Lines Matching refs:access
395 * (access type) confusion for this test.
496 /* Tests with denied-by-default access right. */
510 /* Test with no access. */
554 __u64 access;
566 /* Tests access rights for files. */
570 /* Tests access rights for directories. */
575 for (access = 1; access <= ACCESS_LAST; access <<= 1) {
576 path_beneath_dir.allowed_access = access;
581 path_beneath_file.allowed_access = access;
584 if (access & ACCESS_FILE) {
614 __u64 access;
628 for (access = 1ULL << 63; access != ACCESS_LAST; access >>= 1) {
629 path_beneath.allowed_access = access;
646 __u64 access;
655 for (access = 1; access > 0; access <<= 1) {
658 path_beneath.allowed_access = access;
661 if (access == ruleset_attr.handled_access_fs) {
698 __u64 access;
739 add_path_beneath(_metadata, ruleset_fd, rules[i].access,
750 .access = LANDLOCK_ACCESS_FS_READ_FILE |
757 _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
799 .access = ACCESS_RO,
822 .access = ACCESS_RO,
826 .access = LANDLOCK_ACCESS_FS_READ_FILE |
880 .access = ACCESS_RO,
908 .access = LANDLOCK_ACCESS_FS_READ_FILE |
913 .access = LANDLOCK_ACCESS_FS_READ_FILE |
948 .access = LANDLOCK_ACCESS_FS_READ_FILE,
953 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
961 .access = LANDLOCK_ACCESS_FS_READ_FILE |
970 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1055 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
1062 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1116 /* Allows read access to file1_s1d3 with the first layer. */
1119 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1125 /* Start by granting read-write access via its parent directory... */
1128 .access = LANDLOCK_ACCESS_FS_READ_FILE |
1131 /* ...but also denies read access via its grandparent directory. */
1134 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1139 /* Allows read access via its great-grandparent directory. */
1142 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1148 * Try to confuse the deny access by denying write (but not
1149 * read) access via its grandparent directory.
1153 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1159 * Try to override layer2's deny read access by explicitly
1160 * allowing read access via file1_s1d3's grandparent.
1164 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1170 * Restricts an unrelated file hierarchy with a new access
1175 .access = LANDLOCK_ACCESS_FS_EXECUTE,
1181 * Finally, denies read access to file1_s1d3 via its
1186 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1198 /* Checks that read access is granted for file1_s1d3 with layer 1. */
1211 /* Checks that previous access rights are unchanged with layer 2. */
1222 /* Checks that previous access rights are unchanged with layer 3. */
1227 /* This time, denies write access for the file hierarchy. */
1237 * Checks that the only change with layer 4 is that write access is
1251 /* Checks that previous access rights are unchanged with layer 5. */
1263 /* Checks that previous access rights are unchanged with layer 6. */
1277 /* Checks read access is now denied with layer 7. */
1289 .access = LANDLOCK_ACCESS_FS_READ_FILE |
1302 /* Write access is forbidden. */
1304 /* Readdir access is allowed. */
1307 /* Write access is forbidden. */
1309 /* Readdir access is allowed. */
1314 * any new access, only remove some. Once enforced, these rules are
1322 * access rights (even if this directory is opened a second time).
1338 /* Readdir access is still allowed. */
1343 /* Readdir access is still allowed. */
1347 * Try to get more privileges by adding new access rights to the parent
1359 /* Readdir access is still allowed. */
1364 /* Readdir access is still allowed. */
1389 /* Readdir access is still allowed. */
1406 .access = ACCESS_RO,
1415 /* Readdir access is denied for dir_s1d2. */
1417 /* Readdir access is allowed for dir_s1d3. */
1419 /* File access is allowed for file1_s1d3. */
1430 /* Readdir access is still denied for dir_s1d2. */
1432 /* Readdir access is still allowed for dir_s1d3. */
1434 /* File access is still allowed for file1_s1d3. */
1444 .access = ACCESS_RO,
1473 /* Enforces policy which deny read access to all files. */
1482 /* Nests a policy which deny read access to all directories. */
1501 .access = ACCESS_RO,
1506 .access = ACCESS_RO,
1530 .access = ACCESS_RO,
1535 .access = ACCESS_RO,
1563 .access = ACCESS_RO,
1573 /* Checks allowed access. */
1577 rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE;
1583 /* Checks denied access (on a directory). */
1593 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1603 /* Checks denied access (on a directory). */
1613 .access = ACCESS_RO,
1641 .access = ACCESS_RO,
1664 .access = ACCESS_RO,
1757 .access = ACCESS_RO,
1761 .access = ACCESS_RO,
1765 .access = ACCESS_RO,
1803 .access = ACCESS_RO,
1810 .access = ACCESS_RO,
1814 .access = ACCESS_RO,
1986 .access = LANDLOCK_ACCESS_FS_EXECUTE,
1991 create_ruleset(_metadata, rules[0].access, rules);
2019 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2026 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2030 int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
2059 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
2088 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2092 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2097 create_ruleset(_metadata, rules[0].access, rules);
2170 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2174 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2179 create_ruleset(_metadata, rules[0].access, rules);
2234 .access = LANDLOCK_ACCESS_FS_REFER,
2238 .access = LANDLOCK_ACCESS_FS_REFER,
2281 ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
2296 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
2315 .access = LANDLOCK_ACCESS_FS_REFER,
2324 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2333 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2341 * denying access (with MAKE_REG nor REMOVE).
2362 * denying access (with MAKE_REG nor REMOVE).
2385 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2389 .access = LANDLOCK_ACCESS_FS_REFER,
2393 .access = LANDLOCK_ACCESS_FS_REFER,
2397 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2443 * directory rename (because of the superset of access rights.
2463 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2467 .access = LANDLOCK_ACCESS_FS_REFER,
2471 .access = LANDLOCK_ACCESS_FS_REFER,
2475 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2555 * directory rename (because of the superset of access rights).
2563 * access rights tied to dir_s2d3. dir_s2d2 is missing one access right
2608 .access = LANDLOCK_ACCESS_FS_REFER,
2613 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2617 .access = LANDLOCK_ACCESS_FS_REFER,
2621 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2640 .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
2665 * because it doesn't inherit new access rights.
2672 * gets a new inherited access rights (MAKE_REG), because MAKE_REG is
2776 * because of access rights that would be inherited.
2785 /* Checks with same access rights. */
2791 /* Checks with different (child-only) access rights. */
2801 * directory-related access rights is allowed, and at the same time
2803 * grants less access rights is allowed too.
2811 * more access rights than the current state and because file creation
2839 /* Checks with different (child-only) access rights. */
2848 /* Checks with different (child-only) access rights. */
2908 .access = LANDLOCK_ACCESS_FS_REFER |
2913 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2917 .access = LANDLOCK_ACCESS_FS_REFER |
2970 .access = LANDLOCK_ACCESS_FS_REFER,
2974 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2978 .access = LANDLOCK_ACCESS_FS_MAKE_SOCK |
2983 .access = LANDLOCK_ACCESS_FS_REFER |
2989 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3010 * access right.
3016 * superset of access rights compared to dir_s1d2, because file1_s1d2
3017 * already has these access rights anyway.
3025 * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access
3032 * of access rights compared to dir_s1d2, because dir_s1d3 already has
3033 * these access rights anyway.
3040 * will be denied because the new inherited access rights from dir_s1d2
3063 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
3068 create_ruleset(_metadata, rules[0].access, rules);
3100 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
3105 create_ruleset(_metadata, rules[0].access, rules);
3120 const __u64 access, const mode_t mode,
3126 .access = access,
3130 const int ruleset_fd = create_ruleset(_metadata, access, rules);
3214 .access = LANDLOCK_ACCESS_FS_MAKE_SYM,
3219 create_ruleset(_metadata, rules[0].access, rules);
3259 .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
3264 create_ruleset(_metadata, rules[0].access, rules);
3299 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3342 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3347 /* Limits read and write access to files tied to the filesystem. */
3349 create_ruleset(_metadata, rules[0].access, rules);
3359 /* Checks access to pipes through FD. */
3368 /* Checks write access to pipe through /proc/self/fd . */
3378 /* Checks read access to pipe through /proc/self/fd . */
3414 * (access type) confusion for this test.
3433 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3437 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3496 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3502 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3507 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3512 .access = LANDLOCK_ACCESS_FS_TRUNCATE,
3514 /* Implicitly: No access rights for file_none. */
3517 .access = LANDLOCK_ACCESS_FS_TRUNCATE,
3521 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3614 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3622 .access = LANDLOCK_ACCESS_FS_TRUNCATE,
3631 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3750 .access = variant->allowed,
3791 .access = variant->allowed,
3927 * Sets access right on parent directories of both source and
3933 .access = ACCESS_RO,
3937 .access = ACCESS_RW,
3942 * Sets access rights on the same bind-mounted directories. The result
3949 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3953 .access = ACCESS_RW,
3957 /* Only allow read-access to the s1d3 hierarchies. */
3961 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3965 /* Removes all access rights. */
3969 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
4066 .access = LANDLOCK_ACCESS_FS_REFER,
4070 .access = LANDLOCK_ACCESS_FS_EXECUTE,
4339 /* Sets access right on parent directories of both layers. */
4343 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4347 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4351 .access = ACCESS_RW,
4358 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4362 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4366 .access = ACCESS_RW,
4370 /* Sets access right on directories inside both layers. */
4374 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4378 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4382 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4386 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4390 .access = ACCESS_RW,
4394 .access = ACCESS_RW,
4398 .access = ACCESS_RW,
4402 /* Tighten access rights to the files. */
4406 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4410 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4414 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4418 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4422 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4426 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4430 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4435 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4440 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4445 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4450 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4458 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4503 * Checks that access rights are independent from the lower and upper
4504 * layers: write access to upper files viewed through the merge point
4505 * is still allowed, and write access to lower file viewed (and copied)
4588 /* Only allowes access to the merge hierarchy. */
4771 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4805 /* Checks with Landlock and forbidden access. */
4839 .access = LANDLOCK_ACCESS_FS_READ_DIR,
4873 /* Checks that access to the new mount point is denied. */