selftests/landlock: Add tests to check unhandled rule's access rights

Add two tests to make sure that we cannot add a rule to a ruleset if the
rule's access rights that are not handled by the ruleset:
* fs: layout1.rule_with_unhandled_access
* net: mini.rule_with_unhandled_access

Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Reviewed-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20231130093616.67340-3-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 1e6c474e3d0847135390fc133d445a101fd53e83..a1d17ab527ae290f03e0ae71a66391164510be1f 100644 (file)
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -632,6 +632,40 @@ TEST_F_FORK(layout0, rule_with_unknown_access)
        ASSERT_EQ(0, close(ruleset_fd));
 }
 
+TEST_F_FORK(layout1, rule_with_unhandled_access)
+{
+       struct landlock_ruleset_attr ruleset_attr = {
+               .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE,
+       };
+       struct landlock_path_beneath_attr path_beneath = {};
+       int ruleset_fd;
+       __u64 access;
+
+       ruleset_fd =
+               landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+       ASSERT_LE(0, ruleset_fd);
+
+       path_beneath.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
+       ASSERT_LE(0, path_beneath.parent_fd);
+
+       for (access = 1; access > 0; access <<= 1) {
+               int err;
+
+               path_beneath.allowed_access = access;
+               err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
+                                       &path_beneath, 0);
+               if (access == ruleset_attr.handled_access_fs) {
+                       EXPECT_EQ(0, err);
+               } else {
+                       EXPECT_EQ(-1, err);
+                       EXPECT_EQ(EINVAL, errno);
+               }
+       }
+
+       EXPECT_EQ(0, close(path_beneath.parent_fd));
+       EXPECT_EQ(0, close(ruleset_fd));
+}
+
 static void add_path_beneath(struct __test_metadata *const _metadata,
                             const int ruleset_fd, const __u64 allowed_access,
                             const char *const path)

diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index 83d9abc3ee55ed550396f00463ca1514ab4f5972..ea5f727dd25778df7def21365eae073981ee08fe 100644 (file)
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -1301,6 +1301,38 @@ TEST_F(mini, rule_with_unknown_access)
        EXPECT_EQ(0, close(ruleset_fd));
 }
 
+TEST_F(mini, rule_with_unhandled_access)
+{
+       struct landlock_ruleset_attr ruleset_attr = {
+               .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
+       };
+       struct landlock_net_port_attr net_port = {
+               .port = sock_port_start,
+       };
+       int ruleset_fd;
+       __u64 access;
+
+       ruleset_fd =
+               landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+       ASSERT_LE(0, ruleset_fd);
+
+       for (access = 1; access > 0; access <<= 1) {
+               int err;
+
+               net_port.allowed_access = access;
+               err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
+                                       &net_port, 0);
+               if (access == ruleset_attr.handled_access_net) {
+                       EXPECT_EQ(0, err);
+               } else {
+                       EXPECT_EQ(-1, err);
+                       EXPECT_EQ(EINVAL, errno);
+               }
+       }
+
+       EXPECT_EQ(0, close(ruleset_fd));
+}
+
 TEST_F(mini, inval)
 {
        const struct landlock_ruleset_attr ruleset_attr = {