Re: [LTP] [PATCH v3 07/11] Add landlock03 test
From: Petr Vorel <pvorel@suse.cz>
Date: 2024-07-16 17:15:50
Hi Andrea, Li, ...
+static struct tcase {
+ int *fd;
+ uint32_t flags;
+ int exp_errno;
+ char *msg;
+} tcases[] = {
+ {&ruleset_fd, -1, EINVAL, "Invalid flags"},
+ {&ruleset_invalid, 0, EBADF, "Invalid file descriptor"},
+ {&file_fd, 0, EBADFD, "Not a ruleset file descriptor"},
+ {&ruleset_fd, 0, EPERM, "File descriptor doesn't have CAP_SYS_ADMIN"},
+ {&ruleset_fd, 0, E2BIG, "Maximum number of stacked rulesets is reached"},

I was going to merge this, but the last E2BIG does not work with -i2:

# ./landlock03 -i2
tst_kconfig.c:88: TINFO: Parsing kernel config '/boot/config-6.6.15-amd64'
tst_buffers.c:57: TINFO: Test is using guarded buffers
tst_test.c:1806: TINFO: LTP version: 20240524-99-gf651e2dd5
tst_test.c:1650: TINFO: Timeout per run is 0h 00m 30s
landlock_common.h:30: TINFO: Landlock ABI v3
landlock03.c:70: TPASS: Invalid flags : EINVAL (22)
landlock03.c:70: TPASS: Invalid file descriptor : EBADF (9)
landlock03.c:70: TPASS: Not a ruleset file descriptor : EBADFD (77)
tst_capability.c:29: TINFO: Dropping CAP_SYS_ADMIN(21)
landlock03.c:70: TPASS: File descriptor doesn't have CAP_SYS_ADMIN : EPERM (1)
tst_capability.c:41: TINFO: Permitting CAP_SYS_ADMIN(21)
landlock03.c:70: TPASS: Maximum number of stacked rulesets is reached : E2BIG (7)
landlock03.c:70: TPASS: Invalid flags : EINVAL (22)
landlock03.c:70: TPASS: Invalid file descriptor : EBADF (9)
landlock03.c:70: TPASS: Not a ruleset file descriptor : EBADFD (77)
tst_capability.c:29: TINFO: Dropping CAP_SYS_ADMIN(21)
landlock03.c:70: TPASS: File descriptor doesn't have CAP_SYS_ADMIN : EPERM (1)
tst_capability.c:41: TINFO: Permitting CAP_SYS_ADMIN(21)
landlock03.c:63: TFAIL: tst_syscall(__NR_landlock_restrict_self, *tc->fd, tc->flags) failed: E2BIG (7)

+};
+
+static void run(unsigned int n)
+{
+ struct tcase *tc = &tcases[n];
+
+ if (tc->exp_errno == EPERM)
+ tst_cap_action(&dropadmin);
+
+ if (tc->exp_errno == E2BIG) {
+ for (int i = 0; i < MAX_STACKED_RULESETS; i++) {
+ TST_EXP_PASS_SILENT(tst_syscall(__NR_landlock_restrict_self,
+ *tc->fd, tc->flags));

I suppose any later call for E2BIG will fail, because we reached the maximum of the rulesets, right? (That's why there is TST_EXP_FAIL below.)

Can we somehow undo landlock rulesets? It looks to me like it's not possible:
https://docs.kernel.org/userspace-api/landlock.html#ruleset-layers

The man page does not mention it either:
https://man7.org/linux/man-pages/man2/landlock_restrict_self.2.html
https://man7.org/linux/man-pages/man2/landlock_create_ruleset.2.html

Tomorrow I'll try to have a look into the sources, but I guess we will need to skip this last test for other iterations, right?

+ if (TST_RET == -1) + return; + } + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_restrict_self, *tc->fd, tc->flags), + tc->exp_errno, + "%s", tc->msg);
Kind regards, Petr
+ + if (tc->exp_errno == EPERM) + tst_cap_action(&needadmin); +}
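
Review bot: the E2BIG branch of run() stacks MAX_STACKED_RULESETS layers onto the test process itself, and Landlock layers stay in place for the lifetime of the process, so on a second iteration (-i2) the first TST_EXP_PASS_SILENT call in the loop already returns E2BIG and is reported as TFAIL (the landlock03.c:63 line in the log above). Suggest running this case in a child process: wrap the loop and the final TST_EXP_FAIL in a SAFE_FORK() child that exits afterwards, with .forks_child = 1 in the tst_test struct (the struct is not visible in the quoted lines, so whether it is already set is an assumption). Each iteration then starts from a parent that has no stacked layers, and the case does not need to be skipped for later iterations.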