156 static void mkdir_parents(struct __test_metadata *const _metadata,
182 static void create_directory(struct __test_metadata *const _metadata,
185 	mkdir_parents(_metadata, path);
193 static void create_file(struct __test_metadata *const _metadata,
196 	mkdir_parents(_metadata, path);
258 static void prepare_layout_opt(struct __test_metadata *const _metadata,
261 	disable_caps(_metadata);
263 	create_directory(_metadata, TMP_DIR);
269 	set_cap(_metadata, CAP_SYS_ADMIN);
284 	clear_cap(_metadata, CAP_SYS_ADMIN);
287 static void prepare_layout(struct __test_metadata *const _metadata)
289 	prepare_layout_opt(_metadata, &mnt_tmp);
292 static void cleanup_layout(struct __test_metadata *const _metadata)
294 	set_cap(_metadata, CAP_SYS_ADMIN);
304 	clear_cap(_metadata, CAP_SYS_ADMIN);
314 	prepare_layout(_metadata);
319 	cleanup_layout(_metadata);
322 static void create_layout1(struct __test_metadata *const _metadata)
324 	create_file(_metadata, file1_s1d1);
325 	create_file(_metadata, file1_s1d2);
326 	create_file(_metadata, file1_s1d3);
327 	create_file(_metadata, file2_s1d1);
328 	create_file(_metadata, file2_s1d2);
329 	create_file(_metadata, file2_s1d3);
331 	create_file(_metadata, file1_s2d1);
332 	create_file(_metadata, file1_s2d2);
333 	create_file(_metadata, file1_s2d3);
334 	create_file(_metadata, file2_s2d3);
336 	create_file(_metadata, file1_s3d1);
337 	create_directory(_metadata, dir_s3d2);
338 	set_cap(_metadata, CAP_SYS_ADMIN);
340 	clear_cap(_metadata, CAP_SYS_ADMIN);
345 static void remove_layout1(struct __test_metadata *const _metadata)
363 	set_cap(_metadata, CAP_SYS_ADMIN);
365 	clear_cap(_metadata, CAP_SYS_ADMIN);
375 	prepare_layout(_metadata);
377 	create_layout1(_metadata);
382 	remove_layout1(_metadata);
384 	cleanup_layout(_metadata);
680 static void add_path_beneath(struct __test_metadata *const _metadata,
720 static int create_ruleset(struct __test_metadata *const _metadata,
746 		add_path_beneath(_metadata, ruleset_fd, rules[i].access,
764 		_metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
770 	enforce_ruleset(_metadata, ruleset_fd);
812 	drop_caps(_metadata);
814 	ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
820 	enforce_ruleset(_metadata, ruleset_fd);
838 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
843 	enforce_ruleset(_metadata, ruleset_fd);
892 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
895 	enforce_ruleset(_metadata, ruleset_fd);
925 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
928 	enforce_ruleset(_metadata, ruleset_fd);
981 	int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1);
984 	enforce_ruleset(_metadata, ruleset_fd);
1007 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2);
1009 	enforce_ruleset(_metadata, ruleset_fd);
1032 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3);
1034 	enforce_ruleset(_metadata, ruleset_fd);
1079 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, layer1);
1081 	enforce_ruleset(_metadata, ruleset_fd);
1089 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REMOVE_FILE,
1092 	enforce_ruleset(_metadata, ruleset_fd);
1199 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1202 	enforce_ruleset(_metadata, ruleset_fd);
1210 	ruleset_fd = create_ruleset(_metadata,
1215 	enforce_ruleset(_metadata, ruleset_fd);
1223 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1226 	enforce_ruleset(_metadata, ruleset_fd);
1235 	ruleset_fd = create_ruleset(_metadata,
1240 	enforce_ruleset(_metadata, ruleset_fd);
1252 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1255 	enforce_ruleset(_metadata, ruleset_fd);
1264 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_EXECUTE,
1267 	enforce_ruleset(_metadata, ruleset_fd);
1276 	ruleset_fd = create_ruleset(_metadata,
1281 	enforce_ruleset(_metadata, ruleset_fd);
1301 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1304 	enforce_ruleset(_metadata, ruleset_fd);
1324 	add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
1337 	enforce_ruleset(_metadata, ruleset_fd);
1357 	add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1);
1358 	enforce_ruleset(_metadata, ruleset_fd);
1379 	add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
1381 	enforce_ruleset(_metadata, ruleset_fd);
1417 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1420 	enforce_ruleset(_metadata, ruleset_fd);
1430 	add_path_beneath(_metadata, ruleset_fd,
1434 	enforce_ruleset(_metadata, ruleset_fd);
1455 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1459 		enforce_ruleset(_metadata, ruleset_fd);
1485 	enforce_ruleset(_metadata, ruleset_fd);
1494 	enforce_ruleset(_metadata, ruleset_fd);
1499 	enforce_ruleset(_metadata, ruleset_fd);
1517 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1520 	enforce_ruleset(_metadata, ruleset_fd);
1546 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1549 	enforce_ruleset(_metadata, ruleset_fd);
1574 	int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1577 	enforce_ruleset(_metadata, ruleset_fd);
1585 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1587 	enforce_ruleset(_metadata, ruleset_fd);
1604 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1607 	enforce_ruleset(_metadata, ruleset_fd);
1626 	set_cap(_metadata, CAP_SYS_ADMIN);
1632 	clear_cap(_metadata, CAP_SYS_ADMIN);
1634 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1636 	enforce_ruleset(_metadata, ruleset_fd);
1652 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1655 	enforce_ruleset(_metadata, ruleset_fd);
1658 	set_cap(_metadata, CAP_SYS_ADMIN);
1663 	clear_cap(_metadata, CAP_SYS_ADMIN);
1675 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1679 	set_cap(_metadata, CAP_SYS_ADMIN);
1688 	clear_cap(_metadata, CAP_SYS_ADMIN);
1690 	enforce_ruleset(_metadata, ruleset_fd);
1693 	set_cap(_metadata, CAP_SYS_ADMIN);
1697 	clear_cap(_metadata, CAP_SYS_ADMIN);
1712 	enforce_ruleset(_metadata, ruleset_fd);
1716 	set_cap(_metadata, CAP_SYS_ADMIN);
1724 	clear_cap(_metadata, CAP_SYS_ADMIN);
1740 	enforce_ruleset(_metadata, ruleset_fd);
1744 	set_cap(_metadata, CAP_SYS_ADMIN);
1756 	clear_cap(_metadata, CAP_SYS_ADMIN);
1776 	const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1780 	set_cap(_metadata, CAP_SYS_ADMIN);
1782 	clear_cap(_metadata, CAP_SYS_ADMIN);
1784 	enforce_ruleset(_metadata, ruleset_fd);
1800 static void test_relative_path(struct __test_metadata *const _metadata,
1827 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
1829 	enforce_ruleset(_metadata, ruleset_fd);
1832 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_subs);
1850 	set_cap(_metadata, CAP_SYS_CHROOT);
1851 	enforce_ruleset(_metadata, ruleset_fd);
1919 	test_relative_path(_metadata, REL_OPEN);
1924 	test_relative_path(_metadata, REL_CHDIR);
1929 	test_relative_path(_metadata, REL_CHROOT_ONLY);
1934 	test_relative_path(_metadata, REL_CHROOT_CHDIR);
1937 static void copy_binary(struct __test_metadata *const _metadata,
1961 static void test_execute(struct __test_metadata *const _metadata, const int err,
1976 		_exit(__test_passed(_metadata) ? 2 : 1);
1998 		create_ruleset(_metadata, rules[0].access, rules);
2001 	copy_binary(_metadata, file1_s1d1);
2002 	copy_binary(_metadata, file1_s1d2);
2003 	copy_binary(_metadata, file1_s1d3);
2005 	enforce_ruleset(_metadata, ruleset_fd);
2010 	test_execute(_metadata, EACCES, file1_s1d1);
2014 	test_execute(_metadata, 0, file1_s1d2);
2018 	test_execute(_metadata, 0, file1_s1d3);
2037 	int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
2045 	enforce_ruleset(_metadata, ruleset_fd);
2066 	ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
2068 	enforce_ruleset(_metadata, ruleset_fd);
2104 		create_ruleset(_metadata, rules[0].access, rules);
2110 	enforce_ruleset(_metadata, ruleset_fd);
2186 		create_ruleset(_metadata, rules[0].access, rules);
2194 	enforce_ruleset(_metadata, ruleset_fd);
2250 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1);
2253 	enforce_ruleset(_metadata, ruleset_fd);
2279 static void refer_denied_by_default(struct __test_metadata *const _metadata,
2288 	ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
2290 	enforce_ruleset(_metadata, ruleset_fd);
2303 	ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
2305 	enforce_ruleset(_metadata, ruleset_fd);
2352 	refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
2362 	refer_denied_by_default(_metadata, layer_dir_s1d1_execute, EXDEV,
2373 	refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
2383 	refer_denied_by_default(_metadata, layer_dir_s2d1_execute, EXDEV,
2409 		_metadata,
2413 	enforce_ruleset(_metadata, ruleset_fd);
2487 		_metadata,
2491 	enforce_ruleset(_metadata, ruleset_fd);
2610 reparent_exdev_layers_enforce1(struct __test_metadata *const _metadata)
2633 		_metadata,
2637 	enforce_ruleset(_metadata, ruleset_fd);
2642 reparent_exdev_layers_enforce2(struct __test_metadata *const _metadata)
2656 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_DIR, layer2);
2659 	enforce_ruleset(_metadata, ruleset_fd);
2668 	reparent_exdev_layers_enforce1(_metadata);
2692 	reparent_exdev_layers_enforce2(_metadata);
2719 	reparent_exdev_layers_enforce1(_metadata);
2737 	reparent_exdev_layers_enforce2(_metadata);
2771 	reparent_exdev_layers_enforce1(_metadata);
2828 	reparent_exdev_layers_enforce2(_metadata);
2874 	reparent_exdev_layers_enforce1(_metadata);
2875 	reparent_exdev_layers_enforce2(_metadata);
2893 	reparent_exdev_layers_enforce1(_metadata);
2930 		_metadata,
2936 	enforce_ruleset(_metadata, ruleset_fd);
3001 	int ruleset_fd = create_ruleset(_metadata,
3010 	enforce_ruleset(_metadata, ruleset_fd);
3075 		create_ruleset(_metadata, rules[0].access, rules);
3084 	enforce_ruleset(_metadata, ruleset_fd);
3112 		create_ruleset(_metadata, rules[0].access, rules);
3115 	enforce_ruleset(_metadata, ruleset_fd);
3126 static void test_make_file(struct __test_metadata *const _metadata,
3137 	const int ruleset_fd = create_ruleset(_metadata, access, rules);
3155 	enforce_ruleset(_metadata, ruleset_fd);
3183 	set_cap(_metadata, CAP_MKNOD);
3184 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR,
3191 	set_cap(_metadata, CAP_MKNOD);
3192 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK,
3198 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0);
3203 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, 0, 0);
3208 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0);
3213 	test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0);
3226 		create_ruleset(_metadata, rules[0].access, rules);
3240 	enforce_ruleset(_metadata, ruleset_fd);
3271 		create_ruleset(_metadata, rules[0].access, rules);
3279 	enforce_ruleset(_metadata, ruleset_fd);
3289 static int open_proc_fd(struct __test_metadata *const _metadata, const int fd,
3312 		_metadata,
3317 	enforce_ruleset(_metadata, ruleset_fd);
3326 	proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC);
3330 	proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC);
3356 		create_ruleset(_metadata, rules[0].access, rules);
3359 	enforce_ruleset(_metadata, ruleset_fd);
3376 	proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC);
3386 	proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC);
3455 	ruleset_fd = create_ruleset(_metadata, handled, rules);
3458 	enforce_ruleset(_metadata, ruleset_fd);
3538 	ruleset_fd = create_ruleset(_metadata, handled, rules);
3541 	enforce_ruleset(_metadata, ruleset_fd);
3647 	ruleset_fd = create_ruleset(_metadata, handled1, layer1);
3649 	enforce_ruleset(_metadata, ruleset_fd);
3656 	ruleset_fd = create_ruleset(_metadata, handled2, layer2);
3658 	enforce_ruleset(_metadata, ruleset_fd);
3666 	ruleset_fd = create_ruleset(_metadata, handled3, layer3);
3668 	enforce_ruleset(_metadata, ruleset_fd);
3689 	prepare_layout(_metadata);
3690 	create_file(_metadata, file1_s1d1);
3696 	cleanup_layout(_metadata);
3764 	ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
3766 	enforce_ruleset(_metadata, ruleset_fd);
3804 		ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
3806 		enforce_ruleset(_metadata, ruleset_fd);
3819 		_exit(_metadata->exit_code);
3862 	prepare_layout(_metadata);
3864 	create_layout1(_metadata);
3866 	set_cap(_metadata, CAP_SYS_ADMIN);
3868 	clear_cap(_metadata, CAP_SYS_ADMIN);
3875 	remove_layout1(_metadata);
3877 	cleanup_layout(_metadata);
3983 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_parent);
3985 	enforce_ruleset(_metadata, ruleset_fd);
4005 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_mount_point);
4007 	enforce_ruleset(_metadata, ruleset_fd);
4029 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_source);
4031 	enforce_ruleset(_metadata, ruleset_fd);
4053 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_destination);
4055 	enforce_ruleset(_metadata, ruleset_fd);
4082 		_metadata,
4086 	enforce_ruleset(_metadata, ruleset_fd);
4242 	prepare_layout(_metadata);
4244 	create_directory(_metadata, LOWER_BASE);
4245 	set_cap(_metadata, CAP_SYS_ADMIN);
4248 	clear_cap(_metadata, CAP_SYS_ADMIN);
4249 	create_file(_metadata, lower_fl1);
4250 	create_file(_metadata, lower_dl1_fl2);
4251 	create_file(_metadata, lower_fo1);
4252 	create_file(_metadata, lower_do1_fo2);
4253 	create_file(_metadata, lower_do1_fl3);
4255 	create_directory(_metadata, UPPER_BASE);
4256 	set_cap(_metadata, CAP_SYS_ADMIN);
4258 	clear_cap(_metadata, CAP_SYS_ADMIN);
4259 	create_file(_metadata, upper_fu1);
4260 	create_file(_metadata, upper_du1_fu2);
4261 	create_file(_metadata, upper_fo1);
4262 	create_file(_metadata, upper_do1_fo2);
4263 	create_file(_metadata, upper_do1_fu3);
4266 	create_directory(_metadata, MERGE_DATA);
4267 	set_cap(_metadata, CAP_SYS_ADMIN);
4268 	set_cap(_metadata, CAP_DAC_OVERRIDE);
4272 	clear_cap(_metadata, CAP_DAC_OVERRIDE);
4273 	clear_cap(_metadata, CAP_SYS_ADMIN);
4303 	cleanup_layout(_metadata);
4478 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
4480 	enforce_ruleset(_metadata, ruleset_fd);
4526 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_data);
4528 	enforce_ruleset(_metadata, ruleset_fd);
4543 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_subdirs);
4545 	enforce_ruleset(_metadata, ruleset_fd);
4568 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_files);
4570 	enforce_ruleset(_metadata, ruleset_fd);
4596 	ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer5_merge_only);
4598 	enforce_ruleset(_metadata, ruleset_fd);
4709 	prepare_layout_opt(_metadata, &variant->mnt);
4713 		set_cap(_metadata, CAP_DAC_OVERRIDE);
4720 		clear_cap(_metadata, CAP_DAC_OVERRIDE);
4727 		set_cap(_metadata, CAP_DAC_OVERRIDE);
4736 		clear_cap(_metadata, CAP_DAC_OVERRIDE);
4748 		set_cap(_metadata, CAP_DAC_OVERRIDE);
4754 		clear_cap(_metadata, CAP_DAC_OVERRIDE);
4760 		set_cap(_metadata, CAP_DAC_OVERRIDE);
4766 		clear_cap(_metadata, CAP_DAC_OVERRIDE);
4770 	cleanup_layout(_metadata);
4773 static void layer3_fs_tag_inode(struct __test_metadata *const _metadata,
4798 	ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
4801 	enforce_ruleset(_metadata, ruleset_fd);
4812 	enforce_ruleset(_metadata, ruleset_fd);
4825 	layer3_fs_tag_inode(_metadata, self, variant, ".");
4830 	layer3_fs_tag_inode(_metadata, self, variant, TMP_DIR);
4837 	layer3_fs_tag_inode(_metadata, self, variant, dir_path);
4843 	layer3_fs_tag_inode(_metadata, self, variant, variant->file_path);
4874 		create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, layer1);
4878 	set_cap(_metadata, CAP_SYS_ADMIN);
4880 	clear_cap(_metadata, CAP_SYS_ADMIN);
4883 	set_cap(_metadata, CAP_SYS_ADMIN);
4885 	clear_cap(_metadata, CAP_SYS_ADMIN);
4887 	enforce_ruleset(_metadata, ruleset_fd);

Indexes created Thu May 16 13:05:45 MDT 2024