1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Landlock tests - Filesystem 4 * 5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> 6 * Copyright © 2020 ANSSI 7 * Copyright © 2020-2022 Microsoft Corporation 8 */ 9 10 #define _GNU_SOURCE 11 #include <fcntl.h> 12 #include <libgen.h> 13 #include <linux/landlock.h> 14 #include <linux/magic.h> 15 #include <sched.h> 16 #include <stdio.h> 17 #include <string.h> 18 #include <sys/capability.h> 19 #include <sys/mount.h> 20 #include <sys/prctl.h> 21 #include <sys/sendfile.h> 22 #include <sys/stat.h> 23 #include <sys/sysmacros.h> 24 #include <sys/vfs.h> 25 #include <unistd.h> 26 27 #include "common.h" 28 29 #ifndef renameat2 30 int renameat2(int olddirfd, const char *oldpath, int newdirfd, 31 const char *newpath, unsigned int flags) 32 { 33 return syscall(__NR_renameat2, olddirfd, oldpath, newdirfd, newpath, 34 flags); 35 } 36 #endif 37 38 #ifndef RENAME_EXCHANGE 39 #define RENAME_EXCHANGE (1 << 1) 40 #endif 41 42 #define TMP_DIR "tmp" 43 #define BINARY_PATH "./true" 44 45 /* Paths (sibling number and depth) */ 46 static const char dir_s1d1[] = TMP_DIR "/s1d1"; 47 static const char file1_s1d1[] = TMP_DIR "/s1d1/f1"; 48 static const char file2_s1d1[] = TMP_DIR "/s1d1/f2"; 49 static const char dir_s1d2[] = TMP_DIR "/s1d1/s1d2"; 50 static const char file1_s1d2[] = TMP_DIR "/s1d1/s1d2/f1"; 51 static const char file2_s1d2[] = TMP_DIR "/s1d1/s1d2/f2"; 52 static const char dir_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3"; 53 static const char file1_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f1"; 54 static const char file2_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f2"; 55 56 static const char dir_s2d1[] = TMP_DIR "/s2d1"; 57 static const char file1_s2d1[] = TMP_DIR "/s2d1/f1"; 58 static const char dir_s2d2[] = TMP_DIR "/s2d1/s2d2"; 59 static const char file1_s2d2[] = TMP_DIR "/s2d1/s2d2/f1"; 60 static const char dir_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3"; 61 static const char file1_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f1"; 62 static const char file2_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f2"; 63 64 static const char dir_s3d1[] = TMP_DIR "/s3d1"; 65 static const char file1_s3d1[] = TMP_DIR "/s3d1/f1"; 66 /* dir_s3d2 is a mount point. */ 67 static const char dir_s3d2[] = TMP_DIR "/s3d1/s3d2"; 68 static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3"; 69 70 /* 71 * layout1 hierarchy: 72 * 73 * tmp 74 * ├── s1d1 75 * │ ├── f1 76 * │ ├── f2 77 * │ └── s1d2 78 * │ ├── f1 79 * │ ├── f2 80 * │ └── s1d3 81 * │ ├── f1 82 * │ └── f2 83 * ├── s2d1 84 * │ ├── f1 85 * │ └── s2d2 86 * │ ├── f1 87 * │ └── s2d3 88 * │ ├── f1 89 * │ └── f2 90 * └── s3d1 91 * ├── f1 92 * └── s3d2 93 * └── s3d3 94 */ 95 96 static bool fgrep(FILE *const inf, const char *const str) 97 { 98 char line[32]; 99 const int slen = strlen(str); 100 101 while (!feof(inf)) { 102 if (!fgets(line, sizeof(line), inf)) 103 break; 104 if (strncmp(line, str, slen)) 105 continue; 106 107 return true; 108 } 109 110 return false; 111 } 112 113 static bool supports_filesystem(const char *const filesystem) 114 { 115 char str[32]; 116 int len; 117 bool res = true; 118 FILE *const inf = fopen("/proc/filesystems", "r"); 119 120 /* 121 * Consider that the filesystem is supported if we cannot get the 122 * supported ones. 123 */ 124 if (!inf) 125 return true; 126 127 /* filesystem can be null for bind mounts. */ 128 if (!filesystem) 129 goto out; 130 131 len = snprintf(str, sizeof(str), "nodev\t%s\n", filesystem); 132 if (len >= sizeof(str)) 133 /* Ignores too-long filesystem names. */ 134 goto out; 135 136 res = fgrep(inf, str); 137 138 out: 139 fclose(inf); 140 return res; 141 } 142 143 static bool cwd_matches_fs(unsigned int fs_magic) 144 { 145 struct statfs statfs_buf; 146 147 if (!fs_magic) 148 return true; 149 150 if (statfs(".", &statfs_buf)) 151 return true; 152 153 return statfs_buf.f_type == fs_magic; 154 } 155 156 static void mkdir_parents(struct __test_metadata *const _metadata, 157 const char *const path) 158 { 159 char *walker; 160 const char *parent; 161 int i, err; 162 163 ASSERT_NE(path[0], '\0'); 164 walker = strdup(path); 165 ASSERT_NE(NULL, walker); 166 parent = walker; 167 for (i = 1; walker[i]; i++) { 168 if (walker[i] != '/') 169 continue; 170 walker[i] = '\0'; 171 err = mkdir(parent, 0700); 172 ASSERT_FALSE(err && errno != EEXIST) 173 { 174 TH_LOG("Failed to create directory \"%s\": %s", parent, 175 strerror(errno)); 176 } 177 walker[i] = '/'; 178 } 179 free(walker); 180 } 181 182 static void create_directory(struct __test_metadata *const _metadata, 183 const char *const path) 184 { 185 mkdir_parents(_metadata, path); 186 ASSERT_EQ(0, mkdir(path, 0700)) 187 { 188 TH_LOG("Failed to create directory \"%s\": %s", path, 189 strerror(errno)); 190 } 191 } 192 193 static void create_file(struct __test_metadata *const _metadata, 194 const char *const path) 195 { 196 mkdir_parents(_metadata, path); 197 ASSERT_EQ(0, mknod(path, S_IFREG | 0700, 0)) 198 { 199 TH_LOG("Failed to create file \"%s\": %s", path, 200 strerror(errno)); 201 } 202 } 203 204 static int remove_path(const char *const path) 205 { 206 char *walker; 207 int i, ret, err = 0; 208 209 walker = strdup(path); 210 if (!walker) { 211 err = ENOMEM; 212 goto out; 213 } 214 if (unlink(path) && rmdir(path)) { 215 if (errno != ENOENT && errno != ENOTDIR) 216 err = errno; 217 goto out; 218 } 219 for (i = strlen(walker); i > 0; i--) { 220 if (walker[i] != '/') 221 continue; 222 walker[i] = '\0'; 223 ret = rmdir(walker); 224 if (ret) { 225 if (errno != ENOTEMPTY && errno != EBUSY) 226 err = errno; 227 goto out; 228 } 229 if (strcmp(walker, TMP_DIR) == 0) 230 goto out; 231 } 232 233 out: 234 free(walker); 235 return err; 236 } 237 238 struct mnt_opt { 239 const char *const source; 240 const char *const type; 241 const unsigned long flags; 242 const char *const data; 243 }; 244 245 #define MNT_TMP_DATA "size=4m,mode=700" 246 247 static const struct mnt_opt mnt_tmp = { 248 .type = "tmpfs", 249 .data = MNT_TMP_DATA, 250 }; 251 252 static int mount_opt(const struct mnt_opt *const mnt, const char *const target) 253 { 254 return mount(mnt->source ?: mnt->type, target, mnt->type, mnt->flags, 255 mnt->data); 256 } 257 258 static void prepare_layout_opt(struct __test_metadata *const _metadata, 259 const struct mnt_opt *const mnt) 260 { 261 disable_caps(_metadata); 262 umask(0077); 263 create_directory(_metadata, TMP_DIR); 264 265 /* 266 * Do not pollute the rest of the system: creates a private mount point 267 * for tests relying on pivot_root(2) and move_mount(2). 268 */ 269 set_cap(_metadata, CAP_SYS_ADMIN); 270 ASSERT_EQ(0, unshare(CLONE_NEWNS | CLONE_NEWCGROUP)); 271 ASSERT_EQ(0, mount_opt(mnt, TMP_DIR)) 272 { 273 TH_LOG("Failed to mount the %s filesystem: %s", mnt->type, 274 strerror(errno)); 275 /* 276 * FIXTURE_TEARDOWN() is not called when FIXTURE_SETUP() 277 * failed, so we need to explicitly do a minimal cleanup to 278 * avoid cascading errors with other tests that don't depend on 279 * the same filesystem. 280 */ 281 remove_path(TMP_DIR); 282 } 283 ASSERT_EQ(0, mount(NULL, TMP_DIR, NULL, MS_PRIVATE | MS_REC, NULL)); 284 clear_cap(_metadata, CAP_SYS_ADMIN); 285 } 286 287 static void prepare_layout(struct __test_metadata *const _metadata) 288 { 289 prepare_layout_opt(_metadata, &mnt_tmp); 290 } 291 292 static void cleanup_layout(struct __test_metadata *const _metadata) 293 { 294 set_cap(_metadata, CAP_SYS_ADMIN); 295 if (umount(TMP_DIR)) { 296 /* 297 * According to the test environment, the mount point of the 298 * current directory may be shared or not, which changes the 299 * visibility of the nested TMP_DIR mount point for the test's 300 * parent process doing this cleanup. 301 */ 302 ASSERT_EQ(EINVAL, errno); 303 } 304 clear_cap(_metadata, CAP_SYS_ADMIN); 305 EXPECT_EQ(0, remove_path(TMP_DIR)); 306 } 307 308 /* clang-format off */ 309 FIXTURE(layout0) {}; 310 /* clang-format on */ 311 312 FIXTURE_SETUP(layout0) 313 { 314 prepare_layout(_metadata); 315 } 316 317 FIXTURE_TEARDOWN_PARENT(layout0) 318 { 319 cleanup_layout(_metadata); 320 } 321 322 static void create_layout1(struct __test_metadata *const _metadata) 323 { 324 create_file(_metadata, file1_s1d1); 325 create_file(_metadata, file1_s1d2); 326 create_file(_metadata, file1_s1d3); 327 create_file(_metadata, file2_s1d1); 328 create_file(_metadata, file2_s1d2); 329 create_file(_metadata, file2_s1d3); 330 331 create_file(_metadata, file1_s2d1); 332 create_file(_metadata, file1_s2d2); 333 create_file(_metadata, file1_s2d3); 334 create_file(_metadata, file2_s2d3); 335 336 create_file(_metadata, file1_s3d1); 337 create_directory(_metadata, dir_s3d2); 338 set_cap(_metadata, CAP_SYS_ADMIN); 339 ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2)); 340 clear_cap(_metadata, CAP_SYS_ADMIN); 341 342 ASSERT_EQ(0, mkdir(dir_s3d3, 0700)); 343 } 344 345 static void remove_layout1(struct __test_metadata *const _metadata) 346 { 347 EXPECT_EQ(0, remove_path(file2_s1d3)); 348 EXPECT_EQ(0, remove_path(file2_s1d2)); 349 EXPECT_EQ(0, remove_path(file2_s1d1)); 350 EXPECT_EQ(0, remove_path(file1_s1d3)); 351 EXPECT_EQ(0, remove_path(file1_s1d2)); 352 EXPECT_EQ(0, remove_path(file1_s1d1)); 353 EXPECT_EQ(0, remove_path(dir_s1d3)); 354 355 EXPECT_EQ(0, remove_path(file2_s2d3)); 356 EXPECT_EQ(0, remove_path(file1_s2d3)); 357 EXPECT_EQ(0, remove_path(file1_s2d2)); 358 EXPECT_EQ(0, remove_path(file1_s2d1)); 359 EXPECT_EQ(0, remove_path(dir_s2d2)); 360 361 EXPECT_EQ(0, remove_path(file1_s3d1)); 362 EXPECT_EQ(0, remove_path(dir_s3d3)); 363 set_cap(_metadata, CAP_SYS_ADMIN); 364 umount(dir_s3d2); 365 clear_cap(_metadata, CAP_SYS_ADMIN); 366 EXPECT_EQ(0, remove_path(dir_s3d2)); 367 } 368 369 /* clang-format off */ 370 FIXTURE(layout1) {}; 371 /* clang-format on */ 372 373 FIXTURE_SETUP(layout1) 374 { 375 prepare_layout(_metadata); 376 377 create_layout1(_metadata); 378 } 379 380 FIXTURE_TEARDOWN_PARENT(layout1) 381 { 382 remove_layout1(_metadata); 383 384 cleanup_layout(_metadata); 385 } 386 387 /* 388 * This helper enables to use the ASSERT_* macros and print the line number 389 * pointing to the test caller. 390 */ 391 static int test_open_rel(const int dirfd, const char *const path, 392 const int flags) 393 { 394 int fd; 395 396 /* Works with file and directories. */ 397 fd = openat(dirfd, path, flags | O_CLOEXEC); 398 if (fd < 0) 399 return errno; 400 /* 401 * Mixing error codes from close(2) and open(2) should not lead to any 402 * (access type) confusion for this test. 403 */ 404 if (close(fd) != 0) 405 return errno; 406 return 0; 407 } 408 409 static int test_open(const char *const path, const int flags) 410 { 411 return test_open_rel(AT_FDCWD, path, flags); 412 } 413 414 TEST_F_FORK(layout1, no_restriction) 415 { 416 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); 417 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); 418 ASSERT_EQ(0, test_open(file2_s1d1, O_RDONLY)); 419 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); 420 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 421 ASSERT_EQ(0, test_open(file2_s1d2, O_RDONLY)); 422 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); 423 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 424 425 ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY)); 426 ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY)); 427 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY)); 428 ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY)); 429 ASSERT_EQ(0, test_open(dir_s2d3, O_RDONLY)); 430 ASSERT_EQ(0, test_open(file1_s2d3, O_RDONLY)); 431 432 ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY)); 433 ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY)); 434 ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY)); 435 } 436 437 TEST_F_FORK(layout1, inval) 438 { 439 struct landlock_path_beneath_attr path_beneath = { 440 .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | 441 LANDLOCK_ACCESS_FS_WRITE_FILE, 442 .parent_fd = -1, 443 }; 444 struct landlock_ruleset_attr ruleset_attr = { 445 .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | 446 LANDLOCK_ACCESS_FS_WRITE_FILE, 447 }; 448 int ruleset_fd; 449 450 path_beneath.parent_fd = 451 open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC); 452 ASSERT_LE(0, path_beneath.parent_fd); 453 454 ruleset_fd = open(dir_s1d1, O_PATH | O_DIRECTORY | O_CLOEXEC); 455 ASSERT_LE(0, ruleset_fd); 456 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 457 &path_beneath, 0)); 458 /* Returns EBADF because ruleset_fd is not a landlock-ruleset FD. */ 459 ASSERT_EQ(EBADF, errno); 460 ASSERT_EQ(0, close(ruleset_fd)); 461 462 ruleset_fd = open(dir_s1d1, O_DIRECTORY | O_CLOEXEC); 463 ASSERT_LE(0, ruleset_fd); 464 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 465 &path_beneath, 0)); 466 /* Returns EBADFD because ruleset_fd is not a valid ruleset. */ 467 ASSERT_EQ(EBADFD, errno); 468 ASSERT_EQ(0, close(ruleset_fd)); 469 470 /* Gets a real ruleset. */ 471 ruleset_fd = 472 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 473 ASSERT_LE(0, ruleset_fd); 474 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 475 &path_beneath, 0)); 476 ASSERT_EQ(0, close(path_beneath.parent_fd)); 477 478 /* Tests without O_PATH. */ 479 path_beneath.parent_fd = open(dir_s1d2, O_DIRECTORY | O_CLOEXEC); 480 ASSERT_LE(0, path_beneath.parent_fd); 481 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 482 &path_beneath, 0)); 483 ASSERT_EQ(0, close(path_beneath.parent_fd)); 484 485 /* Tests with a ruleset FD. */ 486 path_beneath.parent_fd = ruleset_fd; 487 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 488 &path_beneath, 0)); 489 ASSERT_EQ(EBADFD, errno); 490 491 /* Checks unhandled allowed_access. */ 492 path_beneath.parent_fd = 493 open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC); 494 ASSERT_LE(0, path_beneath.parent_fd); 495 496 /* Test with legitimate values. */ 497 path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_EXECUTE; 498 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 499 &path_beneath, 0)); 500 ASSERT_EQ(EINVAL, errno); 501 path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE; 502 503 /* Tests with denied-by-default access right. */ 504 path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_REFER; 505 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 506 &path_beneath, 0)); 507 ASSERT_EQ(EINVAL, errno); 508 path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER; 509 510 /* Test with unknown (64-bits) value. */ 511 path_beneath.allowed_access |= (1ULL << 60); 512 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 513 &path_beneath, 0)); 514 ASSERT_EQ(EINVAL, errno); 515 path_beneath.allowed_access &= ~(1ULL << 60); 516 517 /* Test with no access. */ 518 path_beneath.allowed_access = 0; 519 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 520 &path_beneath, 0)); 521 ASSERT_EQ(ENOMSG, errno); 522 path_beneath.allowed_access &= ~(1ULL << 60); 523 524 ASSERT_EQ(0, close(path_beneath.parent_fd)); 525 526 /* Enforces the ruleset. */ 527 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); 528 ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0)); 529 530 ASSERT_EQ(0, close(ruleset_fd)); 531 } 532 533 /* clang-format off */ 534 535 #define ACCESS_FILE ( \ 536 LANDLOCK_ACCESS_FS_EXECUTE | \ 537 LANDLOCK_ACCESS_FS_WRITE_FILE | \ 538 LANDLOCK_ACCESS_FS_READ_FILE | \ 539 LANDLOCK_ACCESS_FS_TRUNCATE) 540 541 #define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE 542 543 #define ACCESS_ALL ( \ 544 ACCESS_FILE | \ 545 LANDLOCK_ACCESS_FS_READ_DIR | \ 546 LANDLOCK_ACCESS_FS_REMOVE_DIR | \ 547 LANDLOCK_ACCESS_FS_REMOVE_FILE | \ 548 LANDLOCK_ACCESS_FS_MAKE_CHAR | \ 549 LANDLOCK_ACCESS_FS_MAKE_DIR | \ 550 LANDLOCK_ACCESS_FS_MAKE_REG | \ 551 LANDLOCK_ACCESS_FS_MAKE_SOCK | \ 552 LANDLOCK_ACCESS_FS_MAKE_FIFO | \ 553 LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ 554 LANDLOCK_ACCESS_FS_MAKE_SYM | \ 555 LANDLOCK_ACCESS_FS_REFER) 556 557 /* clang-format on */ 558 559 TEST_F_FORK(layout1, file_and_dir_access_rights) 560 { 561 __u64 access; 562 int err; 563 struct landlock_path_beneath_attr path_beneath_file = {}, 564 path_beneath_dir = {}; 565 struct landlock_ruleset_attr ruleset_attr = { 566 .handled_access_fs = ACCESS_ALL, 567 }; 568 const int ruleset_fd = 569 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 570 571 ASSERT_LE(0, ruleset_fd); 572 573 /* Tests access rights for files. */ 574 path_beneath_file.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC); 575 ASSERT_LE(0, path_beneath_file.parent_fd); 576 577 /* Tests access rights for directories. */ 578 path_beneath_dir.parent_fd = 579 open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC); 580 ASSERT_LE(0, path_beneath_dir.parent_fd); 581 582 for (access = 1; access <= ACCESS_LAST; access <<= 1) { 583 path_beneath_dir.allowed_access = access; 584 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 585 LANDLOCK_RULE_PATH_BENEATH, 586 &path_beneath_dir, 0)); 587 588 path_beneath_file.allowed_access = access; 589 err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 590 &path_beneath_file, 0); 591 if (access & ACCESS_FILE) { 592 ASSERT_EQ(0, err); 593 } else { 594 ASSERT_EQ(-1, err); 595 ASSERT_EQ(EINVAL, errno); 596 } 597 } 598 ASSERT_EQ(0, close(path_beneath_file.parent_fd)); 599 ASSERT_EQ(0, close(path_beneath_dir.parent_fd)); 600 ASSERT_EQ(0, close(ruleset_fd)); 601 } 602 603 TEST_F_FORK(layout0, ruleset_with_unknown_access) 604 { 605 __u64 access_mask; 606 607 for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST; 608 access_mask >>= 1) { 609 struct landlock_ruleset_attr ruleset_attr = { 610 .handled_access_fs = access_mask, 611 }; 612 613 ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 614 sizeof(ruleset_attr), 0)); 615 ASSERT_EQ(EINVAL, errno); 616 } 617 } 618 619 TEST_F_FORK(layout0, rule_with_unknown_access) 620 { 621 __u64 access; 622 struct landlock_path_beneath_attr path_beneath = {}; 623 const struct landlock_ruleset_attr ruleset_attr = { 624 .handled_access_fs = ACCESS_ALL, 625 }; 626 const int ruleset_fd = 627 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 628 629 ASSERT_LE(0, ruleset_fd); 630 631 path_beneath.parent_fd = 632 open(TMP_DIR, O_PATH | O_DIRECTORY | O_CLOEXEC); 633 ASSERT_LE(0, path_beneath.parent_fd); 634 635 for (access = 1ULL << 63; access != ACCESS_LAST; access >>= 1) { 636 path_beneath.allowed_access = access; 637 EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, 638 LANDLOCK_RULE_PATH_BENEATH, 639 &path_beneath, 0)); 640 EXPECT_EQ(EINVAL, errno); 641 } 642 ASSERT_EQ(0, close(path_beneath.parent_fd)); 643 ASSERT_EQ(0, close(ruleset_fd)); 644 } 645 646 TEST_F_FORK(layout1, rule_with_unhandled_access) 647 { 648 struct landlock_ruleset_attr ruleset_attr = { 649 .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE, 650 }; 651 struct landlock_path_beneath_attr path_beneath = {}; 652 int ruleset_fd; 653 __u64 access; 654 655 ruleset_fd = 656 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 657 ASSERT_LE(0, ruleset_fd); 658 659 path_beneath.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC); 660 ASSERT_LE(0, path_beneath.parent_fd); 661 662 for (access = 1; access > 0; access <<= 1) { 663 int err; 664 665 path_beneath.allowed_access = access; 666 err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 667 &path_beneath, 0); 668 if (access == ruleset_attr.handled_access_fs) { 669 EXPECT_EQ(0, err); 670 } else { 671 EXPECT_EQ(-1, err); 672 EXPECT_EQ(EINVAL, errno); 673 } 674 } 675 676 EXPECT_EQ(0, close(path_beneath.parent_fd)); 677 EXPECT_EQ(0, close(ruleset_fd)); 678 } 679 680 static void add_path_beneath(struct __test_metadata *const _metadata, 681 const int ruleset_fd, const __u64 allowed_access, 682 const char *const path) 683 { 684 struct landlock_path_beneath_attr path_beneath = { 685 .allowed_access = allowed_access, 686 }; 687 688 path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC); 689 ASSERT_LE(0, path_beneath.parent_fd) 690 { 691 TH_LOG("Failed to open directory \"%s\": %s", path, 692 strerror(errno)); 693 } 694 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 695 &path_beneath, 0)) 696 { 697 TH_LOG("Failed to update the ruleset with \"%s\": %s", path, 698 strerror(errno)); 699 } 700 ASSERT_EQ(0, close(path_beneath.parent_fd)); 701 } 702 703 struct rule { 704 const char *path; 705 __u64 access; 706 }; 707 708 /* clang-format off */ 709 710 #define ACCESS_RO ( \ 711 LANDLOCK_ACCESS_FS_READ_FILE | \ 712 LANDLOCK_ACCESS_FS_READ_DIR) 713 714 #define ACCESS_RW ( \ 715 ACCESS_RO | \ 716 LANDLOCK_ACCESS_FS_WRITE_FILE) 717 718 /* clang-format on */ 719 720 static int create_ruleset(struct __test_metadata *const _metadata, 721 const __u64 handled_access_fs, 722 const struct rule rules[]) 723 { 724 int ruleset_fd, i; 725 struct landlock_ruleset_attr ruleset_attr = { 726 .handled_access_fs = handled_access_fs, 727 }; 728 729 ASSERT_NE(NULL, rules) 730 { 731 TH_LOG("No rule list"); 732 } 733 ASSERT_NE(NULL, rules[0].path) 734 { 735 TH_LOG("Empty rule list"); 736 } 737 738 ruleset_fd = 739 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 740 ASSERT_LE(0, ruleset_fd) 741 { 742 TH_LOG("Failed to create a ruleset: %s", strerror(errno)); 743 } 744 745 for (i = 0; rules[i].path; i++) { 746 add_path_beneath(_metadata, ruleset_fd, rules[i].access, 747 rules[i].path); 748 } 749 return ruleset_fd; 750 } 751 752 TEST_F_FORK(layout0, proc_nsfs) 753 { 754 const struct rule rules[] = { 755 { 756 .path = "/dev/null", 757 .access = LANDLOCK_ACCESS_FS_READ_FILE | 758 LANDLOCK_ACCESS_FS_WRITE_FILE, 759 }, 760 {}, 761 }; 762 struct landlock_path_beneath_attr path_beneath; 763 const int ruleset_fd = create_ruleset( 764 _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR, 765 rules); 766 767 ASSERT_LE(0, ruleset_fd); 768 ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY)); 769 770 enforce_ruleset(_metadata, ruleset_fd); 771 772 ASSERT_EQ(EACCES, test_open("/", O_RDONLY)); 773 ASSERT_EQ(EACCES, test_open("/dev", O_RDONLY)); 774 ASSERT_EQ(0, test_open("/dev/null", O_RDONLY)); 775 ASSERT_EQ(EACCES, test_open("/dev/full", O_RDONLY)); 776 777 ASSERT_EQ(EACCES, test_open("/proc", O_RDONLY)); 778 ASSERT_EQ(EACCES, test_open("/proc/self", O_RDONLY)); 779 ASSERT_EQ(EACCES, test_open("/proc/self/ns", O_RDONLY)); 780 /* 781 * Because nsfs is an internal filesystem, /proc/self/ns/mnt is a 782 * disconnected path. Such path cannot be identified and must then be 783 * allowed. 784 */ 785 ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY)); 786 787 /* 788 * Checks that it is not possible to add nsfs-like filesystem 789 * references to a ruleset. 790 */ 791 path_beneath.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | 792 LANDLOCK_ACCESS_FS_WRITE_FILE, 793 path_beneath.parent_fd = open("/proc/self/ns/mnt", O_PATH | O_CLOEXEC); 794 ASSERT_LE(0, path_beneath.parent_fd); 795 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 796 &path_beneath, 0)); 797 ASSERT_EQ(EBADFD, errno); 798 ASSERT_EQ(0, close(path_beneath.parent_fd)); 799 } 800 801 TEST_F_FORK(layout0, unpriv) 802 { 803 const struct rule rules[] = { 804 { 805 .path = TMP_DIR, 806 .access = ACCESS_RO, 807 }, 808 {}, 809 }; 810 int ruleset_fd; 811 812 drop_caps(_metadata); 813 814 ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules); 815 ASSERT_LE(0, ruleset_fd); 816 ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0)); 817 ASSERT_EQ(EPERM, errno); 818 819 /* enforce_ruleset() calls prctl(no_new_privs). */ 820 enforce_ruleset(_metadata, ruleset_fd); 821 ASSERT_EQ(0, close(ruleset_fd)); 822 } 823 824 TEST_F_FORK(layout1, effective_access) 825 { 826 const struct rule rules[] = { 827 { 828 .path = dir_s1d2, 829 .access = ACCESS_RO, 830 }, 831 { 832 .path = file1_s2d2, 833 .access = LANDLOCK_ACCESS_FS_READ_FILE | 834 LANDLOCK_ACCESS_FS_WRITE_FILE, 835 }, 836 {}, 837 }; 838 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 839 char buf; 840 int reg_fd; 841 842 ASSERT_LE(0, ruleset_fd); 843 enforce_ruleset(_metadata, ruleset_fd); 844 ASSERT_EQ(0, close(ruleset_fd)); 845 846 /* Tests on a directory (with or without O_PATH). */ 847 ASSERT_EQ(EACCES, test_open("/", O_RDONLY)); 848 ASSERT_EQ(0, test_open("/", O_RDONLY | O_PATH)); 849 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); 850 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_PATH)); 851 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); 852 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY | O_PATH)); 853 854 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); 855 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 856 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); 857 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 858 859 /* Tests on a file (with or without O_PATH). */ 860 ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY)); 861 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_PATH)); 862 863 ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY)); 864 865 /* Checks effective read and write actions. */ 866 reg_fd = open(file1_s2d2, O_RDWR | O_CLOEXEC); 867 ASSERT_LE(0, reg_fd); 868 ASSERT_EQ(1, write(reg_fd, ".", 1)); 869 ASSERT_LE(0, lseek(reg_fd, 0, SEEK_SET)); 870 ASSERT_EQ(1, read(reg_fd, &buf, 1)); 871 ASSERT_EQ('.', buf); 872 ASSERT_EQ(0, close(reg_fd)); 873 874 /* Just in case, double-checks effective actions. */ 875 reg_fd = open(file1_s2d2, O_RDONLY | O_CLOEXEC); 876 ASSERT_LE(0, reg_fd); 877 ASSERT_EQ(-1, write(reg_fd, &buf, 1)); 878 ASSERT_EQ(EBADF, errno); 879 ASSERT_EQ(0, close(reg_fd)); 880 } 881 882 TEST_F_FORK(layout1, unhandled_access) 883 { 884 const struct rule rules[] = { 885 { 886 .path = dir_s1d2, 887 .access = ACCESS_RO, 888 }, 889 {}, 890 }; 891 /* Here, we only handle read accesses, not write accesses. */ 892 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules); 893 894 ASSERT_LE(0, ruleset_fd); 895 enforce_ruleset(_metadata, ruleset_fd); 896 ASSERT_EQ(0, close(ruleset_fd)); 897 898 /* 899 * Because the policy does not handle LANDLOCK_ACCESS_FS_WRITE_FILE, 900 * opening for write-only should be allowed, but not read-write. 901 */ 902 ASSERT_EQ(0, test_open(file1_s1d1, O_WRONLY)); 903 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); 904 905 ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY)); 906 ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR)); 907 } 908 909 TEST_F_FORK(layout1, ruleset_overlap) 910 { 911 const struct rule rules[] = { 912 /* These rules should be ORed among them. */ 913 { 914 .path = dir_s1d2, 915 .access = LANDLOCK_ACCESS_FS_READ_FILE | 916 LANDLOCK_ACCESS_FS_WRITE_FILE, 917 }, 918 { 919 .path = dir_s1d2, 920 .access = LANDLOCK_ACCESS_FS_READ_FILE | 921 LANDLOCK_ACCESS_FS_READ_DIR, 922 }, 923 {}, 924 }; 925 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 926 927 ASSERT_LE(0, ruleset_fd); 928 enforce_ruleset(_metadata, ruleset_fd); 929 ASSERT_EQ(0, close(ruleset_fd)); 930 931 /* Checks s1d1 hierarchy. */ 932 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); 933 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 934 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); 935 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 936 937 /* Checks s1d2 hierarchy. */ 938 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 939 ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY)); 940 ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR)); 941 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 942 943 /* Checks s1d3 hierarchy. */ 944 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 945 ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY)); 946 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); 947 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); 948 } 949 950 TEST_F_FORK(layout1, layer_rule_unions) 951 { 952 const struct rule layer1[] = { 953 { 954 .path = dir_s1d2, 955 .access = LANDLOCK_ACCESS_FS_READ_FILE, 956 }, 957 /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */ 958 { 959 .path = dir_s1d3, 960 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 961 }, 962 {}, 963 }; 964 const struct rule layer2[] = { 965 /* Doesn't change anything from layer1. */ 966 { 967 .path = dir_s1d2, 968 .access = LANDLOCK_ACCESS_FS_READ_FILE | 969 LANDLOCK_ACCESS_FS_WRITE_FILE, 970 }, 971 {}, 972 }; 973 const struct rule layer3[] = { 974 /* Only allows write (but not read) to dir_s1d3. */ 975 { 976 .path = dir_s1d2, 977 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 978 }, 979 {}, 980 }; 981 int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1); 982 983 ASSERT_LE(0, ruleset_fd); 984 enforce_ruleset(_metadata, ruleset_fd); 985 ASSERT_EQ(0, close(ruleset_fd)); 986 987 /* Checks s1d1 hierarchy with layer1. */ 988 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); 989 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 990 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); 991 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 992 993 /* Checks s1d2 hierarchy with layer1. */ 994 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 995 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 996 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR)); 997 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 998 999 /* Checks s1d3 hierarchy with layer1. */ 1000 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 1001 ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY)); 1002 /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */ 1003 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); 1004 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1005 1006 /* Doesn't change anything from layer1. */ 1007 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2); 1008 ASSERT_LE(0, ruleset_fd); 1009 enforce_ruleset(_metadata, ruleset_fd); 1010 ASSERT_EQ(0, close(ruleset_fd)); 1011 1012 /* Checks s1d1 hierarchy with layer2. */ 1013 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); 1014 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 1015 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); 1016 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1017 1018 /* Checks s1d2 hierarchy with layer2. */ 1019 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 1020 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 1021 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR)); 1022 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1023 1024 /* Checks s1d3 hierarchy with layer2. */ 1025 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 1026 ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY)); 1027 /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */ 1028 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); 1029 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1030 1031 /* Only allows write (but not read) to dir_s1d3. */ 1032 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3); 1033 ASSERT_LE(0, ruleset_fd); 1034 enforce_ruleset(_metadata, ruleset_fd); 1035 ASSERT_EQ(0, close(ruleset_fd)); 1036 1037 /* Checks s1d1 hierarchy with layer3. */ 1038 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); 1039 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 1040 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); 1041 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1042 1043 /* Checks s1d2 hierarchy with layer3. */ 1044 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY)); 1045 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 1046 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR)); 1047 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1048 1049 /* Checks s1d3 hierarchy with layer3. */ 1050 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY)); 1051 ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY)); 1052 /* dir_s1d3 should now deny READ_FILE and WRITE_FILE (O_RDWR). */ 1053 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDWR)); 1054 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1055 } 1056 1057 TEST_F_FORK(layout1, non_overlapping_accesses) 1058 { 1059 const struct rule layer1[] = { 1060 { 1061 .path = dir_s1d2, 1062 .access = LANDLOCK_ACCESS_FS_MAKE_REG, 1063 }, 1064 {}, 1065 }; 1066 const struct rule layer2[] = { 1067 { 1068 .path = dir_s1d3, 1069 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, 1070 }, 1071 {}, 1072 }; 1073 int ruleset_fd; 1074 1075 ASSERT_EQ(0, unlink(file1_s1d1)); 1076 ASSERT_EQ(0, unlink(file1_s1d2)); 1077 1078 ruleset_fd = 1079 create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, layer1); 1080 ASSERT_LE(0, ruleset_fd); 1081 enforce_ruleset(_metadata, ruleset_fd); 1082 ASSERT_EQ(0, close(ruleset_fd)); 1083 1084 ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0)); 1085 ASSERT_EQ(EACCES, errno); 1086 ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0)); 1087 ASSERT_EQ(0, unlink(file1_s1d2)); 1088 1089 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REMOVE_FILE, 1090 layer2); 1091 ASSERT_LE(0, ruleset_fd); 1092 enforce_ruleset(_metadata, ruleset_fd); 1093 ASSERT_EQ(0, close(ruleset_fd)); 1094 1095 /* Unchanged accesses for file creation. */ 1096 ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0)); 1097 ASSERT_EQ(EACCES, errno); 1098 ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0)); 1099 1100 /* Checks file removing. */ 1101 ASSERT_EQ(-1, unlink(file1_s1d2)); 1102 ASSERT_EQ(EACCES, errno); 1103 ASSERT_EQ(0, unlink(file1_s1d3)); 1104 } 1105 1106 TEST_F_FORK(layout1, interleaved_masked_accesses) 1107 { 1108 /* 1109 * Checks overly restrictive rules: 1110 * layer 1: allows R s1d1/s1d2/s1d3/file1 1111 * layer 2: allows RW s1d1/s1d2/s1d3 1112 * allows W s1d1/s1d2 1113 * denies R s1d1/s1d2 1114 * layer 3: allows R s1d1 1115 * layer 4: allows R s1d1/s1d2 1116 * denies W s1d1/s1d2 1117 * layer 5: allows R s1d1/s1d2 1118 * layer 6: allows X ---- 1119 * layer 7: allows W s1d1/s1d2 1120 * denies R s1d1/s1d2 1121 */ 1122 const struct rule layer1_read[] = { 1123 /* Allows read access to file1_s1d3 with the first layer. */ 1124 { 1125 .path = file1_s1d3, 1126 .access = LANDLOCK_ACCESS_FS_READ_FILE, 1127 }, 1128 {}, 1129 }; 1130 /* First rule with write restrictions. */ 1131 const struct rule layer2_read_write[] = { 1132 /* Start by granting read-write access via its parent directory... */ 1133 { 1134 .path = dir_s1d3, 1135 .access = LANDLOCK_ACCESS_FS_READ_FILE | 1136 LANDLOCK_ACCESS_FS_WRITE_FILE, 1137 }, 1138 /* ...but also denies read access via its grandparent directory. */ 1139 { 1140 .path = dir_s1d2, 1141 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 1142 }, 1143 {}, 1144 }; 1145 const struct rule layer3_read[] = { 1146 /* Allows read access via its great-grandparent directory. */ 1147 { 1148 .path = dir_s1d1, 1149 .access = LANDLOCK_ACCESS_FS_READ_FILE, 1150 }, 1151 {}, 1152 }; 1153 const struct rule layer4_read_write[] = { 1154 /* 1155 * Try to confuse the deny access by denying write (but not 1156 * read) access via its grandparent directory. 1157 */ 1158 { 1159 .path = dir_s1d2, 1160 .access = LANDLOCK_ACCESS_FS_READ_FILE, 1161 }, 1162 {}, 1163 }; 1164 const struct rule layer5_read[] = { 1165 /* 1166 * Try to override layer2's deny read access by explicitly 1167 * allowing read access via file1_s1d3's grandparent. 1168 */ 1169 { 1170 .path = dir_s1d2, 1171 .access = LANDLOCK_ACCESS_FS_READ_FILE, 1172 }, 1173 {}, 1174 }; 1175 const struct rule layer6_execute[] = { 1176 /* 1177 * Restricts an unrelated file hierarchy with a new access 1178 * (non-overlapping) type. 1179 */ 1180 { 1181 .path = dir_s2d1, 1182 .access = LANDLOCK_ACCESS_FS_EXECUTE, 1183 }, 1184 {}, 1185 }; 1186 const struct rule layer7_read_write[] = { 1187 /* 1188 * Finally, denies read access to file1_s1d3 via its 1189 * grandparent. 1190 */ 1191 { 1192 .path = dir_s1d2, 1193 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 1194 }, 1195 {}, 1196 }; 1197 int ruleset_fd; 1198 1199 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, 1200 layer1_read); 1201 ASSERT_LE(0, ruleset_fd); 1202 enforce_ruleset(_metadata, ruleset_fd); 1203 ASSERT_EQ(0, close(ruleset_fd)); 1204 1205 /* Checks that read access is granted for file1_s1d3 with layer 1. */ 1206 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); 1207 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); 1208 ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY)); 1209 1210 ruleset_fd = create_ruleset(_metadata, 1211 LANDLOCK_ACCESS_FS_READ_FILE | 1212 LANDLOCK_ACCESS_FS_WRITE_FILE, 1213 layer2_read_write); 1214 ASSERT_LE(0, ruleset_fd); 1215 enforce_ruleset(_metadata, ruleset_fd); 1216 ASSERT_EQ(0, close(ruleset_fd)); 1217 1218 /* Checks that previous access rights are unchanged with layer 2. */ 1219 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); 1220 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); 1221 ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY)); 1222 1223 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, 1224 layer3_read); 1225 ASSERT_LE(0, ruleset_fd); 1226 enforce_ruleset(_metadata, ruleset_fd); 1227 ASSERT_EQ(0, close(ruleset_fd)); 1228 1229 /* Checks that previous access rights are unchanged with layer 3. */ 1230 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR)); 1231 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); 1232 ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY)); 1233 1234 /* This time, denies write access for the file hierarchy. */ 1235 ruleset_fd = create_ruleset(_metadata, 1236 LANDLOCK_ACCESS_FS_READ_FILE | 1237 LANDLOCK_ACCESS_FS_WRITE_FILE, 1238 layer4_read_write); 1239 ASSERT_LE(0, ruleset_fd); 1240 enforce_ruleset(_metadata, ruleset_fd); 1241 ASSERT_EQ(0, close(ruleset_fd)); 1242 1243 /* 1244 * Checks that the only change with layer 4 is that write access is 1245 * denied. 1246 */ 1247 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 1248 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 1249 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); 1250 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY)); 1251 1252 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, 1253 layer5_read); 1254 ASSERT_LE(0, ruleset_fd); 1255 enforce_ruleset(_metadata, ruleset_fd); 1256 ASSERT_EQ(0, close(ruleset_fd)); 1257 1258 /* Checks that previous access rights are unchanged with layer 5. */ 1259 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 1260 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 1261 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY)); 1262 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); 1263 1264 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_EXECUTE, 1265 layer6_execute); 1266 ASSERT_LE(0, ruleset_fd); 1267 enforce_ruleset(_metadata, ruleset_fd); 1268 ASSERT_EQ(0, close(ruleset_fd)); 1269 1270 /* Checks that previous access rights are unchanged with layer 6. */ 1271 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 1272 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 1273 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY)); 1274 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); 1275 1276 ruleset_fd = create_ruleset(_metadata, 1277 LANDLOCK_ACCESS_FS_READ_FILE | 1278 LANDLOCK_ACCESS_FS_WRITE_FILE, 1279 layer7_read_write); 1280 ASSERT_LE(0, ruleset_fd); 1281 enforce_ruleset(_metadata, ruleset_fd); 1282 ASSERT_EQ(0, close(ruleset_fd)); 1283 1284 /* Checks read access is now denied with layer 7. */ 1285 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY)); 1286 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 1287 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY)); 1288 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY)); 1289 } 1290 1291 TEST_F_FORK(layout1, inherit_subset) 1292 { 1293 const struct rule rules[] = { 1294 { 1295 .path = dir_s1d2, 1296 .access = LANDLOCK_ACCESS_FS_READ_FILE | 1297 LANDLOCK_ACCESS_FS_READ_DIR, 1298 }, 1299 {}, 1300 }; 1301 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1302 1303 ASSERT_LE(0, ruleset_fd); 1304 enforce_ruleset(_metadata, ruleset_fd); 1305 1306 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 1307 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1308 1309 /* Write access is forbidden. */ 1310 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 1311 /* Readdir access is allowed. */ 1312 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 1313 1314 /* Write access is forbidden. */ 1315 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 1316 /* Readdir access is allowed. */ 1317 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); 1318 1319 /* 1320 * Tests shared rule extension: the following rules should not grant 1321 * any new access, only remove some. Once enforced, these rules are 1322 * ANDed with the previous ones. 1323 */ 1324 add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE, 1325 dir_s1d2); 1326 /* 1327 * According to ruleset_fd, dir_s1d2 should now have the 1328 * LANDLOCK_ACCESS_FS_READ_FILE and LANDLOCK_ACCESS_FS_WRITE_FILE 1329 * access rights (even if this directory is opened a second time). 1330 * However, when enforcing this updated ruleset, the ruleset tied to 1331 * the current process (i.e. its domain) will still only have the 1332 * dir_s1d2 with LANDLOCK_ACCESS_FS_READ_FILE and 1333 * LANDLOCK_ACCESS_FS_READ_DIR accesses, but 1334 * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would 1335 * be a privilege escalation. 1336 */ 1337 enforce_ruleset(_metadata, ruleset_fd); 1338 1339 /* Same tests and results as above. */ 1340 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 1341 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1342 1343 /* It is still forbidden to write in file1_s1d2. */ 1344 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 1345 /* Readdir access is still allowed. */ 1346 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 1347 1348 /* It is still forbidden to write in file1_s1d3. */ 1349 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 1350 /* Readdir access is still allowed. */ 1351 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); 1352 1353 /* 1354 * Try to get more privileges by adding new access rights to the parent 1355 * directory: dir_s1d1. 1356 */ 1357 add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1); 1358 enforce_ruleset(_metadata, ruleset_fd); 1359 1360 /* Same tests and results as above. */ 1361 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 1362 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1363 1364 /* It is still forbidden to write in file1_s1d2. */ 1365 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 1366 /* Readdir access is still allowed. */ 1367 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 1368 1369 /* It is still forbidden to write in file1_s1d3. */ 1370 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 1371 /* Readdir access is still allowed. */ 1372 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); 1373 1374 /* 1375 * Now, dir_s1d3 get a new rule tied to it, only allowing 1376 * LANDLOCK_ACCESS_FS_WRITE_FILE. The (kernel internal) difference is 1377 * that there was no rule tied to it before. 1378 */ 1379 add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE, 1380 dir_s1d3); 1381 enforce_ruleset(_metadata, ruleset_fd); 1382 ASSERT_EQ(0, close(ruleset_fd)); 1383 1384 /* 1385 * Same tests and results as above, except for open(dir_s1d3) which is 1386 * now denied because the new rule mask the rule previously inherited 1387 * from dir_s1d2. 1388 */ 1389 1390 /* Same tests and results as above. */ 1391 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 1392 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 1393 1394 /* It is still forbidden to write in file1_s1d2. */ 1395 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 1396 /* Readdir access is still allowed. */ 1397 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 1398 1399 /* It is still forbidden to write in file1_s1d3. */ 1400 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 1401 /* 1402 * Readdir of dir_s1d3 is still allowed because of the OR policy inside 1403 * the same layer. 1404 */ 1405 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); 1406 } 1407 1408 TEST_F_FORK(layout1, inherit_superset) 1409 { 1410 const struct rule rules[] = { 1411 { 1412 .path = dir_s1d3, 1413 .access = ACCESS_RO, 1414 }, 1415 {}, 1416 }; 1417 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1418 1419 ASSERT_LE(0, ruleset_fd); 1420 enforce_ruleset(_metadata, ruleset_fd); 1421 1422 /* Readdir access is denied for dir_s1d2. */ 1423 ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 1424 /* Readdir access is allowed for dir_s1d3. */ 1425 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); 1426 /* File access is allowed for file1_s1d3. */ 1427 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 1428 1429 /* Now dir_s1d2, parent of dir_s1d3, gets a new rule tied to it. */ 1430 add_path_beneath(_metadata, ruleset_fd, 1431 LANDLOCK_ACCESS_FS_READ_FILE | 1432 LANDLOCK_ACCESS_FS_READ_DIR, 1433 dir_s1d2); 1434 enforce_ruleset(_metadata, ruleset_fd); 1435 ASSERT_EQ(0, close(ruleset_fd)); 1436 1437 /* Readdir access is still denied for dir_s1d2. */ 1438 ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 1439 /* Readdir access is still allowed for dir_s1d3. */ 1440 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); 1441 /* File access is still allowed for file1_s1d3. */ 1442 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 1443 } 1444 1445 TEST_F_FORK(layout0, max_layers) 1446 { 1447 int i, err; 1448 const struct rule rules[] = { 1449 { 1450 .path = TMP_DIR, 1451 .access = ACCESS_RO, 1452 }, 1453 {}, 1454 }; 1455 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1456 1457 ASSERT_LE(0, ruleset_fd); 1458 for (i = 0; i < 16; i++) 1459 enforce_ruleset(_metadata, ruleset_fd); 1460 1461 for (i = 0; i < 2; i++) { 1462 err = landlock_restrict_self(ruleset_fd, 0); 1463 ASSERT_EQ(-1, err); 1464 ASSERT_EQ(E2BIG, errno); 1465 } 1466 ASSERT_EQ(0, close(ruleset_fd)); 1467 } 1468 1469 TEST_F_FORK(layout1, empty_or_same_ruleset) 1470 { 1471 struct landlock_ruleset_attr ruleset_attr = {}; 1472 int ruleset_fd; 1473 1474 /* Tests empty handled_access_fs. */ 1475 ruleset_fd = 1476 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 1477 ASSERT_LE(-1, ruleset_fd); 1478 ASSERT_EQ(ENOMSG, errno); 1479 1480 /* Enforces policy which deny read access to all files. */ 1481 ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE; 1482 ruleset_fd = 1483 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 1484 ASSERT_LE(0, ruleset_fd); 1485 enforce_ruleset(_metadata, ruleset_fd); 1486 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); 1487 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); 1488 1489 /* Nests a policy which deny read access to all directories. */ 1490 ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR; 1491 ruleset_fd = 1492 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); 1493 ASSERT_LE(0, ruleset_fd); 1494 enforce_ruleset(_metadata, ruleset_fd); 1495 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); 1496 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); 1497 1498 /* Enforces a second time with the same ruleset. */ 1499 enforce_ruleset(_metadata, ruleset_fd); 1500 ASSERT_EQ(0, close(ruleset_fd)); 1501 } 1502 1503 TEST_F_FORK(layout1, rule_on_mountpoint) 1504 { 1505 const struct rule rules[] = { 1506 { 1507 .path = dir_s1d1, 1508 .access = ACCESS_RO, 1509 }, 1510 { 1511 /* dir_s3d2 is a mount point. */ 1512 .path = dir_s3d2, 1513 .access = ACCESS_RO, 1514 }, 1515 {}, 1516 }; 1517 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1518 1519 ASSERT_LE(0, ruleset_fd); 1520 enforce_ruleset(_metadata, ruleset_fd); 1521 ASSERT_EQ(0, close(ruleset_fd)); 1522 1523 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); 1524 1525 ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY)); 1526 1527 ASSERT_EQ(EACCES, test_open(dir_s3d1, O_RDONLY)); 1528 ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY)); 1529 ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY)); 1530 } 1531 1532 TEST_F_FORK(layout1, rule_over_mountpoint) 1533 { 1534 const struct rule rules[] = { 1535 { 1536 .path = dir_s1d1, 1537 .access = ACCESS_RO, 1538 }, 1539 { 1540 /* dir_s3d2 is a mount point. */ 1541 .path = dir_s3d1, 1542 .access = ACCESS_RO, 1543 }, 1544 {}, 1545 }; 1546 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1547 1548 ASSERT_LE(0, ruleset_fd); 1549 enforce_ruleset(_metadata, ruleset_fd); 1550 ASSERT_EQ(0, close(ruleset_fd)); 1551 1552 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); 1553 1554 ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY)); 1555 1556 ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY)); 1557 ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY)); 1558 ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY)); 1559 } 1560 1561 /* 1562 * This test verifies that we can apply a landlock rule on the root directory 1563 * (which might require special handling). 1564 */ 1565 TEST_F_FORK(layout1, rule_over_root_allow_then_deny) 1566 { 1567 struct rule rules[] = { 1568 { 1569 .path = "/", 1570 .access = ACCESS_RO, 1571 }, 1572 {}, 1573 }; 1574 int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1575 1576 ASSERT_LE(0, ruleset_fd); 1577 enforce_ruleset(_metadata, ruleset_fd); 1578 ASSERT_EQ(0, close(ruleset_fd)); 1579 1580 /* Checks allowed access. */ 1581 ASSERT_EQ(0, test_open("/", O_RDONLY)); 1582 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); 1583 1584 rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE; 1585 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1586 ASSERT_LE(0, ruleset_fd); 1587 enforce_ruleset(_metadata, ruleset_fd); 1588 ASSERT_EQ(0, close(ruleset_fd)); 1589 1590 /* Checks denied access (on a directory). */ 1591 ASSERT_EQ(EACCES, test_open("/", O_RDONLY)); 1592 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); 1593 } 1594 1595 TEST_F_FORK(layout1, rule_over_root_deny) 1596 { 1597 const struct rule rules[] = { 1598 { 1599 .path = "/", 1600 .access = LANDLOCK_ACCESS_FS_READ_FILE, 1601 }, 1602 {}, 1603 }; 1604 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1605 1606 ASSERT_LE(0, ruleset_fd); 1607 enforce_ruleset(_metadata, ruleset_fd); 1608 ASSERT_EQ(0, close(ruleset_fd)); 1609 1610 /* Checks denied access (on a directory). */ 1611 ASSERT_EQ(EACCES, test_open("/", O_RDONLY)); 1612 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); 1613 } 1614 1615 TEST_F_FORK(layout1, rule_inside_mount_ns) 1616 { 1617 const struct rule rules[] = { 1618 { 1619 .path = "s3d3", 1620 .access = ACCESS_RO, 1621 }, 1622 {}, 1623 }; 1624 int ruleset_fd; 1625 1626 set_cap(_metadata, CAP_SYS_ADMIN); 1627 ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)) 1628 { 1629 TH_LOG("Failed to pivot root: %s", strerror(errno)); 1630 }; 1631 ASSERT_EQ(0, chdir("/")); 1632 clear_cap(_metadata, CAP_SYS_ADMIN); 1633 1634 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1635 ASSERT_LE(0, ruleset_fd); 1636 enforce_ruleset(_metadata, ruleset_fd); 1637 ASSERT_EQ(0, close(ruleset_fd)); 1638 1639 ASSERT_EQ(0, test_open("s3d3", O_RDONLY)); 1640 ASSERT_EQ(EACCES, test_open("/", O_RDONLY)); 1641 } 1642 1643 TEST_F_FORK(layout1, mount_and_pivot) 1644 { 1645 const struct rule rules[] = { 1646 { 1647 .path = dir_s3d2, 1648 .access = ACCESS_RO, 1649 }, 1650 {}, 1651 }; 1652 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1653 1654 ASSERT_LE(0, ruleset_fd); 1655 enforce_ruleset(_metadata, ruleset_fd); 1656 ASSERT_EQ(0, close(ruleset_fd)); 1657 1658 set_cap(_metadata, CAP_SYS_ADMIN); 1659 ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL)); 1660 ASSERT_EQ(EPERM, errno); 1661 ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); 1662 ASSERT_EQ(EPERM, errno); 1663 clear_cap(_metadata, CAP_SYS_ADMIN); 1664 } 1665 1666 TEST_F_FORK(layout1, move_mount) 1667 { 1668 const struct rule rules[] = { 1669 { 1670 .path = dir_s3d2, 1671 .access = ACCESS_RO, 1672 }, 1673 {}, 1674 }; 1675 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1676 1677 ASSERT_LE(0, ruleset_fd); 1678 1679 set_cap(_metadata, CAP_SYS_ADMIN); 1680 ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, 1681 dir_s1d2, 0)) 1682 { 1683 TH_LOG("Failed to move mount: %s", strerror(errno)); 1684 } 1685 1686 ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD, 1687 dir_s3d2, 0)); 1688 clear_cap(_metadata, CAP_SYS_ADMIN); 1689 1690 enforce_ruleset(_metadata, ruleset_fd); 1691 ASSERT_EQ(0, close(ruleset_fd)); 1692 1693 set_cap(_metadata, CAP_SYS_ADMIN); 1694 ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, 1695 dir_s1d2, 0)); 1696 ASSERT_EQ(EPERM, errno); 1697 clear_cap(_metadata, CAP_SYS_ADMIN); 1698 } 1699 1700 TEST_F_FORK(layout1, topology_changes_with_net_only) 1701 { 1702 const struct landlock_ruleset_attr ruleset_net = { 1703 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | 1704 LANDLOCK_ACCESS_NET_CONNECT_TCP, 1705 }; 1706 int ruleset_fd; 1707 1708 /* Add network restrictions. */ 1709 ruleset_fd = 1710 landlock_create_ruleset(&ruleset_net, sizeof(ruleset_net), 0); 1711 ASSERT_LE(0, ruleset_fd); 1712 enforce_ruleset(_metadata, ruleset_fd); 1713 ASSERT_EQ(0, close(ruleset_fd)); 1714 1715 /* Mount, remount, move_mount, umount, and pivot_root checks. */ 1716 set_cap(_metadata, CAP_SYS_ADMIN); 1717 ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s1d2)); 1718 ASSERT_EQ(0, mount(NULL, dir_s1d2, NULL, MS_PRIVATE | MS_REC, NULL)); 1719 ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD, 1720 dir_s2d2, 0)); 1721 ASSERT_EQ(0, umount(dir_s2d2)); 1722 ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); 1723 ASSERT_EQ(0, chdir("/")); 1724 clear_cap(_metadata, CAP_SYS_ADMIN); 1725 } 1726 1727 TEST_F_FORK(layout1, topology_changes_with_net_and_fs) 1728 { 1729 const struct landlock_ruleset_attr ruleset_net_fs = { 1730 .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | 1731 LANDLOCK_ACCESS_NET_CONNECT_TCP, 1732 .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE, 1733 }; 1734 int ruleset_fd; 1735 1736 /* Add network and filesystem restrictions. */ 1737 ruleset_fd = landlock_create_ruleset(&ruleset_net_fs, 1738 sizeof(ruleset_net_fs), 0); 1739 ASSERT_LE(0, ruleset_fd); 1740 enforce_ruleset(_metadata, ruleset_fd); 1741 ASSERT_EQ(0, close(ruleset_fd)); 1742 1743 /* Mount, remount, move_mount, umount, and pivot_root checks. */ 1744 set_cap(_metadata, CAP_SYS_ADMIN); 1745 ASSERT_EQ(-1, mount_opt(&mnt_tmp, dir_s1d2)); 1746 ASSERT_EQ(EPERM, errno); 1747 ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_PRIVATE | MS_REC, NULL)); 1748 ASSERT_EQ(EPERM, errno); 1749 ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, 1750 dir_s2d2, 0)); 1751 ASSERT_EQ(EPERM, errno); 1752 ASSERT_EQ(-1, umount(dir_s3d2)); 1753 ASSERT_EQ(EPERM, errno); 1754 ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); 1755 ASSERT_EQ(EPERM, errno); 1756 clear_cap(_metadata, CAP_SYS_ADMIN); 1757 } 1758 1759 TEST_F_FORK(layout1, release_inodes) 1760 { 1761 const struct rule rules[] = { 1762 { 1763 .path = dir_s1d1, 1764 .access = ACCESS_RO, 1765 }, 1766 { 1767 .path = dir_s3d2, 1768 .access = ACCESS_RO, 1769 }, 1770 { 1771 .path = dir_s3d3, 1772 .access = ACCESS_RO, 1773 }, 1774 {}, 1775 }; 1776 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); 1777 1778 ASSERT_LE(0, ruleset_fd); 1779 /* Unmount a file hierarchy while it is being used by a ruleset. */ 1780 set_cap(_metadata, CAP_SYS_ADMIN); 1781 ASSERT_EQ(0, umount(dir_s3d2)); 1782 clear_cap(_metadata, CAP_SYS_ADMIN); 1783 1784 enforce_ruleset(_metadata, ruleset_fd); 1785 ASSERT_EQ(0, close(ruleset_fd)); 1786 1787 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); 1788 ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY)); 1789 /* This dir_s3d3 would not be allowed and does not exist anyway. */ 1790 ASSERT_EQ(ENOENT, test_open(dir_s3d3, O_RDONLY)); 1791 } 1792 1793 enum relative_access { 1794 REL_OPEN, 1795 REL_CHDIR, 1796 REL_CHROOT_ONLY, 1797 REL_CHROOT_CHDIR, 1798 }; 1799 1800 static void test_relative_path(struct __test_metadata *const _metadata, 1801 const enum relative_access rel) 1802 { 1803 /* 1804 * Common layer to check that chroot doesn't ignore it (i.e. a chroot 1805 * is not a disconnected root directory). 1806 */ 1807 const struct rule layer1_base[] = { 1808 { 1809 .path = TMP_DIR, 1810 .access = ACCESS_RO, 1811 }, 1812 {}, 1813 }; 1814 const struct rule layer2_subs[] = { 1815 { 1816 .path = dir_s1d2, 1817 .access = ACCESS_RO, 1818 }, 1819 { 1820 .path = dir_s2d2, 1821 .access = ACCESS_RO, 1822 }, 1823 {}, 1824 }; 1825 int dirfd, ruleset_fd; 1826 1827 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base); 1828 ASSERT_LE(0, ruleset_fd); 1829 enforce_ruleset(_metadata, ruleset_fd); 1830 ASSERT_EQ(0, close(ruleset_fd)); 1831 1832 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_subs); 1833 1834 ASSERT_LE(0, ruleset_fd); 1835 switch (rel) { 1836 case REL_OPEN: 1837 case REL_CHDIR: 1838 break; 1839 case REL_CHROOT_ONLY: 1840 ASSERT_EQ(0, chdir(dir_s2d2)); 1841 break; 1842 case REL_CHROOT_CHDIR: 1843 ASSERT_EQ(0, chdir(dir_s1d2)); 1844 break; 1845 default: 1846 ASSERT_TRUE(false); 1847 return; 1848 } 1849 1850 set_cap(_metadata, CAP_SYS_CHROOT); 1851 enforce_ruleset(_metadata, ruleset_fd); 1852 1853 switch (rel) { 1854 case REL_OPEN: 1855 dirfd = open(dir_s1d2, O_DIRECTORY); 1856 ASSERT_LE(0, dirfd); 1857 break; 1858 case REL_CHDIR: 1859 ASSERT_EQ(0, chdir(dir_s1d2)); 1860 dirfd = AT_FDCWD; 1861 break; 1862 case REL_CHROOT_ONLY: 1863 /* Do chroot into dir_s1d2 (relative to dir_s2d2). */ 1864 ASSERT_EQ(0, chroot("../../s1d1/s1d2")) 1865 { 1866 TH_LOG("Failed to chroot: %s", strerror(errno)); 1867 } 1868 dirfd = AT_FDCWD; 1869 break; 1870 case REL_CHROOT_CHDIR: 1871 /* Do chroot into dir_s1d2. */ 1872 ASSERT_EQ(0, chroot(".")) 1873 { 1874 TH_LOG("Failed to chroot: %s", strerror(errno)); 1875 } 1876 dirfd = AT_FDCWD; 1877 break; 1878 } 1879 1880 ASSERT_EQ((rel == REL_CHROOT_CHDIR) ? 0 : EACCES, 1881 test_open_rel(dirfd, "..", O_RDONLY)); 1882 ASSERT_EQ(0, test_open_rel(dirfd, ".", O_RDONLY)); 1883 1884 if (rel == REL_CHROOT_ONLY) { 1885 /* The current directory is dir_s2d2. */ 1886 ASSERT_EQ(0, test_open_rel(dirfd, "./s2d3", O_RDONLY)); 1887 } else { 1888 /* The current directory is dir_s1d2. */ 1889 ASSERT_EQ(0, test_open_rel(dirfd, "./s1d3", O_RDONLY)); 1890 } 1891 1892 if (rel == REL_CHROOT_ONLY || rel == REL_CHROOT_CHDIR) { 1893 /* Checks the root dir_s1d2. */ 1894 ASSERT_EQ(0, test_open_rel(dirfd, "/..", O_RDONLY)); 1895 ASSERT_EQ(0, test_open_rel(dirfd, "/", O_RDONLY)); 1896 ASSERT_EQ(0, test_open_rel(dirfd, "/f1", O_RDONLY)); 1897 ASSERT_EQ(0, test_open_rel(dirfd, "/s1d3", O_RDONLY)); 1898 } 1899 1900 if (rel != REL_CHROOT_CHDIR) { 1901 ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s1d1", O_RDONLY)); 1902 ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2", O_RDONLY)); 1903 ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2/s1d3", 1904 O_RDONLY)); 1905 1906 ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s2d1", O_RDONLY)); 1907 ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2", O_RDONLY)); 1908 ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2/s2d3", 1909 O_RDONLY)); 1910 } 1911 1912 if (rel == REL_OPEN) 1913 ASSERT_EQ(0, close(dirfd)); 1914 ASSERT_EQ(0, close(ruleset_fd)); 1915 } 1916 1917 TEST_F_FORK(layout1, relative_open) 1918 { 1919 test_relative_path(_metadata, REL_OPEN); 1920 } 1921 1922 TEST_F_FORK(layout1, relative_chdir) 1923 { 1924 test_relative_path(_metadata, REL_CHDIR); 1925 } 1926 1927 TEST_F_FORK(layout1, relative_chroot_only) 1928 { 1929 test_relative_path(_metadata, REL_CHROOT_ONLY); 1930 } 1931 1932 TEST_F_FORK(layout1, relative_chroot_chdir) 1933 { 1934 test_relative_path(_metadata, REL_CHROOT_CHDIR); 1935 } 1936 1937 static void copy_binary(struct __test_metadata *const _metadata, 1938 const char *const dst_path) 1939 { 1940 int dst_fd, src_fd; 1941 struct stat statbuf; 1942 1943 dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC); 1944 ASSERT_LE(0, dst_fd) 1945 { 1946 TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(errno)); 1947 } 1948 src_fd = open(BINARY_PATH, O_RDONLY | O_CLOEXEC); 1949 ASSERT_LE(0, src_fd) 1950 { 1951 TH_LOG("Failed to open \"" BINARY_PATH "\": %s", 1952 strerror(errno)); 1953 } 1954 ASSERT_EQ(0, fstat(src_fd, &statbuf)); 1955 ASSERT_EQ(statbuf.st_size, 1956 sendfile(dst_fd, src_fd, 0, statbuf.st_size)); 1957 ASSERT_EQ(0, close(src_fd)); 1958 ASSERT_EQ(0, close(dst_fd)); 1959 } 1960 1961 static void test_execute(struct __test_metadata *const _metadata, const int err, 1962 const char *const path) 1963 { 1964 int status; 1965 char *const argv[] = { (char *)path, NULL }; 1966 const pid_t child = fork(); 1967 1968 ASSERT_LE(0, child); 1969 if (child == 0) { 1970 ASSERT_EQ(err ? -1 : 0, execve(path, argv, NULL)) 1971 { 1972 TH_LOG("Failed to execute \"%s\": %s", path, 1973 strerror(errno)); 1974 }; 1975 ASSERT_EQ(err, errno); 1976 _exit(__test_passed(_metadata) ? 2 : 1); 1977 return; 1978 } 1979 ASSERT_EQ(child, waitpid(child, &status, 0)); 1980 ASSERT_EQ(1, WIFEXITED(status)); 1981 ASSERT_EQ(err ? 2 : 0, WEXITSTATUS(status)) 1982 { 1983 TH_LOG("Unexpected return code for \"%s\": %s", path, 1984 strerror(errno)); 1985 }; 1986 } 1987 1988 TEST_F_FORK(layout1, execute) 1989 { 1990 const struct rule rules[] = { 1991 { 1992 .path = dir_s1d2, 1993 .access = LANDLOCK_ACCESS_FS_EXECUTE, 1994 }, 1995 {}, 1996 }; 1997 const int ruleset_fd = 1998 create_ruleset(_metadata, rules[0].access, rules); 1999 2000 ASSERT_LE(0, ruleset_fd); 2001 copy_binary(_metadata, file1_s1d1); 2002 copy_binary(_metadata, file1_s1d2); 2003 copy_binary(_metadata, file1_s1d3); 2004 2005 enforce_ruleset(_metadata, ruleset_fd); 2006 ASSERT_EQ(0, close(ruleset_fd)); 2007 2008 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); 2009 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); 2010 test_execute(_metadata, EACCES, file1_s1d1); 2011 2012 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); 2013 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 2014 test_execute(_metadata, 0, file1_s1d2); 2015 2016 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); 2017 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 2018 test_execute(_metadata, 0, file1_s1d3); 2019 } 2020 2021 TEST_F_FORK(layout1, link) 2022 { 2023 const struct rule layer1[] = { 2024 { 2025 .path = dir_s1d2, 2026 .access = LANDLOCK_ACCESS_FS_MAKE_REG, 2027 }, 2028 {}, 2029 }; 2030 const struct rule layer2[] = { 2031 { 2032 .path = dir_s1d3, 2033 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, 2034 }, 2035 {}, 2036 }; 2037 int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1); 2038 2039 ASSERT_LE(0, ruleset_fd); 2040 2041 ASSERT_EQ(0, unlink(file1_s1d1)); 2042 ASSERT_EQ(0, unlink(file1_s1d2)); 2043 ASSERT_EQ(0, unlink(file1_s1d3)); 2044 2045 enforce_ruleset(_metadata, ruleset_fd); 2046 ASSERT_EQ(0, close(ruleset_fd)); 2047 2048 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); 2049 ASSERT_EQ(EACCES, errno); 2050 2051 /* Denies linking because of reparenting. */ 2052 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2)); 2053 ASSERT_EQ(EXDEV, errno); 2054 ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3)); 2055 ASSERT_EQ(EXDEV, errno); 2056 ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2)); 2057 ASSERT_EQ(EXDEV, errno); 2058 2059 ASSERT_EQ(0, link(file2_s1d2, file1_s1d2)); 2060 ASSERT_EQ(0, link(file2_s1d3, file1_s1d3)); 2061 2062 /* Prepares for next unlinks. */ 2063 ASSERT_EQ(0, unlink(file2_s1d2)); 2064 ASSERT_EQ(0, unlink(file2_s1d3)); 2065 2066 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2); 2067 ASSERT_LE(0, ruleset_fd); 2068 enforce_ruleset(_metadata, ruleset_fd); 2069 ASSERT_EQ(0, close(ruleset_fd)); 2070 2071 /* Checks that linkind doesn't require the ability to delete a file. */ 2072 ASSERT_EQ(0, link(file1_s1d2, file2_s1d2)); 2073 ASSERT_EQ(0, link(file1_s1d3, file2_s1d3)); 2074 } 2075 2076 static int test_rename(const char *const oldpath, const char *const newpath) 2077 { 2078 if (rename(oldpath, newpath)) 2079 return errno; 2080 return 0; 2081 } 2082 2083 static int test_exchange(const char *const oldpath, const char *const newpath) 2084 { 2085 if (renameat2(AT_FDCWD, oldpath, AT_FDCWD, newpath, RENAME_EXCHANGE)) 2086 return errno; 2087 return 0; 2088 } 2089 2090 TEST_F_FORK(layout1, rename_file) 2091 { 2092 const struct rule rules[] = { 2093 { 2094 .path = dir_s1d3, 2095 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, 2096 }, 2097 { 2098 .path = dir_s2d2, 2099 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, 2100 }, 2101 {}, 2102 }; 2103 const int ruleset_fd = 2104 create_ruleset(_metadata, rules[0].access, rules); 2105 2106 ASSERT_LE(0, ruleset_fd); 2107 2108 ASSERT_EQ(0, unlink(file1_s1d2)); 2109 2110 enforce_ruleset(_metadata, ruleset_fd); 2111 ASSERT_EQ(0, close(ruleset_fd)); 2112 2113 /* 2114 * Tries to replace a file, from a directory that allows file removal, 2115 * but to a different directory (which also allows file removal). 2116 */ 2117 ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3)); 2118 ASSERT_EQ(EXDEV, errno); 2119 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d3, 2120 RENAME_EXCHANGE)); 2121 ASSERT_EQ(EXDEV, errno); 2122 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3, 2123 RENAME_EXCHANGE)); 2124 ASSERT_EQ(EXDEV, errno); 2125 2126 /* 2127 * Tries to replace a file, from a directory that denies file removal, 2128 * to a different directory (which allows file removal). 2129 */ 2130 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); 2131 ASSERT_EQ(EACCES, errno); 2132 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3, 2133 RENAME_EXCHANGE)); 2134 ASSERT_EQ(EACCES, errno); 2135 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3, 2136 RENAME_EXCHANGE)); 2137 ASSERT_EQ(EXDEV, errno); 2138 2139 /* Exchanges files and directories that partially allow removal. */ 2140 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1, 2141 RENAME_EXCHANGE)); 2142 ASSERT_EQ(EACCES, errno); 2143 /* Checks that file1_s2d1 cannot be removed (instead of ENOTDIR). */ 2144 ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1)); 2145 ASSERT_EQ(EACCES, errno); 2146 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2, 2147 RENAME_EXCHANGE)); 2148 ASSERT_EQ(EACCES, errno); 2149 /* Checks that file1_s1d1 cannot be removed (instead of EISDIR). */ 2150 ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2)); 2151 ASSERT_EQ(EACCES, errno); 2152 2153 /* Renames files with different parents. */ 2154 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2)); 2155 ASSERT_EQ(EXDEV, errno); 2156 ASSERT_EQ(0, unlink(file1_s1d3)); 2157 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); 2158 ASSERT_EQ(EACCES, errno); 2159 2160 /* Exchanges and renames files with same parent. */ 2161 ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3, 2162 RENAME_EXCHANGE)); 2163 ASSERT_EQ(0, rename(file2_s2d3, file1_s2d3)); 2164 2165 /* Exchanges files and directories with same parent, twice. */ 2166 ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3, 2167 RENAME_EXCHANGE)); 2168 ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3, 2169 RENAME_EXCHANGE)); 2170 } 2171 2172 TEST_F_FORK(layout1, rename_dir) 2173 { 2174 const struct rule rules[] = { 2175 { 2176 .path = dir_s1d2, 2177 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, 2178 }, 2179 { 2180 .path = dir_s2d1, 2181 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, 2182 }, 2183 {}, 2184 }; 2185 const int ruleset_fd = 2186 create_ruleset(_metadata, rules[0].access, rules); 2187 2188 ASSERT_LE(0, ruleset_fd); 2189 2190 /* Empties dir_s1d3 to allow renaming. */ 2191 ASSERT_EQ(0, unlink(file1_s1d3)); 2192 ASSERT_EQ(0, unlink(file2_s1d3)); 2193 2194 enforce_ruleset(_metadata, ruleset_fd); 2195 ASSERT_EQ(0, close(ruleset_fd)); 2196 2197 /* Exchanges and renames directory to a different parent. */ 2198 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3, 2199 RENAME_EXCHANGE)); 2200 ASSERT_EQ(EXDEV, errno); 2201 ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3)); 2202 ASSERT_EQ(EXDEV, errno); 2203 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3, 2204 RENAME_EXCHANGE)); 2205 ASSERT_EQ(EXDEV, errno); 2206 2207 /* 2208 * Exchanges directory to the same parent, which doesn't allow 2209 * directory removal. 2210 */ 2211 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1, 2212 RENAME_EXCHANGE)); 2213 ASSERT_EQ(EACCES, errno); 2214 /* Checks that dir_s1d2 cannot be removed (instead of ENOTDIR). */ 2215 ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1)); 2216 ASSERT_EQ(EACCES, errno); 2217 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2, 2218 RENAME_EXCHANGE)); 2219 ASSERT_EQ(EACCES, errno); 2220 /* Checks that dir_s1d2 cannot be removed (instead of EISDIR). */ 2221 ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2)); 2222 ASSERT_EQ(EACCES, errno); 2223 2224 /* 2225 * Exchanges and renames directory to the same parent, which allows 2226 * directory removal. 2227 */ 2228 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s1d2, 2229 RENAME_EXCHANGE)); 2230 ASSERT_EQ(0, unlink(dir_s1d3)); 2231 ASSERT_EQ(0, mkdir(dir_s1d3, 0700)); 2232 ASSERT_EQ(0, rename(file1_s1d2, dir_s1d3)); 2233 ASSERT_EQ(0, rmdir(dir_s1d3)); 2234 } 2235 2236 TEST_F_FORK(layout1, reparent_refer) 2237 { 2238 const struct rule layer1[] = { 2239 { 2240 .path = dir_s1d2, 2241 .access = LANDLOCK_ACCESS_FS_REFER, 2242 }, 2243 { 2244 .path = dir_s2d2, 2245 .access = LANDLOCK_ACCESS_FS_REFER, 2246 }, 2247 {}, 2248 }; 2249 int ruleset_fd = 2250 create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1); 2251 2252 ASSERT_LE(0, ruleset_fd); 2253 enforce_ruleset(_metadata, ruleset_fd); 2254 ASSERT_EQ(0, close(ruleset_fd)); 2255 2256 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d1)); 2257 ASSERT_EQ(EXDEV, errno); 2258 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d2)); 2259 ASSERT_EQ(EXDEV, errno); 2260 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3)); 2261 ASSERT_EQ(EXDEV, errno); 2262 2263 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d1)); 2264 ASSERT_EQ(EXDEV, errno); 2265 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d2)); 2266 ASSERT_EQ(EXDEV, errno); 2267 /* 2268 * Moving should only be allowed when the source and the destination 2269 * parent directory have REFER. 2270 */ 2271 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d3)); 2272 ASSERT_EQ(ENOTEMPTY, errno); 2273 ASSERT_EQ(0, unlink(file1_s2d3)); 2274 ASSERT_EQ(0, unlink(file2_s2d3)); 2275 ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3)); 2276 } 2277 2278 /* Checks renames beneath dir_s1d1. */ 2279 static void refer_denied_by_default(struct __test_metadata *const _metadata, 2280 const struct rule layer1[], 2281 const int layer1_err, 2282 const struct rule layer2[]) 2283 { 2284 int ruleset_fd; 2285 2286 ASSERT_EQ(0, unlink(file1_s1d2)); 2287 2288 ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1); 2289 ASSERT_LE(0, ruleset_fd); 2290 enforce_ruleset(_metadata, ruleset_fd); 2291 ASSERT_EQ(0, close(ruleset_fd)); 2292 2293 /* 2294 * If the first layer handles LANDLOCK_ACCESS_FS_REFER (according to 2295 * layer1_err), then it allows some different-parent renames and links. 2296 */ 2297 ASSERT_EQ(layer1_err, test_rename(file1_s1d1, file1_s1d2)); 2298 if (layer1_err == 0) 2299 ASSERT_EQ(layer1_err, test_rename(file1_s1d2, file1_s1d1)); 2300 ASSERT_EQ(layer1_err, test_exchange(file2_s1d1, file2_s1d2)); 2301 ASSERT_EQ(layer1_err, test_exchange(file2_s1d2, file2_s1d1)); 2302 2303 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2); 2304 ASSERT_LE(0, ruleset_fd); 2305 enforce_ruleset(_metadata, ruleset_fd); 2306 ASSERT_EQ(0, close(ruleset_fd)); 2307 2308 /* 2309 * Now, either the first or the second layer does not handle 2310 * LANDLOCK_ACCESS_FS_REFER, which means that any different-parent 2311 * renames and links are denied, thus making the layer handling 2312 * LANDLOCK_ACCESS_FS_REFER null and void. 2313 */ 2314 ASSERT_EQ(EXDEV, test_rename(file1_s1d1, file1_s1d2)); 2315 ASSERT_EQ(EXDEV, test_exchange(file2_s1d1, file2_s1d2)); 2316 ASSERT_EQ(EXDEV, test_exchange(file2_s1d2, file2_s1d1)); 2317 } 2318 2319 const struct rule layer_dir_s1d1_refer[] = { 2320 { 2321 .path = dir_s1d1, 2322 .access = LANDLOCK_ACCESS_FS_REFER, 2323 }, 2324 {}, 2325 }; 2326 2327 const struct rule layer_dir_s1d1_execute[] = { 2328 { 2329 /* Matches a parent directory. */ 2330 .path = dir_s1d1, 2331 .access = LANDLOCK_ACCESS_FS_EXECUTE, 2332 }, 2333 {}, 2334 }; 2335 2336 const struct rule layer_dir_s2d1_execute[] = { 2337 { 2338 /* Does not match a parent directory. */ 2339 .path = dir_s2d1, 2340 .access = LANDLOCK_ACCESS_FS_EXECUTE, 2341 }, 2342 {}, 2343 }; 2344 2345 /* 2346 * Tests precedence over renames: denied by default for different parent 2347 * directories, *with* a rule matching a parent directory, but not directly 2348 * denying access (with MAKE_REG nor REMOVE). 2349 */ 2350 TEST_F_FORK(layout1, refer_denied_by_default1) 2351 { 2352 refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0, 2353 layer_dir_s1d1_execute); 2354 } 2355 2356 /* 2357 * Same test but this time turning around the ABI version order: the first 2358 * layer does not handle LANDLOCK_ACCESS_FS_REFER. 2359 */ 2360 TEST_F_FORK(layout1, refer_denied_by_default2) 2361 { 2362 refer_denied_by_default(_metadata, layer_dir_s1d1_execute, EXDEV, 2363 layer_dir_s1d1_refer); 2364 } 2365 2366 /* 2367 * Tests precedence over renames: denied by default for different parent 2368 * directories, *without* a rule matching a parent directory, but not directly 2369 * denying access (with MAKE_REG nor REMOVE). 2370 */ 2371 TEST_F_FORK(layout1, refer_denied_by_default3) 2372 { 2373 refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0, 2374 layer_dir_s2d1_execute); 2375 } 2376 2377 /* 2378 * Same test but this time turning around the ABI version order: the first 2379 * layer does not handle LANDLOCK_ACCESS_FS_REFER. 2380 */ 2381 TEST_F_FORK(layout1, refer_denied_by_default4) 2382 { 2383 refer_denied_by_default(_metadata, layer_dir_s2d1_execute, EXDEV, 2384 layer_dir_s1d1_refer); 2385 } 2386 2387 TEST_F_FORK(layout1, reparent_link) 2388 { 2389 const struct rule layer1[] = { 2390 { 2391 .path = dir_s1d2, 2392 .access = LANDLOCK_ACCESS_FS_MAKE_REG, 2393 }, 2394 { 2395 .path = dir_s1d3, 2396 .access = LANDLOCK_ACCESS_FS_REFER, 2397 }, 2398 { 2399 .path = dir_s2d2, 2400 .access = LANDLOCK_ACCESS_FS_REFER, 2401 }, 2402 { 2403 .path = dir_s2d3, 2404 .access = LANDLOCK_ACCESS_FS_MAKE_REG, 2405 }, 2406 {}, 2407 }; 2408 const int ruleset_fd = create_ruleset( 2409 _metadata, 2410 LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1); 2411 2412 ASSERT_LE(0, ruleset_fd); 2413 enforce_ruleset(_metadata, ruleset_fd); 2414 ASSERT_EQ(0, close(ruleset_fd)); 2415 2416 ASSERT_EQ(0, unlink(file1_s1d1)); 2417 ASSERT_EQ(0, unlink(file1_s1d2)); 2418 ASSERT_EQ(0, unlink(file1_s1d3)); 2419 2420 /* Denies linking because of missing MAKE_REG. */ 2421 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); 2422 ASSERT_EQ(EACCES, errno); 2423 /* Denies linking because of missing source and destination REFER. */ 2424 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2)); 2425 ASSERT_EQ(EXDEV, errno); 2426 /* Denies linking because of missing source REFER. */ 2427 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d3)); 2428 ASSERT_EQ(EXDEV, errno); 2429 2430 /* Denies linking because of missing MAKE_REG. */ 2431 ASSERT_EQ(-1, link(file1_s2d2, file1_s1d1)); 2432 ASSERT_EQ(EACCES, errno); 2433 /* Denies linking because of missing destination REFER. */ 2434 ASSERT_EQ(-1, link(file1_s2d2, file1_s1d2)); 2435 ASSERT_EQ(EXDEV, errno); 2436 2437 /* Allows linking because of REFER and MAKE_REG. */ 2438 ASSERT_EQ(0, link(file1_s2d2, file1_s1d3)); 2439 ASSERT_EQ(0, unlink(file1_s2d2)); 2440 /* Reverse linking denied because of missing MAKE_REG. */ 2441 ASSERT_EQ(-1, link(file1_s1d3, file1_s2d2)); 2442 ASSERT_EQ(EACCES, errno); 2443 ASSERT_EQ(0, unlink(file1_s2d3)); 2444 /* Checks reverse linking. */ 2445 ASSERT_EQ(0, link(file1_s1d3, file1_s2d3)); 2446 ASSERT_EQ(0, unlink(file1_s1d3)); 2447 2448 /* 2449 * This is OK for a file link, but it should not be allowed for a 2450 * directory rename (because of the superset of access rights. 2451 */ 2452 ASSERT_EQ(0, link(file1_s2d3, file1_s1d3)); 2453 ASSERT_EQ(0, unlink(file1_s1d3)); 2454 2455 ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3)); 2456 ASSERT_EQ(EXDEV, errno); 2457 ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2)); 2458 ASSERT_EQ(EXDEV, errno); 2459 2460 ASSERT_EQ(0, link(file2_s1d2, file1_s1d2)); 2461 ASSERT_EQ(0, link(file2_s1d3, file1_s1d3)); 2462 } 2463 2464 TEST_F_FORK(layout1, reparent_rename) 2465 { 2466 /* Same rules as for reparent_link. */ 2467 const struct rule layer1[] = { 2468 { 2469 .path = dir_s1d2, 2470 .access = LANDLOCK_ACCESS_FS_MAKE_REG, 2471 }, 2472 { 2473 .path = dir_s1d3, 2474 .access = LANDLOCK_ACCESS_FS_REFER, 2475 }, 2476 { 2477 .path = dir_s2d2, 2478 .access = LANDLOCK_ACCESS_FS_REFER, 2479 }, 2480 { 2481 .path = dir_s2d3, 2482 .access = LANDLOCK_ACCESS_FS_MAKE_REG, 2483 }, 2484 {}, 2485 }; 2486 const int ruleset_fd = create_ruleset( 2487 _metadata, 2488 LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1); 2489 2490 ASSERT_LE(0, ruleset_fd); 2491 enforce_ruleset(_metadata, ruleset_fd); 2492 ASSERT_EQ(0, close(ruleset_fd)); 2493 2494 ASSERT_EQ(0, unlink(file1_s1d2)); 2495 ASSERT_EQ(0, unlink(file1_s1d3)); 2496 2497 /* Denies renaming because of missing MAKE_REG. */ 2498 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s1d1, 2499 RENAME_EXCHANGE)); 2500 ASSERT_EQ(EACCES, errno); 2501 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file2_s1d1, 2502 RENAME_EXCHANGE)); 2503 ASSERT_EQ(EACCES, errno); 2504 ASSERT_EQ(0, unlink(file1_s1d1)); 2505 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); 2506 ASSERT_EQ(EACCES, errno); 2507 /* Even denies same file exchange. */ 2508 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file2_s1d1, 2509 RENAME_EXCHANGE)); 2510 ASSERT_EQ(EACCES, errno); 2511 2512 /* Denies renaming because of missing source and destination REFER. */ 2513 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d2)); 2514 ASSERT_EQ(EXDEV, errno); 2515 /* 2516 * Denies renaming because of missing MAKE_REG, source and destination 2517 * REFER. 2518 */ 2519 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d1, 2520 RENAME_EXCHANGE)); 2521 ASSERT_EQ(EACCES, errno); 2522 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s2d1, 2523 RENAME_EXCHANGE)); 2524 ASSERT_EQ(EACCES, errno); 2525 2526 /* Denies renaming because of missing source REFER. */ 2527 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); 2528 ASSERT_EQ(EXDEV, errno); 2529 /* Denies renaming because of missing MAKE_REG. */ 2530 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d3, 2531 RENAME_EXCHANGE)); 2532 ASSERT_EQ(EACCES, errno); 2533 2534 /* Denies renaming because of missing MAKE_REG. */ 2535 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d1)); 2536 ASSERT_EQ(EACCES, errno); 2537 /* Denies renaming because of missing destination REFER*/ 2538 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2)); 2539 ASSERT_EQ(EXDEV, errno); 2540 2541 /* Denies exchange because of one missing MAKE_REG. */ 2542 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, file2_s1d3, 2543 RENAME_EXCHANGE)); 2544 ASSERT_EQ(EACCES, errno); 2545 /* Allows renaming because of REFER and MAKE_REG. */ 2546 ASSERT_EQ(0, rename(file1_s2d2, file1_s1d3)); 2547 2548 /* Reverse renaming denied because of missing MAKE_REG. */ 2549 ASSERT_EQ(-1, rename(file1_s1d3, file1_s2d2)); 2550 ASSERT_EQ(EACCES, errno); 2551 ASSERT_EQ(0, unlink(file1_s2d3)); 2552 ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3)); 2553 2554 /* Tests reverse renaming. */ 2555 ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3)); 2556 ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s1d3, 2557 RENAME_EXCHANGE)); 2558 ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3)); 2559 2560 /* 2561 * This is OK for a file rename, but it should not be allowed for a 2562 * directory rename (because of the superset of access rights). 2563 */ 2564 ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3)); 2565 ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3)); 2566 2567 /* 2568 * Tests superset restrictions applied to directories. Not only the 2569 * dir_s2d3's parent (dir_s2d2) should be taken into account but also 2570 * access rights tied to dir_s2d3. dir_s2d2 is missing one access right 2571 * compared to dir_s1d3/file1_s1d3 (MAKE_REG) but it is provided 2572 * directly by the moved dir_s2d3. 2573 */ 2574 ASSERT_EQ(0, rename(dir_s2d3, file1_s1d3)); 2575 ASSERT_EQ(0, rename(file1_s1d3, dir_s2d3)); 2576 /* 2577 * The first rename is allowed but not the exchange because dir_s1d3's 2578 * parent (dir_s1d2) doesn't have REFER. 2579 */ 2580 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3, 2581 RENAME_EXCHANGE)); 2582 ASSERT_EQ(EXDEV, errno); 2583 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s2d3, 2584 RENAME_EXCHANGE)); 2585 ASSERT_EQ(EXDEV, errno); 2586 ASSERT_EQ(-1, rename(file1_s2d3, dir_s1d3)); 2587 ASSERT_EQ(EXDEV, errno); 2588 2589 ASSERT_EQ(-1, rename(file2_s1d2, file1_s1d3)); 2590 ASSERT_EQ(EXDEV, errno); 2591 ASSERT_EQ(-1, rename(file2_s1d3, file1_s1d2)); 2592 ASSERT_EQ(EXDEV, errno); 2593 2594 /* Renaming in the same directory is always allowed. */ 2595 ASSERT_EQ(0, rename(file2_s1d2, file1_s1d2)); 2596 ASSERT_EQ(0, rename(file2_s1d3, file1_s1d3)); 2597 2598 ASSERT_EQ(0, unlink(file1_s1d2)); 2599 /* Denies because of missing source MAKE_REG and destination REFER. */ 2600 ASSERT_EQ(-1, rename(dir_s2d3, file1_s1d2)); 2601 ASSERT_EQ(EXDEV, errno); 2602 2603 ASSERT_EQ(0, unlink(file1_s1d3)); 2604 /* Denies because of missing source MAKE_REG and REFER. */ 2605 ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d3)); 2606 ASSERT_EQ(EXDEV, errno); 2607 } 2608 2609 static void 2610 reparent_exdev_layers_enforce1(struct __test_metadata *const _metadata) 2611 { 2612 const struct rule layer1[] = { 2613 { 2614 .path = dir_s1d2, 2615 .access = LANDLOCK_ACCESS_FS_REFER, 2616 }, 2617 { 2618 /* Interesting for the layer2 tests. */ 2619 .path = dir_s1d3, 2620 .access = LANDLOCK_ACCESS_FS_MAKE_REG, 2621 }, 2622 { 2623 .path = dir_s2d2, 2624 .access = LANDLOCK_ACCESS_FS_REFER, 2625 }, 2626 { 2627 .path = dir_s2d3, 2628 .access = LANDLOCK_ACCESS_FS_MAKE_REG, 2629 }, 2630 {}, 2631 }; 2632 const int ruleset_fd = create_ruleset( 2633 _metadata, 2634 LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1); 2635 2636 ASSERT_LE(0, ruleset_fd); 2637 enforce_ruleset(_metadata, ruleset_fd); 2638 ASSERT_EQ(0, close(ruleset_fd)); 2639 } 2640 2641 static void 2642 reparent_exdev_layers_enforce2(struct __test_metadata *const _metadata) 2643 { 2644 const struct rule layer2[] = { 2645 { 2646 .path = dir_s2d3, 2647 .access = LANDLOCK_ACCESS_FS_MAKE_DIR, 2648 }, 2649 {}, 2650 }; 2651 /* 2652 * Same checks as before but with a second layer and a new MAKE_DIR 2653 * rule (and no explicit handling of REFER). 2654 */ 2655 const int ruleset_fd = 2656 create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_DIR, layer2); 2657 2658 ASSERT_LE(0, ruleset_fd); 2659 enforce_ruleset(_metadata, ruleset_fd); 2660 ASSERT_EQ(0, close(ruleset_fd)); 2661 } 2662 2663 TEST_F_FORK(layout1, reparent_exdev_layers_rename1) 2664 { 2665 ASSERT_EQ(0, unlink(file1_s2d2)); 2666 ASSERT_EQ(0, unlink(file1_s2d3)); 2667 2668 reparent_exdev_layers_enforce1(_metadata); 2669 2670 /* 2671 * Moving the dir_s1d3 directory below dir_s2d2 is allowed by Landlock 2672 * because it doesn't inherit new access rights. 2673 */ 2674 ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2)); 2675 ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3)); 2676 2677 /* 2678 * Moving the dir_s1d3 directory below dir_s2d3 is allowed, even if it 2679 * gets a new inherited access rights (MAKE_REG), because MAKE_REG is 2680 * already allowed for dir_s1d3. 2681 */ 2682 ASSERT_EQ(0, rename(dir_s1d3, file1_s2d3)); 2683 ASSERT_EQ(0, rename(file1_s2d3, dir_s1d3)); 2684 2685 /* 2686 * However, moving the file1_s1d3 file below dir_s2d3 is allowed 2687 * because it cannot inherit MAKE_REG right (which is dedicated to 2688 * directories). 2689 */ 2690 ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3)); 2691 2692 reparent_exdev_layers_enforce2(_metadata); 2693 2694 /* 2695 * Moving the dir_s1d3 directory below dir_s2d2 is now denied because 2696 * MAKE_DIR is not tied to dir_s2d2. 2697 */ 2698 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d2)); 2699 ASSERT_EQ(EACCES, errno); 2700 2701 /* 2702 * Moving the dir_s1d3 directory below dir_s2d3 is forbidden because it 2703 * would grants MAKE_REG and MAKE_DIR rights to it. 2704 */ 2705 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3)); 2706 ASSERT_EQ(EXDEV, errno); 2707 2708 /* 2709 * Moving the file2_s1d3 file below dir_s2d3 is denied because the 2710 * second layer does not handle REFER, which is always denied by 2711 * default. 2712 */ 2713 ASSERT_EQ(-1, rename(file2_s1d3, file1_s2d3)); 2714 ASSERT_EQ(EXDEV, errno); 2715 } 2716 2717 TEST_F_FORK(layout1, reparent_exdev_layers_rename2) 2718 { 2719 reparent_exdev_layers_enforce1(_metadata); 2720 2721 /* Checks EACCES predominance over EXDEV. */ 2722 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2)); 2723 ASSERT_EQ(EACCES, errno); 2724 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d2)); 2725 ASSERT_EQ(EACCES, errno); 2726 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3)); 2727 ASSERT_EQ(EXDEV, errno); 2728 /* Modify layout! */ 2729 ASSERT_EQ(0, rename(file1_s1d2, file1_s2d3)); 2730 2731 /* Without REFER source. */ 2732 ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2)); 2733 ASSERT_EQ(EXDEV, errno); 2734 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2)); 2735 ASSERT_EQ(EXDEV, errno); 2736 2737 reparent_exdev_layers_enforce2(_metadata); 2738 2739 /* Checks EACCES predominance over EXDEV. */ 2740 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2)); 2741 ASSERT_EQ(EACCES, errno); 2742 /* Checks with actual file2_s1d2. */ 2743 ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d2)); 2744 ASSERT_EQ(EACCES, errno); 2745 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3)); 2746 ASSERT_EQ(EXDEV, errno); 2747 /* 2748 * Modifying the layout is now denied because the second layer does not 2749 * handle REFER, which is always denied by default. 2750 */ 2751 ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3)); 2752 ASSERT_EQ(EXDEV, errno); 2753 2754 /* Without REFER source, EACCES wins over EXDEV. */ 2755 ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2)); 2756 ASSERT_EQ(EACCES, errno); 2757 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2)); 2758 ASSERT_EQ(EACCES, errno); 2759 } 2760 2761 TEST_F_FORK(layout1, reparent_exdev_layers_exchange1) 2762 { 2763 const char *const dir_file1_s1d2 = file1_s1d2, *const dir_file2_s2d3 = 2764 file2_s2d3; 2765 2766 ASSERT_EQ(0, unlink(file1_s1d2)); 2767 ASSERT_EQ(0, mkdir(file1_s1d2, 0700)); 2768 ASSERT_EQ(0, unlink(file2_s2d3)); 2769 ASSERT_EQ(0, mkdir(file2_s2d3, 0700)); 2770 2771 reparent_exdev_layers_enforce1(_metadata); 2772 2773 /* Error predominance with file exchange: returns EXDEV and EACCES. */ 2774 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3, 2775 RENAME_EXCHANGE)); 2776 ASSERT_EQ(EACCES, errno); 2777 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1, 2778 RENAME_EXCHANGE)); 2779 ASSERT_EQ(EACCES, errno); 2780 2781 /* 2782 * Checks with directories which creation could be allowed, but denied 2783 * because of access rights that would be inherited. 2784 */ 2785 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, 2786 dir_file2_s2d3, RENAME_EXCHANGE)); 2787 ASSERT_EQ(EXDEV, errno); 2788 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, 2789 dir_file1_s1d2, RENAME_EXCHANGE)); 2790 ASSERT_EQ(EXDEV, errno); 2791 2792 /* Checks with same access rights. */ 2793 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3, 2794 RENAME_EXCHANGE)); 2795 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3, 2796 RENAME_EXCHANGE)); 2797 2798 /* Checks with different (child-only) access rights. */ 2799 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2, 2800 RENAME_EXCHANGE)); 2801 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3, 2802 RENAME_EXCHANGE)); 2803 2804 /* 2805 * Checks that exchange between file and directory are consistent. 2806 * 2807 * Moving a file (file1_s2d2) to a directory which only grants more 2808 * directory-related access rights is allowed, and at the same time 2809 * moving a directory (dir_file2_s2d3) to another directory which 2810 * grants less access rights is allowed too. 2811 * 2812 * See layout1.reparent_exdev_layers_exchange3 for inverted arguments. 2813 */ 2814 ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, 2815 RENAME_EXCHANGE)); 2816 /* 2817 * However, moving back the directory is denied because it would get 2818 * more access rights than the current state and because file creation 2819 * is forbidden (in dir_s2d2). 2820 */ 2821 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, 2822 RENAME_EXCHANGE)); 2823 ASSERT_EQ(EACCES, errno); 2824 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, 2825 RENAME_EXCHANGE)); 2826 ASSERT_EQ(EACCES, errno); 2827 2828 reparent_exdev_layers_enforce2(_metadata); 2829 2830 /* Error predominance with file exchange: returns EXDEV and EACCES. */ 2831 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3, 2832 RENAME_EXCHANGE)); 2833 ASSERT_EQ(EACCES, errno); 2834 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1, 2835 RENAME_EXCHANGE)); 2836 ASSERT_EQ(EACCES, errno); 2837 2838 /* Checks with directories which creation is now denied. */ 2839 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, 2840 dir_file2_s2d3, RENAME_EXCHANGE)); 2841 ASSERT_EQ(EACCES, errno); 2842 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, 2843 dir_file1_s1d2, RENAME_EXCHANGE)); 2844 ASSERT_EQ(EACCES, errno); 2845 2846 /* Checks with different (child-only) access rights. */ 2847 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3, 2848 RENAME_EXCHANGE)); 2849 /* Denied because of MAKE_DIR. */ 2850 ASSERT_EQ(EACCES, errno); 2851 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3, 2852 RENAME_EXCHANGE)); 2853 ASSERT_EQ(EACCES, errno); 2854 2855 /* Checks with different (child-only) access rights. */ 2856 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2, 2857 RENAME_EXCHANGE)); 2858 /* Denied because of MAKE_DIR. */ 2859 ASSERT_EQ(EACCES, errno); 2860 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3, 2861 RENAME_EXCHANGE)); 2862 ASSERT_EQ(EACCES, errno); 2863 2864 /* See layout1.reparent_exdev_layers_exchange2 for complement. */ 2865 } 2866 2867 TEST_F_FORK(layout1, reparent_exdev_layers_exchange2) 2868 { 2869 const char *const dir_file2_s2d3 = file2_s2d3; 2870 2871 ASSERT_EQ(0, unlink(file2_s2d3)); 2872 ASSERT_EQ(0, mkdir(file2_s2d3, 0700)); 2873 2874 reparent_exdev_layers_enforce1(_metadata); 2875 reparent_exdev_layers_enforce2(_metadata); 2876 2877 /* Checks that exchange between file and directory are consistent. */ 2878 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, 2879 RENAME_EXCHANGE)); 2880 ASSERT_EQ(EACCES, errno); 2881 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, 2882 RENAME_EXCHANGE)); 2883 ASSERT_EQ(EACCES, errno); 2884 } 2885 2886 TEST_F_FORK(layout1, reparent_exdev_layers_exchange3) 2887 { 2888 const char *const dir_file2_s2d3 = file2_s2d3; 2889 2890 ASSERT_EQ(0, unlink(file2_s2d3)); 2891 ASSERT_EQ(0, mkdir(file2_s2d3, 0700)); 2892 2893 reparent_exdev_layers_enforce1(_metadata); 2894 2895 /* 2896 * Checks that exchange between file and directory are consistent, 2897 * including with inverted arguments (see 2898 * layout1.reparent_exdev_layers_exchange1). 2899 */ 2900 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, 2901 RENAME_EXCHANGE)); 2902 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, 2903 RENAME_EXCHANGE)); 2904 ASSERT_EQ(EACCES, errno); 2905 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, 2906 RENAME_EXCHANGE)); 2907 ASSERT_EQ(EACCES, errno); 2908 } 2909 2910 TEST_F_FORK(layout1, reparent_remove) 2911 { 2912 const struct rule layer1[] = { 2913 { 2914 .path = dir_s1d1, 2915 .access = LANDLOCK_ACCESS_FS_REFER | 2916 LANDLOCK_ACCESS_FS_REMOVE_DIR, 2917 }, 2918 { 2919 .path = dir_s1d2, 2920 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, 2921 }, 2922 { 2923 .path = dir_s2d1, 2924 .access = LANDLOCK_ACCESS_FS_REFER | 2925 LANDLOCK_ACCESS_FS_REMOVE_FILE, 2926 }, 2927 {}, 2928 }; 2929 const int ruleset_fd = create_ruleset( 2930 _metadata, 2931 LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_REMOVE_DIR | 2932 LANDLOCK_ACCESS_FS_REMOVE_FILE, 2933 layer1); 2934 2935 ASSERT_LE(0, ruleset_fd); 2936 enforce_ruleset(_metadata, ruleset_fd); 2937 ASSERT_EQ(0, close(ruleset_fd)); 2938 2939 /* Access denied because of wrong/swapped remove file/dir. */ 2940 ASSERT_EQ(-1, rename(file1_s1d1, dir_s2d2)); 2941 ASSERT_EQ(EACCES, errno); 2942 ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d1)); 2943 ASSERT_EQ(EACCES, errno); 2944 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d2, 2945 RENAME_EXCHANGE)); 2946 ASSERT_EQ(EACCES, errno); 2947 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d3, 2948 RENAME_EXCHANGE)); 2949 ASSERT_EQ(EACCES, errno); 2950 2951 /* Access allowed thanks to the matching rights. */ 2952 ASSERT_EQ(-1, rename(file1_s2d1, dir_s1d2)); 2953 ASSERT_EQ(EISDIR, errno); 2954 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d1)); 2955 ASSERT_EQ(ENOTDIR, errno); 2956 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1)); 2957 ASSERT_EQ(ENOTDIR, errno); 2958 ASSERT_EQ(0, unlink(file1_s2d1)); 2959 ASSERT_EQ(0, unlink(file1_s1d3)); 2960 ASSERT_EQ(0, unlink(file2_s1d3)); 2961 ASSERT_EQ(0, rename(dir_s1d3, file1_s2d1)); 2962 2963 /* Effectively removes a file and a directory by exchanging them. */ 2964 ASSERT_EQ(0, mkdir(dir_s1d3, 0700)); 2965 ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3, 2966 RENAME_EXCHANGE)); 2967 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3, 2968 RENAME_EXCHANGE)); 2969 ASSERT_EQ(EACCES, errno); 2970 } 2971 2972 TEST_F_FORK(layout1, reparent_dom_superset) 2973 { 2974 const struct rule layer1[] = { 2975 { 2976 .path = dir_s1d2, 2977 .access = LANDLOCK_ACCESS_FS_REFER, 2978 }, 2979 { 2980 .path = file1_s1d2, 2981 .access = LANDLOCK_ACCESS_FS_EXECUTE, 2982 }, 2983 { 2984 .path = dir_s1d3, 2985 .access = LANDLOCK_ACCESS_FS_MAKE_SOCK | 2986 LANDLOCK_ACCESS_FS_EXECUTE, 2987 }, 2988 { 2989 .path = dir_s2d2, 2990 .access = LANDLOCK_ACCESS_FS_REFER | 2991 LANDLOCK_ACCESS_FS_EXECUTE | 2992 LANDLOCK_ACCESS_FS_MAKE_SOCK, 2993 }, 2994 { 2995 .path = dir_s2d3, 2996 .access = LANDLOCK_ACCESS_FS_READ_FILE | 2997 LANDLOCK_ACCESS_FS_MAKE_FIFO, 2998 }, 2999 {}, 3000 }; 3001 int ruleset_fd = create_ruleset(_metadata, 3002 LANDLOCK_ACCESS_FS_REFER | 3003 LANDLOCK_ACCESS_FS_EXECUTE | 3004 LANDLOCK_ACCESS_FS_MAKE_SOCK | 3005 LANDLOCK_ACCESS_FS_READ_FILE | 3006 LANDLOCK_ACCESS_FS_MAKE_FIFO, 3007 layer1); 3008 3009 ASSERT_LE(0, ruleset_fd); 3010 enforce_ruleset(_metadata, ruleset_fd); 3011 ASSERT_EQ(0, close(ruleset_fd)); 3012 3013 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d1)); 3014 ASSERT_EQ(EXDEV, errno); 3015 /* 3016 * Moving file1_s1d2 beneath dir_s2d3 would grant it the READ_FILE 3017 * access right. 3018 */ 3019 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d3)); 3020 ASSERT_EQ(EXDEV, errno); 3021 /* 3022 * Moving file1_s1d2 should be allowed even if dir_s2d2 grants a 3023 * superset of access rights compared to dir_s1d2, because file1_s1d2 3024 * already has these access rights anyway. 3025 */ 3026 ASSERT_EQ(0, rename(file1_s1d2, file1_s2d2)); 3027 ASSERT_EQ(0, rename(file1_s2d2, file1_s1d2)); 3028 3029 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1)); 3030 ASSERT_EQ(EXDEV, errno); 3031 /* 3032 * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access 3033 * right. 3034 */ 3035 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3)); 3036 ASSERT_EQ(EXDEV, errno); 3037 /* 3038 * Moving dir_s1d3 should be allowed even if dir_s2d2 grants a superset 3039 * of access rights compared to dir_s1d2, because dir_s1d3 already has 3040 * these access rights anyway. 3041 */ 3042 ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2)); 3043 ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3)); 3044 3045 /* 3046 * Moving file1_s2d3 beneath dir_s1d2 is allowed, but moving it back 3047 * will be denied because the new inherited access rights from dir_s1d2 3048 * will be less than the destination (original) dir_s2d3. This is a 3049 * sinkhole scenario where we cannot move back files or directories. 3050 */ 3051 ASSERT_EQ(0, rename(file1_s2d3, file2_s1d2)); 3052 ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3)); 3053 ASSERT_EQ(EXDEV, errno); 3054 ASSERT_EQ(0, unlink(file2_s1d2)); 3055 ASSERT_EQ(0, unlink(file2_s2d3)); 3056 /* 3057 * Checks similar directory one-way move: dir_s2d3 loses EXECUTE and 3058 * MAKE_SOCK which were inherited from dir_s1d3. 3059 */ 3060 ASSERT_EQ(0, rename(dir_s2d3, file2_s1d2)); 3061 ASSERT_EQ(-1, rename(file2_s1d2, dir_s2d3)); 3062 ASSERT_EQ(EXDEV, errno); 3063 } 3064 3065 TEST_F_FORK(layout1, remove_dir) 3066 { 3067 const struct rule rules[] = { 3068 { 3069 .path = dir_s1d2, 3070 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, 3071 }, 3072 {}, 3073 }; 3074 const int ruleset_fd = 3075 create_ruleset(_metadata, rules[0].access, rules); 3076 3077 ASSERT_LE(0, ruleset_fd); 3078 3079 ASSERT_EQ(0, unlink(file1_s1d1)); 3080 ASSERT_EQ(0, unlink(file1_s1d2)); 3081 ASSERT_EQ(0, unlink(file1_s1d3)); 3082 ASSERT_EQ(0, unlink(file2_s1d3)); 3083 3084 enforce_ruleset(_metadata, ruleset_fd); 3085 ASSERT_EQ(0, close(ruleset_fd)); 3086 3087 ASSERT_EQ(0, rmdir(dir_s1d3)); 3088 ASSERT_EQ(0, mkdir(dir_s1d3, 0700)); 3089 ASSERT_EQ(0, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR)); 3090 3091 /* dir_s1d2 itself cannot be removed. */ 3092 ASSERT_EQ(-1, rmdir(dir_s1d2)); 3093 ASSERT_EQ(EACCES, errno); 3094 ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d2, AT_REMOVEDIR)); 3095 ASSERT_EQ(EACCES, errno); 3096 ASSERT_EQ(-1, rmdir(dir_s1d1)); 3097 ASSERT_EQ(EACCES, errno); 3098 ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d1, AT_REMOVEDIR)); 3099 ASSERT_EQ(EACCES, errno); 3100 } 3101 3102 TEST_F_FORK(layout1, remove_file) 3103 { 3104 const struct rule rules[] = { 3105 { 3106 .path = dir_s1d2, 3107 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, 3108 }, 3109 {}, 3110 }; 3111 const int ruleset_fd = 3112 create_ruleset(_metadata, rules[0].access, rules); 3113 3114 ASSERT_LE(0, ruleset_fd); 3115 enforce_ruleset(_metadata, ruleset_fd); 3116 ASSERT_EQ(0, close(ruleset_fd)); 3117 3118 ASSERT_EQ(-1, unlink(file1_s1d1)); 3119 ASSERT_EQ(EACCES, errno); 3120 ASSERT_EQ(-1, unlinkat(AT_FDCWD, file1_s1d1, 0)); 3121 ASSERT_EQ(EACCES, errno); 3122 ASSERT_EQ(0, unlink(file1_s1d2)); 3123 ASSERT_EQ(0, unlinkat(AT_FDCWD, file1_s1d3, 0)); 3124 } 3125 3126 static void test_make_file(struct __test_metadata *const _metadata, 3127 const __u64 access, const mode_t mode, 3128 const dev_t dev) 3129 { 3130 const struct rule rules[] = { 3131 { 3132 .path = dir_s1d2, 3133 .access = access, 3134 }, 3135 {}, 3136 }; 3137 const int ruleset_fd = create_ruleset(_metadata, access, rules); 3138 3139 ASSERT_LE(0, ruleset_fd); 3140 3141 ASSERT_EQ(0, unlink(file1_s1d1)); 3142 ASSERT_EQ(0, unlink(file2_s1d1)); 3143 ASSERT_EQ(0, mknod(file2_s1d1, mode | 0400, dev)) 3144 { 3145 TH_LOG("Failed to make file \"%s\": %s", file2_s1d1, 3146 strerror(errno)); 3147 }; 3148 3149 ASSERT_EQ(0, unlink(file1_s1d2)); 3150 ASSERT_EQ(0, unlink(file2_s1d2)); 3151 3152 ASSERT_EQ(0, unlink(file1_s1d3)); 3153 ASSERT_EQ(0, unlink(file2_s1d3)); 3154 3155 enforce_ruleset(_metadata, ruleset_fd); 3156 ASSERT_EQ(0, close(ruleset_fd)); 3157 3158 ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev)); 3159 ASSERT_EQ(EACCES, errno); 3160 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); 3161 ASSERT_EQ(EACCES, errno); 3162 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); 3163 ASSERT_EQ(EACCES, errno); 3164 3165 ASSERT_EQ(0, mknod(file1_s1d2, mode | 0400, dev)) 3166 { 3167 TH_LOG("Failed to make file \"%s\": %s", file1_s1d2, 3168 strerror(errno)); 3169 }; 3170 ASSERT_EQ(0, link(file1_s1d2, file2_s1d2)); 3171 ASSERT_EQ(0, unlink(file2_s1d2)); 3172 ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2)); 3173 3174 ASSERT_EQ(0, mknod(file1_s1d3, mode | 0400, dev)); 3175 ASSERT_EQ(0, link(file1_s1d3, file2_s1d3)); 3176 ASSERT_EQ(0, unlink(file2_s1d3)); 3177 ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3)); 3178 } 3179 3180 TEST_F_FORK(layout1, make_char) 3181 { 3182 /* Creates a /dev/null device. */ 3183 set_cap(_metadata, CAP_MKNOD); 3184 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR, 3185 makedev(1, 3)); 3186 } 3187 3188 TEST_F_FORK(layout1, make_block) 3189 { 3190 /* Creates a /dev/loop0 device. */ 3191 set_cap(_metadata, CAP_MKNOD); 3192 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK, 3193 makedev(7, 0)); 3194 } 3195 3196 TEST_F_FORK(layout1, make_reg_1) 3197 { 3198 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0); 3199 } 3200 3201 TEST_F_FORK(layout1, make_reg_2) 3202 { 3203 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, 0, 0); 3204 } 3205 3206 TEST_F_FORK(layout1, make_sock) 3207 { 3208 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0); 3209 } 3210 3211 TEST_F_FORK(layout1, make_fifo) 3212 { 3213 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0); 3214 } 3215 3216 TEST_F_FORK(layout1, make_sym) 3217 { 3218 const struct rule rules[] = { 3219 { 3220 .path = dir_s1d2, 3221 .access = LANDLOCK_ACCESS_FS_MAKE_SYM, 3222 }, 3223 {}, 3224 }; 3225 const int ruleset_fd = 3226 create_ruleset(_metadata, rules[0].access, rules); 3227 3228 ASSERT_LE(0, ruleset_fd); 3229 3230 ASSERT_EQ(0, unlink(file1_s1d1)); 3231 ASSERT_EQ(0, unlink(file2_s1d1)); 3232 ASSERT_EQ(0, symlink("none", file2_s1d1)); 3233 3234 ASSERT_EQ(0, unlink(file1_s1d2)); 3235 ASSERT_EQ(0, unlink(file2_s1d2)); 3236 3237 ASSERT_EQ(0, unlink(file1_s1d3)); 3238 ASSERT_EQ(0, unlink(file2_s1d3)); 3239 3240 enforce_ruleset(_metadata, ruleset_fd); 3241 ASSERT_EQ(0, close(ruleset_fd)); 3242 3243 ASSERT_EQ(-1, symlink("none", file1_s1d1)); 3244 ASSERT_EQ(EACCES, errno); 3245 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); 3246 ASSERT_EQ(EACCES, errno); 3247 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); 3248 ASSERT_EQ(EACCES, errno); 3249 3250 ASSERT_EQ(0, symlink("none", file1_s1d2)); 3251 ASSERT_EQ(0, link(file1_s1d2, file2_s1d2)); 3252 ASSERT_EQ(0, unlink(file2_s1d2)); 3253 ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2)); 3254 3255 ASSERT_EQ(0, symlink("none", file1_s1d3)); 3256 ASSERT_EQ(0, link(file1_s1d3, file2_s1d3)); 3257 ASSERT_EQ(0, unlink(file2_s1d3)); 3258 ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3)); 3259 } 3260 3261 TEST_F_FORK(layout1, make_dir) 3262 { 3263 const struct rule rules[] = { 3264 { 3265 .path = dir_s1d2, 3266 .access = LANDLOCK_ACCESS_FS_MAKE_DIR, 3267 }, 3268 {}, 3269 }; 3270 const int ruleset_fd = 3271 create_ruleset(_metadata, rules[0].access, rules); 3272 3273 ASSERT_LE(0, ruleset_fd); 3274 3275 ASSERT_EQ(0, unlink(file1_s1d1)); 3276 ASSERT_EQ(0, unlink(file1_s1d2)); 3277 ASSERT_EQ(0, unlink(file1_s1d3)); 3278 3279 enforce_ruleset(_metadata, ruleset_fd); 3280 ASSERT_EQ(0, close(ruleset_fd)); 3281 3282 /* Uses file_* as directory names. */ 3283 ASSERT_EQ(-1, mkdir(file1_s1d1, 0700)); 3284 ASSERT_EQ(EACCES, errno); 3285 ASSERT_EQ(0, mkdir(file1_s1d2, 0700)); 3286 ASSERT_EQ(0, mkdir(file1_s1d3, 0700)); 3287 } 3288 3289 static int open_proc_fd(struct __test_metadata *const _metadata, const int fd, 3290 const int open_flags) 3291 { 3292 static const char path_template[] = "/proc/self/fd/%d"; 3293 char procfd_path[sizeof(path_template) + 10]; 3294 const int procfd_path_size = 3295 snprintf(procfd_path, sizeof(procfd_path), path_template, fd); 3296 3297 ASSERT_LT(procfd_path_size, sizeof(procfd_path)); 3298 return open(procfd_path, open_flags); 3299 } 3300 3301 TEST_F_FORK(layout1, proc_unlinked_file) 3302 { 3303 const struct rule rules[] = { 3304 { 3305 .path = file1_s1d2, 3306 .access = LANDLOCK_ACCESS_FS_READ_FILE, 3307 }, 3308 {}, 3309 }; 3310 int reg_fd, proc_fd; 3311 const int ruleset_fd = create_ruleset( 3312 _metadata, 3313 LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE, 3314 rules); 3315 3316 ASSERT_LE(0, ruleset_fd); 3317 enforce_ruleset(_metadata, ruleset_fd); 3318 ASSERT_EQ(0, close(ruleset_fd)); 3319 3320 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR)); 3321 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 3322 reg_fd = open(file1_s1d2, O_RDONLY | O_CLOEXEC); 3323 ASSERT_LE(0, reg_fd); 3324 ASSERT_EQ(0, unlink(file1_s1d2)); 3325 3326 proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC); 3327 ASSERT_LE(0, proc_fd); 3328 ASSERT_EQ(0, close(proc_fd)); 3329 3330 proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC); 3331 ASSERT_EQ(-1, proc_fd) 3332 { 3333 TH_LOG("Successfully opened /proc/self/fd/%d: %s", reg_fd, 3334 strerror(errno)); 3335 } 3336 ASSERT_EQ(EACCES, errno); 3337 3338 ASSERT_EQ(0, close(reg_fd)); 3339 } 3340 3341 TEST_F_FORK(layout1, proc_pipe) 3342 { 3343 int proc_fd; 3344 int pipe_fds[2]; 3345 char buf = '\0'; 3346 const struct rule rules[] = { 3347 { 3348 .path = dir_s1d2, 3349 .access = LANDLOCK_ACCESS_FS_READ_FILE | 3350 LANDLOCK_ACCESS_FS_WRITE_FILE, 3351 }, 3352 {}, 3353 }; 3354 /* Limits read and write access to files tied to the filesystem. */ 3355 const int ruleset_fd = 3356 create_ruleset(_metadata, rules[0].access, rules); 3357 3358 ASSERT_LE(0, ruleset_fd); 3359 enforce_ruleset(_metadata, ruleset_fd); 3360 ASSERT_EQ(0, close(ruleset_fd)); 3361 3362 /* Checks enforcement for normal files. */ 3363 ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR)); 3364 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR)); 3365 3366 /* Checks access to pipes through FD. */ 3367 ASSERT_EQ(0, pipe2(pipe_fds, O_CLOEXEC)); 3368 ASSERT_EQ(1, write(pipe_fds[1], ".", 1)) 3369 { 3370 TH_LOG("Failed to write in pipe: %s", strerror(errno)); 3371 } 3372 ASSERT_EQ(1, read(pipe_fds[0], &buf, 1)); 3373 ASSERT_EQ('.', buf); 3374 3375 /* Checks write access to pipe through /proc/self/fd . */ 3376 proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC); 3377 ASSERT_LE(0, proc_fd); 3378 ASSERT_EQ(1, write(proc_fd, ".", 1)) 3379 { 3380 TH_LOG("Failed to write through /proc/self/fd/%d: %s", 3381 pipe_fds[1], strerror(errno)); 3382 } 3383 ASSERT_EQ(0, close(proc_fd)); 3384 3385 /* Checks read access to pipe through /proc/self/fd . */ 3386 proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC); 3387 ASSERT_LE(0, proc_fd); 3388 buf = '\0'; 3389 ASSERT_EQ(1, read(proc_fd, &buf, 1)) 3390 { 3391 TH_LOG("Failed to read through /proc/self/fd/%d: %s", 3392 pipe_fds[1], strerror(errno)); 3393 } 3394 ASSERT_EQ(0, close(proc_fd)); 3395 3396 ASSERT_EQ(0, close(pipe_fds[0])); 3397 ASSERT_EQ(0, close(pipe_fds[1])); 3398 } 3399 3400 /* Invokes truncate(2) and returns its errno or 0. */ 3401 static int test_truncate(const char *const path) 3402 { 3403 if (truncate(path, 10) < 0) 3404 return errno; 3405 return 0; 3406 } 3407 3408 /* 3409 * Invokes creat(2) and returns its errno or 0. 3410 * Closes the opened file descriptor on success. 3411 */ 3412 static int test_creat(const char *const path) 3413 { 3414 int fd = creat(path, 0600); 3415 3416 if (fd < 0) 3417 return errno; 3418 3419 /* 3420 * Mixing error codes from close(2) and creat(2) should not lead to any 3421 * (access type) confusion for this test. 3422 */ 3423 if (close(fd) < 0) 3424 return errno; 3425 return 0; 3426 } 3427 3428 /* 3429 * Exercises file truncation when it's not restricted, 3430 * as it was the case before LANDLOCK_ACCESS_FS_TRUNCATE existed. 3431 */ 3432 TEST_F_FORK(layout1, truncate_unhandled) 3433 { 3434 const char *const file_r = file1_s1d1; 3435 const char *const file_w = file2_s1d1; 3436 const char *const file_none = file1_s1d2; 3437 const struct rule rules[] = { 3438 { 3439 .path = file_r, 3440 .access = LANDLOCK_ACCESS_FS_READ_FILE, 3441 }, 3442 { 3443 .path = file_w, 3444 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 3445 }, 3446 /* Implicitly: No rights for file_none. */ 3447 {}, 3448 }; 3449 3450 const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE | 3451 LANDLOCK_ACCESS_FS_WRITE_FILE; 3452 int ruleset_fd; 3453 3454 /* Enable Landlock. */ 3455 ruleset_fd = create_ruleset(_metadata, handled, rules); 3456 3457 ASSERT_LE(0, ruleset_fd); 3458 enforce_ruleset(_metadata, ruleset_fd); 3459 ASSERT_EQ(0, close(ruleset_fd)); 3460 3461 /* 3462 * Checks read right: truncate and open with O_TRUNC work, unless the 3463 * file is attempted to be opened for writing. 3464 */ 3465 EXPECT_EQ(0, test_truncate(file_r)); 3466 EXPECT_EQ(0, test_open(file_r, O_RDONLY | O_TRUNC)); 3467 EXPECT_EQ(EACCES, test_open(file_r, O_WRONLY | O_TRUNC)); 3468 EXPECT_EQ(EACCES, test_creat(file_r)); 3469 3470 /* 3471 * Checks write right: truncate and open with O_TRUNC work, unless the 3472 * file is attempted to be opened for reading. 3473 */ 3474 EXPECT_EQ(0, test_truncate(file_w)); 3475 EXPECT_EQ(EACCES, test_open(file_w, O_RDONLY | O_TRUNC)); 3476 EXPECT_EQ(0, test_open(file_w, O_WRONLY | O_TRUNC)); 3477 EXPECT_EQ(0, test_creat(file_w)); 3478 3479 /* 3480 * Checks "no rights" case: truncate works but all open attempts fail, 3481 * including creat. 3482 */ 3483 EXPECT_EQ(0, test_truncate(file_none)); 3484 EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC)); 3485 EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC)); 3486 EXPECT_EQ(EACCES, test_creat(file_none)); 3487 } 3488 3489 TEST_F_FORK(layout1, truncate) 3490 { 3491 const char *const file_rwt = file1_s1d1; 3492 const char *const file_rw = file2_s1d1; 3493 const char *const file_rt = file1_s1d2; 3494 const char *const file_t = file2_s1d2; 3495 const char *const file_none = file1_s1d3; 3496 const char *const dir_t = dir_s2d1; 3497 const char *const file_in_dir_t = file1_s2d1; 3498 const char *const dir_w = dir_s3d1; 3499 const char *const file_in_dir_w = file1_s3d1; 3500 const struct rule rules[] = { 3501 { 3502 .path = file_rwt, 3503 .access = LANDLOCK_ACCESS_FS_READ_FILE | 3504 LANDLOCK_ACCESS_FS_WRITE_FILE | 3505 LANDLOCK_ACCESS_FS_TRUNCATE, 3506 }, 3507 { 3508 .path = file_rw, 3509 .access = LANDLOCK_ACCESS_FS_READ_FILE | 3510 LANDLOCK_ACCESS_FS_WRITE_FILE, 3511 }, 3512 { 3513 .path = file_rt, 3514 .access = LANDLOCK_ACCESS_FS_READ_FILE | 3515 LANDLOCK_ACCESS_FS_TRUNCATE, 3516 }, 3517 { 3518 .path = file_t, 3519 .access = LANDLOCK_ACCESS_FS_TRUNCATE, 3520 }, 3521 /* Implicitly: No access rights for file_none. */ 3522 { 3523 .path = dir_t, 3524 .access = LANDLOCK_ACCESS_FS_TRUNCATE, 3525 }, 3526 { 3527 .path = dir_w, 3528 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 3529 }, 3530 {}, 3531 }; 3532 const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE | 3533 LANDLOCK_ACCESS_FS_WRITE_FILE | 3534 LANDLOCK_ACCESS_FS_TRUNCATE; 3535 int ruleset_fd; 3536 3537 /* Enable Landlock. */ 3538 ruleset_fd = create_ruleset(_metadata, handled, rules); 3539 3540 ASSERT_LE(0, ruleset_fd); 3541 enforce_ruleset(_metadata, ruleset_fd); 3542 ASSERT_EQ(0, close(ruleset_fd)); 3543 3544 /* Checks read, write and truncate rights: truncation works. */ 3545 EXPECT_EQ(0, test_truncate(file_rwt)); 3546 EXPECT_EQ(0, test_open(file_rwt, O_RDONLY | O_TRUNC)); 3547 EXPECT_EQ(0, test_open(file_rwt, O_WRONLY | O_TRUNC)); 3548 3549 /* Checks read and write rights: no truncate variant works. */ 3550 EXPECT_EQ(EACCES, test_truncate(file_rw)); 3551 EXPECT_EQ(EACCES, test_open(file_rw, O_RDONLY | O_TRUNC)); 3552 EXPECT_EQ(EACCES, test_open(file_rw, O_WRONLY | O_TRUNC)); 3553 3554 /* 3555 * Checks read and truncate rights: truncation works. 3556 * 3557 * Note: Files can get truncated using open() even with O_RDONLY. 3558 */ 3559 EXPECT_EQ(0, test_truncate(file_rt)); 3560 EXPECT_EQ(0, test_open(file_rt, O_RDONLY | O_TRUNC)); 3561 EXPECT_EQ(EACCES, test_open(file_rt, O_WRONLY | O_TRUNC)); 3562 3563 /* Checks truncate right: truncate works, but can't open file. */ 3564 EXPECT_EQ(0, test_truncate(file_t)); 3565 EXPECT_EQ(EACCES, test_open(file_t, O_RDONLY | O_TRUNC)); 3566 EXPECT_EQ(EACCES, test_open(file_t, O_WRONLY | O_TRUNC)); 3567 3568 /* Checks "no rights" case: No form of truncation works. */ 3569 EXPECT_EQ(EACCES, test_truncate(file_none)); 3570 EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC)); 3571 EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC)); 3572 3573 /* 3574 * Checks truncate right on directory: truncate works on contained 3575 * files. 3576 */ 3577 EXPECT_EQ(0, test_truncate(file_in_dir_t)); 3578 EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_RDONLY | O_TRUNC)); 3579 EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_WRONLY | O_TRUNC)); 3580 3581 /* 3582 * Checks creat in dir_w: This requires the truncate right when 3583 * overwriting an existing file, but does not require it when the file 3584 * is new. 3585 */ 3586 EXPECT_EQ(EACCES, test_creat(file_in_dir_w)); 3587 3588 ASSERT_EQ(0, unlink(file_in_dir_w)); 3589 EXPECT_EQ(0, test_creat(file_in_dir_w)); 3590 } 3591 3592 /* Invokes ftruncate(2) and returns its errno or 0. */ 3593 static int test_ftruncate(int fd) 3594 { 3595 if (ftruncate(fd, 10) < 0) 3596 return errno; 3597 return 0; 3598 } 3599 3600 TEST_F_FORK(layout1, ftruncate) 3601 { 3602 /* 3603 * This test opens a new file descriptor at different stages of 3604 * Landlock restriction: 3605 * 3606 * without restriction: ftruncate works 3607 * something else but truncate restricted: ftruncate works 3608 * truncate restricted and permitted: ftruncate works 3609 * truncate restricted and not permitted: ftruncate fails 3610 * 3611 * Whether this works or not is expected to depend on the time when the 3612 * FD was opened, not to depend on the time when ftruncate() was 3613 * called. 3614 */ 3615 const char *const path = file1_s1d1; 3616 const __u64 handled1 = LANDLOCK_ACCESS_FS_READ_FILE | 3617 LANDLOCK_ACCESS_FS_WRITE_FILE; 3618 const struct rule layer1[] = { 3619 { 3620 .path = path, 3621 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 3622 }, 3623 {}, 3624 }; 3625 const __u64 handled2 = LANDLOCK_ACCESS_FS_TRUNCATE; 3626 const struct rule layer2[] = { 3627 { 3628 .path = path, 3629 .access = LANDLOCK_ACCESS_FS_TRUNCATE, 3630 }, 3631 {}, 3632 }; 3633 const __u64 handled3 = LANDLOCK_ACCESS_FS_TRUNCATE | 3634 LANDLOCK_ACCESS_FS_WRITE_FILE; 3635 const struct rule layer3[] = { 3636 { 3637 .path = path, 3638 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 3639 }, 3640 {}, 3641 }; 3642 int fd_layer0, fd_layer1, fd_layer2, fd_layer3, ruleset_fd; 3643 3644 fd_layer0 = open(path, O_WRONLY); 3645 EXPECT_EQ(0, test_ftruncate(fd_layer0)); 3646 3647 ruleset_fd = create_ruleset(_metadata, handled1, layer1); 3648 ASSERT_LE(0, ruleset_fd); 3649 enforce_ruleset(_metadata, ruleset_fd); 3650 ASSERT_EQ(0, close(ruleset_fd)); 3651 3652 fd_layer1 = open(path, O_WRONLY); 3653 EXPECT_EQ(0, test_ftruncate(fd_layer0)); 3654 EXPECT_EQ(0, test_ftruncate(fd_layer1)); 3655 3656 ruleset_fd = create_ruleset(_metadata, handled2, layer2); 3657 ASSERT_LE(0, ruleset_fd); 3658 enforce_ruleset(_metadata, ruleset_fd); 3659 ASSERT_EQ(0, close(ruleset_fd)); 3660 3661 fd_layer2 = open(path, O_WRONLY); 3662 EXPECT_EQ(0, test_ftruncate(fd_layer0)); 3663 EXPECT_EQ(0, test_ftruncate(fd_layer1)); 3664 EXPECT_EQ(0, test_ftruncate(fd_layer2)); 3665 3666 ruleset_fd = create_ruleset(_metadata, handled3, layer3); 3667 ASSERT_LE(0, ruleset_fd); 3668 enforce_ruleset(_metadata, ruleset_fd); 3669 ASSERT_EQ(0, close(ruleset_fd)); 3670 3671 fd_layer3 = open(path, O_WRONLY); 3672 EXPECT_EQ(0, test_ftruncate(fd_layer0)); 3673 EXPECT_EQ(0, test_ftruncate(fd_layer1)); 3674 EXPECT_EQ(0, test_ftruncate(fd_layer2)); 3675 EXPECT_EQ(EACCES, test_ftruncate(fd_layer3)); 3676 3677 ASSERT_EQ(0, close(fd_layer0)); 3678 ASSERT_EQ(0, close(fd_layer1)); 3679 ASSERT_EQ(0, close(fd_layer2)); 3680 ASSERT_EQ(0, close(fd_layer3)); 3681 } 3682 3683 /* clang-format off */ 3684 FIXTURE(ftruncate) {}; 3685 /* clang-format on */ 3686 3687 FIXTURE_SETUP(ftruncate) 3688 { 3689 prepare_layout(_metadata); 3690 create_file(_metadata, file1_s1d1); 3691 } 3692 3693 FIXTURE_TEARDOWN_PARENT(ftruncate) 3694 { 3695 EXPECT_EQ(0, remove_path(file1_s1d1)); 3696 cleanup_layout(_metadata); 3697 } 3698 3699 FIXTURE_VARIANT(ftruncate) 3700 { 3701 const __u64 handled; 3702 const __u64 allowed; 3703 const int expected_open_result; 3704 const int expected_ftruncate_result; 3705 }; 3706 3707 /* clang-format off */ 3708 FIXTURE_VARIANT_ADD(ftruncate, w_w) { 3709 /* clang-format on */ 3710 .handled = LANDLOCK_ACCESS_FS_WRITE_FILE, 3711 .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE, 3712 .expected_open_result = 0, 3713 .expected_ftruncate_result = 0, 3714 }; 3715 3716 /* clang-format off */ 3717 FIXTURE_VARIANT_ADD(ftruncate, t_t) { 3718 /* clang-format on */ 3719 .handled = LANDLOCK_ACCESS_FS_TRUNCATE, 3720 .allowed = LANDLOCK_ACCESS_FS_TRUNCATE, 3721 .expected_open_result = 0, 3722 .expected_ftruncate_result = 0, 3723 }; 3724 3725 /* clang-format off */ 3726 FIXTURE_VARIANT_ADD(ftruncate, wt_w) { 3727 /* clang-format on */ 3728 .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, 3729 .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE, 3730 .expected_open_result = 0, 3731 .expected_ftruncate_result = EACCES, 3732 }; 3733 3734 /* clang-format off */ 3735 FIXTURE_VARIANT_ADD(ftruncate, wt_wt) { 3736 /* clang-format on */ 3737 .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, 3738 .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, 3739 .expected_open_result = 0, 3740 .expected_ftruncate_result = 0, 3741 }; 3742 3743 /* clang-format off */ 3744 FIXTURE_VARIANT_ADD(ftruncate, wt_t) { 3745 /* clang-format on */ 3746 .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, 3747 .allowed = LANDLOCK_ACCESS_FS_TRUNCATE, 3748 .expected_open_result = EACCES, 3749 }; 3750 3751 TEST_F_FORK(ftruncate, open_and_ftruncate) 3752 { 3753 const char *const path = file1_s1d1; 3754 const struct rule rules[] = { 3755 { 3756 .path = path, 3757 .access = variant->allowed, 3758 }, 3759 {}, 3760 }; 3761 int fd, ruleset_fd; 3762 3763 /* Enable Landlock. */ 3764 ruleset_fd = create_ruleset(_metadata, variant->handled, rules); 3765 ASSERT_LE(0, ruleset_fd); 3766 enforce_ruleset(_metadata, ruleset_fd); 3767 ASSERT_EQ(0, close(ruleset_fd)); 3768 3769 fd = open(path, O_WRONLY); 3770 EXPECT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0)); 3771 if (fd >= 0) { 3772 EXPECT_EQ(variant->expected_ftruncate_result, 3773 test_ftruncate(fd)); 3774 ASSERT_EQ(0, close(fd)); 3775 } 3776 } 3777 3778 TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes) 3779 { 3780 int child, fd, status; 3781 int socket_fds[2]; 3782 3783 ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, 3784 socket_fds)); 3785 3786 child = fork(); 3787 ASSERT_LE(0, child); 3788 if (child == 0) { 3789 /* 3790 * Enables Landlock in the child process, open a file descriptor 3791 * where truncation is forbidden and send it to the 3792 * non-landlocked parent process. 3793 */ 3794 const char *const path = file1_s1d1; 3795 const struct rule rules[] = { 3796 { 3797 .path = path, 3798 .access = variant->allowed, 3799 }, 3800 {}, 3801 }; 3802 int fd, ruleset_fd; 3803 3804 ruleset_fd = create_ruleset(_metadata, variant->handled, rules); 3805 ASSERT_LE(0, ruleset_fd); 3806 enforce_ruleset(_metadata, ruleset_fd); 3807 ASSERT_EQ(0, close(ruleset_fd)); 3808 3809 fd = open(path, O_WRONLY); 3810 ASSERT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0)); 3811 3812 if (fd >= 0) { 3813 ASSERT_EQ(0, send_fd(socket_fds[0], fd)); 3814 ASSERT_EQ(0, close(fd)); 3815 } 3816 3817 ASSERT_EQ(0, close(socket_fds[0])); 3818 3819 _exit(_metadata->exit_code); 3820 return; 3821 } 3822 3823 if (variant->expected_open_result == 0) { 3824 fd = recv_fd(socket_fds[1]); 3825 ASSERT_LE(0, fd); 3826 3827 EXPECT_EQ(variant->expected_ftruncate_result, 3828 test_ftruncate(fd)); 3829 ASSERT_EQ(0, close(fd)); 3830 } 3831 3832 ASSERT_EQ(child, waitpid(child, &status, 0)); 3833 ASSERT_EQ(1, WIFEXITED(status)); 3834 ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); 3835 3836 ASSERT_EQ(0, close(socket_fds[0])); 3837 ASSERT_EQ(0, close(socket_fds[1])); 3838 } 3839 3840 TEST(memfd_ftruncate) 3841 { 3842 int fd; 3843 3844 fd = memfd_create("name", MFD_CLOEXEC); 3845 ASSERT_LE(0, fd); 3846 3847 /* 3848 * Checks that ftruncate is permitted on file descriptors that are 3849 * created in ways other than open(2). 3850 */ 3851 EXPECT_EQ(0, test_ftruncate(fd)); 3852 3853 ASSERT_EQ(0, close(fd)); 3854 } 3855 3856 /* clang-format off */ 3857 FIXTURE(layout1_bind) {}; 3858 /* clang-format on */ 3859 3860 FIXTURE_SETUP(layout1_bind) 3861 { 3862 prepare_layout(_metadata); 3863 3864 create_layout1(_metadata); 3865 3866 set_cap(_metadata, CAP_SYS_ADMIN); 3867 ASSERT_EQ(0, mount(dir_s1d2, dir_s2d2, NULL, MS_BIND, NULL)); 3868 clear_cap(_metadata, CAP_SYS_ADMIN); 3869 } 3870 3871 FIXTURE_TEARDOWN_PARENT(layout1_bind) 3872 { 3873 /* umount(dir_s2d2)) is handled by namespace lifetime. */ 3874 3875 remove_layout1(_metadata); 3876 3877 cleanup_layout(_metadata); 3878 } 3879 3880 static const char bind_dir_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3"; 3881 static const char bind_file1_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3/f1"; 3882 3883 /* 3884 * layout1_bind hierarchy: 3885 * 3886 * tmp 3887 * ├── s1d1 3888 * │ ├── f1 3889 * │ ├── f2 3890 * │ └── s1d2 3891 * │ ├── f1 3892 * │ ├── f2 3893 * │ └── s1d3 3894 * │ ├── f1 3895 * │ └── f2 3896 * ├── s2d1 3897 * │ ├── f1 3898 * │ └── s2d2 3899 * │ ├── f1 3900 * │ ├── f2 3901 * │ └── s1d3 3902 * │ ├── f1 3903 * │ └── f2 3904 * └── s3d1 3905 * └── s3d2 3906 * └── s3d3 3907 */ 3908 3909 TEST_F_FORK(layout1_bind, no_restriction) 3910 { 3911 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY)); 3912 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); 3913 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); 3914 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 3915 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); 3916 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 3917 3918 ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY)); 3919 ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY)); 3920 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY)); 3921 ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY)); 3922 ASSERT_EQ(ENOENT, test_open(dir_s2d3, O_RDONLY)); 3923 ASSERT_EQ(ENOENT, test_open(file1_s2d3, O_RDONLY)); 3924 3925 ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY)); 3926 ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY)); 3927 3928 ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY)); 3929 } 3930 3931 TEST_F_FORK(layout1_bind, same_content_same_file) 3932 { 3933 /* 3934 * Sets access right on parent directories of both source and 3935 * destination mount points. 3936 */ 3937 const struct rule layer1_parent[] = { 3938 { 3939 .path = dir_s1d1, 3940 .access = ACCESS_RO, 3941 }, 3942 { 3943 .path = dir_s2d1, 3944 .access = ACCESS_RW, 3945 }, 3946 {}, 3947 }; 3948 /* 3949 * Sets access rights on the same bind-mounted directories. The result 3950 * should be ACCESS_RW for both directories, but not both hierarchies 3951 * because of the first layer. 3952 */ 3953 const struct rule layer2_mount_point[] = { 3954 { 3955 .path = dir_s1d2, 3956 .access = LANDLOCK_ACCESS_FS_READ_FILE, 3957 }, 3958 { 3959 .path = dir_s2d2, 3960 .access = ACCESS_RW, 3961 }, 3962 {}, 3963 }; 3964 /* Only allow read-access to the s1d3 hierarchies. */ 3965 const struct rule layer3_source[] = { 3966 { 3967 .path = dir_s1d3, 3968 .access = LANDLOCK_ACCESS_FS_READ_FILE, 3969 }, 3970 {}, 3971 }; 3972 /* Removes all access rights. */ 3973 const struct rule layer4_destination[] = { 3974 { 3975 .path = bind_file1_s1d3, 3976 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, 3977 }, 3978 {}, 3979 }; 3980 int ruleset_fd; 3981 3982 /* Sets rules for the parent directories. */ 3983 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_parent); 3984 ASSERT_LE(0, ruleset_fd); 3985 enforce_ruleset(_metadata, ruleset_fd); 3986 ASSERT_EQ(0, close(ruleset_fd)); 3987 3988 /* Checks source hierarchy. */ 3989 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); 3990 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 3991 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 3992 3993 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 3994 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 3995 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 3996 3997 /* Checks destination hierarchy. */ 3998 ASSERT_EQ(0, test_open(file1_s2d1, O_RDWR)); 3999 ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY)); 4000 4001 ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR)); 4002 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY)); 4003 4004 /* Sets rules for the mount points. */ 4005 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_mount_point); 4006 ASSERT_LE(0, ruleset_fd); 4007 enforce_ruleset(_metadata, ruleset_fd); 4008 ASSERT_EQ(0, close(ruleset_fd)); 4009 4010 /* Checks source hierarchy. */ 4011 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); 4012 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); 4013 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 4014 4015 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); 4016 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 4017 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 4018 4019 /* Checks destination hierarchy. */ 4020 ASSERT_EQ(EACCES, test_open(file1_s2d1, O_RDONLY)); 4021 ASSERT_EQ(EACCES, test_open(file1_s2d1, O_WRONLY)); 4022 ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY)); 4023 4024 ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR)); 4025 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY)); 4026 ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY)); 4027 4028 /* Sets a (shared) rule only on the source. */ 4029 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_source); 4030 ASSERT_LE(0, ruleset_fd); 4031 enforce_ruleset(_metadata, ruleset_fd); 4032 ASSERT_EQ(0, close(ruleset_fd)); 4033 4034 /* Checks source hierarchy. */ 4035 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY)); 4036 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY)); 4037 ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); 4038 4039 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); 4040 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 4041 ASSERT_EQ(EACCES, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY)); 4042 4043 /* Checks destination hierarchy. */ 4044 ASSERT_EQ(EACCES, test_open(file1_s2d2, O_RDONLY)); 4045 ASSERT_EQ(EACCES, test_open(file1_s2d2, O_WRONLY)); 4046 ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY)); 4047 4048 ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY)); 4049 ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY)); 4050 ASSERT_EQ(EACCES, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY)); 4051 4052 /* Sets a (shared) rule only on the destination. */ 4053 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_destination); 4054 ASSERT_LE(0, ruleset_fd); 4055 enforce_ruleset(_metadata, ruleset_fd); 4056 ASSERT_EQ(0, close(ruleset_fd)); 4057 4058 /* Checks source hierarchy. */ 4059 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY)); 4060 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY)); 4061 4062 /* Checks destination hierarchy. */ 4063 ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_RDONLY)); 4064 ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY)); 4065 } 4066 4067 TEST_F_FORK(layout1_bind, reparent_cross_mount) 4068 { 4069 const struct rule layer1[] = { 4070 { 4071 /* dir_s2d1 is beneath the dir_s2d2 mount point. */ 4072 .path = dir_s2d1, 4073 .access = LANDLOCK_ACCESS_FS_REFER, 4074 }, 4075 { 4076 .path = bind_dir_s1d3, 4077 .access = LANDLOCK_ACCESS_FS_EXECUTE, 4078 }, 4079 {}, 4080 }; 4081 int ruleset_fd = create_ruleset( 4082 _metadata, 4083 LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_EXECUTE, layer1); 4084 4085 ASSERT_LE(0, ruleset_fd); 4086 enforce_ruleset(_metadata, ruleset_fd); 4087 ASSERT_EQ(0, close(ruleset_fd)); 4088 4089 /* Checks basic denied move. */ 4090 ASSERT_EQ(-1, rename(file1_s1d1, file1_s1d2)); 4091 ASSERT_EQ(EXDEV, errno); 4092 4093 /* Checks real cross-mount move (Landlock is not involved). */ 4094 ASSERT_EQ(-1, rename(file1_s2d1, file1_s2d2)); 4095 ASSERT_EQ(EXDEV, errno); 4096 4097 /* Checks move that will give more accesses. */ 4098 ASSERT_EQ(-1, rename(file1_s2d2, bind_file1_s1d3)); 4099 ASSERT_EQ(EXDEV, errno); 4100 4101 /* Checks legitimate downgrade move. */ 4102 ASSERT_EQ(0, rename(bind_file1_s1d3, file1_s2d2)); 4103 } 4104 4105 #define LOWER_BASE TMP_DIR "/lower" 4106 #define LOWER_DATA LOWER_BASE "/data" 4107 static const char lower_fl1[] = LOWER_DATA "/fl1"; 4108 static const char lower_dl1[] = LOWER_DATA "/dl1"; 4109 static const char lower_dl1_fl2[] = LOWER_DATA "/dl1/fl2"; 4110 static const char lower_fo1[] = LOWER_DATA "/fo1"; 4111 static const char lower_do1[] = LOWER_DATA "/do1"; 4112 static const char lower_do1_fo2[] = LOWER_DATA "/do1/fo2"; 4113 static const char lower_do1_fl3[] = LOWER_DATA "/do1/fl3"; 4114 4115 static const char (*lower_base_files[])[] = { 4116 &lower_fl1, 4117 &lower_fo1, 4118 NULL, 4119 }; 4120 static const char (*lower_base_directories[])[] = { 4121 &lower_dl1, 4122 &lower_do1, 4123 NULL, 4124 }; 4125 static const char (*lower_sub_files[])[] = { 4126 &lower_dl1_fl2, 4127 &lower_do1_fo2, 4128 &lower_do1_fl3, 4129 NULL, 4130 }; 4131 4132 #define UPPER_BASE TMP_DIR "/upper" 4133 #define UPPER_DATA UPPER_BASE "/data" 4134 #define UPPER_WORK UPPER_BASE "/work" 4135 static const char upper_fu1[] = UPPER_DATA "/fu1"; 4136 static const char upper_du1[] = UPPER_DATA "/du1"; 4137 static const char upper_du1_fu2[] = UPPER_DATA "/du1/fu2"; 4138 static const char upper_fo1[] = UPPER_DATA "/fo1"; 4139 static const char upper_do1[] = UPPER_DATA "/do1"; 4140 static const char upper_do1_fo2[] = UPPER_DATA "/do1/fo2"; 4141 static const char upper_do1_fu3[] = UPPER_DATA "/do1/fu3"; 4142 4143 static const char (*upper_base_files[])[] = { 4144 &upper_fu1, 4145 &upper_fo1, 4146 NULL, 4147 }; 4148 static const char (*upper_base_directories[])[] = { 4149 &upper_du1, 4150 &upper_do1, 4151 NULL, 4152 }; 4153 static const char (*upper_sub_files[])[] = { 4154 &upper_du1_fu2, 4155 &upper_do1_fo2, 4156 &upper_do1_fu3, 4157 NULL, 4158 }; 4159 4160 #define MERGE_BASE TMP_DIR "/merge" 4161 #define MERGE_DATA MERGE_BASE "/data" 4162 static const char merge_fl1[] = MERGE_DATA "/fl1"; 4163 static const char merge_dl1[] = MERGE_DATA "/dl1"; 4164 static const char merge_dl1_fl2[] = MERGE_DATA "/dl1/fl2"; 4165 static const char merge_fu1[] = MERGE_DATA "/fu1"; 4166 static const char merge_du1[] = MERGE_DATA "/du1"; 4167 static const char merge_du1_fu2[] = MERGE_DATA "/du1/fu2"; 4168 static const char merge_fo1[] = MERGE_DATA "/fo1"; 4169 static const char merge_do1[] = MERGE_DATA "/do1"; 4170 static const char merge_do1_fo2[] = MERGE_DATA "/do1/fo2"; 4171 static const char merge_do1_fl3[] = MERGE_DATA "/do1/fl3"; 4172 static const char merge_do1_fu3[] = MERGE_DATA "/do1/fu3"; 4173 4174 static const char (*merge_base_files[])[] = { 4175 &merge_fl1, 4176 &merge_fu1, 4177 &merge_fo1, 4178 NULL, 4179 }; 4180 static const char (*merge_base_directories[])[] = { 4181 &merge_dl1, 4182 &merge_du1, 4183 &merge_do1, 4184 NULL, 4185 }; 4186 static const char (*merge_sub_files[])[] = { 4187 &merge_dl1_fl2, &merge_du1_fu2, &merge_do1_fo2, 4188 &merge_do1_fl3, &merge_do1_fu3, NULL, 4189 }; 4190 4191 /* 4192 * layout2_overlay hierarchy: 4193 * 4194 * tmp 4195 * ├── lower 4196 * │ └── data 4197 * │ ├── dl1 4198 * │ │ └── fl2 4199 * │ ├── do1 4200 * │ │ ├── fl3 4201 * │ │ └── fo2 4202 * │ ├── fl1 4203 * │ └── fo1 4204 * ├── merge 4205 * │ └── data 4206 * │ ├── dl1 4207 * │ │ └── fl2 4208 * │ ├── do1 4209 * │ │ ├── fl3 4210 * │ │ ├── fo2 4211 * │ │ └── fu3 4212 * │ ├── du1 4213 * │ │ └── fu2 4214 * │ ├── fl1 4215 * │ ├── fo1 4216 * │ └── fu1 4217 * └── upper 4218 * ├── data 4219 * │ ├── do1 4220 * │ │ ├── fo2 4221 * │ │ └── fu3 4222 * │ ├── du1 4223 * │ │ └── fu2 4224 * │ ├── fo1 4225 * │ └── fu1 4226 * └── work 4227 * └── work 4228 */ 4229 4230 FIXTURE(layout2_overlay) 4231 { 4232 bool skip_test; 4233 }; 4234 4235 FIXTURE_SETUP(layout2_overlay) 4236 { 4237 if (!supports_filesystem("overlay")) { 4238 self->skip_test = true; 4239 SKIP(return, "overlayfs is not supported (setup)"); 4240 } 4241 4242 prepare_layout(_metadata); 4243 4244 create_directory(_metadata, LOWER_BASE); 4245 set_cap(_metadata, CAP_SYS_ADMIN); 4246 /* Creates tmpfs mount points to get deterministic overlayfs. */ 4247 ASSERT_EQ(0, mount_opt(&mnt_tmp, LOWER_BASE)); 4248 clear_cap(_metadata, CAP_SYS_ADMIN); 4249 create_file(_metadata, lower_fl1); 4250 create_file(_metadata, lower_dl1_fl2); 4251 create_file(_metadata, lower_fo1); 4252 create_file(_metadata, lower_do1_fo2); 4253 create_file(_metadata, lower_do1_fl3); 4254 4255 create_directory(_metadata, UPPER_BASE); 4256 set_cap(_metadata, CAP_SYS_ADMIN); 4257 ASSERT_EQ(0, mount_opt(&mnt_tmp, UPPER_BASE)); 4258 clear_cap(_metadata, CAP_SYS_ADMIN); 4259 create_file(_metadata, upper_fu1); 4260 create_file(_metadata, upper_du1_fu2); 4261 create_file(_metadata, upper_fo1); 4262 create_file(_metadata, upper_do1_fo2); 4263 create_file(_metadata, upper_do1_fu3); 4264 ASSERT_EQ(0, mkdir(UPPER_WORK, 0700)); 4265 4266 create_directory(_metadata, MERGE_DATA); 4267 set_cap(_metadata, CAP_SYS_ADMIN); 4268 set_cap(_metadata, CAP_DAC_OVERRIDE); 4269 ASSERT_EQ(0, mount("overlay", MERGE_DATA, "overlay", 0, 4270 "lowerdir=" LOWER_DATA ",upperdir=" UPPER_DATA 4271 ",workdir=" UPPER_WORK)); 4272 clear_cap(_metadata, CAP_DAC_OVERRIDE); 4273 clear_cap(_metadata, CAP_SYS_ADMIN); 4274 } 4275 4276 FIXTURE_TEARDOWN_PARENT(layout2_overlay) 4277 { 4278 if (self->skip_test) 4279 SKIP(return, "overlayfs is not supported (teardown)"); 4280 4281 EXPECT_EQ(0, remove_path(lower_do1_fl3)); 4282 EXPECT_EQ(0, remove_path(lower_dl1_fl2)); 4283 EXPECT_EQ(0, remove_path(lower_fl1)); 4284 EXPECT_EQ(0, remove_path(lower_do1_fo2)); 4285 EXPECT_EQ(0, remove_path(lower_fo1)); 4286 4287 /* umount(LOWER_BASE)) is handled by namespace lifetime. */ 4288 EXPECT_EQ(0, remove_path(LOWER_BASE)); 4289 4290 EXPECT_EQ(0, remove_path(upper_do1_fu3)); 4291 EXPECT_EQ(0, remove_path(upper_du1_fu2)); 4292 EXPECT_EQ(0, remove_path(upper_fu1)); 4293 EXPECT_EQ(0, remove_path(upper_do1_fo2)); 4294 EXPECT_EQ(0, remove_path(upper_fo1)); 4295 EXPECT_EQ(0, remove_path(UPPER_WORK "/work")); 4296 4297 /* umount(UPPER_BASE)) is handled by namespace lifetime. */ 4298 EXPECT_EQ(0, remove_path(UPPER_BASE)); 4299 4300 /* umount(MERGE_DATA)) is handled by namespace lifetime. */ 4301 EXPECT_EQ(0, remove_path(MERGE_DATA)); 4302 4303 cleanup_layout(_metadata); 4304 } 4305 4306 TEST_F_FORK(layout2_overlay, no_restriction) 4307 { 4308 if (self->skip_test) 4309 SKIP(return, "overlayfs is not supported (test)"); 4310 4311 ASSERT_EQ(0, test_open(lower_fl1, O_RDONLY)); 4312 ASSERT_EQ(0, test_open(lower_dl1, O_RDONLY)); 4313 ASSERT_EQ(0, test_open(lower_dl1_fl2, O_RDONLY)); 4314 ASSERT_EQ(0, test_open(lower_fo1, O_RDONLY)); 4315 ASSERT_EQ(0, test_open(lower_do1, O_RDONLY)); 4316 ASSERT_EQ(0, test_open(lower_do1_fo2, O_RDONLY)); 4317 ASSERT_EQ(0, test_open(lower_do1_fl3, O_RDONLY)); 4318 4319 ASSERT_EQ(0, test_open(upper_fu1, O_RDONLY)); 4320 ASSERT_EQ(0, test_open(upper_du1, O_RDONLY)); 4321 ASSERT_EQ(0, test_open(upper_du1_fu2, O_RDONLY)); 4322 ASSERT_EQ(0, test_open(upper_fo1, O_RDONLY)); 4323 ASSERT_EQ(0, test_open(upper_do1, O_RDONLY)); 4324 ASSERT_EQ(0, test_open(upper_do1_fo2, O_RDONLY)); 4325 ASSERT_EQ(0, test_open(upper_do1_fu3, O_RDONLY)); 4326 4327 ASSERT_EQ(0, test_open(merge_fl1, O_RDONLY)); 4328 ASSERT_EQ(0, test_open(merge_dl1, O_RDONLY)); 4329 ASSERT_EQ(0, test_open(merge_dl1_fl2, O_RDONLY)); 4330 ASSERT_EQ(0, test_open(merge_fu1, O_RDONLY)); 4331 ASSERT_EQ(0, test_open(merge_du1, O_RDONLY)); 4332 ASSERT_EQ(0, test_open(merge_du1_fu2, O_RDONLY)); 4333 ASSERT_EQ(0, test_open(merge_fo1, O_RDONLY)); 4334 ASSERT_EQ(0, test_open(merge_do1, O_RDONLY)); 4335 ASSERT_EQ(0, test_open(merge_do1_fo2, O_RDONLY)); 4336 ASSERT_EQ(0, test_open(merge_do1_fl3, O_RDONLY)); 4337 ASSERT_EQ(0, test_open(merge_do1_fu3, O_RDONLY)); 4338 } 4339 4340 #define for_each_path(path_list, path_entry, i) \ 4341 for (i = 0, path_entry = *path_list[i]; path_list[i]; \ 4342 path_entry = *path_list[++i]) 4343 4344 TEST_F_FORK(layout2_overlay, same_content_different_file) 4345 { 4346 /* Sets access right on parent directories of both layers. */ 4347 const struct rule layer1_base[] = { 4348 { 4349 .path = LOWER_BASE, 4350 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4351 }, 4352 { 4353 .path = UPPER_BASE, 4354 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4355 }, 4356 { 4357 .path = MERGE_BASE, 4358 .access = ACCESS_RW, 4359 }, 4360 {}, 4361 }; 4362 const struct rule layer2_data[] = { 4363 { 4364 .path = LOWER_DATA, 4365 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4366 }, 4367 { 4368 .path = UPPER_DATA, 4369 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4370 }, 4371 { 4372 .path = MERGE_DATA, 4373 .access = ACCESS_RW, 4374 }, 4375 {}, 4376 }; 4377 /* Sets access right on directories inside both layers. */ 4378 const struct rule layer3_subdirs[] = { 4379 { 4380 .path = lower_dl1, 4381 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4382 }, 4383 { 4384 .path = lower_do1, 4385 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4386 }, 4387 { 4388 .path = upper_du1, 4389 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4390 }, 4391 { 4392 .path = upper_do1, 4393 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4394 }, 4395 { 4396 .path = merge_dl1, 4397 .access = ACCESS_RW, 4398 }, 4399 { 4400 .path = merge_du1, 4401 .access = ACCESS_RW, 4402 }, 4403 { 4404 .path = merge_do1, 4405 .access = ACCESS_RW, 4406 }, 4407 {}, 4408 }; 4409 /* Tighten access rights to the files. */ 4410 const struct rule layer4_files[] = { 4411 { 4412 .path = lower_dl1_fl2, 4413 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4414 }, 4415 { 4416 .path = lower_do1_fo2, 4417 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4418 }, 4419 { 4420 .path = lower_do1_fl3, 4421 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4422 }, 4423 { 4424 .path = upper_du1_fu2, 4425 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4426 }, 4427 { 4428 .path = upper_do1_fo2, 4429 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4430 }, 4431 { 4432 .path = upper_do1_fu3, 4433 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4434 }, 4435 { 4436 .path = merge_dl1_fl2, 4437 .access = LANDLOCK_ACCESS_FS_READ_FILE | 4438 LANDLOCK_ACCESS_FS_WRITE_FILE, 4439 }, 4440 { 4441 .path = merge_du1_fu2, 4442 .access = LANDLOCK_ACCESS_FS_READ_FILE | 4443 LANDLOCK_ACCESS_FS_WRITE_FILE, 4444 }, 4445 { 4446 .path = merge_do1_fo2, 4447 .access = LANDLOCK_ACCESS_FS_READ_FILE | 4448 LANDLOCK_ACCESS_FS_WRITE_FILE, 4449 }, 4450 { 4451 .path = merge_do1_fl3, 4452 .access = LANDLOCK_ACCESS_FS_READ_FILE | 4453 LANDLOCK_ACCESS_FS_WRITE_FILE, 4454 }, 4455 { 4456 .path = merge_do1_fu3, 4457 .access = LANDLOCK_ACCESS_FS_READ_FILE | 4458 LANDLOCK_ACCESS_FS_WRITE_FILE, 4459 }, 4460 {}, 4461 }; 4462 const struct rule layer5_merge_only[] = { 4463 { 4464 .path = MERGE_DATA, 4465 .access = LANDLOCK_ACCESS_FS_READ_FILE | 4466 LANDLOCK_ACCESS_FS_WRITE_FILE, 4467 }, 4468 {}, 4469 }; 4470 int ruleset_fd; 4471 size_t i; 4472 const char *path_entry; 4473 4474 if (self->skip_test) 4475 SKIP(return, "overlayfs is not supported (test)"); 4476 4477 /* Sets rules on base directories (i.e. outside overlay scope). */ 4478 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base); 4479 ASSERT_LE(0, ruleset_fd); 4480 enforce_ruleset(_metadata, ruleset_fd); 4481 ASSERT_EQ(0, close(ruleset_fd)); 4482 4483 /* Checks lower layer. */ 4484 for_each_path(lower_base_files, path_entry, i) { 4485 ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); 4486 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); 4487 } 4488 for_each_path(lower_base_directories, path_entry, i) { 4489 ASSERT_EQ(EACCES, 4490 test_open(path_entry, O_RDONLY | O_DIRECTORY)); 4491 } 4492 for_each_path(lower_sub_files, path_entry, i) { 4493 ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); 4494 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); 4495 } 4496 /* Checks upper layer. */ 4497 for_each_path(upper_base_files, path_entry, i) { 4498 ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); 4499 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); 4500 } 4501 for_each_path(upper_base_directories, path_entry, i) { 4502 ASSERT_EQ(EACCES, 4503 test_open(path_entry, O_RDONLY | O_DIRECTORY)); 4504 } 4505 for_each_path(upper_sub_files, path_entry, i) { 4506 ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); 4507 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); 4508 } 4509 /* 4510 * Checks that access rights are independent from the lower and upper 4511 * layers: write access to upper files viewed through the merge point 4512 * is still allowed, and write access to lower file viewed (and copied) 4513 * through the merge point is still allowed. 4514 */ 4515 for_each_path(merge_base_files, path_entry, i) { 4516 ASSERT_EQ(0, test_open(path_entry, O_RDWR)); 4517 } 4518 for_each_path(merge_base_directories, path_entry, i) { 4519 ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY)); 4520 } 4521 for_each_path(merge_sub_files, path_entry, i) { 4522 ASSERT_EQ(0, test_open(path_entry, O_RDWR)); 4523 } 4524 4525 /* Sets rules on data directories (i.e. inside overlay scope). */ 4526 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_data); 4527 ASSERT_LE(0, ruleset_fd); 4528 enforce_ruleset(_metadata, ruleset_fd); 4529 ASSERT_EQ(0, close(ruleset_fd)); 4530 4531 /* Checks merge. */ 4532 for_each_path(merge_base_files, path_entry, i) { 4533 ASSERT_EQ(0, test_open(path_entry, O_RDWR)); 4534 } 4535 for_each_path(merge_base_directories, path_entry, i) { 4536 ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY)); 4537 } 4538 for_each_path(merge_sub_files, path_entry, i) { 4539 ASSERT_EQ(0, test_open(path_entry, O_RDWR)); 4540 } 4541 4542 /* Same checks with tighter rules. */ 4543 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_subdirs); 4544 ASSERT_LE(0, ruleset_fd); 4545 enforce_ruleset(_metadata, ruleset_fd); 4546 ASSERT_EQ(0, close(ruleset_fd)); 4547 4548 /* Checks changes for lower layer. */ 4549 for_each_path(lower_base_files, path_entry, i) { 4550 ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY)); 4551 } 4552 /* Checks changes for upper layer. */ 4553 for_each_path(upper_base_files, path_entry, i) { 4554 ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY)); 4555 } 4556 /* Checks all merge accesses. */ 4557 for_each_path(merge_base_files, path_entry, i) { 4558 ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR)); 4559 } 4560 for_each_path(merge_base_directories, path_entry, i) { 4561 ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY)); 4562 } 4563 for_each_path(merge_sub_files, path_entry, i) { 4564 ASSERT_EQ(0, test_open(path_entry, O_RDWR)); 4565 } 4566 4567 /* Sets rules directly on overlayed files. */ 4568 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_files); 4569 ASSERT_LE(0, ruleset_fd); 4570 enforce_ruleset(_metadata, ruleset_fd); 4571 ASSERT_EQ(0, close(ruleset_fd)); 4572 4573 /* Checks unchanged accesses on lower layer. */ 4574 for_each_path(lower_sub_files, path_entry, i) { 4575 ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); 4576 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); 4577 } 4578 /* Checks unchanged accesses on upper layer. */ 4579 for_each_path(upper_sub_files, path_entry, i) { 4580 ASSERT_EQ(0, test_open(path_entry, O_RDONLY)); 4581 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY)); 4582 } 4583 /* Checks all merge accesses. */ 4584 for_each_path(merge_base_files, path_entry, i) { 4585 ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR)); 4586 } 4587 for_each_path(merge_base_directories, path_entry, i) { 4588 ASSERT_EQ(EACCES, 4589 test_open(path_entry, O_RDONLY | O_DIRECTORY)); 4590 } 4591 for_each_path(merge_sub_files, path_entry, i) { 4592 ASSERT_EQ(0, test_open(path_entry, O_RDWR)); 4593 } 4594 4595 /* Only allowes access to the merge hierarchy. */ 4596 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer5_merge_only); 4597 ASSERT_LE(0, ruleset_fd); 4598 enforce_ruleset(_metadata, ruleset_fd); 4599 ASSERT_EQ(0, close(ruleset_fd)); 4600 4601 /* Checks new accesses on lower layer. */ 4602 for_each_path(lower_sub_files, path_entry, i) { 4603 ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY)); 4604 } 4605 /* Checks new accesses on upper layer. */ 4606 for_each_path(upper_sub_files, path_entry, i) { 4607 ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY)); 4608 } 4609 /* Checks all merge accesses. */ 4610 for_each_path(merge_base_files, path_entry, i) { 4611 ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR)); 4612 } 4613 for_each_path(merge_base_directories, path_entry, i) { 4614 ASSERT_EQ(EACCES, 4615 test_open(path_entry, O_RDONLY | O_DIRECTORY)); 4616 } 4617 for_each_path(merge_sub_files, path_entry, i) { 4618 ASSERT_EQ(0, test_open(path_entry, O_RDWR)); 4619 } 4620 } 4621 4622 FIXTURE(layout3_fs) 4623 { 4624 bool has_created_dir; 4625 bool has_created_file; 4626 bool skip_test; 4627 }; 4628 4629 FIXTURE_VARIANT(layout3_fs) 4630 { 4631 const struct mnt_opt mnt; 4632 const char *const file_path; 4633 unsigned int cwd_fs_magic; 4634 }; 4635 4636 /* clang-format off */ 4637 FIXTURE_VARIANT_ADD(layout3_fs, tmpfs) { 4638 /* clang-format on */ 4639 .mnt = { 4640 .type = "tmpfs", 4641 .data = MNT_TMP_DATA, 4642 }, 4643 .file_path = file1_s1d1, 4644 }; 4645 4646 FIXTURE_VARIANT_ADD(layout3_fs, ramfs) { 4647 .mnt = { 4648 .type = "ramfs", 4649 .data = "mode=700", 4650 }, 4651 .file_path = TMP_DIR "/dir/file", 4652 }; 4653 4654 FIXTURE_VARIANT_ADD(layout3_fs, cgroup2) { 4655 .mnt = { 4656 .type = "cgroup2", 4657 }, 4658 .file_path = TMP_DIR "/test/cgroup.procs", 4659 }; 4660 4661 FIXTURE_VARIANT_ADD(layout3_fs, proc) { 4662 .mnt = { 4663 .type = "proc", 4664 }, 4665 .file_path = TMP_DIR "/self/status", 4666 }; 4667 4668 FIXTURE_VARIANT_ADD(layout3_fs, sysfs) { 4669 .mnt = { 4670 .type = "sysfs", 4671 }, 4672 .file_path = TMP_DIR "/kernel/notes", 4673 }; 4674 4675 FIXTURE_VARIANT_ADD(layout3_fs, hostfs) { 4676 .mnt = { 4677 .source = TMP_DIR, 4678 .flags = MS_BIND, 4679 }, 4680 .file_path = TMP_DIR "/dir/file", 4681 .cwd_fs_magic = HOSTFS_SUPER_MAGIC, 4682 }; 4683 4684 static char *dirname_alloc(const char *path) 4685 { 4686 char *dup; 4687 4688 if (!path) 4689 return NULL; 4690 4691 dup = strdup(path); 4692 if (!dup) 4693 return NULL; 4694 4695 return dirname(dup); 4696 } 4697 4698 FIXTURE_SETUP(layout3_fs) 4699 { 4700 struct stat statbuf; 4701 char *dir_path = dirname_alloc(variant->file_path); 4702 4703 if (!supports_filesystem(variant->mnt.type) || 4704 !cwd_matches_fs(variant->cwd_fs_magic)) { 4705 self->skip_test = true; 4706 SKIP(return, "this filesystem is not supported (setup)"); 4707 } 4708 4709 prepare_layout_opt(_metadata, &variant->mnt); 4710 4711 /* Creates directory when required. */ 4712 if (stat(dir_path, &statbuf)) { 4713 set_cap(_metadata, CAP_DAC_OVERRIDE); 4714 EXPECT_EQ(0, mkdir(dir_path, 0700)) 4715 { 4716 TH_LOG("Failed to create directory \"%s\": %s", 4717 dir_path, strerror(errno)); 4718 } 4719 self->has_created_dir = true; 4720 clear_cap(_metadata, CAP_DAC_OVERRIDE); 4721 } 4722 4723 /* Creates file when required. */ 4724 if (stat(variant->file_path, &statbuf)) { 4725 int fd; 4726 4727 set_cap(_metadata, CAP_DAC_OVERRIDE); 4728 fd = creat(variant->file_path, 0600); 4729 EXPECT_LE(0, fd) 4730 { 4731 TH_LOG("Failed to create file \"%s\": %s", 4732 variant->file_path, strerror(errno)); 4733 } 4734 EXPECT_EQ(0, close(fd)); 4735 self->has_created_file = true; 4736 clear_cap(_metadata, CAP_DAC_OVERRIDE); 4737 } 4738 4739 free(dir_path); 4740 } 4741 4742 FIXTURE_TEARDOWN_PARENT(layout3_fs) 4743 { 4744 if (self->skip_test) 4745 SKIP(return, "this filesystem is not supported (teardown)"); 4746 4747 if (self->has_created_file) { 4748 set_cap(_metadata, CAP_DAC_OVERRIDE); 4749 /* 4750 * Don't check for error because the file might already 4751 * have been removed (cf. release_inode test). 4752 */ 4753 unlink(variant->file_path); 4754 clear_cap(_metadata, CAP_DAC_OVERRIDE); 4755 } 4756 4757 if (self->has_created_dir) { 4758 char *dir_path = dirname_alloc(variant->file_path); 4759 4760 set_cap(_metadata, CAP_DAC_OVERRIDE); 4761 /* 4762 * Don't check for error because the directory might already 4763 * have been removed (cf. release_inode test). 4764 */ 4765 rmdir(dir_path); 4766 clear_cap(_metadata, CAP_DAC_OVERRIDE); 4767 free(dir_path); 4768 } 4769 4770 cleanup_layout(_metadata); 4771 } 4772 4773 static void layer3_fs_tag_inode(struct __test_metadata *const _metadata, 4774 FIXTURE_DATA(layout3_fs) * self, 4775 const FIXTURE_VARIANT(layout3_fs) * variant, 4776 const char *const rule_path) 4777 { 4778 const struct rule layer1_allow_read_file[] = { 4779 { 4780 .path = rule_path, 4781 .access = LANDLOCK_ACCESS_FS_READ_FILE, 4782 }, 4783 {}, 4784 }; 4785 const struct landlock_ruleset_attr layer2_deny_everything_attr = { 4786 .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, 4787 }; 4788 const char *const dev_null_path = "/dev/null"; 4789 int ruleset_fd; 4790 4791 if (self->skip_test) 4792 SKIP(return, "this filesystem is not supported (test)"); 4793 4794 /* Checks without Landlock. */ 4795 EXPECT_EQ(0, test_open(dev_null_path, O_RDONLY | O_CLOEXEC)); 4796 EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); 4797 4798 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, 4799 layer1_allow_read_file); 4800 EXPECT_LE(0, ruleset_fd); 4801 enforce_ruleset(_metadata, ruleset_fd); 4802 EXPECT_EQ(0, close(ruleset_fd)); 4803 4804 EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC)); 4805 EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); 4806 4807 /* Forbids directory reading. */ 4808 ruleset_fd = 4809 landlock_create_ruleset(&layer2_deny_everything_attr, 4810 sizeof(layer2_deny_everything_attr), 0); 4811 EXPECT_LE(0, ruleset_fd); 4812 enforce_ruleset(_metadata, ruleset_fd); 4813 EXPECT_EQ(0, close(ruleset_fd)); 4814 4815 /* Checks with Landlock and forbidden access. */ 4816 EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC)); 4817 EXPECT_EQ(EACCES, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); 4818 } 4819 4820 /* Matrix of tests to check file hierarchy evaluation. */ 4821 4822 TEST_F_FORK(layout3_fs, tag_inode_dir_parent) 4823 { 4824 /* The current directory must not be the root for this test. */ 4825 layer3_fs_tag_inode(_metadata, self, variant, "."); 4826 } 4827 4828 TEST_F_FORK(layout3_fs, tag_inode_dir_mnt) 4829 { 4830 layer3_fs_tag_inode(_metadata, self, variant, TMP_DIR); 4831 } 4832 4833 TEST_F_FORK(layout3_fs, tag_inode_dir_child) 4834 { 4835 char *dir_path = dirname_alloc(variant->file_path); 4836 4837 layer3_fs_tag_inode(_metadata, self, variant, dir_path); 4838 free(dir_path); 4839 } 4840 4841 TEST_F_FORK(layout3_fs, tag_inode_file) 4842 { 4843 layer3_fs_tag_inode(_metadata, self, variant, variant->file_path); 4844 } 4845 4846 /* Light version of layout1.release_inodes */ 4847 TEST_F_FORK(layout3_fs, release_inodes) 4848 { 4849 const struct rule layer1[] = { 4850 { 4851 .path = TMP_DIR, 4852 .access = LANDLOCK_ACCESS_FS_READ_DIR, 4853 }, 4854 {}, 4855 }; 4856 int ruleset_fd; 4857 4858 if (self->skip_test) 4859 SKIP(return, "this filesystem is not supported (test)"); 4860 4861 /* Clean up for the teardown to not fail. */ 4862 if (self->has_created_file) 4863 EXPECT_EQ(0, remove_path(variant->file_path)); 4864 4865 if (self->has_created_dir) { 4866 char *dir_path = dirname_alloc(variant->file_path); 4867 4868 /* Don't check for error because of cgroup specificities. */ 4869 remove_path(dir_path); 4870 free(dir_path); 4871 } 4872 4873 ruleset_fd = 4874 create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, layer1); 4875 ASSERT_LE(0, ruleset_fd); 4876 4877 /* Unmount the filesystem while it is being used by a ruleset. */ 4878 set_cap(_metadata, CAP_SYS_ADMIN); 4879 ASSERT_EQ(0, umount(TMP_DIR)); 4880 clear_cap(_metadata, CAP_SYS_ADMIN); 4881 4882 /* Replaces with a new mount point to simplify FIXTURE_TEARDOWN. */ 4883 set_cap(_metadata, CAP_SYS_ADMIN); 4884 ASSERT_EQ(0, mount_opt(&mnt_tmp, TMP_DIR)); 4885 clear_cap(_metadata, CAP_SYS_ADMIN); 4886 4887 enforce_ruleset(_metadata, ruleset_fd); 4888 ASSERT_EQ(0, close(ruleset_fd)); 4889 4890 /* Checks that access to the new mount point is denied. */ 4891 ASSERT_EQ(EACCES, test_open(TMP_DIR, O_RDONLY)); 4892 } 4893 4894 TEST_HARNESS_MAIN 4895