3d2";
63 static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3";
64 
65 /*
66  * layout1 hierarchy:
67  *
68  * tmp
69  * ├── s1d1
70  * │   ├── f1
71  * │   ├── f2
72  * │   └── s1d2
73  * │       ├── f1
74  * │       ├── f2
75  * │       └── s1d3
76  * │           ├── f1
77  * │           └── f2
78  * ├── s2d1
79  * │   ├── f1
80  * │   └── s2d2
81  * │       ├── f1
82  * │       └── s2d3
83  * │           ├── f1
84  * │           └── f2
85  * └── s3d1
86  *     └── s3d2
87  *         └── s3d3
88  */
89 
90 static void mkdir_parents(struct __test_metadata *const _metadata,
91 			  const char *const path)
92 {
93 	char *walker;
94 	const char *parent;
95 	int i, err;
96 
97 	ASSERT_NE(path[0], '\0');
98 	walker = strdup(path);
99 	ASSERT_NE(NULL, walker);
100 	parent = walker;
101 	for (i = 1; walker[i]; i++) {
102 		if (walker[i] != '/')
103 			continue;
104 		walker[i] = '\0';
105 		err = mkdir(parent, 0700);
106 		ASSERT_FALSE(err && errno != EEXIST)
107 		{
108 			TH_LOG("Failed to create directory \"%s\": %s", parent,
109 			       strerror(errno));
110 		}
111 		walker[i] = '/';
112 	}
113 	free(walker);
114 }
115 
116 static void create_directory(struct __test_metadata *const _metadata,
117 			     const char *const path)
118 {
119 	mkdir_parents(_metadata, path);
120 	ASSERT_EQ(0, mkdir(path, 0700))
121 	{
122 		TH_LOG("Failed to create directory \"%s\": %s", path,
123 		       strerror(errno));
124 	}
125 }
126 
127 static void create_file(struct __test_metadata *const _metadata,
128 			const char *const path)
129 {
130 	mkdir_parents(_metadata, path);
131 	ASSERT_EQ(0, mknod(path, S_IFREG | 0700, 0))
132 	{
133 		TH_LOG("Failed to create file \"%s\": %s", path,
134 		       strerror(errno));
135 	}
136 }
137 
138 static int remove_path(const char *const path)
139 {
140 	char *walker;
141 	int i, ret, err = 0;
142 
143 	walker = strdup(path);
144 	if (!walker) {
145 		err = ENOMEM;
146 		goto out;
147 	}
148 	if (unlink(path) && rmdir(path)) {
149 		if (errno != ENOENT && errno != ENOTDIR)
150 			err = errno;
151 		goto out;
152 	}
153 	for (i = strlen(walker); i > 0; i--) {
154 		if (walker[i] != '/')
155 			continue;
156 		walker[i] = '\0';
157 		ret = rmdir(walker);
158 		if (ret) {
159 			if (errno != ENOTEMPTY && errno != EBUSY)
160 				err = errno;
161 			goto out;
162 		}
163 		if (strcmp(walker, TMP_DIR) == 0)
164 			goto out;
165 	}
166 
167 out:
168 	free(walker);
169 	return err;
170 }
171 
172 static void prepare_layout(struct __test_metadata *const _metadata)
173 {
174 	disable_caps(_metadata);
175 	umask(0077);
176 	create_directory(_metadata, TMP_DIR);
177 
178 	/*
179 	 * Do not pollute the rest of the system: creates a private mount point
180 	 * for tests relying on pivot_root(2) and move_mount(2).
181 	 */
182 	set_cap(_metadata, CAP_SYS_ADMIN);
183 	ASSERT_EQ(0, unshare(CLONE_NEWNS));
184 	ASSERT_EQ(0, mount("tmp", TMP_DIR, "tmpfs", 0, "size=4m,mode=700"));
185 	ASSERT_EQ(0, mount(NULL, TMP_DIR, NULL, MS_PRIVATE | MS_REC, NULL));
186 	clear_cap(_metadata, CAP_SYS_ADMIN);
187 }
188 
189 static void cleanup_layout(struct __test_metadata *const _metadata)
190 {
191 	set_cap(_metadata, CAP_SYS_ADMIN);
192 	EXPECT_EQ(0, umount(TMP_DIR));
193 	clear_cap(_metadata, CAP_SYS_ADMIN);
194 	EXPECT_EQ(0, remove_path(TMP_DIR));
195 }
196 
197 static void create_layout1(struct __test_metadata *const _metadata)
198 {
199 	create_file(_metadata, file1_s1d1);
200 	create_file(_metadata, file1_s1d2);
201 	create_file(_metadata, file1_s1d3);
202 	create_file(_metadata, file2_s1d1);
203 	create_file(_metadata, file2_s1d2);
204 	create_file(_metadata, file2_s1d3);
205 
206 	create_file(_metadata, file1_s2d1);
207 	create_file(_metadata, file1_s2d2);
208 	create_file(_metadata, file1_s2d3);
209 	create_file(_metadata, file2_s2d3);
210 
211 	create_directory(_metadata, dir_s3d2);
212 	set_cap(_metadata, CAP_SYS_ADMIN);
213 	ASSERT_EQ(0, mount("tmp", dir_s3d2, "tmpfs", 0, "size=4m,mode=700"));
214 	clear_cap(_metadata, CAP_SYS_ADMIN);
215 
216 	ASSERT_EQ(0, mkdir(dir_s3d3, 0700));
217 }
218 
219 static void remove_layout1(struct __test_metadata *const _metadata)
220 {
221 	EXPECT_EQ(0, remove_path(file2_s1d3));
222 	EXPECT_EQ(0, remove_path(file2_s1d2));
223 	EXPECT_EQ(0, remove_path(file2_s1d1));
224 	EXPECT_EQ(0, remove_path(file1_s1d3));
225 	EXPECT_EQ(0, remove_path(file1_s1d2));
226 	EXPECT_EQ(0, remove_path(file1_s1d1));
227 
228 	EXPECT_EQ(0, remove_path(file2_s2d3));
229 	EXPECT_EQ(0, remove_path(file1_s2d3));
230 	EXPECT_EQ(0, remove_path(file1_s2d2));
231 	EXPECT_EQ(0, remove_path(file1_s2d1));
232 
233 	EXPECT_EQ(0, remove_path(dir_s3d3));
234 	set_cap(_metadata, CAP_SYS_ADMIN);
235 	umount(dir_s3d2);
236 	clear_cap(_metadata, CAP_SYS_ADMIN);
237 	EXPECT_EQ(0, remove_path(dir_s3d2));
238 }
239 
240 /* clang-format off */
241 FIXTURE(layout1) {};
242 /* clang-format on */
243 
244 FIXTURE_SETUP(layout1)
245 {
246 	prepare_layout(_metadata);
247 
248 	create_layout1(_metadata);
249 }
250 
251 FIXTURE_TEARDOWN(layout1)
252 {
253 	remove_layout1(_metadata);
254 
255 	cleanup_layout(_metadata);
256 }
257 
258 /*
259  * This helper enables to use the ASSERT_* macros and print the line number
260  * pointing to the test caller.
261  */
262 static int test_open_rel(const int dirfd, const char *const path,
263 			 const int flags)
264 {
265 	int fd;
266 
267 	/* Works with file and directories. */
268 	fd = openat(dirfd, path, flags | O_CLOEXEC);
269 	if (fd < 0)
270 		return errno;
271 	/*
272 	 * Mixing error codes from close(2) and open(2) should not lead to any
273 	 * (access type) confusion for this test.
274 	 */
275 	if (close(fd) != 0)
276 		return errno;
277 	return 0;
278 }
279 
280 static int test_open(const char *const path, const int flags)
281 {
282 	return test_open_rel(AT_FDCWD, path, flags);
283 }
284 
285 TEST_F_FORK(layout1, no_restriction)
286 {
287 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
288 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
289 	ASSERT_EQ(0, test_open(file2_s1d1, O_RDONLY));
290 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
291 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
292 	ASSERT_EQ(0, test_open(file2_s1d2, O_RDONLY));
293 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
294 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
295 
296 	ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
297 	ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
298 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
299 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
300 	ASSERT_EQ(0, test_open(dir_s2d3, O_RDONLY));
301 	ASSERT_EQ(0, test_open(file1_s2d3, O_RDONLY));
302 
303 	ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
304 	ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
305 	ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
306 }
307 
308 TEST_F_FORK(layout1, inval)
309 {
310 	struct landlock_path_beneath_attr path_beneath = {
311 		.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
312 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
313 		.parent_fd = -1,
314 	};
315 	struct landlock_ruleset_attr ruleset_attr = {
316 		.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
317 				     LANDLOCK_ACCESS_FS_WRITE_FILE,
318 	};
319 	int ruleset_fd;
320 
321 	path_beneath.parent_fd =
322 		open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
323 	ASSERT_LE(0, path_beneath.parent_fd);
324 
325 	ruleset_fd = open(dir_s1d1, O_PATH | O_DIRECTORY | O_CLOEXEC);
326 	ASSERT_LE(0, ruleset_fd);
327 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
328 					&path_beneath, 0));
329 	/* Returns EBADF because ruleset_fd is not a landlock-ruleset FD. */
330 	ASSERT_EQ(EBADF, errno);
331 	ASSERT_EQ(0, close(ruleset_fd));
332 
333 	ruleset_fd = open(dir_s1d1, O_DIRECTORY | O_CLOEXEC);
334 	ASSERT_LE(0, ruleset_fd);
335 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
336 					&path_beneath, 0));
337 	/* Returns EBADFD because ruleset_fd is not a valid ruleset. */
338 	ASSERT_EQ(EBADFD, errno);
339 	ASSERT_EQ(0, close(ruleset_fd));
340 
341 	/* Gets a real ruleset. */
342 	ruleset_fd =
343 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
344 	ASSERT_LE(0, ruleset_fd);
345 	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
346 				       &path_beneath, 0));
347 	ASSERT_EQ(0, close(path_beneath.parent_fd));
348 
349 	/* Tests without O_PATH. */
350 	path_beneath.parent_fd = open(dir_s1d2, O_DIRECTORY | O_CLOEXEC);
351 	ASSERT_LE(0, path_beneath.parent_fd);
352 	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
353 				       &path_beneath, 0));
354 	ASSERT_EQ(0, close(path_beneath.parent_fd));
355 
356 	/* Tests with a ruleset FD. */
357 	path_beneath.parent_fd = ruleset_fd;
358 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
359 					&path_beneath, 0));
360 	ASSERT_EQ(EBADFD, errno);
361 
362 	/* Checks unhandled allowed_access. */
363 	path_beneath.parent_fd =
364 		open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
365 	ASSERT_LE(0, path_beneath.parent_fd);
366 
367 	/* Test with legitimate values. */
368 	path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_EXECUTE;
369 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
370 					&path_beneath, 0));
371 	ASSERT_EQ(EINVAL, errno);
372 	path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE;
373 
374 	/* Test with unknown (64-bits) value. */
375 	path_beneath.allowed_access |= (1ULL << 60);
376 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
377 					&path_beneath, 0));
378 	ASSERT_EQ(EINVAL, errno);
379 	path_beneath.allowed_access &= ~(1ULL << 60);
380 
381 	/* Test with no access. */
382 	path_beneath.allowed_access = 0;
383 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
384 					&path_beneath, 0));
385 	ASSERT_EQ(ENOMSG, errno);
386 	path_beneath.allowed_access &= ~(1ULL << 60);
387 
388 	ASSERT_EQ(0, close(path_beneath.parent_fd));
389 
390 	/* Enforces the ruleset. */
391 	ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
392 	ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
393 
394 	ASSERT_EQ(0, close(ruleset_fd));
395 }
396 
397 /* clang-format off */
398 
399 #define ACCESS_FILE ( \
400 	LANDLOCK_ACCESS_FS_EXECUTE | \
401 	LANDLOCK_ACCESS_FS_WRITE_FILE | \
402 	LANDLOCK_ACCESS_FS_READ_FILE)
403 
404 #define ACCESS_LAST LANDLOCK_ACCESS_FS_REFER
405 
406 #define ACCESS_ALL ( \
407 	ACCESS_FILE | \
408 	LANDLOCK_ACCESS_FS_READ_DIR | \
409 	LANDLOCK_ACCESS_FS_REMOVE_DIR | \
410 	LANDLOCK_ACCESS_FS_REMOVE_FILE | \
411 	LANDLOCK_ACCESS_FS_MAKE_CHAR | \
412 	LANDLOCK_ACCESS_FS_MAKE_DIR | \
413 	LANDLOCK_ACCESS_FS_MAKE_REG | \
414 	LANDLOCK_ACCESS_FS_MAKE_SOCK | \
415 	LANDLOCK_ACCESS_FS_MAKE_FIFO | \
416 	LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
417 	LANDLOCK_ACCESS_FS_MAKE_SYM | \
418 	ACCESS_LAST)
419 
420 /* clang-format on */
421 
422 TEST_F_FORK(layout1, file_and_dir_access_rights)
423 {
424 	__u64 access;
425 	int err;
426 	struct landlock_path_beneath_attr path_beneath_file = {},
427 					  path_beneath_dir = {};
428 	struct landlock_ruleset_attr ruleset_attr = {
429 		.handled_access_fs = ACCESS_ALL,
430 	};
431 	const int ruleset_fd =
432 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
433 
434 	ASSERT_LE(0, ruleset_fd);
435 
436 	/* Tests access rights for files. */
437 	path_beneath_file.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
438 	ASSERT_LE(0, path_beneath_file.parent_fd);
439 
440 	/* Tests access rights for directories. */
441 	path_beneath_dir.parent_fd =
442 		open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
443 	ASSERT_LE(0, path_beneath_dir.parent_fd);
444 
445 	for (access = 1; access <= ACCESS_LAST; access <<= 1) {
446 		path_beneath_dir.allowed_access = access;
447 		ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
448 					       LANDLOCK_RULE_PATH_BENEATH,
449 					       &path_beneath_dir, 0));
450 
451 		path_beneath_file.allowed_access = access;
452 		err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
453 					&path_beneath_file, 0);
454 		if (access & ACCESS_FILE) {
455 			ASSERT_EQ(0, err);
456 		} else {
457 			ASSERT_EQ(-1, err);
458 			ASSERT_EQ(EINVAL, errno);
459 		}
460 	}
461 	ASSERT_EQ(0, close(path_beneath_file.parent_fd));
462 	ASSERT_EQ(0, close(path_beneath_dir.parent_fd));
463 	ASSERT_EQ(0, close(ruleset_fd));
464 }
465 
466 TEST_F_FORK(layout1, unknown_access_rights)
467 {
468 	__u64 access_mask;
469 
470 	for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST;
471 	     access_mask >>= 1) {
472 		struct landlock_ruleset_attr ruleset_attr = {
473 			.handled_access_fs = access_mask,
474 		};
475 
476 		ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr,
477 						      sizeof(ruleset_attr), 0));
478 		ASSERT_EQ(EINVAL, errno);
479 	}
480 }
481 
482 static void add_path_beneath(struct __test_metadata *const _metadata,
483 			     const int ruleset_fd, const __u64 allowed_access,
484 			     const char *const path)
485 {
486 	struct landlock_path_beneath_attr path_beneath = {
487 		.allowed_access = allowed_access,
488 	};
489 
490 	path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC);
491 	ASSERT_LE(0, path_beneath.parent_fd)
492 	{
493 		TH_LOG("Failed to open directory \"%s\": %s", path,
494 		       strerror(errno));
495 	}
496 	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
497 				       &path_beneath, 0))
498 	{
499 		TH_LOG("Failed to update the ruleset with \"%s\": %s", path,
500 		       strerror(errno));
501 	}
502 	ASSERT_EQ(0, close(path_beneath.parent_fd));
503 }
504 
505 struct rule {
506 	const char *path;
507 	__u64 access;
508 };
509 
510 /* clang-format off */
511 
512 #define ACCESS_RO ( \
513 	LANDLOCK_ACCESS_FS_READ_FILE | \
514 	LANDLOCK_ACCESS_FS_READ_DIR)
515 
516 #define ACCESS_RW ( \
517 	ACCESS_RO | \
518 	LANDLOCK_ACCESS_FS_WRITE_FILE)
519 
520 /* clang-format on */
521 
522 static int create_ruleset(struct __test_metadata *const _metadata,
523 			  const __u64 handled_access_fs,
524 			  const struct rule rules[])
525 {
526 	int ruleset_fd, i;
527 	struct landlock_ruleset_attr ruleset_attr = {
528 		.handled_access_fs = handled_access_fs,
529 	};
530 
531 	ASSERT_NE(NULL, rules)
532 	{
533 		TH_LOG("No rule list");
534 	}
535 	ASSERT_NE(NULL, rules[0].path)
536 	{
537 		TH_LOG("Empty rule list");
538 	}
539 
540 	ruleset_fd =
541 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
542 	ASSERT_LE(0, ruleset_fd)
543 	{
544 		TH_LOG("Failed to create a ruleset: %s", strerror(errno));
545 	}
546 
547 	for (i = 0; rules[i].path; i++) {
548 		add_path_beneath(_metadata, ruleset_fd, rules[i].access,
549 				 rules[i].path);
550 	}
551 	return ruleset_fd;
552 }
553 
554 static void enforce_ruleset(struct __test_metadata *const _metadata,
555 			    const int ruleset_fd)
556 {
557 	ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
558 	ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0))
559 	{
560 		TH_LOG("Failed to enforce ruleset: %s", strerror(errno));
561 	}
562 }
563 
564 TEST_F_FORK(layout1, proc_nsfs)
565 {
566 	const struct rule rules[] = {
567 		{
568 			.path = "/dev/null",
569 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
570 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
571 		},
572 		{},
573 	};
574 	struct landlock_path_beneath_attr path_beneath;
575 	const int ruleset_fd = create_ruleset(
576 		_metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
577 		rules);
578 
579 	ASSERT_LE(0, ruleset_fd);
580 	ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
581 
582 	enforce_ruleset(_metadata, ruleset_fd);
583 
584 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
585 	ASSERT_EQ(EACCES, test_open("/dev", O_RDONLY));
586 	ASSERT_EQ(0, test_open("/dev/null", O_RDONLY));
587 	ASSERT_EQ(EACCES, test_open("/dev/full", O_RDONLY));
588 
589 	ASSERT_EQ(EACCES, test_open("/proc", O_RDONLY));
590 	ASSERT_EQ(EACCES, test_open("/proc/self", O_RDONLY));
591 	ASSERT_EQ(EACCES, test_open("/proc/self/ns", O_RDONLY));
592 	/*
593 	 * Because nsfs is an internal filesystem, /proc/self/ns/mnt is a
594 	 * disconnected path.  Such path cannot be identified and must then be
595 	 * allowed.
596 	 */
597 	ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
598 
599 	/*
600 	 * Checks that it is not possible to add nsfs-like filesystem
601 	 * references to a ruleset.
602 	 */
603 	path_beneath.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
604 				      LANDLOCK_ACCESS_FS_WRITE_FILE,
605 	path_beneath.parent_fd = open("/proc/self/ns/mnt", O_PATH | O_CLOEXEC);
606 	ASSERT_LE(0, path_beneath.parent_fd);
607 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
608 					&path_beneath, 0));
609 	ASSERT_EQ(EBADFD, errno);
610 	ASSERT_EQ(0, close(path_beneath.parent_fd));
611 }
612 
613 TEST_F_FORK(layout1, unpriv)
614 {
615 	const struct rule rules[] = {
616 		{
617 			.path = dir_s1d2,
618 			.access = ACCESS_RO,
619 		},
620 		{},
621 	};
622 	int ruleset_fd;
623 
624 	drop_caps(_metadata);
625 
626 	ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
627 	ASSERT_LE(0, ruleset_fd);
628 	ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0));
629 	ASSERT_EQ(EPERM, errno);
630 
631 	/* enforce_ruleset() calls prctl(no_new_privs). */
632 	enforce_ruleset(_metadata, ruleset_fd);
633 	ASSERT_EQ(0, close(ruleset_fd));
634 }
635 
636 TEST_F_FORK(layout1, effective_access)
637 {
638 	const struct rule rules[] = {
639 		{
640 			.path = dir_s1d2,
641 			.access = ACCESS_RO,
642 		},
643 		{
644 			.path = file1_s2d2,
645 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
646 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
647 		},
648 		{},
649 	};
650 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
651 	char buf;
652 	int reg_fd;
653 
654 	ASSERT_LE(0, ruleset_fd);
655 	enforce_ruleset(_metadata, ruleset_fd);
656 	ASSERT_EQ(0, close(ruleset_fd));
657 
658 	/* Tests on a directory (with or without O_PATH). */
659 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
660 	ASSERT_EQ(0, test_open("/", O_RDONLY | O_PATH));
661 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
662 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_PATH));
663 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
664 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY | O_PATH));
665 
666 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
667 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
668 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
669 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
670 
671 	/* Tests on a file (with or without O_PATH). */
672 	ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY));
673 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_PATH));
674 
675 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
676 
677 	/* Checks effective read and write actions. */
678 	reg_fd = open(file1_s2d2, O_RDWR | O_CLOEXEC);
679 	ASSERT_LE(0, reg_fd);
680 	ASSERT_EQ(1, write(reg_fd, ".", 1));
681 	ASSERT_LE(0, lseek(reg_fd, 0, SEEK_SET));
682 	ASSERT_EQ(1, read(reg_fd, &buf, 1));
683 	ASSERT_EQ('.', buf);
684 	ASSERT_EQ(0, close(reg_fd));
685 
686 	/* Just in case, double-checks effective actions. */
687 	reg_fd = open(file1_s2d2, O_RDONLY | O_CLOEXEC);
688 	ASSERT_LE(0, reg_fd);
689 	ASSERT_EQ(-1, write(reg_fd, &buf, 1));
690 	ASSERT_EQ(EBADF, errno);
691 	ASSERT_EQ(0, close(reg_fd));
692 }
693 
694 TEST_F_FORK(layout1, unhandled_access)
695 {
696 	const struct rule rules[] = {
697 		{
698 			.path = dir_s1d2,
699 			.access = ACCESS_RO,
700 		},
701 		{},
702 	};
703 	/* Here, we only handle read accesses, not write accesses. */
704 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
705 
706 	ASSERT_LE(0, ruleset_fd);
707 	enforce_ruleset(_metadata, ruleset_fd);
708 	ASSERT_EQ(0, close(ruleset_fd));
709 
710 	/*
711 	 * Because the policy does not handle LANDLOCK_ACCESS_FS_WRITE_FILE,
712 	 * opening for write-only should be allowed, but not read-write.
713 	 */
714 	ASSERT_EQ(0, test_open(file1_s1d1, O_WRONLY));
715 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
716 
717 	ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
718 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
719 }
720 
721 TEST_F_FORK(layout1, ruleset_overlap)
722 {
723 	const struct rule rules[] = {
724 		/* These rules should be ORed among them. */
725 		{
726 			.path = dir_s1d2,
727 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
728 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
729 		},
730 		{
731 			.path = dir_s1d2,
732 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
733 				  LANDLOCK_ACCESS_FS_READ_DIR,
734 		},
735 		{},
736 	};
737 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
738 
739 	ASSERT_LE(0, ruleset_fd);
740 	enforce_ruleset(_metadata, ruleset_fd);
741 	ASSERT_EQ(0, close(ruleset_fd));
742 
743 	/* Checks s1d1 hierarchy. */
744 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
745 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
746 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
747 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
748 
749 	/* Checks s1d2 hierarchy. */
750 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
751 	ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
752 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
753 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
754 
755 	/* Checks s1d3 hierarchy. */
756 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
757 	ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
758 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
759 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
760 }
761 
762 TEST_F_FORK(layout1, layer_rule_unions)
763 {
764 	const struct rule layer1[] = {
765 		{
766 			.path = dir_s1d2,
767 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
768 		},
769 		/* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
770 		{
771 			.path = dir_s1d3,
772 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
773 		},
774 		{},
775 	};
776 	const struct rule layer2[] = {
777 		/* Doesn't change anything from layer1. */
778 		{
779 			.path = dir_s1d2,
780 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
781 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
782 		},
783 		{},
784 	};
785 	const struct rule layer3[] = {
786 		/* Only allows write (but not read) to dir_s1d3. */
787 		{
788 			.path = dir_s1d2,
789 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
790 		},
791 		{},
792 	};
793 	int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1);
794 
795 	ASSERT_LE(0, ruleset_fd);
796 	enforce_ruleset(_metadata, ruleset_fd);
797 	ASSERT_EQ(0, close(ruleset_fd));
798 
799 	/* Checks s1d1 hierarchy with layer1. */
800 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
801 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
802 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
803 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
804 
805 	/* Checks s1d2 hierarchy with layer1. */
806 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
807 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
808 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
809 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
810 
811 	/* Checks s1d3 hierarchy with layer1. */
812 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
813 	ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
814 	/* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
815 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
816 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
817 
818 	/* Doesn't change anything from layer1. */
819 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2);
820 	ASSERT_LE(0, ruleset_fd);
821 	enforce_ruleset(_metadata, ruleset_fd);
822 	ASSERT_EQ(0, close(ruleset_fd));
823 
824 	/* Checks s1d1 hierarchy with layer2. */
825 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
826 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
827 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
828 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
829 
830 	/* Checks s1d2 hierarchy with layer2. */
831 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
832 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
833 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
834 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
835 
836 	/* Checks s1d3 hierarchy with layer2. */
837 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
838 	ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
839 	/* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
840 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
841 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
842 
843 	/* Only allows write (but not read) to dir_s1d3. */
844 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3);
845 	ASSERT_LE(0, ruleset_fd);
846 	enforce_ruleset(_metadata, ruleset_fd);
847 	ASSERT_EQ(0, close(ruleset_fd));
848 
849 	/* Checks s1d1 hierarchy with layer3. */
850 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
851 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
852 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
853 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
854 
855 	/* Checks s1d2 hierarchy with layer3. */
856 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
857 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
858 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
859 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
860 
861 	/* Checks s1d3 hierarchy with layer3. */
862 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
863 	ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
864 	/* dir_s1d3 should now deny READ_FILE and WRITE_FILE (O_RDWR). */
865 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDWR));
866 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
867 }
868 
869 TEST_F_FORK(layout1, non_overlapping_accesses)
870 {
871 	const struct rule layer1[] = {
872 		{
873 			.path = dir_s1d2,
874 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
875 		},
876 		{},
877 	};
878 	const struct rule layer2[] = {
879 		{
880 			.path = dir_s1d3,
881 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
882 		},
883 		{},
884 	};
885 	int ruleset_fd;
886 
887 	ASSERT_EQ(0, unlink(file1_s1d1));
888 	ASSERT_EQ(0, unlink(file1_s1d2));
889 
890 	ruleset_fd =
891 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, layer1);
892 	ASSERT_LE(0, ruleset_fd);
893 	enforce_ruleset(_metadata, ruleset_fd);
894 	ASSERT_EQ(0, close(ruleset_fd));
895 
896 	ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
897 	ASSERT_EQ(EACCES, errno);
898 	ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
899 	ASSERT_EQ(0, unlink(file1_s1d2));
900 
901 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REMOVE_FILE,
902 				    layer2);
903 	ASSERT_LE(0, ruleset_fd);
904 	enforce_ruleset(_metadata, ruleset_fd);
905 	ASSERT_EQ(0, close(ruleset_fd));
906 
907 	/* Unchanged accesses for file creation. */
908 	ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
909 	ASSERT_EQ(EACCES, errno);
910 	ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
911 
912 	/* Checks file removing. */
913 	ASSERT_EQ(-1, unlink(file1_s1d2));
914 	ASSERT_EQ(EACCES, errno);
915 	ASSERT_EQ(0, unlink(file1_s1d3));
916 }
917 
918 TEST_F_FORK(layout1, interleaved_masked_accesses)
919 {
920 	/*
921 	 * Checks overly restrictive rules:
922 	 * layer 1: allows R   s1d1/s1d2/s1d3/file1
923 	 * layer 2: allows RW  s1d1/s1d2/s1d3
924 	 *          allows  W  s1d1/s1d2
925 	 *          denies R   s1d1/s1d2
926 	 * layer 3: allows R   s1d1
927 	 * layer 4: allows R   s1d1/s1d2
928 	 *          denies  W  s1d1/s1d2
929 	 * layer 5: allows R   s1d1/s1d2
930 	 * layer 6: allows   X ----
931 	 * layer 7: allows  W  s1d1/s1d2
932 	 *          denies R   s1d1/s1d2
933 	 */
934 	const struct rule layer1_read[] = {
935 		/* Allows read access to file1_s1d3 with the first layer. */
936 		{
937 			.path = file1_s1d3,
938 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
939 		},
940 		{},
941 	};
942 	/* First rule with write restrictions. */
943 	const struct rule layer2_read_write[] = {
944 		/* Start by granting read-write access via its parent directory... */
945 		{
946 			.path = dir_s1d3,
947 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
948 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
949 		},
950 		/* ...but also denies read access via its grandparent directory. */
951 		{
952 			.path = dir_s1d2,
953 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
954 		},
955 		{},
956 	};
957 	const struct rule layer3_read[] = {
958 		/* Allows read access via its great-grandparent directory. */
959 		{
960 			.path = dir_s1d1,
961 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
962 		},
963 		{},
964 	};
965 	const struct rule layer4_read_write[] = {
966 		/*
967 		 * Try to confuse the deny access by denying write (but not
968 		 * read) access via its grandparent directory.
969 		 */
970 		{
971 			.path = dir_s1d2,
972 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
973 		},
974 		{},
975 	};
976 	const struct rule layer5_read[] = {
977 		/*
978 		 * Try to override layer2's deny read access by explicitly
979 		 * allowing read access via file1_s1d3's grandparent.
980 		 */
981 		{
982 			.path = dir_s1d2,
983 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
984 		},
985 		{},
986 	};
987 	const struct rule layer6_execute[] = {
988 		/*
989 		 * Restricts an unrelated file hierarchy with a new access
990 		 * (non-overlapping) type.
991 		 */
992 		{
993 			.path = dir_s2d1,
994 			.access = LANDLOCK_ACCESS_FS_EXECUTE,
995 		},
996 		{},
997 	};
998 	const struct rule layer7_read_write[] = {
999 		/*
1000 		 * Finally, denies read access to file1_s1d3 via its
1001 		 * grandparent.
1002 		 */
1003 		{
1004 			.path = dir_s1d2,
1005 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1006 		},
1007 		{},
1008 	};
1009 	int ruleset_fd;
1010 
1011 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1012 				    layer1_read);
1013 	ASSERT_LE(0, ruleset_fd);
1014 	enforce_ruleset(_metadata, ruleset_fd);
1015 	ASSERT_EQ(0, close(ruleset_fd));
1016 
1017 	/* Checks that read access is granted for file1_s1d3 with layer 1. */
1018 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1019 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1020 	ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1021 
1022 	ruleset_fd = create_ruleset(_metadata,
1023 				    LANDLOCK_ACCESS_FS_READ_FILE |
1024 					    LANDLOCK_ACCESS_FS_WRITE_FILE,
1025 				    layer2_read_write);
1026 	ASSERT_LE(0, ruleset_fd);
1027 	enforce_ruleset(_metadata, ruleset_fd);
1028 	ASSERT_EQ(0, close(ruleset_fd));
1029 
1030 	/* Checks that previous access rights are unchanged with layer 2. */
1031 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1032 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1033 	ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1034 
1035 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1036 				    layer3_read);
1037 	ASSERT_LE(0, ruleset_fd);
1038 	enforce_ruleset(_metadata, ruleset_fd);
1039 	ASSERT_EQ(0, close(ruleset_fd));
1040 
1041 	/* Checks that previous access rights are unchanged with layer 3. */
1042 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1043 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1044 	ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1045 
1046 	/* This time, denies write access for the file hierarchy. */
1047 	ruleset_fd = create_ruleset(_metadata,
1048 				    LANDLOCK_ACCESS_FS_READ_FILE |
1049 					    LANDLOCK_ACCESS_FS_WRITE_FILE,
1050 				    layer4_read_write);
1051 	ASSERT_LE(0, ruleset_fd);
1052 	enforce_ruleset(_metadata, ruleset_fd);
1053 	ASSERT_EQ(0, close(ruleset_fd));
1054 
1055 	/*
1056 	 * Checks that the only change with layer 4 is that write access is
1057 	 * denied.
1058 	 */
1059 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1060 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1061 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1062 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1063 
1064 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1065 				    layer5_read);
1066 	ASSERT_LE(0, ruleset_fd);
1067 	enforce_ruleset(_metadata, ruleset_fd);
1068 	ASSERT_EQ(0, close(ruleset_fd));
1069 
1070 	/* Checks that previous access rights are unchanged with layer 5. */
1071 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1072 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1073 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1074 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1075 
1076 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_EXECUTE,
1077 				    layer6_execute);
1078 	ASSERT_LE(0, ruleset_fd);
1079 	enforce_ruleset(_metadata, ruleset_fd);
1080 	ASSERT_EQ(0, close(ruleset_fd));
1081 
1082 	/* Checks that previous access rights are unchanged with layer 6. */
1083 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1084 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1085 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1086 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1087 
1088 	ruleset_fd = create_ruleset(_metadata,
1089 				    LANDLOCK_ACCESS_FS_READ_FILE |
1090 					    LANDLOCK_ACCESS_FS_WRITE_FILE,
1091 				    layer7_read_write);
1092 	ASSERT_LE(0, ruleset_fd);
1093 	enforce_ruleset(_metadata, ruleset_fd);
1094 	ASSERT_EQ(0, close(ruleset_fd));
1095 
1096 	/* Checks read access is now denied with layer 7. */
1097 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
1098 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1099 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1100 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1101 }
1102 
1103 TEST_F_FORK(layout1, inherit_subset)
1104 {
1105 	const struct rule rules[] = {
1106 		{
1107 			.path = dir_s1d2,
1108 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
1109 				  LANDLOCK_ACCESS_FS_READ_DIR,
1110 		},
1111 		{},
1112 	};
1113 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1114 
1115 	ASSERT_LE(0, ruleset_fd);
1116 	enforce_ruleset(_metadata, ruleset_fd);
1117 
1118 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1119 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1120 
1121 	/* Write access is forbidden. */
1122 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1123 	/* Readdir access is allowed. */
1124 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1125 
1126 	/* Write access is forbidden. */
1127 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1128 	/* Readdir access is allowed. */
1129 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1130 
1131 	/*
1132 	 * Tests shared rule extension: the following rules should not grant
1133 	 * any new access, only remove some.  Once enforced, these rules are
1134 	 * ANDed with the previous ones.
1135 	 */
1136 	add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
1137 			 dir_s1d2);
1138 	/*
1139 	 * According to ruleset_fd, dir_s1d2 should now have the
1140 	 * LANDLOCK_ACCESS_FS_READ_FILE and LANDLOCK_ACCESS_FS_WRITE_FILE
1141 	 * access rights (even if this directory is opened a second time).
1142 	 * However, when enforcing this updated ruleset, the ruleset tied to
1143 	 * the current process (i.e. its domain) will still only have the
1144 	 * dir_s1d2 with LANDLOCK_ACCESS_FS_READ_FILE and
1145 	 * LANDLOCK_ACCESS_FS_READ_DIR accesses, but
1146 	 * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would
1147 	 * be a privilege escalation.
1148 	 */
1149 	enforce_ruleset(_metadata, ruleset_fd);
1150 
1151 	/* Same tests and results as above. */
1152 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1153 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1154 
1155 	/* It is still forbidden to write in file1_s1d2. */
1156 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1157 	/* Readdir access is still allowed. */
1158 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1159 
1160 	/* It is still forbidden to write in file1_s1d3. */
1161 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1162 	/* Readdir access is still allowed. */
1163 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1164 
1165 	/*
1166 	 * Try to get more privileges by adding new access rights to the parent
1167 	 * directory: dir_s1d1.
1168 	 */
1169 	add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1);
1170 	enforce_ruleset(_metadata, ruleset_fd);
1171 
1172 	/* Same tests and results as above. */
1173 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1174 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1175 
1176 	/* It is still forbidden to write in file1_s1d2. */
1177 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1178 	/* Readdir access is still allowed. */
1179 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1180 
1181 	/* It is still forbidden to write in file1_s1d3. */
1182 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1183 	/* Readdir access is still allowed. */
1184 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1185 
1186 	/*
1187 	 * Now, dir_s1d3 get a new rule tied to it, only allowing
1188 	 * LANDLOCK_ACCESS_FS_WRITE_FILE.  The (kernel internal) difference is
1189 	 * that there was no rule tied to it before.
1190 	 */
1191 	add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
1192 			 dir_s1d3);
1193 	enforce_ruleset(_metadata, ruleset_fd);
1194 	ASSERT_EQ(0, close(ruleset_fd));
1195 
1196 	/*
1197 	 * Same tests and results as above, except for open(dir_s1d3) which is
1198 	 * now denied because the new rule mask the rule previously inherited
1199 	 * from dir_s1d2.
1200 	 */
1201 
1202 	/* Same tests and results as above. */
1203 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1204 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1205 
1206 	/* It is still forbidden to write in file1_s1d2. */
1207 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1208 	/* Readdir access is still allowed. */
1209 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1210 
1211 	/* It is still forbidden to write in file1_s1d3. */
1212 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1213 	/*
1214 	 * Readdir of dir_s1d3 is still allowed because of the OR policy inside
1215 	 * the same layer.
1216 	 */
1217 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1218 }
1219 
1220 TEST_F_FORK(layout1, inherit_superset)
1221 {
1222 	const struct rule rules[] = {
1223 		{
1224 			.path = dir_s1d3,
1225 			.access = ACCESS_RO,
1226 		},
1227 		{},
1228 	};
1229 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1230 
1231 	ASSERT_LE(0, ruleset_fd);
1232 	enforce_ruleset(_metadata, ruleset_fd);
1233 
1234 	/* Readdir access is denied for dir_s1d2. */
1235 	ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1236 	/* Readdir access is allowed for dir_s1d3. */
1237 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1238 	/* File access is allowed for file1_s1d3. */
1239 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1240 
1241 	/* Now dir_s1d2, parent of dir_s1d3, gets a new rule tied to it. */
1242 	add_path_beneath(_metadata, ruleset_fd,
1243 			 LANDLOCK_ACCESS_FS_READ_FILE |
1244 				 LANDLOCK_ACCESS_FS_READ_DIR,
1245 			 dir_s1d2);
1246 	enforce_ruleset(_metadata, ruleset_fd);
1247 	ASSERT_EQ(0, close(ruleset_fd));
1248 
1249 	/* Readdir access is still denied for dir_s1d2. */
1250 	ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1251 	/* Readdir access is still allowed for dir_s1d3. */
1252 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1253 	/* File access is still allowed for file1_s1d3. */
1254 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1255 }
1256 
1257 TEST_F_FORK(layout1, max_layers)
1258 {
1259 	int i, err;
1260 	const struct rule rules[] = {
1261 		{
1262 			.path = dir_s1d2,
1263 			.access = ACCESS_RO,
1264 		},
1265 		{},
1266 	};
1267 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1268 
1269 	ASSERT_LE(0, ruleset_fd);
1270 	for (i = 0; i < 16; i++)
1271 		enforce_ruleset(_metadata, ruleset_fd);
1272 
1273 	for (i = 0; i < 2; i++) {
1274 		err = landlock_restrict_self(ruleset_fd, 0);
1275 		ASSERT_EQ(-1, err);
1276 		ASSERT_EQ(E2BIG, errno);
1277 	}
1278 	ASSERT_EQ(0, close(ruleset_fd));
1279 }
1280 
1281 TEST_F_FORK(layout1, empty_or_same_ruleset)
1282 {
1283 	struct landlock_ruleset_attr ruleset_attr = {};
1284 	int ruleset_fd;
1285 
1286 	/* Tests empty handled_access_fs. */
1287 	ruleset_fd =
1288 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1289 	ASSERT_LE(-1, ruleset_fd);
1290 	ASSERT_EQ(ENOMSG, errno);
1291 
1292 	/* Enforces policy which deny read access to all files. */
1293 	ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE;
1294 	ruleset_fd =
1295 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1296 	ASSERT_LE(0, ruleset_fd);
1297 	enforce_ruleset(_metadata, ruleset_fd);
1298 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1299 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1300 
1301 	/* Nests a policy which deny read access to all directories. */
1302 	ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR;
1303 	ruleset_fd =
1304 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1305 	ASSERT_LE(0, ruleset_fd);
1306 	enforce_ruleset(_metadata, ruleset_fd);
1307 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1308 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1309 
1310 	/* Enforces a second time with the same ruleset. */
1311 	enforce_ruleset(_metadata, ruleset_fd);
1312 	ASSERT_EQ(0, close(ruleset_fd));
1313 }
1314 
1315 TEST_F_FORK(layout1, rule_on_mountpoint)
1316 {
1317 	const struct rule rules[] = {
1318 		{
1319 			.path = dir_s1d1,
1320 			.access = ACCESS_RO,
1321 		},
1322 		{
1323 			/* dir_s3d2 is a mount point. */
1324 			.path = dir_s3d2,
1325 			.access = ACCESS_RO,
1326 		},
1327 		{},
1328 	};
1329 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1330 
1331 	ASSERT_LE(0, ruleset_fd);
1332 	enforce_ruleset(_metadata, ruleset_fd);
1333 	ASSERT_EQ(0, close(ruleset_fd));
1334 
1335 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1336 
1337 	ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
1338 
1339 	ASSERT_EQ(EACCES, test_open(dir_s3d1, O_RDONLY));
1340 	ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
1341 	ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
1342 }
1343 
1344 TEST_F_FORK(layout1, rule_over_mountpoint)
1345 {
1346 	const struct rule rules[] = {
1347 		{
1348 			.path = dir_s1d1,
1349 			.access = ACCESS_RO,
1350 		},
1351 		{
1352 			/* dir_s3d2 is a mount point. */
1353 			.path = dir_s3d1,
1354 			.access = ACCESS_RO,
1355 		},
1356 		{},
1357 	};
1358 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1359 
1360 	ASSERT_LE(0, ruleset_fd);
1361 	enforce_ruleset(_metadata, ruleset_fd);
1362 	ASSERT_EQ(0, close(ruleset_fd));
1363 
1364 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1365 
1366 	ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
1367 
1368 	ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
1369 	ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
1370 	ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
1371 }
1372 
1373 /*
1374  * This test verifies that we can apply a landlock rule on the root directory
1375  * (which might require special handling).
1376  */
1377 TEST_F_FORK(layout1, rule_over_root_allow_then_deny)
1378 {
1379 	struct rule rules[] = {
1380 		{
1381 			.path = "/",
1382 			.access = ACCESS_RO,
1383 		},
1384 		{},
1385 	};
1386 	int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1387 
1388 	ASSERT_LE(0, ruleset_fd);
1389 	enforce_ruleset(_metadata, ruleset_fd);
1390 	ASSERT_EQ(0, close(ruleset_fd));
1391 
1392 	/* Checks allowed access. */
1393 	ASSERT_EQ(0, test_open("/", O_RDONLY));
1394 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1395 
1396 	rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE;
1397 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1398 	ASSERT_LE(0, ruleset_fd);
1399 	enforce_ruleset(_metadata, ruleset_fd);
1400 	ASSERT_EQ(0, close(ruleset_fd));
1401 
1402 	/* Checks denied access (on a directory). */
1403 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1404 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1405 }
1406 
1407 TEST_F_FORK(layout1, rule_over_root_deny)
1408 {
1409 	const struct rule rules[] = {
1410 		{
1411 			.path = "/",
1412 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
1413 		},
1414 		{},
1415 	};
1416 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1417 
1418 	ASSERT_LE(0, ruleset_fd);
1419 	enforce_ruleset(_metadata, ruleset_fd);
1420 	ASSERT_EQ(0, close(ruleset_fd));
1421 
1422 	/* Checks denied access (on a directory). */
1423 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1424 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1425 }
1426 
1427 TEST_F_FORK(layout1, rule_inside_mount_ns)
1428 {
1429 	const struct rule rules[] = {
1430 		{
1431 			.path = "s3d3",
1432 			.access = ACCESS_RO,
1433 		},
1434 		{},
1435 	};
1436 	int ruleset_fd;
1437 
1438 	set_cap(_metadata, CAP_SYS_ADMIN);
1439 	ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3))
1440 	{
1441 		TH_LOG("Failed to pivot root: %s", strerror(errno));
1442 	};
1443 	ASSERT_EQ(0, chdir("/"));
1444 	clear_cap(_metadata, CAP_SYS_ADMIN);
1445 
1446 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1447 	ASSERT_LE(0, ruleset_fd);
1448 	enforce_ruleset(_metadata, ruleset_fd);
1449 	ASSERT_EQ(0, close(ruleset_fd));
1450 
1451 	ASSERT_EQ(0, test_open("s3d3", O_RDONLY));
1452 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1453 }
1454 
1455 TEST_F_FORK(layout1, mount_and_pivot)
1456 {
1457 	const struct rule rules[] = {
1458 		{
1459 			.path = dir_s3d2,
1460 			.access = ACCESS_RO,
1461 		},
1462 		{},
1463 	};
1464 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1465 
1466 	ASSERT_LE(0, ruleset_fd);
1467 	enforce_ruleset(_metadata, ruleset_fd);
1468 	ASSERT_EQ(0, close(ruleset_fd));
1469 
1470 	set_cap(_metadata, CAP_SYS_ADMIN);
1471 	ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL));
1472 	ASSERT_EQ(EPERM, errno);
1473 	ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
1474 	ASSERT_EQ(EPERM, errno);
1475 	clear_cap(_metadata, CAP_SYS_ADMIN);
1476 }
1477 
1478 TEST_F_FORK(layout1, move_mount)
1479 {
1480 	const struct rule rules[] = {
1481 		{
1482 			.path = dir_s3d2,
1483 			.access = ACCESS_RO,
1484 		},
1485 		{},
1486 	};
1487 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1488 
1489 	ASSERT_LE(0, ruleset_fd);
1490 
1491 	set_cap(_metadata, CAP_SYS_ADMIN);
1492 	ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
1493 			     dir_s1d2, 0))
1494 	{
1495 		TH_LOG("Failed to move mount: %s", strerror(errno));
1496 	}
1497 
1498 	ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD,
1499 			     dir_s3d2, 0));
1500 	clear_cap(_metadata, CAP_SYS_ADMIN);
1501 
1502 	enforce_ruleset(_metadata, ruleset_fd);
1503 	ASSERT_EQ(0, close(ruleset_fd));
1504 
1505 	set_cap(_metadata, CAP_SYS_ADMIN);
1506 	ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
1507 			      dir_s1d2, 0));
1508 	ASSERT_EQ(EPERM, errno);
1509 	clear_cap(_metadata, CAP_SYS_ADMIN);
1510 }
1511 
1512 TEST_F_FORK(layout1, release_inodes)
1513 {
1514 	const struct rule rules[] = {
1515 		{
1516 			.path = dir_s1d1,
1517 			.access = ACCESS_RO,
1518 		},
1519 		{
1520 			.path = dir_s3d2,
1521 			.access = ACCESS_RO,
1522 		},
1523 		{
1524 			.path = dir_s3d3,
1525 			.access = ACCESS_RO,
1526 		},
1527 		{},
1528 	};
1529 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1530 
1531 	ASSERT_LE(0, ruleset_fd);
1532 	/* Unmount a file hierarchy while it is being used by a ruleset. */
1533 	set_cap(_metadata, CAP_SYS_ADMIN);
1534 	ASSERT_EQ(0, umount(dir_s3d2));
1535 	clear_cap(_metadata, CAP_SYS_ADMIN);
1536 
1537 	enforce_ruleset(_metadata, ruleset_fd);
1538 	ASSERT_EQ(0, close(ruleset_fd));
1539 
1540 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
1541 	ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY));
1542 	/* This dir_s3d3 would not be allowed and does not exist anyway. */
1543 	ASSERT_EQ(ENOENT, test_open(dir_s3d3, O_RDONLY));
1544 }
1545 
1546 enum relative_access {
1547 	REL_OPEN,
1548 	REL_CHDIR,
1549 	REL_CHROOT_ONLY,
1550 	REL_CHROOT_CHDIR,
1551 };
1552 
1553 static void test_relative_path(struct __test_metadata *const _metadata,
1554 			       const enum relative_access rel)
1555 {
1556 	/*
1557 	 * Common layer to check that chroot doesn't ignore it (i.e. a chroot
1558 	 * is not a disconnected root directory).
1559 	 */
1560 	const struct rule layer1_base[] = {
1561 		{
1562 			.path = TMP_DIR,
1563 			.access = ACCESS_RO,
1564 		},
1565 		{},
1566 	};
1567 	const struct rule layer2_subs[] = {
1568 		{
1569 			.path = dir_s1d2,
1570 			.access = ACCESS_RO,
1571 		},
1572 		{
1573 			.path = dir_s2d2,
1574 			.access = ACCESS_RO,
1575 		},
1576 		{},
1577 	};
1578 	int dirfd, ruleset_fd;
1579 
1580 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
1581 	ASSERT_LE(0, ruleset_fd);
1582 	enforce_ruleset(_metadata, ruleset_fd);
1583 	ASSERT_EQ(0, close(ruleset_fd));
1584 
1585 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_subs);
1586 
1587 	ASSERT_LE(0, ruleset_fd);
1588 	switch (rel) {
1589 	case REL_OPEN:
1590 	case REL_CHDIR:
1591 		break;
1592 	case REL_CHROOT_ONLY:
1593 		ASSERT_EQ(0, chdir(dir_s2d2));
1594 		break;
1595 	case REL_CHROOT_CHDIR:
1596 		ASSERT_EQ(0, chdir(dir_s1d2));
1597 		break;
1598 	default:
1599 		ASSERT_TRUE(false);
1600 		return;
1601 	}
1602 
1603 	set_cap(_metadata, CAP_SYS_CHROOT);
1604 	enforce_ruleset(_metadata, ruleset_fd);
1605 
1606 	switch (rel) {
1607 	case REL_OPEN:
1608 		dirfd = open(dir_s1d2, O_DIRECTORY);
1609 		ASSERT_LE(0, dirfd);
1610 		break;
1611 	case REL_CHDIR:
1612 		ASSERT_EQ(0, chdir(dir_s1d2));
1613 		dirfd = AT_FDCWD;
1614 		break;
1615 	case REL_CHROOT_ONLY:
1616 		/* Do chroot into dir_s1d2 (relative to dir_s2d2). */
1617 		ASSERT_EQ(0, chroot("../../s1d1/s1d2"))
1618 		{
1619 			TH_LOG("Failed to chroot: %s", strerror(errno));
1620 		}
1621 		dirfd = AT_FDCWD;
1622 		break;
1623 	case REL_CHROOT_CHDIR:
1624 		/* Do chroot into dir_s1d2. */
1625 		ASSERT_EQ(0, chroot("."))
1626 		{
1627 			TH_LOG("Failed to chroot: %s", strerror(errno));
1628 		}
1629 		dirfd = AT_FDCWD;
1630 		break;
1631 	}
1632 
1633 	ASSERT_EQ((rel == REL_CHROOT_CHDIR) ? 0 : EACCES,
1634 		  test_open_rel(dirfd, "..", O_RDONLY));
1635 	ASSERT_EQ(0, test_open_rel(dirfd, ".", O_RDONLY));
1636 
1637 	if (rel == REL_CHROOT_ONLY) {
1638 		/* The current directory is dir_s2d2. */
1639 		ASSERT_EQ(0, test_open_rel(dirfd, "./s2d3", O_RDONLY));
1640 	} else {
1641 		/* The current directory is dir_s1d2. */
1642 		ASSERT_EQ(0, test_open_rel(dirfd, "./s1d3", O_RDONLY));
1643 	}
1644 
1645 	if (rel == REL_CHROOT_ONLY || rel == REL_CHROOT_CHDIR) {
1646 		/* Checks the root dir_s1d2. */
1647 		ASSERT_EQ(0, test_open_rel(dirfd, "/..", O_RDONLY));
1648 		ASSERT_EQ(0, test_open_rel(dirfd, "/", O_RDONLY));
1649 		ASSERT_EQ(0, test_open_rel(dirfd, "/f1", O_RDONLY));
1650 		ASSERT_EQ(0, test_open_rel(dirfd, "/s1d3", O_RDONLY));
1651 	}
1652 
1653 	if (rel != REL_CHROOT_CHDIR) {
1654 		ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s1d1", O_RDONLY));
1655 		ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2", O_RDONLY));
1656 		ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2/s1d3",
1657 					   O_RDONLY));
1658 
1659 		ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s2d1", O_RDONLY));
1660 		ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2", O_RDONLY));
1661 		ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2/s2d3",
1662 					   O_RDONLY));
1663 	}
1664 
1665 	if (rel == REL_OPEN)
1666 		ASSERT_EQ(0, close(dirfd));
1667 	ASSERT_EQ(0, close(ruleset_fd));
1668 }
1669 
1670 TEST_F_FORK(layout1, relative_open)
1671 {
1672 	test_relative_path(_metadata, REL_OPEN);
1673 }
1674 
1675 TEST_F_FORK(layout1, relative_chdir)
1676 {
1677 	test_relative_path(_metadata, REL_CHDIR);
1678 }
1679 
1680 TEST_F_FORK(layout1, relative_chroot_only)
1681 {
1682 	test_relative_path(_metadata, REL_CHROOT_ONLY);
1683 }
1684 
1685 TEST_F_FORK(layout1, relative_chroot_chdir)
1686 {
1687 	test_relative_path(_metadata, REL_CHROOT_CHDIR);
1688 }
1689 
1690 static void copy_binary(struct __test_metadata *const _metadata,
1691 			const char *const dst_path)
1692 {
1693 	int dst_fd, src_fd;
1694 	struct stat statbuf;
1695 
1696 	dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC);
1697 	ASSERT_LE(0, dst_fd)
1698 	{
1699 		TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(errno));
1700 	}
1701 	src_fd = open(BINARY_PATH, O_RDONLY | O_CLOEXEC);
1702 	ASSERT_LE(0, src_fd)
1703 	{
1704 		TH_LOG("Failed to open \"" BINARY_PATH "\": %s",
1705 		       strerror(errno));
1706 	}
1707 	ASSERT_EQ(0, fstat(src_fd, &statbuf));
1708 	ASSERT_EQ(statbuf.st_size,
1709 		  sendfile(dst_fd, src_fd, 0, statbuf.st_size));
1710 	ASSERT_EQ(0, close(src_fd));
1711 	ASSERT_EQ(0, close(dst_fd));
1712 }
1713 
1714 static void test_execute(struct __test_metadata *const _metadata, const int err,
1715 			 const char *const path)
1716 {
1717 	int status;
1718 	char *const argv[] = { (char *)path, NULL };
1719 	const pid_t child = fork();
1720 
1721 	ASSERT_LE(0, child);
1722 	if (child == 0) {
1723 		ASSERT_EQ(err ? -1 : 0, execve(path, argv, NULL))
1724 		{
1725 			TH_LOG("Failed to execute \"%s\": %s", path,
1726 			       strerror(errno));
1727 		};
1728 		ASSERT_EQ(err, errno);
1729 		_exit(_metadata->passed ? 2 : 1);
1730 		return;
1731 	}
1732 	ASSERT_EQ(child, waitpid(child, &status, 0));
1733 	ASSERT_EQ(1, WIFEXITED(status));
1734 	ASSERT_EQ(err ? 2 : 0, WEXITSTATUS(status))
1735 	{
1736 		TH_LOG("Unexpected return code for \"%s\": %s", path,
1737 		       strerror(errno));
1738 	};
1739 }
1740 
1741 TEST_F_FORK(layout1, execute)
1742 {
1743 	const struct rule rules[] = {
1744 		{
1745 			.path = dir_s1d2,
1746 			.access = LANDLOCK_ACCESS_FS_EXECUTE,
1747 		},
1748 		{},
1749 	};
1750 	const int ruleset_fd =
1751 		create_ruleset(_metadata, rules[0].access, rules);
1752 
1753 	ASSERT_LE(0, ruleset_fd);
1754 	copy_binary(_metadata, file1_s1d1);
1755 	copy_binary(_metadata, file1_s1d2);
1756 	copy_binary(_metadata, file1_s1d3);
1757 
1758 	enforce_ruleset(_metadata, ruleset_fd);
1759 	ASSERT_EQ(0, close(ruleset_fd));
1760 
1761 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1762 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
1763 	test_execute(_metadata, EACCES, file1_s1d1);
1764 
1765 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
1766 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
1767 	test_execute(_metadata, 0, file1_s1d2);
1768 
1769 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
1770 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1771 	test_execute(_metadata, 0, file1_s1d3);
1772 }
1773 
1774 TEST_F_FORK(layout1, link)
1775 {
1776 	const struct rule layer1[] = {
1777 		{
1778 			.path = dir_s1d2,
1779 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
1780 		},
1781 		{},
1782 	};
1783 	const struct rule layer2[] = {
1784 		{
1785 			.path = dir_s1d3,
1786 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1787 		},
1788 		{},
1789 	};
1790 	int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
1791 
1792 	ASSERT_LE(0, ruleset_fd);
1793 
1794 	ASSERT_EQ(0, unlink(file1_s1d1));
1795 	ASSERT_EQ(0, unlink(file1_s1d2));
1796 	ASSERT_EQ(0, unlink(file1_s1d3));
1797 
1798 	enforce_ruleset(_metadata, ruleset_fd);
1799 	ASSERT_EQ(0, close(ruleset_fd));
1800 
1801 	ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
1802 	ASSERT_EQ(EACCES, errno);
1803 
1804 	/* Denies linking because of reparenting. */
1805 	ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
1806 	ASSERT_EQ(EXDEV, errno);
1807 	ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
1808 	ASSERT_EQ(EXDEV, errno);
1809 	ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
1810 	ASSERT_EQ(EXDEV, errno);
1811 
1812 	ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
1813 	ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
1814 
1815 	/* Prepares for next unlinks. */
1816 	ASSERT_EQ(0, unlink(file2_s1d2));
1817 	ASSERT_EQ(0, unlink(file2_s1d3));
1818 
1819 	ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
1820 	ASSERT_LE(0, ruleset_fd);
1821 	enforce_ruleset(_metadata, ruleset_fd);
1822 	ASSERT_EQ(0, close(ruleset_fd));
1823 
1824 	/* Checks that linkind doesn't require the ability to delete a file. */
1825 	ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
1826 	ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
1827 }
1828 
1829 TEST_F_FORK(layout1, rename_file)
1830 {
1831 	const struct rule rules[] = {
1832 		{
1833 			.path = dir_s1d3,
1834 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1835 		},
1836 		{
1837 			.path = dir_s2d2,
1838 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1839 		},
1840 		{},
1841 	};
1842 	const int ruleset_fd =
1843 		create_ruleset(_metadata, rules[0].access, rules);
1844 
1845 	ASSERT_LE(0, ruleset_fd);
1846 
1847 	ASSERT_EQ(0, unlink(file1_s1d2));
1848 
1849 	enforce_ruleset(_metadata, ruleset_fd);
1850 	ASSERT_EQ(0, close(ruleset_fd));
1851 
1852 	/*
1853 	 * Tries to replace a file, from a directory that allows file removal,
1854 	 * but to a different directory (which also allows file removal).
1855 	 */
1856 	ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3));
1857 	ASSERT_EQ(EXDEV, errno);
1858 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d3,
1859 				RENAME_EXCHANGE));
1860 	ASSERT_EQ(EXDEV, errno);
1861 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
1862 				RENAME_EXCHANGE));
1863 	ASSERT_EQ(EXDEV, errno);
1864 
1865 	/*
1866 	 * Tries to replace a file, from a directory that denies file removal,
1867 	 * to a different directory (which allows file removal).
1868 	 */
1869 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
1870 	ASSERT_EQ(EXDEV, errno);
1871 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3,
1872 				RENAME_EXCHANGE));
1873 	ASSERT_EQ(EXDEV, errno);
1874 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3,
1875 				RENAME_EXCHANGE));
1876 	ASSERT_EQ(EXDEV, errno);
1877 
1878 	/* Exchanges files and directories that partially allow removal. */
1879 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1,
1880 				RENAME_EXCHANGE));
1881 	ASSERT_EQ(EACCES, errno);
1882 	/* Checks that file1_s2d1 cannot be removed (instead of ENOTDIR). */
1883 	ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1));
1884 	ASSERT_EQ(EACCES, errno);
1885 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2,
1886 				RENAME_EXCHANGE));
1887 	ASSERT_EQ(EACCES, errno);
1888 	/* Checks that file1_s1d1 cannot be removed (instead of EISDIR). */
1889 	ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
1890 	ASSERT_EQ(EACCES, errno);
1891 
1892 	/* Renames files with different parents. */
1893 	ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
1894 	ASSERT_EQ(EXDEV, errno);
1895 	ASSERT_EQ(0, unlink(file1_s1d3));
1896 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
1897 	ASSERT_EQ(EXDEV, errno);
1898 
1899 	/* Exchanges and renames files with same parent. */
1900 	ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3,
1901 			       RENAME_EXCHANGE));
1902 	ASSERT_EQ(0, rename(file2_s2d3, file1_s2d3));
1903 
1904 	/* Exchanges files and directories with same parent, twice. */
1905 	ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
1906 			       RENAME_EXCHANGE));
1907 	ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
1908 			       RENAME_EXCHANGE));
1909 }
1910 
1911 TEST_F_FORK(layout1, rename_dir)
1912 {
1913 	const struct rule rules[] = {
1914 		{
1915 			.path = dir_s1d2,
1916 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
1917 		},
1918 		{
1919 			.path = dir_s2d1,
1920 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
1921 		},
1922 		{},
1923 	};
1924 	const int ruleset_fd =
1925 		create_ruleset(_metadata, rules[0].access, rules);
1926 
1927 	ASSERT_LE(0, ruleset_fd);
1928 
1929 	/* Empties dir_s1d3 to allow renaming. */
1930 	ASSERT_EQ(0, unlink(file1_s1d3));
1931 	ASSERT_EQ(0, unlink(file2_s1d3));
1932 
1933 	enforce_ruleset(_metadata, ruleset_fd);
1934 	ASSERT_EQ(0, close(ruleset_fd));
1935 
1936 	/* Exchanges and renames directory to a different parent. */
1937 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
1938 				RENAME_EXCHANGE));
1939 	ASSERT_EQ(EXDEV, errno);
1940 	ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3));
1941 	ASSERT_EQ(EXDEV, errno);
1942 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
1943 				RENAME_EXCHANGE));
1944 	ASSERT_EQ(EXDEV, errno);
1945 
1946 	/*
1947 	 * Exchanges directory to the same parent, which doesn't allow
1948 	 * directory removal.
1949 	 */
1950 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1,
1951 				RENAME_EXCHANGE));
1952 	ASSERT_EQ(EACCES, errno);
1953 	/* Checks that dir_s1d2 cannot be removed (instead of ENOTDIR). */
1954 	ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1));
1955 	ASSERT_EQ(EACCES, errno);
1956 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2,
1957 				RENAME_EXCHANGE));
1958 	ASSERT_EQ(EACCES, errno);
1959 	/* Checks that dir_s1d2 cannot be removed (instead of EISDIR). */
1960 	ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
1961 	ASSERT_EQ(EACCES, errno);
1962 
1963 	/*
1964 	 * Exchanges and renames directory to the same parent, which allows
1965 	 * directory removal.
1966 	 */
1967 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s1d2,
1968 			       RENAME_EXCHANGE));
1969 	ASSERT_EQ(0, unlink(dir_s1d3));
1970 	ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
1971 	ASSERT_EQ(0, rename(file1_s1d2, dir_s1d3));
1972 	ASSERT_EQ(0, rmdir(dir_s1d3));
1973 }
1974 
1975 TEST_F_FORK(layout1, reparent_refer)
1976 {
1977 	const struct rule layer1[] = {
1978 		{
1979 			.path = dir_s1d2,
1980 			.access = LANDLOCK_ACCESS_FS_REFER,
1981 		},
1982 		{
1983 			.path = dir_s2d2,
1984 			.access = LANDLOCK_ACCESS_FS_REFER,
1985 		},
1986 		{},
1987 	};
1988 	int ruleset_fd =
1989 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1);
1990 
1991 	ASSERT_LE(0, ruleset_fd);
1992 	enforce_ruleset(_metadata, ruleset_fd);
1993 	ASSERT_EQ(0, close(ruleset_fd));
1994 
1995 	ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d1));
1996 	ASSERT_EQ(EXDEV, errno);
1997 	ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d2));
1998 	ASSERT_EQ(EXDEV, errno);
1999 	ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3));
2000 	ASSERT_EQ(EXDEV, errno);
2001 
2002 	ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d1));
2003 	ASSERT_EQ(EXDEV, errno);
2004 	ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d2));
2005 	ASSERT_EQ(EXDEV, errno);
2006 	/*
2007 	 * Moving should only be allowed when the source and the destination
2008 	 * parent directory have REFER.
2009 	 */
2010 	ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d3));
2011 	ASSERT_EQ(ENOTEMPTY, errno);
2012 	ASSERT_EQ(0, unlink(file1_s2d3));
2013 	ASSERT_EQ(0, unlink(file2_s2d3));
2014 	ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3));
2015 }
2016 
2017 TEST_F_FORK(layout1, reparent_link)
2018 {
2019 	const struct rule layer1[] = {
2020 		{
2021 			.path = dir_s1d2,
2022 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2023 		},
2024 		{
2025 			.path = dir_s1d3,
2026 			.access = LANDLOCK_ACCESS_FS_REFER,
2027 		},
2028 		{
2029 			.path = dir_s2d2,
2030 			.access = LANDLOCK_ACCESS_FS_REFER,
2031 		},
2032 		{
2033 			.path = dir_s2d3,
2034 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2035 		},
2036 		{},
2037 	};
2038 	const int ruleset_fd = create_ruleset(
2039 		_metadata,
2040 		LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2041 
2042 	ASSERT_LE(0, ruleset_fd);
2043 	enforce_ruleset(_metadata, ruleset_fd);
2044 	ASSERT_EQ(0, close(ruleset_fd));
2045 
2046 	ASSERT_EQ(0, unlink(file1_s1d1));
2047 	ASSERT_EQ(0, unlink(file1_s1d2));
2048 	ASSERT_EQ(0, unlink(file1_s1d3));
2049 
2050 	/* Denies linking because of missing MAKE_REG. */
2051 	ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
2052 	ASSERT_EQ(EACCES, errno);
2053 	/* Denies linking because of missing source and destination REFER. */
2054 	ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
2055 	ASSERT_EQ(EXDEV, errno);
2056 	/* Denies linking because of missing source REFER. */
2057 	ASSERT_EQ(-1, link(file1_s2d1, file1_s1d3));
2058 	ASSERT_EQ(EXDEV, errno);
2059 
2060 	/* Denies linking because of missing MAKE_REG. */
2061 	ASSERT_EQ(-1, link(file1_s2d2, file1_s1d1));
2062 	ASSERT_EQ(EACCES, errno);
2063 	/* Denies linking because of missing destination REFER. */
2064 	ASSERT_EQ(-1, link(file1_s2d2, file1_s1d2));
2065 	ASSERT_EQ(EXDEV, errno);
2066 
2067 	/* Allows linking because of REFER and MAKE_REG. */
2068 	ASSERT_EQ(0, link(file1_s2d2, file1_s1d3));
2069 	ASSERT_EQ(0, unlink(file1_s2d2));
2070 	/* Reverse linking denied because of missing MAKE_REG. */
2071 	ASSERT_EQ(-1, link(file1_s1d3, file1_s2d2));
2072 	ASSERT_EQ(EACCES, errno);
2073 	ASSERT_EQ(0, unlink(file1_s2d3));
2074 	/* Checks reverse linking. */
2075 	ASSERT_EQ(0, link(file1_s1d3, file1_s2d3));
2076 	ASSERT_EQ(0, unlink(file1_s1d3));
2077 
2078 	/*
2079 	 * This is OK for a file link, but it should not be allowed for a
2080 	 * directory rename (because of the superset of access rights.
2081 	 */
2082 	ASSERT_EQ(0, link(file1_s2d3, file1_s1d3));
2083 	ASSERT_EQ(0, unlink(file1_s1d3));
2084 
2085 	ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
2086 	ASSERT_EQ(EXDEV, errno);
2087 	ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
2088 	ASSERT_EQ(EXDEV, errno);
2089 
2090 	ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
2091 	ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
2092 }
2093 
2094 TEST_F_FORK(layout1, reparent_rename)
2095 {
2096 	/* Same rules as for reparent_link. */
2097 	const struct rule layer1[] = {
2098 		{
2099 			.path = dir_s1d2,
2100 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2101 		},
2102 		{
2103 			.path = dir_s1d3,
2104 			.access = LANDLOCK_ACCESS_FS_REFER,
2105 		},
2106 		{
2107 			.path = dir_s2d2,
2108 			.access = LANDLOCK_ACCESS_FS_REFER,
2109 		},
2110 		{
2111 			.path = dir_s2d3,
2112 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2113 		},
2114 		{},
2115 	};
2116 	const int ruleset_fd = create_ruleset(
2117 		_metadata,
2118 		LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2119 
2120 	ASSERT_LE(0, ruleset_fd);
2121 	enforce_ruleset(_metadata, ruleset_fd);
2122 	ASSERT_EQ(0, close(ruleset_fd));
2123 
2124 	ASSERT_EQ(0, unlink(file1_s1d2));
2125 	ASSERT_EQ(0, unlink(file1_s1d3));
2126 
2127 	/* Denies renaming because of missing MAKE_REG. */
2128 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s1d1,
2129 				RENAME_EXCHANGE));
2130 	ASSERT_EQ(EACCES, errno);
2131 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file2_s1d1,
2132 				RENAME_EXCHANGE));
2133 	ASSERT_EQ(EACCES, errno);
2134 	ASSERT_EQ(0, unlink(file1_s1d1));
2135 	ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
2136 	ASSERT_EQ(EACCES, errno);
2137 	/* Even denies same file exchange. */
2138 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file2_s1d1,
2139 				RENAME_EXCHANGE));
2140 	ASSERT_EQ(EACCES, errno);
2141 
2142 	/* Denies renaming because of missing source and destination REFER. */
2143 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d2));
2144 	ASSERT_EQ(EXDEV, errno);
2145 	/*
2146 	 * Denies renaming because of missing MAKE_REG, source and destination
2147 	 * REFER.
2148 	 */
2149 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d1,
2150 				RENAME_EXCHANGE));
2151 	ASSERT_EQ(EACCES, errno);
2152 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s2d1,
2153 				RENAME_EXCHANGE));
2154 	ASSERT_EQ(EACCES, errno);
2155 
2156 	/* Denies renaming because of missing source REFER. */
2157 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
2158 	ASSERT_EQ(EXDEV, errno);
2159 	/* Denies renaming because of missing MAKE_REG. */
2160 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d3,
2161 				RENAME_EXCHANGE));
2162 	ASSERT_EQ(EACCES, errno);
2163 
2164 	/* Denies renaming because of missing MAKE_REG. */
2165 	ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d1));
2166 	ASSERT_EQ(EACCES, errno);
2167 	/* Denies renaming because of missing destination REFER*/
2168 	ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
2169 	ASSERT_EQ(EXDEV, errno);
2170 
2171 	/* Denies exchange because of one missing MAKE_REG. */
2172 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, file2_s1d3,
2173 				RENAME_EXCHANGE));
2174 	ASSERT_EQ(EACCES, errno);
2175 	/* Allows renaming because of REFER and MAKE_REG. */
2176 	ASSERT_EQ(0, rename(file1_s2d2, file1_s1d3));
2177 
2178 	/* Reverse renaming denied because of missing MAKE_REG. */
2179 	ASSERT_EQ(-1, rename(file1_s1d3, file1_s2d2));
2180 	ASSERT_EQ(EACCES, errno);
2181 	ASSERT_EQ(0, unlink(file1_s2d3));
2182 	ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2183 
2184 	/* Tests reverse renaming. */
2185 	ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
2186 	ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s1d3,
2187 			       RENAME_EXCHANGE));
2188 	ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2189 
2190 	/*
2191 	 * This is OK for a file rename, but it should not be allowed for a
2192 	 * directory rename (because of the superset of access rights).
2193 	 */
2194 	ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
2195 	ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2196 
2197 	/*
2198 	 * Tests superset restrictions applied to directories.  Not only the
2199 	 * dir_s2d3's parent (dir_s2d2) should be taken into account but also
2200 	 * access rights tied to dir_s2d3. dir_s2d2 is missing one access right
2201 	 * compared to dir_s1d3/file1_s1d3 (MAKE_REG) but it is provided
2202 	 * directly by the moved dir_s2d3.
2203 	 */
2204 	ASSERT_EQ(0, rename(dir_s2d3, file1_s1d3));
2205 	ASSERT_EQ(0, rename(file1_s1d3, dir_s2d3));
2206 	/*
2207 	 * The first rename is allowed but not the exchange because dir_s1d3's
2208 	 * parent (dir_s1d2) doesn't have REFER.
2209 	 */
2210 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
2211 				RENAME_EXCHANGE));
2212 	ASSERT_EQ(EXDEV, errno);
2213 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s2d3,
2214 				RENAME_EXCHANGE));
2215 	ASSERT_EQ(EXDEV, errno);
2216 	ASSERT_EQ(-1, rename(file1_s2d3, dir_s1d3));
2217 	ASSERT_EQ(EXDEV, errno);
2218 
2219 	ASSERT_EQ(-1, rename(file2_s1d2, file1_s1d3));
2220 	ASSERT_EQ(EXDEV, errno);
2221 	ASSERT_EQ(-1, rename(file2_s1d3, file1_s1d2));
2222 	ASSERT_EQ(EXDEV, errno);
2223 
2224 	/* Renaming in the same directory is always allowed. */
2225 	ASSERT_EQ(0, rename(file2_s1d2, file1_s1d2));
2226 	ASSERT_EQ(0, rename(file2_s1d3, file1_s1d3));
2227 
2228 	ASSERT_EQ(0, unlink(file1_s1d2));
2229 	/* Denies because of missing source MAKE_REG and destination REFER. */
2230 	ASSERT_EQ(-1, rename(dir_s2d3, file1_s1d2));
2231 	ASSERT_EQ(EXDEV, errno);
2232 
2233 	ASSERT_EQ(0, unlink(file1_s1d3));
2234 	/* Denies because of missing source MAKE_REG and REFER. */
2235 	ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d3));
2236 	ASSERT_EQ(EXDEV, errno);
2237 }
2238 
2239 static void
2240 reparent_exdev_layers_enforce1(struct __test_metadata *const _metadata)
2241 {
2242 	const struct rule layer1[] = {
2243 		{
2244 			.path = dir_s1d2,
2245 			.access = LANDLOCK_ACCESS_FS_REFER,
2246 		},
2247 		{
2248 			/* Interesting for the layer2 tests. */
2249 			.path = dir_s1d3,
2250 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2251 		},
2252 		{
2253 			.path = dir_s2d2,
2254 			.access = LANDLOCK_ACCESS_FS_REFER,
2255 		},
2256 		{
2257 			.path = dir_s2d3,
2258 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2259 		},
2260 		{},
2261 	};
2262 	const int ruleset_fd = create_ruleset(
2263 		_metadata,
2264 		LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2265 
2266 	ASSERT_LE(0, ruleset_fd);
2267 	enforce_ruleset(_metadata, ruleset_fd);
2268 	ASSERT_EQ(0, close(ruleset_fd));
2269 }
2270 
2271 static void
2272 reparent_exdev_layers_enforce2(struct __test_metadata *const _metadata)
2273 {
2274 	const struct rule layer2[] = {
2275 		{
2276 			.path = dir_s2d3,
2277 			.access = LANDLOCK_ACCESS_FS_MAKE_DIR,
2278 		},
2279 		{},
2280 	};
2281 	/*
2282 	 * Same checks as before but with a second layer and a new MAKE_DIR
2283 	 * rule (and no explicit handling of REFER).
2284 	 */
2285 	const int ruleset_fd =
2286 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_DIR, layer2);
2287 
2288 	ASSERT_LE(0, ruleset_fd);
2289 	enforce_ruleset(_metadata, ruleset_fd);
2290 	ASSERT_EQ(0, close(ruleset_fd));
2291 }
2292 
2293 TEST_F_FORK(layout1, reparent_exdev_layers_rename1)
2294 {
2295 	ASSERT_EQ(0, unlink(file1_s2d2));
2296 	ASSERT_EQ(0, unlink(file1_s2d3));
2297 
2298 	reparent_exdev_layers_enforce1(_metadata);
2299 
2300 	/*
2301 	 * Moving the dir_s1d3 directory below dir_s2d2 is allowed by Landlock
2302 	 * because it doesn't inherit new access rights.
2303 	 */
2304 	ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
2305 	ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
2306 
2307 	/*
2308 	 * Moving the dir_s1d3 directory below dir_s2d3 is allowed, even if it
2309 	 * gets a new inherited access rights (MAKE_REG), because MAKE_REG is
2310 	 * already allowed for dir_s1d3.
2311 	 */
2312 	ASSERT_EQ(0, rename(dir_s1d3, file1_s2d3));
2313 	ASSERT_EQ(0, rename(file1_s2d3, dir_s1d3));
2314 
2315 	/*
2316 	 * However, moving the file1_s1d3 file below dir_s2d3 is allowed
2317 	 * because it cannot inherit MAKE_REG right (which is dedicated to
2318 	 * directories).
2319 	 */
2320 	ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2321 
2322 	reparent_exdev_layers_enforce2(_metadata);
2323 
2324 	/*
2325 	 * Moving the dir_s1d3 directory below dir_s2d2 is now denied because
2326 	 * MAKE_DIR is not tied to dir_s2d2.
2327 	 */
2328 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d2));
2329 	ASSERT_EQ(EACCES, errno);
2330 
2331 	/*
2332 	 * Moving the dir_s1d3 directory below dir_s2d3 is forbidden because it
2333 	 * would grants MAKE_REG and MAKE_DIR rights to it.
2334 	 */
2335 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
2336 	ASSERT_EQ(EXDEV, errno);
2337 
2338 	/*
2339 	 * However, moving the file2_s1d3 file below dir_s2d3 is allowed
2340 	 * because it cannot inherit MAKE_REG nor MAKE_DIR rights (which are
2341 	 * dedicated to directories).
2342 	 */
2343 	ASSERT_EQ(0, rename(file2_s1d3, file1_s2d3));
2344 }
2345 
2346 TEST_F_FORK(layout1, reparent_exdev_layers_rename2)
2347 {
2348 	reparent_exdev_layers_enforce1(_metadata);
2349 
2350 	/* Checks EACCES predominance over EXDEV. */
2351 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
2352 	ASSERT_EQ(EACCES, errno);
2353 	ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d2));
2354 	ASSERT_EQ(EACCES, errno);
2355 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
2356 	ASSERT_EQ(EXDEV, errno);
2357 	/* Modify layout! */
2358 	ASSERT_EQ(0, rename(file1_s1d2, file1_s2d3));
2359 
2360 	/* Without REFER source. */
2361 	ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
2362 	ASSERT_EQ(EXDEV, errno);
2363 	ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
2364 	ASSERT_EQ(EXDEV, errno);
2365 
2366 	reparent_exdev_layers_enforce2(_metadata);
2367 
2368 	/* Checks EACCES predominance over EXDEV. */
2369 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
2370 	ASSERT_EQ(EACCES, errno);
2371 	/* Checks with actual file2_s1d2. */
2372 	ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d2));
2373 	ASSERT_EQ(EACCES, errno);
2374 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
2375 	ASSERT_EQ(EXDEV, errno);
2376 	/* Modify layout! */
2377 	ASSERT_EQ(0, rename(file2_s1d2, file1_s2d3));
2378 
2379 	/* Without REFER source, EACCES wins over EXDEV. */
2380 	ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
2381 	ASSERT_EQ(EACCES, errno);
2382 	ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
2383 	ASSERT_EQ(EACCES, errno);
2384 }
2385 
2386 TEST_F_FORK(layout1, reparent_exdev_layers_exchange1)
2387 {
2388 	const char *const dir_file1_s1d2 = file1_s1d2, *const dir_file2_s2d3 =
2389 							       file2_s2d3;
2390 
2391 	ASSERT_EQ(0, unlink(file1_s1d2));
2392 	ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
2393 	ASSERT_EQ(0, unlink(file2_s2d3));
2394 	ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2395 
2396 	reparent_exdev_layers_enforce1(_metadata);
2397 
2398 	/* Error predominance with file exchange: returns EXDEV and EACCES. */
2399 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
2400 				RENAME_EXCHANGE));
2401 	ASSERT_EQ(EACCES, errno);
2402 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
2403 				RENAME_EXCHANGE));
2404 	ASSERT_EQ(EACCES, errno);
2405 
2406 	/*
2407 	 * Checks with directories which creation could be allowed, but denied
2408 	 * because of access rights that would be inherited.
2409 	 */
2410 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
2411 				dir_file2_s2d3, RENAME_EXCHANGE));
2412 	ASSERT_EQ(EXDEV, errno);
2413 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
2414 				dir_file1_s1d2, RENAME_EXCHANGE));
2415 	ASSERT_EQ(EXDEV, errno);
2416 
2417 	/* Checks with same access rights. */
2418 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
2419 			       RENAME_EXCHANGE));
2420 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
2421 			       RENAME_EXCHANGE));
2422 
2423 	/* Checks with different (child-only) access rights. */
2424 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
2425 			       RENAME_EXCHANGE));
2426 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
2427 			       RENAME_EXCHANGE));
2428 
2429 	/*
2430 	 * Checks that exchange between file and directory are consistent.
2431 	 *
2432 	 * Moving a file (file1_s2d2) to a directory which only grants more
2433 	 * directory-related access rights is allowed, and at the same time
2434 	 * moving a directory (dir_file2_s2d3) to another directory which
2435 	 * grants less access rights is allowed too.
2436 	 *
2437 	 * See layout1.reparent_exdev_layers_exchange3 for inverted arguments.
2438 	 */
2439 	ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2440 			       RENAME_EXCHANGE));
2441 	/*
2442 	 * However, moving back the directory is denied because it would get
2443 	 * more access rights than the current state and because file creation
2444 	 * is forbidden (in dir_s2d2).
2445 	 */
2446 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2447 				RENAME_EXCHANGE));
2448 	ASSERT_EQ(EACCES, errno);
2449 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2450 				RENAME_EXCHANGE));
2451 	ASSERT_EQ(EACCES, errno);
2452 
2453 	reparent_exdev_layers_enforce2(_metadata);
2454 
2455 	/* Error predominance with file exchange: returns EXDEV and EACCES. */
2456 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
2457 				RENAME_EXCHANGE));
2458 	ASSERT_EQ(EACCES, errno);
2459 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
2460 				RENAME_EXCHANGE));
2461 	ASSERT_EQ(EACCES, errno);
2462 
2463 	/* Checks with directories which creation is now denied. */
2464 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
2465 				dir_file2_s2d3, RENAME_EXCHANGE));
2466 	ASSERT_EQ(EACCES, errno);
2467 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
2468 				dir_file1_s1d2, RENAME_EXCHANGE));
2469 	ASSERT_EQ(EACCES, errno);
2470 
2471 	/* Checks with different (child-only) access rights. */
2472 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
2473 				RENAME_EXCHANGE));
2474 	/* Denied because of MAKE_DIR. */
2475 	ASSERT_EQ(EACCES, errno);
2476 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
2477 				RENAME_EXCHANGE));
2478 	ASSERT_EQ(EACCES, errno);
2479 
2480 	/* Checks with different (child-only) access rights. */
2481 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
2482 				RENAME_EXCHANGE));
2483 	/* Denied because of MAKE_DIR. */
2484 	ASSERT_EQ(EACCES, errno);
2485 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
2486 				RENAME_EXCHANGE));
2487 	ASSERT_EQ(EACCES, errno);
2488 
2489 	/* See layout1.reparent_exdev_layers_exchange2 for complement. */
2490 }
2491 
2492 TEST_F_FORK(layout1, reparent_exdev_layers_exchange2)
2493 {
2494 	const char *const dir_file2_s2d3 = file2_s2d3;
2495 
2496 	ASSERT_EQ(0, unlink(file2_s2d3));
2497 	ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2498 
2499 	reparent_exdev_layers_enforce1(_metadata);
2500 	reparent_exdev_layers_enforce2(_metadata);
2501 
2502 	/* Checks that exchange between file and directory are consistent. */
2503 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2504 				RENAME_EXCHANGE));
2505 	ASSERT_EQ(EACCES, errno);
2506 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2507 				RENAME_EXCHANGE));
2508 	ASSERT_EQ(EACCES, errno);
2509 }
2510 
2511 TEST_F_FORK(layout1, reparent_exdev_layers_exchange3)
2512 {
2513 	const char *const dir_file2_s2d3 = file2_s2d3;
2514 
2515 	ASSERT_EQ(0, unlink(file2_s2d3));
2516 	ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2517 
2518 	reparent_exdev_layers_enforce1(_metadata);
2519 
2520 	/*
2521 	 * Checks that exchange between file and directory are consistent,
2522 	 * including with inverted arguments (see
2523 	 * layout1.reparent_exdev_layers_exchange1).
2524 	 */
2525 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2526 			       RENAME_EXCHANGE));
2527 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2528 				RENAME_EXCHANGE));
2529 	ASSERT_EQ(EACCES, errno);
2530 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2531 				RENAME_EXCHANGE));
2532 	ASSERT_EQ(EACCES, errno);
2533 }
2534 
2535 TEST_F_FORK(layout1, reparent_remove)
2536 {
2537 	const struct rule layer1[] = {
2538 		{
2539 			.path = dir_s1d1,
2540 			.access = LANDLOCK_ACCESS_FS_REFER |
2541 				  LANDLOCK_ACCESS_FS_REMOVE_DIR,
2542 		},
2543 		{
2544 			.path = dir_s1d2,
2545 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2546 		},
2547 		{
2548 			.path = dir_s2d1,
2549 			.access = LANDLOCK_ACCESS_FS_REFER |
2550 				  LANDLOCK_ACCESS_FS_REMOVE_FILE,
2551 		},
2552 		{},
2553 	};
2554 	const int ruleset_fd = create_ruleset(
2555 		_metadata,
2556 		LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_REMOVE_DIR |
2557 			LANDLOCK_ACCESS_FS_REMOVE_FILE,
2558 		layer1);
2559 
2560 	ASSERT_LE(0, ruleset_fd);
2561 	enforce_ruleset(_metadata, ruleset_fd);
2562 	ASSERT_EQ(0, close(ruleset_fd));
2563 
2564 	/* Access denied because of wrong/swapped remove file/dir. */
2565 	ASSERT_EQ(-1, rename(file1_s1d1, dir_s2d2));
2566 	ASSERT_EQ(EACCES, errno);
2567 	ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d1));
2568 	ASSERT_EQ(EACCES, errno);
2569 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d2,
2570 				RENAME_EXCHANGE));
2571 	ASSERT_EQ(EACCES, errno);
2572 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d3,
2573 				RENAME_EXCHANGE));
2574 	ASSERT_EQ(EACCES, errno);
2575 
2576 	/* Access allowed thanks to the matching rights. */
2577 	ASSERT_EQ(-1, rename(file1_s2d1, dir_s1d2));
2578 	ASSERT_EQ(EISDIR, errno);
2579 	ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d1));
2580 	ASSERT_EQ(ENOTDIR, errno);
2581 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
2582 	ASSERT_EQ(ENOTDIR, errno);
2583 	ASSERT_EQ(0, unlink(file1_s2d1));
2584 	ASSERT_EQ(0, unlink(file1_s1d3));
2585 	ASSERT_EQ(0, unlink(file2_s1d3));
2586 	ASSERT_EQ(0, rename(dir_s1d3, file1_s2d1));
2587 
2588 	/* Effectively removes a file and a directory by exchanging them. */
2589 	ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
2590 	ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
2591 			       RENAME_EXCHANGE));
2592 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
2593 				RENAME_EXCHANGE));
2594 	ASSERT_EQ(EACCES, errno);
2595 }
2596 
2597 TEST_F_FORK(layout1, reparent_dom_superset)
2598 {
2599 	const struct rule layer1[] = {
2600 		{
2601 			.path = dir_s1d2,
2602 			.access = LANDLOCK_ACCESS_FS_REFER,
2603 		},
2604 		{
2605 			.path = file1_s1d2,
2606 			.access = LANDLOCK_ACCESS_FS_EXECUTE,
2607 		},
2608 		{
2609 			.path = dir_s1d3,
2610 			.access = LANDLOCK_ACCESS_FS_MAKE_SOCK |
2611 				  LANDLOCK_ACCESS_FS_EXECUTE,
2612 		},
2613 		{
2614 			.path = dir_s2d2,
2615 			.access = LANDLOCK_ACCESS_FS_REFER |
2616 				  LANDLOCK_ACCESS_FS_EXECUTE |
2617 				  LANDLOCK_ACCESS_FS_MAKE_SOCK,
2618 		},
2619 		{
2620 			.path = dir_s2d3,
2621 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
2622 				  LANDLOCK_ACCESS_FS_MAKE_FIFO,
2623 		},
2624 		{},
2625 	};
2626 	int ruleset_fd = create_ruleset(_metadata,
2627 					LANDLOCK_ACCESS_FS_REFER |
2628 						LANDLOCK_ACCESS_FS_EXECUTE |
2629 						LANDLOCK_ACCESS_FS_MAKE_SOCK |
2630 						LANDLOCK_ACCESS_FS_READ_FILE |
2631 						LANDLOCK_ACCESS_FS_MAKE_FIFO,
2632 					layer1);
2633 
2634 	ASSERT_LE(0, ruleset_fd);
2635 	enforce_ruleset(_metadata, ruleset_fd);
2636 	ASSERT_EQ(0, close(ruleset_fd));
2637 
2638 	ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d1));
2639 	ASSERT_EQ(EXDEV, errno);
2640 	/*
2641 	 * Moving file1_s1d2 beneath dir_s2d3 would grant it the READ_FILE
2642 	 * access right.
2643 	 */
2644 	ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d3));
2645 	ASSERT_EQ(EXDEV, errno);
2646 	/*
2647 	 * Moving file1_s1d2 should be allowed even if dir_s2d2 grants a
2648 	 * superset of access rights compared to dir_s1d2, because file1_s1d2
2649 	 * already has these access rights anyway.
2650 	 */
2651 	ASSERT_EQ(0, rename(file1_s1d2, file1_s2d2));
2652 	ASSERT_EQ(0, rename(file1_s2d2, file1_s1d2));
2653 
2654 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
2655 	ASSERT_EQ(EXDEV, errno);
2656 	/*
2657 	 * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access
2658 	 * right.
2659 	 */
2660 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
2661 	ASSERT_EQ(EXDEV, errno);
2662 	/*
2663 	 * Moving dir_s1d3 should be allowed even if dir_s2d2 grants a superset
2664 	 * of access rights compared to dir_s1d2, because dir_s1d3 already has
2665 	 * these access rights anyway.
2666 	 */
2667 	ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
2668 	ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
2669 
2670 	/*
2671 	 * Moving file1_s2d3 beneath dir_s1d2 is allowed, but moving it back
2672 	 * will be denied because the new inherited access rights from dir_s1d2
2673 	 * will be less than the destination (original) dir_s2d3.  This is a
2674 	 * sinkhole scenario where we cannot move back files or directories.
2675 	 */
2676 	ASSERT_EQ(0, rename(file1_s2d3, file2_s1d2));
2677 	ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
2678 	ASSERT_EQ(EXDEV, errno);
2679 	ASSERT_EQ(0, unlink(file2_s1d2));
2680 	ASSERT_EQ(0, unlink(file2_s2d3));
2681 	/*
2682 	 * Checks similar directory one-way move: dir_s2d3 loses EXECUTE and
2683 	 * MAKE_SOCK which were inherited from dir_s1d3.
2684 	 */
2685 	ASSERT_EQ(0, rename(dir_s2d3, file2_s1d2));
2686 	ASSERT_EQ(-1, rename(file2_s1d2, dir_s2d3));
2687 	ASSERT_EQ(EXDEV, errno);
2688 }
2689 
2690 TEST_F_FORK(layout1, remove_dir)
2691 {
2692 	const struct rule rules[] = {
2693 		{
2694 			.path = dir_s1d2,
2695 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2696 		},
2697 		{},
2698 	};
2699 	const int ruleset_fd =
2700 		create_ruleset(_metadata, rules[0].access, rules);
2701 
2702 	ASSERT_LE(0, ruleset_fd);
2703 
2704 	ASSERT_EQ(0, unlink(file1_s1d1));
2705 	ASSERT_EQ(0, unlink(file1_s1d2));
2706 	ASSERT_EQ(0, unlink(file1_s1d3));
2707 	ASSERT_EQ(0, unlink(file2_s1d3));
2708 
2709 	enforce_ruleset(_metadata, ruleset_fd);
2710 	ASSERT_EQ(0, close(ruleset_fd));
2711 
2712 	ASSERT_EQ(0, rmdir(dir_s1d3));
2713 	ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
2714 	ASSERT_EQ(0, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR));
2715 
2716 	/* dir_s1d2 itself cannot be removed. */
2717 	ASSERT_EQ(-1, rmdir(dir_s1d2));
2718 	ASSERT_EQ(EACCES, errno);
2719 	ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d2, AT_REMOVEDIR));
2720 	ASSERT_EQ(EACCES, errno);
2721 	ASSERT_EQ(-1, rmdir(dir_s1d1));
2722 	ASSERT_EQ(EACCES, errno);
2723 	ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d1, AT_REMOVEDIR));
2724 	ASSERT_EQ(EACCES, errno);
2725 }
2726 
2727 TEST_F_FORK(layout1, remove_file)
2728 {
2729 	const struct rule rules[] = {
2730 		{
2731 			.path = dir_s1d2,
2732 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2733 		},
2734 		{},
2735 	};
2736 	const int ruleset_fd =
2737 		create_ruleset(_metadata, rules[0].access, rules);
2738 
2739 	ASSERT_LE(0, ruleset_fd);
2740 	enforce_ruleset(_metadata, ruleset_fd);
2741 	ASSERT_EQ(0, close(ruleset_fd));
2742 
2743 	ASSERT_EQ(-1, unlink(file1_s1d1));
2744 	ASSERT_EQ(EACCES, errno);
2745 	ASSERT_EQ(-1, unlinkat(AT_FDCWD, file1_s1d1, 0));
2746 	ASSERT_EQ(EACCES, errno);
2747 	ASSERT_EQ(0, unlink(file1_s1d2));
2748 	ASSERT_EQ(0, unlinkat(AT_FDCWD, file1_s1d3, 0));
2749 }
2750 
2751 static void test_make_file(struct __test_metadata *const _metadata,
2752 			   const __u64 access, const mode_t mode,
2753 			   const dev_t dev)
2754 {
2755 	const struct rule rules[] = {
2756 		{
2757 			.path = dir_s1d2,
2758 			.access = access,
2759 		},
2760 		{},
2761 	};
2762 	const int ruleset_fd = create_ruleset(_metadata, access, rules);
2763 
2764 	ASSERT_LE(0, ruleset_fd);
2765 
2766 	ASSERT_EQ(0, unlink(file1_s1d1));
2767 	ASSERT_EQ(0, unlink(file2_s1d1));
2768 	ASSERT_EQ(0, mknod(file2_s1d1, mode | 0400, dev))
2769 	{
2770 		TH_LOG("Failed to make file \"%s\": %s", file2_s1d1,
2771 		       strerror(errno));
2772 	};
2773 
2774 	ASSERT_EQ(0, unlink(file1_s1d2));
2775 	ASSERT_EQ(0, unlink(file2_s1d2));
2776 
2777 	ASSERT_EQ(0, unlink(file1_s1d3));
2778 	ASSERT_EQ(0, unlink(file2_s1d3));
2779 
2780 	enforce_ruleset(_metadata, ruleset_fd);
2781 	ASSERT_EQ(0, close(ruleset_fd));
2782 
2783 	ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev));
2784 	ASSERT_EQ(EACCES, errno);
2785 	ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
2786 	ASSERT_EQ(EACCES, errno);
2787 	ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
2788 	ASSERT_EQ(EACCES, errno);
2789 
2790 	ASSERT_EQ(0, mknod(file1_s1d2, mode | 0400, dev))
2791 	{
2792 		TH_LOG("Failed to make file \"%s\": %s", file1_s1d2,
2793 		       strerror(errno));
2794 	};
2795 	ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
2796 	ASSERT_EQ(0, unlink(file2_s1d2));
2797 	ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
2798 
2799 	ASSERT_EQ(0, mknod(file1_s1d3, mode | 0400, dev));
2800 	ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
2801 	ASSERT_EQ(0, unlink(file2_s1d3));
2802 	ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
2803 }
2804 
2805 TEST_F_FORK(layout1, make_char)
2806 {
2807 	/* Creates a /dev/null device. */
2808 	set_cap(_metadata, CAP_MKNOD);
2809 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR,
2810 		       makedev(1, 3));
2811 }
2812 
2813 TEST_F_FORK(layout1, make_block)
2814 {
2815 	/* Creates a /dev/loop0 device. */
2816 	set_cap(_metadata, CAP_MKNOD);
2817 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK,
2818 		       makedev(7, 0));
2819 }
2820 
2821 TEST_F_FORK(layout1, make_reg_1)
2822 {
2823 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0);
2824 }
2825 
2826 TEST_F_FORK(layout1, make_reg_2)
2827 {
2828 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, 0, 0);
2829 }
2830 
2831 TEST_F_FORK(layout1, make_sock)
2832 {
2833 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0);
2834 }
2835 
2836 TEST_F_FORK(layout1, make_fifo)
2837 {
2838 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0);
2839 }
2840 
2841 TEST_F_FORK(layout1, make_sym)
2842 {
2843 	const struct rule rules[] = {
2844 		{
2845 			.path = dir_s1d2,
2846 			.access = LANDLOCK_ACCESS_FS_MAKE_SYM,
2847 		},
2848 		{},
2849 	};
2850 	const int ruleset_fd =
2851 		create_ruleset(_metadata, rules[0].access, rules);
2852 
2853 	ASSERT_LE(0, ruleset_fd);
2854 
2855 	ASSERT_EQ(0, unlink(file1_s1d1));
2856 	ASSERT_EQ(0, unlink(file2_s1d1));
2857 	ASSERT_EQ(0, symlink("none", file2_s1d1));
2858 
2859 	ASSERT_EQ(0, unlink(file1_s1d2));
2860 	ASSERT_EQ(0, unlink(file2_s1d2));
2861 
2862 	ASSERT_EQ(0, unlink(file1_s1d3));
2863 	ASSERT_EQ(0, unlink(file2_s1d3));
2864 
2865 	enforce_ruleset(_metadata, ruleset_fd);
2866 	ASSERT_EQ(0, close(ruleset_fd));
2867 
2868 	ASSERT_EQ(-1, symlink("none", file1_s1d1));
2869 	ASSERT_EQ(EACCES, errno);
2870 	ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
2871 	ASSERT_EQ(EACCES, errno);
2872 	ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
2873 	ASSERT_EQ(EACCES, errno);
2874 
2875 	ASSERT_EQ(0, symlink("none", file1_s1d2));
2876 	ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
2877 	ASSERT_EQ(0, unlink(file2_s1d2));
2878 	ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
2879 
2880 	ASSERT_EQ(0, symlink("none", file1_s1d3));
2881 	ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
2882 	ASSERT_EQ(0, unlink(file2_s1d3));
2883 	ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
2884 }
2885 
2886 TEST_F_FORK(layout1, make_dir)
2887 {
2888 	const struct rule rules[] = {
2889 		{
2890 			.path = dir_s1d2,
2891 			.access = LANDLOCK_ACCESS_FS_MAKE_DIR,
2892 		},
2893 		{},
2894 	};
2895 	const int ruleset_fd =
2896 		create_ruleset(_metadata, rules[0].access, rules);
2897 
2898 	ASSERT_LE(0, ruleset_fd);
2899 
2900 	ASSERT_EQ(0, unlink(file1_s1d1));
2901 	ASSERT_EQ(0, unlink(file1_s1d2));
2902 	ASSERT_EQ(0, unlink(file1_s1d3));
2903 
2904 	enforce_ruleset(_metadata, ruleset_fd);
2905 	ASSERT_EQ(0, close(ruleset_fd));
2906 
2907 	/* Uses file_* as directory names. */
2908 	ASSERT_EQ(-1, mkdir(file1_s1d1, 0700));
2909 	ASSERT_EQ(EACCES, errno);
2910 	ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
2911 	ASSERT_EQ(0, mkdir(file1_s1d3, 0700));
2912 }
2913 
2914 static int open_proc_fd(struct __test_metadata *const _metadata, const int fd,
2915 			const int open_flags)
2916 {
2917 	static const char path_template[] = "/proc/self/fd/%d";
2918 	char procfd_path[sizeof(path_template) + 10];
2919 	const int procfd_path_size =
2920 		snprintf(procfd_path, sizeof(procfd_path), path_template, fd);
2921 
2922 	ASSERT_LT(procfd_path_size, sizeof(procfd_path));
2923 	return open(procfd_path, open_flags);
2924 }
2925 
2926 TEST_F_FORK(layout1, proc_unlinked_file)
2927 {
2928 	const struct rule rules[] = {
2929 		{
2930 			.path = file1_s1d2,
2931 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
2932 		},
2933 		{},
2934 	};
2935 	int reg_fd, proc_fd;
2936 	const int ruleset_fd = create_ruleset(
2937 		_metadata,
2938 		LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE,
2939 		rules);
2940 
2941 	ASSERT_LE(0, ruleset_fd);
2942 	enforce_ruleset(_metadata, ruleset_fd);
2943 	ASSERT_EQ(0, close(ruleset_fd));
2944 
2945 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
2946 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
2947 	reg_fd = open(file1_s1d2, O_RDONLY | O_CLOEXEC);
2948 	ASSERT_LE(0, reg_fd);
2949 	ASSERT_EQ(0, unlink(file1_s1d2));
2950 
2951 	proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC);
2952 	ASSERT_LE(0, proc_fd);
2953 	ASSERT_EQ(0, close(proc_fd));
2954 
2955 	proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC);
2956 	ASSERT_EQ(-1, proc_fd)
2957 	{
2958 		TH_LOG("Successfully opened /proc/self/fd/%d: %s", reg_fd,
2959 		       strerror(errno));
2960 	}
2961 	ASSERT_EQ(EACCES, errno);
2962 
2963 	ASSERT_EQ(0, close(reg_fd));
2964 }
2965 
2966 TEST_F_FORK(layout1, proc_pipe)
2967 {
2968 	int proc_fd;
2969 	int pipe_fds[2];
2970 	char buf = '\0';
2971 	const struct rule rules[] = {
2972 		{
2973 			.path = dir_s1d2,
2974 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
2975 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
2976 		},
2977 		{},
2978 	};
2979 	/* Limits read and write access to files tied to the filesystem. */
2980 	const int ruleset_fd =
2981 		create_ruleset(_metadata, rules[0].access, rules);
2982 
2983 	ASSERT_LE(0, ruleset_fd);
2984 	enforce_ruleset(_metadata, ruleset_fd);
2985 	ASSERT_EQ(0, close(ruleset_fd));
2986 
2987 	/* Checks enforcement for normal files. */
2988 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
2989 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
2990 
2991 	/* Checks access to pipes through FD. */
2992 	ASSERT_EQ(0, pipe2(pipe_fds, O_CLOEXEC));
2993 	ASSERT_EQ(1, write(pipe_fds[1], ".", 1))
2994 	{
2995 		TH_LOG("Failed to write in pipe: %s", strerror(errno));
2996 	}
2997 	ASSERT_EQ(1, read(pipe_fds[0], &buf, 1));
2998 	ASSERT_EQ('.', buf);
2999 
3000 	/* Checks write access to pipe through /proc/self/fd . */
3001 	proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC);
3002 	ASSERT_LE(0, proc_fd);
3003 	ASSERT_EQ(1, write(proc_fd, ".", 1))
3004 	{
3005 		TH_LOG("Failed to write through /proc/self/fd/%d: %s",
3006 		       pipe_fds[1], strerror(errno));
3007 	}
3008 	ASSERT_EQ(0, close(proc_fd));
3009 
3010 	/* Checks read access to pipe through /proc/self/fd . */
3011 	proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC);
3012 	ASSERT_LE(0, proc_fd);
3013 	buf = '\0';
3014 	ASSERT_EQ(1, read(proc_fd, &buf, 1))
3015 	{
3016 		TH_LOG("Failed to read through /proc/self/fd/%d: %s",
3017 		       pipe_fds[1], strerror(errno));
3018 	}
3019 	ASSERT_EQ(0, close(proc_fd));
3020 
3021 	ASSERT_EQ(0, close(pipe_fds[0]));
3022 	ASSERT_EQ(0, close(pipe_fds[1]));
3023 }
3024 
3025 /* clang-format off */
3026 FIXTURE(layout1_bind) {};
3027 /* clang-format on */
3028 
3029 FIXTURE_SETUP(layout1_bind)
3030 {
3031 	prepare_layout(_metadata);
3032 
3033 	create_layout1(_metadata);
3034 
3035 	set_cap(_metadata, CAP_SYS_ADMIN);
3036 	ASSERT_EQ(0, mount(dir_s1d2, dir_s2d2, NULL, MS_BIND, NULL));
3037 	clear_cap(_metadata, CAP_SYS_ADMIN);
3038 }
3039 
3040 FIXTURE_TEARDOWN(layout1_bind)
3041 {
3042 	set_cap(_metadata, CAP_SYS_ADMIN);
3043 	EXPECT_EQ(0, umount(dir_s2d2));
3044 	clear_cap(_metadata, CAP_SYS_ADMIN);
3045 
3046 	remove_layout1(_metadata);
3047 
3048 	cleanup_layout(_metadata);
3049 }
3050 
3051 static const char bind_dir_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3";
3052 static const char bind_file1_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3/f1";
3053 
3054 /*
3055  * layout1_bind hierarchy:
3056  *
3057  * tmp
3058  * ├── s1d1
3059  * │   ├── f1
3060  * │   ├── f2
3061  * │   └── s1d2
3062  * │       ├── f1
3063  * │       ├── f2
3064  * │       └── s1d3
3065  * │           ├── f1
3066  * │           └── f2
3067  * ├── s2d1
3068  * │   ├── f1
3069  * │   └── s2d2
3070  * │       ├── f1
3071  * │       ├── f2
3072  * │       └── s1d3
3073  * │           ├── f1
3074  * │           └── f2
3075  * └── s3d1
3076  *     └── s3d2
3077  *         └── s3d3
3078  */
3079 
3080 TEST_F_FORK(layout1_bind, no_restriction)
3081 {
3082 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
3083 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
3084 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
3085 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
3086 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
3087 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
3088 
3089 	ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
3090 	ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
3091 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
3092 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
3093 	ASSERT_EQ(ENOENT, test_open(dir_s2d3, O_RDONLY));
3094 	ASSERT_EQ(ENOENT, test_open(file1_s2d3, O_RDONLY));
3095 
3096 	ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY));
3097 	ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
3098 
3099 	ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
3100 }
3101 
3102 TEST_F_FORK(layout1_bind, same_content_same_file)
3103 {
3104 	/*
3105 	 * Sets access right on parent directories of both source and
3106 	 * destination mount points.
3107 	 */
3108 	const struct rule layer1_parent[] = {
3109 		{
3110 			.path = dir_s1d1,
3111 			.access = ACCESS_RO,
3112 		},
3113 		{
3114 			.path = dir_s2d1,
3115 			.access = ACCESS_RW,
3116 		},
3117 		{},
3118 	};
3119 	/*
3120 	 * Sets access rights on the same bind-mounted directories.  The result
3121 	 * should be ACCESS_RW for both directories, but not both hierarchies
3122 	 * because of the first layer.
3123 	 */
3124 	const struct rule layer2_mount_point[] = {
3125 		{
3126 			.path = dir_s1d2,
3127 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3128 		},
3129 		{
3130 			.path = dir_s2d2,
3131 			.access = ACCESS_RW,
3132 		},
3133 		{},
3134 	};
3135 	/* Only allow read-access to the s1d3 hierarchies. */
3136 	const struct rule layer3_source[] = {
3137 		{
3138 			.path = dir_s1d3,
3139 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3140 		},
3141 		{},
3142 	};
3143 	/* Removes all access rights. */
3144 	const struct rule layer4_destination[] = {
3145 		{
3146 			.path = bind_file1_s1d3,
3147 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3148 		},
3149 		{},
3150 	};
3151 	int ruleset_fd;
3152 
3153 	/* Sets rules for the parent directories. */
3154 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_parent);
3155 	ASSERT_LE(0, ruleset_fd);
3156 	enforce_ruleset(_metadata, ruleset_fd);
3157 	ASSERT_EQ(0, close(ruleset_fd));
3158 
3159 	/* Checks source hierarchy. */
3160 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
3161 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
3162 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
3163 
3164 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
3165 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
3166 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
3167 
3168 	/* Checks destination hierarchy. */
3169 	ASSERT_EQ(0, test_open(file1_s2d1, O_RDWR));
3170 	ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
3171 
3172 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
3173 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
3174 
3175 	/* Sets rules for the mount points. */
3176 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_mount_point);
3177 	ASSERT_LE(0, ruleset_fd);
3178 	enforce_ruleset(_metadata, ruleset_fd);
3179 	ASSERT_EQ(0, close(ruleset_fd));
3180 
3181 	/* Checks source hierarchy. */
3182 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
3183 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
3184 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
3185 
3186 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
3187 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
3188 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
3189 
3190 	/* Checks destination hierarchy. */
3191 	ASSERT_EQ(EACCES, test_open(file1_s2d1, O_RDONLY));
3192 	ASSERT_EQ(EACCES, test_open(file1_s2d1, O_WRONLY));
3193 	ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
3194 
3195 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
3196 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
3197 	ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
3198 
3199 	/* Sets a (shared) rule only on the source. */
3200 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_source);
3201 	ASSERT_LE(0, ruleset_fd);
3202 	enforce_ruleset(_metadata, ruleset_fd);
3203 	ASSERT_EQ(0, close(ruleset_fd));
3204 
3205 	/* Checks source hierarchy. */
3206 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
3207 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
3208 	ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
3209 
3210 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
3211 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
3212 	ASSERT_EQ(EACCES, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
3213 
3214 	/* Checks destination hierarchy. */
3215 	ASSERT_EQ(EACCES, test_open(file1_s2d2, O_RDONLY));
3216 	ASSERT_EQ(EACCES, test_open(file1_s2d2, O_WRONLY));
3217 	ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
3218 
3219 	ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
3220 	ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
3221 	ASSERT_EQ(EACCES, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
3222 
3223 	/* Sets a (shared) rule only on the destination. */
3224 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_destination);
3225 	ASSERT_LE(0, ruleset_fd);
3226 	enforce_ruleset(_metadata, ruleset_fd);
3227 	ASSERT_EQ(0, close(ruleset_fd));
3228 
3229 	/* Checks source hierarchy. */
3230 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
3231 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
3232 
3233 	/* Checks destination hierarchy. */
3234 	ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_RDONLY));
3235 	ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
3236 }
3237 
3238 TEST_F_FORK(layout1_bind, reparent_cross_mount)
3239 {
3240 	const struct rule layer1[] = {
3241 		{
3242 			/* dir_s2d1 is beneath the dir_s2d2 mount point. */
3243 			.path = dir_s2d1,
3244 			.access = LANDLOCK_ACCESS_FS_REFER,
3245 		},
3246 		{
3247 			.path = bind_dir_s1d3,
3248 			.access = LANDLOCK_ACCESS_FS_EXECUTE,
3249 		},
3250 		{},
3251 	};
3252 	int ruleset_fd = create_ruleset(
3253 		_metadata,
3254 		LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_EXECUTE, layer1);
3255 
3256 	ASSERT_LE(0, ruleset_fd);
3257 	enforce_ruleset(_metadata, ruleset_fd);
3258 	ASSERT_EQ(0, close(ruleset_fd));
3259 
3260 	/* Checks basic denied move. */
3261 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s1d2));
3262 	ASSERT_EQ(EXDEV, errno);
3263 
3264 	/* Checks real cross-mount move (Landlock is not involved). */
3265 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s2d2));
3266 	ASSERT_EQ(EXDEV, errno);
3267 
3268 	/* Checks move that will give more accesses. */
3269 	ASSERT_EQ(-1, rename(file1_s2d2, bind_file1_s1d3));
3270 	ASSERT_EQ(EXDEV, errno);
3271 
3272 	/* Checks legitimate downgrade move. */
3273 	ASSERT_EQ(0, rename(bind_file1_s1d3, file1_s2d2));
3274 }
3275 
3276 #define LOWER_BASE TMP_DIR "/lower"
3277 #define LOWER_DATA LOWER_BASE "/data"
3278 static const char lower_fl1[] = LOWER_DATA "/fl1";
3279 static const char lower_dl1[] = LOWER_DATA "/dl1";
3280 static const char lower_dl1_fl2[] = LOWER_DATA "/dl1/fl2";
3281 static const char lower_fo1[] = LOWER_DATA "/fo1";
3282 static const char lower_do1[] = LOWER_DATA "/do1";
3283 static const char lower_do1_fo2[] = LOWER_DATA "/do1/fo2";
3284 static const char lower_do1_fl3[] = LOWER_DATA "/do1/fl3";
3285 
3286 static const char (*lower_base_files[])[] = {
3287 	&lower_fl1,
3288 	&lower_fo1,
3289 	NULL,
3290 };
3291 static const char (*lower_base_directories[])[] = {
3292 	&lower_dl1,
3293 	&lower_do1,
3294 	NULL,
3295 };
3296 static const char (*lower_sub_files[])[] = {
3297 	&lower_dl1_fl2,
3298 	&lower_do1_fo2,
3299 	&lower_do1_fl3,
3300 	NULL,
3301 };
3302 
3303 #define UPPER_BASE TMP_DIR "/upper"
3304 #define UPPER_DATA UPPER_BASE "/data"
3305 #define UPPER_WORK UPPER_BASE "/work"
3306 static const char upper_fu1[] = UPPER_DATA "/fu1";
3307 static const char upper_du1[] = UPPER_DATA "/du1";
3308 static const char upper_du1_fu2[] = UPPER_DATA "/du1/fu2";
3309 static const char upper_fo1[] = UPPER_DATA "/fo1";
3310 static const char upper_do1[] = UPPER_DATA "/do1";
3311 static const char upper_do1_fo2[] = UPPER_DATA "/do1/fo2";
3312 static const char upper_do1_fu3[] = UPPER_DATA "/do1/fu3";
3313 
3314 static const char (*upper_base_files[])[] = {
3315 	&upper_fu1,
3316 	&upper_fo1,
3317 	NULL,
3318 };
3319 static const char (*upper_base_directories[])[] = {
3320 	&upper_du1,
3321 	&upper_do1,
3322 	NULL,
3323 };
3324 static const char (*upper_sub_files[])[] = {
3325 	&upper_du1_fu2,
3326 	&upper_do1_fo2,
3327 	&upper_do1_fu3,
3328 	NULL,
3329 };
3330 
3331 #define MERGE_BASE TMP_DIR "/merge"
3332 #define MERGE_DATA MERGE_BASE "/data"
3333 static const char merge_fl1[] = MERGE_DATA "/fl1";
3334 static const char merge_dl1[] = MERGE_DATA "/dl1";
3335 static const char merge_dl1_fl2[] = MERGE_DATA "/dl1/fl2";
3336 static const char merge_fu1[] = MERGE_DATA "/fu1";
3337 static const char merge_du1[] = MERGE_DATA "/du1";
3338 static const char merge_du1_fu2[] = MERGE_DATA "/du1/fu2";
3339 static const char merge_fo1[] = MERGE_DATA "/fo1";
3340 static const char merge_do1[] = MERGE_DATA "/do1";
3341 static const char merge_do1_fo2[] = MERGE_DATA "/do1/fo2";
3342 static const char merge_do1_fl3[] = MERGE_DATA "/do1/fl3";
3343 static const char merge_do1_fu3[] = MERGE_DATA "/do1/fu3";
3344 
3345 static const char (*merge_base_files[])[] = {
3346 	&merge_fl1,
3347 	&merge_fu1,
3348 	&merge_fo1,
3349 	NULL,
3350 };
3351 static const char (*merge_base_directories[])[] = {
3352 	&merge_dl1,
3353 	&merge_du1,
3354 	&merge_do1,
3355 	NULL,
3356 };
3357 static const char (*merge_sub_files[])[] = {
3358 	&merge_dl1_fl2, &merge_du1_fu2, &merge_do1_fo2,
3359 	&merge_do1_fl3, &merge_do1_fu3, NULL,
3360 };
3361 
3362 /*
3363  * layout2_overlay hierarchy:
3364  *
3365  * tmp
3366  * ├── lower
3367  * │   └── data
3368  * │       ├── dl1
3369  * │       │   └── fl2
3370  * │       ├── do1
3371  * │       │   ├── fl3
3372  * │       │   └── fo2
3373  * │       ├── fl1
3374  * │       └── fo1
3375  * ├── merge
3376  * │   └── data
3377  * │       ├── dl1
3378  * │       │   └── fl2
3379  * │       ├── do1
3380  * │       │   ├── fl3
3381  * │       │   ├── fo2
3382  * │       │   └── fu3
3383  * │       ├── du1
3384  * │       │   └── fu2
3385  * │       ├── fl1
3386  * │       ├── fo1
3387  * │       └── fu1
3388  * └── upper
3389  *     ├── data
3390  *     │   ├── do1
3391  *     │   │   ├── fo2
3392  *     │   │   └── fu3
3393  *     │   ├── du1
3394  *     │   │   └── fu2
3395  *     │   ├── fo1
3396  *     │   └── fu1
3397  *     └── work
3398  *         └── work
3399  */
3400 
3401 /* clang-format off */
3402 FIXTURE(layout2_overlay) {};
3403 /* clang-format on */
3404 
3405 FIXTURE_SETUP(layout2_overlay)
3406 {
3407 	prepare_layout(_metadata);
3408 
3409 	create_directory(_metadata, LOWER_BASE);
3410 	set_cap(_metadata, CAP_SYS_ADMIN);
3411 	/* Creates tmpfs mount points to get deterministic overlayfs. */
3412 	ASSERT_EQ(0, mount("tmp", LOWER_BASE, "tmpfs", 0, "size=4m,mode=700"));
3413 	clear_cap(_metadata, CAP_SYS_ADMIN);
3414 	create_file(_metadata, lower_fl1);
3415 	create_file(_metadata, lower_dl1_fl2);
3416 	create_file(_metadata, lower_fo1);
3417 	create_file(_metadata, lower_do1_fo2);
3418 	create_file(_metadata, lower_do1_fl3);
3419 
3420 	create_directory(_metadata, UPPER_BASE);
3421 	set_cap(_metadata, CAP_SYS_ADMIN);
3422 	ASSERT_EQ(0, mount("tmp", UPPER_BASE, "tmpfs", 0, "size=4m,mode=700"));
3423 	clear_cap(_metadata, CAP_SYS_ADMIN);
3424 	create_file(_metadata, upper_fu1);
3425 	create_file(_metadata, upper_du1_fu2);
3426 	create_file(_metadata, upper_fo1);
3427 	create_file(_metadata, upper_do1_fo2);
3428 	create_file(_metadata, upper_do1_fu3);
3429 	ASSERT_EQ(0, mkdir(UPPER_WORK, 0700));
3430 
3431 	create_directory(_metadata, MERGE_DATA);
3432 	set_cap(_metadata, CAP_SYS_ADMIN);
3433 	set_cap(_metadata, CAP_DAC_OVERRIDE);
3434 	ASSERT_EQ(0, mount("overlay", MERGE_DATA, "overlay", 0,
3435 			   "lowerdir=" LOWER_DATA ",upperdir=" UPPER_DATA
3436 			   ",workdir=" UPPER_WORK));
3437 	clear_cap(_metadata, CAP_DAC_OVERRIDE);
3438 	clear_cap(_metadata, CAP_SYS_ADMIN);
3439 }
3440 
3441 FIXTURE_TEARDOWN(layout2_overlay)
3442 {
3443 	EXPECT_EQ(0, remove_path(lower_do1_fl3));
3444 	EXPECT_EQ(0, remove_path(lower_dl1_fl2));
3445 	EXPECT_EQ(0, remove_path(lower_fl1));
3446 	EXPECT_EQ(0, remove_path(lower_do1_fo2));
3447 	EXPECT_EQ(0, remove_path(lower_fo1));
3448 	set_cap(_metadata, CAP_SYS_ADMIN);
3449 	EXPECT_EQ(0, umount(LOWER_BASE));
3450 	clear_cap(_metadata, CAP_SYS_ADMIN);
3451 	EXPECT_EQ(0, remove_path(LOWER_BASE));
3452 
3453 	EXPECT_EQ(0, remove_path(upper_do1_fu3));
3454 	EXPECT_EQ(0, remove_path(upper_du1_fu2));
3455 	EXPECT_EQ(0, remove_path(upper_fu1));
3456 	EXPECT_EQ(0, remove_path(upper_do1_fo2));
3457 	EXPECT_EQ(0, remove_path(upper_fo1));
3458 	EXPECT_EQ(0, remove_path(UPPER_WORK "/work"));
3459 	set_cap(_metadata, CAP_SYS_ADMIN);
3460 	EXPECT_EQ(0, umount(UPPER_BASE));
3461 	clear_cap(_metadata, CAP_SYS_ADMIN);
3462 	EXPECT_EQ(0, remove_path(UPPER_BASE));
3463 
3464 	set_cap(_metadata, CAP_SYS_ADMIN);
3465 	EXPECT_EQ(0, umount(MERGE_DATA));
3466 	clear_cap(_metadata, CAP_SYS_ADMIN);
3467 	EXPECT_EQ(0, remove_path(MERGE_DATA));
3468 
3469 	cleanup_layout(_metadata);
3470 }
3471 
3472 TEST_F_FORK(layout2_overlay, no_restriction)
3473 {
3474 	ASSERT_EQ(0, test_open(lower_fl1, O_RDONLY));
3475 	ASSERT_EQ(0, test_open(lower_dl1, O_RDONLY));
3476 	ASSERT_EQ(0, test_open(lower_dl1_fl2, O_RDONLY));
3477 	ASSERT_EQ(0, test_open(lower_fo1, O_RDONLY));
3478 	ASSERT_EQ(0, test_open(lower_do1, O_RDONLY));
3479 	ASSERT_EQ(0, test_open(lower_do1_fo2, O_RDONLY));
3480 	ASSERT_EQ(0, test_open(lower_do1_fl3, O_RDONLY));
3481 
3482 	ASSERT_EQ(0, test_open(upper_fu1, O_RDONLY));
3483 	ASSERT_EQ(0, test_open(upper_du1, O_RDONLY));
3484 	ASSERT_EQ(0, test_open(upper_du1_fu2, O_RDONLY));
3485 	ASSERT_EQ(0, test_open(upper_fo1, O_RDONLY));
3486 	ASSERT_EQ(0, test_open(upper_do1, O_RDONLY));
3487 	ASSERT_EQ(0, test_open(upper_do1_fo2, O_RDONLY));
3488 	ASSERT_EQ(0, test_open(upper_do1_fu3, O_RDONLY));
3489 
3490 	ASSERT_EQ(0, test_open(merge_fl1, O_RDONLY));
3491 	ASSERT_EQ(0, test_open(merge_dl1, O_RDONLY));
3492 	ASSERT_EQ(0, test_open(merge_dl1_fl2, O_RDONLY));
3493 	ASSERT_EQ(0, test_open(merge_fu1, O_RDONLY));
3494 	ASSERT_EQ(0, test_open(merge_du1, O_RDONLY));
3495 	ASSERT_EQ(0, test_open(merge_du1_fu2, O_RDONLY));
3496 	ASSERT_EQ(0, test_open(merge_fo1, O_RDONLY));
3497 	ASSERT_EQ(0, test_open(merge_do1, O_RDONLY));
3498 	ASSERT_EQ(0, test_open(merge_do1_fo2, O_RDONLY));
3499 	ASSERT_EQ(0, test_open(merge_do1_fl3, O_RDONLY));
3500 	ASSERT_EQ(0, test_open(merge_do1_fu3, O_RDONLY));
3501 }
3502 
3503 #define for_each_path(path_list, path_entry, i)               \
3504 	for (i = 0, path_entry = *path_list[i]; path_list[i]; \
3505 	     path_entry = *path_list[++i])
3506 
3507 TEST_F_FORK(layout2_overlay, same_content_different_file)
3508 {
3509 	/* Sets access right on parent directories of both layers. */
3510 	const struct rule layer1_base[] = {
3511 		{
3512 			.path = LOWER_BASE,
3513 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3514 		},
3515 		{
3516 			.path = UPPER_BASE,
3517 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3518 		},
3519 		{
3520 			.path = MERGE_BASE,
3521 			.access = ACCESS_RW,
3522 		},
3523 		{},
3524 	};
3525 	const struct rule layer2_data[] = {
3526 		{
3527 			.path = LOWER_DATA,
3528 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3529 		},
3530 		{
3531 			.path = UPPER_DATA,
3532 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3533 		},
3534 		{
3535 			.path = MERGE_DATA,
3536 			.access = ACCESS_RW,
3537 		},
3538 		{},
3539 	};
3540 	/* Sets access right on directories inside both layers. */
3541 	const struct rule layer3_subdirs[] = {
3542 		{
3543 			.path = lower_dl1,
3544 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3545 		},
3546 		{
3547 			.path = lower_do1,
3548 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3549 		},
3550 		{
3551 			.path = upper_du1,
3552 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3553 		},
3554 		{
3555 			.path = upper_do1,
3556 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3557 		},
3558 		{
3559 			.path = merge_dl1,
3560 			.access = ACCESS_RW,
3561 		},
3562 		{
3563 			.path = merge_du1,
3564 			.access = ACCESS_RW,
3565 		},
3566 		{
3567 			.path = merge_do1,
3568 			.access = ACCESS_RW,
3569 		},
3570 		{},
3571 	};
3572 	/* Tighten access rights to the files. */
3573 	const struct rule layer4_files[] = {
3574 		{
3575 			.path = lower_dl1_fl2,
3576 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3577 		},
3578 		{
3579 			.path = lower_do1_fo2,
3580 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3581 		},
3582 		{
3583 			.path = lower_do1_fl3,
3584 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3585 		},
3586 		{
3587 			.path = upper_du1_fu2,
3588 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3589 		},
3590 		{
3591 			.path = upper_do1_fo2,
3592 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3593 		},
3594 		{
3595 			.path = upper_do1_fu3,
3596 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3597 		},
3598 		{
3599 			.path = merge_dl1_fl2,
3600 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3601 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
3602 		},
3603 		{
3604 			.path = merge_du1_fu2,
3605 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3606 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
3607 		},
3608 		{
3609 			.path = merge_do1_fo2,
3610 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3611 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
3612 		},
3613 		{
3614 			.path = merge_do1_fl3,
3615 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3616 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
3617 		},
3618 		{
3619 			.path = merge_do1_fu3,
3620 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3621 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
3622 		},
3623 		{},
3624 	};
3625 	const struct rule layer5_merge_only[] = {
3626 		{
3627 			.path = MERGE_DATA,
3628 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3629 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
3630 		},
3631 		{},
3632 	};
3633 	int ruleset_fd;
3634 	size_t i;
3635 	const char *path_entry;
3636 
3637 	/* Sets rules on base directories (i.e. outside overlay scope). */
3638 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
3639 	ASSERT_LE(0, ruleset_fd);
3640 	enforce_ruleset(_metadata, ruleset_fd);
3641 	ASSERT_EQ(0, close(ruleset_fd));
3642 
3643 	/* Checks lower layer. */
3644 	for_each_path(lower_base_files, path_entry, i) {
3645 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3646 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3647 	}
3648 	for_each_path(lower_base_directories, path_entry, i) {
3649 		ASSERT_EQ(EACCES,
3650 			  test_open(path_entry, O_RDONLY | O_DIRECTORY));
3651 	}
3652 	for_each_path(lower_sub_files, path_entry, i) {
3653 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3654 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3655 	}
3656 	/* Checks upper layer. */
3657 	for_each_path(upper_base_files, path_entry, i) {
3658 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3659 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3660 	}
3661 	for_each_path(upper_base_directories, path_entry, i) {
3662 		ASSERT_EQ(EACCES,
3663 			  test_open(path_entry, O_RDONLY | O_DIRECTORY));
3664 	}
3665 	for_each_path(upper_sub_files, path_entry, i) {
3666 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3667 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3668 	}
3669 	/*
3670 	 * Checks that access rights are independent from the lower and upper
3671 	 * layers: write access to upper files viewed through the merge point
3672 	 * is still allowed, and write access to lower file viewed (and copied)
3673 	 * through the merge point is still allowed.
3674 	 */
3675 	for_each_path(merge_base_files, path_entry, i) {
3676 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3677 	}
3678 	for_each_path(merge_base_directories, path_entry, i) {
3679 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
3680 	}
3681 	for_each_path(merge_sub_files, path_entry, i) {
3682 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3683 	}
3684 
3685 	/* Sets rules on data directories (i.e. inside overlay scope). */
3686 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_data);
3687 	ASSERT_LE(0, ruleset_fd);
3688 	enforce_ruleset(_metadata, ruleset_fd);
3689 	ASSERT_EQ(0, close(ruleset_fd));
3690 
3691 	/* Checks merge. */
3692 	for_each_path(merge_base_files, path_entry, i) {
3693 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3694 	}
3695 	for_each_path(merge_base_directories, path_entry, i) {
3696 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
3697 	}
3698 	for_each_path(merge_sub_files, path_entry, i) {
3699 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3700 	}
3701 
3702 	/* Same checks with tighter rules. */
3703 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_subdirs);
3704 	ASSERT_LE(0, ruleset_fd);
3705 	enforce_ruleset(_metadata, ruleset_fd);
3706 	ASSERT_EQ(0, close(ruleset_fd));
3707 
3708 	/* Checks changes for lower layer. */
3709 	for_each_path(lower_base_files, path_entry, i) {
3710 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
3711 	}
3712 	/* Checks changes for upper layer. */
3713 	for_each_path(upper_base_files, path_entry, i) {
3714 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
3715 	}
3716 	/* Checks all merge accesses. */
3717 	for_each_path(merge_base_files, path_entry, i) {
3718 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
3719 	}
3720 	for_each_path(merge_base_directories, path_entry, i) {
3721 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
3722 	}
3723 	for_each_path(merge_sub_files, path_entry, i) {
3724 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3725 	}
3726 
3727 	/* Sets rules directly on overlayed files. */
3728 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_files);
3729 	ASSERT_LE(0, ruleset_fd);
3730 	enforce_ruleset(_metadata, ruleset_fd);
3731 	ASSERT_EQ(0, close(ruleset_fd));
3732 
3733 	/* Checks unchanged accesses on lower layer. */
3734 	for_each_path(lower_sub_files, path_entry, i) {
3735 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3736 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3737 	}
3738 	/* Checks unchanged accesses on upper layer. */
3739 	for_each_path(upper_sub_files, path_entry, i) {
3740 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3741 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3742 	}
3743 	/* Checks all merge accesses. */
3744 	for_each_path(merge_base_files, path_entry, i) {
3745 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
3746 	}
3747 	for_each_path(merge_base_directories, path_entry, i) {
3748 		ASSERT_EQ(EACCES,
3749 			  test_open(path_entry, O_RDONLY | O_DIRECTORY));
3750 	}
3751 	for_each_path(merge_sub_files, path_entry, i) {
3752 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3753 	}
3754 
3755 	/* Only allowes access to the merge hierarchy. */
3756 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer5_merge_only);
3757 	ASSERT_LE(0, ruleset_fd);
3758 	enforce_ruleset(_metadata, ruleset_fd);
3759 	ASSERT_EQ(0, close(ruleset_fd));
3760 
3761 	/* Checks new accesses on lower layer. */
3762 	for_each_path(lower_sub_files, path_entry, i) {
3763 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
3764 	}
3765 	/* Checks new accesses on upper layer. */
3766 	for_each_path(upper_sub_files, path_entry, i) {
3767 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
3768 	}
3769 	/* Checks all merge accesses. */
3770 	for_each_path(merge_base_files, path_entry, i) {
3771 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
3772 	}
3773 	for_each_path(merge_base_directories, path_entry, i) {
3774 		ASSERT_EQ(EACCES,
3775 			  test_open(path_entry, O_RDONLY | O_DIRECTORY));
3776 	}
3777 	for_each_path(merge_sub_files, path_entry, i) {
3778 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3779 	}
3780 }
3781 
3782 TEST_HARNESS_MAIN
3783