Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * Landlock scoped_domains test variant definition.
4 *
5 * This file defines a fixture variant "scoped_domains" that has all
6 * permutations of parent/child process being in separate or shared
7 * Landlock domain, or not being in a Landlock domain at all.
8 *
9 * Scoped access tests can include this file to avoid repeating these
10 * combinations.
11 *
12 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
13 * Copyright © 2019-2020 ANSSI
14 * Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com>
15 */
16
17/* clang-format on */
18FIXTURE_VARIANT(scoped_domains)
19{
20 bool domain_both;
21 bool domain_parent;
22 bool domain_child;
23};
24
25/*
26 * No domain
27 *
28 * P1-. P1 -> P2 : allow
29 * \ P2 -> P1 : allow
30 * 'P2
31 */
32/* clang-format off */
33FIXTURE_VARIANT_ADD(scoped_domains, without_domain) {
34 /* clang-format on */
35 .domain_both = false,
36 .domain_parent = false,
37 .domain_child = false,
38};
39
40/*
41 * Child domain
42 *
43 * P1--. P1 -> P2 : allow
44 * \ P2 -> P1 : deny
45 * .'-----.
46 * | P2 |
47 * '------'
48 */
49/* clang-format off */
50FIXTURE_VARIANT_ADD(scoped_domains, child_domain) {
51 /* clang-format on */
52 .domain_both = false,
53 .domain_parent = false,
54 .domain_child = true,
55};
56
57/*
58 * Parent domain
59 * .------.
60 * | P1 --. P1 -> P2 : deny
61 * '------' \ P2 -> P1 : allow
62 * '
63 * P2
64 */
65/* clang-format off */
66FIXTURE_VARIANT_ADD(scoped_domains, parent_domain) {
67 /* clang-format on */
68 .domain_both = false,
69 .domain_parent = true,
70 .domain_child = false,
71};
72
73/*
74 * Parent + child domain (siblings)
75 * .------.
76 * | P1 ---. P1 -> P2 : deny
77 * '------' \ P2 -> P1 : deny
78 * .---'--.
79 * | P2 |
80 * '------'
81 */
82/* clang-format off */
83FIXTURE_VARIANT_ADD(scoped_domains, sibling_domain) {
84 /* clang-format on */
85 .domain_both = false,
86 .domain_parent = true,
87 .domain_child = true,
88};
89
90/*
91 * Same domain (inherited)
92 * .-------------.
93 * | P1----. | P1 -> P2 : allow
94 * | \ | P2 -> P1 : allow
95 * | ' |
96 * | P2 |
97 * '-------------'
98 */
99/* clang-format off */
100FIXTURE_VARIANT_ADD(scoped_domains, inherited_domain) {
101 /* clang-format on */
102 .domain_both = true,
103 .domain_parent = false,
104 .domain_child = false,
105};
106
107/*
108 * Inherited + child domain
109 * .-----------------.
110 * | P1----. | P1 -> P2 : allow
111 * | \ | P2 -> P1 : deny
112 * | .-'----. |
113 * | | P2 | |
114 * | '------' |
115 * '-----------------'
116 */
117/* clang-format off */
118FIXTURE_VARIANT_ADD(scoped_domains, nested_domain) {
119 /* clang-format on */
120 .domain_both = true,
121 .domain_parent = false,
122 .domain_child = true,
123};
124
125/*
126 * Inherited + parent domain
127 * .-----------------.
128 * |.------. | P1 -> P2 : deny
129 * || P1 ----. | P2 -> P1 : allow
130 * |'------' \ |
131 * | ' |
132 * | P2 |
133 * '-----------------'
134 */
135/* clang-format off */
136FIXTURE_VARIANT_ADD(scoped_domains, nested_and_parent_domain) {
137 /* clang-format on */
138 .domain_both = true,
139 .domain_parent = true,
140 .domain_child = false,
141};
142
143/*
144 * Inherited + parent and child domain (siblings)
145 * .-----------------.
146 * | .------. | P1 -> P2 : deny
147 * | | P1 . | P2 -> P1 : deny
148 * | '------'\ |
149 * | \ |
150 * | .--'---. |
151 * | | P2 | |
152 * | '------' |
153 * '-----------------'
154 */
155/* clang-format off */
156FIXTURE_VARIANT_ADD(scoped_domains, forked_domains) {
157 /* clang-format on */
158 .domain_both = true,
159 .domain_parent = true,
160 .domain_child = true,
161};