selftests/landlock: Add audit tests for abstract UNIX socket scoping

Add a new scoped_audit.connect_to_child test to check the abstract UNIX
socket blocker.

Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-26-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

+111
+111
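--- a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
+++ b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
@@ -20,6 +20,7 @@
 #include <sys/wait.h>
 #include <unistd.h>
 
+#include "audit.h"
 #include "common.h"
 #include "scoped_common.h"
 
@@ -260,6 +259,116 @@
 	}
 	ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
 	EXPECT_EQ(0, close(stream_client));
+	EXPECT_EQ(0, close(dgram_client));
+
+	ASSERT_EQ(child, waitpid(child, &status, 0));
+	if (WIFSIGNALED(status) || !WIFEXITED(status) ||
+	    WEXITSTATUS(status) != EXIT_SUCCESS)
+		_metadata->exit_code = KSFT_FAIL;
+}
+
+FIXTURE(scoped_audit)
+{
+	struct service_fixture dgram_address;
+	struct audit_filter audit_filter;
+	int audit_fd;
+};
+
+FIXTURE_SETUP(scoped_audit)
+{
+	disable_caps(_metadata);
+
+	memset(&self->dgram_address, 0, sizeof(self->dgram_address));
+	set_unix_address(&self->dgram_address, 1);
+
+	set_cap(_metadata, CAP_AUDIT_CONTROL);
+	self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
+	EXPECT_LE(0, self->audit_fd);
+	drop_caps(_metadata);
+}
+
+FIXTURE_TEARDOWN_PARENT(scoped_audit)
+{
+	EXPECT_EQ(0, audit_cleanup(-1, NULL));
+}
+
+/* python -c 'print(b"\0selftests-landlock-abstract-unix-".hex().upper())' */
+#define ABSTRACT_SOCKET_PATH_PREFIX \
+	"0073656C6674657374732D6C616E646C6F636B2D61627374726163742D756E69782D"
+
+/*
+ * Simpler version of scoped_domains.connect_to_child, but with audit tests.
+ */
+TEST_F(scoped_audit, connect_to_child)
+{
+	pid_t child;
+	int err_dgram, status;
+	int pipe_child[2], pipe_parent[2];
+	char buf;
+	int dgram_client;
+	struct audit_records records;
+
+	/* Makes sure there is no superfluous logged records. */
+	EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
+	EXPECT_EQ(0, records.access);
+	EXPECT_EQ(0, records.domain);
+
+	ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
+	ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
+
+	child = fork();
+	ASSERT_LE(0, child);
+	if (child == 0) {
+		int dgram_server;
+
+		EXPECT_EQ(0, close(pipe_parent[1]));
+		EXPECT_EQ(0, close(pipe_child[0]));
+
+		/* Waits for the parent to be in a domain. */
+		ASSERT_EQ(1, read(pipe_parent[0], &buf, 1));
+
+		dgram_server = socket(AF_UNIX, SOCK_DGRAM, 0);
+		ASSERT_LE(0, dgram_server);
+		ASSERT_EQ(0, bind(dgram_server, &self->dgram_address.unix_addr,
+				  self->dgram_address.unix_addr_len));
+
+		/* Signals to the parent that child is listening. */
+		ASSERT_EQ(1, write(pipe_child[1], ".", 1));
+
+		/* Waits to connect. */
+		ASSERT_EQ(1, read(pipe_parent[0], &buf, 1));
+		EXPECT_EQ(0, close(dgram_server));
+		_exit(_metadata->exit_code);
+		return;
+	}
+	EXPECT_EQ(0, close(pipe_child[1]));
+	EXPECT_EQ(0, close(pipe_parent[0]));
+
+	create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+
+	/* Signals that the parent is in a domain, if any. */
+	ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
+
+	dgram_client = socket(AF_UNIX, SOCK_DGRAM, 0);
+	ASSERT_LE(0, dgram_client);
+
+	/* Waits for the child to listen */
+	ASSERT_EQ(1, read(pipe_child[0], &buf, 1));
+	err_dgram = connect(dgram_client, &self->dgram_address.unix_addr,
+			    self->dgram_address.unix_addr_len);
+	EXPECT_EQ(-1, err_dgram);
+	EXPECT_EQ(EPERM, errno);
+
+	EXPECT_EQ(
+		0,
+		audit_match_record(
+			self->audit_fd, AUDIT_LANDLOCK_ACCESS,
+			REGEX_LANDLOCK_PREFIX
+			" blockers=scope\\.abstract_unix_socket path=" ABSTRACT_SOCKET_PATH_PREFIX
+			"[0-9A-F]\\+$",
+			NULL));
+
+	ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
 	EXPECT_EQ(0, close(dgram_client));
 
 	ASSERT_EQ(child, waitpid(child, &status, 0));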
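Review bot: After the `audit_match_record()` check in `scoped_audit.connect_to_child`, nothing asserts that the denied `connect()` left no further access records, so a duplicated or stray `AUDIT_LANDLOCK_ACCESS` entry would still pass. Repeating the check from the top of the test right after the match would close that gap: `EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));` followed by `EXPECT_EQ(0, records.access);`. The expected `records.domain` value at that point depends on how the audit helpers consume domain records, which this page does not show. The test also exercises only a `SOCK_DGRAM` client, so audit logging for a denied stream connection stays uncovered as far as this hunk shows. The tail of the function, after the final `waitpid()` context line, lies outside the hunk.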