Message ID | 20240309075320.160128-8-gnoack@google.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Delegated to: | Paul Moore |
Headers | show |
Series | Landlock: IOCTL support | expand |
On Sat, Mar 09, 2024 at 07:53:18AM +0000, Günther Noack wrote: > Suggested-by: Mickaël Salaün <mic@digikod.net> > Signed-off-by: Günther Noack <gnoack@google.com> > --- > tools/testing/selftests/landlock/fs_test.c | 53 ++++++++++++++++++++++ > 1 file changed, 53 insertions(+) > > diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c > index d991f44875bc..941e6f9702b7 100644 > --- a/tools/testing/selftests/landlock/fs_test.c > +++ b/tools/testing/selftests/landlock/fs_test.c > @@ -20,8 +20,10 @@ > #include <sys/mount.h> > #include <sys/prctl.h> > #include <sys/sendfile.h> > +#include <sys/socket.h> > #include <sys/stat.h> > #include <sys/sysmacros.h> > +#include <sys/un.h> > #include <sys/vfs.h> > #include <unistd.h> > > @@ -3976,6 +3978,57 @@ TEST_F_FORK(layout1, named_pipe_ioctl) > ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0)); > } > > +/* For named UNIX domain sockets, no IOCTL restrictions apply. */ > +TEST_F_FORK(layout1, named_unix_domain_socket_ioctl) > +{ > + const char *const path = file1_s1d1; > + int srv_fd, cli_fd, ruleset_fd; > + socklen_t size; > + struct sockaddr_un srv_un, cli_un; > + const struct landlock_ruleset_attr attr = { > + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV, > + }; > + > + /* Sets up a server */ > + srv_un.sun_family = AF_UNIX; > + strncpy(srv_un.sun_path, path, sizeof(srv_un.sun_path)); > + > + ASSERT_EQ(0, unlink(path)); > + ASSERT_LE(0, (srv_fd = socket(AF_UNIX, SOCK_STREAM, 0))); > + > + size = offsetof(struct sockaddr_un, sun_path) + strlen(srv_un.sun_path); > + ASSERT_EQ(0, bind(srv_fd, (struct sockaddr *)&srv_un, size)); > + ASSERT_EQ(0, listen(srv_fd, 10 /* qlen */)); > + > + /* Enables Landlock. */ > + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); > + ASSERT_LE(0, ruleset_fd); > + enforce_ruleset(_metadata, ruleset_fd); > + ASSERT_EQ(0, close(ruleset_fd)); > + > + /* Sets up a client connection to it */ > + cli_un.sun_family = AF_UNIX; > + snprintf(cli_un.sun_path, sizeof(cli_un.sun_path), "%s%ld", path, > + (long)getpid()); I don't think it is useful to have a unique sun_path for a named unix socket, that's the purpose of naming it right? > + > + ASSERT_LE(0, (cli_fd = socket(AF_UNIX, SOCK_STREAM, 0))); > + > + size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); > + ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size)); > + > + bzero(&cli_un, sizeof(cli_un)); > + cli_un.sun_family = AF_UNIX; > + strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path)); > + size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); > + > + ASSERT_EQ(0, connect(cli_fd, (struct sockaddr *)&cli_un, size)); > + > + /* FIONREAD and other IOCTLs should not be forbidden. */ > + EXPECT_EQ(0, test_fionread_ioctl(cli_fd)); > + > + ASSERT_EQ(0, close(cli_fd)); > +} > + > /* clang-format off */ > FIXTURE(ioctl) {}; > > -- > 2.44.0.278.ge034bb2e1d-goog > >
On Fri, Mar 22, 2024 at 08:57:18AM +0100, Mickaël Salaün wrote: > On Sat, Mar 09, 2024 at 07:53:18AM +0000, Günther Noack wrote: > > diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c > > index d991f44875bc..941e6f9702b7 100644 > > --- a/tools/testing/selftests/landlock/fs_test.c > > +++ b/tools/testing/selftests/landlock/fs_test.c [...] > > +/* For named UNIX domain sockets, no IOCTL restrictions apply. */ > > +TEST_F_FORK(layout1, named_unix_domain_socket_ioctl) > > +{ [...] > > + /* Sets up a client connection to it */ > > + cli_un.sun_family = AF_UNIX; > > + snprintf(cli_un.sun_path, sizeof(cli_un.sun_path), "%s%ld", path, > > + (long)getpid()); > > I don't think it is useful to have a unique sun_path for a named unix > socket, that's the purpose of naming it right? Removed, well spotted! I did not realize that I could omit that. —Günther
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index d991f44875bc..941e6f9702b7 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -20,8 +20,10 @@ #include <sys/mount.h> #include <sys/prctl.h> #include <sys/sendfile.h> +#include <sys/socket.h> #include <sys/stat.h> #include <sys/sysmacros.h> +#include <sys/un.h> #include <sys/vfs.h> #include <unistd.h> @@ -3976,6 +3978,57 @@ TEST_F_FORK(layout1, named_pipe_ioctl) ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0)); } +/* For named UNIX domain sockets, no IOCTL restrictions apply. */ +TEST_F_FORK(layout1, named_unix_domain_socket_ioctl) +{ + const char *const path = file1_s1d1; + int srv_fd, cli_fd, ruleset_fd; + socklen_t size; + struct sockaddr_un srv_un, cli_un; + const struct landlock_ruleset_attr attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV, + }; + + /* Sets up a server */ + srv_un.sun_family = AF_UNIX; + strncpy(srv_un.sun_path, path, sizeof(srv_un.sun_path)); + + ASSERT_EQ(0, unlink(path)); + ASSERT_LE(0, (srv_fd = socket(AF_UNIX, SOCK_STREAM, 0))); + + size = offsetof(struct sockaddr_un, sun_path) + strlen(srv_un.sun_path); + ASSERT_EQ(0, bind(srv_fd, (struct sockaddr *)&srv_un, size)); + ASSERT_EQ(0, listen(srv_fd, 10 /* qlen */)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* Sets up a client connection to it */ + cli_un.sun_family = AF_UNIX; + snprintf(cli_un.sun_path, sizeof(cli_un.sun_path), "%s%ld", path, + (long)getpid()); + + ASSERT_LE(0, (cli_fd = socket(AF_UNIX, SOCK_STREAM, 0))); + + size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); + ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size)); + + bzero(&cli_un, sizeof(cli_un)); + cli_un.sun_family = AF_UNIX; + strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path)); + size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); + + ASSERT_EQ(0, connect(cli_fd, (struct sockaddr *)&cli_un, size)); + + /* FIONREAD and other IOCTLs should not be forbidden. */ + EXPECT_EQ(0, test_fionread_ioctl(cli_fd)); + + ASSERT_EQ(0, close(cli_fd)); +} + /* clang-format off */ FIXTURE(ioctl) {};
Suggested-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Günther Noack <gnoack@google.com> --- tools/testing/selftests/landlock/fs_test.c | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+)