xref: /linux/tools/testing/selftests/landlock/fs_test.c (revision 6e7fd890f1d6ac83805409e9c346240de2705584)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Landlock tests - Filesystem
4  *
5  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2020 ANSSI
7  * Copyright © 2020-2022 Microsoft Corporation
8  */
9 
10 #define _GNU_SOURCE
11 #include <asm/termbits.h>
12 #include <fcntl.h>
13 #include <libgen.h>
14 #include <linux/fiemap.h>
15 #include <linux/landlock.h>
16 #include <linux/magic.h>
17 #include <sched.h>
18 #include <stddef.h>
19 #include <stdio.h>
20 #include <string.h>
21 #include <sys/capability.h>
22 #include <sys/ioctl.h>
23 #include <sys/mount.h>
24 #include <sys/prctl.h>
25 #include <sys/sendfile.h>
26 #include <sys/socket.h>
27 #include <sys/stat.h>
28 #include <sys/sysmacros.h>
29 #include <sys/un.h>
30 #include <sys/vfs.h>
31 #include <unistd.h>
32 
33 /*
34  * Intentionally included last to work around header conflict.
35  * See https://sourceware.org/glibc/wiki/Synchronizing_Headers.
36  */
37 #include <linux/fs.h>
38 #include <linux/mount.h>
39 
40 #include "common.h"
41 
42 #ifndef renameat2
43 int renameat2(int olddirfd, const char *oldpath, int newdirfd,
44 	      const char *newpath, unsigned int flags)
45 {
46 	return syscall(__NR_renameat2, olddirfd, oldpath, newdirfd, newpath,
47 		       flags);
48 }
49 #endif
50 
51 #ifndef open_tree
52 int open_tree(int dfd, const char *filename, unsigned int flags)
53 {
54 	return syscall(__NR_open_tree, dfd, filename, flags);
55 }
56 #endif
57 
58 #ifndef RENAME_EXCHANGE
59 #define RENAME_EXCHANGE (1 << 1)
60 #endif
61 
62 #define TMP_DIR "tmp"
63 #define BINARY_PATH "./true"
64 
65 /* Paths (sibling number and depth) */
66 static const char dir_s1d1[] = TMP_DIR "/s1d1";
67 static const char file1_s1d1[] = TMP_DIR "/s1d1/f1";
68 static const char file2_s1d1[] = TMP_DIR "/s1d1/f2";
69 static const char dir_s1d2[] = TMP_DIR "/s1d1/s1d2";
70 static const char file1_s1d2[] = TMP_DIR "/s1d1/s1d2/f1";
71 static const char file2_s1d2[] = TMP_DIR "/s1d1/s1d2/f2";
72 static const char dir_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3";
73 static const char file1_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f1";
74 static const char file2_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f2";
75 
76 static const char dir_s2d1[] = TMP_DIR "/s2d1";
77 static const char file1_s2d1[] = TMP_DIR "/s2d1/f1";
78 static const char dir_s2d2[] = TMP_DIR "/s2d1/s2d2";
79 static const char file1_s2d2[] = TMP_DIR "/s2d1/s2d2/f1";
80 static const char dir_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3";
81 static const char file1_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f1";
82 static const char file2_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f2";
83 
84 static const char dir_s3d1[] = TMP_DIR "/s3d1";
85 static const char file1_s3d1[] = TMP_DIR "/s3d1/f1";
86 /* dir_s3d2 is a mount point. */
87 static const char dir_s3d2[] = TMP_DIR "/s3d1/s3d2";
88 static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3";
89 
90 /*
91  * layout1 hierarchy:
92  *
93  * tmp
94  * ├── s1d1
95  * │   ├── f1
96  * │   ├── f2
97  * │   └── s1d2
98  * │       ├── f1
99  * │       ├── f2
100  * │       └── s1d3
101  * │           ├── f1
102  * │           └── f2
103  * ├── s2d1
104  * │   ├── f1
105  * │   └── s2d2
106  * │       ├── f1
107  * │       └── s2d3
108  * │           ├── f1
109  * │           └── f2
110  * └── s3d1
111  *     ├── f1
112  *     └── s3d2
113  *         └── s3d3
114  */
115 
116 static bool fgrep(FILE *const inf, const char *const str)
117 {
118 	char line[32];
119 	const int slen = strlen(str);
120 
121 	while (!feof(inf)) {
122 		if (!fgets(line, sizeof(line), inf))
123 			break;
124 		if (strncmp(line, str, slen))
125 			continue;
126 
127 		return true;
128 	}
129 
130 	return false;
131 }
132 
133 static bool supports_filesystem(const char *const filesystem)
134 {
135 	char str[32];
136 	int len;
137 	bool res = true;
138 	FILE *const inf = fopen("/proc/filesystems", "r");
139 
140 	/*
141 	 * Consider that the filesystem is supported if we cannot get the
142 	 * supported ones.
143 	 */
144 	if (!inf)
145 		return true;
146 
147 	/* filesystem can be null for bind mounts. */
148 	if (!filesystem)
149 		goto out;
150 
151 	len = snprintf(str, sizeof(str), "nodev\t%s\n", filesystem);
152 	if (len >= sizeof(str))
153 		/* Ignores too-long filesystem names. */
154 		goto out;
155 
156 	res = fgrep(inf, str);
157 
158 out:
159 	fclose(inf);
160 	return res;
161 }
162 
163 static bool cwd_matches_fs(unsigned int fs_magic)
164 {
165 	struct statfs statfs_buf;
166 
167 	if (!fs_magic)
168 		return true;
169 
170 	if (statfs(".", &statfs_buf))
171 		return true;
172 
173 	return statfs_buf.f_type == fs_magic;
174 }
175 
176 static void mkdir_parents(struct __test_metadata *const _metadata,
177 			  const char *const path)
178 {
179 	char *walker;
180 	const char *parent;
181 	int i, err;
182 
183 	ASSERT_NE(path[0], '\0');
184 	walker = strdup(path);
185 	ASSERT_NE(NULL, walker);
186 	parent = walker;
187 	for (i = 1; walker[i]; i++) {
188 		if (walker[i] != '/')
189 			continue;
190 		walker[i] = '\0';
191 		err = mkdir(parent, 0700);
192 		ASSERT_FALSE(err && errno != EEXIST)
193 		{
194 			TH_LOG("Failed to create directory \"%s\": %s", parent,
195 			       strerror(errno));
196 		}
197 		walker[i] = '/';
198 	}
199 	free(walker);
200 }
201 
202 static void create_directory(struct __test_metadata *const _metadata,
203 			     const char *const path)
204 {
205 	mkdir_parents(_metadata, path);
206 	ASSERT_EQ(0, mkdir(path, 0700))
207 	{
208 		TH_LOG("Failed to create directory \"%s\": %s", path,
209 		       strerror(errno));
210 	}
211 }
212 
213 static void create_file(struct __test_metadata *const _metadata,
214 			const char *const path)
215 {
216 	mkdir_parents(_metadata, path);
217 	ASSERT_EQ(0, mknod(path, S_IFREG | 0700, 0))
218 	{
219 		TH_LOG("Failed to create file \"%s\": %s", path,
220 		       strerror(errno));
221 	}
222 }
223 
224 static int remove_path(const char *const path)
225 {
226 	char *walker;
227 	int i, ret, err = 0;
228 
229 	walker = strdup(path);
230 	if (!walker) {
231 		err = ENOMEM;
232 		goto out;
233 	}
234 	if (unlink(path) && rmdir(path)) {
235 		if (errno != ENOENT && errno != ENOTDIR)
236 			err = errno;
237 		goto out;
238 	}
239 	for (i = strlen(walker); i > 0; i--) {
240 		if (walker[i] != '/')
241 			continue;
242 		walker[i] = '\0';
243 		ret = rmdir(walker);
244 		if (ret) {
245 			if (errno != ENOTEMPTY && errno != EBUSY)
246 				err = errno;
247 			goto out;
248 		}
249 		if (strcmp(walker, TMP_DIR) == 0)
250 			goto out;
251 	}
252 
253 out:
254 	free(walker);
255 	return err;
256 }
257 
258 struct mnt_opt {
259 	const char *const source;
260 	const char *const type;
261 	const unsigned long flags;
262 	const char *const data;
263 };
264 
265 #define MNT_TMP_DATA "size=4m,mode=700"
266 
267 static const struct mnt_opt mnt_tmp = {
268 	.type = "tmpfs",
269 	.data = MNT_TMP_DATA,
270 };
271 
272 static int mount_opt(const struct mnt_opt *const mnt, const char *const target)
273 {
274 	return mount(mnt->source ?: mnt->type, target, mnt->type, mnt->flags,
275 		     mnt->data);
276 }
277 
278 static void prepare_layout_opt(struct __test_metadata *const _metadata,
279 			       const struct mnt_opt *const mnt)
280 {
281 	disable_caps(_metadata);
282 	umask(0077);
283 	create_directory(_metadata, TMP_DIR);
284 
285 	/*
286 	 * Do not pollute the rest of the system: creates a private mount point
287 	 * for tests relying on pivot_root(2) and move_mount(2).
288 	 */
289 	set_cap(_metadata, CAP_SYS_ADMIN);
290 	ASSERT_EQ(0, unshare(CLONE_NEWNS | CLONE_NEWCGROUP));
291 	ASSERT_EQ(0, mount_opt(mnt, TMP_DIR))
292 	{
293 		TH_LOG("Failed to mount the %s filesystem: %s", mnt->type,
294 		       strerror(errno));
295 		/*
296 		 * FIXTURE_TEARDOWN() is not called when FIXTURE_SETUP()
297 		 * failed, so we need to explicitly do a minimal cleanup to
298 		 * avoid cascading errors with other tests that don't depend on
299 		 * the same filesystem.
300 		 */
301 		remove_path(TMP_DIR);
302 	}
303 	ASSERT_EQ(0, mount(NULL, TMP_DIR, NULL, MS_PRIVATE | MS_REC, NULL));
304 	clear_cap(_metadata, CAP_SYS_ADMIN);
305 }
306 
307 static void prepare_layout(struct __test_metadata *const _metadata)
308 {
309 	prepare_layout_opt(_metadata, &mnt_tmp);
310 }
311 
312 static void cleanup_layout(struct __test_metadata *const _metadata)
313 {
314 	set_cap(_metadata, CAP_SYS_ADMIN);
315 	if (umount(TMP_DIR)) {
316 		/*
317 		 * According to the test environment, the mount point of the
318 		 * current directory may be shared or not, which changes the
319 		 * visibility of the nested TMP_DIR mount point for the test's
320 		 * parent process doing this cleanup.
321 		 */
322 		ASSERT_EQ(EINVAL, errno);
323 	}
324 	clear_cap(_metadata, CAP_SYS_ADMIN);
325 	EXPECT_EQ(0, remove_path(TMP_DIR));
326 }
327 
328 /* clang-format off */
329 FIXTURE(layout0) {};
330 /* clang-format on */
331 
332 FIXTURE_SETUP(layout0)
333 {
334 	prepare_layout(_metadata);
335 }
336 
337 FIXTURE_TEARDOWN_PARENT(layout0)
338 {
339 	cleanup_layout(_metadata);
340 }
341 
342 static void create_layout1(struct __test_metadata *const _metadata)
343 {
344 	create_file(_metadata, file1_s1d1);
345 	create_file(_metadata, file1_s1d2);
346 	create_file(_metadata, file1_s1d3);
347 	create_file(_metadata, file2_s1d1);
348 	create_file(_metadata, file2_s1d2);
349 	create_file(_metadata, file2_s1d3);
350 
351 	create_file(_metadata, file1_s2d1);
352 	create_file(_metadata, file1_s2d2);
353 	create_file(_metadata, file1_s2d3);
354 	create_file(_metadata, file2_s2d3);
355 
356 	create_file(_metadata, file1_s3d1);
357 	create_directory(_metadata, dir_s3d2);
358 	set_cap(_metadata, CAP_SYS_ADMIN);
359 	ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2));
360 	clear_cap(_metadata, CAP_SYS_ADMIN);
361 
362 	ASSERT_EQ(0, mkdir(dir_s3d3, 0700));
363 }
364 
365 static void remove_layout1(struct __test_metadata *const _metadata)
366 {
367 	EXPECT_EQ(0, remove_path(file2_s1d3));
368 	EXPECT_EQ(0, remove_path(file2_s1d2));
369 	EXPECT_EQ(0, remove_path(file2_s1d1));
370 	EXPECT_EQ(0, remove_path(file1_s1d3));
371 	EXPECT_EQ(0, remove_path(file1_s1d2));
372 	EXPECT_EQ(0, remove_path(file1_s1d1));
373 	EXPECT_EQ(0, remove_path(dir_s1d3));
374 
375 	EXPECT_EQ(0, remove_path(file2_s2d3));
376 	EXPECT_EQ(0, remove_path(file1_s2d3));
377 	EXPECT_EQ(0, remove_path(file1_s2d2));
378 	EXPECT_EQ(0, remove_path(file1_s2d1));
379 	EXPECT_EQ(0, remove_path(dir_s2d2));
380 
381 	EXPECT_EQ(0, remove_path(file1_s3d1));
382 	EXPECT_EQ(0, remove_path(dir_s3d3));
383 	set_cap(_metadata, CAP_SYS_ADMIN);
384 	umount(dir_s3d2);
385 	clear_cap(_metadata, CAP_SYS_ADMIN);
386 	EXPECT_EQ(0, remove_path(dir_s3d2));
387 }
388 
389 /* clang-format off */
390 FIXTURE(layout1) {};
391 /* clang-format on */
392 
393 FIXTURE_SETUP(layout1)
394 {
395 	prepare_layout(_metadata);
396 
397 	create_layout1(_metadata);
398 }
399 
400 FIXTURE_TEARDOWN_PARENT(layout1)
401 {
402 	remove_layout1(_metadata);
403 
404 	cleanup_layout(_metadata);
405 }
406 
407 /*
408  * This helper enables to use the ASSERT_* macros and print the line number
409  * pointing to the test caller.
410  */
411 static int test_open_rel(const int dirfd, const char *const path,
412 			 const int flags)
413 {
414 	int fd;
415 
416 	/* Works with file and directories. */
417 	fd = openat(dirfd, path, flags | O_CLOEXEC);
418 	if (fd < 0)
419 		return errno;
420 	/*
421 	 * Mixing error codes from close(2) and open(2) should not lead to any
422 	 * (access type) confusion for this test.
423 	 */
424 	if (close(fd) != 0)
425 		return errno;
426 	return 0;
427 }
428 
429 static int test_open(const char *const path, const int flags)
430 {
431 	return test_open_rel(AT_FDCWD, path, flags);
432 }
433 
434 TEST_F_FORK(layout1, no_restriction)
435 {
436 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
437 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
438 	ASSERT_EQ(0, test_open(file2_s1d1, O_RDONLY));
439 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
440 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
441 	ASSERT_EQ(0, test_open(file2_s1d2, O_RDONLY));
442 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
443 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
444 
445 	ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
446 	ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
447 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
448 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
449 	ASSERT_EQ(0, test_open(dir_s2d3, O_RDONLY));
450 	ASSERT_EQ(0, test_open(file1_s2d3, O_RDONLY));
451 
452 	ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
453 	ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
454 	ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
455 }
456 
457 TEST_F_FORK(layout1, inval)
458 {
459 	struct landlock_path_beneath_attr path_beneath = {
460 		.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
461 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
462 		.parent_fd = -1,
463 	};
464 	struct landlock_ruleset_attr ruleset_attr = {
465 		.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
466 				     LANDLOCK_ACCESS_FS_WRITE_FILE,
467 	};
468 	int ruleset_fd;
469 
470 	path_beneath.parent_fd =
471 		open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
472 	ASSERT_LE(0, path_beneath.parent_fd);
473 
474 	ruleset_fd = open(dir_s1d1, O_PATH | O_DIRECTORY | O_CLOEXEC);
475 	ASSERT_LE(0, ruleset_fd);
476 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
477 					&path_beneath, 0));
478 	/* Returns EBADF because ruleset_fd is not a landlock-ruleset FD. */
479 	ASSERT_EQ(EBADF, errno);
480 	ASSERT_EQ(0, close(ruleset_fd));
481 
482 	ruleset_fd = open(dir_s1d1, O_DIRECTORY | O_CLOEXEC);
483 	ASSERT_LE(0, ruleset_fd);
484 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
485 					&path_beneath, 0));
486 	/* Returns EBADFD because ruleset_fd is not a valid ruleset. */
487 	ASSERT_EQ(EBADFD, errno);
488 	ASSERT_EQ(0, close(ruleset_fd));
489 
490 	/* Gets a real ruleset. */
491 	ruleset_fd =
492 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
493 	ASSERT_LE(0, ruleset_fd);
494 	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
495 				       &path_beneath, 0));
496 	ASSERT_EQ(0, close(path_beneath.parent_fd));
497 
498 	/* Tests without O_PATH. */
499 	path_beneath.parent_fd = open(dir_s1d2, O_DIRECTORY | O_CLOEXEC);
500 	ASSERT_LE(0, path_beneath.parent_fd);
501 	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
502 				       &path_beneath, 0));
503 	ASSERT_EQ(0, close(path_beneath.parent_fd));
504 
505 	/* Tests with a ruleset FD. */
506 	path_beneath.parent_fd = ruleset_fd;
507 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
508 					&path_beneath, 0));
509 	ASSERT_EQ(EBADFD, errno);
510 
511 	/* Checks unhandled allowed_access. */
512 	path_beneath.parent_fd =
513 		open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
514 	ASSERT_LE(0, path_beneath.parent_fd);
515 
516 	/* Test with legitimate values. */
517 	path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_EXECUTE;
518 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
519 					&path_beneath, 0));
520 	ASSERT_EQ(EINVAL, errno);
521 	path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE;
522 
523 	/* Tests with denied-by-default access right. */
524 	path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_REFER;
525 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
526 					&path_beneath, 0));
527 	ASSERT_EQ(EINVAL, errno);
528 	path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;
529 
530 	/* Test with unknown (64-bits) value. */
531 	path_beneath.allowed_access |= (1ULL << 60);
532 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
533 					&path_beneath, 0));
534 	ASSERT_EQ(EINVAL, errno);
535 	path_beneath.allowed_access &= ~(1ULL << 60);
536 
537 	/* Test with no access. */
538 	path_beneath.allowed_access = 0;
539 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
540 					&path_beneath, 0));
541 	ASSERT_EQ(ENOMSG, errno);
542 	path_beneath.allowed_access &= ~(1ULL << 60);
543 
544 	ASSERT_EQ(0, close(path_beneath.parent_fd));
545 
546 	/* Enforces the ruleset. */
547 	ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
548 	ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
549 
550 	ASSERT_EQ(0, close(ruleset_fd));
551 }
552 
553 /* clang-format off */
554 
555 #define ACCESS_FILE ( \
556 	LANDLOCK_ACCESS_FS_EXECUTE | \
557 	LANDLOCK_ACCESS_FS_WRITE_FILE | \
558 	LANDLOCK_ACCESS_FS_READ_FILE | \
559 	LANDLOCK_ACCESS_FS_TRUNCATE | \
560 	LANDLOCK_ACCESS_FS_IOCTL_DEV)
561 
562 #define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL_DEV
563 
564 #define ACCESS_ALL ( \
565 	ACCESS_FILE | \
566 	LANDLOCK_ACCESS_FS_READ_DIR | \
567 	LANDLOCK_ACCESS_FS_REMOVE_DIR | \
568 	LANDLOCK_ACCESS_FS_REMOVE_FILE | \
569 	LANDLOCK_ACCESS_FS_MAKE_CHAR | \
570 	LANDLOCK_ACCESS_FS_MAKE_DIR | \
571 	LANDLOCK_ACCESS_FS_MAKE_REG | \
572 	LANDLOCK_ACCESS_FS_MAKE_SOCK | \
573 	LANDLOCK_ACCESS_FS_MAKE_FIFO | \
574 	LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
575 	LANDLOCK_ACCESS_FS_MAKE_SYM | \
576 	LANDLOCK_ACCESS_FS_REFER)
577 
578 /* clang-format on */
579 
580 TEST_F_FORK(layout1, file_and_dir_access_rights)
581 {
582 	__u64 access;
583 	int err;
584 	struct landlock_path_beneath_attr path_beneath_file = {},
585 					  path_beneath_dir = {};
586 	struct landlock_ruleset_attr ruleset_attr = {
587 		.handled_access_fs = ACCESS_ALL,
588 	};
589 	const int ruleset_fd =
590 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
591 
592 	ASSERT_LE(0, ruleset_fd);
593 
594 	/* Tests access rights for files. */
595 	path_beneath_file.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
596 	ASSERT_LE(0, path_beneath_file.parent_fd);
597 
598 	/* Tests access rights for directories. */
599 	path_beneath_dir.parent_fd =
600 		open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
601 	ASSERT_LE(0, path_beneath_dir.parent_fd);
602 
603 	for (access = 1; access <= ACCESS_LAST; access <<= 1) {
604 		path_beneath_dir.allowed_access = access;
605 		ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
606 					       LANDLOCK_RULE_PATH_BENEATH,
607 					       &path_beneath_dir, 0));
608 
609 		path_beneath_file.allowed_access = access;
610 		err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
611 					&path_beneath_file, 0);
612 		if (access & ACCESS_FILE) {
613 			ASSERT_EQ(0, err);
614 		} else {
615 			ASSERT_EQ(-1, err);
616 			ASSERT_EQ(EINVAL, errno);
617 		}
618 	}
619 	ASSERT_EQ(0, close(path_beneath_file.parent_fd));
620 	ASSERT_EQ(0, close(path_beneath_dir.parent_fd));
621 	ASSERT_EQ(0, close(ruleset_fd));
622 }
623 
624 TEST_F_FORK(layout0, ruleset_with_unknown_access)
625 {
626 	__u64 access_mask;
627 
628 	for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST;
629 	     access_mask >>= 1) {
630 		struct landlock_ruleset_attr ruleset_attr = {
631 			.handled_access_fs = access_mask,
632 		};
633 
634 		ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr,
635 						      sizeof(ruleset_attr), 0));
636 		ASSERT_EQ(EINVAL, errno);
637 	}
638 }
639 
640 TEST_F_FORK(layout0, rule_with_unknown_access)
641 {
642 	__u64 access;
643 	struct landlock_path_beneath_attr path_beneath = {};
644 	const struct landlock_ruleset_attr ruleset_attr = {
645 		.handled_access_fs = ACCESS_ALL,
646 	};
647 	const int ruleset_fd =
648 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
649 
650 	ASSERT_LE(0, ruleset_fd);
651 
652 	path_beneath.parent_fd =
653 		open(TMP_DIR, O_PATH | O_DIRECTORY | O_CLOEXEC);
654 	ASSERT_LE(0, path_beneath.parent_fd);
655 
656 	for (access = 1ULL << 63; access != ACCESS_LAST; access >>= 1) {
657 		path_beneath.allowed_access = access;
658 		EXPECT_EQ(-1, landlock_add_rule(ruleset_fd,
659 						LANDLOCK_RULE_PATH_BENEATH,
660 						&path_beneath, 0));
661 		EXPECT_EQ(EINVAL, errno);
662 	}
663 	ASSERT_EQ(0, close(path_beneath.parent_fd));
664 	ASSERT_EQ(0, close(ruleset_fd));
665 }
666 
667 TEST_F_FORK(layout1, rule_with_unhandled_access)
668 {
669 	struct landlock_ruleset_attr ruleset_attr = {
670 		.handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE,
671 	};
672 	struct landlock_path_beneath_attr path_beneath = {};
673 	int ruleset_fd;
674 	__u64 access;
675 
676 	ruleset_fd =
677 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
678 	ASSERT_LE(0, ruleset_fd);
679 
680 	path_beneath.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
681 	ASSERT_LE(0, path_beneath.parent_fd);
682 
683 	for (access = 1; access > 0; access <<= 1) {
684 		int err;
685 
686 		path_beneath.allowed_access = access;
687 		err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
688 					&path_beneath, 0);
689 		if (access == ruleset_attr.handled_access_fs) {
690 			EXPECT_EQ(0, err);
691 		} else {
692 			EXPECT_EQ(-1, err);
693 			EXPECT_EQ(EINVAL, errno);
694 		}
695 	}
696 
697 	EXPECT_EQ(0, close(path_beneath.parent_fd));
698 	EXPECT_EQ(0, close(ruleset_fd));
699 }
700 
701 static void add_path_beneath(struct __test_metadata *const _metadata,
702 			     const int ruleset_fd, const __u64 allowed_access,
703 			     const char *const path)
704 {
705 	struct landlock_path_beneath_attr path_beneath = {
706 		.allowed_access = allowed_access,
707 	};
708 
709 	path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC);
710 	ASSERT_LE(0, path_beneath.parent_fd)
711 	{
712 		TH_LOG("Failed to open directory \"%s\": %s", path,
713 		       strerror(errno));
714 	}
715 	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
716 				       &path_beneath, 0))
717 	{
718 		TH_LOG("Failed to update the ruleset with \"%s\": %s", path,
719 		       strerror(errno));
720 	}
721 	ASSERT_EQ(0, close(path_beneath.parent_fd));
722 }
723 
724 struct rule {
725 	const char *path;
726 	__u64 access;
727 };
728 
729 /* clang-format off */
730 
731 #define ACCESS_RO ( \
732 	LANDLOCK_ACCESS_FS_READ_FILE | \
733 	LANDLOCK_ACCESS_FS_READ_DIR)
734 
735 #define ACCESS_RW ( \
736 	ACCESS_RO | \
737 	LANDLOCK_ACCESS_FS_WRITE_FILE)
738 
739 /* clang-format on */
740 
741 static int create_ruleset(struct __test_metadata *const _metadata,
742 			  const __u64 handled_access_fs,
743 			  const struct rule rules[])
744 {
745 	int ruleset_fd, i;
746 	struct landlock_ruleset_attr ruleset_attr = {
747 		.handled_access_fs = handled_access_fs,
748 	};
749 
750 	ASSERT_NE(NULL, rules)
751 	{
752 		TH_LOG("No rule list");
753 	}
754 	ASSERT_NE(NULL, rules[0].path)
755 	{
756 		TH_LOG("Empty rule list");
757 	}
758 
759 	ruleset_fd =
760 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
761 	ASSERT_LE(0, ruleset_fd)
762 	{
763 		TH_LOG("Failed to create a ruleset: %s", strerror(errno));
764 	}
765 
766 	for (i = 0; rules[i].path; i++) {
767 		if (!rules[i].access)
768 			continue;
769 
770 		add_path_beneath(_metadata, ruleset_fd, rules[i].access,
771 				 rules[i].path);
772 	}
773 	return ruleset_fd;
774 }
775 
776 TEST_F_FORK(layout0, proc_nsfs)
777 {
778 	const struct rule rules[] = {
779 		{
780 			.path = "/dev/null",
781 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
782 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
783 		},
784 		{},
785 	};
786 	struct landlock_path_beneath_attr path_beneath;
787 	const int ruleset_fd = create_ruleset(
788 		_metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
789 		rules);
790 
791 	ASSERT_LE(0, ruleset_fd);
792 	ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
793 
794 	enforce_ruleset(_metadata, ruleset_fd);
795 
796 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
797 	ASSERT_EQ(EACCES, test_open("/dev", O_RDONLY));
798 	ASSERT_EQ(0, test_open("/dev/null", O_RDONLY));
799 	ASSERT_EQ(EACCES, test_open("/dev/full", O_RDONLY));
800 
801 	ASSERT_EQ(EACCES, test_open("/proc", O_RDONLY));
802 	ASSERT_EQ(EACCES, test_open("/proc/self", O_RDONLY));
803 	ASSERT_EQ(EACCES, test_open("/proc/self/ns", O_RDONLY));
804 	/*
805 	 * Because nsfs is an internal filesystem, /proc/self/ns/mnt is a
806 	 * disconnected path.  Such path cannot be identified and must then be
807 	 * allowed.
808 	 */
809 	ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
810 
811 	/*
812 	 * Checks that it is not possible to add nsfs-like filesystem
813 	 * references to a ruleset.
814 	 */
815 	path_beneath.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
816 				      LANDLOCK_ACCESS_FS_WRITE_FILE,
817 	path_beneath.parent_fd = open("/proc/self/ns/mnt", O_PATH | O_CLOEXEC);
818 	ASSERT_LE(0, path_beneath.parent_fd);
819 	ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
820 					&path_beneath, 0));
821 	ASSERT_EQ(EBADFD, errno);
822 	ASSERT_EQ(0, close(path_beneath.parent_fd));
823 }
824 
825 TEST_F_FORK(layout0, unpriv)
826 {
827 	const struct rule rules[] = {
828 		{
829 			.path = TMP_DIR,
830 			.access = ACCESS_RO,
831 		},
832 		{},
833 	};
834 	int ruleset_fd;
835 
836 	drop_caps(_metadata);
837 
838 	ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
839 	ASSERT_LE(0, ruleset_fd);
840 	ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0));
841 	ASSERT_EQ(EPERM, errno);
842 
843 	/* enforce_ruleset() calls prctl(no_new_privs). */
844 	enforce_ruleset(_metadata, ruleset_fd);
845 	ASSERT_EQ(0, close(ruleset_fd));
846 }
847 
848 TEST_F_FORK(layout1, effective_access)
849 {
850 	const struct rule rules[] = {
851 		{
852 			.path = dir_s1d2,
853 			.access = ACCESS_RO,
854 		},
855 		{
856 			.path = file1_s2d2,
857 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
858 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
859 		},
860 		{},
861 	};
862 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
863 	char buf;
864 	int reg_fd;
865 
866 	ASSERT_LE(0, ruleset_fd);
867 	enforce_ruleset(_metadata, ruleset_fd);
868 	ASSERT_EQ(0, close(ruleset_fd));
869 
870 	/* Tests on a directory (with or without O_PATH). */
871 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
872 	ASSERT_EQ(0, test_open("/", O_RDONLY | O_PATH));
873 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
874 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_PATH));
875 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
876 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY | O_PATH));
877 
878 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
879 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
880 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
881 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
882 
883 	/* Tests on a file (with or without O_PATH). */
884 	ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY));
885 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_PATH));
886 
887 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
888 
889 	/* Checks effective read and write actions. */
890 	reg_fd = open(file1_s2d2, O_RDWR | O_CLOEXEC);
891 	ASSERT_LE(0, reg_fd);
892 	ASSERT_EQ(1, write(reg_fd, ".", 1));
893 	ASSERT_LE(0, lseek(reg_fd, 0, SEEK_SET));
894 	ASSERT_EQ(1, read(reg_fd, &buf, 1));
895 	ASSERT_EQ('.', buf);
896 	ASSERT_EQ(0, close(reg_fd));
897 
898 	/* Just in case, double-checks effective actions. */
899 	reg_fd = open(file1_s2d2, O_RDONLY | O_CLOEXEC);
900 	ASSERT_LE(0, reg_fd);
901 	ASSERT_EQ(-1, write(reg_fd, &buf, 1));
902 	ASSERT_EQ(EBADF, errno);
903 	ASSERT_EQ(0, close(reg_fd));
904 }
905 
906 TEST_F_FORK(layout1, unhandled_access)
907 {
908 	const struct rule rules[] = {
909 		{
910 			.path = dir_s1d2,
911 			.access = ACCESS_RO,
912 		},
913 		{},
914 	};
915 	/* Here, we only handle read accesses, not write accesses. */
916 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
917 
918 	ASSERT_LE(0, ruleset_fd);
919 	enforce_ruleset(_metadata, ruleset_fd);
920 	ASSERT_EQ(0, close(ruleset_fd));
921 
922 	/*
923 	 * Because the policy does not handle LANDLOCK_ACCESS_FS_WRITE_FILE,
924 	 * opening for write-only should be allowed, but not read-write.
925 	 */
926 	ASSERT_EQ(0, test_open(file1_s1d1, O_WRONLY));
927 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
928 
929 	ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
930 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
931 }
932 
933 TEST_F_FORK(layout1, ruleset_overlap)
934 {
935 	const struct rule rules[] = {
936 		/* These rules should be ORed among them. */
937 		{
938 			.path = dir_s1d2,
939 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
940 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
941 		},
942 		{
943 			.path = dir_s1d2,
944 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
945 				  LANDLOCK_ACCESS_FS_READ_DIR,
946 		},
947 		{},
948 	};
949 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
950 
951 	ASSERT_LE(0, ruleset_fd);
952 	enforce_ruleset(_metadata, ruleset_fd);
953 	ASSERT_EQ(0, close(ruleset_fd));
954 
955 	/* Checks s1d1 hierarchy. */
956 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
957 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
958 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
959 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
960 
961 	/* Checks s1d2 hierarchy. */
962 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
963 	ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
964 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
965 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
966 
967 	/* Checks s1d3 hierarchy. */
968 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
969 	ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
970 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
971 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
972 }
973 
974 TEST_F_FORK(layout1, layer_rule_unions)
975 {
976 	const struct rule layer1[] = {
977 		{
978 			.path = dir_s1d2,
979 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
980 		},
981 		/* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
982 		{
983 			.path = dir_s1d3,
984 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
985 		},
986 		{},
987 	};
988 	const struct rule layer2[] = {
989 		/* Doesn't change anything from layer1. */
990 		{
991 			.path = dir_s1d2,
992 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
993 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
994 		},
995 		{},
996 	};
997 	const struct rule layer3[] = {
998 		/* Only allows write (but not read) to dir_s1d3. */
999 		{
1000 			.path = dir_s1d2,
1001 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1002 		},
1003 		{},
1004 	};
1005 	int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1);
1006 
1007 	ASSERT_LE(0, ruleset_fd);
1008 	enforce_ruleset(_metadata, ruleset_fd);
1009 	ASSERT_EQ(0, close(ruleset_fd));
1010 
1011 	/* Checks s1d1 hierarchy with layer1. */
1012 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1013 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1014 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
1015 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1016 
1017 	/* Checks s1d2 hierarchy with layer1. */
1018 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
1019 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1020 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
1021 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1022 
1023 	/* Checks s1d3 hierarchy with layer1. */
1024 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1025 	ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
1026 	/* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
1027 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1028 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1029 
1030 	/* Doesn't change anything from layer1. */
1031 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2);
1032 	ASSERT_LE(0, ruleset_fd);
1033 	enforce_ruleset(_metadata, ruleset_fd);
1034 	ASSERT_EQ(0, close(ruleset_fd));
1035 
1036 	/* Checks s1d1 hierarchy with layer2. */
1037 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1038 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1039 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
1040 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1041 
1042 	/* Checks s1d2 hierarchy with layer2. */
1043 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
1044 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1045 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
1046 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1047 
1048 	/* Checks s1d3 hierarchy with layer2. */
1049 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1050 	ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
1051 	/* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
1052 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1053 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1054 
1055 	/* Only allows write (but not read) to dir_s1d3. */
1056 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3);
1057 	ASSERT_LE(0, ruleset_fd);
1058 	enforce_ruleset(_metadata, ruleset_fd);
1059 	ASSERT_EQ(0, close(ruleset_fd));
1060 
1061 	/* Checks s1d1 hierarchy with layer3. */
1062 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1063 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1064 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
1065 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1066 
1067 	/* Checks s1d2 hierarchy with layer3. */
1068 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
1069 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1070 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
1071 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1072 
1073 	/* Checks s1d3 hierarchy with layer3. */
1074 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
1075 	ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
1076 	/* dir_s1d3 should now deny READ_FILE and WRITE_FILE (O_RDWR). */
1077 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDWR));
1078 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1079 }
1080 
1081 TEST_F_FORK(layout1, non_overlapping_accesses)
1082 {
1083 	const struct rule layer1[] = {
1084 		{
1085 			.path = dir_s1d2,
1086 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
1087 		},
1088 		{},
1089 	};
1090 	const struct rule layer2[] = {
1091 		{
1092 			.path = dir_s1d3,
1093 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1094 		},
1095 		{},
1096 	};
1097 	int ruleset_fd;
1098 
1099 	ASSERT_EQ(0, unlink(file1_s1d1));
1100 	ASSERT_EQ(0, unlink(file1_s1d2));
1101 
1102 	ruleset_fd =
1103 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, layer1);
1104 	ASSERT_LE(0, ruleset_fd);
1105 	enforce_ruleset(_metadata, ruleset_fd);
1106 	ASSERT_EQ(0, close(ruleset_fd));
1107 
1108 	ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
1109 	ASSERT_EQ(EACCES, errno);
1110 	ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
1111 	ASSERT_EQ(0, unlink(file1_s1d2));
1112 
1113 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REMOVE_FILE,
1114 				    layer2);
1115 	ASSERT_LE(0, ruleset_fd);
1116 	enforce_ruleset(_metadata, ruleset_fd);
1117 	ASSERT_EQ(0, close(ruleset_fd));
1118 
1119 	/* Unchanged accesses for file creation. */
1120 	ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
1121 	ASSERT_EQ(EACCES, errno);
1122 	ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
1123 
1124 	/* Checks file removing. */
1125 	ASSERT_EQ(-1, unlink(file1_s1d2));
1126 	ASSERT_EQ(EACCES, errno);
1127 	ASSERT_EQ(0, unlink(file1_s1d3));
1128 }
1129 
1130 TEST_F_FORK(layout1, interleaved_masked_accesses)
1131 {
1132 	/*
1133 	 * Checks overly restrictive rules:
1134 	 * layer 1: allows R   s1d1/s1d2/s1d3/file1
1135 	 * layer 2: allows RW  s1d1/s1d2/s1d3
1136 	 *          allows  W  s1d1/s1d2
1137 	 *          denies R   s1d1/s1d2
1138 	 * layer 3: allows R   s1d1
1139 	 * layer 4: allows R   s1d1/s1d2
1140 	 *          denies  W  s1d1/s1d2
1141 	 * layer 5: allows R   s1d1/s1d2
1142 	 * layer 6: allows   X ----
1143 	 * layer 7: allows  W  s1d1/s1d2
1144 	 *          denies R   s1d1/s1d2
1145 	 */
1146 	const struct rule layer1_read[] = {
1147 		/* Allows read access to file1_s1d3 with the first layer. */
1148 		{
1149 			.path = file1_s1d3,
1150 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
1151 		},
1152 		{},
1153 	};
1154 	/* First rule with write restrictions. */
1155 	const struct rule layer2_read_write[] = {
1156 		/* Start by granting read-write access via its parent directory... */
1157 		{
1158 			.path = dir_s1d3,
1159 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
1160 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
1161 		},
1162 		/* ...but also denies read access via its grandparent directory. */
1163 		{
1164 			.path = dir_s1d2,
1165 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1166 		},
1167 		{},
1168 	};
1169 	const struct rule layer3_read[] = {
1170 		/* Allows read access via its great-grandparent directory. */
1171 		{
1172 			.path = dir_s1d1,
1173 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
1174 		},
1175 		{},
1176 	};
1177 	const struct rule layer4_read_write[] = {
1178 		/*
1179 		 * Try to confuse the deny access by denying write (but not
1180 		 * read) access via its grandparent directory.
1181 		 */
1182 		{
1183 			.path = dir_s1d2,
1184 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
1185 		},
1186 		{},
1187 	};
1188 	const struct rule layer5_read[] = {
1189 		/*
1190 		 * Try to override layer2's deny read access by explicitly
1191 		 * allowing read access via file1_s1d3's grandparent.
1192 		 */
1193 		{
1194 			.path = dir_s1d2,
1195 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
1196 		},
1197 		{},
1198 	};
1199 	const struct rule layer6_execute[] = {
1200 		/*
1201 		 * Restricts an unrelated file hierarchy with a new access
1202 		 * (non-overlapping) type.
1203 		 */
1204 		{
1205 			.path = dir_s2d1,
1206 			.access = LANDLOCK_ACCESS_FS_EXECUTE,
1207 		},
1208 		{},
1209 	};
1210 	const struct rule layer7_read_write[] = {
1211 		/*
1212 		 * Finally, denies read access to file1_s1d3 via its
1213 		 * grandparent.
1214 		 */
1215 		{
1216 			.path = dir_s1d2,
1217 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1218 		},
1219 		{},
1220 	};
1221 	int ruleset_fd;
1222 
1223 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1224 				    layer1_read);
1225 	ASSERT_LE(0, ruleset_fd);
1226 	enforce_ruleset(_metadata, ruleset_fd);
1227 	ASSERT_EQ(0, close(ruleset_fd));
1228 
1229 	/* Checks that read access is granted for file1_s1d3 with layer 1. */
1230 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1231 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1232 	ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1233 
1234 	ruleset_fd = create_ruleset(_metadata,
1235 				    LANDLOCK_ACCESS_FS_READ_FILE |
1236 					    LANDLOCK_ACCESS_FS_WRITE_FILE,
1237 				    layer2_read_write);
1238 	ASSERT_LE(0, ruleset_fd);
1239 	enforce_ruleset(_metadata, ruleset_fd);
1240 	ASSERT_EQ(0, close(ruleset_fd));
1241 
1242 	/* Checks that previous access rights are unchanged with layer 2. */
1243 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1244 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1245 	ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1246 
1247 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1248 				    layer3_read);
1249 	ASSERT_LE(0, ruleset_fd);
1250 	enforce_ruleset(_metadata, ruleset_fd);
1251 	ASSERT_EQ(0, close(ruleset_fd));
1252 
1253 	/* Checks that previous access rights are unchanged with layer 3. */
1254 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1255 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1256 	ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1257 
1258 	/* This time, denies write access for the file hierarchy. */
1259 	ruleset_fd = create_ruleset(_metadata,
1260 				    LANDLOCK_ACCESS_FS_READ_FILE |
1261 					    LANDLOCK_ACCESS_FS_WRITE_FILE,
1262 				    layer4_read_write);
1263 	ASSERT_LE(0, ruleset_fd);
1264 	enforce_ruleset(_metadata, ruleset_fd);
1265 	ASSERT_EQ(0, close(ruleset_fd));
1266 
1267 	/*
1268 	 * Checks that the only change with layer 4 is that write access is
1269 	 * denied.
1270 	 */
1271 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1272 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1273 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1274 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1275 
1276 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1277 				    layer5_read);
1278 	ASSERT_LE(0, ruleset_fd);
1279 	enforce_ruleset(_metadata, ruleset_fd);
1280 	ASSERT_EQ(0, close(ruleset_fd));
1281 
1282 	/* Checks that previous access rights are unchanged with layer 5. */
1283 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1284 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1285 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1286 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1287 
1288 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_EXECUTE,
1289 				    layer6_execute);
1290 	ASSERT_LE(0, ruleset_fd);
1291 	enforce_ruleset(_metadata, ruleset_fd);
1292 	ASSERT_EQ(0, close(ruleset_fd));
1293 
1294 	/* Checks that previous access rights are unchanged with layer 6. */
1295 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1296 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1297 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1298 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1299 
1300 	ruleset_fd = create_ruleset(_metadata,
1301 				    LANDLOCK_ACCESS_FS_READ_FILE |
1302 					    LANDLOCK_ACCESS_FS_WRITE_FILE,
1303 				    layer7_read_write);
1304 	ASSERT_LE(0, ruleset_fd);
1305 	enforce_ruleset(_metadata, ruleset_fd);
1306 	ASSERT_EQ(0, close(ruleset_fd));
1307 
1308 	/* Checks read access is now denied with layer 7. */
1309 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
1310 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1311 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1312 	ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1313 }
1314 
1315 TEST_F_FORK(layout1, inherit_subset)
1316 {
1317 	const struct rule rules[] = {
1318 		{
1319 			.path = dir_s1d2,
1320 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
1321 				  LANDLOCK_ACCESS_FS_READ_DIR,
1322 		},
1323 		{},
1324 	};
1325 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1326 
1327 	ASSERT_LE(0, ruleset_fd);
1328 	enforce_ruleset(_metadata, ruleset_fd);
1329 
1330 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1331 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1332 
1333 	/* Write access is forbidden. */
1334 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1335 	/* Readdir access is allowed. */
1336 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1337 
1338 	/* Write access is forbidden. */
1339 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1340 	/* Readdir access is allowed. */
1341 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1342 
1343 	/*
1344 	 * Tests shared rule extension: the following rules should not grant
1345 	 * any new access, only remove some.  Once enforced, these rules are
1346 	 * ANDed with the previous ones.
1347 	 */
1348 	add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
1349 			 dir_s1d2);
1350 	/*
1351 	 * According to ruleset_fd, dir_s1d2 should now have the
1352 	 * LANDLOCK_ACCESS_FS_READ_FILE and LANDLOCK_ACCESS_FS_WRITE_FILE
1353 	 * access rights (even if this directory is opened a second time).
1354 	 * However, when enforcing this updated ruleset, the ruleset tied to
1355 	 * the current process (i.e. its domain) will still only have the
1356 	 * dir_s1d2 with LANDLOCK_ACCESS_FS_READ_FILE and
1357 	 * LANDLOCK_ACCESS_FS_READ_DIR accesses, but
1358 	 * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would
1359 	 * be a privilege escalation.
1360 	 */
1361 	enforce_ruleset(_metadata, ruleset_fd);
1362 
1363 	/* Same tests and results as above. */
1364 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1365 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1366 
1367 	/* It is still forbidden to write in file1_s1d2. */
1368 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1369 	/* Readdir access is still allowed. */
1370 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1371 
1372 	/* It is still forbidden to write in file1_s1d3. */
1373 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1374 	/* Readdir access is still allowed. */
1375 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1376 
1377 	/*
1378 	 * Try to get more privileges by adding new access rights to the parent
1379 	 * directory: dir_s1d1.
1380 	 */
1381 	add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1);
1382 	enforce_ruleset(_metadata, ruleset_fd);
1383 
1384 	/* Same tests and results as above. */
1385 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1386 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1387 
1388 	/* It is still forbidden to write in file1_s1d2. */
1389 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1390 	/* Readdir access is still allowed. */
1391 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1392 
1393 	/* It is still forbidden to write in file1_s1d3. */
1394 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1395 	/* Readdir access is still allowed. */
1396 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1397 
1398 	/*
1399 	 * Now, dir_s1d3 get a new rule tied to it, only allowing
1400 	 * LANDLOCK_ACCESS_FS_WRITE_FILE.  The (kernel internal) difference is
1401 	 * that there was no rule tied to it before.
1402 	 */
1403 	add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
1404 			 dir_s1d3);
1405 	enforce_ruleset(_metadata, ruleset_fd);
1406 	ASSERT_EQ(0, close(ruleset_fd));
1407 
1408 	/*
1409 	 * Same tests and results as above, except for open(dir_s1d3) which is
1410 	 * now denied because the new rule mask the rule previously inherited
1411 	 * from dir_s1d2.
1412 	 */
1413 
1414 	/* Same tests and results as above. */
1415 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1416 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1417 
1418 	/* It is still forbidden to write in file1_s1d2. */
1419 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1420 	/* Readdir access is still allowed. */
1421 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1422 
1423 	/* It is still forbidden to write in file1_s1d3. */
1424 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1425 	/*
1426 	 * Readdir of dir_s1d3 is still allowed because of the OR policy inside
1427 	 * the same layer.
1428 	 */
1429 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1430 }
1431 
1432 TEST_F_FORK(layout1, inherit_superset)
1433 {
1434 	const struct rule rules[] = {
1435 		{
1436 			.path = dir_s1d3,
1437 			.access = ACCESS_RO,
1438 		},
1439 		{},
1440 	};
1441 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1442 
1443 	ASSERT_LE(0, ruleset_fd);
1444 	enforce_ruleset(_metadata, ruleset_fd);
1445 
1446 	/* Readdir access is denied for dir_s1d2. */
1447 	ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1448 	/* Readdir access is allowed for dir_s1d3. */
1449 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1450 	/* File access is allowed for file1_s1d3. */
1451 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1452 
1453 	/* Now dir_s1d2, parent of dir_s1d3, gets a new rule tied to it. */
1454 	add_path_beneath(_metadata, ruleset_fd,
1455 			 LANDLOCK_ACCESS_FS_READ_FILE |
1456 				 LANDLOCK_ACCESS_FS_READ_DIR,
1457 			 dir_s1d2);
1458 	enforce_ruleset(_metadata, ruleset_fd);
1459 	ASSERT_EQ(0, close(ruleset_fd));
1460 
1461 	/* Readdir access is still denied for dir_s1d2. */
1462 	ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1463 	/* Readdir access is still allowed for dir_s1d3. */
1464 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1465 	/* File access is still allowed for file1_s1d3. */
1466 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1467 }
1468 
1469 TEST_F_FORK(layout0, max_layers)
1470 {
1471 	int i, err;
1472 	const struct rule rules[] = {
1473 		{
1474 			.path = TMP_DIR,
1475 			.access = ACCESS_RO,
1476 		},
1477 		{},
1478 	};
1479 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1480 
1481 	ASSERT_LE(0, ruleset_fd);
1482 	for (i = 0; i < 16; i++)
1483 		enforce_ruleset(_metadata, ruleset_fd);
1484 
1485 	for (i = 0; i < 2; i++) {
1486 		err = landlock_restrict_self(ruleset_fd, 0);
1487 		ASSERT_EQ(-1, err);
1488 		ASSERT_EQ(E2BIG, errno);
1489 	}
1490 	ASSERT_EQ(0, close(ruleset_fd));
1491 }
1492 
1493 TEST_F_FORK(layout1, empty_or_same_ruleset)
1494 {
1495 	struct landlock_ruleset_attr ruleset_attr = {};
1496 	int ruleset_fd;
1497 
1498 	/* Tests empty handled_access_fs. */
1499 	ruleset_fd =
1500 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1501 	ASSERT_LE(-1, ruleset_fd);
1502 	ASSERT_EQ(ENOMSG, errno);
1503 
1504 	/* Enforces policy which deny read access to all files. */
1505 	ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE;
1506 	ruleset_fd =
1507 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1508 	ASSERT_LE(0, ruleset_fd);
1509 	enforce_ruleset(_metadata, ruleset_fd);
1510 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1511 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1512 
1513 	/* Nests a policy which deny read access to all directories. */
1514 	ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR;
1515 	ruleset_fd =
1516 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1517 	ASSERT_LE(0, ruleset_fd);
1518 	enforce_ruleset(_metadata, ruleset_fd);
1519 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1520 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1521 
1522 	/* Enforces a second time with the same ruleset. */
1523 	enforce_ruleset(_metadata, ruleset_fd);
1524 	ASSERT_EQ(0, close(ruleset_fd));
1525 }
1526 
1527 TEST_F_FORK(layout1, rule_on_mountpoint)
1528 {
1529 	const struct rule rules[] = {
1530 		{
1531 			.path = dir_s1d1,
1532 			.access = ACCESS_RO,
1533 		},
1534 		{
1535 			/* dir_s3d2 is a mount point. */
1536 			.path = dir_s3d2,
1537 			.access = ACCESS_RO,
1538 		},
1539 		{},
1540 	};
1541 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1542 
1543 	ASSERT_LE(0, ruleset_fd);
1544 	enforce_ruleset(_metadata, ruleset_fd);
1545 	ASSERT_EQ(0, close(ruleset_fd));
1546 
1547 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1548 
1549 	ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
1550 
1551 	ASSERT_EQ(EACCES, test_open(dir_s3d1, O_RDONLY));
1552 	ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
1553 	ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
1554 }
1555 
1556 TEST_F_FORK(layout1, rule_over_mountpoint)
1557 {
1558 	const struct rule rules[] = {
1559 		{
1560 			.path = dir_s1d1,
1561 			.access = ACCESS_RO,
1562 		},
1563 		{
1564 			/* dir_s3d2 is a mount point. */
1565 			.path = dir_s3d1,
1566 			.access = ACCESS_RO,
1567 		},
1568 		{},
1569 	};
1570 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1571 
1572 	ASSERT_LE(0, ruleset_fd);
1573 	enforce_ruleset(_metadata, ruleset_fd);
1574 	ASSERT_EQ(0, close(ruleset_fd));
1575 
1576 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1577 
1578 	ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
1579 
1580 	ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
1581 	ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
1582 	ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
1583 }
1584 
1585 /*
1586  * This test verifies that we can apply a landlock rule on the root directory
1587  * (which might require special handling).
1588  */
1589 TEST_F_FORK(layout1, rule_over_root_allow_then_deny)
1590 {
1591 	struct rule rules[] = {
1592 		{
1593 			.path = "/",
1594 			.access = ACCESS_RO,
1595 		},
1596 		{},
1597 	};
1598 	int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1599 
1600 	ASSERT_LE(0, ruleset_fd);
1601 	enforce_ruleset(_metadata, ruleset_fd);
1602 	ASSERT_EQ(0, close(ruleset_fd));
1603 
1604 	/* Checks allowed access. */
1605 	ASSERT_EQ(0, test_open("/", O_RDONLY));
1606 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1607 
1608 	rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE;
1609 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1610 	ASSERT_LE(0, ruleset_fd);
1611 	enforce_ruleset(_metadata, ruleset_fd);
1612 	ASSERT_EQ(0, close(ruleset_fd));
1613 
1614 	/* Checks denied access (on a directory). */
1615 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1616 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1617 }
1618 
1619 TEST_F_FORK(layout1, rule_over_root_deny)
1620 {
1621 	const struct rule rules[] = {
1622 		{
1623 			.path = "/",
1624 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
1625 		},
1626 		{},
1627 	};
1628 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1629 
1630 	ASSERT_LE(0, ruleset_fd);
1631 	enforce_ruleset(_metadata, ruleset_fd);
1632 	ASSERT_EQ(0, close(ruleset_fd));
1633 
1634 	/* Checks denied access (on a directory). */
1635 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1636 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1637 }
1638 
1639 TEST_F_FORK(layout1, rule_inside_mount_ns)
1640 {
1641 	const struct rule rules[] = {
1642 		{
1643 			.path = "s3d3",
1644 			.access = ACCESS_RO,
1645 		},
1646 		{},
1647 	};
1648 	int ruleset_fd;
1649 
1650 	set_cap(_metadata, CAP_SYS_ADMIN);
1651 	ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3))
1652 	{
1653 		TH_LOG("Failed to pivot root: %s", strerror(errno));
1654 	};
1655 	ASSERT_EQ(0, chdir("/"));
1656 	clear_cap(_metadata, CAP_SYS_ADMIN);
1657 
1658 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1659 	ASSERT_LE(0, ruleset_fd);
1660 	enforce_ruleset(_metadata, ruleset_fd);
1661 	ASSERT_EQ(0, close(ruleset_fd));
1662 
1663 	ASSERT_EQ(0, test_open("s3d3", O_RDONLY));
1664 	ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1665 }
1666 
1667 TEST_F_FORK(layout1, mount_and_pivot)
1668 {
1669 	const struct rule rules[] = {
1670 		{
1671 			.path = dir_s3d2,
1672 			.access = ACCESS_RO,
1673 		},
1674 		{},
1675 	};
1676 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1677 
1678 	ASSERT_LE(0, ruleset_fd);
1679 	enforce_ruleset(_metadata, ruleset_fd);
1680 	ASSERT_EQ(0, close(ruleset_fd));
1681 
1682 	set_cap(_metadata, CAP_SYS_ADMIN);
1683 	ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL));
1684 	ASSERT_EQ(EPERM, errno);
1685 	ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
1686 	ASSERT_EQ(EPERM, errno);
1687 	clear_cap(_metadata, CAP_SYS_ADMIN);
1688 }
1689 
1690 TEST_F_FORK(layout1, move_mount)
1691 {
1692 	const struct rule rules[] = {
1693 		{
1694 			.path = dir_s3d2,
1695 			.access = ACCESS_RO,
1696 		},
1697 		{},
1698 	};
1699 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1700 
1701 	ASSERT_LE(0, ruleset_fd);
1702 
1703 	set_cap(_metadata, CAP_SYS_ADMIN);
1704 	ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
1705 			     dir_s1d2, 0))
1706 	{
1707 		TH_LOG("Failed to move mount: %s", strerror(errno));
1708 	}
1709 
1710 	ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD,
1711 			     dir_s3d2, 0));
1712 	clear_cap(_metadata, CAP_SYS_ADMIN);
1713 
1714 	enforce_ruleset(_metadata, ruleset_fd);
1715 	ASSERT_EQ(0, close(ruleset_fd));
1716 
1717 	set_cap(_metadata, CAP_SYS_ADMIN);
1718 	ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
1719 			      dir_s1d2, 0));
1720 	ASSERT_EQ(EPERM, errno);
1721 	clear_cap(_metadata, CAP_SYS_ADMIN);
1722 }
1723 
1724 TEST_F_FORK(layout1, topology_changes_with_net_only)
1725 {
1726 	const struct landlock_ruleset_attr ruleset_net = {
1727 		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
1728 				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
1729 	};
1730 	int ruleset_fd;
1731 
1732 	/* Add network restrictions. */
1733 	ruleset_fd =
1734 		landlock_create_ruleset(&ruleset_net, sizeof(ruleset_net), 0);
1735 	ASSERT_LE(0, ruleset_fd);
1736 	enforce_ruleset(_metadata, ruleset_fd);
1737 	ASSERT_EQ(0, close(ruleset_fd));
1738 
1739 	/* Mount, remount, move_mount, umount, and pivot_root checks. */
1740 	set_cap(_metadata, CAP_SYS_ADMIN);
1741 	ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s1d2));
1742 	ASSERT_EQ(0, mount(NULL, dir_s1d2, NULL, MS_PRIVATE | MS_REC, NULL));
1743 	ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD,
1744 			     dir_s2d2, 0));
1745 	ASSERT_EQ(0, umount(dir_s2d2));
1746 	ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
1747 	ASSERT_EQ(0, chdir("/"));
1748 	clear_cap(_metadata, CAP_SYS_ADMIN);
1749 }
1750 
1751 TEST_F_FORK(layout1, topology_changes_with_net_and_fs)
1752 {
1753 	const struct landlock_ruleset_attr ruleset_net_fs = {
1754 		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
1755 				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
1756 		.handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE,
1757 	};
1758 	int ruleset_fd;
1759 
1760 	/* Add network and filesystem restrictions. */
1761 	ruleset_fd = landlock_create_ruleset(&ruleset_net_fs,
1762 					     sizeof(ruleset_net_fs), 0);
1763 	ASSERT_LE(0, ruleset_fd);
1764 	enforce_ruleset(_metadata, ruleset_fd);
1765 	ASSERT_EQ(0, close(ruleset_fd));
1766 
1767 	/* Mount, remount, move_mount, umount, and pivot_root checks. */
1768 	set_cap(_metadata, CAP_SYS_ADMIN);
1769 	ASSERT_EQ(-1, mount_opt(&mnt_tmp, dir_s1d2));
1770 	ASSERT_EQ(EPERM, errno);
1771 	ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_PRIVATE | MS_REC, NULL));
1772 	ASSERT_EQ(EPERM, errno);
1773 	ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
1774 			      dir_s2d2, 0));
1775 	ASSERT_EQ(EPERM, errno);
1776 	ASSERT_EQ(-1, umount(dir_s3d2));
1777 	ASSERT_EQ(EPERM, errno);
1778 	ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
1779 	ASSERT_EQ(EPERM, errno);
1780 	clear_cap(_metadata, CAP_SYS_ADMIN);
1781 }
1782 
1783 TEST_F_FORK(layout1, release_inodes)
1784 {
1785 	const struct rule rules[] = {
1786 		{
1787 			.path = dir_s1d1,
1788 			.access = ACCESS_RO,
1789 		},
1790 		{
1791 			.path = dir_s3d2,
1792 			.access = ACCESS_RO,
1793 		},
1794 		{
1795 			.path = dir_s3d3,
1796 			.access = ACCESS_RO,
1797 		},
1798 		{},
1799 	};
1800 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1801 
1802 	ASSERT_LE(0, ruleset_fd);
1803 	/* Unmount a file hierarchy while it is being used by a ruleset. */
1804 	set_cap(_metadata, CAP_SYS_ADMIN);
1805 	ASSERT_EQ(0, umount(dir_s3d2));
1806 	clear_cap(_metadata, CAP_SYS_ADMIN);
1807 
1808 	enforce_ruleset(_metadata, ruleset_fd);
1809 	ASSERT_EQ(0, close(ruleset_fd));
1810 
1811 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
1812 	ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY));
1813 	/* This dir_s3d3 would not be allowed and does not exist anyway. */
1814 	ASSERT_EQ(ENOENT, test_open(dir_s3d3, O_RDONLY));
1815 }
1816 
1817 enum relative_access {
1818 	REL_OPEN,
1819 	REL_CHDIR,
1820 	REL_CHROOT_ONLY,
1821 	REL_CHROOT_CHDIR,
1822 };
1823 
1824 static void test_relative_path(struct __test_metadata *const _metadata,
1825 			       const enum relative_access rel)
1826 {
1827 	/*
1828 	 * Common layer to check that chroot doesn't ignore it (i.e. a chroot
1829 	 * is not a disconnected root directory).
1830 	 */
1831 	const struct rule layer1_base[] = {
1832 		{
1833 			.path = TMP_DIR,
1834 			.access = ACCESS_RO,
1835 		},
1836 		{},
1837 	};
1838 	const struct rule layer2_subs[] = {
1839 		{
1840 			.path = dir_s1d2,
1841 			.access = ACCESS_RO,
1842 		},
1843 		{
1844 			.path = dir_s2d2,
1845 			.access = ACCESS_RO,
1846 		},
1847 		{},
1848 	};
1849 	int dirfd, ruleset_fd;
1850 
1851 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
1852 	ASSERT_LE(0, ruleset_fd);
1853 	enforce_ruleset(_metadata, ruleset_fd);
1854 	ASSERT_EQ(0, close(ruleset_fd));
1855 
1856 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_subs);
1857 
1858 	ASSERT_LE(0, ruleset_fd);
1859 	switch (rel) {
1860 	case REL_OPEN:
1861 	case REL_CHDIR:
1862 		break;
1863 	case REL_CHROOT_ONLY:
1864 		ASSERT_EQ(0, chdir(dir_s2d2));
1865 		break;
1866 	case REL_CHROOT_CHDIR:
1867 		ASSERT_EQ(0, chdir(dir_s1d2));
1868 		break;
1869 	default:
1870 		ASSERT_TRUE(false);
1871 		return;
1872 	}
1873 
1874 	set_cap(_metadata, CAP_SYS_CHROOT);
1875 	enforce_ruleset(_metadata, ruleset_fd);
1876 
1877 	switch (rel) {
1878 	case REL_OPEN:
1879 		dirfd = open(dir_s1d2, O_DIRECTORY);
1880 		ASSERT_LE(0, dirfd);
1881 		break;
1882 	case REL_CHDIR:
1883 		ASSERT_EQ(0, chdir(dir_s1d2));
1884 		dirfd = AT_FDCWD;
1885 		break;
1886 	case REL_CHROOT_ONLY:
1887 		/* Do chroot into dir_s1d2 (relative to dir_s2d2). */
1888 		ASSERT_EQ(0, chroot("../../s1d1/s1d2"))
1889 		{
1890 			TH_LOG("Failed to chroot: %s", strerror(errno));
1891 		}
1892 		dirfd = AT_FDCWD;
1893 		break;
1894 	case REL_CHROOT_CHDIR:
1895 		/* Do chroot into dir_s1d2. */
1896 		ASSERT_EQ(0, chroot("."))
1897 		{
1898 			TH_LOG("Failed to chroot: %s", strerror(errno));
1899 		}
1900 		dirfd = AT_FDCWD;
1901 		break;
1902 	}
1903 
1904 	ASSERT_EQ((rel == REL_CHROOT_CHDIR) ? 0 : EACCES,
1905 		  test_open_rel(dirfd, "..", O_RDONLY));
1906 	ASSERT_EQ(0, test_open_rel(dirfd, ".", O_RDONLY));
1907 
1908 	if (rel == REL_CHROOT_ONLY) {
1909 		/* The current directory is dir_s2d2. */
1910 		ASSERT_EQ(0, test_open_rel(dirfd, "./s2d3", O_RDONLY));
1911 	} else {
1912 		/* The current directory is dir_s1d2. */
1913 		ASSERT_EQ(0, test_open_rel(dirfd, "./s1d3", O_RDONLY));
1914 	}
1915 
1916 	if (rel == REL_CHROOT_ONLY || rel == REL_CHROOT_CHDIR) {
1917 		/* Checks the root dir_s1d2. */
1918 		ASSERT_EQ(0, test_open_rel(dirfd, "/..", O_RDONLY));
1919 		ASSERT_EQ(0, test_open_rel(dirfd, "/", O_RDONLY));
1920 		ASSERT_EQ(0, test_open_rel(dirfd, "/f1", O_RDONLY));
1921 		ASSERT_EQ(0, test_open_rel(dirfd, "/s1d3", O_RDONLY));
1922 	}
1923 
1924 	if (rel != REL_CHROOT_CHDIR) {
1925 		ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s1d1", O_RDONLY));
1926 		ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2", O_RDONLY));
1927 		ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2/s1d3",
1928 					   O_RDONLY));
1929 
1930 		ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s2d1", O_RDONLY));
1931 		ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2", O_RDONLY));
1932 		ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2/s2d3",
1933 					   O_RDONLY));
1934 	}
1935 
1936 	if (rel == REL_OPEN)
1937 		ASSERT_EQ(0, close(dirfd));
1938 	ASSERT_EQ(0, close(ruleset_fd));
1939 }
1940 
1941 TEST_F_FORK(layout1, relative_open)
1942 {
1943 	test_relative_path(_metadata, REL_OPEN);
1944 }
1945 
1946 TEST_F_FORK(layout1, relative_chdir)
1947 {
1948 	test_relative_path(_metadata, REL_CHDIR);
1949 }
1950 
1951 TEST_F_FORK(layout1, relative_chroot_only)
1952 {
1953 	test_relative_path(_metadata, REL_CHROOT_ONLY);
1954 }
1955 
1956 TEST_F_FORK(layout1, relative_chroot_chdir)
1957 {
1958 	test_relative_path(_metadata, REL_CHROOT_CHDIR);
1959 }
1960 
1961 static void copy_binary(struct __test_metadata *const _metadata,
1962 			const char *const dst_path)
1963 {
1964 	int dst_fd, src_fd;
1965 	struct stat statbuf;
1966 
1967 	dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC);
1968 	ASSERT_LE(0, dst_fd)
1969 	{
1970 		TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(errno));
1971 	}
1972 	src_fd = open(BINARY_PATH, O_RDONLY | O_CLOEXEC);
1973 	ASSERT_LE(0, src_fd)
1974 	{
1975 		TH_LOG("Failed to open \"" BINARY_PATH "\": %s",
1976 		       strerror(errno));
1977 	}
1978 	ASSERT_EQ(0, fstat(src_fd, &statbuf));
1979 	ASSERT_EQ(statbuf.st_size,
1980 		  sendfile(dst_fd, src_fd, 0, statbuf.st_size));
1981 	ASSERT_EQ(0, close(src_fd));
1982 	ASSERT_EQ(0, close(dst_fd));
1983 }
1984 
1985 static void test_execute(struct __test_metadata *const _metadata, const int err,
1986 			 const char *const path)
1987 {
1988 	int status;
1989 	char *const argv[] = { (char *)path, NULL };
1990 	const pid_t child = fork();
1991 
1992 	ASSERT_LE(0, child);
1993 	if (child == 0) {
1994 		ASSERT_EQ(err ? -1 : 0, execve(path, argv, NULL))
1995 		{
1996 			TH_LOG("Failed to execute \"%s\": %s", path,
1997 			       strerror(errno));
1998 		};
1999 		ASSERT_EQ(err, errno);
2000 		_exit(__test_passed(_metadata) ? 2 : 1);
2001 		return;
2002 	}
2003 	ASSERT_EQ(child, waitpid(child, &status, 0));
2004 	ASSERT_EQ(1, WIFEXITED(status));
2005 	ASSERT_EQ(err ? 2 : 0, WEXITSTATUS(status))
2006 	{
2007 		TH_LOG("Unexpected return code for \"%s\": %s", path,
2008 		       strerror(errno));
2009 	};
2010 }
2011 
2012 TEST_F_FORK(layout1, execute)
2013 {
2014 	const struct rule rules[] = {
2015 		{
2016 			.path = dir_s1d2,
2017 			.access = LANDLOCK_ACCESS_FS_EXECUTE,
2018 		},
2019 		{},
2020 	};
2021 	const int ruleset_fd =
2022 		create_ruleset(_metadata, rules[0].access, rules);
2023 
2024 	ASSERT_LE(0, ruleset_fd);
2025 	copy_binary(_metadata, file1_s1d1);
2026 	copy_binary(_metadata, file1_s1d2);
2027 	copy_binary(_metadata, file1_s1d3);
2028 
2029 	enforce_ruleset(_metadata, ruleset_fd);
2030 	ASSERT_EQ(0, close(ruleset_fd));
2031 
2032 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
2033 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
2034 	test_execute(_metadata, EACCES, file1_s1d1);
2035 
2036 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
2037 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
2038 	test_execute(_metadata, 0, file1_s1d2);
2039 
2040 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
2041 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
2042 	test_execute(_metadata, 0, file1_s1d3);
2043 }
2044 
2045 TEST_F_FORK(layout1, link)
2046 {
2047 	const struct rule layer1[] = {
2048 		{
2049 			.path = dir_s1d2,
2050 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2051 		},
2052 		{},
2053 	};
2054 	const struct rule layer2[] = {
2055 		{
2056 			.path = dir_s1d3,
2057 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2058 		},
2059 		{},
2060 	};
2061 	int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
2062 
2063 	ASSERT_LE(0, ruleset_fd);
2064 
2065 	ASSERT_EQ(0, unlink(file1_s1d1));
2066 	ASSERT_EQ(0, unlink(file1_s1d2));
2067 	ASSERT_EQ(0, unlink(file1_s1d3));
2068 
2069 	enforce_ruleset(_metadata, ruleset_fd);
2070 	ASSERT_EQ(0, close(ruleset_fd));
2071 
2072 	ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
2073 	ASSERT_EQ(EACCES, errno);
2074 
2075 	/* Denies linking because of reparenting. */
2076 	ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
2077 	ASSERT_EQ(EXDEV, errno);
2078 	ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
2079 	ASSERT_EQ(EXDEV, errno);
2080 	ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
2081 	ASSERT_EQ(EXDEV, errno);
2082 
2083 	ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
2084 	ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
2085 
2086 	/* Prepares for next unlinks. */
2087 	ASSERT_EQ(0, unlink(file2_s1d2));
2088 	ASSERT_EQ(0, unlink(file2_s1d3));
2089 
2090 	ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
2091 	ASSERT_LE(0, ruleset_fd);
2092 	enforce_ruleset(_metadata, ruleset_fd);
2093 	ASSERT_EQ(0, close(ruleset_fd));
2094 
2095 	/* Checks that linkind doesn't require the ability to delete a file. */
2096 	ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
2097 	ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
2098 }
2099 
2100 static int test_rename(const char *const oldpath, const char *const newpath)
2101 {
2102 	if (rename(oldpath, newpath))
2103 		return errno;
2104 	return 0;
2105 }
2106 
2107 static int test_exchange(const char *const oldpath, const char *const newpath)
2108 {
2109 	if (renameat2(AT_FDCWD, oldpath, AT_FDCWD, newpath, RENAME_EXCHANGE))
2110 		return errno;
2111 	return 0;
2112 }
2113 
2114 TEST_F_FORK(layout1, rename_file)
2115 {
2116 	const struct rule rules[] = {
2117 		{
2118 			.path = dir_s1d3,
2119 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2120 		},
2121 		{
2122 			.path = dir_s2d2,
2123 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2124 		},
2125 		{},
2126 	};
2127 	const int ruleset_fd =
2128 		create_ruleset(_metadata, rules[0].access, rules);
2129 
2130 	ASSERT_LE(0, ruleset_fd);
2131 
2132 	ASSERT_EQ(0, unlink(file1_s1d2));
2133 
2134 	enforce_ruleset(_metadata, ruleset_fd);
2135 	ASSERT_EQ(0, close(ruleset_fd));
2136 
2137 	/*
2138 	 * Tries to replace a file, from a directory that allows file removal,
2139 	 * but to a different directory (which also allows file removal).
2140 	 */
2141 	ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3));
2142 	ASSERT_EQ(EXDEV, errno);
2143 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d3,
2144 				RENAME_EXCHANGE));
2145 	ASSERT_EQ(EXDEV, errno);
2146 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
2147 				RENAME_EXCHANGE));
2148 	ASSERT_EQ(EXDEV, errno);
2149 
2150 	/*
2151 	 * Tries to replace a file, from a directory that denies file removal,
2152 	 * to a different directory (which allows file removal).
2153 	 */
2154 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
2155 	ASSERT_EQ(EACCES, errno);
2156 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3,
2157 				RENAME_EXCHANGE));
2158 	ASSERT_EQ(EACCES, errno);
2159 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3,
2160 				RENAME_EXCHANGE));
2161 	ASSERT_EQ(EXDEV, errno);
2162 
2163 	/* Exchanges files and directories that partially allow removal. */
2164 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1,
2165 				RENAME_EXCHANGE));
2166 	ASSERT_EQ(EACCES, errno);
2167 	/* Checks that file1_s2d1 cannot be removed (instead of ENOTDIR). */
2168 	ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1));
2169 	ASSERT_EQ(EACCES, errno);
2170 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2,
2171 				RENAME_EXCHANGE));
2172 	ASSERT_EQ(EACCES, errno);
2173 	/* Checks that file1_s1d1 cannot be removed (instead of EISDIR). */
2174 	ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
2175 	ASSERT_EQ(EACCES, errno);
2176 
2177 	/* Renames files with different parents. */
2178 	ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
2179 	ASSERT_EQ(EXDEV, errno);
2180 	ASSERT_EQ(0, unlink(file1_s1d3));
2181 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
2182 	ASSERT_EQ(EACCES, errno);
2183 
2184 	/* Exchanges and renames files with same parent. */
2185 	ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3,
2186 			       RENAME_EXCHANGE));
2187 	ASSERT_EQ(0, rename(file2_s2d3, file1_s2d3));
2188 
2189 	/* Exchanges files and directories with same parent, twice. */
2190 	ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
2191 			       RENAME_EXCHANGE));
2192 	ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
2193 			       RENAME_EXCHANGE));
2194 }
2195 
2196 TEST_F_FORK(layout1, rename_dir)
2197 {
2198 	const struct rule rules[] = {
2199 		{
2200 			.path = dir_s1d2,
2201 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2202 		},
2203 		{
2204 			.path = dir_s2d1,
2205 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2206 		},
2207 		{},
2208 	};
2209 	const int ruleset_fd =
2210 		create_ruleset(_metadata, rules[0].access, rules);
2211 
2212 	ASSERT_LE(0, ruleset_fd);
2213 
2214 	/* Empties dir_s1d3 to allow renaming. */
2215 	ASSERT_EQ(0, unlink(file1_s1d3));
2216 	ASSERT_EQ(0, unlink(file2_s1d3));
2217 
2218 	enforce_ruleset(_metadata, ruleset_fd);
2219 	ASSERT_EQ(0, close(ruleset_fd));
2220 
2221 	/* Exchanges and renames directory to a different parent. */
2222 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
2223 				RENAME_EXCHANGE));
2224 	ASSERT_EQ(EXDEV, errno);
2225 	ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3));
2226 	ASSERT_EQ(EXDEV, errno);
2227 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
2228 				RENAME_EXCHANGE));
2229 	ASSERT_EQ(EXDEV, errno);
2230 
2231 	/*
2232 	 * Exchanges directory to the same parent, which doesn't allow
2233 	 * directory removal.
2234 	 */
2235 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1,
2236 				RENAME_EXCHANGE));
2237 	ASSERT_EQ(EACCES, errno);
2238 	/* Checks that dir_s1d2 cannot be removed (instead of ENOTDIR). */
2239 	ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1));
2240 	ASSERT_EQ(EACCES, errno);
2241 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2,
2242 				RENAME_EXCHANGE));
2243 	ASSERT_EQ(EACCES, errno);
2244 	/* Checks that dir_s1d2 cannot be removed (instead of EISDIR). */
2245 	ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
2246 	ASSERT_EQ(EACCES, errno);
2247 
2248 	/*
2249 	 * Exchanges and renames directory to the same parent, which allows
2250 	 * directory removal.
2251 	 */
2252 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s1d2,
2253 			       RENAME_EXCHANGE));
2254 	ASSERT_EQ(0, unlink(dir_s1d3));
2255 	ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
2256 	ASSERT_EQ(0, rename(file1_s1d2, dir_s1d3));
2257 	ASSERT_EQ(0, rmdir(dir_s1d3));
2258 }
2259 
2260 TEST_F_FORK(layout1, reparent_refer)
2261 {
2262 	const struct rule layer1[] = {
2263 		{
2264 			.path = dir_s1d2,
2265 			.access = LANDLOCK_ACCESS_FS_REFER,
2266 		},
2267 		{
2268 			.path = dir_s2d2,
2269 			.access = LANDLOCK_ACCESS_FS_REFER,
2270 		},
2271 		{},
2272 	};
2273 	int ruleset_fd =
2274 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1);
2275 
2276 	ASSERT_LE(0, ruleset_fd);
2277 	enforce_ruleset(_metadata, ruleset_fd);
2278 	ASSERT_EQ(0, close(ruleset_fd));
2279 
2280 	ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d1));
2281 	ASSERT_EQ(EXDEV, errno);
2282 	ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d2));
2283 	ASSERT_EQ(EXDEV, errno);
2284 	ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3));
2285 	ASSERT_EQ(EXDEV, errno);
2286 
2287 	ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d1));
2288 	ASSERT_EQ(EXDEV, errno);
2289 	ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d2));
2290 	ASSERT_EQ(EXDEV, errno);
2291 	/*
2292 	 * Moving should only be allowed when the source and the destination
2293 	 * parent directory have REFER.
2294 	 */
2295 	ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d3));
2296 	ASSERT_EQ(ENOTEMPTY, errno);
2297 	ASSERT_EQ(0, unlink(file1_s2d3));
2298 	ASSERT_EQ(0, unlink(file2_s2d3));
2299 	ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3));
2300 }
2301 
2302 /* Checks renames beneath dir_s1d1. */
2303 static void refer_denied_by_default(struct __test_metadata *const _metadata,
2304 				    const struct rule layer1[],
2305 				    const int layer1_err,
2306 				    const struct rule layer2[])
2307 {
2308 	int ruleset_fd;
2309 
2310 	ASSERT_EQ(0, unlink(file1_s1d2));
2311 
2312 	ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
2313 	ASSERT_LE(0, ruleset_fd);
2314 	enforce_ruleset(_metadata, ruleset_fd);
2315 	ASSERT_EQ(0, close(ruleset_fd));
2316 
2317 	/*
2318 	 * If the first layer handles LANDLOCK_ACCESS_FS_REFER (according to
2319 	 * layer1_err), then it allows some different-parent renames and links.
2320 	 */
2321 	ASSERT_EQ(layer1_err, test_rename(file1_s1d1, file1_s1d2));
2322 	if (layer1_err == 0)
2323 		ASSERT_EQ(layer1_err, test_rename(file1_s1d2, file1_s1d1));
2324 	ASSERT_EQ(layer1_err, test_exchange(file2_s1d1, file2_s1d2));
2325 	ASSERT_EQ(layer1_err, test_exchange(file2_s1d2, file2_s1d1));
2326 
2327 	ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
2328 	ASSERT_LE(0, ruleset_fd);
2329 	enforce_ruleset(_metadata, ruleset_fd);
2330 	ASSERT_EQ(0, close(ruleset_fd));
2331 
2332 	/*
2333 	 * Now, either the first or the second layer does not handle
2334 	 * LANDLOCK_ACCESS_FS_REFER, which means that any different-parent
2335 	 * renames and links are denied, thus making the layer handling
2336 	 * LANDLOCK_ACCESS_FS_REFER null and void.
2337 	 */
2338 	ASSERT_EQ(EXDEV, test_rename(file1_s1d1, file1_s1d2));
2339 	ASSERT_EQ(EXDEV, test_exchange(file2_s1d1, file2_s1d2));
2340 	ASSERT_EQ(EXDEV, test_exchange(file2_s1d2, file2_s1d1));
2341 }
2342 
2343 const struct rule layer_dir_s1d1_refer[] = {
2344 	{
2345 		.path = dir_s1d1,
2346 		.access = LANDLOCK_ACCESS_FS_REFER,
2347 	},
2348 	{},
2349 };
2350 
2351 const struct rule layer_dir_s1d1_execute[] = {
2352 	{
2353 		/* Matches a parent directory. */
2354 		.path = dir_s1d1,
2355 		.access = LANDLOCK_ACCESS_FS_EXECUTE,
2356 	},
2357 	{},
2358 };
2359 
2360 const struct rule layer_dir_s2d1_execute[] = {
2361 	{
2362 		/* Does not match a parent directory. */
2363 		.path = dir_s2d1,
2364 		.access = LANDLOCK_ACCESS_FS_EXECUTE,
2365 	},
2366 	{},
2367 };
2368 
2369 /*
2370  * Tests precedence over renames: denied by default for different parent
2371  * directories, *with* a rule matching a parent directory, but not directly
2372  * denying access (with MAKE_REG nor REMOVE).
2373  */
2374 TEST_F_FORK(layout1, refer_denied_by_default1)
2375 {
2376 	refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
2377 				layer_dir_s1d1_execute);
2378 }
2379 
2380 /*
2381  * Same test but this time turning around the ABI version order: the first
2382  * layer does not handle LANDLOCK_ACCESS_FS_REFER.
2383  */
2384 TEST_F_FORK(layout1, refer_denied_by_default2)
2385 {
2386 	refer_denied_by_default(_metadata, layer_dir_s1d1_execute, EXDEV,
2387 				layer_dir_s1d1_refer);
2388 }
2389 
2390 /*
2391  * Tests precedence over renames: denied by default for different parent
2392  * directories, *without* a rule matching a parent directory, but not directly
2393  * denying access (with MAKE_REG nor REMOVE).
2394  */
2395 TEST_F_FORK(layout1, refer_denied_by_default3)
2396 {
2397 	refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
2398 				layer_dir_s2d1_execute);
2399 }
2400 
2401 /*
2402  * Same test but this time turning around the ABI version order: the first
2403  * layer does not handle LANDLOCK_ACCESS_FS_REFER.
2404  */
2405 TEST_F_FORK(layout1, refer_denied_by_default4)
2406 {
2407 	refer_denied_by_default(_metadata, layer_dir_s2d1_execute, EXDEV,
2408 				layer_dir_s1d1_refer);
2409 }
2410 
2411 /*
2412  * Tests walking through a denied root mount.
2413  */
2414 TEST_F_FORK(layout1, refer_mount_root_deny)
2415 {
2416 	const struct landlock_ruleset_attr ruleset_attr = {
2417 		.handled_access_fs = LANDLOCK_ACCESS_FS_MAKE_DIR,
2418 	};
2419 	int root_fd, ruleset_fd;
2420 
2421 	/* Creates a mount object from a non-mount point. */
2422 	set_cap(_metadata, CAP_SYS_ADMIN);
2423 	root_fd =
2424 		open_tree(AT_FDCWD, dir_s1d1,
2425 			  AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC);
2426 	clear_cap(_metadata, CAP_SYS_ADMIN);
2427 	ASSERT_LE(0, root_fd);
2428 
2429 	ruleset_fd =
2430 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
2431 	ASSERT_LE(0, ruleset_fd);
2432 
2433 	ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
2434 	ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
2435 	EXPECT_EQ(0, close(ruleset_fd));
2436 
2437 	/* Link denied by Landlock: EACCES. */
2438 	EXPECT_EQ(-1, linkat(root_fd, ".", root_fd, "does_not_exist", 0));
2439 	EXPECT_EQ(EACCES, errno);
2440 
2441 	/* renameat2() always returns EBUSY. */
2442 	EXPECT_EQ(-1, renameat2(root_fd, ".", root_fd, "does_not_exist", 0));
2443 	EXPECT_EQ(EBUSY, errno);
2444 
2445 	EXPECT_EQ(0, close(root_fd));
2446 }
2447 
2448 TEST_F_FORK(layout1, reparent_link)
2449 {
2450 	const struct rule layer1[] = {
2451 		{
2452 			.path = dir_s1d2,
2453 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2454 		},
2455 		{
2456 			.path = dir_s1d3,
2457 			.access = LANDLOCK_ACCESS_FS_REFER,
2458 		},
2459 		{
2460 			.path = dir_s2d2,
2461 			.access = LANDLOCK_ACCESS_FS_REFER,
2462 		},
2463 		{
2464 			.path = dir_s2d3,
2465 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2466 		},
2467 		{},
2468 	};
2469 	const int ruleset_fd = create_ruleset(
2470 		_metadata,
2471 		LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2472 
2473 	ASSERT_LE(0, ruleset_fd);
2474 	enforce_ruleset(_metadata, ruleset_fd);
2475 	ASSERT_EQ(0, close(ruleset_fd));
2476 
2477 	ASSERT_EQ(0, unlink(file1_s1d1));
2478 	ASSERT_EQ(0, unlink(file1_s1d2));
2479 	ASSERT_EQ(0, unlink(file1_s1d3));
2480 
2481 	/* Denies linking because of missing MAKE_REG. */
2482 	ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
2483 	ASSERT_EQ(EACCES, errno);
2484 	/* Denies linking because of missing source and destination REFER. */
2485 	ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
2486 	ASSERT_EQ(EXDEV, errno);
2487 	/* Denies linking because of missing source REFER. */
2488 	ASSERT_EQ(-1, link(file1_s2d1, file1_s1d3));
2489 	ASSERT_EQ(EXDEV, errno);
2490 
2491 	/* Denies linking because of missing MAKE_REG. */
2492 	ASSERT_EQ(-1, link(file1_s2d2, file1_s1d1));
2493 	ASSERT_EQ(EACCES, errno);
2494 	/* Denies linking because of missing destination REFER. */
2495 	ASSERT_EQ(-1, link(file1_s2d2, file1_s1d2));
2496 	ASSERT_EQ(EXDEV, errno);
2497 
2498 	/* Allows linking because of REFER and MAKE_REG. */
2499 	ASSERT_EQ(0, link(file1_s2d2, file1_s1d3));
2500 	ASSERT_EQ(0, unlink(file1_s2d2));
2501 	/* Reverse linking denied because of missing MAKE_REG. */
2502 	ASSERT_EQ(-1, link(file1_s1d3, file1_s2d2));
2503 	ASSERT_EQ(EACCES, errno);
2504 	ASSERT_EQ(0, unlink(file1_s2d3));
2505 	/* Checks reverse linking. */
2506 	ASSERT_EQ(0, link(file1_s1d3, file1_s2d3));
2507 	ASSERT_EQ(0, unlink(file1_s1d3));
2508 
2509 	/*
2510 	 * This is OK for a file link, but it should not be allowed for a
2511 	 * directory rename (because of the superset of access rights.
2512 	 */
2513 	ASSERT_EQ(0, link(file1_s2d3, file1_s1d3));
2514 	ASSERT_EQ(0, unlink(file1_s1d3));
2515 
2516 	ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
2517 	ASSERT_EQ(EXDEV, errno);
2518 	ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
2519 	ASSERT_EQ(EXDEV, errno);
2520 
2521 	ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
2522 	ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
2523 }
2524 
2525 TEST_F_FORK(layout1, reparent_rename)
2526 {
2527 	/* Same rules as for reparent_link. */
2528 	const struct rule layer1[] = {
2529 		{
2530 			.path = dir_s1d2,
2531 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2532 		},
2533 		{
2534 			.path = dir_s1d3,
2535 			.access = LANDLOCK_ACCESS_FS_REFER,
2536 		},
2537 		{
2538 			.path = dir_s2d2,
2539 			.access = LANDLOCK_ACCESS_FS_REFER,
2540 		},
2541 		{
2542 			.path = dir_s2d3,
2543 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2544 		},
2545 		{},
2546 	};
2547 	const int ruleset_fd = create_ruleset(
2548 		_metadata,
2549 		LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2550 
2551 	ASSERT_LE(0, ruleset_fd);
2552 	enforce_ruleset(_metadata, ruleset_fd);
2553 	ASSERT_EQ(0, close(ruleset_fd));
2554 
2555 	ASSERT_EQ(0, unlink(file1_s1d2));
2556 	ASSERT_EQ(0, unlink(file1_s1d3));
2557 
2558 	/* Denies renaming because of missing MAKE_REG. */
2559 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s1d1,
2560 				RENAME_EXCHANGE));
2561 	ASSERT_EQ(EACCES, errno);
2562 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file2_s1d1,
2563 				RENAME_EXCHANGE));
2564 	ASSERT_EQ(EACCES, errno);
2565 	ASSERT_EQ(0, unlink(file1_s1d1));
2566 	ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
2567 	ASSERT_EQ(EACCES, errno);
2568 	/* Even denies same file exchange. */
2569 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file2_s1d1,
2570 				RENAME_EXCHANGE));
2571 	ASSERT_EQ(EACCES, errno);
2572 
2573 	/* Denies renaming because of missing source and destination REFER. */
2574 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d2));
2575 	ASSERT_EQ(EXDEV, errno);
2576 	/*
2577 	 * Denies renaming because of missing MAKE_REG, source and destination
2578 	 * REFER.
2579 	 */
2580 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d1,
2581 				RENAME_EXCHANGE));
2582 	ASSERT_EQ(EACCES, errno);
2583 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s2d1,
2584 				RENAME_EXCHANGE));
2585 	ASSERT_EQ(EACCES, errno);
2586 
2587 	/* Denies renaming because of missing source REFER. */
2588 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
2589 	ASSERT_EQ(EXDEV, errno);
2590 	/* Denies renaming because of missing MAKE_REG. */
2591 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d3,
2592 				RENAME_EXCHANGE));
2593 	ASSERT_EQ(EACCES, errno);
2594 
2595 	/* Denies renaming because of missing MAKE_REG. */
2596 	ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d1));
2597 	ASSERT_EQ(EACCES, errno);
2598 	/* Denies renaming because of missing destination REFER*/
2599 	ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
2600 	ASSERT_EQ(EXDEV, errno);
2601 
2602 	/* Denies exchange because of one missing MAKE_REG. */
2603 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, file2_s1d3,
2604 				RENAME_EXCHANGE));
2605 	ASSERT_EQ(EACCES, errno);
2606 	/* Allows renaming because of REFER and MAKE_REG. */
2607 	ASSERT_EQ(0, rename(file1_s2d2, file1_s1d3));
2608 
2609 	/* Reverse renaming denied because of missing MAKE_REG. */
2610 	ASSERT_EQ(-1, rename(file1_s1d3, file1_s2d2));
2611 	ASSERT_EQ(EACCES, errno);
2612 	ASSERT_EQ(0, unlink(file1_s2d3));
2613 	ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2614 
2615 	/* Tests reverse renaming. */
2616 	ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
2617 	ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s1d3,
2618 			       RENAME_EXCHANGE));
2619 	ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2620 
2621 	/*
2622 	 * This is OK for a file rename, but it should not be allowed for a
2623 	 * directory rename (because of the superset of access rights).
2624 	 */
2625 	ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
2626 	ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2627 
2628 	/*
2629 	 * Tests superset restrictions applied to directories.  Not only the
2630 	 * dir_s2d3's parent (dir_s2d2) should be taken into account but also
2631 	 * access rights tied to dir_s2d3. dir_s2d2 is missing one access right
2632 	 * compared to dir_s1d3/file1_s1d3 (MAKE_REG) but it is provided
2633 	 * directly by the moved dir_s2d3.
2634 	 */
2635 	ASSERT_EQ(0, rename(dir_s2d3, file1_s1d3));
2636 	ASSERT_EQ(0, rename(file1_s1d3, dir_s2d3));
2637 	/*
2638 	 * The first rename is allowed but not the exchange because dir_s1d3's
2639 	 * parent (dir_s1d2) doesn't have REFER.
2640 	 */
2641 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
2642 				RENAME_EXCHANGE));
2643 	ASSERT_EQ(EXDEV, errno);
2644 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s2d3,
2645 				RENAME_EXCHANGE));
2646 	ASSERT_EQ(EXDEV, errno);
2647 	ASSERT_EQ(-1, rename(file1_s2d3, dir_s1d3));
2648 	ASSERT_EQ(EXDEV, errno);
2649 
2650 	ASSERT_EQ(-1, rename(file2_s1d2, file1_s1d3));
2651 	ASSERT_EQ(EXDEV, errno);
2652 	ASSERT_EQ(-1, rename(file2_s1d3, file1_s1d2));
2653 	ASSERT_EQ(EXDEV, errno);
2654 
2655 	/* Renaming in the same directory is always allowed. */
2656 	ASSERT_EQ(0, rename(file2_s1d2, file1_s1d2));
2657 	ASSERT_EQ(0, rename(file2_s1d3, file1_s1d3));
2658 
2659 	ASSERT_EQ(0, unlink(file1_s1d2));
2660 	/* Denies because of missing source MAKE_REG and destination REFER. */
2661 	ASSERT_EQ(-1, rename(dir_s2d3, file1_s1d2));
2662 	ASSERT_EQ(EXDEV, errno);
2663 
2664 	ASSERT_EQ(0, unlink(file1_s1d3));
2665 	/* Denies because of missing source MAKE_REG and REFER. */
2666 	ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d3));
2667 	ASSERT_EQ(EXDEV, errno);
2668 }
2669 
2670 static void
2671 reparent_exdev_layers_enforce1(struct __test_metadata *const _metadata)
2672 {
2673 	const struct rule layer1[] = {
2674 		{
2675 			.path = dir_s1d2,
2676 			.access = LANDLOCK_ACCESS_FS_REFER,
2677 		},
2678 		{
2679 			/* Interesting for the layer2 tests. */
2680 			.path = dir_s1d3,
2681 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2682 		},
2683 		{
2684 			.path = dir_s2d2,
2685 			.access = LANDLOCK_ACCESS_FS_REFER,
2686 		},
2687 		{
2688 			.path = dir_s2d3,
2689 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,
2690 		},
2691 		{},
2692 	};
2693 	const int ruleset_fd = create_ruleset(
2694 		_metadata,
2695 		LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2696 
2697 	ASSERT_LE(0, ruleset_fd);
2698 	enforce_ruleset(_metadata, ruleset_fd);
2699 	ASSERT_EQ(0, close(ruleset_fd));
2700 }
2701 
2702 static void
2703 reparent_exdev_layers_enforce2(struct __test_metadata *const _metadata)
2704 {
2705 	const struct rule layer2[] = {
2706 		{
2707 			.path = dir_s2d3,
2708 			.access = LANDLOCK_ACCESS_FS_MAKE_DIR,
2709 		},
2710 		{},
2711 	};
2712 	/*
2713 	 * Same checks as before but with a second layer and a new MAKE_DIR
2714 	 * rule (and no explicit handling of REFER).
2715 	 */
2716 	const int ruleset_fd =
2717 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_DIR, layer2);
2718 
2719 	ASSERT_LE(0, ruleset_fd);
2720 	enforce_ruleset(_metadata, ruleset_fd);
2721 	ASSERT_EQ(0, close(ruleset_fd));
2722 }
2723 
2724 TEST_F_FORK(layout1, reparent_exdev_layers_rename1)
2725 {
2726 	ASSERT_EQ(0, unlink(file1_s2d2));
2727 	ASSERT_EQ(0, unlink(file1_s2d3));
2728 
2729 	reparent_exdev_layers_enforce1(_metadata);
2730 
2731 	/*
2732 	 * Moving the dir_s1d3 directory below dir_s2d2 is allowed by Landlock
2733 	 * because it doesn't inherit new access rights.
2734 	 */
2735 	ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
2736 	ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
2737 
2738 	/*
2739 	 * Moving the dir_s1d3 directory below dir_s2d3 is allowed, even if it
2740 	 * gets a new inherited access rights (MAKE_REG), because MAKE_REG is
2741 	 * already allowed for dir_s1d3.
2742 	 */
2743 	ASSERT_EQ(0, rename(dir_s1d3, file1_s2d3));
2744 	ASSERT_EQ(0, rename(file1_s2d3, dir_s1d3));
2745 
2746 	/*
2747 	 * However, moving the file1_s1d3 file below dir_s2d3 is allowed
2748 	 * because it cannot inherit MAKE_REG right (which is dedicated to
2749 	 * directories).
2750 	 */
2751 	ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2752 
2753 	reparent_exdev_layers_enforce2(_metadata);
2754 
2755 	/*
2756 	 * Moving the dir_s1d3 directory below dir_s2d2 is now denied because
2757 	 * MAKE_DIR is not tied to dir_s2d2.
2758 	 */
2759 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d2));
2760 	ASSERT_EQ(EACCES, errno);
2761 
2762 	/*
2763 	 * Moving the dir_s1d3 directory below dir_s2d3 is forbidden because it
2764 	 * would grants MAKE_REG and MAKE_DIR rights to it.
2765 	 */
2766 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
2767 	ASSERT_EQ(EXDEV, errno);
2768 
2769 	/*
2770 	 * Moving the file2_s1d3 file below dir_s2d3 is denied because the
2771 	 * second layer does not handle REFER, which is always denied by
2772 	 * default.
2773 	 */
2774 	ASSERT_EQ(-1, rename(file2_s1d3, file1_s2d3));
2775 	ASSERT_EQ(EXDEV, errno);
2776 }
2777 
2778 TEST_F_FORK(layout1, reparent_exdev_layers_rename2)
2779 {
2780 	reparent_exdev_layers_enforce1(_metadata);
2781 
2782 	/* Checks EACCES predominance over EXDEV. */
2783 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
2784 	ASSERT_EQ(EACCES, errno);
2785 	ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d2));
2786 	ASSERT_EQ(EACCES, errno);
2787 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
2788 	ASSERT_EQ(EXDEV, errno);
2789 	/* Modify layout! */
2790 	ASSERT_EQ(0, rename(file1_s1d2, file1_s2d3));
2791 
2792 	/* Without REFER source. */
2793 	ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
2794 	ASSERT_EQ(EXDEV, errno);
2795 	ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
2796 	ASSERT_EQ(EXDEV, errno);
2797 
2798 	reparent_exdev_layers_enforce2(_metadata);
2799 
2800 	/* Checks EACCES predominance over EXDEV. */
2801 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
2802 	ASSERT_EQ(EACCES, errno);
2803 	/* Checks with actual file2_s1d2. */
2804 	ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d2));
2805 	ASSERT_EQ(EACCES, errno);
2806 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
2807 	ASSERT_EQ(EXDEV, errno);
2808 	/*
2809 	 * Modifying the layout is now denied because the second layer does not
2810 	 * handle REFER, which is always denied by default.
2811 	 */
2812 	ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
2813 	ASSERT_EQ(EXDEV, errno);
2814 
2815 	/* Without REFER source, EACCES wins over EXDEV. */
2816 	ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
2817 	ASSERT_EQ(EACCES, errno);
2818 	ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
2819 	ASSERT_EQ(EACCES, errno);
2820 }
2821 
2822 TEST_F_FORK(layout1, reparent_exdev_layers_exchange1)
2823 {
2824 	const char *const dir_file1_s1d2 = file1_s1d2, *const dir_file2_s2d3 =
2825 							       file2_s2d3;
2826 
2827 	ASSERT_EQ(0, unlink(file1_s1d2));
2828 	ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
2829 	ASSERT_EQ(0, unlink(file2_s2d3));
2830 	ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2831 
2832 	reparent_exdev_layers_enforce1(_metadata);
2833 
2834 	/* Error predominance with file exchange: returns EXDEV and EACCES. */
2835 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
2836 				RENAME_EXCHANGE));
2837 	ASSERT_EQ(EACCES, errno);
2838 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
2839 				RENAME_EXCHANGE));
2840 	ASSERT_EQ(EACCES, errno);
2841 
2842 	/*
2843 	 * Checks with directories which creation could be allowed, but denied
2844 	 * because of access rights that would be inherited.
2845 	 */
2846 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
2847 				dir_file2_s2d3, RENAME_EXCHANGE));
2848 	ASSERT_EQ(EXDEV, errno);
2849 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
2850 				dir_file1_s1d2, RENAME_EXCHANGE));
2851 	ASSERT_EQ(EXDEV, errno);
2852 
2853 	/* Checks with same access rights. */
2854 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
2855 			       RENAME_EXCHANGE));
2856 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
2857 			       RENAME_EXCHANGE));
2858 
2859 	/* Checks with different (child-only) access rights. */
2860 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
2861 			       RENAME_EXCHANGE));
2862 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
2863 			       RENAME_EXCHANGE));
2864 
2865 	/*
2866 	 * Checks that exchange between file and directory are consistent.
2867 	 *
2868 	 * Moving a file (file1_s2d2) to a directory which only grants more
2869 	 * directory-related access rights is allowed, and at the same time
2870 	 * moving a directory (dir_file2_s2d3) to another directory which
2871 	 * grants less access rights is allowed too.
2872 	 *
2873 	 * See layout1.reparent_exdev_layers_exchange3 for inverted arguments.
2874 	 */
2875 	ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2876 			       RENAME_EXCHANGE));
2877 	/*
2878 	 * However, moving back the directory is denied because it would get
2879 	 * more access rights than the current state and because file creation
2880 	 * is forbidden (in dir_s2d2).
2881 	 */
2882 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2883 				RENAME_EXCHANGE));
2884 	ASSERT_EQ(EACCES, errno);
2885 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2886 				RENAME_EXCHANGE));
2887 	ASSERT_EQ(EACCES, errno);
2888 
2889 	reparent_exdev_layers_enforce2(_metadata);
2890 
2891 	/* Error predominance with file exchange: returns EXDEV and EACCES. */
2892 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
2893 				RENAME_EXCHANGE));
2894 	ASSERT_EQ(EACCES, errno);
2895 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
2896 				RENAME_EXCHANGE));
2897 	ASSERT_EQ(EACCES, errno);
2898 
2899 	/* Checks with directories which creation is now denied. */
2900 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
2901 				dir_file2_s2d3, RENAME_EXCHANGE));
2902 	ASSERT_EQ(EACCES, errno);
2903 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
2904 				dir_file1_s1d2, RENAME_EXCHANGE));
2905 	ASSERT_EQ(EACCES, errno);
2906 
2907 	/* Checks with different (child-only) access rights. */
2908 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
2909 				RENAME_EXCHANGE));
2910 	/* Denied because of MAKE_DIR. */
2911 	ASSERT_EQ(EACCES, errno);
2912 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
2913 				RENAME_EXCHANGE));
2914 	ASSERT_EQ(EACCES, errno);
2915 
2916 	/* Checks with different (child-only) access rights. */
2917 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
2918 				RENAME_EXCHANGE));
2919 	/* Denied because of MAKE_DIR. */
2920 	ASSERT_EQ(EACCES, errno);
2921 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
2922 				RENAME_EXCHANGE));
2923 	ASSERT_EQ(EACCES, errno);
2924 
2925 	/* See layout1.reparent_exdev_layers_exchange2 for complement. */
2926 }
2927 
2928 TEST_F_FORK(layout1, reparent_exdev_layers_exchange2)
2929 {
2930 	const char *const dir_file2_s2d3 = file2_s2d3;
2931 
2932 	ASSERT_EQ(0, unlink(file2_s2d3));
2933 	ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2934 
2935 	reparent_exdev_layers_enforce1(_metadata);
2936 	reparent_exdev_layers_enforce2(_metadata);
2937 
2938 	/* Checks that exchange between file and directory are consistent. */
2939 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2940 				RENAME_EXCHANGE));
2941 	ASSERT_EQ(EACCES, errno);
2942 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2943 				RENAME_EXCHANGE));
2944 	ASSERT_EQ(EACCES, errno);
2945 }
2946 
2947 TEST_F_FORK(layout1, reparent_exdev_layers_exchange3)
2948 {
2949 	const char *const dir_file2_s2d3 = file2_s2d3;
2950 
2951 	ASSERT_EQ(0, unlink(file2_s2d3));
2952 	ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2953 
2954 	reparent_exdev_layers_enforce1(_metadata);
2955 
2956 	/*
2957 	 * Checks that exchange between file and directory are consistent,
2958 	 * including with inverted arguments (see
2959 	 * layout1.reparent_exdev_layers_exchange1).
2960 	 */
2961 	ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2962 			       RENAME_EXCHANGE));
2963 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2964 				RENAME_EXCHANGE));
2965 	ASSERT_EQ(EACCES, errno);
2966 	ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2967 				RENAME_EXCHANGE));
2968 	ASSERT_EQ(EACCES, errno);
2969 }
2970 
2971 TEST_F_FORK(layout1, reparent_remove)
2972 {
2973 	const struct rule layer1[] = {
2974 		{
2975 			.path = dir_s1d1,
2976 			.access = LANDLOCK_ACCESS_FS_REFER |
2977 				  LANDLOCK_ACCESS_FS_REMOVE_DIR,
2978 		},
2979 		{
2980 			.path = dir_s1d2,
2981 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2982 		},
2983 		{
2984 			.path = dir_s2d1,
2985 			.access = LANDLOCK_ACCESS_FS_REFER |
2986 				  LANDLOCK_ACCESS_FS_REMOVE_FILE,
2987 		},
2988 		{},
2989 	};
2990 	const int ruleset_fd = create_ruleset(
2991 		_metadata,
2992 		LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_REMOVE_DIR |
2993 			LANDLOCK_ACCESS_FS_REMOVE_FILE,
2994 		layer1);
2995 
2996 	ASSERT_LE(0, ruleset_fd);
2997 	enforce_ruleset(_metadata, ruleset_fd);
2998 	ASSERT_EQ(0, close(ruleset_fd));
2999 
3000 	/* Access denied because of wrong/swapped remove file/dir. */
3001 	ASSERT_EQ(-1, rename(file1_s1d1, dir_s2d2));
3002 	ASSERT_EQ(EACCES, errno);
3003 	ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d1));
3004 	ASSERT_EQ(EACCES, errno);
3005 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d2,
3006 				RENAME_EXCHANGE));
3007 	ASSERT_EQ(EACCES, errno);
3008 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d3,
3009 				RENAME_EXCHANGE));
3010 	ASSERT_EQ(EACCES, errno);
3011 
3012 	/* Access allowed thanks to the matching rights. */
3013 	ASSERT_EQ(-1, rename(file1_s2d1, dir_s1d2));
3014 	ASSERT_EQ(EISDIR, errno);
3015 	ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d1));
3016 	ASSERT_EQ(ENOTDIR, errno);
3017 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
3018 	ASSERT_EQ(ENOTDIR, errno);
3019 	ASSERT_EQ(0, unlink(file1_s2d1));
3020 	ASSERT_EQ(0, unlink(file1_s1d3));
3021 	ASSERT_EQ(0, unlink(file2_s1d3));
3022 	ASSERT_EQ(0, rename(dir_s1d3, file1_s2d1));
3023 
3024 	/* Effectively removes a file and a directory by exchanging them. */
3025 	ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
3026 	ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
3027 			       RENAME_EXCHANGE));
3028 	ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
3029 				RENAME_EXCHANGE));
3030 	ASSERT_EQ(EACCES, errno);
3031 }
3032 
3033 TEST_F_FORK(layout1, reparent_dom_superset)
3034 {
3035 	const struct rule layer1[] = {
3036 		{
3037 			.path = dir_s1d2,
3038 			.access = LANDLOCK_ACCESS_FS_REFER,
3039 		},
3040 		{
3041 			.path = file1_s1d2,
3042 			.access = LANDLOCK_ACCESS_FS_EXECUTE,
3043 		},
3044 		{
3045 			.path = dir_s1d3,
3046 			.access = LANDLOCK_ACCESS_FS_MAKE_SOCK |
3047 				  LANDLOCK_ACCESS_FS_EXECUTE,
3048 		},
3049 		{
3050 			.path = dir_s2d2,
3051 			.access = LANDLOCK_ACCESS_FS_REFER |
3052 				  LANDLOCK_ACCESS_FS_EXECUTE |
3053 				  LANDLOCK_ACCESS_FS_MAKE_SOCK,
3054 		},
3055 		{
3056 			.path = dir_s2d3,
3057 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3058 				  LANDLOCK_ACCESS_FS_MAKE_FIFO,
3059 		},
3060 		{},
3061 	};
3062 	int ruleset_fd = create_ruleset(_metadata,
3063 					LANDLOCK_ACCESS_FS_REFER |
3064 						LANDLOCK_ACCESS_FS_EXECUTE |
3065 						LANDLOCK_ACCESS_FS_MAKE_SOCK |
3066 						LANDLOCK_ACCESS_FS_READ_FILE |
3067 						LANDLOCK_ACCESS_FS_MAKE_FIFO,
3068 					layer1);
3069 
3070 	ASSERT_LE(0, ruleset_fd);
3071 	enforce_ruleset(_metadata, ruleset_fd);
3072 	ASSERT_EQ(0, close(ruleset_fd));
3073 
3074 	ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d1));
3075 	ASSERT_EQ(EXDEV, errno);
3076 	/*
3077 	 * Moving file1_s1d2 beneath dir_s2d3 would grant it the READ_FILE
3078 	 * access right.
3079 	 */
3080 	ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d3));
3081 	ASSERT_EQ(EXDEV, errno);
3082 	/*
3083 	 * Moving file1_s1d2 should be allowed even if dir_s2d2 grants a
3084 	 * superset of access rights compared to dir_s1d2, because file1_s1d2
3085 	 * already has these access rights anyway.
3086 	 */
3087 	ASSERT_EQ(0, rename(file1_s1d2, file1_s2d2));
3088 	ASSERT_EQ(0, rename(file1_s2d2, file1_s1d2));
3089 
3090 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
3091 	ASSERT_EQ(EXDEV, errno);
3092 	/*
3093 	 * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access
3094 	 * right.
3095 	 */
3096 	ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
3097 	ASSERT_EQ(EXDEV, errno);
3098 	/*
3099 	 * Moving dir_s1d3 should be allowed even if dir_s2d2 grants a superset
3100 	 * of access rights compared to dir_s1d2, because dir_s1d3 already has
3101 	 * these access rights anyway.
3102 	 */
3103 	ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
3104 	ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
3105 
3106 	/*
3107 	 * Moving file1_s2d3 beneath dir_s1d2 is allowed, but moving it back
3108 	 * will be denied because the new inherited access rights from dir_s1d2
3109 	 * will be less than the destination (original) dir_s2d3.  This is a
3110 	 * sinkhole scenario where we cannot move back files or directories.
3111 	 */
3112 	ASSERT_EQ(0, rename(file1_s2d3, file2_s1d2));
3113 	ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
3114 	ASSERT_EQ(EXDEV, errno);
3115 	ASSERT_EQ(0, unlink(file2_s1d2));
3116 	ASSERT_EQ(0, unlink(file2_s2d3));
3117 	/*
3118 	 * Checks similar directory one-way move: dir_s2d3 loses EXECUTE and
3119 	 * MAKE_SOCK which were inherited from dir_s1d3.
3120 	 */
3121 	ASSERT_EQ(0, rename(dir_s2d3, file2_s1d2));
3122 	ASSERT_EQ(-1, rename(file2_s1d2, dir_s2d3));
3123 	ASSERT_EQ(EXDEV, errno);
3124 }
3125 
3126 TEST_F_FORK(layout1, remove_dir)
3127 {
3128 	const struct rule rules[] = {
3129 		{
3130 			.path = dir_s1d2,
3131 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
3132 		},
3133 		{},
3134 	};
3135 	const int ruleset_fd =
3136 		create_ruleset(_metadata, rules[0].access, rules);
3137 
3138 	ASSERT_LE(0, ruleset_fd);
3139 
3140 	ASSERT_EQ(0, unlink(file1_s1d1));
3141 	ASSERT_EQ(0, unlink(file1_s1d2));
3142 	ASSERT_EQ(0, unlink(file1_s1d3));
3143 	ASSERT_EQ(0, unlink(file2_s1d3));
3144 
3145 	enforce_ruleset(_metadata, ruleset_fd);
3146 	ASSERT_EQ(0, close(ruleset_fd));
3147 
3148 	ASSERT_EQ(0, rmdir(dir_s1d3));
3149 	ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
3150 	ASSERT_EQ(0, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR));
3151 
3152 	/* dir_s1d2 itself cannot be removed. */
3153 	ASSERT_EQ(-1, rmdir(dir_s1d2));
3154 	ASSERT_EQ(EACCES, errno);
3155 	ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d2, AT_REMOVEDIR));
3156 	ASSERT_EQ(EACCES, errno);
3157 	ASSERT_EQ(-1, rmdir(dir_s1d1));
3158 	ASSERT_EQ(EACCES, errno);
3159 	ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d1, AT_REMOVEDIR));
3160 	ASSERT_EQ(EACCES, errno);
3161 }
3162 
3163 TEST_F_FORK(layout1, remove_file)
3164 {
3165 	const struct rule rules[] = {
3166 		{
3167 			.path = dir_s1d2,
3168 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
3169 		},
3170 		{},
3171 	};
3172 	const int ruleset_fd =
3173 		create_ruleset(_metadata, rules[0].access, rules);
3174 
3175 	ASSERT_LE(0, ruleset_fd);
3176 	enforce_ruleset(_metadata, ruleset_fd);
3177 	ASSERT_EQ(0, close(ruleset_fd));
3178 
3179 	ASSERT_EQ(-1, unlink(file1_s1d1));
3180 	ASSERT_EQ(EACCES, errno);
3181 	ASSERT_EQ(-1, unlinkat(AT_FDCWD, file1_s1d1, 0));
3182 	ASSERT_EQ(EACCES, errno);
3183 	ASSERT_EQ(0, unlink(file1_s1d2));
3184 	ASSERT_EQ(0, unlinkat(AT_FDCWD, file1_s1d3, 0));
3185 }
3186 
3187 static void test_make_file(struct __test_metadata *const _metadata,
3188 			   const __u64 access, const mode_t mode,
3189 			   const dev_t dev)
3190 {
3191 	const struct rule rules[] = {
3192 		{
3193 			.path = dir_s1d2,
3194 			.access = access,
3195 		},
3196 		{},
3197 	};
3198 	const int ruleset_fd = create_ruleset(_metadata, access, rules);
3199 
3200 	ASSERT_LE(0, ruleset_fd);
3201 
3202 	ASSERT_EQ(0, unlink(file1_s1d1));
3203 	ASSERT_EQ(0, unlink(file2_s1d1));
3204 	ASSERT_EQ(0, mknod(file2_s1d1, mode | 0400, dev))
3205 	{
3206 		TH_LOG("Failed to make file \"%s\": %s", file2_s1d1,
3207 		       strerror(errno));
3208 	};
3209 
3210 	ASSERT_EQ(0, unlink(file1_s1d2));
3211 	ASSERT_EQ(0, unlink(file2_s1d2));
3212 
3213 	ASSERT_EQ(0, unlink(file1_s1d3));
3214 	ASSERT_EQ(0, unlink(file2_s1d3));
3215 
3216 	enforce_ruleset(_metadata, ruleset_fd);
3217 	ASSERT_EQ(0, close(ruleset_fd));
3218 
3219 	ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev));
3220 	ASSERT_EQ(EACCES, errno);
3221 	ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
3222 	ASSERT_EQ(EACCES, errno);
3223 	ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
3224 	ASSERT_EQ(EACCES, errno);
3225 
3226 	ASSERT_EQ(0, mknod(file1_s1d2, mode | 0400, dev))
3227 	{
3228 		TH_LOG("Failed to make file \"%s\": %s", file1_s1d2,
3229 		       strerror(errno));
3230 	};
3231 	ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
3232 	ASSERT_EQ(0, unlink(file2_s1d2));
3233 	ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
3234 
3235 	ASSERT_EQ(0, mknod(file1_s1d3, mode | 0400, dev));
3236 	ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
3237 	ASSERT_EQ(0, unlink(file2_s1d3));
3238 	ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
3239 }
3240 
3241 TEST_F_FORK(layout1, make_char)
3242 {
3243 	/* Creates a /dev/null device. */
3244 	set_cap(_metadata, CAP_MKNOD);
3245 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR,
3246 		       makedev(1, 3));
3247 }
3248 
3249 TEST_F_FORK(layout1, make_block)
3250 {
3251 	/* Creates a /dev/loop0 device. */
3252 	set_cap(_metadata, CAP_MKNOD);
3253 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK,
3254 		       makedev(7, 0));
3255 }
3256 
3257 TEST_F_FORK(layout1, make_reg_1)
3258 {
3259 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0);
3260 }
3261 
3262 TEST_F_FORK(layout1, make_reg_2)
3263 {
3264 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, 0, 0);
3265 }
3266 
3267 TEST_F_FORK(layout1, make_sock)
3268 {
3269 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0);
3270 }
3271 
3272 TEST_F_FORK(layout1, make_fifo)
3273 {
3274 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0);
3275 }
3276 
3277 TEST_F_FORK(layout1, make_sym)
3278 {
3279 	const struct rule rules[] = {
3280 		{
3281 			.path = dir_s1d2,
3282 			.access = LANDLOCK_ACCESS_FS_MAKE_SYM,
3283 		},
3284 		{},
3285 	};
3286 	const int ruleset_fd =
3287 		create_ruleset(_metadata, rules[0].access, rules);
3288 
3289 	ASSERT_LE(0, ruleset_fd);
3290 
3291 	ASSERT_EQ(0, unlink(file1_s1d1));
3292 	ASSERT_EQ(0, unlink(file2_s1d1));
3293 	ASSERT_EQ(0, symlink("none", file2_s1d1));
3294 
3295 	ASSERT_EQ(0, unlink(file1_s1d2));
3296 	ASSERT_EQ(0, unlink(file2_s1d2));
3297 
3298 	ASSERT_EQ(0, unlink(file1_s1d3));
3299 	ASSERT_EQ(0, unlink(file2_s1d3));
3300 
3301 	enforce_ruleset(_metadata, ruleset_fd);
3302 	ASSERT_EQ(0, close(ruleset_fd));
3303 
3304 	ASSERT_EQ(-1, symlink("none", file1_s1d1));
3305 	ASSERT_EQ(EACCES, errno);
3306 	ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
3307 	ASSERT_EQ(EACCES, errno);
3308 	ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
3309 	ASSERT_EQ(EACCES, errno);
3310 
3311 	ASSERT_EQ(0, symlink("none", file1_s1d2));
3312 	ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
3313 	ASSERT_EQ(0, unlink(file2_s1d2));
3314 	ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
3315 
3316 	ASSERT_EQ(0, symlink("none", file1_s1d3));
3317 	ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
3318 	ASSERT_EQ(0, unlink(file2_s1d3));
3319 	ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
3320 }
3321 
3322 TEST_F_FORK(layout1, make_dir)
3323 {
3324 	const struct rule rules[] = {
3325 		{
3326 			.path = dir_s1d2,
3327 			.access = LANDLOCK_ACCESS_FS_MAKE_DIR,
3328 		},
3329 		{},
3330 	};
3331 	const int ruleset_fd =
3332 		create_ruleset(_metadata, rules[0].access, rules);
3333 
3334 	ASSERT_LE(0, ruleset_fd);
3335 
3336 	ASSERT_EQ(0, unlink(file1_s1d1));
3337 	ASSERT_EQ(0, unlink(file1_s1d2));
3338 	ASSERT_EQ(0, unlink(file1_s1d3));
3339 
3340 	enforce_ruleset(_metadata, ruleset_fd);
3341 	ASSERT_EQ(0, close(ruleset_fd));
3342 
3343 	/* Uses file_* as directory names. */
3344 	ASSERT_EQ(-1, mkdir(file1_s1d1, 0700));
3345 	ASSERT_EQ(EACCES, errno);
3346 	ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
3347 	ASSERT_EQ(0, mkdir(file1_s1d3, 0700));
3348 }
3349 
3350 static int open_proc_fd(struct __test_metadata *const _metadata, const int fd,
3351 			const int open_flags)
3352 {
3353 	static const char path_template[] = "/proc/self/fd/%d";
3354 	char procfd_path[sizeof(path_template) + 10];
3355 	const int procfd_path_size =
3356 		snprintf(procfd_path, sizeof(procfd_path), path_template, fd);
3357 
3358 	ASSERT_LT(procfd_path_size, sizeof(procfd_path));
3359 	return open(procfd_path, open_flags);
3360 }
3361 
3362 TEST_F_FORK(layout1, proc_unlinked_file)
3363 {
3364 	const struct rule rules[] = {
3365 		{
3366 			.path = file1_s1d2,
3367 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3368 		},
3369 		{},
3370 	};
3371 	int reg_fd, proc_fd;
3372 	const int ruleset_fd = create_ruleset(
3373 		_metadata,
3374 		LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE,
3375 		rules);
3376 
3377 	ASSERT_LE(0, ruleset_fd);
3378 	enforce_ruleset(_metadata, ruleset_fd);
3379 	ASSERT_EQ(0, close(ruleset_fd));
3380 
3381 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
3382 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
3383 	reg_fd = open(file1_s1d2, O_RDONLY | O_CLOEXEC);
3384 	ASSERT_LE(0, reg_fd);
3385 	ASSERT_EQ(0, unlink(file1_s1d2));
3386 
3387 	proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC);
3388 	ASSERT_LE(0, proc_fd);
3389 	ASSERT_EQ(0, close(proc_fd));
3390 
3391 	proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC);
3392 	ASSERT_EQ(-1, proc_fd)
3393 	{
3394 		TH_LOG("Successfully opened /proc/self/fd/%d: %s", reg_fd,
3395 		       strerror(errno));
3396 	}
3397 	ASSERT_EQ(EACCES, errno);
3398 
3399 	ASSERT_EQ(0, close(reg_fd));
3400 }
3401 
3402 TEST_F_FORK(layout1, proc_pipe)
3403 {
3404 	int proc_fd;
3405 	int pipe_fds[2];
3406 	char buf = '\0';
3407 	const struct rule rules[] = {
3408 		{
3409 			.path = dir_s1d2,
3410 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3411 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
3412 		},
3413 		{},
3414 	};
3415 	/* Limits read and write access to files tied to the filesystem. */
3416 	const int ruleset_fd =
3417 		create_ruleset(_metadata, rules[0].access, rules);
3418 
3419 	ASSERT_LE(0, ruleset_fd);
3420 	enforce_ruleset(_metadata, ruleset_fd);
3421 	ASSERT_EQ(0, close(ruleset_fd));
3422 
3423 	/* Checks enforcement for normal files. */
3424 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
3425 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
3426 
3427 	/* Checks access to pipes through FD. */
3428 	ASSERT_EQ(0, pipe2(pipe_fds, O_CLOEXEC));
3429 	ASSERT_EQ(1, write(pipe_fds[1], ".", 1))
3430 	{
3431 		TH_LOG("Failed to write in pipe: %s", strerror(errno));
3432 	}
3433 	ASSERT_EQ(1, read(pipe_fds[0], &buf, 1));
3434 	ASSERT_EQ('.', buf);
3435 
3436 	/* Checks write access to pipe through /proc/self/fd . */
3437 	proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC);
3438 	ASSERT_LE(0, proc_fd);
3439 	ASSERT_EQ(1, write(proc_fd, ".", 1))
3440 	{
3441 		TH_LOG("Failed to write through /proc/self/fd/%d: %s",
3442 		       pipe_fds[1], strerror(errno));
3443 	}
3444 	ASSERT_EQ(0, close(proc_fd));
3445 
3446 	/* Checks read access to pipe through /proc/self/fd . */
3447 	proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC);
3448 	ASSERT_LE(0, proc_fd);
3449 	buf = '\0';
3450 	ASSERT_EQ(1, read(proc_fd, &buf, 1))
3451 	{
3452 		TH_LOG("Failed to read through /proc/self/fd/%d: %s",
3453 		       pipe_fds[1], strerror(errno));
3454 	}
3455 	ASSERT_EQ(0, close(proc_fd));
3456 
3457 	ASSERT_EQ(0, close(pipe_fds[0]));
3458 	ASSERT_EQ(0, close(pipe_fds[1]));
3459 }
3460 
3461 /* Invokes truncate(2) and returns its errno or 0. */
3462 static int test_truncate(const char *const path)
3463 {
3464 	if (truncate(path, 10) < 0)
3465 		return errno;
3466 	return 0;
3467 }
3468 
3469 /*
3470  * Invokes creat(2) and returns its errno or 0.
3471  * Closes the opened file descriptor on success.
3472  */
3473 static int test_creat(const char *const path)
3474 {
3475 	int fd = creat(path, 0600);
3476 
3477 	if (fd < 0)
3478 		return errno;
3479 
3480 	/*
3481 	 * Mixing error codes from close(2) and creat(2) should not lead to any
3482 	 * (access type) confusion for this test.
3483 	 */
3484 	if (close(fd) < 0)
3485 		return errno;
3486 	return 0;
3487 }
3488 
3489 /*
3490  * Exercises file truncation when it's not restricted,
3491  * as it was the case before LANDLOCK_ACCESS_FS_TRUNCATE existed.
3492  */
3493 TEST_F_FORK(layout1, truncate_unhandled)
3494 {
3495 	const char *const file_r = file1_s1d1;
3496 	const char *const file_w = file2_s1d1;
3497 	const char *const file_none = file1_s1d2;
3498 	const struct rule rules[] = {
3499 		{
3500 			.path = file_r,
3501 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
3502 		},
3503 		{
3504 			.path = file_w,
3505 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3506 		},
3507 		/* Implicitly: No rights for file_none. */
3508 		{},
3509 	};
3510 
3511 	const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE |
3512 			      LANDLOCK_ACCESS_FS_WRITE_FILE;
3513 	int ruleset_fd;
3514 
3515 	/* Enables Landlock. */
3516 	ruleset_fd = create_ruleset(_metadata, handled, rules);
3517 
3518 	ASSERT_LE(0, ruleset_fd);
3519 	enforce_ruleset(_metadata, ruleset_fd);
3520 	ASSERT_EQ(0, close(ruleset_fd));
3521 
3522 	/*
3523 	 * Checks read right: truncate and open with O_TRUNC work, unless the
3524 	 * file is attempted to be opened for writing.
3525 	 */
3526 	EXPECT_EQ(0, test_truncate(file_r));
3527 	EXPECT_EQ(0, test_open(file_r, O_RDONLY | O_TRUNC));
3528 	EXPECT_EQ(EACCES, test_open(file_r, O_WRONLY | O_TRUNC));
3529 	EXPECT_EQ(EACCES, test_creat(file_r));
3530 
3531 	/*
3532 	 * Checks write right: truncate and open with O_TRUNC work, unless the
3533 	 * file is attempted to be opened for reading.
3534 	 */
3535 	EXPECT_EQ(0, test_truncate(file_w));
3536 	EXPECT_EQ(EACCES, test_open(file_w, O_RDONLY | O_TRUNC));
3537 	EXPECT_EQ(0, test_open(file_w, O_WRONLY | O_TRUNC));
3538 	EXPECT_EQ(0, test_creat(file_w));
3539 
3540 	/*
3541 	 * Checks "no rights" case: truncate works but all open attempts fail,
3542 	 * including creat.
3543 	 */
3544 	EXPECT_EQ(0, test_truncate(file_none));
3545 	EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC));
3546 	EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC));
3547 	EXPECT_EQ(EACCES, test_creat(file_none));
3548 }
3549 
3550 TEST_F_FORK(layout1, truncate)
3551 {
3552 	const char *const file_rwt = file1_s1d1;
3553 	const char *const file_rw = file2_s1d1;
3554 	const char *const file_rt = file1_s1d2;
3555 	const char *const file_t = file2_s1d2;
3556 	const char *const file_none = file1_s1d3;
3557 	const char *const dir_t = dir_s2d1;
3558 	const char *const file_in_dir_t = file1_s2d1;
3559 	const char *const dir_w = dir_s3d1;
3560 	const char *const file_in_dir_w = file1_s3d1;
3561 	const struct rule rules[] = {
3562 		{
3563 			.path = file_rwt,
3564 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3565 				  LANDLOCK_ACCESS_FS_WRITE_FILE |
3566 				  LANDLOCK_ACCESS_FS_TRUNCATE,
3567 		},
3568 		{
3569 			.path = file_rw,
3570 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3571 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
3572 		},
3573 		{
3574 			.path = file_rt,
3575 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
3576 				  LANDLOCK_ACCESS_FS_TRUNCATE,
3577 		},
3578 		{
3579 			.path = file_t,
3580 			.access = LANDLOCK_ACCESS_FS_TRUNCATE,
3581 		},
3582 		/* Implicitly: No access rights for file_none. */
3583 		{
3584 			.path = dir_t,
3585 			.access = LANDLOCK_ACCESS_FS_TRUNCATE,
3586 		},
3587 		{
3588 			.path = dir_w,
3589 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3590 		},
3591 		{},
3592 	};
3593 	const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE |
3594 			      LANDLOCK_ACCESS_FS_WRITE_FILE |
3595 			      LANDLOCK_ACCESS_FS_TRUNCATE;
3596 	int ruleset_fd;
3597 
3598 	/* Enables Landlock. */
3599 	ruleset_fd = create_ruleset(_metadata, handled, rules);
3600 
3601 	ASSERT_LE(0, ruleset_fd);
3602 	enforce_ruleset(_metadata, ruleset_fd);
3603 	ASSERT_EQ(0, close(ruleset_fd));
3604 
3605 	/* Checks read, write and truncate rights: truncation works. */
3606 	EXPECT_EQ(0, test_truncate(file_rwt));
3607 	EXPECT_EQ(0, test_open(file_rwt, O_RDONLY | O_TRUNC));
3608 	EXPECT_EQ(0, test_open(file_rwt, O_WRONLY | O_TRUNC));
3609 
3610 	/* Checks read and write rights: no truncate variant works. */
3611 	EXPECT_EQ(EACCES, test_truncate(file_rw));
3612 	EXPECT_EQ(EACCES, test_open(file_rw, O_RDONLY | O_TRUNC));
3613 	EXPECT_EQ(EACCES, test_open(file_rw, O_WRONLY | O_TRUNC));
3614 
3615 	/*
3616 	 * Checks read and truncate rights: truncation works.
3617 	 *
3618 	 * Note: Files can get truncated using open() even with O_RDONLY.
3619 	 */
3620 	EXPECT_EQ(0, test_truncate(file_rt));
3621 	EXPECT_EQ(0, test_open(file_rt, O_RDONLY | O_TRUNC));
3622 	EXPECT_EQ(EACCES, test_open(file_rt, O_WRONLY | O_TRUNC));
3623 
3624 	/* Checks truncate right: truncate works, but can't open file. */
3625 	EXPECT_EQ(0, test_truncate(file_t));
3626 	EXPECT_EQ(EACCES, test_open(file_t, O_RDONLY | O_TRUNC));
3627 	EXPECT_EQ(EACCES, test_open(file_t, O_WRONLY | O_TRUNC));
3628 
3629 	/* Checks "no rights" case: No form of truncation works. */
3630 	EXPECT_EQ(EACCES, test_truncate(file_none));
3631 	EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC));
3632 	EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC));
3633 
3634 	/*
3635 	 * Checks truncate right on directory: truncate works on contained
3636 	 * files.
3637 	 */
3638 	EXPECT_EQ(0, test_truncate(file_in_dir_t));
3639 	EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_RDONLY | O_TRUNC));
3640 	EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_WRONLY | O_TRUNC));
3641 
3642 	/*
3643 	 * Checks creat in dir_w: This requires the truncate right when
3644 	 * overwriting an existing file, but does not require it when the file
3645 	 * is new.
3646 	 */
3647 	EXPECT_EQ(EACCES, test_creat(file_in_dir_w));
3648 
3649 	ASSERT_EQ(0, unlink(file_in_dir_w));
3650 	EXPECT_EQ(0, test_creat(file_in_dir_w));
3651 }
3652 
3653 /* Invokes ftruncate(2) and returns its errno or 0. */
3654 static int test_ftruncate(int fd)
3655 {
3656 	if (ftruncate(fd, 10) < 0)
3657 		return errno;
3658 	return 0;
3659 }
3660 
3661 TEST_F_FORK(layout1, ftruncate)
3662 {
3663 	/*
3664 	 * This test opens a new file descriptor at different stages of
3665 	 * Landlock restriction:
3666 	 *
3667 	 * without restriction:                    ftruncate works
3668 	 * something else but truncate restricted: ftruncate works
3669 	 * truncate restricted and permitted:      ftruncate works
3670 	 * truncate restricted and not permitted:  ftruncate fails
3671 	 *
3672 	 * Whether this works or not is expected to depend on the time when the
3673 	 * FD was opened, not to depend on the time when ftruncate() was
3674 	 * called.
3675 	 */
3676 	const char *const path = file1_s1d1;
3677 	const __u64 handled1 = LANDLOCK_ACCESS_FS_READ_FILE |
3678 			       LANDLOCK_ACCESS_FS_WRITE_FILE;
3679 	const struct rule layer1[] = {
3680 		{
3681 			.path = path,
3682 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3683 		},
3684 		{},
3685 	};
3686 	const __u64 handled2 = LANDLOCK_ACCESS_FS_TRUNCATE;
3687 	const struct rule layer2[] = {
3688 		{
3689 			.path = path,
3690 			.access = LANDLOCK_ACCESS_FS_TRUNCATE,
3691 		},
3692 		{},
3693 	};
3694 	const __u64 handled3 = LANDLOCK_ACCESS_FS_TRUNCATE |
3695 			       LANDLOCK_ACCESS_FS_WRITE_FILE;
3696 	const struct rule layer3[] = {
3697 		{
3698 			.path = path,
3699 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3700 		},
3701 		{},
3702 	};
3703 	int fd_layer0, fd_layer1, fd_layer2, fd_layer3, ruleset_fd;
3704 
3705 	fd_layer0 = open(path, O_WRONLY);
3706 	EXPECT_EQ(0, test_ftruncate(fd_layer0));
3707 
3708 	ruleset_fd = create_ruleset(_metadata, handled1, layer1);
3709 	ASSERT_LE(0, ruleset_fd);
3710 	enforce_ruleset(_metadata, ruleset_fd);
3711 	ASSERT_EQ(0, close(ruleset_fd));
3712 
3713 	fd_layer1 = open(path, O_WRONLY);
3714 	EXPECT_EQ(0, test_ftruncate(fd_layer0));
3715 	EXPECT_EQ(0, test_ftruncate(fd_layer1));
3716 
3717 	ruleset_fd = create_ruleset(_metadata, handled2, layer2);
3718 	ASSERT_LE(0, ruleset_fd);
3719 	enforce_ruleset(_metadata, ruleset_fd);
3720 	ASSERT_EQ(0, close(ruleset_fd));
3721 
3722 	fd_layer2 = open(path, O_WRONLY);
3723 	EXPECT_EQ(0, test_ftruncate(fd_layer0));
3724 	EXPECT_EQ(0, test_ftruncate(fd_layer1));
3725 	EXPECT_EQ(0, test_ftruncate(fd_layer2));
3726 
3727 	ruleset_fd = create_ruleset(_metadata, handled3, layer3);
3728 	ASSERT_LE(0, ruleset_fd);
3729 	enforce_ruleset(_metadata, ruleset_fd);
3730 	ASSERT_EQ(0, close(ruleset_fd));
3731 
3732 	fd_layer3 = open(path, O_WRONLY);
3733 	EXPECT_EQ(0, test_ftruncate(fd_layer0));
3734 	EXPECT_EQ(0, test_ftruncate(fd_layer1));
3735 	EXPECT_EQ(0, test_ftruncate(fd_layer2));
3736 	EXPECT_EQ(EACCES, test_ftruncate(fd_layer3));
3737 
3738 	ASSERT_EQ(0, close(fd_layer0));
3739 	ASSERT_EQ(0, close(fd_layer1));
3740 	ASSERT_EQ(0, close(fd_layer2));
3741 	ASSERT_EQ(0, close(fd_layer3));
3742 }
3743 
3744 /* clang-format off */
3745 FIXTURE(ftruncate) {};
3746 /* clang-format on */
3747 
3748 FIXTURE_SETUP(ftruncate)
3749 {
3750 	prepare_layout(_metadata);
3751 	create_file(_metadata, file1_s1d1);
3752 }
3753 
3754 FIXTURE_TEARDOWN_PARENT(ftruncate)
3755 {
3756 	EXPECT_EQ(0, remove_path(file1_s1d1));
3757 	cleanup_layout(_metadata);
3758 }
3759 
3760 FIXTURE_VARIANT(ftruncate)
3761 {
3762 	const __u64 handled;
3763 	const __u64 allowed;
3764 	const int expected_open_result;
3765 	const int expected_ftruncate_result;
3766 };
3767 
3768 /* clang-format off */
3769 FIXTURE_VARIANT_ADD(ftruncate, w_w) {
3770 	/* clang-format on */
3771 	.handled = LANDLOCK_ACCESS_FS_WRITE_FILE,
3772 	.allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
3773 	.expected_open_result = 0,
3774 	.expected_ftruncate_result = 0,
3775 };
3776 
3777 /* clang-format off */
3778 FIXTURE_VARIANT_ADD(ftruncate, t_t) {
3779 	/* clang-format on */
3780 	.handled = LANDLOCK_ACCESS_FS_TRUNCATE,
3781 	.allowed = LANDLOCK_ACCESS_FS_TRUNCATE,
3782 	.expected_open_result = 0,
3783 	.expected_ftruncate_result = 0,
3784 };
3785 
3786 /* clang-format off */
3787 FIXTURE_VARIANT_ADD(ftruncate, wt_w) {
3788 	/* clang-format on */
3789 	.handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
3790 	.allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
3791 	.expected_open_result = 0,
3792 	.expected_ftruncate_result = EACCES,
3793 };
3794 
3795 /* clang-format off */
3796 FIXTURE_VARIANT_ADD(ftruncate, wt_wt) {
3797 	/* clang-format on */
3798 	.handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
3799 	.allowed = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
3800 	.expected_open_result = 0,
3801 	.expected_ftruncate_result = 0,
3802 };
3803 
3804 /* clang-format off */
3805 FIXTURE_VARIANT_ADD(ftruncate, wt_t) {
3806 	/* clang-format on */
3807 	.handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
3808 	.allowed = LANDLOCK_ACCESS_FS_TRUNCATE,
3809 	.expected_open_result = EACCES,
3810 };
3811 
3812 TEST_F_FORK(ftruncate, open_and_ftruncate)
3813 {
3814 	const char *const path = file1_s1d1;
3815 	const struct rule rules[] = {
3816 		{
3817 			.path = path,
3818 			.access = variant->allowed,
3819 		},
3820 		{},
3821 	};
3822 	int fd, ruleset_fd;
3823 
3824 	/* Enables Landlock. */
3825 	ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
3826 	ASSERT_LE(0, ruleset_fd);
3827 	enforce_ruleset(_metadata, ruleset_fd);
3828 	ASSERT_EQ(0, close(ruleset_fd));
3829 
3830 	fd = open(path, O_WRONLY);
3831 	EXPECT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0));
3832 	if (fd >= 0) {
3833 		EXPECT_EQ(variant->expected_ftruncate_result,
3834 			  test_ftruncate(fd));
3835 		ASSERT_EQ(0, close(fd));
3836 	}
3837 }
3838 
3839 TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes)
3840 {
3841 	int child, fd, status;
3842 	int socket_fds[2];
3843 
3844 	ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0,
3845 				socket_fds));
3846 
3847 	child = fork();
3848 	ASSERT_LE(0, child);
3849 	if (child == 0) {
3850 		/*
3851 		 * Enables Landlock in the child process, open a file descriptor
3852 		 * where truncation is forbidden and send it to the
3853 		 * non-landlocked parent process.
3854 		 */
3855 		const char *const path = file1_s1d1;
3856 		const struct rule rules[] = {
3857 			{
3858 				.path = path,
3859 				.access = variant->allowed,
3860 			},
3861 			{},
3862 		};
3863 		int fd, ruleset_fd;
3864 
3865 		ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
3866 		ASSERT_LE(0, ruleset_fd);
3867 		enforce_ruleset(_metadata, ruleset_fd);
3868 		ASSERT_EQ(0, close(ruleset_fd));
3869 
3870 		fd = open(path, O_WRONLY);
3871 		ASSERT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0));
3872 
3873 		if (fd >= 0) {
3874 			ASSERT_EQ(0, send_fd(socket_fds[0], fd));
3875 			ASSERT_EQ(0, close(fd));
3876 		}
3877 
3878 		ASSERT_EQ(0, close(socket_fds[0]));
3879 
3880 		_exit(_metadata->exit_code);
3881 		return;
3882 	}
3883 
3884 	if (variant->expected_open_result == 0) {
3885 		fd = recv_fd(socket_fds[1]);
3886 		ASSERT_LE(0, fd);
3887 
3888 		EXPECT_EQ(variant->expected_ftruncate_result,
3889 			  test_ftruncate(fd));
3890 		ASSERT_EQ(0, close(fd));
3891 	}
3892 
3893 	ASSERT_EQ(child, waitpid(child, &status, 0));
3894 	ASSERT_EQ(1, WIFEXITED(status));
3895 	ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
3896 
3897 	ASSERT_EQ(0, close(socket_fds[0]));
3898 	ASSERT_EQ(0, close(socket_fds[1]));
3899 }
3900 
3901 /* Invokes the FS_IOC_GETFLAGS IOCTL and returns its errno or 0. */
3902 static int test_fs_ioc_getflags_ioctl(int fd)
3903 {
3904 	uint32_t flags;
3905 
3906 	if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0)
3907 		return errno;
3908 	return 0;
3909 }
3910 
3911 TEST(memfd_ftruncate_and_ioctl)
3912 {
3913 	const struct landlock_ruleset_attr attr = {
3914 		.handled_access_fs = ACCESS_ALL,
3915 	};
3916 	int ruleset_fd, fd, i;
3917 
3918 	/*
3919 	 * We exercise the same test both with and without Landlock enabled, to
3920 	 * ensure that it behaves the same in both cases.
3921 	 */
3922 	for (i = 0; i < 2; i++) {
3923 		/* Creates a new memfd. */
3924 		fd = memfd_create("name", MFD_CLOEXEC);
3925 		ASSERT_LE(0, fd);
3926 
3927 		/*
3928 		 * Checks that operations associated with the opened file
3929 		 * (ftruncate, ioctl) are permitted on file descriptors that are
3930 		 * created in ways other than open(2).
3931 		 */
3932 		EXPECT_EQ(0, test_ftruncate(fd));
3933 		EXPECT_EQ(0, test_fs_ioc_getflags_ioctl(fd));
3934 
3935 		ASSERT_EQ(0, close(fd));
3936 
3937 		/* Enables Landlock. */
3938 		ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
3939 		ASSERT_LE(0, ruleset_fd);
3940 		enforce_ruleset(_metadata, ruleset_fd);
3941 		ASSERT_EQ(0, close(ruleset_fd));
3942 	}
3943 }
3944 
3945 static int test_fionread_ioctl(int fd)
3946 {
3947 	size_t sz = 0;
3948 
3949 	if (ioctl(fd, FIONREAD, &sz) < 0 && errno == EACCES)
3950 		return errno;
3951 	return 0;
3952 }
3953 
3954 TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl)
3955 {
3956 	const struct landlock_ruleset_attr attr = {
3957 		.handled_access_fs = ACCESS_ALL,
3958 	};
3959 	int ruleset_fd, fd;
3960 
3961 	/*
3962 	 * Checks that for files opened with O_PATH, both ioctl(2) and
3963 	 * ftruncate(2) yield EBADF, as it is documented in open(2) for the
3964 	 * O_PATH flag.
3965 	 */
3966 	fd = open(dir_s1d1, O_PATH | O_CLOEXEC);
3967 	ASSERT_LE(0, fd);
3968 
3969 	EXPECT_EQ(EBADF, test_ftruncate(fd));
3970 	EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd));
3971 
3972 	ASSERT_EQ(0, close(fd));
3973 
3974 	/* Enables Landlock. */
3975 	ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
3976 	ASSERT_LE(0, ruleset_fd);
3977 	enforce_ruleset(_metadata, ruleset_fd);
3978 	ASSERT_EQ(0, close(ruleset_fd));
3979 
3980 	/*
3981 	 * Checks that after enabling Landlock,
3982 	 * - the file can still be opened with O_PATH
3983 	 * - both ioctl and truncate still yield EBADF (not EACCES).
3984 	 */
3985 	fd = open(dir_s1d1, O_PATH | O_CLOEXEC);
3986 	ASSERT_LE(0, fd);
3987 
3988 	EXPECT_EQ(EBADF, test_ftruncate(fd));
3989 	EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd));
3990 
3991 	ASSERT_EQ(0, close(fd));
3992 }
3993 
3994 /*
3995  * ioctl_error - generically call the given ioctl with a pointer to a
3996  * sufficiently large zeroed-out memory region.
3997  *
3998  * Returns the IOCTLs error, or 0.
3999  */
4000 static int ioctl_error(struct __test_metadata *const _metadata, int fd,
4001 		       unsigned int cmd)
4002 {
4003 	char buf[128]; /* sufficiently large */
4004 	int res, stdinbak_fd;
4005 
4006 	/*
4007 	 * Depending on the IOCTL command, parts of the zeroed-out buffer might
4008 	 * be interpreted as file descriptor numbers.  We do not want to
4009 	 * accidentally operate on file descriptor 0 (stdin), so we temporarily
4010 	 * move stdin to a different FD and close FD 0 for the IOCTL call.
4011 	 */
4012 	stdinbak_fd = dup(0);
4013 	ASSERT_LT(0, stdinbak_fd);
4014 	ASSERT_EQ(0, close(0));
4015 
4016 	/* Invokes the IOCTL with a zeroed-out buffer. */
4017 	bzero(&buf, sizeof(buf));
4018 	res = ioctl(fd, cmd, &buf);
4019 
4020 	/* Restores the old FD 0 and closes the backup FD. */
4021 	ASSERT_EQ(0, dup2(stdinbak_fd, 0));
4022 	ASSERT_EQ(0, close(stdinbak_fd));
4023 
4024 	if (res < 0)
4025 		return errno;
4026 
4027 	return 0;
4028 }
4029 
4030 /* Define some linux/falloc.h IOCTL commands which are not available in uapi headers. */
4031 struct space_resv {
4032 	__s16 l_type;
4033 	__s16 l_whence;
4034 	__s64 l_start;
4035 	__s64 l_len; /* len == 0 means until end of file */
4036 	__s32 l_sysid;
4037 	__u32 l_pid;
4038 	__s32 l_pad[4]; /* reserved area */
4039 };
4040 
4041 #define FS_IOC_RESVSP _IOW('X', 40, struct space_resv)
4042 #define FS_IOC_UNRESVSP _IOW('X', 41, struct space_resv)
4043 #define FS_IOC_RESVSP64 _IOW('X', 42, struct space_resv)
4044 #define FS_IOC_UNRESVSP64 _IOW('X', 43, struct space_resv)
4045 #define FS_IOC_ZERO_RANGE _IOW('X', 57, struct space_resv)
4046 
4047 /*
4048  * Tests a series of blanket-permitted and denied IOCTLs.
4049  */
4050 TEST_F_FORK(layout1, blanket_permitted_ioctls)
4051 {
4052 	const struct landlock_ruleset_attr attr = {
4053 		.handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
4054 	};
4055 	int ruleset_fd, fd;
4056 
4057 	/* Enables Landlock. */
4058 	ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
4059 	ASSERT_LE(0, ruleset_fd);
4060 	enforce_ruleset(_metadata, ruleset_fd);
4061 	ASSERT_EQ(0, close(ruleset_fd));
4062 
4063 	fd = open("/dev/null", O_RDWR | O_CLOEXEC);
4064 	ASSERT_LE(0, fd);
4065 
4066 	/*
4067 	 * Checks permitted commands.
4068 	 * These ones may return errors, but should not be blocked by Landlock.
4069 	 */
4070 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOCLEX));
4071 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIONCLEX));
4072 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIONBIO));
4073 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOASYNC));
4074 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOQSIZE));
4075 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIFREEZE));
4076 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FITHAW));
4077 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_FIEMAP));
4078 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIGETBSZ));
4079 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FICLONE));
4080 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FICLONERANGE));
4081 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIDEDUPERANGE));
4082 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFSUUID));
4083 	EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFSSYSFSPATH));
4084 
4085 	/*
4086 	 * Checks blocked commands.
4087 	 * A call to a blocked IOCTL command always returns EACCES.
4088 	 */
4089 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIONREAD));
4090 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFLAGS));
4091 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_SETFLAGS));
4092 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_FSGETXATTR));
4093 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_FSSETXATTR));
4094 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIBMAP));
4095 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_RESVSP));
4096 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_RESVSP64));
4097 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_UNRESVSP));
4098 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_UNRESVSP64));
4099 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_ZERO_RANGE));
4100 
4101 	/* Default case is also blocked. */
4102 	EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, 0xc00ffeee));
4103 
4104 	ASSERT_EQ(0, close(fd));
4105 }
4106 
4107 /*
4108  * Named pipes are not governed by the LANDLOCK_ACCESS_FS_IOCTL_DEV right,
4109  * because they are not character or block devices.
4110  */
4111 TEST_F_FORK(layout1, named_pipe_ioctl)
4112 {
4113 	pid_t child_pid;
4114 	int fd, ruleset_fd;
4115 	const char *const path = file1_s1d1;
4116 	const struct landlock_ruleset_attr attr = {
4117 		.handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
4118 	};
4119 
4120 	ASSERT_EQ(0, unlink(path));
4121 	ASSERT_EQ(0, mkfifo(path, 0600));
4122 
4123 	/* Enables Landlock. */
4124 	ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
4125 	ASSERT_LE(0, ruleset_fd);
4126 	enforce_ruleset(_metadata, ruleset_fd);
4127 	ASSERT_EQ(0, close(ruleset_fd));
4128 
4129 	/* The child process opens the pipe for writing. */
4130 	child_pid = fork();
4131 	ASSERT_NE(-1, child_pid);
4132 	if (child_pid == 0) {
4133 		fd = open(path, O_WRONLY);
4134 		close(fd);
4135 		exit(0);
4136 	}
4137 
4138 	fd = open(path, O_RDONLY);
4139 	ASSERT_LE(0, fd);
4140 
4141 	/* FIONREAD is implemented by pipefifo_fops. */
4142 	EXPECT_EQ(0, test_fionread_ioctl(fd));
4143 
4144 	ASSERT_EQ(0, close(fd));
4145 	ASSERT_EQ(0, unlink(path));
4146 
4147 	ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0));
4148 }
4149 
4150 /* For named UNIX domain sockets, no IOCTL restrictions apply. */
4151 TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
4152 {
4153 	const char *const path = file1_s1d1;
4154 	int srv_fd, cli_fd, ruleset_fd;
4155 	socklen_t size;
4156 	struct sockaddr_un srv_un, cli_un;
4157 	const struct landlock_ruleset_attr attr = {
4158 		.handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
4159 	};
4160 
4161 	/* Sets up a server */
4162 	srv_un.sun_family = AF_UNIX;
4163 	strncpy(srv_un.sun_path, path, sizeof(srv_un.sun_path));
4164 
4165 	ASSERT_EQ(0, unlink(path));
4166 	srv_fd = socket(AF_UNIX, SOCK_STREAM, 0);
4167 	ASSERT_LE(0, srv_fd);
4168 
4169 	size = offsetof(struct sockaddr_un, sun_path) + strlen(srv_un.sun_path);
4170 	ASSERT_EQ(0, bind(srv_fd, (struct sockaddr *)&srv_un, size));
4171 	ASSERT_EQ(0, listen(srv_fd, 10 /* qlen */));
4172 
4173 	/* Enables Landlock. */
4174 	ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
4175 	ASSERT_LE(0, ruleset_fd);
4176 	enforce_ruleset(_metadata, ruleset_fd);
4177 	ASSERT_EQ(0, close(ruleset_fd));
4178 
4179 	/* Sets up a client connection to it */
4180 	cli_un.sun_family = AF_UNIX;
4181 	cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
4182 	ASSERT_LE(0, cli_fd);
4183 
4184 	size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path);
4185 	ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size));
4186 
4187 	bzero(&cli_un, sizeof(cli_un));
4188 	cli_un.sun_family = AF_UNIX;
4189 	strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path));
4190 	size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path);
4191 
4192 	ASSERT_EQ(0, connect(cli_fd, (struct sockaddr *)&cli_un, size));
4193 
4194 	/* FIONREAD and other IOCTLs should not be forbidden. */
4195 	EXPECT_EQ(0, test_fionread_ioctl(cli_fd));
4196 
4197 	ASSERT_EQ(0, close(cli_fd));
4198 }
4199 
4200 /* clang-format off */
4201 FIXTURE(ioctl) {};
4202 
4203 FIXTURE_SETUP(ioctl) {};
4204 
4205 FIXTURE_TEARDOWN(ioctl) {};
4206 /* clang-format on */
4207 
4208 FIXTURE_VARIANT(ioctl)
4209 {
4210 	const __u64 handled;
4211 	const __u64 allowed;
4212 	const mode_t open_mode;
4213 	/*
4214 	 * FIONREAD is used as a characteristic device-specific IOCTL command.
4215 	 * It is implemented in fs/ioctl.c for regular files,
4216 	 * but we do not blanket-permit it for devices.
4217 	 */
4218 	const int expected_fionread_result;
4219 };
4220 
4221 /* clang-format off */
4222 FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_none) {
4223 	/* clang-format on */
4224 	.handled = LANDLOCK_ACCESS_FS_IOCTL_DEV,
4225 	.allowed = 0,
4226 	.open_mode = O_RDWR,
4227 	.expected_fionread_result = EACCES,
4228 };
4229 
4230 /* clang-format off */
4231 FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_i) {
4232 	/* clang-format on */
4233 	.handled = LANDLOCK_ACCESS_FS_IOCTL_DEV,
4234 	.allowed = LANDLOCK_ACCESS_FS_IOCTL_DEV,
4235 	.open_mode = O_RDWR,
4236 	.expected_fionread_result = 0,
4237 };
4238 
4239 /* clang-format off */
4240 FIXTURE_VARIANT_ADD(ioctl, unhandled) {
4241 	/* clang-format on */
4242 	.handled = LANDLOCK_ACCESS_FS_EXECUTE,
4243 	.allowed = LANDLOCK_ACCESS_FS_EXECUTE,
4244 	.open_mode = O_RDWR,
4245 	.expected_fionread_result = 0,
4246 };
4247 
4248 TEST_F_FORK(ioctl, handle_dir_access_file)
4249 {
4250 	const int flag = 0;
4251 	const struct rule rules[] = {
4252 		{
4253 			.path = "/dev",
4254 			.access = variant->allowed,
4255 		},
4256 		{},
4257 	};
4258 	int file_fd, ruleset_fd;
4259 
4260 	/* Enables Landlock. */
4261 	ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
4262 	ASSERT_LE(0, ruleset_fd);
4263 	enforce_ruleset(_metadata, ruleset_fd);
4264 	ASSERT_EQ(0, close(ruleset_fd));
4265 
4266 	file_fd = open("/dev/zero", variant->open_mode);
4267 	ASSERT_LE(0, file_fd);
4268 
4269 	/* Checks that IOCTL commands return the expected errors. */
4270 	EXPECT_EQ(variant->expected_fionread_result,
4271 		  test_fionread_ioctl(file_fd));
4272 
4273 	/* Checks that unrestrictable commands are unrestricted. */
4274 	EXPECT_EQ(0, ioctl(file_fd, FIOCLEX));
4275 	EXPECT_EQ(0, ioctl(file_fd, FIONCLEX));
4276 	EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag));
4277 	EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag));
4278 	EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag));
4279 
4280 	ASSERT_EQ(0, close(file_fd));
4281 }
4282 
4283 TEST_F_FORK(ioctl, handle_dir_access_dir)
4284 {
4285 	const int flag = 0;
4286 	const struct rule rules[] = {
4287 		{
4288 			.path = "/dev",
4289 			.access = variant->allowed,
4290 		},
4291 		{},
4292 	};
4293 	int dir_fd, ruleset_fd;
4294 
4295 	/* Enables Landlock. */
4296 	ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
4297 	ASSERT_LE(0, ruleset_fd);
4298 	enforce_ruleset(_metadata, ruleset_fd);
4299 	ASSERT_EQ(0, close(ruleset_fd));
4300 
4301 	/*
4302 	 * Ignore variant->open_mode for this test, as we intend to open a
4303 	 * directory.  If the directory can not be opened, the variant is
4304 	 * infeasible to test with an opened directory.
4305 	 */
4306 	dir_fd = open("/dev", O_RDONLY);
4307 	if (dir_fd < 0)
4308 		return;
4309 
4310 	/*
4311 	 * Checks that IOCTL commands return the expected errors.
4312 	 * We do not use the expected values from the fixture here.
4313 	 *
4314 	 * When using IOCTL on a directory, no Landlock restrictions apply.
4315 	 */
4316 	EXPECT_EQ(0, test_fionread_ioctl(dir_fd));
4317 
4318 	/* Checks that unrestrictable commands are unrestricted. */
4319 	EXPECT_EQ(0, ioctl(dir_fd, FIOCLEX));
4320 	EXPECT_EQ(0, ioctl(dir_fd, FIONCLEX));
4321 	EXPECT_EQ(0, ioctl(dir_fd, FIONBIO, &flag));
4322 	EXPECT_EQ(0, ioctl(dir_fd, FIOASYNC, &flag));
4323 	EXPECT_EQ(0, ioctl(dir_fd, FIGETBSZ, &flag));
4324 
4325 	ASSERT_EQ(0, close(dir_fd));
4326 }
4327 
4328 TEST_F_FORK(ioctl, handle_file_access_file)
4329 {
4330 	const int flag = 0;
4331 	const struct rule rules[] = {
4332 		{
4333 			.path = "/dev/zero",
4334 			.access = variant->allowed,
4335 		},
4336 		{},
4337 	};
4338 	int file_fd, ruleset_fd;
4339 
4340 	/* Enables Landlock. */
4341 	ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
4342 	ASSERT_LE(0, ruleset_fd);
4343 	enforce_ruleset(_metadata, ruleset_fd);
4344 	ASSERT_EQ(0, close(ruleset_fd));
4345 
4346 	file_fd = open("/dev/zero", variant->open_mode);
4347 	ASSERT_LE(0, file_fd)
4348 	{
4349 		TH_LOG("Failed to open /dev/zero: %s", strerror(errno));
4350 	}
4351 
4352 	/* Checks that IOCTL commands return the expected errors. */
4353 	EXPECT_EQ(variant->expected_fionread_result,
4354 		  test_fionread_ioctl(file_fd));
4355 
4356 	/* Checks that unrestrictable commands are unrestricted. */
4357 	EXPECT_EQ(0, ioctl(file_fd, FIOCLEX));
4358 	EXPECT_EQ(0, ioctl(file_fd, FIONCLEX));
4359 	EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag));
4360 	EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag));
4361 	EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag));
4362 
4363 	ASSERT_EQ(0, close(file_fd));
4364 }
4365 
4366 /* clang-format off */
4367 FIXTURE(layout1_bind) {};
4368 /* clang-format on */
4369 
4370 FIXTURE_SETUP(layout1_bind)
4371 {
4372 	prepare_layout(_metadata);
4373 
4374 	create_layout1(_metadata);
4375 
4376 	set_cap(_metadata, CAP_SYS_ADMIN);
4377 	ASSERT_EQ(0, mount(dir_s1d2, dir_s2d2, NULL, MS_BIND, NULL));
4378 	clear_cap(_metadata, CAP_SYS_ADMIN);
4379 }
4380 
4381 FIXTURE_TEARDOWN_PARENT(layout1_bind)
4382 {
4383 	/* umount(dir_s2d2)) is handled by namespace lifetime. */
4384 
4385 	remove_layout1(_metadata);
4386 
4387 	cleanup_layout(_metadata);
4388 }
4389 
4390 static const char bind_dir_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3";
4391 static const char bind_file1_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3/f1";
4392 
4393 /*
4394  * layout1_bind hierarchy:
4395  *
4396  * tmp
4397  * ├── s1d1
4398  * │   ├── f1
4399  * │   ├── f2
4400  * │   └── s1d2
4401  * │       ├── f1
4402  * │       ├── f2
4403  * │       └── s1d3
4404  * │           ├── f1
4405  * │           └── f2
4406  * ├── s2d1
4407  * │   ├── f1
4408  * │   └── s2d2
4409  * │       ├── f1
4410  * │       ├── f2
4411  * │       └── s1d3
4412  * │           ├── f1
4413  * │           └── f2
4414  * └── s3d1
4415  *     └── s3d2
4416  *         └── s3d3
4417  */
4418 
4419 TEST_F_FORK(layout1_bind, no_restriction)
4420 {
4421 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
4422 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
4423 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
4424 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
4425 	ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
4426 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
4427 
4428 	ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
4429 	ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
4430 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
4431 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
4432 	ASSERT_EQ(ENOENT, test_open(dir_s2d3, O_RDONLY));
4433 	ASSERT_EQ(ENOENT, test_open(file1_s2d3, O_RDONLY));
4434 
4435 	ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY));
4436 	ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
4437 
4438 	ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
4439 }
4440 
4441 TEST_F_FORK(layout1_bind, same_content_same_file)
4442 {
4443 	/*
4444 	 * Sets access right on parent directories of both source and
4445 	 * destination mount points.
4446 	 */
4447 	const struct rule layer1_parent[] = {
4448 		{
4449 			.path = dir_s1d1,
4450 			.access = ACCESS_RO,
4451 		},
4452 		{
4453 			.path = dir_s2d1,
4454 			.access = ACCESS_RW,
4455 		},
4456 		{},
4457 	};
4458 	/*
4459 	 * Sets access rights on the same bind-mounted directories.  The result
4460 	 * should be ACCESS_RW for both directories, but not both hierarchies
4461 	 * because of the first layer.
4462 	 */
4463 	const struct rule layer2_mount_point[] = {
4464 		{
4465 			.path = dir_s1d2,
4466 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4467 		},
4468 		{
4469 			.path = dir_s2d2,
4470 			.access = ACCESS_RW,
4471 		},
4472 		{},
4473 	};
4474 	/* Only allow read-access to the s1d3 hierarchies. */
4475 	const struct rule layer3_source[] = {
4476 		{
4477 			.path = dir_s1d3,
4478 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4479 		},
4480 		{},
4481 	};
4482 	/* Removes all access rights. */
4483 	const struct rule layer4_destination[] = {
4484 		{
4485 			.path = bind_file1_s1d3,
4486 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,
4487 		},
4488 		{},
4489 	};
4490 	int ruleset_fd;
4491 
4492 	/* Sets rules for the parent directories. */
4493 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_parent);
4494 	ASSERT_LE(0, ruleset_fd);
4495 	enforce_ruleset(_metadata, ruleset_fd);
4496 	ASSERT_EQ(0, close(ruleset_fd));
4497 
4498 	/* Checks source hierarchy. */
4499 	ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
4500 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
4501 	ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
4502 
4503 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
4504 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
4505 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
4506 
4507 	/* Checks destination hierarchy. */
4508 	ASSERT_EQ(0, test_open(file1_s2d1, O_RDWR));
4509 	ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
4510 
4511 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
4512 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
4513 
4514 	/* Sets rules for the mount points. */
4515 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_mount_point);
4516 	ASSERT_LE(0, ruleset_fd);
4517 	enforce_ruleset(_metadata, ruleset_fd);
4518 	ASSERT_EQ(0, close(ruleset_fd));
4519 
4520 	/* Checks source hierarchy. */
4521 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
4522 	ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
4523 	ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
4524 
4525 	ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
4526 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
4527 	ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
4528 
4529 	/* Checks destination hierarchy. */
4530 	ASSERT_EQ(EACCES, test_open(file1_s2d1, O_RDONLY));
4531 	ASSERT_EQ(EACCES, test_open(file1_s2d1, O_WRONLY));
4532 	ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
4533 
4534 	ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
4535 	ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
4536 	ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
4537 
4538 	/* Sets a (shared) rule only on the source. */
4539 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_source);
4540 	ASSERT_LE(0, ruleset_fd);
4541 	enforce_ruleset(_metadata, ruleset_fd);
4542 	ASSERT_EQ(0, close(ruleset_fd));
4543 
4544 	/* Checks source hierarchy. */
4545 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
4546 	ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
4547 	ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
4548 
4549 	ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
4550 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
4551 	ASSERT_EQ(EACCES, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
4552 
4553 	/* Checks destination hierarchy. */
4554 	ASSERT_EQ(EACCES, test_open(file1_s2d2, O_RDONLY));
4555 	ASSERT_EQ(EACCES, test_open(file1_s2d2, O_WRONLY));
4556 	ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
4557 
4558 	ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
4559 	ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
4560 	ASSERT_EQ(EACCES, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
4561 
4562 	/* Sets a (shared) rule only on the destination. */
4563 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_destination);
4564 	ASSERT_LE(0, ruleset_fd);
4565 	enforce_ruleset(_metadata, ruleset_fd);
4566 	ASSERT_EQ(0, close(ruleset_fd));
4567 
4568 	/* Checks source hierarchy. */
4569 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
4570 	ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
4571 
4572 	/* Checks destination hierarchy. */
4573 	ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_RDONLY));
4574 	ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
4575 }
4576 
4577 TEST_F_FORK(layout1_bind, reparent_cross_mount)
4578 {
4579 	const struct rule layer1[] = {
4580 		{
4581 			/* dir_s2d1 is beneath the dir_s2d2 mount point. */
4582 			.path = dir_s2d1,
4583 			.access = LANDLOCK_ACCESS_FS_REFER,
4584 		},
4585 		{
4586 			.path = bind_dir_s1d3,
4587 			.access = LANDLOCK_ACCESS_FS_EXECUTE,
4588 		},
4589 		{},
4590 	};
4591 	int ruleset_fd = create_ruleset(
4592 		_metadata,
4593 		LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_EXECUTE, layer1);
4594 
4595 	ASSERT_LE(0, ruleset_fd);
4596 	enforce_ruleset(_metadata, ruleset_fd);
4597 	ASSERT_EQ(0, close(ruleset_fd));
4598 
4599 	/* Checks basic denied move. */
4600 	ASSERT_EQ(-1, rename(file1_s1d1, file1_s1d2));
4601 	ASSERT_EQ(EXDEV, errno);
4602 
4603 	/* Checks real cross-mount move (Landlock is not involved). */
4604 	ASSERT_EQ(-1, rename(file1_s2d1, file1_s2d2));
4605 	ASSERT_EQ(EXDEV, errno);
4606 
4607 	/* Checks move that will give more accesses. */
4608 	ASSERT_EQ(-1, rename(file1_s2d2, bind_file1_s1d3));
4609 	ASSERT_EQ(EXDEV, errno);
4610 
4611 	/* Checks legitimate downgrade move. */
4612 	ASSERT_EQ(0, rename(bind_file1_s1d3, file1_s2d2));
4613 }
4614 
4615 #define LOWER_BASE TMP_DIR "/lower"
4616 #define LOWER_DATA LOWER_BASE "/data"
4617 static const char lower_fl1[] = LOWER_DATA "/fl1";
4618 static const char lower_dl1[] = LOWER_DATA "/dl1";
4619 static const char lower_dl1_fl2[] = LOWER_DATA "/dl1/fl2";
4620 static const char lower_fo1[] = LOWER_DATA "/fo1";
4621 static const char lower_do1[] = LOWER_DATA "/do1";
4622 static const char lower_do1_fo2[] = LOWER_DATA "/do1/fo2";
4623 static const char lower_do1_fl3[] = LOWER_DATA "/do1/fl3";
4624 
4625 static const char (*lower_base_files[])[] = {
4626 	&lower_fl1,
4627 	&lower_fo1,
4628 	NULL,
4629 };
4630 static const char (*lower_base_directories[])[] = {
4631 	&lower_dl1,
4632 	&lower_do1,
4633 	NULL,
4634 };
4635 static const char (*lower_sub_files[])[] = {
4636 	&lower_dl1_fl2,
4637 	&lower_do1_fo2,
4638 	&lower_do1_fl3,
4639 	NULL,
4640 };
4641 
4642 #define UPPER_BASE TMP_DIR "/upper"
4643 #define UPPER_DATA UPPER_BASE "/data"
4644 #define UPPER_WORK UPPER_BASE "/work"
4645 static const char upper_fu1[] = UPPER_DATA "/fu1";
4646 static const char upper_du1[] = UPPER_DATA "/du1";
4647 static const char upper_du1_fu2[] = UPPER_DATA "/du1/fu2";
4648 static const char upper_fo1[] = UPPER_DATA "/fo1";
4649 static const char upper_do1[] = UPPER_DATA "/do1";
4650 static const char upper_do1_fo2[] = UPPER_DATA "/do1/fo2";
4651 static const char upper_do1_fu3[] = UPPER_DATA "/do1/fu3";
4652 
4653 static const char (*upper_base_files[])[] = {
4654 	&upper_fu1,
4655 	&upper_fo1,
4656 	NULL,
4657 };
4658 static const char (*upper_base_directories[])[] = {
4659 	&upper_du1,
4660 	&upper_do1,
4661 	NULL,
4662 };
4663 static const char (*upper_sub_files[])[] = {
4664 	&upper_du1_fu2,
4665 	&upper_do1_fo2,
4666 	&upper_do1_fu3,
4667 	NULL,
4668 };
4669 
4670 #define MERGE_BASE TMP_DIR "/merge"
4671 #define MERGE_DATA MERGE_BASE "/data"
4672 static const char merge_fl1[] = MERGE_DATA "/fl1";
4673 static const char merge_dl1[] = MERGE_DATA "/dl1";
4674 static const char merge_dl1_fl2[] = MERGE_DATA "/dl1/fl2";
4675 static const char merge_fu1[] = MERGE_DATA "/fu1";
4676 static const char merge_du1[] = MERGE_DATA "/du1";
4677 static const char merge_du1_fu2[] = MERGE_DATA "/du1/fu2";
4678 static const char merge_fo1[] = MERGE_DATA "/fo1";
4679 static const char merge_do1[] = MERGE_DATA "/do1";
4680 static const char merge_do1_fo2[] = MERGE_DATA "/do1/fo2";
4681 static const char merge_do1_fl3[] = MERGE_DATA "/do1/fl3";
4682 static const char merge_do1_fu3[] = MERGE_DATA "/do1/fu3";
4683 
4684 static const char (*merge_base_files[])[] = {
4685 	&merge_fl1,
4686 	&merge_fu1,
4687 	&merge_fo1,
4688 	NULL,
4689 };
4690 static const char (*merge_base_directories[])[] = {
4691 	&merge_dl1,
4692 	&merge_du1,
4693 	&merge_do1,
4694 	NULL,
4695 };
4696 static const char (*merge_sub_files[])[] = {
4697 	&merge_dl1_fl2, &merge_du1_fu2, &merge_do1_fo2,
4698 	&merge_do1_fl3, &merge_do1_fu3, NULL,
4699 };
4700 
4701 /*
4702  * layout2_overlay hierarchy:
4703  *
4704  * tmp
4705  * ├── lower
4706  * │   └── data
4707  * │       ├── dl1
4708  * │       │   └── fl2
4709  * │       ├── do1
4710  * │       │   ├── fl3
4711  * │       │   └── fo2
4712  * │       ├── fl1
4713  * │       └── fo1
4714  * ├── merge
4715  * │   └── data
4716  * │       ├── dl1
4717  * │       │   └── fl2
4718  * │       ├── do1
4719  * │       │   ├── fl3
4720  * │       │   ├── fo2
4721  * │       │   └── fu3
4722  * │       ├── du1
4723  * │       │   └── fu2
4724  * │       ├── fl1
4725  * │       ├── fo1
4726  * │       └── fu1
4727  * └── upper
4728  *     ├── data
4729  *     │   ├── do1
4730  *     │   │   ├── fo2
4731  *     │   │   └── fu3
4732  *     │   ├── du1
4733  *     │   │   └── fu2
4734  *     │   ├── fo1
4735  *     │   └── fu1
4736  *     └── work
4737  *         └── work
4738  */
4739 
4740 FIXTURE(layout2_overlay)
4741 {
4742 	bool skip_test;
4743 };
4744 
4745 FIXTURE_SETUP(layout2_overlay)
4746 {
4747 	if (!supports_filesystem("overlay")) {
4748 		self->skip_test = true;
4749 		SKIP(return, "overlayfs is not supported (setup)");
4750 	}
4751 
4752 	prepare_layout(_metadata);
4753 
4754 	create_directory(_metadata, LOWER_BASE);
4755 	set_cap(_metadata, CAP_SYS_ADMIN);
4756 	/* Creates tmpfs mount points to get deterministic overlayfs. */
4757 	ASSERT_EQ(0, mount_opt(&mnt_tmp, LOWER_BASE));
4758 	clear_cap(_metadata, CAP_SYS_ADMIN);
4759 	create_file(_metadata, lower_fl1);
4760 	create_file(_metadata, lower_dl1_fl2);
4761 	create_file(_metadata, lower_fo1);
4762 	create_file(_metadata, lower_do1_fo2);
4763 	create_file(_metadata, lower_do1_fl3);
4764 
4765 	create_directory(_metadata, UPPER_BASE);
4766 	set_cap(_metadata, CAP_SYS_ADMIN);
4767 	ASSERT_EQ(0, mount_opt(&mnt_tmp, UPPER_BASE));
4768 	clear_cap(_metadata, CAP_SYS_ADMIN);
4769 	create_file(_metadata, upper_fu1);
4770 	create_file(_metadata, upper_du1_fu2);
4771 	create_file(_metadata, upper_fo1);
4772 	create_file(_metadata, upper_do1_fo2);
4773 	create_file(_metadata, upper_do1_fu3);
4774 	ASSERT_EQ(0, mkdir(UPPER_WORK, 0700));
4775 
4776 	create_directory(_metadata, MERGE_DATA);
4777 	set_cap(_metadata, CAP_SYS_ADMIN);
4778 	set_cap(_metadata, CAP_DAC_OVERRIDE);
4779 	ASSERT_EQ(0, mount("overlay", MERGE_DATA, "overlay", 0,
4780 			   "lowerdir=" LOWER_DATA ",upperdir=" UPPER_DATA
4781 			   ",workdir=" UPPER_WORK));
4782 	clear_cap(_metadata, CAP_DAC_OVERRIDE);
4783 	clear_cap(_metadata, CAP_SYS_ADMIN);
4784 }
4785 
4786 FIXTURE_TEARDOWN_PARENT(layout2_overlay)
4787 {
4788 	if (self->skip_test)
4789 		SKIP(return, "overlayfs is not supported (teardown)");
4790 
4791 	EXPECT_EQ(0, remove_path(lower_do1_fl3));
4792 	EXPECT_EQ(0, remove_path(lower_dl1_fl2));
4793 	EXPECT_EQ(0, remove_path(lower_fl1));
4794 	EXPECT_EQ(0, remove_path(lower_do1_fo2));
4795 	EXPECT_EQ(0, remove_path(lower_fo1));
4796 
4797 	/* umount(LOWER_BASE)) is handled by namespace lifetime. */
4798 	EXPECT_EQ(0, remove_path(LOWER_BASE));
4799 
4800 	EXPECT_EQ(0, remove_path(upper_do1_fu3));
4801 	EXPECT_EQ(0, remove_path(upper_du1_fu2));
4802 	EXPECT_EQ(0, remove_path(upper_fu1));
4803 	EXPECT_EQ(0, remove_path(upper_do1_fo2));
4804 	EXPECT_EQ(0, remove_path(upper_fo1));
4805 	EXPECT_EQ(0, remove_path(UPPER_WORK "/work"));
4806 
4807 	/* umount(UPPER_BASE)) is handled by namespace lifetime. */
4808 	EXPECT_EQ(0, remove_path(UPPER_BASE));
4809 
4810 	/* umount(MERGE_DATA)) is handled by namespace lifetime. */
4811 	EXPECT_EQ(0, remove_path(MERGE_DATA));
4812 
4813 	cleanup_layout(_metadata);
4814 }
4815 
4816 TEST_F_FORK(layout2_overlay, no_restriction)
4817 {
4818 	if (self->skip_test)
4819 		SKIP(return, "overlayfs is not supported (test)");
4820 
4821 	ASSERT_EQ(0, test_open(lower_fl1, O_RDONLY));
4822 	ASSERT_EQ(0, test_open(lower_dl1, O_RDONLY));
4823 	ASSERT_EQ(0, test_open(lower_dl1_fl2, O_RDONLY));
4824 	ASSERT_EQ(0, test_open(lower_fo1, O_RDONLY));
4825 	ASSERT_EQ(0, test_open(lower_do1, O_RDONLY));
4826 	ASSERT_EQ(0, test_open(lower_do1_fo2, O_RDONLY));
4827 	ASSERT_EQ(0, test_open(lower_do1_fl3, O_RDONLY));
4828 
4829 	ASSERT_EQ(0, test_open(upper_fu1, O_RDONLY));
4830 	ASSERT_EQ(0, test_open(upper_du1, O_RDONLY));
4831 	ASSERT_EQ(0, test_open(upper_du1_fu2, O_RDONLY));
4832 	ASSERT_EQ(0, test_open(upper_fo1, O_RDONLY));
4833 	ASSERT_EQ(0, test_open(upper_do1, O_RDONLY));
4834 	ASSERT_EQ(0, test_open(upper_do1_fo2, O_RDONLY));
4835 	ASSERT_EQ(0, test_open(upper_do1_fu3, O_RDONLY));
4836 
4837 	ASSERT_EQ(0, test_open(merge_fl1, O_RDONLY));
4838 	ASSERT_EQ(0, test_open(merge_dl1, O_RDONLY));
4839 	ASSERT_EQ(0, test_open(merge_dl1_fl2, O_RDONLY));
4840 	ASSERT_EQ(0, test_open(merge_fu1, O_RDONLY));
4841 	ASSERT_EQ(0, test_open(merge_du1, O_RDONLY));
4842 	ASSERT_EQ(0, test_open(merge_du1_fu2, O_RDONLY));
4843 	ASSERT_EQ(0, test_open(merge_fo1, O_RDONLY));
4844 	ASSERT_EQ(0, test_open(merge_do1, O_RDONLY));
4845 	ASSERT_EQ(0, test_open(merge_do1_fo2, O_RDONLY));
4846 	ASSERT_EQ(0, test_open(merge_do1_fl3, O_RDONLY));
4847 	ASSERT_EQ(0, test_open(merge_do1_fu3, O_RDONLY));
4848 }
4849 
4850 #define for_each_path(path_list, path_entry, i)               \
4851 	for (i = 0, path_entry = *path_list[i]; path_list[i]; \
4852 	     path_entry = *path_list[++i])
4853 
4854 TEST_F_FORK(layout2_overlay, same_content_different_file)
4855 {
4856 	/* Sets access right on parent directories of both layers. */
4857 	const struct rule layer1_base[] = {
4858 		{
4859 			.path = LOWER_BASE,
4860 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4861 		},
4862 		{
4863 			.path = UPPER_BASE,
4864 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4865 		},
4866 		{
4867 			.path = MERGE_BASE,
4868 			.access = ACCESS_RW,
4869 		},
4870 		{},
4871 	};
4872 	const struct rule layer2_data[] = {
4873 		{
4874 			.path = LOWER_DATA,
4875 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4876 		},
4877 		{
4878 			.path = UPPER_DATA,
4879 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4880 		},
4881 		{
4882 			.path = MERGE_DATA,
4883 			.access = ACCESS_RW,
4884 		},
4885 		{},
4886 	};
4887 	/* Sets access right on directories inside both layers. */
4888 	const struct rule layer3_subdirs[] = {
4889 		{
4890 			.path = lower_dl1,
4891 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4892 		},
4893 		{
4894 			.path = lower_do1,
4895 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4896 		},
4897 		{
4898 			.path = upper_du1,
4899 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4900 		},
4901 		{
4902 			.path = upper_do1,
4903 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4904 		},
4905 		{
4906 			.path = merge_dl1,
4907 			.access = ACCESS_RW,
4908 		},
4909 		{
4910 			.path = merge_du1,
4911 			.access = ACCESS_RW,
4912 		},
4913 		{
4914 			.path = merge_do1,
4915 			.access = ACCESS_RW,
4916 		},
4917 		{},
4918 	};
4919 	/* Tighten access rights to the files. */
4920 	const struct rule layer4_files[] = {
4921 		{
4922 			.path = lower_dl1_fl2,
4923 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4924 		},
4925 		{
4926 			.path = lower_do1_fo2,
4927 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4928 		},
4929 		{
4930 			.path = lower_do1_fl3,
4931 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4932 		},
4933 		{
4934 			.path = upper_du1_fu2,
4935 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4936 		},
4937 		{
4938 			.path = upper_do1_fo2,
4939 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4940 		},
4941 		{
4942 			.path = upper_do1_fu3,
4943 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
4944 		},
4945 		{
4946 			.path = merge_dl1_fl2,
4947 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
4948 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
4949 		},
4950 		{
4951 			.path = merge_du1_fu2,
4952 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
4953 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
4954 		},
4955 		{
4956 			.path = merge_do1_fo2,
4957 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
4958 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
4959 		},
4960 		{
4961 			.path = merge_do1_fl3,
4962 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
4963 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
4964 		},
4965 		{
4966 			.path = merge_do1_fu3,
4967 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
4968 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
4969 		},
4970 		{},
4971 	};
4972 	const struct rule layer5_merge_only[] = {
4973 		{
4974 			.path = MERGE_DATA,
4975 			.access = LANDLOCK_ACCESS_FS_READ_FILE |
4976 				  LANDLOCK_ACCESS_FS_WRITE_FILE,
4977 		},
4978 		{},
4979 	};
4980 	int ruleset_fd;
4981 	size_t i;
4982 	const char *path_entry;
4983 
4984 	if (self->skip_test)
4985 		SKIP(return, "overlayfs is not supported (test)");
4986 
4987 	/* Sets rules on base directories (i.e. outside overlay scope). */
4988 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
4989 	ASSERT_LE(0, ruleset_fd);
4990 	enforce_ruleset(_metadata, ruleset_fd);
4991 	ASSERT_EQ(0, close(ruleset_fd));
4992 
4993 	/* Checks lower layer. */
4994 	for_each_path(lower_base_files, path_entry, i) {
4995 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
4996 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
4997 	}
4998 	for_each_path(lower_base_directories, path_entry, i) {
4999 		ASSERT_EQ(EACCES,
5000 			  test_open(path_entry, O_RDONLY | O_DIRECTORY));
5001 	}
5002 	for_each_path(lower_sub_files, path_entry, i) {
5003 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
5004 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
5005 	}
5006 	/* Checks upper layer. */
5007 	for_each_path(upper_base_files, path_entry, i) {
5008 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
5009 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
5010 	}
5011 	for_each_path(upper_base_directories, path_entry, i) {
5012 		ASSERT_EQ(EACCES,
5013 			  test_open(path_entry, O_RDONLY | O_DIRECTORY));
5014 	}
5015 	for_each_path(upper_sub_files, path_entry, i) {
5016 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
5017 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
5018 	}
5019 	/*
5020 	 * Checks that access rights are independent from the lower and upper
5021 	 * layers: write access to upper files viewed through the merge point
5022 	 * is still allowed, and write access to lower file viewed (and copied)
5023 	 * through the merge point is still allowed.
5024 	 */
5025 	for_each_path(merge_base_files, path_entry, i) {
5026 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
5027 	}
5028 	for_each_path(merge_base_directories, path_entry, i) {
5029 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
5030 	}
5031 	for_each_path(merge_sub_files, path_entry, i) {
5032 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
5033 	}
5034 
5035 	/* Sets rules on data directories (i.e. inside overlay scope). */
5036 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_data);
5037 	ASSERT_LE(0, ruleset_fd);
5038 	enforce_ruleset(_metadata, ruleset_fd);
5039 	ASSERT_EQ(0, close(ruleset_fd));
5040 
5041 	/* Checks merge. */
5042 	for_each_path(merge_base_files, path_entry, i) {
5043 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
5044 	}
5045 	for_each_path(merge_base_directories, path_entry, i) {
5046 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
5047 	}
5048 	for_each_path(merge_sub_files, path_entry, i) {
5049 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
5050 	}
5051 
5052 	/* Same checks with tighter rules. */
5053 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_subdirs);
5054 	ASSERT_LE(0, ruleset_fd);
5055 	enforce_ruleset(_metadata, ruleset_fd);
5056 	ASSERT_EQ(0, close(ruleset_fd));
5057 
5058 	/* Checks changes for lower layer. */
5059 	for_each_path(lower_base_files, path_entry, i) {
5060 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
5061 	}
5062 	/* Checks changes for upper layer. */
5063 	for_each_path(upper_base_files, path_entry, i) {
5064 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
5065 	}
5066 	/* Checks all merge accesses. */
5067 	for_each_path(merge_base_files, path_entry, i) {
5068 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
5069 	}
5070 	for_each_path(merge_base_directories, path_entry, i) {
5071 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
5072 	}
5073 	for_each_path(merge_sub_files, path_entry, i) {
5074 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
5075 	}
5076 
5077 	/* Sets rules directly on overlayed files. */
5078 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_files);
5079 	ASSERT_LE(0, ruleset_fd);
5080 	enforce_ruleset(_metadata, ruleset_fd);
5081 	ASSERT_EQ(0, close(ruleset_fd));
5082 
5083 	/* Checks unchanged accesses on lower layer. */
5084 	for_each_path(lower_sub_files, path_entry, i) {
5085 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
5086 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
5087 	}
5088 	/* Checks unchanged accesses on upper layer. */
5089 	for_each_path(upper_sub_files, path_entry, i) {
5090 		ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
5091 		ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
5092 	}
5093 	/* Checks all merge accesses. */
5094 	for_each_path(merge_base_files, path_entry, i) {
5095 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
5096 	}
5097 	for_each_path(merge_base_directories, path_entry, i) {
5098 		ASSERT_EQ(EACCES,
5099 			  test_open(path_entry, O_RDONLY | O_DIRECTORY));
5100 	}
5101 	for_each_path(merge_sub_files, path_entry, i) {
5102 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
5103 	}
5104 
5105 	/* Only allowes access to the merge hierarchy. */
5106 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer5_merge_only);
5107 	ASSERT_LE(0, ruleset_fd);
5108 	enforce_ruleset(_metadata, ruleset_fd);
5109 	ASSERT_EQ(0, close(ruleset_fd));
5110 
5111 	/* Checks new accesses on lower layer. */
5112 	for_each_path(lower_sub_files, path_entry, i) {
5113 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
5114 	}
5115 	/* Checks new accesses on upper layer. */
5116 	for_each_path(upper_sub_files, path_entry, i) {
5117 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
5118 	}
5119 	/* Checks all merge accesses. */
5120 	for_each_path(merge_base_files, path_entry, i) {
5121 		ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
5122 	}
5123 	for_each_path(merge_base_directories, path_entry, i) {
5124 		ASSERT_EQ(EACCES,
5125 			  test_open(path_entry, O_RDONLY | O_DIRECTORY));
5126 	}
5127 	for_each_path(merge_sub_files, path_entry, i) {
5128 		ASSERT_EQ(0, test_open(path_entry, O_RDWR));
5129 	}
5130 }
5131 
5132 FIXTURE(layout3_fs)
5133 {
5134 	bool has_created_dir;
5135 	bool has_created_file;
5136 	bool skip_test;
5137 };
5138 
5139 FIXTURE_VARIANT(layout3_fs)
5140 {
5141 	const struct mnt_opt mnt;
5142 	const char *const file_path;
5143 	unsigned int cwd_fs_magic;
5144 };
5145 
5146 /* clang-format off */
5147 FIXTURE_VARIANT_ADD(layout3_fs, tmpfs) {
5148 	/* clang-format on */
5149 	.mnt = {
5150 		.type = "tmpfs",
5151 		.data = MNT_TMP_DATA,
5152 	},
5153 	.file_path = file1_s1d1,
5154 };
5155 
5156 FIXTURE_VARIANT_ADD(layout3_fs, ramfs) {
5157 	.mnt = {
5158 		.type = "ramfs",
5159 		.data = "mode=700",
5160 	},
5161 	.file_path = TMP_DIR "/dir/file",
5162 };
5163 
5164 FIXTURE_VARIANT_ADD(layout3_fs, cgroup2) {
5165 	.mnt = {
5166 		.type = "cgroup2",
5167 	},
5168 	.file_path = TMP_DIR "/test/cgroup.procs",
5169 };
5170 
5171 FIXTURE_VARIANT_ADD(layout3_fs, proc) {
5172 	.mnt = {
5173 		.type = "proc",
5174 	},
5175 	.file_path = TMP_DIR "/self/status",
5176 };
5177 
5178 FIXTURE_VARIANT_ADD(layout3_fs, sysfs) {
5179 	.mnt = {
5180 		.type = "sysfs",
5181 	},
5182 	.file_path = TMP_DIR "/kernel/notes",
5183 };
5184 
5185 FIXTURE_VARIANT_ADD(layout3_fs, hostfs) {
5186 	.mnt = {
5187 		.source = TMP_DIR,
5188 		.flags = MS_BIND,
5189 	},
5190 	.file_path = TMP_DIR "/dir/file",
5191 	.cwd_fs_magic = HOSTFS_SUPER_MAGIC,
5192 };
5193 
5194 static char *dirname_alloc(const char *path)
5195 {
5196 	char *dup;
5197 
5198 	if (!path)
5199 		return NULL;
5200 
5201 	dup = strdup(path);
5202 	if (!dup)
5203 		return NULL;
5204 
5205 	return dirname(dup);
5206 }
5207 
5208 FIXTURE_SETUP(layout3_fs)
5209 {
5210 	struct stat statbuf;
5211 	char *dir_path = dirname_alloc(variant->file_path);
5212 
5213 	if (!supports_filesystem(variant->mnt.type) ||
5214 	    !cwd_matches_fs(variant->cwd_fs_magic)) {
5215 		self->skip_test = true;
5216 		SKIP(return, "this filesystem is not supported (setup)");
5217 	}
5218 
5219 	prepare_layout_opt(_metadata, &variant->mnt);
5220 
5221 	/* Creates directory when required. */
5222 	if (stat(dir_path, &statbuf)) {
5223 		set_cap(_metadata, CAP_DAC_OVERRIDE);
5224 		EXPECT_EQ(0, mkdir(dir_path, 0700))
5225 		{
5226 			TH_LOG("Failed to create directory \"%s\": %s",
5227 			       dir_path, strerror(errno));
5228 		}
5229 		self->has_created_dir = true;
5230 		clear_cap(_metadata, CAP_DAC_OVERRIDE);
5231 	}
5232 
5233 	/* Creates file when required. */
5234 	if (stat(variant->file_path, &statbuf)) {
5235 		int fd;
5236 
5237 		set_cap(_metadata, CAP_DAC_OVERRIDE);
5238 		fd = creat(variant->file_path, 0600);
5239 		EXPECT_LE(0, fd)
5240 		{
5241 			TH_LOG("Failed to create file \"%s\": %s",
5242 			       variant->file_path, strerror(errno));
5243 		}
5244 		EXPECT_EQ(0, close(fd));
5245 		self->has_created_file = true;
5246 		clear_cap(_metadata, CAP_DAC_OVERRIDE);
5247 	}
5248 
5249 	free(dir_path);
5250 }
5251 
5252 FIXTURE_TEARDOWN_PARENT(layout3_fs)
5253 {
5254 	if (self->skip_test)
5255 		SKIP(return, "this filesystem is not supported (teardown)");
5256 
5257 	if (self->has_created_file) {
5258 		set_cap(_metadata, CAP_DAC_OVERRIDE);
5259 		/*
5260 		 * Don't check for error because the file might already
5261 		 * have been removed (cf. release_inode test).
5262 		 */
5263 		unlink(variant->file_path);
5264 		clear_cap(_metadata, CAP_DAC_OVERRIDE);
5265 	}
5266 
5267 	if (self->has_created_dir) {
5268 		char *dir_path = dirname_alloc(variant->file_path);
5269 
5270 		set_cap(_metadata, CAP_DAC_OVERRIDE);
5271 		/*
5272 		 * Don't check for error because the directory might already
5273 		 * have been removed (cf. release_inode test).
5274 		 */
5275 		rmdir(dir_path);
5276 		clear_cap(_metadata, CAP_DAC_OVERRIDE);
5277 		free(dir_path);
5278 	}
5279 
5280 	cleanup_layout(_metadata);
5281 }
5282 
5283 static void layer3_fs_tag_inode(struct __test_metadata *const _metadata,
5284 				FIXTURE_DATA(layout3_fs) * self,
5285 				const FIXTURE_VARIANT(layout3_fs) * variant,
5286 				const char *const rule_path)
5287 {
5288 	const struct rule layer1_allow_read_file[] = {
5289 		{
5290 			.path = rule_path,
5291 			.access = LANDLOCK_ACCESS_FS_READ_FILE,
5292 		},
5293 		{},
5294 	};
5295 	const struct landlock_ruleset_attr layer2_deny_everything_attr = {
5296 		.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
5297 	};
5298 	const char *const dev_null_path = "/dev/null";
5299 	int ruleset_fd;
5300 
5301 	if (self->skip_test)
5302 		SKIP(return, "this filesystem is not supported (test)");
5303 
5304 	/* Checks without Landlock. */
5305 	EXPECT_EQ(0, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
5306 	EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
5307 
5308 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
5309 				    layer1_allow_read_file);
5310 	EXPECT_LE(0, ruleset_fd);
5311 	enforce_ruleset(_metadata, ruleset_fd);
5312 	EXPECT_EQ(0, close(ruleset_fd));
5313 
5314 	EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
5315 	EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
5316 
5317 	/* Forbids directory reading. */
5318 	ruleset_fd =
5319 		landlock_create_ruleset(&layer2_deny_everything_attr,
5320 					sizeof(layer2_deny_everything_attr), 0);
5321 	EXPECT_LE(0, ruleset_fd);
5322 	enforce_ruleset(_metadata, ruleset_fd);
5323 	EXPECT_EQ(0, close(ruleset_fd));
5324 
5325 	/* Checks with Landlock and forbidden access. */
5326 	EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
5327 	EXPECT_EQ(EACCES, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
5328 }
5329 
5330 /* Matrix of tests to check file hierarchy evaluation. */
5331 
5332 TEST_F_FORK(layout3_fs, tag_inode_dir_parent)
5333 {
5334 	/* The current directory must not be the root for this test. */
5335 	layer3_fs_tag_inode(_metadata, self, variant, ".");
5336 }
5337 
5338 TEST_F_FORK(layout3_fs, tag_inode_dir_mnt)
5339 {
5340 	layer3_fs_tag_inode(_metadata, self, variant, TMP_DIR);
5341 }
5342 
5343 TEST_F_FORK(layout3_fs, tag_inode_dir_child)
5344 {
5345 	char *dir_path = dirname_alloc(variant->file_path);
5346 
5347 	layer3_fs_tag_inode(_metadata, self, variant, dir_path);
5348 	free(dir_path);
5349 }
5350 
5351 TEST_F_FORK(layout3_fs, tag_inode_file)
5352 {
5353 	layer3_fs_tag_inode(_metadata, self, variant, variant->file_path);
5354 }
5355 
5356 /* Light version of layout1.release_inodes */
5357 TEST_F_FORK(layout3_fs, release_inodes)
5358 {
5359 	const struct rule layer1[] = {
5360 		{
5361 			.path = TMP_DIR,
5362 			.access = LANDLOCK_ACCESS_FS_READ_DIR,
5363 		},
5364 		{},
5365 	};
5366 	int ruleset_fd;
5367 
5368 	if (self->skip_test)
5369 		SKIP(return, "this filesystem is not supported (test)");
5370 
5371 	/* Clean up for the teardown to not fail. */
5372 	if (self->has_created_file)
5373 		EXPECT_EQ(0, remove_path(variant->file_path));
5374 
5375 	if (self->has_created_dir) {
5376 		char *dir_path = dirname_alloc(variant->file_path);
5377 
5378 		/* Don't check for error because of cgroup specificities. */
5379 		remove_path(dir_path);
5380 		free(dir_path);
5381 	}
5382 
5383 	ruleset_fd =
5384 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, layer1);
5385 	ASSERT_LE(0, ruleset_fd);
5386 
5387 	/* Unmount the filesystem while it is being used by a ruleset. */
5388 	set_cap(_metadata, CAP_SYS_ADMIN);
5389 	ASSERT_EQ(0, umount(TMP_DIR));
5390 	clear_cap(_metadata, CAP_SYS_ADMIN);
5391 
5392 	/* Replaces with a new mount point to simplify FIXTURE_TEARDOWN. */
5393 	set_cap(_metadata, CAP_SYS_ADMIN);
5394 	ASSERT_EQ(0, mount_opt(&mnt_tmp, TMP_DIR));
5395 	clear_cap(_metadata, CAP_SYS_ADMIN);
5396 
5397 	enforce_ruleset(_metadata, ruleset_fd);
5398 	ASSERT_EQ(0, close(ruleset_fd));
5399 
5400 	/* Checks that access to the new mount point is denied. */
5401 	ASSERT_EQ(EACCES, test_open(TMP_DIR, O_RDONLY));
5402 }
5403 
5404 TEST_HARNESS_MAIN
5405