Skip to content

Commit 90c618e

Browse files
sm1ling-knightgregkh
sm1ling-knight
authored and
gregkh
committed
selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP
commit f5534d5 upstream. Extend protocol_variant structure with protocol field (Cf. socket(2)). Extend protocol fixture with TCP test suits with protocol=IPPROTO_TCP which can be used as an alias for IPPROTO_IP (=0) in socket(2). Signed-off-by: Mikhail Ivanov <[email protected]> Link: https://lore.kernel.org/r/[email protected] Cc: <[email protected]> # 6.7.x Signed-off-by: Mickaël Salaün <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 5324c45 commit 90c618e

File tree

2 files changed

+67
-14
lines changed

2 files changed

+67
-14
lines changed

tools/testing/selftests/landlock/common.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -234,6 +234,7 @@ enforce_ruleset(struct __test_metadata *const _metadata, const int ruleset_fd)
234234
struct protocol_variant {
235235
int domain;
236236
int type;
237+
int protocol;
237238
};
238239

239240
struct service_fixture {

tools/testing/selftests/landlock/net_test.c

Lines changed: 66 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -85,18 +85,18 @@ static void setup_loopback(struct __test_metadata *const _metadata)
8585
clear_ambient_cap(_metadata, CAP_NET_ADMIN);
8686
}
8787

88+
static bool prot_is_tcp(const struct protocol_variant *const prot)
89+
{
90+
return (prot->domain == AF_INET || prot->domain == AF_INET6) &&
91+
prot->type == SOCK_STREAM &&
92+
(prot->protocol == IPPROTO_TCP || prot->protocol == IPPROTO_IP);
93+
}
94+
8895
static bool is_restricted(const struct protocol_variant *const prot,
8996
const enum sandbox_type sandbox)
9097
{
91-
switch (prot->domain) {
92-
case AF_INET:
93-
case AF_INET6:
94-
switch (prot->type) {
95-
case SOCK_STREAM:
96-
return sandbox == TCP_SANDBOX;
97-
}
98-
break;
99-
}
98+
if (sandbox == TCP_SANDBOX)
99+
return prot_is_tcp(prot);
100100
return false;
101101
}
102102

@@ -105,7 +105,7 @@ static int socket_variant(const struct service_fixture *const srv)
105105
int ret;
106106

107107
ret = socket(srv->protocol.domain, srv->protocol.type | SOCK_CLOEXEC,
108-
0);
108+
srv->protocol.protocol);
109109
if (ret < 0)
110110
return -errno;
111111
return ret;
@@ -290,22 +290,48 @@ FIXTURE_TEARDOWN(protocol)
290290
}
291291

292292
/* clang-format off */
293-
FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp) {
293+
FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp1) {
294294
/* clang-format on */
295295
.sandbox = NO_SANDBOX,
296296
.prot = {
297297
.domain = AF_INET,
298298
.type = SOCK_STREAM,
299+
/* IPPROTO_IP == 0 */
300+
.protocol = IPPROTO_IP,
299301
},
300302
};
301303

302304
/* clang-format off */
303-
FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp) {
305+
FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp2) {
306+
/* clang-format on */
307+
.sandbox = NO_SANDBOX,
308+
.prot = {
309+
.domain = AF_INET,
310+
.type = SOCK_STREAM,
311+
.protocol = IPPROTO_TCP,
312+
},
313+
};
314+
315+
/* clang-format off */
316+
FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp1) {
304317
/* clang-format on */
305318
.sandbox = NO_SANDBOX,
306319
.prot = {
307320
.domain = AF_INET6,
308321
.type = SOCK_STREAM,
322+
/* IPPROTO_IP == 0 */
323+
.protocol = IPPROTO_IP,
324+
},
325+
};
326+
327+
/* clang-format off */
328+
FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp2) {
329+
/* clang-format on */
330+
.sandbox = NO_SANDBOX,
331+
.prot = {
332+
.domain = AF_INET6,
333+
.type = SOCK_STREAM,
334+
.protocol = IPPROTO_TCP,
309335
},
310336
};
311337

@@ -372,22 +398,48 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_datagram) {
372398
};
373399

374400
/* clang-format off */
375-
FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp) {
401+
FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp1) {
402+
/* clang-format on */
403+
.sandbox = TCP_SANDBOX,
404+
.prot = {
405+
.domain = AF_INET,
406+
.type = SOCK_STREAM,
407+
/* IPPROTO_IP == 0 */
408+
.protocol = IPPROTO_IP,
409+
},
410+
};
411+
412+
/* clang-format off */
413+
FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp2) {
376414
/* clang-format on */
377415
.sandbox = TCP_SANDBOX,
378416
.prot = {
379417
.domain = AF_INET,
380418
.type = SOCK_STREAM,
419+
.protocol = IPPROTO_TCP,
420+
},
421+
};
422+
423+
/* clang-format off */
424+
FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp1) {
425+
/* clang-format on */
426+
.sandbox = TCP_SANDBOX,
427+
.prot = {
428+
.domain = AF_INET6,
429+
.type = SOCK_STREAM,
430+
/* IPPROTO_IP == 0 */
431+
.protocol = IPPROTO_IP,
381432
},
382433
};
383434

384435
/* clang-format off */
385-
FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp) {
436+
FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp2) {
386437
/* clang-format on */
387438
.sandbox = TCP_SANDBOX,
388439
.prot = {
389440
.domain = AF_INET6,
390441
.type = SOCK_STREAM,
442+
.protocol = IPPROTO_TCP,
391443
},
392444
};
393445

0 commit comments

Comments
 (0)