[PATCH v9 9/9] landlock: Add KUnit tests for LANDLOCK_ADD_RULE_NO_INHERIT
From: Justin Suess <hidden>
Date: 2026-06-21 03:52:46
Subsystem:
landlock security module, security subsystem, the rest · Maintainers:
Mickaël Salaün, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds
Add the landlock_ruleset KUnit suite with three tests for the
no_inherit handling in landlock_unmask_layers():
- test_unmask_no_inherit_propagates: a rule with no_inherit unmasks
access and sets the no_inherit bit on the layer mask.
- test_unmask_multilayer_no_inherit: no_inherit on one layer of a
multi-layer rule only affects that layer.
- test_unmask_no_inherit_sequential: applying a descendant rule
(no_inherit) followed by an ancestor rule causes the ancestor to be
skipped, modeling a path walk. This exercises the same skip branch
that a pre-set no_inherit mask would, via realistic rule application.
Signed-off-by: Justin Suess <redacted>
---
Notes:
Changes since v8:
- Reduced from five tests to three, dropping test_unmask_no_inherit_skip
and test_unmask_no_inherit_both_set (which set the per-layer no_inherit
bit synthetically). Kept test_unmask_no_inherit_propagates,
test_unmask_multilayer_no_inherit, and test_unmask_no_inherit_sequential,
which exercise the same skip branch through realistic rule application.
- Rebased onto mic/next.
security/landlock/ruleset.c | 137 ++++++++++++++++++++++++++++++++++++
1 file changed, 137 insertions(+)
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index ca7cfa45c90a..144b6fc19f79 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -6,6 +6,7 @@
 * Copyright © 2018-2020 ANSSI
 */
 
+#include <kunit/test.h>
 #include <linux/bits.h>
 #include <linux/bug.h>
 #include <linux/cleanup.h>
@@ -766,3 +767,139 @@ landlock_init_layer_masks(const struct landlock_ruleset *const domain,
 
 return handled_accesses;
 }
+
+#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
+
+/*
+ * Helper to allocate a rule with @num_layers layers and initialize
+ * its num_layers field. Caller must fill in individual layers.
+ */
+static struct landlock_rule *alloc_rule(struct kunit *test, u32 num_layers)
+{
+ struct landlock_rule *rule;
+
+ rule = kzalloc(struct_size(rule, layers, num_layers), GFP_KERNEL);
+ KUNIT_ASSERT_NOT_NULL(test, rule);
+ rule->num_layers = num_layers;
+ return rule;
+}
+
+/*
+ * Build a layer_masks with the first @num_layers layers' access set to
+ * @val, and all no_inherit flags cleared. Layers beyond @num_layers stay
+ * zeroed, matching what landlock_init_layer_masks() produces for a domain
+ * with that many layers.
+ */
+static void fill_masks(struct layer_masks *masks, access_mask_t val,
+ size_t num_layers)
+{
+ memset(masks, 0, sizeof(*masks));
+ for (size_t i = 0; i < num_layers; i++)
+ masks->layers[i].access = val;
+}
+
+/* Verify that a rule with no_inherit unmasks access and propagates the flag. */
+static void test_unmask_no_inherit_propagates(struct kunit *const test)
+{
+ struct landlock_rule *rule = alloc_rule(test, 1);
+ struct layer_masks masks;
+ const access_mask_t req = BIT_ULL(0) | BIT_ULL(1);
+
+ rule->layers[0].level = 1;
+ rule->layers[0].access = BIT_ULL(0);
+ rule->layers[0].flags.no_inherit = true;
+
+ fill_masks(&masks, req, 1);
+ landlock_unmask_layers(rule, &masks);
+
+ /* access bit 0 should be cleared, bit 1 remains */
+ KUNIT_EXPECT_EQ(test, (access_mask_t)masks.layers[0].access,
+ BIT_ULL(1));
+ KUNIT_EXPECT_TRUE(test, masks.layers[0].no_inherit);
+ KUNIT_EXPECT_EQ(test, (access_mask_t)masks.layers[1].access, 0);
+ kfree(rule);
+}
+
+/*
+ * Verify that no_inherit on layer 1 of a multi-layer rule only affects
+ * layer 1; layer 2 still contributes normally.
+ */
+static void test_unmask_multilayer_no_inherit(struct kunit *const test)
+{
+ struct landlock_rule *rule = alloc_rule(test, 2);
+ struct layer_masks masks;
+ const access_mask_t req = BIT_ULL(0) | BIT_ULL(1);
+
+ rule->layers[0].level = 1;
+ rule->layers[0].access = BIT_ULL(0);
+ rule->layers[0].flags.no_inherit = true;
+
+ rule->layers[1].level = 2;
+ rule->layers[1].access = BIT_ULL(1);
+
+ fill_masks(&masks, req, 2);
+ landlock_unmask_layers(rule, &masks);
+
+ /* Layer 1: bit 0 cleared, no_inherit set */
+ KUNIT_EXPECT_EQ(test, (access_mask_t)masks.layers[0].access, BIT_ULL(1));
+ KUNIT_EXPECT_TRUE(test, masks.layers[0].no_inherit);
+
+ /* Layer 2: bit 1 cleared, no_inherit not set */
+ KUNIT_EXPECT_EQ(test, (access_mask_t)masks.layers[1].access, BIT_ULL(0));
+ KUNIT_EXPECT_FALSE(test, masks.layers[1].no_inherit);
+ kfree(rule);
+}
+
+/*
+ * Verify that when applying two rules sequentially (as happens during
+ * a path walk), no_inherit from the first rule prevents the second
+ * rule from contributing to that layer.
+ */
+static void test_unmask_no_inherit_sequential(struct kunit *const test)
+{
+ struct landlock_rule *rule1 = alloc_rule(test, 1);
+ struct landlock_rule *rule2 = alloc_rule(test, 1);
+ struct layer_masks masks;
+ const access_mask_t req = BIT_ULL(0) | BIT_ULL(1);
+
+ /* Rule 1: no_inherit on layer 1, grants access bit 0 */
+ rule1->layers[0].level = 1;
+ rule1->layers[0].access = BIT_ULL(0);
+ rule1->layers[0].flags.no_inherit = true;
+
+ /* Rule 2: also on layer 1, grants access bit 1 (ancestor rule) */
+ rule2->layers[0].level = 1;
+ rule2->layers[0].access = BIT_ULL(1);
+
+ /* Apply rule1 first (descendant), then rule2 (ancestor) */
+ fill_masks(&masks, req, 1);
+ landlock_unmask_layers(rule1, &masks);
+ landlock_unmask_layers(rule2, &masks);
+
+ /*
+ * Rule2 should be skipped because rule1 set no_inherit.
+ * bit 0 cleared by rule1, bit 1 remains because rule2 skipped.
+ */
+ KUNIT_EXPECT_EQ(test, (access_mask_t)masks.layers[0].access, BIT_ULL(1));
+ KUNIT_EXPECT_TRUE(test, masks.layers[0].no_inherit);
+ kfree(rule1);
+ kfree(rule2);
+}
+
+static struct kunit_case test_cases[] = {
+ /* clang-format off */
+ KUNIT_CASE(test_unmask_no_inherit_propagates),
+ KUNIT_CASE(test_unmask_multilayer_no_inherit),
+ KUNIT_CASE(test_unmask_no_inherit_sequential),
+ {}
+ /* clang-format on */
+};
+
+static struct kunit_suite test_suite = {
+ .name = "landlock_ruleset",
+ .test_cases = test_cases,
+};
+
+kunit_test_suite(test_suite);
+
+#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
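Review bot: The rules returned by `alloc_rule()` come from a plain `kzalloc()` and are released only by the `kfree()` at the end of each test, so in `test_unmask_no_inherit_sequential` a failed second allocation trips `KUNIT_ASSERT_NOT_NULL`, aborts the case, and leaves `rule1` allocated. Allocating with `rule = kunit_kzalloc(test, struct_size(rule, layers, num_layers), GFP_KERNEL);` ties the memory to the test's lifetime, which lets the four `kfree()` calls go and keeps any assertion added later from leaking. On coverage, the sequential test only applies two single-layer rules to the same layer. A variant where the ancestor rule also carries a layer-2 entry would pin down that the skip is confined to the layer that set no_inherit and does not discard the ancestor's contribution to other layers. `landlock_unmask_layers()` itself is outside this hunk, so that second point is a suggested extra case rather than a claim about its current behaviour.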
--
2.54.0