Commit a1d8b10

sm1ling-knightmehmetb0
authored andcommitted
selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP
BugLink: https://bugs.launchpad.net/bugs/2106703 commit f5534d5 upstream. Extend protocol_variant structure with protocol field (Cf. socket(2)). Extend protocol fixture with TCP test suits with protocol=IPPROTO_TCP which can be used as an alias for IPPROTO_IP (=0) in socket(2). Signed-off-by: Mikhail Ivanov <[email protected]> Link: https://lore.kernel.org/r/[email protected] Cc: <[email protected]> # 6.7.x Signed-off-by: Mickaël Salaün <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> [nwager: apply change to struct protocol_variant in "tools/testing/selftests/landlock/net_test.c" instead of "tools/testing/selftests/landlock/common.h" due to missing commit: fefcf0f ("selftests/landlock: Test abstract UNIX socket scoping")] Signed-off-by: Noah Wager <[email protected]> Signed-off-by: Mehmet Basaran <[email protected]>
1 parent 32d5211 commit a1d8b10

1 file changed

+67
-14
lines changed

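--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -39,6 +39,7 @@ enum sandbox_type {
 struct protocol_variant {
 int domain;
 int type;
+int protocol;
 };
 
 struct service_fixture {
@@ -114,18 +115,18 @@ static void setup_loopback(struct __test_metadata *const _metadata)
 clear_ambient_cap(_metadata, CAP_NET_ADMIN);
 }
 
+static bool prot_is_tcp(const struct protocol_variant *const prot)
+{
+return (prot->domain == AF_INET || prot->domain == AF_INET6) &&
+prot->type == SOCK_STREAM &&
+(prot->protocol == IPPROTO_TCP || prot->protocol == IPPROTO_IP);
+}
+
 static bool is_restricted(const struct protocol_variant *const prot,
 const enum sandbox_type sandbox)
 {
-switch (prot->domain) {
-case AF_INET:
-case AF_INET6:
-switch (prot->type) {
-case SOCK_STREAM:
-return sandbox == TCP_SANDBOX;
-}
-break;
-}
+if (sandbox == TCP_SANDBOX)
+return prot_is_tcp(prot);
 return false;
 }
 
@@ -134,7 +135,7 @@ static int socket_variant(const struct service_fixture *const srv)
 int ret;
 
 ret = socket(srv->protocol.domain, srv->protocol.type | SOCK_CLOEXEC,
-0);
+srv->protocol.protocol);
 if (ret < 0)
 return -errno;
 return ret;
@@ -319,22 +320,48 @@ FIXTURE_TEARDOWN(protocol)
 }
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp) {
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp1) {
 /* clang-format on */
 .sandbox = NO_SANDBOX,
 .prot = {
 .domain = AF_INET,
 .type = SOCK_STREAM,
+/* IPPROTO_IP == 0 */
+.protocol = IPPROTO_IP,
 },
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp) {
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp2) {
+/* clang-format on */
+.sandbox = NO_SANDBOX,
+.prot = {
+.domain = AF_INET,
+.type = SOCK_STREAM,
+.protocol = IPPROTO_TCP,
+},
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp1) {
 /* clang-format on */
 .sandbox = NO_SANDBOX,
 .prot = {
 .domain = AF_INET6,
 .type = SOCK_STREAM,
+/* IPPROTO_IP == 0 */
+.protocol = IPPROTO_IP,
+},
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp2) {
+/* clang-format on */
+.sandbox = NO_SANDBOX,
+.prot = {
+.domain = AF_INET6,
+.type = SOCK_STREAM,
+.protocol = IPPROTO_TCP,
 },
 };
 
@@ -401,22 +428,48 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_datagram) {
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp) {
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp1) {
+/* clang-format on */
+.sandbox = TCP_SANDBOX,
+.prot = {
+.domain = AF_INET,
+.type = SOCK_STREAM,
+/* IPPROTO_IP == 0 */
+.protocol = IPPROTO_IP,
+},
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp2) {
 /* clang-format on */
 .sandbox = TCP_SANDBOX,
 .prot = {
 .domain = AF_INET,
 .type = SOCK_STREAM,
+.protocol = IPPROTO_TCP,
+},
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp1) {
+/* clang-format on */
+.sandbox = TCP_SANDBOX,
+.prot = {
+.domain = AF_INET6,
+.type = SOCK_STREAM,
+/* IPPROTO_IP == 0 */
+.protocol = IPPROTO_IP,
 },
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp) {
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp2) {
 /* clang-format on */
 .sandbox = TCP_SANDBOX,
 .prot = {
 .domain = AF_INET6,
 .type = SOCK_STREAM,
+.protocol = IPPROTO_TCP,
 },
 };
 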
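Review bot: None of the variants visible in this section makes the new protocol comparison in `prot_is_tcp()` evaluate to false, because every AF_INET/AF_INET6 SOCK_STREAM variant sets `.protocol` to `IPPROTO_IP` or `IPPROTO_TCP`; a sandbox that wrongly restricted a non-TCP stream socket would therefore go unnoticed by these tests. A variant with a different stream protocol under `TCP_SANDBOX`, such as the `IPPROTO_MPTCP` one sketched below (plus its `NO_SANDBOX` and IPv6 twins), would pin the expectation that `is_restricted()` returns false for it. It needs MPTCP enabled in the selftest kernel config, and whether it passes depends on the kernel-side check, which this page does not show. `prot_is_tcp()` would also benefit from a short comment stating why `IPPROTO_IP` is accepted, e.g. `/* protocol 0 selects the default stream protocol for AF_INET/AF_INET6, i.e. TCP */`.

```c
/* clang-format off */
FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_mptcp) {
	/* clang-format on */
	.sandbox = TCP_SANDBOX,
	.prot = {
		.domain = AF_INET,
		.type = SOCK_STREAM,
		.protocol = IPPROTO_MPTCP,
	},
};
```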