Lines Matching full:access

393 	 * (access type) confusion for this test.  in test_open_rel()
494 /* Tests with denied-by-default access right. */ in TEST_F_FORK()
508 /* Test with no access. */ in TEST_F_FORK()
552 __u64 access; in TEST_F_FORK() local
564 /* Tests access rights for files. */ in TEST_F_FORK()
568 /* Tests access rights for directories. */ in TEST_F_FORK()
573 for (access = 1; access <= ACCESS_LAST; access <<= 1) { in TEST_F_FORK()
574 path_beneath_dir.allowed_access = access; in TEST_F_FORK()
579 path_beneath_file.allowed_access = access; in TEST_F_FORK()
582 if (access & ACCESS_FILE) { in TEST_F_FORK()
612 __u64 access; in TEST_F_FORK() local
626 for (access = 1ULL << 63; access != ACCESS_LAST; access >>= 1) { in TEST_F_FORK()
627 path_beneath.allowed_access = access; in TEST_F_FORK()
644 __u64 access; in TEST_F_FORK() local
653 for (access = 1; access > 0; access <<= 1) { in TEST_F_FORK()
656 path_beneath.allowed_access = access; in TEST_F_FORK()
659 if (access == ruleset_attr.handled_access_fs) { in TEST_F_FORK()
696 __u64 access; member
737 add_path_beneath(_metadata, ruleset_fd, rules[i].access, in create_ruleset()
748 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
755 _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR, in TEST_F_FORK()
797 .access = ACCESS_RO, in TEST_F_FORK()
820 .access = ACCESS_RO, in TEST_F_FORK()
824 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
878 .access = ACCESS_RO, in TEST_F_FORK()
906 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
911 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
946 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
951 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
959 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
968 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
1053 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
1060 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
1114 /* Allows read access to file1_s1d3 with the first layer. */ in TEST_F_FORK()
1117 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1123 /* Start by granting read-write access via its parent directory... */ in TEST_F_FORK()
1126 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
1129 /* ...but also denies read access via its grandparent directory. */ in TEST_F_FORK()
1132 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
1137 /* Allows read access via its great-grandparent directory. */ in TEST_F_FORK()
1140 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1146 * Try to confuse the deny access by denying write (but not in TEST_F_FORK()
1147 * read) access via its grandparent directory. in TEST_F_FORK()
1151 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1157 * Try to override layer2's deny read access by explicitly in TEST_F_FORK()
1158 * allowing read access via file1_s1d3's grandparent. in TEST_F_FORK()
1162 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1168 * Restricts an unrelated file hierarchy with a new access in TEST_F_FORK()
1173 .access = LANDLOCK_ACCESS_FS_EXECUTE, in TEST_F_FORK()
1179 * Finally, denies read access to file1_s1d3 via its in TEST_F_FORK()
1184 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
1196 /* Checks that read access is granted for file1_s1d3 with layer 1. */ in TEST_F_FORK()
1209 /* Checks that previous access rights are unchanged with layer 2. */ in TEST_F_FORK()
1220 /* Checks that previous access rights are unchanged with layer 3. */ in TEST_F_FORK()
1225 /* This time, denies write access for the file hierarchy. */ in TEST_F_FORK()
1235 * Checks that the only change with layer 4 is that write access is in TEST_F_FORK()
1249 /* Checks that previous access rights are unchanged with layer 5. */ in TEST_F_FORK()
1261 /* Checks that previous access rights are unchanged with layer 6. */ in TEST_F_FORK()
1275 /* Checks read access is now denied with layer 7. */ in TEST_F_FORK()
1287 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
1300 /* Write access is forbidden. */ in TEST_F_FORK()
1302 /* Readdir access is allowed. */ in TEST_F_FORK()
1305 /* Write access is forbidden. */ in TEST_F_FORK()
1307 /* Readdir access is allowed. */ in TEST_F_FORK()
1312 * any new access, only remove some. Once enforced, these rules are in TEST_F_FORK()
1320 * access rights (even if this directory is opened a second time). in TEST_F_FORK()
1336 /* Readdir access is still allowed. */ in TEST_F_FORK()
1341 /* Readdir access is still allowed. */ in TEST_F_FORK()
1345 * Try to get more privileges by adding new access rights to the parent in TEST_F_FORK()
1357 /* Readdir access is still allowed. */ in TEST_F_FORK()
1362 /* Readdir access is still allowed. */ in TEST_F_FORK()
1387 /* Readdir access is still allowed. */ in TEST_F_FORK()
1404 .access = ACCESS_RO, in TEST_F_FORK()
1413 /* Readdir access is denied for dir_s1d2. */ in TEST_F_FORK()
1415 /* Readdir access is allowed for dir_s1d3. */ in TEST_F_FORK()
1417 /* File access is allowed for file1_s1d3. */ in TEST_F_FORK()
1428 /* Readdir access is still denied for dir_s1d2. */ in TEST_F_FORK()
1430 /* Readdir access is still allowed for dir_s1d3. */ in TEST_F_FORK()
1432 /* File access is still allowed for file1_s1d3. */ in TEST_F_FORK()
1442 .access = ACCESS_RO, in TEST_F_FORK()
1471 /* Enforces a policy which denies read access to all files. */ in TEST_F_FORK()
1480 /* Nests a policy which denies read access to all directories. */ in TEST_F_FORK()
1499 .access = ACCESS_RO, in TEST_F_FORK()
1504 .access = ACCESS_RO, in TEST_F_FORK()
1528 .access = ACCESS_RO, in TEST_F_FORK()
1533 .access = ACCESS_RO, in TEST_F_FORK()
1561 .access = ACCESS_RO, in TEST_F_FORK()
1571 /* Checks allowed access. */ in TEST_F_FORK()
1575 rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE; in TEST_F_FORK()
1581 /* Checks denied access (on a directory). */ in TEST_F_FORK()
1591 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1601 /* Checks denied access (on a directory). */ in TEST_F_FORK()
1611 .access = ACCESS_RO, in TEST_F_FORK()
1639 .access = ACCESS_RO, in TEST_F_FORK()
1662 .access = ACCESS_RO, in TEST_F_FORK()
1755 .access = ACCESS_RO, in TEST_F_FORK()
1759 .access = ACCESS_RO, in TEST_F_FORK()
1763 .access = ACCESS_RO, in TEST_F_FORK()
1801 .access = ACCESS_RO, in test_relative_path()
1808 .access = ACCESS_RO, in test_relative_path()
1812 .access = ACCESS_RO, in test_relative_path()
1984 .access = LANDLOCK_ACCESS_FS_EXECUTE, in TEST_F_FORK()
1989 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2017 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2024 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
2028 int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1); in TEST_F_FORK()
2057 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2); in TEST_F_FORK()
2086 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
2090 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
2095 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2168 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, in TEST_F_FORK()
2172 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, in TEST_F_FORK()
2177 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2232 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2236 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2279 ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1); in refer_denied_by_default()
2294 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2); in refer_denied_by_default()
2313 .access = LANDLOCK_ACCESS_FS_REFER,
2322 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2331 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2339 * denying access (with MAKE_REG nor REMOVE).
2360 * denying access (with MAKE_REG nor REMOVE).
2383 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2387 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2391 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2395 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2441 * directory rename (because of the superset of access rights). in TEST_F_FORK()
2461 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2465 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2469 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2473 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2553 * directory rename (because of the superset of access rights). in TEST_F_FORK()
2561 * access rights tied to dir_s2d3. dir_s2d2 is missing one access right in TEST_F_FORK()
2606 .access = LANDLOCK_ACCESS_FS_REFER, in reparent_exdev_layers_enforce1()
2611 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in reparent_exdev_layers_enforce1()
2615 .access = LANDLOCK_ACCESS_FS_REFER, in reparent_exdev_layers_enforce1()
2619 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in reparent_exdev_layers_enforce1()
2638 .access = LANDLOCK_ACCESS_FS_MAKE_DIR, in reparent_exdev_layers_enforce2()
2663 * because it doesn't inherit new access rights. in TEST_F_FORK()
2670 * gets a new inherited access right (MAKE_REG), because MAKE_REG is in TEST_F_FORK()
2774 * because of access rights that would be inherited. in TEST_F_FORK()
2783 /* Checks with same access rights. */ in TEST_F_FORK()
2789 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2799 * directory-related access rights is allowed, and at the same time in TEST_F_FORK()
2801 * grants less access rights is allowed too. in TEST_F_FORK()
2809 * more access rights than the current state and because file creation in TEST_F_FORK()
2837 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2846 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2906 .access = LANDLOCK_ACCESS_FS_REFER | in TEST_F_FORK()
2911 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
2915 .access = LANDLOCK_ACCESS_FS_REFER | in TEST_F_FORK()
2930 /* Access denied because of wrong/swapped remove file/dir. */ in TEST_F_FORK()
2942 /* Access allowed thanks to the matching rights. */ in TEST_F_FORK()
2968 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2972 .access = LANDLOCK_ACCESS_FS_EXECUTE, in TEST_F_FORK()
2976 .access = LANDLOCK_ACCESS_FS_MAKE_SOCK | in TEST_F_FORK()
2981 .access = LANDLOCK_ACCESS_FS_REFER | in TEST_F_FORK()
2987 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3008 * access right. in TEST_F_FORK()
3014 * superset of access rights compared to dir_s1d2, because file1_s1d2 in TEST_F_FORK()
3015 * already has these access rights anyway. in TEST_F_FORK()
3023 * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access in TEST_F_FORK()
3030 * of access rights compared to dir_s1d2, because dir_s1d3 already has in TEST_F_FORK()
3031 * these access rights anyway. in TEST_F_FORK()
3038 * will be denied because the new inherited access rights from dir_s1d2 in TEST_F_FORK()
3061 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, in TEST_F_FORK()
3066 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3098 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
3103 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3118 const __u64 access, const mode_t mode, in test_make_file() argument
3124 .access = access, in test_make_file()
3128 const int ruleset_fd = create_ruleset(_metadata, access, rules); in test_make_file()
3212 .access = LANDLOCK_ACCESS_FS_MAKE_SYM, in TEST_F_FORK()
3217 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3257 .access = LANDLOCK_ACCESS_FS_MAKE_DIR, in TEST_F_FORK()
3262 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3297 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
3340 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3345 /* Limits read and write access to files tied to the filesystem. */ in TEST_F_FORK()
3347 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3357 /* Checks access to pipes through FD. */ in TEST_F_FORK()
3366 /* Checks write access to pipe through /proc/self/fd . */ in TEST_F_FORK()
3376 /* Checks read access to pipe through /proc/self/fd . */ in TEST_F_FORK()
3412 * (access type) confusion for this test. in test_creat()
3431 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
3435 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3494 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3500 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3505 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3510 .access = LANDLOCK_ACCESS_FS_TRUNCATE, in TEST_F_FORK()
3512 /* Implicitly: No access rights for file_none. */ in TEST_F_FORK()
3515 .access = LANDLOCK_ACCESS_FS_TRUNCATE, in TEST_F_FORK()
3519 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3612 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3620 .access = LANDLOCK_ACCESS_FS_TRUNCATE, in TEST_F_FORK()
3629 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3748 .access = variant->allowed, in TEST_F_FORK()
3789 .access = variant->allowed, in TEST_F_FORK()
3927 * Sets access right on parent directories of both source and in TEST_F_FORK()
3933 .access = ACCESS_RO, in TEST_F_FORK()
3937 .access = ACCESS_RW, in TEST_F_FORK()
3942 * Sets access rights on the same bind-mounted directories. The result in TEST_F_FORK()
3949 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
3953 .access = ACCESS_RW, in TEST_F_FORK()
3957 /* Only allow read-access to the s1d3 hierarchies. */ in TEST_F_FORK()
3961 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
3965 /* Removes all access rights. */ in TEST_F_FORK()
3969 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
4066 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
4070 .access = LANDLOCK_ACCESS_FS_EXECUTE, in TEST_F_FORK()
4343 /* Sets access right on parent directories of both layers. */ in TEST_F_FORK()
4347 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4351 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4355 .access = ACCESS_RW, in TEST_F_FORK()
4362 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4366 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4370 .access = ACCESS_RW, in TEST_F_FORK()
4374 /* Sets access right on directories inside both layers. */ in TEST_F_FORK()
4378 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4382 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4386 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4390 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4394 .access = ACCESS_RW, in TEST_F_FORK()
4398 .access = ACCESS_RW, in TEST_F_FORK()
4402 .access = ACCESS_RW, in TEST_F_FORK()
4406 /* Tighten access rights to the files. */ in TEST_F_FORK()
4410 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4414 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4418 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4422 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4426 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4430 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4434 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4439 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4444 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4449 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4454 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4462 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4507 * Checks that access rights are independent from the lower and upper in TEST_F_FORK()
4508 * layers: write access to upper files viewed through the merge point in TEST_F_FORK()
4509 * is still allowed, and write access to lower file viewed (and copied) in TEST_F_FORK()
4592 /* Only allows access to the merge hierarchy. */ in TEST_F_FORK()
4773 .access = LANDLOCK_ACCESS_FS_READ_FILE, in layer3_fs_tag_inode()
4807 /* Checks with Landlock and forbidden access. */ in layer3_fs_tag_inode()
4841 .access = LANDLOCK_ACCESS_FS_READ_DIR, in TEST_F_FORK()
4875 /* Checks that access to the new mount point is denied. */ in TEST_F_FORK()