/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Landlock scoped_domains variants
 *
 * See the hierarchy variants from ptrace_test.c
 *
 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2019-2020 ANSSI
 * Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com>
 */
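/* clang-format on */
/*
 * Landlock domain layout for one parent (P1) / child (P2) process pair.
 *
 * Every variant of this fixture sets the three flags below, and the comment
 * above each variant states the expected outcome of an access in both
 * directions.  Across the variants listed in this file, P1 -> P2 is denied
 * exactly when domain_parent is set and P2 -> P1 exactly when domain_child is
 * set; domain_both on its own denies nothing.  The "allow" rows matter as much
 * as the "deny" rows: they catch a policy that over-restricts.
 *
 * NOTE(review): which Landlock scope the domains enforce, and when each domain
 * is created relative to the fork, is decided by the test that includes this
 * header -- confirm there.
 */
FIXTURE_VARIANT(scoped_domains)
{
	/* P1 and P2 share one domain (the "inherited" variants). */
	bool domain_both;
	/* P1 is placed in a domain that P2 is not part of. */
	bool domain_parent;
	/* P2 is placed in a domain that P1 is not part of. */
	bool domain_child;
};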
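/*
 *        No domain
 *
 *   P1-.               P1 -> P2 : allow
 *       \              P2 -> P1 : allow
 *        'P2
 *
 * Baseline: neither process is in a domain, so no access may be denied.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, without_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = false,
	.domain_child = false,
};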
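/*
 *        Child domain
 *
 *   P1--.              P1 -> P2 : allow
 *        \             P2 -> P1 : deny
 *        .'-----.
 *        |  P2  |
 *        '------'
 *
 * Only P2 is in a domain, so only the access initiated by P2 is denied.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, child_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = false,
	.domain_child = true,
};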
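/*
 *        Parent domain
 * .------.
 * |  P1  --.           P1 -> P2 : deny
 * '------'  \          P2 -> P1 : allow
 *            '
 *            P2
 *
 * Only P1 is in a domain, so only the access initiated by P1 is denied.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, parent_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = true,
	.domain_child = false,
};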
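/*
 *        Parent + child domain (siblings)
 * .------.
 * |  P1  ---.          P1 -> P2 : deny
 * '------'   \         P2 -> P1 : deny
 *         .---'--.
 *         |  P2  |
 *         '------'
 *
 * P1 and P2 are in separate domains, so access is denied in both directions.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, sibling_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = true,
	.domain_child = true,
};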
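/*
 *         Same domain (inherited)
 * .-------------.
 * | P1----.     |      P1 -> P2 : allow
 * |        \    |      P2 -> P1 : allow
 * |         '   |
 * |         P2  |
 * '-------------'
 *
 * P1 and P2 sit in the same domain, so neither direction crosses a domain
 * boundary and both are allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, inherited_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = false,
	.domain_child = false,
};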
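/*
 *         Inherited + child domain
 * .-----------------.
 * |  P1----.        |  P1 -> P2 : allow
 * |         \       |  P2 -> P1 : deny
 * |        .-'----. |
 * |        |  P2  | |
 * |        '------' |
 * '-----------------'
 *
 * P2 is in a domain nested inside the one it shares with P1, so only the
 * access initiated by P2 is denied.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, nested_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = false,
	.domain_child = true,
};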
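/*
 *         Inherited + parent domain
 * .-----------------.
 * |.------.         |  P1 -> P2 : deny
 * ||  P1  ----.     |  P2 -> P1 : allow
 * |'------'    \    |
 * |             '   |
 * |             P2  |
 * '-----------------'
 *
 * P1 is in a domain nested inside the one it shares with P2, so only the
 * access initiated by P1 is denied.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, nested_and_parent_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = true,
	.domain_child = false,
};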
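/*
 *         Inherited + parent and child domain (siblings)
 * .-----------------.
 * | .------.        |  P1 -> P2 : deny
 * | |  P1  .        |  P2 -> P1 : deny
 * | '------'\       |
 * |          \      |
 * |        .--'---. |
 * |        |  P2  | |
 * |        '------' |
 * '-----------------'
 *
 * P1 and P2 each have their own domain nested inside the shared one, so
 * access is denied in both directions despite the common ancestor domain.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, forked_domains) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = true,
	.domain_child = true,
};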