This new ipv4_tcp.socket_domain test checks that the restrictions are tied to the socket at creation time, but not tied to the thread requesting a bind action. Properly close file descriptor in ipv4.with_fs test.
Cc: Günther Noack <gnoack@xxxxxxxxxx>
Cc: Ivanov Mikhail <ivanov.mikhail1@xxxxxxxxxxxxxxxxxxx>
Cc: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
Cc: Tahera Fahimi <fahimitahera@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Fixes: a549d055a22e ("selftests/landlock: Add network tests")
Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
Link: https://lore.kernel.org/r/20240719150618.197991-3-mic@xxxxxxxxxxx
---
tools/testing/selftests/landlock/net_test.c | 29 +++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index f21cfbbc3638..79251e27d26d 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -1579,6 +1579,35 @@ TEST_F(ipv4_tcp, with_fs)
 bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
 ASSERT_LE(0, bind_fd);
 EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
+}
+
+TEST_F(ipv4_tcp, socket_domain)
+{
+ const struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
+ };
+ int ruleset_fd, bind_fd;
+
+ /* Creates socket before sandboxing. */
+ bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_LE(0, bind_fd);
+
+ ruleset_fd =
+ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ EXPECT_EQ(0, close(ruleset_fd));
+
+ /* Tests port binding with unsandboxed socket. */
+ EXPECT_EQ(0, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
+
+ /* Tests port binding with new sandboxed socket. */
+ bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_LE(0, bind_fd);
+ EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
 }
 
 FIXTURE(port_specific)
--
2.45.2
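Review bot: The new TEST_F(ipv4_tcp, socket_domain) states the property it pins only in the commit message, while the body's expectations — `0` for the socket created before enforce_ruleset() and `-EACCES` for the one created after it, both issued by the same now-sandboxed thread — read as surprising without that context, so a comment above the TEST_F line would help, e.g. `/* Checks that the bind() restriction is tied to the socket's creation-time sandbox, not to the sandboxed thread calling bind(). */`. The ruleset handles only LANDLOCK_ACCESS_NET_BIND_TCP, so this test says nothing about whether connect() under LANDLOCK_ACCESS_NET_CONNECT_TCP follows the same creation-time semantics; if that is intended, a parallel case would pin it, though that intent is inferred rather than shown here. Note also that the description names the fixed test ipv4.with_fs whereas the hunk header reads TEST_F(ipv4_tcp, with_fs).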