[PATCH v10 4/9] selftests/landlock: Test IOCTL with memfds

[PATCH v10 0/9] Landlock: IOCTL support · "Günther Noack" <gnoack@google.com> · 2024-03-09
[PATCH v10 1/9] security: Create security_file_vfs_ioctl hook · "Günther Noack" <gnoack@google.com> · 2024-03-09
Re: [PATCH v10 1/9] security: Create security_file_vfs_ioctl hook · Paul Moore <paul@paul-moore.com> · 2024-03-14
[RFC PATCH] fs: Add an use vfs_get_ioctl_handler() · Mickaël Salaün <mic@digikod.net> · 2024-03-15
Re: [PATCH v10 1/9] security: Create security_file_vfs_ioctl hook · Mickaël Salaün <mic@digikod.net> · 2024-03-15
[PATCH v10 2/9] landlock: Add IOCTL access right for character and block devices · "Günther Noack" <gnoack@google.com> · 2024-03-09
Re: [PATCH v10 2/9] landlock: Add IOCTL access right for character and block devices · Mickaël Salaün <mic@digikod.net> · 2024-03-11
Re: [PATCH v10 2/9] landlock: Add IOCTL access right for character and block devices · Alejandro Colomar <alx@kernel.org> · 2024-03-11
[PATCH v10 3/9] selftests/landlock: Test IOCTL support · "Günther Noack" <gnoack@google.com> · 2024-03-09
[PATCH v10 4/9] selftests/landlock: Test IOCTL with memfds · "Günther Noack" <gnoack@google.com> · 2024-03-09
[PATCH v10 5/9] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) · "Günther Noack" <gnoack@google.com> · 2024-03-09
[PATCH v10 6/9] selftests/landlock: Test IOCTLs on named pipes · "Günther Noack" <gnoack@google.com> · 2024-03-09
Re: [PATCH v10 6/9] selftests/landlock: Test IOCTLs on named pipes · Mickaël Salaün <mic@digikod.net> · 2024-03-22
Re: [PATCH v10 6/9] selftests/landlock: Test IOCTLs on named pipes · Mickaël Salaün <mic@digikod.net> · 2024-03-22
Re: [PATCH v10 6/9] selftests/landlock: Test IOCTLs on named pipes · "Günther Noack" <gnoack@google.com> · 2024-03-22
Re: [PATCH v10 6/9] selftests/landlock: Test IOCTLs on named pipes · Mickaël Salaün <mic@digikod.net> · 2024-03-22
[PATCH v10 7/9] selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets · "Günther Noack" <gnoack@google.com> · 2024-03-09
Re: [PATCH v10 7/9] selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets · Mickaël Salaün <mic@digikod.net> · 2024-03-22
Re: [PATCH v10 7/9] selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets · "Günther Noack" <gnoack@google.com> · 2024-03-22
[PATCH v10 8/9] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL_DEV · "Günther Noack" <gnoack@google.com> · 2024-03-09
[PATCH v10 9/9] landlock: Document IOCTL support · "Günther Noack" <gnoack@google.com> · 2024-03-09

STALE827d

Revisions (11)

2023-06-23 v2 [diff vs current]
2023-08-14 v3 [diff vs current]
2023-11-03 v4 [diff vs current]
2023-11-17 v5 [diff vs current]
2023-11-24 v6 [diff vs current]
2023-12-01 v7 [diff vs current]
2023-12-08 v8 [diff vs current]
2024-03-09 v10 current
2024-03-22 v11 [diff vs current]
2024-03-25 v12 [diff vs current]
2024-04-05 v14 [diff vs current]

From: "Günther Noack" <gnoack@google.com>
Date: 2024-03-09 07:53:35
Also in: linux-fsdevel
Subsystem: kernel selftest framework, landlock security module, the rest · Maintainers: Shuah Khan, Mickaël Salaün, Linus Torvalds

Because the LANDLOCK_ACCESS_FS_IOCTL_DEV right is associated with the
opened file during open(2), IOCTLs are supposed to work with files
which are opened by means other than open(2).

Signed-off-by: Günther Noack <gnoack@google.com>
---
 tools/testing/selftests/landlock/fs_test.c | 36 ++++++++++++++++------
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 91567e5db0fd..f0e545c428eb 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c

@@ -3850,20 +3850,38 @@ static int test_fs_ioc_getflags_ioctl(int fd)
 	return 0;
 }
 
-TEST(memfd_ftruncate)
+TEST(memfd_ftruncate_and_ioctl)
 {
-	int fd;
-
-	fd = memfd_create("name", MFD_CLOEXEC);
-	ASSERT_LE(0, fd);
+	const struct landlock_ruleset_attr attr = {
+		.handled_access_fs = ACCESS_ALL,
+	};
+	int ruleset_fd, fd, i;
 
 	/*
-	 * Checks that ftruncate is permitted on file descriptors that are
-	 * created in ways other than open(2).
+	 * We exercise the same test both with and without Landlock enabled, to
+	 * ensure that it behaves the same in both cases.
 	 */
-	EXPECT_EQ(0, test_ftruncate(fd));
+	for (i = 0; i < 2; i++) {
+		/* Creates a new memfd. */
+		fd = memfd_create("name", MFD_CLOEXEC);
+		ASSERT_LE(0, fd);
 
-	ASSERT_EQ(0, close(fd));
+		/*
+		 * Checks that operations associated with the opened file
+		 * (ftruncate, ioctl) are permitted on file descriptors that are
+		 * created in ways other than open(2).
+		 */
+		EXPECT_EQ(0, test_ftruncate(fd));
+		EXPECT_EQ(0, test_fs_ioc_getflags_ioctl(fd));
+
+		ASSERT_EQ(0, close(fd));
+
+		/* Enables Landlock. */
+		ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
+		ASSERT_LE(0, ruleset_fd);
+		enforce_ruleset(_metadata, ruleset_fd);
+		ASSERT_EQ(0, close(ruleset_fd));
+	}
 }
 
 /* clang-format off */

-- 
2.44.0.278.ge034bb2e1d-goog

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help