1 // SPDX-License-Identifier: GPL-2.0
3 * Landlock tests - Filesystem
5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6 * Copyright © 2020 ANSSI
7 * Copyright © 2020-2021 Microsoft Corporation
12 #include <linux/landlock.h>
15 #include <sys/capability.h>
16 #include <sys/mount.h>
17 #include <sys/prctl.h>
18 #include <sys/sendfile.h>
20 #include <sys/sysmacros.h>
26 int renameat2(int olddirfd, const char *oldpath, int newdirfd,
27 const char *newpath, unsigned int flags)
29 return syscall(__NR_renameat2, olddirfd, oldpath, newdirfd, newpath,
34 #ifndef RENAME_EXCHANGE
35 #define RENAME_EXCHANGE (1 << 1)
39 #define BINARY_PATH "./true"
41 /* Paths (sibling number and depth) */
42 static const char dir_s1d1[] = TMP_DIR "/s1d1";
43 static const char file1_s1d1[] = TMP_DIR "/s1d1/f1";
44 static const char file2_s1d1[] = TMP_DIR "/s1d1/f2";
45 static const char dir_s1d2[] = TMP_DIR "/s1d1/s1d2";
46 static const char file1_s1d2[] = TMP_DIR "/s1d1/s1d2/f1";
47 static const char file2_s1d2[] = TMP_DIR "/s1d1/s1d2/f2";
48 static const char dir_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3";
49 static const char file1_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f1";
50 static const char file2_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f2";
52 static const char dir_s2d1[] = TMP_DIR "/s2d1";
53 static const char file1_s2d1[] = TMP_DIR "/s2d1/f1";
54 static const char dir_s2d2[] = TMP_DIR "/s2d1/s2d2";
55 static const char file1_s2d2[] = TMP_DIR "/s2d1/s2d2/f1";
56 static const char dir_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3";
57 static const char file1_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f1";
58 static const char file2_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f2";
60 static const char dir_s3d1[] = TMP_DIR "/s3d1";
61 /* dir_s3d2 is a mount point. */
62 static const char dir_s3d2[] = TMP_DIR "/s3d1/s3d2";
63 static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3";
90 static void mkdir_parents(struct __test_metadata *const _metadata,
91 const char *const path)
97 ASSERT_NE(path[0], '\0');
98 walker = strdup(path);
99 ASSERT_NE(NULL, walker);
101 for (i = 1; walker[i]; i++) {
102 if (walker[i] != '/')
105 err = mkdir(parent, 0700);
106 ASSERT_FALSE(err && errno != EEXIST)
108 TH_LOG("Failed to create directory \"%s\": %s", parent,
116 static void create_directory(struct __test_metadata *const _metadata,
117 const char *const path)
119 mkdir_parents(_metadata, path);
120 ASSERT_EQ(0, mkdir(path, 0700))
122 TH_LOG("Failed to create directory \"%s\": %s", path,
127 static void create_file(struct __test_metadata *const _metadata,
128 const char *const path)
130 mkdir_parents(_metadata, path);
131 ASSERT_EQ(0, mknod(path, S_IFREG | 0700, 0))
133 TH_LOG("Failed to create file \"%s\": %s", path,
138 static int remove_path(const char *const path)
143 walker = strdup(path);
148 if (unlink(path) && rmdir(path)) {
149 if (errno != ENOENT && errno != ENOTDIR)
153 for (i = strlen(walker); i > 0; i--) {
154 if (walker[i] != '/')
159 if (errno != ENOTEMPTY && errno != EBUSY)
163 if (strcmp(walker, TMP_DIR) == 0)
172 static void prepare_layout(struct __test_metadata *const _metadata)
174 disable_caps(_metadata);
176 create_directory(_metadata, TMP_DIR);
179 * Do not pollute the rest of the system: creates a private mount point
180 * for tests relying on pivot_root(2) and move_mount(2).
182 set_cap(_metadata, CAP_SYS_ADMIN);
183 ASSERT_EQ(0, unshare(CLONE_NEWNS));
184 ASSERT_EQ(0, mount("tmp", TMP_DIR, "tmpfs", 0, "size=4m,mode=700"));
185 ASSERT_EQ(0, mount(NULL, TMP_DIR, NULL, MS_PRIVATE | MS_REC, NULL));
186 clear_cap(_metadata, CAP_SYS_ADMIN);
189 static void cleanup_layout(struct __test_metadata *const _metadata)
191 set_cap(_metadata, CAP_SYS_ADMIN);
192 EXPECT_EQ(0, umount(TMP_DIR));
193 clear_cap(_metadata, CAP_SYS_ADMIN);
194 EXPECT_EQ(0, remove_path(TMP_DIR));
197 static void create_layout1(struct __test_metadata *const _metadata)
199 create_file(_metadata, file1_s1d1);
200 create_file(_metadata, file1_s1d2);
201 create_file(_metadata, file1_s1d3);
202 create_file(_metadata, file2_s1d1);
203 create_file(_metadata, file2_s1d2);
204 create_file(_metadata, file2_s1d3);
206 create_file(_metadata, file1_s2d1);
207 create_file(_metadata, file1_s2d2);
208 create_file(_metadata, file1_s2d3);
209 create_file(_metadata, file2_s2d3);
211 create_directory(_metadata, dir_s3d2);
212 set_cap(_metadata, CAP_SYS_ADMIN);
213 ASSERT_EQ(0, mount("tmp", dir_s3d2, "tmpfs", 0, "size=4m,mode=700"));
214 clear_cap(_metadata, CAP_SYS_ADMIN);
216 ASSERT_EQ(0, mkdir(dir_s3d3, 0700));
219 static void remove_layout1(struct __test_metadata *const _metadata)
221 EXPECT_EQ(0, remove_path(file2_s1d3));
222 EXPECT_EQ(0, remove_path(file2_s1d2));
223 EXPECT_EQ(0, remove_path(file2_s1d1));
224 EXPECT_EQ(0, remove_path(file1_s1d3));
225 EXPECT_EQ(0, remove_path(file1_s1d2));
226 EXPECT_EQ(0, remove_path(file1_s1d1));
228 EXPECT_EQ(0, remove_path(file2_s2d3));
229 EXPECT_EQ(0, remove_path(file1_s2d3));
230 EXPECT_EQ(0, remove_path(file1_s2d2));
231 EXPECT_EQ(0, remove_path(file1_s2d1));
233 EXPECT_EQ(0, remove_path(dir_s3d3));
234 set_cap(_metadata, CAP_SYS_ADMIN);
236 clear_cap(_metadata, CAP_SYS_ADMIN);
237 EXPECT_EQ(0, remove_path(dir_s3d2));
240 /* clang-format off */
242 /* clang-format on */
244 FIXTURE_SETUP(layout1)
246 prepare_layout(_metadata);
248 create_layout1(_metadata);
251 FIXTURE_TEARDOWN(layout1)
253 remove_layout1(_metadata);
255 cleanup_layout(_metadata);
259 * This helper enables to use the ASSERT_* macros and print the line number
260 * pointing to the test caller.
262 static int test_open_rel(const int dirfd, const char *const path,
267 /* Works with file and directories. */
268 fd = openat(dirfd, path, flags | O_CLOEXEC);
272 * Mixing error codes from close(2) and open(2) should not lead to any
273 * (access type) confusion for this test.
280 static int test_open(const char *const path, const int flags)
282 return test_open_rel(AT_FDCWD, path, flags);
285 TEST_F_FORK(layout1, no_restriction)
287 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
288 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
289 ASSERT_EQ(0, test_open(file2_s1d1, O_RDONLY));
290 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
291 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
292 ASSERT_EQ(0, test_open(file2_s1d2, O_RDONLY));
293 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
294 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
296 ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
297 ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
298 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
299 ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
300 ASSERT_EQ(0, test_open(dir_s2d3, O_RDONLY));
301 ASSERT_EQ(0, test_open(file1_s2d3, O_RDONLY));
303 ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
304 ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
305 ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
308 TEST_F_FORK(layout1, inval)
310 struct landlock_path_beneath_attr path_beneath = {
311 .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
312 LANDLOCK_ACCESS_FS_WRITE_FILE,
315 struct landlock_ruleset_attr ruleset_attr = {
316 .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
317 LANDLOCK_ACCESS_FS_WRITE_FILE,
321 path_beneath.parent_fd =
322 open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
323 ASSERT_LE(0, path_beneath.parent_fd);
325 ruleset_fd = open(dir_s1d1, O_PATH | O_DIRECTORY | O_CLOEXEC);
326 ASSERT_LE(0, ruleset_fd);
327 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
329 /* Returns EBADF because ruleset_fd is not a landlock-ruleset FD. */
330 ASSERT_EQ(EBADF, errno);
331 ASSERT_EQ(0, close(ruleset_fd));
333 ruleset_fd = open(dir_s1d1, O_DIRECTORY | O_CLOEXEC);
334 ASSERT_LE(0, ruleset_fd);
335 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
337 /* Returns EBADFD because ruleset_fd is not a valid ruleset. */
338 ASSERT_EQ(EBADFD, errno);
339 ASSERT_EQ(0, close(ruleset_fd));
341 /* Gets a real ruleset. */
343 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
344 ASSERT_LE(0, ruleset_fd);
345 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
347 ASSERT_EQ(0, close(path_beneath.parent_fd));
349 /* Tests without O_PATH. */
350 path_beneath.parent_fd = open(dir_s1d2, O_DIRECTORY | O_CLOEXEC);
351 ASSERT_LE(0, path_beneath.parent_fd);
352 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
354 ASSERT_EQ(0, close(path_beneath.parent_fd));
356 /* Tests with a ruleset FD. */
357 path_beneath.parent_fd = ruleset_fd;
358 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
360 ASSERT_EQ(EBADFD, errno);
362 /* Checks unhandled allowed_access. */
363 path_beneath.parent_fd =
364 open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
365 ASSERT_LE(0, path_beneath.parent_fd);
367 /* Test with legitimate values. */
368 path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_EXECUTE;
369 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
371 ASSERT_EQ(EINVAL, errno);
372 path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE;
374 /* Test with unknown (64-bits) value. */
375 path_beneath.allowed_access |= (1ULL << 60);
376 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
378 ASSERT_EQ(EINVAL, errno);
379 path_beneath.allowed_access &= ~(1ULL << 60);
381 /* Test with no access. */
382 path_beneath.allowed_access = 0;
383 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
385 ASSERT_EQ(ENOMSG, errno);
386 path_beneath.allowed_access &= ~(1ULL << 60);
388 ASSERT_EQ(0, close(path_beneath.parent_fd));
390 /* Enforces the ruleset. */
391 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
392 ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
394 ASSERT_EQ(0, close(ruleset_fd));
397 /* clang-format off */
399 #define ACCESS_FILE ( \
400 LANDLOCK_ACCESS_FS_EXECUTE | \
401 LANDLOCK_ACCESS_FS_WRITE_FILE | \
402 LANDLOCK_ACCESS_FS_READ_FILE)
404 #define ACCESS_LAST LANDLOCK_ACCESS_FS_REFER
406 #define ACCESS_ALL ( \
408 LANDLOCK_ACCESS_FS_READ_DIR | \
409 LANDLOCK_ACCESS_FS_REMOVE_DIR | \
410 LANDLOCK_ACCESS_FS_REMOVE_FILE | \
411 LANDLOCK_ACCESS_FS_MAKE_CHAR | \
412 LANDLOCK_ACCESS_FS_MAKE_DIR | \
413 LANDLOCK_ACCESS_FS_MAKE_REG | \
414 LANDLOCK_ACCESS_FS_MAKE_SOCK | \
415 LANDLOCK_ACCESS_FS_MAKE_FIFO | \
416 LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
417 LANDLOCK_ACCESS_FS_MAKE_SYM | \
420 /* clang-format on */
422 TEST_F_FORK(layout1, file_and_dir_access_rights)
426 struct landlock_path_beneath_attr path_beneath_file = {},
427 path_beneath_dir = {};
428 struct landlock_ruleset_attr ruleset_attr = {
429 .handled_access_fs = ACCESS_ALL,
431 const int ruleset_fd =
432 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
434 ASSERT_LE(0, ruleset_fd);
436 /* Tests access rights for files. */
437 path_beneath_file.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
438 ASSERT_LE(0, path_beneath_file.parent_fd);
440 /* Tests access rights for directories. */
441 path_beneath_dir.parent_fd =
442 open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
443 ASSERT_LE(0, path_beneath_dir.parent_fd);
445 for (access = 1; access <= ACCESS_LAST; access <<= 1) {
446 path_beneath_dir.allowed_access = access;
447 ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
448 LANDLOCK_RULE_PATH_BENEATH,
449 &path_beneath_dir, 0));
451 path_beneath_file.allowed_access = access;
452 err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
453 &path_beneath_file, 0);
454 if (access & ACCESS_FILE) {
458 ASSERT_EQ(EINVAL, errno);
461 ASSERT_EQ(0, close(path_beneath_file.parent_fd));
462 ASSERT_EQ(0, close(path_beneath_dir.parent_fd));
463 ASSERT_EQ(0, close(ruleset_fd));
466 TEST_F_FORK(layout1, unknown_access_rights)
470 for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST;
472 struct landlock_ruleset_attr ruleset_attr = {
473 .handled_access_fs = access_mask,
476 ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr,
477 sizeof(ruleset_attr), 0));
478 ASSERT_EQ(EINVAL, errno);
482 static void add_path_beneath(struct __test_metadata *const _metadata,
483 const int ruleset_fd, const __u64 allowed_access,
484 const char *const path)
486 struct landlock_path_beneath_attr path_beneath = {
487 .allowed_access = allowed_access,
490 path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC);
491 ASSERT_LE(0, path_beneath.parent_fd)
493 TH_LOG("Failed to open directory \"%s\": %s", path,
496 ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
499 TH_LOG("Failed to update the ruleset with \"%s\": %s", path,
502 ASSERT_EQ(0, close(path_beneath.parent_fd));
510 /* clang-format off */
512 #define ACCESS_RO ( \
513 LANDLOCK_ACCESS_FS_READ_FILE | \
514 LANDLOCK_ACCESS_FS_READ_DIR)
516 #define ACCESS_RW ( \
518 LANDLOCK_ACCESS_FS_WRITE_FILE)
520 /* clang-format on */
522 static int create_ruleset(struct __test_metadata *const _metadata,
523 const __u64 handled_access_fs,
524 const struct rule rules[])
527 struct landlock_ruleset_attr ruleset_attr = {
528 .handled_access_fs = handled_access_fs,
531 ASSERT_NE(NULL, rules)
533 TH_LOG("No rule list");
535 ASSERT_NE(NULL, rules[0].path)
537 TH_LOG("Empty rule list");
541 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
542 ASSERT_LE(0, ruleset_fd)
544 TH_LOG("Failed to create a ruleset: %s", strerror(errno));
547 for (i = 0; rules[i].path; i++) {
548 add_path_beneath(_metadata, ruleset_fd, rules[i].access,
554 static void enforce_ruleset(struct __test_metadata *const _metadata,
555 const int ruleset_fd)
557 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
558 ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0))
560 TH_LOG("Failed to enforce ruleset: %s", strerror(errno));
564 TEST_F_FORK(layout1, proc_nsfs)
566 const struct rule rules[] = {
569 .access = LANDLOCK_ACCESS_FS_READ_FILE |
570 LANDLOCK_ACCESS_FS_WRITE_FILE,
574 struct landlock_path_beneath_attr path_beneath;
575 const int ruleset_fd = create_ruleset(
576 _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
579 ASSERT_LE(0, ruleset_fd);
580 ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
582 enforce_ruleset(_metadata, ruleset_fd);
584 ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
585 ASSERT_EQ(EACCES, test_open("/dev", O_RDONLY));
586 ASSERT_EQ(0, test_open("/dev/null", O_RDONLY));
587 ASSERT_EQ(EACCES, test_open("/dev/full", O_RDONLY));
589 ASSERT_EQ(EACCES, test_open("/proc", O_RDONLY));
590 ASSERT_EQ(EACCES, test_open("/proc/self", O_RDONLY));
591 ASSERT_EQ(EACCES, test_open("/proc/self/ns", O_RDONLY));
593 * Because nsfs is an internal filesystem, /proc/self/ns/mnt is a
594 * disconnected path. Such path cannot be identified and must then be
597 ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
600 * Checks that it is not possible to add nsfs-like filesystem
601 * references to a ruleset.
603 path_beneath.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
604 LANDLOCK_ACCESS_FS_WRITE_FILE,
605 path_beneath.parent_fd = open("/proc/self/ns/mnt", O_PATH | O_CLOEXEC);
606 ASSERT_LE(0, path_beneath.parent_fd);
607 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
609 ASSERT_EQ(EBADFD, errno);
610 ASSERT_EQ(0, close(path_beneath.parent_fd));
613 TEST_F_FORK(layout1, unpriv)
615 const struct rule rules[] = {
624 drop_caps(_metadata);
626 ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
627 ASSERT_LE(0, ruleset_fd);
628 ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0));
629 ASSERT_EQ(EPERM, errno);
631 /* enforce_ruleset() calls prctl(no_new_privs). */
632 enforce_ruleset(_metadata, ruleset_fd);
633 ASSERT_EQ(0, close(ruleset_fd));
636 TEST_F_FORK(layout1, effective_access)
638 const struct rule rules[] = {
645 .access = LANDLOCK_ACCESS_FS_READ_FILE |
646 LANDLOCK_ACCESS_FS_WRITE_FILE,
650 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
654 ASSERT_LE(0, ruleset_fd);
655 enforce_ruleset(_metadata, ruleset_fd);
656 ASSERT_EQ(0, close(ruleset_fd));
658 /* Tests on a directory (with or without O_PATH). */
659 ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
660 ASSERT_EQ(0, test_open("/", O_RDONLY | O_PATH));
661 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
662 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_PATH));
663 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
664 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY | O_PATH));
666 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
667 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
668 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
669 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
671 /* Tests on a file (with or without O_PATH). */
672 ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY));
673 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_PATH));
675 ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
677 /* Checks effective read and write actions. */
678 reg_fd = open(file1_s2d2, O_RDWR | O_CLOEXEC);
679 ASSERT_LE(0, reg_fd);
680 ASSERT_EQ(1, write(reg_fd, ".", 1));
681 ASSERT_LE(0, lseek(reg_fd, 0, SEEK_SET));
682 ASSERT_EQ(1, read(reg_fd, &buf, 1));
684 ASSERT_EQ(0, close(reg_fd));
686 /* Just in case, double-checks effective actions. */
687 reg_fd = open(file1_s2d2, O_RDONLY | O_CLOEXEC);
688 ASSERT_LE(0, reg_fd);
689 ASSERT_EQ(-1, write(reg_fd, &buf, 1));
690 ASSERT_EQ(EBADF, errno);
691 ASSERT_EQ(0, close(reg_fd));
694 TEST_F_FORK(layout1, unhandled_access)
696 const struct rule rules[] = {
703 /* Here, we only handle read accesses, not write accesses. */
704 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
706 ASSERT_LE(0, ruleset_fd);
707 enforce_ruleset(_metadata, ruleset_fd);
708 ASSERT_EQ(0, close(ruleset_fd));
711 * Because the policy does not handle LANDLOCK_ACCESS_FS_WRITE_FILE,
712 * opening for write-only should be allowed, but not read-write.
714 ASSERT_EQ(0, test_open(file1_s1d1, O_WRONLY));
715 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
717 ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
718 ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
721 TEST_F_FORK(layout1, ruleset_overlap)
723 const struct rule rules[] = {
724 /* These rules should be ORed among them. */
727 .access = LANDLOCK_ACCESS_FS_READ_FILE |
728 LANDLOCK_ACCESS_FS_WRITE_FILE,
732 .access = LANDLOCK_ACCESS_FS_READ_FILE |
733 LANDLOCK_ACCESS_FS_READ_DIR,
737 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
739 ASSERT_LE(0, ruleset_fd);
740 enforce_ruleset(_metadata, ruleset_fd);
741 ASSERT_EQ(0, close(ruleset_fd));
743 /* Checks s1d1 hierarchy. */
744 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
745 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
746 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
747 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
749 /* Checks s1d2 hierarchy. */
750 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
751 ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
752 ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
753 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
755 /* Checks s1d3 hierarchy. */
756 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
757 ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
758 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
759 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
762 TEST_F_FORK(layout1, layer_rule_unions)
764 const struct rule layer1[] = {
767 .access = LANDLOCK_ACCESS_FS_READ_FILE,
769 /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
772 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
776 const struct rule layer2[] = {
777 /* Doesn't change anything from layer1. */
780 .access = LANDLOCK_ACCESS_FS_READ_FILE |
781 LANDLOCK_ACCESS_FS_WRITE_FILE,
785 const struct rule layer3[] = {
786 /* Only allows write (but not read) to dir_s1d3. */
789 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
793 int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1);
795 ASSERT_LE(0, ruleset_fd);
796 enforce_ruleset(_metadata, ruleset_fd);
797 ASSERT_EQ(0, close(ruleset_fd));
799 /* Checks s1d1 hierarchy with layer1. */
800 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
801 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
802 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
803 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
805 /* Checks s1d2 hierarchy with layer1. */
806 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
807 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
808 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
809 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
811 /* Checks s1d3 hierarchy with layer1. */
812 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
813 ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
814 /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
815 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
816 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
818 /* Doesn't change anything from layer1. */
819 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2);
820 ASSERT_LE(0, ruleset_fd);
821 enforce_ruleset(_metadata, ruleset_fd);
822 ASSERT_EQ(0, close(ruleset_fd));
824 /* Checks s1d1 hierarchy with layer2. */
825 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
826 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
827 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
828 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
830 /* Checks s1d2 hierarchy with layer2. */
831 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
832 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
833 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
834 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
836 /* Checks s1d3 hierarchy with layer2. */
837 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
838 ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
839 /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
840 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
841 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
843 /* Only allows write (but not read) to dir_s1d3. */
844 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3);
845 ASSERT_LE(0, ruleset_fd);
846 enforce_ruleset(_metadata, ruleset_fd);
847 ASSERT_EQ(0, close(ruleset_fd));
849 /* Checks s1d1 hierarchy with layer3. */
850 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
851 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
852 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
853 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
855 /* Checks s1d2 hierarchy with layer3. */
856 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
857 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
858 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
859 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
861 /* Checks s1d3 hierarchy with layer3. */
862 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
863 ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
864 /* dir_s1d3 should now deny READ_FILE and WRITE_FILE (O_RDWR). */
865 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDWR));
866 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
869 TEST_F_FORK(layout1, non_overlapping_accesses)
871 const struct rule layer1[] = {
874 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
878 const struct rule layer2[] = {
881 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
887 ASSERT_EQ(0, unlink(file1_s1d1));
888 ASSERT_EQ(0, unlink(file1_s1d2));
891 create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, layer1);
892 ASSERT_LE(0, ruleset_fd);
893 enforce_ruleset(_metadata, ruleset_fd);
894 ASSERT_EQ(0, close(ruleset_fd));
896 ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
897 ASSERT_EQ(EACCES, errno);
898 ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
899 ASSERT_EQ(0, unlink(file1_s1d2));
901 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REMOVE_FILE,
903 ASSERT_LE(0, ruleset_fd);
904 enforce_ruleset(_metadata, ruleset_fd);
905 ASSERT_EQ(0, close(ruleset_fd));
907 /* Unchanged accesses for file creation. */
908 ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
909 ASSERT_EQ(EACCES, errno);
910 ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
912 /* Checks file removing. */
913 ASSERT_EQ(-1, unlink(file1_s1d2));
914 ASSERT_EQ(EACCES, errno);
915 ASSERT_EQ(0, unlink(file1_s1d3));
918 TEST_F_FORK(layout1, interleaved_masked_accesses)
921 * Checks overly restrictive rules:
922 * layer 1: allows R s1d1/s1d2/s1d3/file1
923 * layer 2: allows RW s1d1/s1d2/s1d3
926 * layer 3: allows R s1d1
927 * layer 4: allows R s1d1/s1d2
929 * layer 5: allows R s1d1/s1d2
930 * layer 6: allows X ----
931 * layer 7: allows W s1d1/s1d2
934 const struct rule layer1_read[] = {
935 /* Allows read access to file1_s1d3 with the first layer. */
938 .access = LANDLOCK_ACCESS_FS_READ_FILE,
942 /* First rule with write restrictions. */
943 const struct rule layer2_read_write[] = {
944 /* Start by granting read-write access via its parent directory... */
947 .access = LANDLOCK_ACCESS_FS_READ_FILE |
948 LANDLOCK_ACCESS_FS_WRITE_FILE,
950 /* ...but also denies read access via its grandparent directory. */
953 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
957 const struct rule layer3_read[] = {
958 /* Allows read access via its great-grandparent directory. */
961 .access = LANDLOCK_ACCESS_FS_READ_FILE,
965 const struct rule layer4_read_write[] = {
967 * Try to confuse the deny access by denying write (but not
968 * read) access via its grandparent directory.
972 .access = LANDLOCK_ACCESS_FS_READ_FILE,
976 const struct rule layer5_read[] = {
978 * Try to override layer2's deny read access by explicitly
979 * allowing read access via file1_s1d3's grandparent.
983 .access = LANDLOCK_ACCESS_FS_READ_FILE,
987 const struct rule layer6_execute[] = {
989 * Restricts an unrelated file hierarchy with a new access
990 * (non-overlapping) type.
994 .access = LANDLOCK_ACCESS_FS_EXECUTE,
998 const struct rule layer7_read_write[] = {
1000 * Finally, denies read access to file1_s1d3 via its
1005 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1011 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1013 ASSERT_LE(0, ruleset_fd);
1014 enforce_ruleset(_metadata, ruleset_fd);
1015 ASSERT_EQ(0, close(ruleset_fd));
1017 /* Checks that read access is granted for file1_s1d3 with layer 1. */
1018 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1019 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1020 ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1022 ruleset_fd = create_ruleset(_metadata,
1023 LANDLOCK_ACCESS_FS_READ_FILE |
1024 LANDLOCK_ACCESS_FS_WRITE_FILE,
1026 ASSERT_LE(0, ruleset_fd);
1027 enforce_ruleset(_metadata, ruleset_fd);
1028 ASSERT_EQ(0, close(ruleset_fd));
1030 /* Checks that previous access rights are unchanged with layer 2. */
1031 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1032 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1033 ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1035 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1037 ASSERT_LE(0, ruleset_fd);
1038 enforce_ruleset(_metadata, ruleset_fd);
1039 ASSERT_EQ(0, close(ruleset_fd));
1041 /* Checks that previous access rights are unchanged with layer 3. */
1042 ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
1043 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1044 ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
1046 /* This time, denies write access for the file hierarchy. */
1047 ruleset_fd = create_ruleset(_metadata,
1048 LANDLOCK_ACCESS_FS_READ_FILE |
1049 LANDLOCK_ACCESS_FS_WRITE_FILE,
1051 ASSERT_LE(0, ruleset_fd);
1052 enforce_ruleset(_metadata, ruleset_fd);
1053 ASSERT_EQ(0, close(ruleset_fd));
1056 * Checks that the only change with layer 4 is that write access is
1059 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1060 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1061 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1062 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1064 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
1066 ASSERT_LE(0, ruleset_fd);
1067 enforce_ruleset(_metadata, ruleset_fd);
1068 ASSERT_EQ(0, close(ruleset_fd));
1070 /* Checks that previous access rights are unchanged with layer 5. */
1071 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1072 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1073 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1074 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1076 ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_EXECUTE,
1078 ASSERT_LE(0, ruleset_fd);
1079 enforce_ruleset(_metadata, ruleset_fd);
1080 ASSERT_EQ(0, close(ruleset_fd));
1082 /* Checks that previous access rights are unchanged with layer 6. */
1083 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1084 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1085 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1086 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1088 ruleset_fd = create_ruleset(_metadata,
1089 LANDLOCK_ACCESS_FS_READ_FILE |
1090 LANDLOCK_ACCESS_FS_WRITE_FILE,
1092 ASSERT_LE(0, ruleset_fd);
1093 enforce_ruleset(_metadata, ruleset_fd);
1094 ASSERT_EQ(0, close(ruleset_fd));
1096 /* Checks read access is now denied with layer 7. */
1097 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
1098 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1099 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
1100 ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
1103 TEST_F_FORK(layout1, inherit_subset)
1105 const struct rule rules[] = {
1108 .access = LANDLOCK_ACCESS_FS_READ_FILE |
1109 LANDLOCK_ACCESS_FS_READ_DIR,
1113 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1115 ASSERT_LE(0, ruleset_fd);
1116 enforce_ruleset(_metadata, ruleset_fd);
1118 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1119 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1121 /* Write access is forbidden. */
1122 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1123 /* Readdir access is allowed. */
1124 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1126 /* Write access is forbidden. */
1127 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1128 /* Readdir access is allowed. */
1129 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1132 * Tests shared rule extension: the following rules should not grant
1133 * any new access, only remove some. Once enforced, these rules are
1134 * ANDed with the previous ones.
1136 add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
1139 * According to ruleset_fd, dir_s1d2 should now have the
1140 * LANDLOCK_ACCESS_FS_READ_FILE and LANDLOCK_ACCESS_FS_WRITE_FILE
1141 * access rights (even if this directory is opened a second time).
1142 * However, when enforcing this updated ruleset, the ruleset tied to
1143 * the current process (i.e. its domain) will still only have the
1144 * dir_s1d2 with LANDLOCK_ACCESS_FS_READ_FILE and
1145 * LANDLOCK_ACCESS_FS_READ_DIR accesses, but
1146 * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would
1147 * be a privilege escalation.
1149 enforce_ruleset(_metadata, ruleset_fd);
1151 /* Same tests and results as above. */
1152 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1153 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1155 /* It is still forbidden to write in file1_s1d2. */
1156 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1157 /* Readdir access is still allowed. */
1158 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1160 /* It is still forbidden to write in file1_s1d3. */
1161 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1162 /* Readdir access is still allowed. */
1163 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1166 * Try to get more privileges by adding new access rights to the parent
1167 * directory: dir_s1d1.
1169 add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1);
1170 enforce_ruleset(_metadata, ruleset_fd);
1172 /* Same tests and results as above. */
1173 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1174 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1176 /* It is still forbidden to write in file1_s1d2. */
1177 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1178 /* Readdir access is still allowed. */
1179 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1181 /* It is still forbidden to write in file1_s1d3. */
1182 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1183 /* Readdir access is still allowed. */
1184 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1187 * Now, dir_s1d3 get a new rule tied to it, only allowing
1188 * LANDLOCK_ACCESS_FS_WRITE_FILE. The (kernel internal) difference is
1189 * that there was no rule tied to it before.
1191 add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
1193 enforce_ruleset(_metadata, ruleset_fd);
1194 ASSERT_EQ(0, close(ruleset_fd));
1197 * Same tests and results as above, except for open(dir_s1d3) which is
1198 * now denied because the new rule mask the rule previously inherited
1202 /* Same tests and results as above. */
1203 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
1204 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
1206 /* It is still forbidden to write in file1_s1d2. */
1207 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
1208 /* Readdir access is still allowed. */
1209 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1211 /* It is still forbidden to write in file1_s1d3. */
1212 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
1214 * Readdir of dir_s1d3 is still allowed because of the OR policy inside
1217 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1220 TEST_F_FORK(layout1, inherit_superset)
1222 const struct rule rules[] = {
1225 .access = ACCESS_RO,
1229 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1231 ASSERT_LE(0, ruleset_fd);
1232 enforce_ruleset(_metadata, ruleset_fd);
1234 /* Readdir access is denied for dir_s1d2. */
1235 ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1236 /* Readdir access is allowed for dir_s1d3. */
1237 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1238 /* File access is allowed for file1_s1d3. */
1239 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1241 /* Now dir_s1d2, parent of dir_s1d3, gets a new rule tied to it. */
1242 add_path_beneath(_metadata, ruleset_fd,
1243 LANDLOCK_ACCESS_FS_READ_FILE |
1244 LANDLOCK_ACCESS_FS_READ_DIR,
1246 enforce_ruleset(_metadata, ruleset_fd);
1247 ASSERT_EQ(0, close(ruleset_fd));
1249 /* Readdir access is still denied for dir_s1d2. */
1250 ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
1251 /* Readdir access is still allowed for dir_s1d3. */
1252 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
1253 /* File access is still allowed for file1_s1d3. */
1254 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1257 TEST_F_FORK(layout1, max_layers)
1260 const struct rule rules[] = {
1263 .access = ACCESS_RO,
1267 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1269 ASSERT_LE(0, ruleset_fd);
1270 for (i = 0; i < 16; i++)
1271 enforce_ruleset(_metadata, ruleset_fd);
1273 for (i = 0; i < 2; i++) {
1274 err = landlock_restrict_self(ruleset_fd, 0);
1276 ASSERT_EQ(E2BIG, errno);
1278 ASSERT_EQ(0, close(ruleset_fd));
1281 TEST_F_FORK(layout1, empty_or_same_ruleset)
1283 struct landlock_ruleset_attr ruleset_attr = {};
1286 /* Tests empty handled_access_fs. */
1288 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1289 ASSERT_LE(-1, ruleset_fd);
1290 ASSERT_EQ(ENOMSG, errno);
1292 /* Enforces policy which deny read access to all files. */
1293 ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE;
1295 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1296 ASSERT_LE(0, ruleset_fd);
1297 enforce_ruleset(_metadata, ruleset_fd);
1298 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1299 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1301 /* Nests a policy which deny read access to all directories. */
1302 ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR;
1304 landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
1305 ASSERT_LE(0, ruleset_fd);
1306 enforce_ruleset(_metadata, ruleset_fd);
1307 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
1308 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1310 /* Enforces a second time with the same ruleset. */
1311 enforce_ruleset(_metadata, ruleset_fd);
1312 ASSERT_EQ(0, close(ruleset_fd));
1315 TEST_F_FORK(layout1, rule_on_mountpoint)
1317 const struct rule rules[] = {
1320 .access = ACCESS_RO,
1323 /* dir_s3d2 is a mount point. */
1325 .access = ACCESS_RO,
1329 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1331 ASSERT_LE(0, ruleset_fd);
1332 enforce_ruleset(_metadata, ruleset_fd);
1333 ASSERT_EQ(0, close(ruleset_fd));
1335 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1337 ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
1339 ASSERT_EQ(EACCES, test_open(dir_s3d1, O_RDONLY));
1340 ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
1341 ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
1344 TEST_F_FORK(layout1, rule_over_mountpoint)
1346 const struct rule rules[] = {
1349 .access = ACCESS_RO,
1352 /* dir_s3d2 is a mount point. */
1354 .access = ACCESS_RO,
1358 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1360 ASSERT_LE(0, ruleset_fd);
1361 enforce_ruleset(_metadata, ruleset_fd);
1362 ASSERT_EQ(0, close(ruleset_fd));
1364 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1366 ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
1368 ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
1369 ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
1370 ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
1374 * This test verifies that we can apply a landlock rule on the root directory
1375 * (which might require special handling).
1377 TEST_F_FORK(layout1, rule_over_root_allow_then_deny)
1379 struct rule rules[] = {
1382 .access = ACCESS_RO,
1386 int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1388 ASSERT_LE(0, ruleset_fd);
1389 enforce_ruleset(_metadata, ruleset_fd);
1390 ASSERT_EQ(0, close(ruleset_fd));
1392 /* Checks allowed access. */
1393 ASSERT_EQ(0, test_open("/", O_RDONLY));
1394 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1396 rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE;
1397 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1398 ASSERT_LE(0, ruleset_fd);
1399 enforce_ruleset(_metadata, ruleset_fd);
1400 ASSERT_EQ(0, close(ruleset_fd));
1402 /* Checks denied access (on a directory). */
1403 ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1404 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1407 TEST_F_FORK(layout1, rule_over_root_deny)
1409 const struct rule rules[] = {
1412 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1416 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1418 ASSERT_LE(0, ruleset_fd);
1419 enforce_ruleset(_metadata, ruleset_fd);
1420 ASSERT_EQ(0, close(ruleset_fd));
1422 /* Checks denied access (on a directory). */
1423 ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1424 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
1427 TEST_F_FORK(layout1, rule_inside_mount_ns)
1429 const struct rule rules[] = {
1432 .access = ACCESS_RO,
1438 set_cap(_metadata, CAP_SYS_ADMIN);
1439 ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3))
1441 TH_LOG("Failed to pivot root: %s", strerror(errno));
1443 ASSERT_EQ(0, chdir("/"));
1444 clear_cap(_metadata, CAP_SYS_ADMIN);
1446 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1447 ASSERT_LE(0, ruleset_fd);
1448 enforce_ruleset(_metadata, ruleset_fd);
1449 ASSERT_EQ(0, close(ruleset_fd));
1451 ASSERT_EQ(0, test_open("s3d3", O_RDONLY));
1452 ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
1455 TEST_F_FORK(layout1, mount_and_pivot)
1457 const struct rule rules[] = {
1460 .access = ACCESS_RO,
1464 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1466 ASSERT_LE(0, ruleset_fd);
1467 enforce_ruleset(_metadata, ruleset_fd);
1468 ASSERT_EQ(0, close(ruleset_fd));
1470 set_cap(_metadata, CAP_SYS_ADMIN);
1471 ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL));
1472 ASSERT_EQ(EPERM, errno);
1473 ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
1474 ASSERT_EQ(EPERM, errno);
1475 clear_cap(_metadata, CAP_SYS_ADMIN);
1478 TEST_F_FORK(layout1, move_mount)
1480 const struct rule rules[] = {
1483 .access = ACCESS_RO,
1487 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1489 ASSERT_LE(0, ruleset_fd);
1491 set_cap(_metadata, CAP_SYS_ADMIN);
1492 ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
1495 TH_LOG("Failed to move mount: %s", strerror(errno));
1498 ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD,
1500 clear_cap(_metadata, CAP_SYS_ADMIN);
1502 enforce_ruleset(_metadata, ruleset_fd);
1503 ASSERT_EQ(0, close(ruleset_fd));
1505 set_cap(_metadata, CAP_SYS_ADMIN);
1506 ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
1508 ASSERT_EQ(EPERM, errno);
1509 clear_cap(_metadata, CAP_SYS_ADMIN);
1512 TEST_F_FORK(layout1, release_inodes)
1514 const struct rule rules[] = {
1517 .access = ACCESS_RO,
1521 .access = ACCESS_RO,
1525 .access = ACCESS_RO,
1529 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
1531 ASSERT_LE(0, ruleset_fd);
1532 /* Unmount a file hierarchy while it is being used by a ruleset. */
1533 set_cap(_metadata, CAP_SYS_ADMIN);
1534 ASSERT_EQ(0, umount(dir_s3d2));
1535 clear_cap(_metadata, CAP_SYS_ADMIN);
1537 enforce_ruleset(_metadata, ruleset_fd);
1538 ASSERT_EQ(0, close(ruleset_fd));
1540 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
1541 ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY));
1542 /* This dir_s3d3 would not be allowed and does not exist anyway. */
1543 ASSERT_EQ(ENOENT, test_open(dir_s3d3, O_RDONLY));
1546 enum relative_access {
1553 static void test_relative_path(struct __test_metadata *const _metadata,
1554 const enum relative_access rel)
1557 * Common layer to check that chroot doesn't ignore it (i.e. a chroot
1558 * is not a disconnected root directory).
1560 const struct rule layer1_base[] = {
1563 .access = ACCESS_RO,
1567 const struct rule layer2_subs[] = {
1570 .access = ACCESS_RO,
1574 .access = ACCESS_RO,
1578 int dirfd, ruleset_fd;
1580 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
1581 ASSERT_LE(0, ruleset_fd);
1582 enforce_ruleset(_metadata, ruleset_fd);
1583 ASSERT_EQ(0, close(ruleset_fd));
1585 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_subs);
1587 ASSERT_LE(0, ruleset_fd);
1592 case REL_CHROOT_ONLY:
1593 ASSERT_EQ(0, chdir(dir_s2d2));
1595 case REL_CHROOT_CHDIR:
1596 ASSERT_EQ(0, chdir(dir_s1d2));
1603 set_cap(_metadata, CAP_SYS_CHROOT);
1604 enforce_ruleset(_metadata, ruleset_fd);
1608 dirfd = open(dir_s1d2, O_DIRECTORY);
1609 ASSERT_LE(0, dirfd);
1612 ASSERT_EQ(0, chdir(dir_s1d2));
1615 case REL_CHROOT_ONLY:
1616 /* Do chroot into dir_s1d2 (relative to dir_s2d2). */
1617 ASSERT_EQ(0, chroot("../../s1d1/s1d2"))
1619 TH_LOG("Failed to chroot: %s", strerror(errno));
1623 case REL_CHROOT_CHDIR:
1624 /* Do chroot into dir_s1d2. */
1625 ASSERT_EQ(0, chroot("."))
1627 TH_LOG("Failed to chroot: %s", strerror(errno));
1633 ASSERT_EQ((rel == REL_CHROOT_CHDIR) ? 0 : EACCES,
1634 test_open_rel(dirfd, "..", O_RDONLY));
1635 ASSERT_EQ(0, test_open_rel(dirfd, ".", O_RDONLY));
1637 if (rel == REL_CHROOT_ONLY) {
1638 /* The current directory is dir_s2d2. */
1639 ASSERT_EQ(0, test_open_rel(dirfd, "./s2d3", O_RDONLY));
1641 /* The current directory is dir_s1d2. */
1642 ASSERT_EQ(0, test_open_rel(dirfd, "./s1d3", O_RDONLY));
1645 if (rel == REL_CHROOT_ONLY || rel == REL_CHROOT_CHDIR) {
1646 /* Checks the root dir_s1d2. */
1647 ASSERT_EQ(0, test_open_rel(dirfd, "/..", O_RDONLY));
1648 ASSERT_EQ(0, test_open_rel(dirfd, "/", O_RDONLY));
1649 ASSERT_EQ(0, test_open_rel(dirfd, "/f1", O_RDONLY));
1650 ASSERT_EQ(0, test_open_rel(dirfd, "/s1d3", O_RDONLY));
1653 if (rel != REL_CHROOT_CHDIR) {
1654 ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s1d1", O_RDONLY));
1655 ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2", O_RDONLY));
1656 ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2/s1d3",
1659 ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s2d1", O_RDONLY));
1660 ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2", O_RDONLY));
1661 ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2/s2d3",
1665 if (rel == REL_OPEN)
1666 ASSERT_EQ(0, close(dirfd));
1667 ASSERT_EQ(0, close(ruleset_fd));
1670 TEST_F_FORK(layout1, relative_open)
1672 test_relative_path(_metadata, REL_OPEN);
1675 TEST_F_FORK(layout1, relative_chdir)
1677 test_relative_path(_metadata, REL_CHDIR);
1680 TEST_F_FORK(layout1, relative_chroot_only)
1682 test_relative_path(_metadata, REL_CHROOT_ONLY);
1685 TEST_F_FORK(layout1, relative_chroot_chdir)
1687 test_relative_path(_metadata, REL_CHROOT_CHDIR);
1690 static void copy_binary(struct __test_metadata *const _metadata,
1691 const char *const dst_path)
1694 struct stat statbuf;
1696 dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC);
1697 ASSERT_LE(0, dst_fd)
1699 TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(errno));
1701 src_fd = open(BINARY_PATH, O_RDONLY | O_CLOEXEC);
1702 ASSERT_LE(0, src_fd)
1704 TH_LOG("Failed to open \"" BINARY_PATH "\": %s",
1707 ASSERT_EQ(0, fstat(src_fd, &statbuf));
1708 ASSERT_EQ(statbuf.st_size,
1709 sendfile(dst_fd, src_fd, 0, statbuf.st_size));
1710 ASSERT_EQ(0, close(src_fd));
1711 ASSERT_EQ(0, close(dst_fd));
1714 static void test_execute(struct __test_metadata *const _metadata, const int err,
1715 const char *const path)
1718 char *const argv[] = { (char *)path, NULL };
1719 const pid_t child = fork();
1721 ASSERT_LE(0, child);
1723 ASSERT_EQ(err ? -1 : 0, execve(path, argv, NULL))
1725 TH_LOG("Failed to execute \"%s\": %s", path,
1728 ASSERT_EQ(err, errno);
1729 _exit(_metadata->passed ? 2 : 1);
1732 ASSERT_EQ(child, waitpid(child, &status, 0));
1733 ASSERT_EQ(1, WIFEXITED(status));
1734 ASSERT_EQ(err ? 2 : 0, WEXITSTATUS(status))
1736 TH_LOG("Unexpected return code for \"%s\": %s", path,
1741 TEST_F_FORK(layout1, execute)
1743 const struct rule rules[] = {
1746 .access = LANDLOCK_ACCESS_FS_EXECUTE,
1750 const int ruleset_fd =
1751 create_ruleset(_metadata, rules[0].access, rules);
1753 ASSERT_LE(0, ruleset_fd);
1754 copy_binary(_metadata, file1_s1d1);
1755 copy_binary(_metadata, file1_s1d2);
1756 copy_binary(_metadata, file1_s1d3);
1758 enforce_ruleset(_metadata, ruleset_fd);
1759 ASSERT_EQ(0, close(ruleset_fd));
1761 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
1762 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
1763 test_execute(_metadata, EACCES, file1_s1d1);
1765 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
1766 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
1767 test_execute(_metadata, 0, file1_s1d2);
1769 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
1770 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
1771 test_execute(_metadata, 0, file1_s1d3);
1774 TEST_F_FORK(layout1, link)
1776 const struct rule layer1[] = {
1779 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
1783 const struct rule layer2[] = {
1786 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1790 int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
1792 ASSERT_LE(0, ruleset_fd);
1794 ASSERT_EQ(0, unlink(file1_s1d1));
1795 ASSERT_EQ(0, unlink(file1_s1d2));
1796 ASSERT_EQ(0, unlink(file1_s1d3));
1798 enforce_ruleset(_metadata, ruleset_fd);
1799 ASSERT_EQ(0, close(ruleset_fd));
1801 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
1802 ASSERT_EQ(EACCES, errno);
1804 /* Denies linking because of reparenting. */
1805 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
1806 ASSERT_EQ(EXDEV, errno);
1807 ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
1808 ASSERT_EQ(EXDEV, errno);
1809 ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
1810 ASSERT_EQ(EXDEV, errno);
1812 ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
1813 ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
1815 /* Prepares for next unlinks. */
1816 ASSERT_EQ(0, unlink(file2_s1d2));
1817 ASSERT_EQ(0, unlink(file2_s1d3));
1819 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
1820 ASSERT_LE(0, ruleset_fd);
1821 enforce_ruleset(_metadata, ruleset_fd);
1822 ASSERT_EQ(0, close(ruleset_fd));
1824 /* Checks that linkind doesn't require the ability to delete a file. */
1825 ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
1826 ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
1829 TEST_F_FORK(layout1, rename_file)
1831 const struct rule rules[] = {
1834 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1838 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1842 const int ruleset_fd =
1843 create_ruleset(_metadata, rules[0].access, rules);
1845 ASSERT_LE(0, ruleset_fd);
1847 ASSERT_EQ(0, unlink(file1_s1d2));
1849 enforce_ruleset(_metadata, ruleset_fd);
1850 ASSERT_EQ(0, close(ruleset_fd));
1853 * Tries to replace a file, from a directory that allows file removal,
1854 * but to a different directory (which also allows file removal).
1856 ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3));
1857 ASSERT_EQ(EXDEV, errno);
1858 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d3,
1860 ASSERT_EQ(EXDEV, errno);
1861 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
1863 ASSERT_EQ(EXDEV, errno);
1866 * Tries to replace a file, from a directory that denies file removal,
1867 * to a different directory (which allows file removal).
1869 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
1870 ASSERT_EQ(EXDEV, errno);
1871 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3,
1873 ASSERT_EQ(EXDEV, errno);
1874 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3,
1876 ASSERT_EQ(EXDEV, errno);
1878 /* Exchanges files and directories that partially allow removal. */
1879 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1,
1881 ASSERT_EQ(EACCES, errno);
1882 /* Checks that file1_s2d1 cannot be removed (instead of ENOTDIR). */
1883 ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1));
1884 ASSERT_EQ(EACCES, errno);
1885 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2,
1887 ASSERT_EQ(EACCES, errno);
1888 /* Checks that file1_s1d1 cannot be removed (instead of EISDIR). */
1889 ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
1890 ASSERT_EQ(EACCES, errno);
1892 /* Renames files with different parents. */
1893 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
1894 ASSERT_EQ(EXDEV, errno);
1895 ASSERT_EQ(0, unlink(file1_s1d3));
1896 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
1897 ASSERT_EQ(EXDEV, errno);
1899 /* Exchanges and renames files with same parent. */
1900 ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3,
1902 ASSERT_EQ(0, rename(file2_s2d3, file1_s2d3));
1904 /* Exchanges files and directories with same parent, twice. */
1905 ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
1907 ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
1911 TEST_F_FORK(layout1, rename_dir)
1913 const struct rule rules[] = {
1916 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
1920 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
1924 const int ruleset_fd =
1925 create_ruleset(_metadata, rules[0].access, rules);
1927 ASSERT_LE(0, ruleset_fd);
1929 /* Empties dir_s1d3 to allow renaming. */
1930 ASSERT_EQ(0, unlink(file1_s1d3));
1931 ASSERT_EQ(0, unlink(file2_s1d3));
1933 enforce_ruleset(_metadata, ruleset_fd);
1934 ASSERT_EQ(0, close(ruleset_fd));
1936 /* Exchanges and renames directory to a different parent. */
1937 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
1939 ASSERT_EQ(EXDEV, errno);
1940 ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3));
1941 ASSERT_EQ(EXDEV, errno);
1942 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
1944 ASSERT_EQ(EXDEV, errno);
1947 * Exchanges directory to the same parent, which doesn't allow
1948 * directory removal.
1950 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1,
1952 ASSERT_EQ(EACCES, errno);
1953 /* Checks that dir_s1d2 cannot be removed (instead of ENOTDIR). */
1954 ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1));
1955 ASSERT_EQ(EACCES, errno);
1956 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2,
1958 ASSERT_EQ(EACCES, errno);
1959 /* Checks that dir_s1d2 cannot be removed (instead of EISDIR). */
1960 ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
1961 ASSERT_EQ(EACCES, errno);
1964 * Exchanges and renames directory to the same parent, which allows
1965 * directory removal.
1967 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s1d2,
1969 ASSERT_EQ(0, unlink(dir_s1d3));
1970 ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
1971 ASSERT_EQ(0, rename(file1_s1d2, dir_s1d3));
1972 ASSERT_EQ(0, rmdir(dir_s1d3));
1975 TEST_F_FORK(layout1, reparent_refer)
1977 const struct rule layer1[] = {
1980 .access = LANDLOCK_ACCESS_FS_REFER,
1984 .access = LANDLOCK_ACCESS_FS_REFER,
1989 create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1);
1991 ASSERT_LE(0, ruleset_fd);
1992 enforce_ruleset(_metadata, ruleset_fd);
1993 ASSERT_EQ(0, close(ruleset_fd));
1995 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d1));
1996 ASSERT_EQ(EXDEV, errno);
1997 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d2));
1998 ASSERT_EQ(EXDEV, errno);
1999 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3));
2000 ASSERT_EQ(EXDEV, errno);
2002 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d1));
2003 ASSERT_EQ(EXDEV, errno);
2004 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d2));
2005 ASSERT_EQ(EXDEV, errno);
2007 * Moving should only be allowed when the source and the destination
2008 * parent directory have REFER.
2010 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d3));
2011 ASSERT_EQ(ENOTEMPTY, errno);
2012 ASSERT_EQ(0, unlink(file1_s2d3));
2013 ASSERT_EQ(0, unlink(file2_s2d3));
2014 ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3));
2017 TEST_F_FORK(layout1, reparent_link)
2019 const struct rule layer1[] = {
2022 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2026 .access = LANDLOCK_ACCESS_FS_REFER,
2030 .access = LANDLOCK_ACCESS_FS_REFER,
2034 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2038 const int ruleset_fd = create_ruleset(
2040 LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2042 ASSERT_LE(0, ruleset_fd);
2043 enforce_ruleset(_metadata, ruleset_fd);
2044 ASSERT_EQ(0, close(ruleset_fd));
2046 ASSERT_EQ(0, unlink(file1_s1d1));
2047 ASSERT_EQ(0, unlink(file1_s1d2));
2048 ASSERT_EQ(0, unlink(file1_s1d3));
2050 /* Denies linking because of missing MAKE_REG. */
2051 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
2052 ASSERT_EQ(EACCES, errno);
2053 /* Denies linking because of missing source and destination REFER. */
2054 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
2055 ASSERT_EQ(EXDEV, errno);
2056 /* Denies linking because of missing source REFER. */
2057 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d3));
2058 ASSERT_EQ(EXDEV, errno);
2060 /* Denies linking because of missing MAKE_REG. */
2061 ASSERT_EQ(-1, link(file1_s2d2, file1_s1d1));
2062 ASSERT_EQ(EACCES, errno);
2063 /* Denies linking because of missing destination REFER. */
2064 ASSERT_EQ(-1, link(file1_s2d2, file1_s1d2));
2065 ASSERT_EQ(EXDEV, errno);
2067 /* Allows linking because of REFER and MAKE_REG. */
2068 ASSERT_EQ(0, link(file1_s2d2, file1_s1d3));
2069 ASSERT_EQ(0, unlink(file1_s2d2));
2070 /* Reverse linking denied because of missing MAKE_REG. */
2071 ASSERT_EQ(-1, link(file1_s1d3, file1_s2d2));
2072 ASSERT_EQ(EACCES, errno);
2073 ASSERT_EQ(0, unlink(file1_s2d3));
2074 /* Checks reverse linking. */
2075 ASSERT_EQ(0, link(file1_s1d3, file1_s2d3));
2076 ASSERT_EQ(0, unlink(file1_s1d3));
2079 * This is OK for a file link, but it should not be allowed for a
2080 * directory rename (because of the superset of access rights.
2082 ASSERT_EQ(0, link(file1_s2d3, file1_s1d3));
2083 ASSERT_EQ(0, unlink(file1_s1d3));
2085 ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
2086 ASSERT_EQ(EXDEV, errno);
2087 ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
2088 ASSERT_EQ(EXDEV, errno);
2090 ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
2091 ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
2094 TEST_F_FORK(layout1, reparent_rename)
2096 /* Same rules as for reparent_link. */
2097 const struct rule layer1[] = {
2100 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2104 .access = LANDLOCK_ACCESS_FS_REFER,
2108 .access = LANDLOCK_ACCESS_FS_REFER,
2112 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2116 const int ruleset_fd = create_ruleset(
2118 LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2120 ASSERT_LE(0, ruleset_fd);
2121 enforce_ruleset(_metadata, ruleset_fd);
2122 ASSERT_EQ(0, close(ruleset_fd));
2124 ASSERT_EQ(0, unlink(file1_s1d2));
2125 ASSERT_EQ(0, unlink(file1_s1d3));
2127 /* Denies renaming because of missing MAKE_REG. */
2128 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s1d1,
2130 ASSERT_EQ(EACCES, errno);
2131 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file2_s1d1,
2133 ASSERT_EQ(EACCES, errno);
2134 ASSERT_EQ(0, unlink(file1_s1d1));
2135 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
2136 ASSERT_EQ(EACCES, errno);
2137 /* Even denies same file exchange. */
2138 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file2_s1d1,
2140 ASSERT_EQ(EACCES, errno);
2142 /* Denies renaming because of missing source and destination REFER. */
2143 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d2));
2144 ASSERT_EQ(EXDEV, errno);
2146 * Denies renaming because of missing MAKE_REG, source and destination
2149 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d1,
2151 ASSERT_EQ(EACCES, errno);
2152 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s2d1,
2154 ASSERT_EQ(EACCES, errno);
2156 /* Denies renaming because of missing source REFER. */
2157 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
2158 ASSERT_EQ(EXDEV, errno);
2159 /* Denies renaming because of missing MAKE_REG. */
2160 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d3,
2162 ASSERT_EQ(EACCES, errno);
2164 /* Denies renaming because of missing MAKE_REG. */
2165 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d1));
2166 ASSERT_EQ(EACCES, errno);
2167 /* Denies renaming because of missing destination REFER*/
2168 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
2169 ASSERT_EQ(EXDEV, errno);
2171 /* Denies exchange because of one missing MAKE_REG. */
2172 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, file2_s1d3,
2174 ASSERT_EQ(EACCES, errno);
2175 /* Allows renaming because of REFER and MAKE_REG. */
2176 ASSERT_EQ(0, rename(file1_s2d2, file1_s1d3));
2178 /* Reverse renaming denied because of missing MAKE_REG. */
2179 ASSERT_EQ(-1, rename(file1_s1d3, file1_s2d2));
2180 ASSERT_EQ(EACCES, errno);
2181 ASSERT_EQ(0, unlink(file1_s2d3));
2182 ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2184 /* Tests reverse renaming. */
2185 ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
2186 ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s1d3,
2188 ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2191 * This is OK for a file rename, but it should not be allowed for a
2192 * directory rename (because of the superset of access rights).
2194 ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
2195 ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2198 * Tests superset restrictions applied to directories. Not only the
2199 * dir_s2d3's parent (dir_s2d2) should be taken into account but also
2200 * access rights tied to dir_s2d3. dir_s2d2 is missing one access right
2201 * compared to dir_s1d3/file1_s1d3 (MAKE_REG) but it is provided
2202 * directly by the moved dir_s2d3.
2204 ASSERT_EQ(0, rename(dir_s2d3, file1_s1d3));
2205 ASSERT_EQ(0, rename(file1_s1d3, dir_s2d3));
2207 * The first rename is allowed but not the exchange because dir_s1d3's
2208 * parent (dir_s1d2) doesn't have REFER.
2210 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
2212 ASSERT_EQ(EXDEV, errno);
2213 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s2d3,
2215 ASSERT_EQ(EXDEV, errno);
2216 ASSERT_EQ(-1, rename(file1_s2d3, dir_s1d3));
2217 ASSERT_EQ(EXDEV, errno);
2219 ASSERT_EQ(-1, rename(file2_s1d2, file1_s1d3));
2220 ASSERT_EQ(EXDEV, errno);
2221 ASSERT_EQ(-1, rename(file2_s1d3, file1_s1d2));
2222 ASSERT_EQ(EXDEV, errno);
2224 /* Renaming in the same directory is always allowed. */
2225 ASSERT_EQ(0, rename(file2_s1d2, file1_s1d2));
2226 ASSERT_EQ(0, rename(file2_s1d3, file1_s1d3));
2228 ASSERT_EQ(0, unlink(file1_s1d2));
2229 /* Denies because of missing source MAKE_REG and destination REFER. */
2230 ASSERT_EQ(-1, rename(dir_s2d3, file1_s1d2));
2231 ASSERT_EQ(EXDEV, errno);
2233 ASSERT_EQ(0, unlink(file1_s1d3));
2234 /* Denies because of missing source MAKE_REG and REFER. */
2235 ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d3));
2236 ASSERT_EQ(EXDEV, errno);
2240 reparent_exdev_layers_enforce1(struct __test_metadata *const _metadata)
2242 const struct rule layer1[] = {
2245 .access = LANDLOCK_ACCESS_FS_REFER,
2248 /* Interesting for the layer2 tests. */
2250 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2254 .access = LANDLOCK_ACCESS_FS_REFER,
2258 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2262 const int ruleset_fd = create_ruleset(
2264 LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
2266 ASSERT_LE(0, ruleset_fd);
2267 enforce_ruleset(_metadata, ruleset_fd);
2268 ASSERT_EQ(0, close(ruleset_fd));
2272 reparent_exdev_layers_enforce2(struct __test_metadata *const _metadata)
2274 const struct rule layer2[] = {
2277 .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
2282 * Same checks as before but with a second layer and a new MAKE_DIR
2283 * rule (and no explicit handling of REFER).
2285 const int ruleset_fd =
2286 create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_DIR, layer2);
2288 ASSERT_LE(0, ruleset_fd);
2289 enforce_ruleset(_metadata, ruleset_fd);
2290 ASSERT_EQ(0, close(ruleset_fd));
2293 TEST_F_FORK(layout1, reparent_exdev_layers_rename1)
2295 ASSERT_EQ(0, unlink(file1_s2d2));
2296 ASSERT_EQ(0, unlink(file1_s2d3));
2298 reparent_exdev_layers_enforce1(_metadata);
2301 * Moving the dir_s1d3 directory below dir_s2d2 is allowed by Landlock
2302 * because it doesn't inherit new access rights.
2304 ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
2305 ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
2308 * Moving the dir_s1d3 directory below dir_s2d3 is allowed, even if it
2309 * gets a new inherited access rights (MAKE_REG), because MAKE_REG is
2310 * already allowed for dir_s1d3.
2312 ASSERT_EQ(0, rename(dir_s1d3, file1_s2d3));
2313 ASSERT_EQ(0, rename(file1_s2d3, dir_s1d3));
2316 * However, moving the file1_s1d3 file below dir_s2d3 is allowed
2317 * because it cannot inherit MAKE_REG right (which is dedicated to
2320 ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
2322 reparent_exdev_layers_enforce2(_metadata);
2325 * Moving the dir_s1d3 directory below dir_s2d2 is now denied because
2326 * MAKE_DIR is not tied to dir_s2d2.
2328 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d2));
2329 ASSERT_EQ(EACCES, errno);
2332 * Moving the dir_s1d3 directory below dir_s2d3 is forbidden because it
2333 * would grants MAKE_REG and MAKE_DIR rights to it.
2335 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
2336 ASSERT_EQ(EXDEV, errno);
2339 * However, moving the file2_s1d3 file below dir_s2d3 is allowed
2340 * because it cannot inherit MAKE_REG nor MAKE_DIR rights (which are
2341 * dedicated to directories).
2343 ASSERT_EQ(0, rename(file2_s1d3, file1_s2d3));
2346 TEST_F_FORK(layout1, reparent_exdev_layers_rename2)
2348 reparent_exdev_layers_enforce1(_metadata);
2350 /* Checks EACCES predominance over EXDEV. */
2351 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
2352 ASSERT_EQ(EACCES, errno);
2353 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d2));
2354 ASSERT_EQ(EACCES, errno);
2355 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
2356 ASSERT_EQ(EXDEV, errno);
2357 /* Modify layout! */
2358 ASSERT_EQ(0, rename(file1_s1d2, file1_s2d3));
2360 /* Without REFER source. */
2361 ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
2362 ASSERT_EQ(EXDEV, errno);
2363 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
2364 ASSERT_EQ(EXDEV, errno);
2366 reparent_exdev_layers_enforce2(_metadata);
2368 /* Checks EACCES predominance over EXDEV. */
2369 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
2370 ASSERT_EQ(EACCES, errno);
2371 /* Checks with actual file2_s1d2. */
2372 ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d2));
2373 ASSERT_EQ(EACCES, errno);
2374 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
2375 ASSERT_EQ(EXDEV, errno);
2376 /* Modify layout! */
2377 ASSERT_EQ(0, rename(file2_s1d2, file1_s2d3));
2379 /* Without REFER source, EACCES wins over EXDEV. */
2380 ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
2381 ASSERT_EQ(EACCES, errno);
2382 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
2383 ASSERT_EQ(EACCES, errno);
2386 TEST_F_FORK(layout1, reparent_exdev_layers_exchange1)
2388 const char *const dir_file1_s1d2 = file1_s1d2, *const dir_file2_s2d3 =
2391 ASSERT_EQ(0, unlink(file1_s1d2));
2392 ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
2393 ASSERT_EQ(0, unlink(file2_s2d3));
2394 ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2396 reparent_exdev_layers_enforce1(_metadata);
2398 /* Error predominance with file exchange: returns EXDEV and EACCES. */
2399 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
2401 ASSERT_EQ(EACCES, errno);
2402 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
2404 ASSERT_EQ(EACCES, errno);
2407 * Checks with directories which creation could be allowed, but denied
2408 * because of access rights that would be inherited.
2410 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
2411 dir_file2_s2d3, RENAME_EXCHANGE));
2412 ASSERT_EQ(EXDEV, errno);
2413 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
2414 dir_file1_s1d2, RENAME_EXCHANGE));
2415 ASSERT_EQ(EXDEV, errno);
2417 /* Checks with same access rights. */
2418 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
2420 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
2423 /* Checks with different (child-only) access rights. */
2424 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
2426 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
2430 * Checks that exchange between file and directory are consistent.
2432 * Moving a file (file1_s2d2) to a directory which only grants more
2433 * directory-related access rights is allowed, and at the same time
2434 * moving a directory (dir_file2_s2d3) to another directory which
2435 * grants less access rights is allowed too.
2437 * See layout1.reparent_exdev_layers_exchange3 for inverted arguments.
2439 ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2442 * However, moving back the directory is denied because it would get
2443 * more access rights than the current state and because file creation
2444 * is forbidden (in dir_s2d2).
2446 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2448 ASSERT_EQ(EACCES, errno);
2449 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2451 ASSERT_EQ(EACCES, errno);
2453 reparent_exdev_layers_enforce2(_metadata);
2455 /* Error predominance with file exchange: returns EXDEV and EACCES. */
2456 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
2458 ASSERT_EQ(EACCES, errno);
2459 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
2461 ASSERT_EQ(EACCES, errno);
2463 /* Checks with directories which creation is now denied. */
2464 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
2465 dir_file2_s2d3, RENAME_EXCHANGE));
2466 ASSERT_EQ(EACCES, errno);
2467 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
2468 dir_file1_s1d2, RENAME_EXCHANGE));
2469 ASSERT_EQ(EACCES, errno);
2471 /* Checks with different (child-only) access rights. */
2472 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
2474 /* Denied because of MAKE_DIR. */
2475 ASSERT_EQ(EACCES, errno);
2476 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
2478 ASSERT_EQ(EACCES, errno);
2480 /* Checks with different (child-only) access rights. */
2481 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
2483 /* Denied because of MAKE_DIR. */
2484 ASSERT_EQ(EACCES, errno);
2485 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
2487 ASSERT_EQ(EACCES, errno);
2489 /* See layout1.reparent_exdev_layers_exchange2 for complement. */
2492 TEST_F_FORK(layout1, reparent_exdev_layers_exchange2)
2494 const char *const dir_file2_s2d3 = file2_s2d3;
2496 ASSERT_EQ(0, unlink(file2_s2d3));
2497 ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2499 reparent_exdev_layers_enforce1(_metadata);
2500 reparent_exdev_layers_enforce2(_metadata);
2502 /* Checks that exchange between file and directory are consistent. */
2503 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2505 ASSERT_EQ(EACCES, errno);
2506 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2508 ASSERT_EQ(EACCES, errno);
2511 TEST_F_FORK(layout1, reparent_exdev_layers_exchange3)
2513 const char *const dir_file2_s2d3 = file2_s2d3;
2515 ASSERT_EQ(0, unlink(file2_s2d3));
2516 ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
2518 reparent_exdev_layers_enforce1(_metadata);
2521 * Checks that exchange between file and directory are consistent,
2522 * including with inverted arguments (see
2523 * layout1.reparent_exdev_layers_exchange1).
2525 ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2527 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
2529 ASSERT_EQ(EACCES, errno);
2530 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
2532 ASSERT_EQ(EACCES, errno);
2535 TEST_F_FORK(layout1, reparent_remove)
2537 const struct rule layer1[] = {
2540 .access = LANDLOCK_ACCESS_FS_REFER |
2541 LANDLOCK_ACCESS_FS_REMOVE_DIR,
2545 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2549 .access = LANDLOCK_ACCESS_FS_REFER |
2550 LANDLOCK_ACCESS_FS_REMOVE_FILE,
2554 const int ruleset_fd = create_ruleset(
2556 LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_REMOVE_DIR |
2557 LANDLOCK_ACCESS_FS_REMOVE_FILE,
2560 ASSERT_LE(0, ruleset_fd);
2561 enforce_ruleset(_metadata, ruleset_fd);
2562 ASSERT_EQ(0, close(ruleset_fd));
2564 /* Access denied because of wrong/swapped remove file/dir. */
2565 ASSERT_EQ(-1, rename(file1_s1d1, dir_s2d2));
2566 ASSERT_EQ(EACCES, errno);
2567 ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d1));
2568 ASSERT_EQ(EACCES, errno);
2569 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d2,
2571 ASSERT_EQ(EACCES, errno);
2572 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d3,
2574 ASSERT_EQ(EACCES, errno);
2576 /* Access allowed thanks to the matching rights. */
2577 ASSERT_EQ(-1, rename(file1_s2d1, dir_s1d2));
2578 ASSERT_EQ(EISDIR, errno);
2579 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d1));
2580 ASSERT_EQ(ENOTDIR, errno);
2581 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
2582 ASSERT_EQ(ENOTDIR, errno);
2583 ASSERT_EQ(0, unlink(file1_s2d1));
2584 ASSERT_EQ(0, unlink(file1_s1d3));
2585 ASSERT_EQ(0, unlink(file2_s1d3));
2586 ASSERT_EQ(0, rename(dir_s1d3, file1_s2d1));
2588 /* Effectively removes a file and a directory by exchanging them. */
2589 ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
2590 ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
2592 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
2594 ASSERT_EQ(EACCES, errno);
2597 TEST_F_FORK(layout1, reparent_dom_superset)
2599 const struct rule layer1[] = {
2602 .access = LANDLOCK_ACCESS_FS_REFER,
2606 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2610 .access = LANDLOCK_ACCESS_FS_MAKE_SOCK |
2611 LANDLOCK_ACCESS_FS_EXECUTE,
2615 .access = LANDLOCK_ACCESS_FS_REFER |
2616 LANDLOCK_ACCESS_FS_EXECUTE |
2617 LANDLOCK_ACCESS_FS_MAKE_SOCK,
2621 .access = LANDLOCK_ACCESS_FS_READ_FILE |
2622 LANDLOCK_ACCESS_FS_MAKE_FIFO,
2626 int ruleset_fd = create_ruleset(_metadata,
2627 LANDLOCK_ACCESS_FS_REFER |
2628 LANDLOCK_ACCESS_FS_EXECUTE |
2629 LANDLOCK_ACCESS_FS_MAKE_SOCK |
2630 LANDLOCK_ACCESS_FS_READ_FILE |
2631 LANDLOCK_ACCESS_FS_MAKE_FIFO,
2634 ASSERT_LE(0, ruleset_fd);
2635 enforce_ruleset(_metadata, ruleset_fd);
2636 ASSERT_EQ(0, close(ruleset_fd));
2638 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d1));
2639 ASSERT_EQ(EXDEV, errno);
2641 * Moving file1_s1d2 beneath dir_s2d3 would grant it the READ_FILE
2644 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d3));
2645 ASSERT_EQ(EXDEV, errno);
2647 * Moving file1_s1d2 should be allowed even if dir_s2d2 grants a
2648 * superset of access rights compared to dir_s1d2, because file1_s1d2
2649 * already has these access rights anyway.
2651 ASSERT_EQ(0, rename(file1_s1d2, file1_s2d2));
2652 ASSERT_EQ(0, rename(file1_s2d2, file1_s1d2));
2654 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
2655 ASSERT_EQ(EXDEV, errno);
2657 * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access
2660 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
2661 ASSERT_EQ(EXDEV, errno);
2663 * Moving dir_s1d3 should be allowed even if dir_s2d2 grants a superset
2664 * of access rights compared to dir_s1d2, because dir_s1d3 already has
2665 * these access rights anyway.
2667 ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
2668 ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
2671 * Moving file1_s2d3 beneath dir_s1d2 is allowed, but moving it back
2672 * will be denied because the new inherited access rights from dir_s1d2
2673 * will be less than the destination (original) dir_s2d3. This is a
2674 * sinkhole scenario where we cannot move back files or directories.
2676 ASSERT_EQ(0, rename(file1_s2d3, file2_s1d2));
2677 ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
2678 ASSERT_EQ(EXDEV, errno);
2679 ASSERT_EQ(0, unlink(file2_s1d2));
2680 ASSERT_EQ(0, unlink(file2_s2d3));
2682 * Checks similar directory one-way move: dir_s2d3 loses EXECUTE and
2683 * MAKE_SOCK which were inherited from dir_s1d3.
2685 ASSERT_EQ(0, rename(dir_s2d3, file2_s1d2));
2686 ASSERT_EQ(-1, rename(file2_s1d2, dir_s2d3));
2687 ASSERT_EQ(EXDEV, errno);
2690 TEST_F_FORK(layout1, remove_dir)
2692 const struct rule rules[] = {
2695 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2699 const int ruleset_fd =
2700 create_ruleset(_metadata, rules[0].access, rules);
2702 ASSERT_LE(0, ruleset_fd);
2704 ASSERT_EQ(0, unlink(file1_s1d1));
2705 ASSERT_EQ(0, unlink(file1_s1d2));
2706 ASSERT_EQ(0, unlink(file1_s1d3));
2707 ASSERT_EQ(0, unlink(file2_s1d3));
2709 enforce_ruleset(_metadata, ruleset_fd);
2710 ASSERT_EQ(0, close(ruleset_fd));
2712 ASSERT_EQ(0, rmdir(dir_s1d3));
2713 ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
2714 ASSERT_EQ(0, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR));
2716 /* dir_s1d2 itself cannot be removed. */
2717 ASSERT_EQ(-1, rmdir(dir_s1d2));
2718 ASSERT_EQ(EACCES, errno);
2719 ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d2, AT_REMOVEDIR));
2720 ASSERT_EQ(EACCES, errno);
2721 ASSERT_EQ(-1, rmdir(dir_s1d1));
2722 ASSERT_EQ(EACCES, errno);
2723 ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d1, AT_REMOVEDIR));
2724 ASSERT_EQ(EACCES, errno);
2727 TEST_F_FORK(layout1, remove_file)
2729 const struct rule rules[] = {
2732 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2736 const int ruleset_fd =
2737 create_ruleset(_metadata, rules[0].access, rules);
2739 ASSERT_LE(0, ruleset_fd);
2740 enforce_ruleset(_metadata, ruleset_fd);
2741 ASSERT_EQ(0, close(ruleset_fd));
2743 ASSERT_EQ(-1, unlink(file1_s1d1));
2744 ASSERT_EQ(EACCES, errno);
2745 ASSERT_EQ(-1, unlinkat(AT_FDCWD, file1_s1d1, 0));
2746 ASSERT_EQ(EACCES, errno);
2747 ASSERT_EQ(0, unlink(file1_s1d2));
2748 ASSERT_EQ(0, unlinkat(AT_FDCWD, file1_s1d3, 0));
2751 static void test_make_file(struct __test_metadata *const _metadata,
2752 const __u64 access, const mode_t mode,
2755 const struct rule rules[] = {
2762 const int ruleset_fd = create_ruleset(_metadata, access, rules);
2764 ASSERT_LE(0, ruleset_fd);
2766 ASSERT_EQ(0, unlink(file1_s1d1));
2767 ASSERT_EQ(0, unlink(file2_s1d1));
2768 ASSERT_EQ(0, mknod(file2_s1d1, mode | 0400, dev))
2770 TH_LOG("Failed to make file \"%s\": %s", file2_s1d1,
2774 ASSERT_EQ(0, unlink(file1_s1d2));
2775 ASSERT_EQ(0, unlink(file2_s1d2));
2777 ASSERT_EQ(0, unlink(file1_s1d3));
2778 ASSERT_EQ(0, unlink(file2_s1d3));
2780 enforce_ruleset(_metadata, ruleset_fd);
2781 ASSERT_EQ(0, close(ruleset_fd));
2783 ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev));
2784 ASSERT_EQ(EACCES, errno);
2785 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
2786 ASSERT_EQ(EACCES, errno);
2787 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
2788 ASSERT_EQ(EACCES, errno);
2790 ASSERT_EQ(0, mknod(file1_s1d2, mode | 0400, dev))
2792 TH_LOG("Failed to make file \"%s\": %s", file1_s1d2,
2795 ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
2796 ASSERT_EQ(0, unlink(file2_s1d2));
2797 ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
2799 ASSERT_EQ(0, mknod(file1_s1d3, mode | 0400, dev));
2800 ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
2801 ASSERT_EQ(0, unlink(file2_s1d3));
2802 ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
2805 TEST_F_FORK(layout1, make_char)
2807 /* Creates a /dev/null device. */
2808 set_cap(_metadata, CAP_MKNOD);
2809 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR,
2813 TEST_F_FORK(layout1, make_block)
2815 /* Creates a /dev/loop0 device. */
2816 set_cap(_metadata, CAP_MKNOD);
2817 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK,
2821 TEST_F_FORK(layout1, make_reg_1)
2823 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0);
2826 TEST_F_FORK(layout1, make_reg_2)
2828 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, 0, 0);
2831 TEST_F_FORK(layout1, make_sock)
2833 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0);
2836 TEST_F_FORK(layout1, make_fifo)
2838 test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0);
2841 TEST_F_FORK(layout1, make_sym)
2843 const struct rule rules[] = {
2846 .access = LANDLOCK_ACCESS_FS_MAKE_SYM,
2850 const int ruleset_fd =
2851 create_ruleset(_metadata, rules[0].access, rules);
2853 ASSERT_LE(0, ruleset_fd);
2855 ASSERT_EQ(0, unlink(file1_s1d1));
2856 ASSERT_EQ(0, unlink(file2_s1d1));
2857 ASSERT_EQ(0, symlink("none", file2_s1d1));
2859 ASSERT_EQ(0, unlink(file1_s1d2));
2860 ASSERT_EQ(0, unlink(file2_s1d2));
2862 ASSERT_EQ(0, unlink(file1_s1d3));
2863 ASSERT_EQ(0, unlink(file2_s1d3));
2865 enforce_ruleset(_metadata, ruleset_fd);
2866 ASSERT_EQ(0, close(ruleset_fd));
2868 ASSERT_EQ(-1, symlink("none", file1_s1d1));
2869 ASSERT_EQ(EACCES, errno);
2870 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
2871 ASSERT_EQ(EACCES, errno);
2872 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
2873 ASSERT_EQ(EACCES, errno);
2875 ASSERT_EQ(0, symlink("none", file1_s1d2));
2876 ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
2877 ASSERT_EQ(0, unlink(file2_s1d2));
2878 ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
2880 ASSERT_EQ(0, symlink("none", file1_s1d3));
2881 ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
2882 ASSERT_EQ(0, unlink(file2_s1d3));
2883 ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
2886 TEST_F_FORK(layout1, make_dir)
2888 const struct rule rules[] = {
2891 .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
2895 const int ruleset_fd =
2896 create_ruleset(_metadata, rules[0].access, rules);
2898 ASSERT_LE(0, ruleset_fd);
2900 ASSERT_EQ(0, unlink(file1_s1d1));
2901 ASSERT_EQ(0, unlink(file1_s1d2));
2902 ASSERT_EQ(0, unlink(file1_s1d3));
2904 enforce_ruleset(_metadata, ruleset_fd);
2905 ASSERT_EQ(0, close(ruleset_fd));
2907 /* Uses file_* as directory names. */
2908 ASSERT_EQ(-1, mkdir(file1_s1d1, 0700));
2909 ASSERT_EQ(EACCES, errno);
2910 ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
2911 ASSERT_EQ(0, mkdir(file1_s1d3, 0700));
2914 static int open_proc_fd(struct __test_metadata *const _metadata, const int fd,
2915 const int open_flags)
2917 static const char path_template[] = "/proc/self/fd/%d";
2918 char procfd_path[sizeof(path_template) + 10];
2919 const int procfd_path_size =
2920 snprintf(procfd_path, sizeof(procfd_path), path_template, fd);
2922 ASSERT_LT(procfd_path_size, sizeof(procfd_path));
2923 return open(procfd_path, open_flags);
2926 TEST_F_FORK(layout1, proc_unlinked_file)
2928 const struct rule rules[] = {
2931 .access = LANDLOCK_ACCESS_FS_READ_FILE,
2935 int reg_fd, proc_fd;
2936 const int ruleset_fd = create_ruleset(
2938 LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE,
2941 ASSERT_LE(0, ruleset_fd);
2942 enforce_ruleset(_metadata, ruleset_fd);
2943 ASSERT_EQ(0, close(ruleset_fd));
2945 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
2946 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
2947 reg_fd = open(file1_s1d2, O_RDONLY | O_CLOEXEC);
2948 ASSERT_LE(0, reg_fd);
2949 ASSERT_EQ(0, unlink(file1_s1d2));
2951 proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC);
2952 ASSERT_LE(0, proc_fd);
2953 ASSERT_EQ(0, close(proc_fd));
2955 proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC);
2956 ASSERT_EQ(-1, proc_fd)
2958 TH_LOG("Successfully opened /proc/self/fd/%d: %s", reg_fd,
2961 ASSERT_EQ(EACCES, errno);
2963 ASSERT_EQ(0, close(reg_fd));
2966 TEST_F_FORK(layout1, proc_pipe)
2971 const struct rule rules[] = {
2974 .access = LANDLOCK_ACCESS_FS_READ_FILE |
2975 LANDLOCK_ACCESS_FS_WRITE_FILE,
2979 /* Limits read and write access to files tied to the filesystem. */
2980 const int ruleset_fd =
2981 create_ruleset(_metadata, rules[0].access, rules);
2983 ASSERT_LE(0, ruleset_fd);
2984 enforce_ruleset(_metadata, ruleset_fd);
2985 ASSERT_EQ(0, close(ruleset_fd));
2987 /* Checks enforcement for normal files. */
2988 ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
2989 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
2991 /* Checks access to pipes through FD. */
2992 ASSERT_EQ(0, pipe2(pipe_fds, O_CLOEXEC));
2993 ASSERT_EQ(1, write(pipe_fds[1], ".", 1))
2995 TH_LOG("Failed to write in pipe: %s", strerror(errno));
2997 ASSERT_EQ(1, read(pipe_fds[0], &buf, 1));
2998 ASSERT_EQ('.', buf);
3000 /* Checks write access to pipe through /proc/self/fd . */
3001 proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC);
3002 ASSERT_LE(0, proc_fd);
3003 ASSERT_EQ(1, write(proc_fd, ".", 1))
3005 TH_LOG("Failed to write through /proc/self/fd/%d: %s",
3006 pipe_fds[1], strerror(errno));
3008 ASSERT_EQ(0, close(proc_fd));
3010 /* Checks read access to pipe through /proc/self/fd . */
3011 proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC);
3012 ASSERT_LE(0, proc_fd);
3014 ASSERT_EQ(1, read(proc_fd, &buf, 1))
3016 TH_LOG("Failed to read through /proc/self/fd/%d: %s",
3017 pipe_fds[1], strerror(errno));
3019 ASSERT_EQ(0, close(proc_fd));
3021 ASSERT_EQ(0, close(pipe_fds[0]));
3022 ASSERT_EQ(0, close(pipe_fds[1]));
3025 /* clang-format off */
3026 FIXTURE(layout1_bind) {};
3027 /* clang-format on */
3029 FIXTURE_SETUP(layout1_bind)
3031 prepare_layout(_metadata);
3033 create_layout1(_metadata);
3035 set_cap(_metadata, CAP_SYS_ADMIN);
3036 ASSERT_EQ(0, mount(dir_s1d2, dir_s2d2, NULL, MS_BIND, NULL));
3037 clear_cap(_metadata, CAP_SYS_ADMIN);
3040 FIXTURE_TEARDOWN(layout1_bind)
3042 set_cap(_metadata, CAP_SYS_ADMIN);
3043 EXPECT_EQ(0, umount(dir_s2d2));
3044 clear_cap(_metadata, CAP_SYS_ADMIN);
3046 remove_layout1(_metadata);
3048 cleanup_layout(_metadata);
3051 static const char bind_dir_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3";
3052 static const char bind_file1_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3/f1";
3055 * layout1_bind hierarchy:
3080 TEST_F_FORK(layout1_bind, no_restriction)
3082 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
3083 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
3084 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
3085 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
3086 ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
3087 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
3089 ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
3090 ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
3091 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
3092 ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
3093 ASSERT_EQ(ENOENT, test_open(dir_s2d3, O_RDONLY));
3094 ASSERT_EQ(ENOENT, test_open(file1_s2d3, O_RDONLY));
3096 ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY));
3097 ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
3099 ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
3102 TEST_F_FORK(layout1_bind, same_content_same_file)
3105 * Sets access right on parent directories of both source and
3106 * destination mount points.
3108 const struct rule layer1_parent[] = {
3111 .access = ACCESS_RO,
3115 .access = ACCESS_RW,
3120 * Sets access rights on the same bind-mounted directories. The result
3121 * should be ACCESS_RW for both directories, but not both hierarchies
3122 * because of the first layer.
3124 const struct rule layer2_mount_point[] = {
3127 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3131 .access = ACCESS_RW,
3135 /* Only allow read-access to the s1d3 hierarchies. */
3136 const struct rule layer3_source[] = {
3139 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3143 /* Removes all access rights. */
3144 const struct rule layer4_destination[] = {
3146 .path = bind_file1_s1d3,
3147 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3153 /* Sets rules for the parent directories. */
3154 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_parent);
3155 ASSERT_LE(0, ruleset_fd);
3156 enforce_ruleset(_metadata, ruleset_fd);
3157 ASSERT_EQ(0, close(ruleset_fd));
3159 /* Checks source hierarchy. */
3160 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
3161 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
3162 ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
3164 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
3165 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
3166 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
3168 /* Checks destination hierarchy. */
3169 ASSERT_EQ(0, test_open(file1_s2d1, O_RDWR));
3170 ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
3172 ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
3173 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
3175 /* Sets rules for the mount points. */
3176 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_mount_point);
3177 ASSERT_LE(0, ruleset_fd);
3178 enforce_ruleset(_metadata, ruleset_fd);
3179 ASSERT_EQ(0, close(ruleset_fd));
3181 /* Checks source hierarchy. */
3182 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
3183 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
3184 ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
3186 ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
3187 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
3188 ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
3190 /* Checks destination hierarchy. */
3191 ASSERT_EQ(EACCES, test_open(file1_s2d1, O_RDONLY));
3192 ASSERT_EQ(EACCES, test_open(file1_s2d1, O_WRONLY));
3193 ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
3195 ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
3196 ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
3197 ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
3199 /* Sets a (shared) rule only on the source. */
3200 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_source);
3201 ASSERT_LE(0, ruleset_fd);
3202 enforce_ruleset(_metadata, ruleset_fd);
3203 ASSERT_EQ(0, close(ruleset_fd));
3205 /* Checks source hierarchy. */
3206 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
3207 ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
3208 ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
3210 ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
3211 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
3212 ASSERT_EQ(EACCES, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
3214 /* Checks destination hierarchy. */
3215 ASSERT_EQ(EACCES, test_open(file1_s2d2, O_RDONLY));
3216 ASSERT_EQ(EACCES, test_open(file1_s2d2, O_WRONLY));
3217 ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
3219 ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
3220 ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
3221 ASSERT_EQ(EACCES, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
3223 /* Sets a (shared) rule only on the destination. */
3224 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_destination);
3225 ASSERT_LE(0, ruleset_fd);
3226 enforce_ruleset(_metadata, ruleset_fd);
3227 ASSERT_EQ(0, close(ruleset_fd));
3229 /* Checks source hierarchy. */
3230 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
3231 ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
3233 /* Checks destination hierarchy. */
3234 ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_RDONLY));
3235 ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
3238 TEST_F_FORK(layout1_bind, reparent_cross_mount)
3240 const struct rule layer1[] = {
3242 /* dir_s2d1 is beneath the dir_s2d2 mount point. */
3244 .access = LANDLOCK_ACCESS_FS_REFER,
3247 .path = bind_dir_s1d3,
3248 .access = LANDLOCK_ACCESS_FS_EXECUTE,
3252 int ruleset_fd = create_ruleset(
3254 LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_EXECUTE, layer1);
3256 ASSERT_LE(0, ruleset_fd);
3257 enforce_ruleset(_metadata, ruleset_fd);
3258 ASSERT_EQ(0, close(ruleset_fd));
3260 /* Checks basic denied move. */
3261 ASSERT_EQ(-1, rename(file1_s1d1, file1_s1d2));
3262 ASSERT_EQ(EXDEV, errno);
3264 /* Checks real cross-mount move (Landlock is not involved). */
3265 ASSERT_EQ(-1, rename(file1_s2d1, file1_s2d2));
3266 ASSERT_EQ(EXDEV, errno);
3268 /* Checks move that will give more accesses. */
3269 ASSERT_EQ(-1, rename(file1_s2d2, bind_file1_s1d3));
3270 ASSERT_EQ(EXDEV, errno);
3272 /* Checks legitimate downgrade move. */
3273 ASSERT_EQ(0, rename(bind_file1_s1d3, file1_s2d2));
3276 #define LOWER_BASE TMP_DIR "/lower"
3277 #define LOWER_DATA LOWER_BASE "/data"
3278 static const char lower_fl1[] = LOWER_DATA "/fl1";
3279 static const char lower_dl1[] = LOWER_DATA "/dl1";
3280 static const char lower_dl1_fl2[] = LOWER_DATA "/dl1/fl2";
3281 static const char lower_fo1[] = LOWER_DATA "/fo1";
3282 static const char lower_do1[] = LOWER_DATA "/do1";
3283 static const char lower_do1_fo2[] = LOWER_DATA "/do1/fo2";
3284 static const char lower_do1_fl3[] = LOWER_DATA "/do1/fl3";
3286 static const char (*lower_base_files[])[] = {
3291 static const char (*lower_base_directories[])[] = {
3296 static const char (*lower_sub_files[])[] = {
3303 #define UPPER_BASE TMP_DIR "/upper"
3304 #define UPPER_DATA UPPER_BASE "/data"
3305 #define UPPER_WORK UPPER_BASE "/work"
3306 static const char upper_fu1[] = UPPER_DATA "/fu1";
3307 static const char upper_du1[] = UPPER_DATA "/du1";
3308 static const char upper_du1_fu2[] = UPPER_DATA "/du1/fu2";
3309 static const char upper_fo1[] = UPPER_DATA "/fo1";
3310 static const char upper_do1[] = UPPER_DATA "/do1";
3311 static const char upper_do1_fo2[] = UPPER_DATA "/do1/fo2";
3312 static const char upper_do1_fu3[] = UPPER_DATA "/do1/fu3";
3314 static const char (*upper_base_files[])[] = {
3319 static const char (*upper_base_directories[])[] = {
3324 static const char (*upper_sub_files[])[] = {
3331 #define MERGE_BASE TMP_DIR "/merge"
3332 #define MERGE_DATA MERGE_BASE "/data"
3333 static const char merge_fl1[] = MERGE_DATA "/fl1";
3334 static const char merge_dl1[] = MERGE_DATA "/dl1";
3335 static const char merge_dl1_fl2[] = MERGE_DATA "/dl1/fl2";
3336 static const char merge_fu1[] = MERGE_DATA "/fu1";
3337 static const char merge_du1[] = MERGE_DATA "/du1";
3338 static const char merge_du1_fu2[] = MERGE_DATA "/du1/fu2";
3339 static const char merge_fo1[] = MERGE_DATA "/fo1";
3340 static const char merge_do1[] = MERGE_DATA "/do1";
3341 static const char merge_do1_fo2[] = MERGE_DATA "/do1/fo2";
3342 static const char merge_do1_fl3[] = MERGE_DATA "/do1/fl3";
3343 static const char merge_do1_fu3[] = MERGE_DATA "/do1/fu3";
3345 static const char (*merge_base_files[])[] = {
3351 static const char (*merge_base_directories[])[] = {
3357 static const char (*merge_sub_files[])[] = {
3358 &merge_dl1_fl2, &merge_du1_fu2, &merge_do1_fo2,
3359 &merge_do1_fl3, &merge_do1_fu3, NULL,
3363 * layout2_overlay hierarchy:
3401 /* clang-format off */
3402 FIXTURE(layout2_overlay) {};
3403 /* clang-format on */
3405 FIXTURE_SETUP(layout2_overlay)
3407 prepare_layout(_metadata);
3409 create_directory(_metadata, LOWER_BASE);
3410 set_cap(_metadata, CAP_SYS_ADMIN);
3411 /* Creates tmpfs mount points to get deterministic overlayfs. */
3412 ASSERT_EQ(0, mount("tmp", LOWER_BASE, "tmpfs", 0, "size=4m,mode=700"));
3413 clear_cap(_metadata, CAP_SYS_ADMIN);
3414 create_file(_metadata, lower_fl1);
3415 create_file(_metadata, lower_dl1_fl2);
3416 create_file(_metadata, lower_fo1);
3417 create_file(_metadata, lower_do1_fo2);
3418 create_file(_metadata, lower_do1_fl3);
3420 create_directory(_metadata, UPPER_BASE);
3421 set_cap(_metadata, CAP_SYS_ADMIN);
3422 ASSERT_EQ(0, mount("tmp", UPPER_BASE, "tmpfs", 0, "size=4m,mode=700"));
3423 clear_cap(_metadata, CAP_SYS_ADMIN);
3424 create_file(_metadata, upper_fu1);
3425 create_file(_metadata, upper_du1_fu2);
3426 create_file(_metadata, upper_fo1);
3427 create_file(_metadata, upper_do1_fo2);
3428 create_file(_metadata, upper_do1_fu3);
3429 ASSERT_EQ(0, mkdir(UPPER_WORK, 0700));
3431 create_directory(_metadata, MERGE_DATA);
3432 set_cap(_metadata, CAP_SYS_ADMIN);
3433 set_cap(_metadata, CAP_DAC_OVERRIDE);
3434 ASSERT_EQ(0, mount("overlay", MERGE_DATA, "overlay", 0,
3435 "lowerdir=" LOWER_DATA ",upperdir=" UPPER_DATA
3436 ",workdir=" UPPER_WORK));
3437 clear_cap(_metadata, CAP_DAC_OVERRIDE);
3438 clear_cap(_metadata, CAP_SYS_ADMIN);
3441 FIXTURE_TEARDOWN(layout2_overlay)
3443 EXPECT_EQ(0, remove_path(lower_do1_fl3));
3444 EXPECT_EQ(0, remove_path(lower_dl1_fl2));
3445 EXPECT_EQ(0, remove_path(lower_fl1));
3446 EXPECT_EQ(0, remove_path(lower_do1_fo2));
3447 EXPECT_EQ(0, remove_path(lower_fo1));
3448 set_cap(_metadata, CAP_SYS_ADMIN);
3449 EXPECT_EQ(0, umount(LOWER_BASE));
3450 clear_cap(_metadata, CAP_SYS_ADMIN);
3451 EXPECT_EQ(0, remove_path(LOWER_BASE));
3453 EXPECT_EQ(0, remove_path(upper_do1_fu3));
3454 EXPECT_EQ(0, remove_path(upper_du1_fu2));
3455 EXPECT_EQ(0, remove_path(upper_fu1));
3456 EXPECT_EQ(0, remove_path(upper_do1_fo2));
3457 EXPECT_EQ(0, remove_path(upper_fo1));
3458 EXPECT_EQ(0, remove_path(UPPER_WORK "/work"));
3459 set_cap(_metadata, CAP_SYS_ADMIN);
3460 EXPECT_EQ(0, umount(UPPER_BASE));
3461 clear_cap(_metadata, CAP_SYS_ADMIN);
3462 EXPECT_EQ(0, remove_path(UPPER_BASE));
3464 set_cap(_metadata, CAP_SYS_ADMIN);
3465 EXPECT_EQ(0, umount(MERGE_DATA));
3466 clear_cap(_metadata, CAP_SYS_ADMIN);
3467 EXPECT_EQ(0, remove_path(MERGE_DATA));
3469 cleanup_layout(_metadata);
3472 TEST_F_FORK(layout2_overlay, no_restriction)
3474 ASSERT_EQ(0, test_open(lower_fl1, O_RDONLY));
3475 ASSERT_EQ(0, test_open(lower_dl1, O_RDONLY));
3476 ASSERT_EQ(0, test_open(lower_dl1_fl2, O_RDONLY));
3477 ASSERT_EQ(0, test_open(lower_fo1, O_RDONLY));
3478 ASSERT_EQ(0, test_open(lower_do1, O_RDONLY));
3479 ASSERT_EQ(0, test_open(lower_do1_fo2, O_RDONLY));
3480 ASSERT_EQ(0, test_open(lower_do1_fl3, O_RDONLY));
3482 ASSERT_EQ(0, test_open(upper_fu1, O_RDONLY));
3483 ASSERT_EQ(0, test_open(upper_du1, O_RDONLY));
3484 ASSERT_EQ(0, test_open(upper_du1_fu2, O_RDONLY));
3485 ASSERT_EQ(0, test_open(upper_fo1, O_RDONLY));
3486 ASSERT_EQ(0, test_open(upper_do1, O_RDONLY));
3487 ASSERT_EQ(0, test_open(upper_do1_fo2, O_RDONLY));
3488 ASSERT_EQ(0, test_open(upper_do1_fu3, O_RDONLY));
3490 ASSERT_EQ(0, test_open(merge_fl1, O_RDONLY));
3491 ASSERT_EQ(0, test_open(merge_dl1, O_RDONLY));
3492 ASSERT_EQ(0, test_open(merge_dl1_fl2, O_RDONLY));
3493 ASSERT_EQ(0, test_open(merge_fu1, O_RDONLY));
3494 ASSERT_EQ(0, test_open(merge_du1, O_RDONLY));
3495 ASSERT_EQ(0, test_open(merge_du1_fu2, O_RDONLY));
3496 ASSERT_EQ(0, test_open(merge_fo1, O_RDONLY));
3497 ASSERT_EQ(0, test_open(merge_do1, O_RDONLY));
3498 ASSERT_EQ(0, test_open(merge_do1_fo2, O_RDONLY));
3499 ASSERT_EQ(0, test_open(merge_do1_fl3, O_RDONLY));
3500 ASSERT_EQ(0, test_open(merge_do1_fu3, O_RDONLY));
3503 #define for_each_path(path_list, path_entry, i) \
3504 for (i = 0, path_entry = *path_list[i]; path_list[i]; \
3505 path_entry = *path_list[++i])
3507 TEST_F_FORK(layout2_overlay, same_content_different_file)
3509 /* Sets access right on parent directories of both layers. */
3510 const struct rule layer1_base[] = {
3513 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3517 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3521 .access = ACCESS_RW,
3525 const struct rule layer2_data[] = {
3528 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3532 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3536 .access = ACCESS_RW,
3540 /* Sets access right on directories inside both layers. */
3541 const struct rule layer3_subdirs[] = {
3544 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3548 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3552 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3556 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3560 .access = ACCESS_RW,
3564 .access = ACCESS_RW,
3568 .access = ACCESS_RW,
3572 /* Tighten access rights to the files. */
3573 const struct rule layer4_files[] = {
3575 .path = lower_dl1_fl2,
3576 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3579 .path = lower_do1_fo2,
3580 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3583 .path = lower_do1_fl3,
3584 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3587 .path = upper_du1_fu2,
3588 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3591 .path = upper_do1_fo2,
3592 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3595 .path = upper_do1_fu3,
3596 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3599 .path = merge_dl1_fl2,
3600 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3601 LANDLOCK_ACCESS_FS_WRITE_FILE,
3604 .path = merge_du1_fu2,
3605 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3606 LANDLOCK_ACCESS_FS_WRITE_FILE,
3609 .path = merge_do1_fo2,
3610 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3611 LANDLOCK_ACCESS_FS_WRITE_FILE,
3614 .path = merge_do1_fl3,
3615 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3616 LANDLOCK_ACCESS_FS_WRITE_FILE,
3619 .path = merge_do1_fu3,
3620 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3621 LANDLOCK_ACCESS_FS_WRITE_FILE,
3625 const struct rule layer5_merge_only[] = {
3628 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3629 LANDLOCK_ACCESS_FS_WRITE_FILE,
3635 const char *path_entry;
3637 /* Sets rules on base directories (i.e. outside overlay scope). */
3638 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
3639 ASSERT_LE(0, ruleset_fd);
3640 enforce_ruleset(_metadata, ruleset_fd);
3641 ASSERT_EQ(0, close(ruleset_fd));
3643 /* Checks lower layer. */
3644 for_each_path(lower_base_files, path_entry, i) {
3645 ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3646 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3648 for_each_path(lower_base_directories, path_entry, i) {
3650 test_open(path_entry, O_RDONLY | O_DIRECTORY));
3652 for_each_path(lower_sub_files, path_entry, i) {
3653 ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3654 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3656 /* Checks upper layer. */
3657 for_each_path(upper_base_files, path_entry, i) {
3658 ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3659 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3661 for_each_path(upper_base_directories, path_entry, i) {
3663 test_open(path_entry, O_RDONLY | O_DIRECTORY));
3665 for_each_path(upper_sub_files, path_entry, i) {
3666 ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3667 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3670 * Checks that access rights are independent from the lower and upper
3671 * layers: write access to upper files viewed through the merge point
3672 * is still allowed, and write access to lower file viewed (and copied)
3673 * through the merge point is still allowed.
3675 for_each_path(merge_base_files, path_entry, i) {
3676 ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3678 for_each_path(merge_base_directories, path_entry, i) {
3679 ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
3681 for_each_path(merge_sub_files, path_entry, i) {
3682 ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3685 /* Sets rules on data directories (i.e. inside overlay scope). */
3686 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_data);
3687 ASSERT_LE(0, ruleset_fd);
3688 enforce_ruleset(_metadata, ruleset_fd);
3689 ASSERT_EQ(0, close(ruleset_fd));
3692 for_each_path(merge_base_files, path_entry, i) {
3693 ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3695 for_each_path(merge_base_directories, path_entry, i) {
3696 ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
3698 for_each_path(merge_sub_files, path_entry, i) {
3699 ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3702 /* Same checks with tighter rules. */
3703 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_subdirs);
3704 ASSERT_LE(0, ruleset_fd);
3705 enforce_ruleset(_metadata, ruleset_fd);
3706 ASSERT_EQ(0, close(ruleset_fd));
3708 /* Checks changes for lower layer. */
3709 for_each_path(lower_base_files, path_entry, i) {
3710 ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
3712 /* Checks changes for upper layer. */
3713 for_each_path(upper_base_files, path_entry, i) {
3714 ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
3716 /* Checks all merge accesses. */
3717 for_each_path(merge_base_files, path_entry, i) {
3718 ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
3720 for_each_path(merge_base_directories, path_entry, i) {
3721 ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
3723 for_each_path(merge_sub_files, path_entry, i) {
3724 ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3727 /* Sets rules directly on overlayed files. */
3728 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_files);
3729 ASSERT_LE(0, ruleset_fd);
3730 enforce_ruleset(_metadata, ruleset_fd);
3731 ASSERT_EQ(0, close(ruleset_fd));
3733 /* Checks unchanged accesses on lower layer. */
3734 for_each_path(lower_sub_files, path_entry, i) {
3735 ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3736 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3738 /* Checks unchanged accesses on upper layer. */
3739 for_each_path(upper_sub_files, path_entry, i) {
3740 ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
3741 ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
3743 /* Checks all merge accesses. */
3744 for_each_path(merge_base_files, path_entry, i) {
3745 ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
3747 for_each_path(merge_base_directories, path_entry, i) {
3749 test_open(path_entry, O_RDONLY | O_DIRECTORY));
3751 for_each_path(merge_sub_files, path_entry, i) {
3752 ASSERT_EQ(0, test_open(path_entry, O_RDWR));
3755 /* Only allowes access to the merge hierarchy. */
3756 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer5_merge_only);
3757 ASSERT_LE(0, ruleset_fd);
3758 enforce_ruleset(_metadata, ruleset_fd);
3759 ASSERT_EQ(0, close(ruleset_fd));
3761 /* Checks new accesses on lower layer. */
3762 for_each_path(lower_sub_files, path_entry, i) {
3763 ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
3765 /* Checks new accesses on upper layer. */
3766 for_each_path(upper_sub_files, path_entry, i) {
3767 ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
3769 /* Checks all merge accesses. */
3770 for_each_path(merge_base_files, path_entry, i) {
3771 ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
3773 for_each_path(merge_base_directories, path_entry, i) {
3775 test_open(path_entry, O_RDONLY | O_DIRECTORY));
3777 for_each_path(merge_sub_files, path_entry, i) {
3778 ASSERT_EQ(0, test_open(path_entry, O_RDWR));