Re: [RFC PATCH v2 07/12] selftests/landlock: Add protocol.inval to socket tests

[RFC PATCH v2 00/12] Socket type control for Landlock · Mikhail Ivanov <hidden> · 2024-05-24
[RFC PATCH v2 01/12] landlock: Support socket access-control · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 01/12] landlock: Support socket access-control · "Günther Noack" <gnoack@google.com> · 2024-05-27
Re: [RFC PATCH v2 01/12] landlock: Support socket access-control · Mikhail Ivanov <hidden> · 2024-05-30
Re: [RFC PATCH v2 01/12] landlock: Support socket access-control · "Günther Noack" <gnoack@google.com> · 2024-06-05
Re: [RFC PATCH v2 01/12] landlock: Support socket access-control · Mikhail Ivanov <hidden> · 2024-06-07
[RFC PATCH v2 02/12] landlock: Add hook on socket creation · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 02/12] landlock: Add hook on socket creation · "Günther Noack" <gnoack@google.com> · 2024-05-27
Re: [RFC PATCH v2 02/12] landlock: Add hook on socket creation · Mikhail Ivanov <hidden> · 2024-05-30
Re: [RFC PATCH v2 02/12] landlock: Add hook on socket creation · "Günther Noack" <gnoack@google.com> · 2024-06-05
Re: [RFC PATCH v2 02/12] landlock: Add hook on socket creation · Mikhail Ivanov <hidden> · 2024-06-07
Re: [RFC PATCH v2 02/12] landlock: Add hook on socket creation · Mickaël Salaün <mic@digikod.net> · 2024-09-25
[RFC PATCH v2 03/12] selftests/landlock: Add protocol.create to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 03/12] selftests/landlock: Add protocol.create to socket tests · "Günther Noack" <gnoack@google.com> · 2024-05-27
Re: [RFC PATCH v2 03/12] selftests/landlock: Add protocol.create to socket tests · Mikhail Ivanov <hidden> · 2024-05-30
[RFC PATCH v2 04/12] selftests/landlock: Add protocol.socket_access_rights to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 04/12] selftests/landlock: Add protocol.socket_access_rights to socket tests · "Günther Noack" <gnoack@google.com> · 2024-05-27
Re: [RFC PATCH v2 04/12] selftests/landlock: Add protocol.socket_access_rights to socket tests · Mikhail Ivanov <hidden> · 2024-05-30
[RFC PATCH v2 05/12] selftests/landlock: Add protocol.rule_with_unknown_access to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 05/12] selftests/landlock: Add protocol.rule_with_unknown_access to socket tests · "Günther Noack" <gnoack@google.com> · 2024-05-27
[RFC PATCH v2 06/12] selftests/landlock: Add protocol.rule_with_unhandled_access to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 06/12] selftests/landlock: Add protocol.rule_with_unhandled_access to socket tests · "Günther Noack" <gnoack@google.com> · 2024-05-27
[RFC PATCH v2 07/12] selftests/landlock: Add protocol.inval to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 07/12] selftests/landlock: Add protocol.inval to socket tests · "Günther Noack" <gnoack@google.com> · 2024-05-27
Re: [RFC PATCH v2 07/12] selftests/landlock: Add protocol.inval to socket tests · Mikhail Ivanov <hidden> · 2024-05-30
[RFC PATCH v2 08/12] selftests/landlock: Add tcp_layers.ruleset_overlap to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 08/12] selftests/landlock: Add tcp_layers.ruleset_overlap to socket tests · "Günther Noack" <gnoack@google.com> · 2024-05-27
Re: [RFC PATCH v2 08/12] selftests/landlock: Add tcp_layers.ruleset_overlap to socket tests · Mikhail Ivanov <hidden> · 2024-05-30
[RFC PATCH v2 09/12] selftests/landlock: Add mini.ruleset_with_unknown_access to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
[RFC PATCH v2 10/12] selftests/landlock: Add mini.socket_overflow to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
[RFC PATCH v2 11/12] selftests/landlock: Add mini.socket_invalid_type to socket tests · Mikhail Ivanov <hidden> · 2024-05-24
[RFC PATCH v2 12/12] samples/landlock: Support socket protocol restrictions · Mikhail Ivanov <hidden> · 2024-05-24
Re: [RFC PATCH v2 00/12] Socket type control for Landlock · Günther Noack <hidden> · 2024-06-04
Re: [RFC PATCH v2 00/12] Socket type control for Landlock · Mikhail Ivanov <hidden> · 2024-06-06
Re: [RFC PATCH v2 00/12] Socket type control for Landlock · "Günther Noack" <gnoack@google.com> · 2024-06-06
Re: [RFC PATCH v2 00/12] Socket type control for Landlock · "Günther Noack" <gnoack@google.com> · 2024-06-06
Re: [RFC PATCH v2 00/12] Socket type control for Landlock · Mikhail Ivanov <hidden> · 2024-06-07
Re: [RFC PATCH v2 00/12] Socket type control for Landlock · "Günther Noack" <gnoack@google.com> · 2024-06-10
Re: [RFC PATCH v2 00/12] Socket type control for Landlock · Mikhail Ivanov <hidden> · 2024-06-11

From: "Günther Noack" <gnoack@google.com>
Date: 2024-05-27 21:27:31
Also in: linux-security-module, netfilter-devel

On Fri, May 24, 2024 at 05:30:10PM +0800, Mikhail Ivanov wrote:

quoted hunk ↗ jump to hunk

Add test that validates behavior of landlock with fully
access restriction.

Signed-off-by: Mikhail Ivanov <redacted>
---

Changes since v1:
* Refactors commit message.
---
 .../testing/selftests/landlock/socket_test.c  | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/tools/testing/selftests/landlock/socket_test.c b/tools/testing/selftests/landlock/socket_test.c
index 31af47de1937..751596c381fe 100644
--- a/tools/testing/selftests/landlock/socket_test.c
+++ b/tools/testing/selftests/landlock/socket_test.c

@@ -265,4 +265,38 @@ TEST_F(protocol, rule_with_unhandled_access)
 	EXPECT_EQ(0, close(ruleset_fd));
 }
 
+TEST_F(protocol, inval)
+{
+	const struct landlock_ruleset_attr ruleset_attr = {
+		.handled_access_socket = LANDLOCK_ACCESS_SOCKET_CREATE
+	};
+
+	struct landlock_socket_attr protocol = {
+		.allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
+		.family = self->srv0.protocol.family,
+		.type = self->srv0.protocol.type,
+	};
+
+	struct landlock_socket_attr protocol_denied = {
+		.allowed_access = 0,
+		.family = self->srv0.protocol.family,
+		.type = self->srv0.protocol.type,
+	};
+
+	int ruleset_fd;
+
+	ruleset_fd =
+		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+	ASSERT_LE(0, ruleset_fd);
+
+	/* Checks zero access value. */
+	EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_SOCKET,
+					&protocol_denied, 0));
+	EXPECT_EQ(ENOMSG, errno);
+
+	/* Adds with legitimate values. */
+	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_SOCKET,
+				       &protocol, 0));
+}
+
 TEST_HARNESS_MAIN

-- 
2.34.1

Code is based on TEST_F(mini, inval) from net_test.c.  I see that you removed
the check for unhandled allowed_access, because there is already a separate
TEST_F(mini, rule_with_unhandled_access) for that.

That is true for the "legitimate value" case as well, though...?  We already
have a test for that too.  Should that also get removed?

Should we then rename the "inval" test to "rule_with_zero_access", so that the
naming is consistent with the "rule_with_unhandled_access" test?

—Günther

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help