[PATCH 4/6] selftests/landlock: Test LANDLOCK_SCOPE_SYSV_MSG_QUEUE

From: Justin Suess <hidden>
Date: 2026-05-21 16:07:05
Also in: lkml
Subsystem: kernel selftest framework, landlock security module, the rest · Maintainers: Shuah Khan, Mickaël Salaün, Linus Torvalds

Add selftests for SysV message queue scoped right.

Use the existing scoped domain harness for msgget, and another fixture
for testing msgsnd, msgrcv and msgctl.

Pass the msqid around for coverage of non-msgget syscalls, since calling
msgget while already restricted would fail and prevent testing the
operation under test.

Denials are checked against -EACCES rather than -EPERM: msgget,
msgsnd, msgrcv and msgctl(IPC_STAT) all reach the Landlock scope
check via ipcperms(), whose callers map every non-zero return into
-EACCES before propagating it to user space.

Signed-off-by: Justin Suess <redacted>
---
 .../landlock/scoped_sysv_msg_queue_test.c     | 256 ++++++++++++++++++
 1 file changed, 256 insertions(+)
 create mode 100644 tools/testing/selftests/landlock/scoped_sysv_msg_queue_test.c

diff --git a/tools/testing/selftests/landlock/scoped_sysv_msg_queue_test.c b/tools/testing/selftests/landlock/scoped_sysv_msg_queue_test.c
new file mode 100644
index 000000000000..41f99803b593
--- /dev/null
+++ b/tools/testing/selftests/landlock/scoped_sysv_msg_queue_test.c

@@ -0,0 +1,256 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Landlock tests - SysV Message Queue Scoping
+ *
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/landlock.h>
+#include <sys/ipc.h>
+#include <sys/msg.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include "common.h"
+#include "scoped_common.h"
+
+/*
+ * Removes the message queue identified by @msqid, ignoring any error since
+ * the caller might no longer have permission to operate on it (for example,
+ * after entering a scoped domain).
+ */
+static void cleanup_msg_queue(int msqid)
+{
+	if (msqid >= 0)
+		msgctl(msqid, IPC_RMID, NULL);
+}
+
+/* clang-format off */
+FIXTURE(scoped_domains) {};
+/* clang-format on */
+
+#include "scoped_base_variants.h"
+
+FIXTURE_SETUP(scoped_domains)
+{
+	drop_caps(_metadata);
+}
+
+FIXTURE_TEARDOWN(scoped_domains)
+{
+}
+
+/*
+ * Parent creates a SysV message queue, then the child tries to associate
+ * with it via msgget(2).  When the child is in a domain that scopes message
+ * queues and the parent is not in that same scope, the association must be
+ * denied with -EACCES (msgget runs the scope check via ipcperms(), which
+ * masks every denial as -EACCES).
+ */
+TEST_F(scoped_domains, check_access_msg_queue)
+{
+	pid_t child;
+	int status;
+	int msqid = -1;
+	int pipe_parent[2], pipe_child[2];
+	char buf;
+	key_t key;
+	bool can_associate;
+
+	/*
+	 * The child can associate with the parent's queue unless the child
+	 * is in a scoped domain that does not include the parent (i.e. the
+	 * parent is outside the child's domain).
+	 */
+	can_associate = !variant->domain_child;
+
+	/*
+	 * Picks a per-test key derived from PID to avoid collisions.  Stale
+	 * queues from a previous run are unlikely but handled by removing
+	 * any matching entry before applying any scope.
+	 */
+	key = (key_t)(getpid() & 0x7fffffff);
+	cleanup_msg_queue(msgget(key, 0));
+
+	if (variant->domain_both)
+		create_scoped_domain(_metadata, LANDLOCK_SCOPE_SYSV_MSG_QUEUE);
+
+	ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
+	ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
+
+	child = fork();
+	ASSERT_LE(0, child);
+	if (child == 0) {
+		int ret;
+
+		EXPECT_EQ(0, close(pipe_child[0]));
+		EXPECT_EQ(0, close(pipe_parent[1]));
+
+		if (variant->domain_child)
+			create_scoped_domain(_metadata,
+					     LANDLOCK_SCOPE_SYSV_MSG_QUEUE);
+
+		/* Signals readiness to the parent. */
+		ASSERT_EQ(1, write(pipe_child[1], ".", 1));
+		EXPECT_EQ(0, close(pipe_child[1]));
+
+		/* Waits for the parent to have created the queue. */
+		ASSERT_EQ(1, read(pipe_parent[0], &buf, 1));
+		EXPECT_EQ(0, close(pipe_parent[0]));
+
+		ret = msgget(key, 0);
+		if (can_associate) {
+			ASSERT_LE(0, ret);
+		} else {
+			ASSERT_EQ(-1, ret);
+			/*
+			 * msgget uses ipcperms(), which masks every LSM
+			 * denial as -EACCES regardless of the value the
+			 * LSM hook returns.
+			 */
+			ASSERT_EQ(EACCES, errno);
+		}
+
+		_exit(_metadata->exit_code);
+		return;
+	}
+	EXPECT_EQ(0, close(pipe_child[1]));
+	EXPECT_EQ(0, close(pipe_parent[0]));
+
+	if (variant->domain_parent)
+		create_scoped_domain(_metadata, LANDLOCK_SCOPE_SYSV_MSG_QUEUE);
+
+	/* Waits for the child to be ready. */
+	ASSERT_EQ(1, read(pipe_child[0], &buf, 1));
+	EXPECT_EQ(0, close(pipe_child[0]));
+
+	msqid = msgget(key, IPC_CREAT | IPC_EXCL | 0600);
+	ASSERT_LE(0, msqid);
+
+	/* Releases the child. */
+	ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
+	EXPECT_EQ(0, close(pipe_parent[1]));
+
+	ASSERT_EQ(child, waitpid(child, &status, 0));
+	cleanup_msg_queue(msqid);
+
+	if (WIFSIGNALED(status) || !WIFEXITED(status) ||
+	    WEXITSTATUS(status) != EXIT_SUCCESS)
+		_metadata->exit_code = KSFT_FAIL;
+}
+
+/*
+ * The msg_queue_associate hook (exercised by msgget(2)) is covered by the
+ * scoped_domains fixture above.  The remaining hooks all funnel through the
+ * same scope check, so it suffices to verify that each operation is denied
+ * when the child is scoped relative to the queue's creator.
+ *
+ * To attribute a denial to the operation under test (and not to a preceding
+ * msgget(2) call), the parent creates the queue and the child inherits the
+ * msqid across fork(2), bypassing msg_queue_associate.
+ */
+enum msg_op {
+	MSG_OP_SND,
+	MSG_OP_RCV,
+	MSG_OP_CTL,
+};
+
+/* clang-format off */
+FIXTURE(scoping_msg_ops) {};
+/* clang-format on */
+
+FIXTURE_VARIANT(scoping_msg_ops)
+{
+	enum msg_op op;
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(scoping_msg_ops, msgsnd) {
+	/* clang-format on */
+	.op = MSG_OP_SND,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(scoping_msg_ops, msgrcv) {
+	/* clang-format on */
+	.op = MSG_OP_RCV,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(scoping_msg_ops, msgctl) {
+	/* clang-format on */
+	.op = MSG_OP_CTL,
+};
+
+FIXTURE_SETUP(scoping_msg_ops)
+{
+	drop_caps(_metadata);
+}
+
+FIXTURE_TEARDOWN(scoping_msg_ops)
+{
+}
+
+TEST_F(scoping_msg_ops, deny_op)
+{
+	struct msgbuf {
+		long mtype;
+		char mtext[1];
+	} msg = { .mtype = 1 };
+	struct msqid_ds ds;
+	pid_t child;
+	int status;
+	int msqid, ret = 0;
+	key_t key;
+
+	key = (key_t)(getpid() & 0x7fffffff);
+	cleanup_msg_queue(msgget(key, 0));
+
+	msqid = msgget(key, IPC_CREAT | IPC_EXCL | 0600);
+	ASSERT_LE(0, msqid);
+
+	/* Preloads a message so msgrcv(2) would otherwise succeed. */
+	ASSERT_EQ(0, msgsnd(msqid, &msg, sizeof(msg.mtext), 0));
+
+	child = fork();
+	ASSERT_LE(0, child);
+	if (child == 0) {
+		create_scoped_domain(_metadata, LANDLOCK_SCOPE_SYSV_MSG_QUEUE);
+
+		switch (variant->op) {
+		case MSG_OP_SND:
+			ret = msgsnd(msqid, &msg, sizeof(msg.mtext), 0);
+			break;
+		case MSG_OP_RCV:
+			ret = msgrcv(msqid, &msg, sizeof(msg.mtext), 0,
+				     IPC_NOWAIT);
+			break;
+		case MSG_OP_CTL:
+			ret = msgctl(msqid, IPC_STAT, &ds);
+			break;
+		}
+		ASSERT_EQ(-1, ret);
+		/*
+		 * msgsnd, msgrcv and msgctl(IPC_STAT) all reach the
+		 * Landlock scope check via ipcperms(), whose callers map
+		 * any non-zero return into -EACCES before propagating it
+		 * to user space.
+		 */
+		ASSERT_EQ(EACCES, errno);
+
+		_exit(_metadata->exit_code);
+		return;
+	}
+
+	ASSERT_EQ(child, waitpid(child, &status, 0));
+	cleanup_msg_queue(msqid);
+
+	if (WIFSIGNALED(status) || !WIFEXITED(status) ||
+	    WEXITSTATUS(status) != EXIT_SUCCESS)
+		_metadata->exit_code = KSFT_FAIL;
+}
+
+TEST_HARNESS_MAIN

-- 
2.53.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help