Lines Matching +full:test +full:- +full:rules
1 // SPDX-License-Identifier: GPL-2.0
3 * Landlock tests - Filesystem
5 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
7 * Copyright © 2020-2022 Microsoft Corporation
132 /* Ignores too-long filesystem names. */ in supports_filesystem()
218 for (i = strlen(walker); i > 0; i--) { in remove_path()
253 return mount(mnt->source ?: mnt->type, target, mnt->type, mnt->flags, in mount_opt()
254 mnt->data); in mount_opt()
272 TH_LOG("Failed to mount the %s filesystem: %s", mnt->type, in prepare_layout_opt()
299 /* clang-format off */
301 /* clang-format on */
360 /* clang-format off */
362 /* clang-format on */
380 * pointing to the test caller.
393 * (access type) confusion for this test. in test_open_rel()
433 .parent_fd = -1, in TEST_F_FORK()
447 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, in TEST_F_FORK()
449 /* Returns EBADF because ruleset_fd is not a landlock-ruleset FD. */ in TEST_F_FORK()
455 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, in TEST_F_FORK()
478 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, in TEST_F_FORK()
487 /* Test with legitimate values. */ in TEST_F_FORK()
489 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, in TEST_F_FORK()
494 /* Tests with denied-by-default access right. */ in TEST_F_FORK()
496 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, in TEST_F_FORK()
501 /* Test with unknown (64-bits) value. */ in TEST_F_FORK()
503 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, in TEST_F_FORK()
508 /* Test with no access. */ in TEST_F_FORK()
510 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, in TEST_F_FORK()
524 /* clang-format off */
548 /* clang-format on */
585 ASSERT_EQ(-1, err); in TEST_F_FORK()
604 ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, in TEST_F_FORK()
628 EXPECT_EQ(-1, landlock_add_rule(ruleset_fd, in TEST_F_FORK()
662 EXPECT_EQ(-1, err); in TEST_F_FORK()
699 /* clang-format off */
709 /* clang-format on */
713 const struct rule rules[]) in create_ruleset() argument
720 ASSERT_NE(NULL, rules) in create_ruleset()
724 ASSERT_NE(NULL, rules[0].path) in create_ruleset()
736 for (i = 0; rules[i].path; i++) { in create_ruleset()
737 add_path_beneath(_metadata, ruleset_fd, rules[i].access, in create_ruleset()
738 rules[i].path); in create_ruleset()
745 const struct rule rules[] = { in TEST_F_FORK() local
755 _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR, in TEST_F_FORK()
756 rules); in TEST_F_FORK()
779 * Checks that it is not possible to add nsfs-like filesystem in TEST_F_FORK()
786 ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, in TEST_F_FORK()
794 const struct rule rules[] = { in TEST_F_FORK() local
805 ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules); in TEST_F_FORK()
807 ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0)); in TEST_F_FORK()
817 const struct rule rules[] = { in TEST_F_FORK() local
829 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
865 /* Just in case, double-checks effective actions. */ in TEST_F_FORK()
868 ASSERT_EQ(-1, write(reg_fd, &buf, 1)); in TEST_F_FORK()
875 const struct rule rules[] = { in TEST_F_FORK() local
883 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules); in TEST_F_FORK()
891 * opening for write-only should be allowed, but not read-write. in TEST_F_FORK()
902 const struct rule rules[] = { in TEST_F_FORK() local
903 /* These rules should be ORed among them. */ in TEST_F_FORK()
916 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1075 ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0)); in TEST_F_FORK()
1087 ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0)); in TEST_F_FORK()
1092 ASSERT_EQ(-1, unlink(file1_s1d2)); in TEST_F_FORK()
1100 * Checks overly restrictive rules: in TEST_F_FORK()
1109 * layer 6: allows X ---- in TEST_F_FORK()
1123 /* Start by granting read-write access via its parent directory... */ in TEST_F_FORK()
1137 /* Allows read access via its great-grandparent directory. */ in TEST_F_FORK()
1169 * (non-overlapping) type. in TEST_F_FORK()
1284 const struct rule rules[] = { in TEST_F_FORK() local
1292 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1311 * Tests shared rule extension: the following rules should not grant in TEST_F_FORK()
1312 * any new access, only remove some. Once enforced, these rules are in TEST_F_FORK()
1401 const struct rule rules[] = { in TEST_F_FORK() local
1408 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1439 const struct rule rules[] = { in TEST_F_FORK() local
1446 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1454 ASSERT_EQ(-1, err); in TEST_F_FORK()
1468 ASSERT_LE(-1, ruleset_fd); in TEST_F_FORK()
1496 const struct rule rules[] = { in TEST_F_FORK() local
1508 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1525 const struct rule rules[] = { in TEST_F_FORK() local
1537 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1553 * This test verifies that we can apply a landlock rule on the root directory
1558 struct rule rules[] = { in TEST_F_FORK() local
1565 int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1575 rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE; in TEST_F_FORK()
1576 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1588 const struct rule rules[] = { in TEST_F_FORK() local
1595 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1608 const struct rule rules[] = { in TEST_F_FORK() local
1625 ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1636 const struct rule rules[] = { in TEST_F_FORK() local
1643 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1650 ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL)); in TEST_F_FORK()
1652 ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); in TEST_F_FORK()
1659 const struct rule rules[] = { in TEST_F_FORK() local
1666 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1685 ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, in TEST_F_FORK()
1736 ASSERT_EQ(-1, mount_opt(&mnt_tmp, dir_s1d2)); in TEST_F_FORK()
1738 ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_PRIVATE | MS_REC, NULL)); in TEST_F_FORK()
1740 ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, in TEST_F_FORK()
1743 ASSERT_EQ(-1, umount(dir_s3d2)); in TEST_F_FORK()
1745 ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); in TEST_F_FORK()
1752 const struct rule rules[] = { in TEST_F_FORK() local
1767 const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); in TEST_F_FORK()
1961 ASSERT_EQ(err ? -1 : 0, execve(path, argv, NULL)) in test_execute()
1967 _exit(_metadata->passed ? 2 : 1); in test_execute()
1981 const struct rule rules[] = { in TEST_F_FORK() local
1989 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2039 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); in TEST_F_FORK()
2043 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2)); in TEST_F_FORK()
2045 ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3)); in TEST_F_FORK()
2047 ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2)); in TEST_F_FORK()
2083 const struct rule rules[] = { in TEST_F_FORK() local
2095 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2108 ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3)); in TEST_F_FORK()
2110 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d3, in TEST_F_FORK()
2113 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3, in TEST_F_FORK()
2121 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); in TEST_F_FORK()
2123 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3, in TEST_F_FORK()
2126 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3, in TEST_F_FORK()
2131 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1, in TEST_F_FORK()
2135 ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1)); in TEST_F_FORK()
2137 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2, in TEST_F_FORK()
2141 ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2)); in TEST_F_FORK()
2145 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2)); in TEST_F_FORK()
2148 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); in TEST_F_FORK()
2165 const struct rule rules[] = { in TEST_F_FORK() local
2177 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2189 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3, in TEST_F_FORK()
2192 ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3)); in TEST_F_FORK()
2194 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3, in TEST_F_FORK()
2202 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1, in TEST_F_FORK()
2206 ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1)); in TEST_F_FORK()
2208 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2, in TEST_F_FORK()
2212 ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2)); in TEST_F_FORK()
2247 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d1)); in TEST_F_FORK()
2249 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d2)); in TEST_F_FORK()
2251 ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3)); in TEST_F_FORK()
2254 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d1)); in TEST_F_FORK()
2256 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d2)); in TEST_F_FORK()
2262 ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d3)); in TEST_F_FORK()
2286 * layer1_err), then it allows some different-parent renames and links. in refer_denied_by_default()
2301 * LANDLOCK_ACCESS_FS_REFER, which means that any different-parent in refer_denied_by_default()
2348 * Same test but this time turning around the ABI version order: the first
2369 * Same test but this time turning around the ABI version order: the first
2412 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); in TEST_F_FORK()
2415 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2)); in TEST_F_FORK()
2418 ASSERT_EQ(-1, link(file1_s2d1, file1_s1d3)); in TEST_F_FORK()
2422 ASSERT_EQ(-1, link(file1_s2d2, file1_s1d1)); in TEST_F_FORK()
2425 ASSERT_EQ(-1, link(file1_s2d2, file1_s1d2)); in TEST_F_FORK()
2432 ASSERT_EQ(-1, link(file1_s1d3, file1_s2d2)); in TEST_F_FORK()
2446 ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3)); in TEST_F_FORK()
2448 ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2)); in TEST_F_FORK()
2457 /* Same rules as for reparent_link. */ in TEST_F_FORK()
2489 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s1d1, in TEST_F_FORK()
2492 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file2_s1d1, in TEST_F_FORK()
2496 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); in TEST_F_FORK()
2499 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file2_s1d1, in TEST_F_FORK()
2504 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d2)); in TEST_F_FORK()
2510 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d1, in TEST_F_FORK()
2513 ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s2d1, in TEST_F_FORK()
2518 ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); in TEST_F_FORK()
2521 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d3, in TEST_F_FORK()
2526 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d1)); in TEST_F_FORK()
2529 ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2)); in TEST_F_FORK()
2533 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, file2_s1d3, in TEST_F_FORK()
2540 ASSERT_EQ(-1, rename(file1_s1d3, file1_s2d2)); in TEST_F_FORK()
2571 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3, in TEST_F_FORK()
2574 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s2d3, in TEST_F_FORK()
2577 ASSERT_EQ(-1, rename(file1_s2d3, dir_s1d3)); in TEST_F_FORK()
2580 ASSERT_EQ(-1, rename(file2_s1d2, file1_s1d3)); in TEST_F_FORK()
2582 ASSERT_EQ(-1, rename(file2_s1d3, file1_s1d2)); in TEST_F_FORK()
2591 ASSERT_EQ(-1, rename(dir_s2d3, file1_s1d2)); in TEST_F_FORK()
2596 ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d3)); in TEST_F_FORK()
2689 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d2)); in TEST_F_FORK()
2696 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3)); in TEST_F_FORK()
2704 ASSERT_EQ(-1, rename(file2_s1d3, file1_s2d3)); in TEST_F_FORK()
2713 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2)); in TEST_F_FORK()
2715 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d2)); in TEST_F_FORK()
2717 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3)); in TEST_F_FORK()
2723 ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2)); in TEST_F_FORK()
2725 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2)); in TEST_F_FORK()
2731 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2)); in TEST_F_FORK()
2734 ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d2)); in TEST_F_FORK()
2736 ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3)); in TEST_F_FORK()
2742 ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3)); in TEST_F_FORK()
2746 ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2)); in TEST_F_FORK()
2748 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2)); in TEST_F_FORK()
2765 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3, in TEST_F_FORK()
2768 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1, in TEST_F_FORK()
2776 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, in TEST_F_FORK()
2779 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, in TEST_F_FORK()
2789 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2799 * directory-related access rights is allowed, and at the same time in TEST_F_FORK()
2812 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, in TEST_F_FORK()
2815 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, in TEST_F_FORK()
2822 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3, in TEST_F_FORK()
2825 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1, in TEST_F_FORK()
2830 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, in TEST_F_FORK()
2833 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, in TEST_F_FORK()
2837 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2838 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3, in TEST_F_FORK()
2842 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3, in TEST_F_FORK()
2846 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2847 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2, in TEST_F_FORK()
2851 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3, in TEST_F_FORK()
2869 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, in TEST_F_FORK()
2872 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, in TEST_F_FORK()
2893 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3, in TEST_F_FORK()
2896 ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2, in TEST_F_FORK()
2931 ASSERT_EQ(-1, rename(file1_s1d1, dir_s2d2)); in TEST_F_FORK()
2933 ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d1)); in TEST_F_FORK()
2935 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d2, in TEST_F_FORK()
2938 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d3, in TEST_F_FORK()
2943 ASSERT_EQ(-1, rename(file1_s2d1, dir_s1d2)); in TEST_F_FORK()
2945 ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d1)); in TEST_F_FORK()
2947 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1)); in TEST_F_FORK()
2958 ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3, in TEST_F_FORK()
3004 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d1)); in TEST_F_FORK()
3010 ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d3)); in TEST_F_FORK()
3020 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1)); in TEST_F_FORK()
3026 ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3)); in TEST_F_FORK()
3043 ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3)); in TEST_F_FORK()
3048 * Checks similar directory one-way move: dir_s2d3 loses EXECUTE and in TEST_F_FORK()
3052 ASSERT_EQ(-1, rename(file2_s1d2, dir_s2d3)); in TEST_F_FORK()
3058 const struct rule rules[] = { in TEST_F_FORK() local
3066 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3083 ASSERT_EQ(-1, rmdir(dir_s1d2)); in TEST_F_FORK()
3085 ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d2, AT_REMOVEDIR)); in TEST_F_FORK()
3087 ASSERT_EQ(-1, rmdir(dir_s1d1)); in TEST_F_FORK()
3089 ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d1, AT_REMOVEDIR)); in TEST_F_FORK()
3095 const struct rule rules[] = { in TEST_F_FORK() local
3103 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3109 ASSERT_EQ(-1, unlink(file1_s1d1)); in TEST_F_FORK()
3111 ASSERT_EQ(-1, unlinkat(AT_FDCWD, file1_s1d1, 0)); in TEST_F_FORK()
3121 const struct rule rules[] = { in test_make_file() local
3128 const int ruleset_fd = create_ruleset(_metadata, access, rules); in test_make_file()
3149 ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev)); in test_make_file()
3151 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); in test_make_file()
3153 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); in test_make_file()
3209 const struct rule rules[] = { in TEST_F_FORK() local
3217 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3234 ASSERT_EQ(-1, symlink("none", file1_s1d1)); in TEST_F_FORK()
3236 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); in TEST_F_FORK()
3238 ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1)); in TEST_F_FORK()
3254 const struct rule rules[] = { in TEST_F_FORK() local
3262 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3274 ASSERT_EQ(-1, mkdir(file1_s1d1, 0700)); in TEST_F_FORK()
3294 const struct rule rules[] = { in TEST_F_FORK() local
3305 rules); in TEST_F_FORK()
3322 ASSERT_EQ(-1, proc_fd) in TEST_F_FORK()
3337 const struct rule rules[] = { in TEST_F_FORK() local
3347 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3412 * (access type) confusion for this test. in test_creat()
3428 const struct rule rules[] = { in TEST_F_FORK() local
3446 ruleset_fd = create_ruleset(_metadata, handled, rules); in TEST_F_FORK()
3491 const struct rule rules[] = { in TEST_F_FORK() local
3529 ruleset_fd = create_ruleset(_metadata, handled, rules); in TEST_F_FORK()
3594 * This test opens a new file descriptor at different stages of in TEST_F_FORK()
3674 /* clang-format off */
3676 /* clang-format on */
3698 /* clang-format off */
3700 /* clang-format on */ in FIXTURE_VARIANT_ADD()
3707 /* clang-format off */
3709 /* clang-format on */ in FIXTURE_VARIANT_ADD()
3716 /* clang-format off */
3718 /* clang-format on */ in FIXTURE_VARIANT_ADD()
3725 /* clang-format off */
3727 /* clang-format on */ in FIXTURE_VARIANT_ADD()
3734 /* clang-format off */
3736 /* clang-format on */ in FIXTURE_VARIANT_ADD()
3745 const struct rule rules[] = { in TEST_F_FORK() local
3748 .access = variant->allowed, in TEST_F_FORK()
3755 ruleset_fd = create_ruleset(_metadata, variant->handled, rules); in TEST_F_FORK()
3761 EXPECT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0)); in TEST_F_FORK()
3763 EXPECT_EQ(variant->expected_ftruncate_result, in TEST_F_FORK()
3783 * non-landlocked parent process. in TEST_F_FORK()
3786 const struct rule rules[] = { in TEST_F_FORK() local
3789 .access = variant->allowed, in TEST_F_FORK()
3795 ruleset_fd = create_ruleset(_metadata, variant->handled, rules); in TEST_F_FORK()
3801 ASSERT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0)); in TEST_F_FORK()
3810 _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE); in TEST_F_FORK()
3814 if (variant->expected_open_result == 0) { in TEST_F_FORK()
3818 EXPECT_EQ(variant->expected_ftruncate_result, in TEST_F_FORK()
3831 TEST(memfd_ftruncate) in TEST() function
3847 /* clang-format off */
3849 /* clang-format on */
3942 * Sets access rights on the same bind-mounted directories. The result in TEST_F_FORK()
3957 /* Only allow read-access to the s1d3 hierarchies. */ in TEST_F_FORK()
3975 /* Sets rules for the parent directories. */ in TEST_F_FORK()
3997 /* Sets rules for the mount points. */ in TEST_F_FORK()
4083 ASSERT_EQ(-1, rename(file1_s1d1, file1_s1d2)); in TEST_F_FORK()
4086 /* Checks real cross-mount move (Landlock is not involved). */ in TEST_F_FORK()
4087 ASSERT_EQ(-1, rename(file1_s2d1, file1_s2d2)); in TEST_F_FORK()
4091 ASSERT_EQ(-1, rename(file1_s2d2, bind_file1_s1d3)); in TEST_F_FORK()
4231 self->skip_test = true; in FIXTURE_SETUP()
4271 if (self->skip_test) in FIXTURE_TEARDOWN()
4305 if (self->skip_test) in TEST_F_FORK()
4306 SKIP(return, "overlayfs is not supported (test)"); in TEST_F_FORK()
4471 if (self->skip_test) in TEST_F_FORK()
4472 SKIP(return, "overlayfs is not supported (test)"); in TEST_F_FORK()
4474 /* Sets rules on base directories (i.e. outside overlay scope). */ in TEST_F_FORK()
4522 /* Sets rules on data directories (i.e. inside overlay scope). */ in TEST_F_FORK()
4539 /* Same checks with tighter rules. */ in TEST_F_FORK()
4564 /* Sets rules directly on overlayed files. */ in TEST_F_FORK()
4634 /* clang-format off */
4636 /* clang-format on */ in FIXTURE_VARIANT_ADD()
4656 .file_path = TMP_DIR "/test/cgroup.procs", in FIXTURE_VARIANT_ADD()
4688 if (!supports_filesystem(variant->mnt.type) || in FIXTURE_SETUP()
4689 !cwd_matches_fs(variant->cwd_fs_magic)) { in FIXTURE_SETUP()
4690 self->skip_test = true; in FIXTURE_SETUP()
4694 slash = strrchr(variant->file_path, '/'); in FIXTURE_SETUP()
4696 dir_len = (size_t)slash - (size_t)variant->file_path; in FIXTURE_SETUP()
4698 self->dir_path = malloc(dir_len + 1); in FIXTURE_SETUP()
4699 self->dir_path[dir_len] = '\0'; in FIXTURE_SETUP()
4700 strncpy(self->dir_path, variant->file_path, dir_len); in FIXTURE_SETUP()
4702 prepare_layout_opt(_metadata, &variant->mnt); in FIXTURE_SETUP()
4705 if (stat(self->dir_path, &statbuf)) { in FIXTURE_SETUP()
4707 EXPECT_EQ(0, mkdir(self->dir_path, 0700)) in FIXTURE_SETUP()
4710 self->dir_path, strerror(errno)); in FIXTURE_SETUP()
4711 free(self->dir_path); in FIXTURE_SETUP()
4712 self->dir_path = NULL; in FIXTURE_SETUP()
4714 self->has_created_dir = true; in FIXTURE_SETUP()
4719 if (stat(variant->file_path, &statbuf)) { in FIXTURE_SETUP()
4723 fd = creat(variant->file_path, 0600); in FIXTURE_SETUP()
4727 variant->file_path, strerror(errno)); in FIXTURE_SETUP()
4730 self->has_created_file = true; in FIXTURE_SETUP()
4737 if (self->skip_test) in FIXTURE_TEARDOWN()
4740 if (self->has_created_file) { in FIXTURE_TEARDOWN()
4744 * have been removed (cf. release_inode test). in FIXTURE_TEARDOWN()
4746 unlink(variant->file_path); in FIXTURE_TEARDOWN()
4750 if (self->has_created_dir) { in FIXTURE_TEARDOWN()
4754 * have been removed (cf. release_inode test). in FIXTURE_TEARDOWN()
4756 rmdir(self->dir_path); in FIXTURE_TEARDOWN()
4759 free(self->dir_path); in FIXTURE_TEARDOWN()
4760 self->dir_path = NULL; in FIXTURE_TEARDOWN()
4783 if (self->skip_test) in layer3_fs_tag_inode()
4784 SKIP(return, "this filesystem is not supported (test)"); in layer3_fs_tag_inode()
4788 EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); in layer3_fs_tag_inode()
4797 EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); in layer3_fs_tag_inode()
4809 EXPECT_EQ(EACCES, test_open(variant->file_path, O_RDONLY | O_CLOEXEC)); in layer3_fs_tag_inode()
4816 /* The current directory must not be the root for this test. */ in TEST_F_FORK()
4827 layer3_fs_tag_inode(_metadata, self, variant, self->dir_path); in TEST_F_FORK()
4832 layer3_fs_tag_inode(_metadata, self, variant, variant->file_path); in TEST_F_FORK()
4847 if (self->skip_test) in TEST_F_FORK()
4848 SKIP(return, "this filesystem is not supported (test)"); in TEST_F_FORK()
4851 if (self->has_created_file) in TEST_F_FORK()
4852 EXPECT_EQ(0, remove_path(variant->file_path)); in TEST_F_FORK()
4854 if (self->has_created_dir) in TEST_F_FORK()
4856 remove_path(self->dir_path); in TEST_F_FORK()