1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Landlock variants for three processes with various domains. 4 * 5 * Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com> 6 */ 7 8 enum sandbox_type { 9 NO_SANDBOX, 10 SCOPE_SANDBOX, 11 /* Any other type of sandboxing domain */ 12 OTHER_SANDBOX, 13 }; 14 15 /* clang-format on */ 16 FIXTURE_VARIANT(scoped_vs_unscoped) 17 { 18 const int domain_all; 19 const int domain_parent; 20 const int domain_children; 21 const int domain_child; 22 const int domain_grand_child; 23 }; 24 25 /* 26 * .-----------------. 27 * | ####### | P3 -> P2 : allow 28 * | P1----# P2 # | P3 -> P1 : deny 29 * | # | # | 30 * | # P3 # | 31 * | ####### | 32 * '-----------------' 33 */ 34 /* clang-format off */ 35 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_scoped) { 36 .domain_all = OTHER_SANDBOX, 37 .domain_parent = NO_SANDBOX, 38 .domain_children = SCOPE_SANDBOX, 39 .domain_child = NO_SANDBOX, 40 .domain_grand_child = NO_SANDBOX, 41 /* clang-format on */ 42 }; 43 44 /* 45 * ################### 46 * # ####### # P3 -> P2 : allow 47 * # P1----# P2 # # P3 -> P1 : deny 48 * # # | # # 49 * # # P3 # # 50 * # ####### # 51 * ################### 52 */ 53 /* clang-format off */ 54 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, all_scoped) { 55 .domain_all = SCOPE_SANDBOX, 56 .domain_parent = NO_SANDBOX, 57 .domain_children = SCOPE_SANDBOX, 58 .domain_child = NO_SANDBOX, 59 .domain_grand_child = NO_SANDBOX, 60 /* clang-format on */ 61 }; 62 63 /* 64 * .-----------------. 65 * | .-----. | P3 -> P2 : allow 66 * | P1----| P2 | | P3 -> P1 : allow 67 * | | | | 68 * | | P3 | | 69 * | '-----' | 70 * '-----------------' 71 */ 72 /* clang-format off */ 73 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_other_domain) { 74 .domain_all = OTHER_SANDBOX, 75 .domain_parent = NO_SANDBOX, 76 .domain_children = OTHER_SANDBOX, 77 .domain_child = NO_SANDBOX, 78 .domain_grand_child = NO_SANDBOX, 79 /* clang-format on */ 80 }; 81 82 /* 83 * .----. ###### P3 -> P2 : allow 84 * | P1 |----# P2 # P3 -> P1 : allow 85 * '----' ###### 86 * | 87 * P3 88 */ 89 /* clang-format off */ 90 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_one_domain) { 91 .domain_all = NO_SANDBOX, 92 .domain_parent = OTHER_SANDBOX, 93 .domain_children = NO_SANDBOX, 94 .domain_child = SCOPE_SANDBOX, 95 .domain_grand_child = NO_SANDBOX, 96 /* clang-format on */ 97 }; 98 99 /* 100 * ###### .-----. P3 -> P2 : allow 101 * # P1 #----| P2 | P3 -> P1 : allow 102 * ###### '-----' 103 * | 104 * P3 105 */ 106 /* clang-format off */ 107 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_grand_parent_scoped) { 108 .domain_all = NO_SANDBOX, 109 .domain_parent = SCOPE_SANDBOX, 110 .domain_children = NO_SANDBOX, 111 .domain_child = OTHER_SANDBOX, 112 .domain_grand_child = NO_SANDBOX, 113 /* clang-format on */ 114 }; 115 116 /* 117 * ###### ###### P3 -> P2 : allow 118 * # P1 #----# P2 # P3 -> P1 : allow 119 * ###### ###### 120 * | 121 * .----. 122 * | P3 | 123 * '----' 124 */ 125 /* clang-format off */ 126 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_parents_domain) { 127 .domain_all = NO_SANDBOX, 128 .domain_parent = SCOPE_SANDBOX, 129 .domain_children = NO_SANDBOX, 130 .domain_child = SCOPE_SANDBOX, 131 .domain_grand_child = NO_SANDBOX, 132 /* clang-format on */ 133 }; 134 135 /* 136 * ###### P3 -> P2 : deny 137 * # P1 #----P2 P3 -> P1 : deny 138 * ###### | 139 * | 140 * ###### 141 * # P3 # 142 * ###### 143 */ 144 /* clang-format off */ 145 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_with_self_and_grandparent_domain) { 146 .domain_all = NO_SANDBOX, 147 .domain_parent = SCOPE_SANDBOX, 148 .domain_children = NO_SANDBOX, 149 .domain_child = NO_SANDBOX, 150 .domain_grand_child = SCOPE_SANDBOX, 151 /* clang-format on */ 152 }; 153