summaryrefslogtreecommitdiff
path: root/tools/testing/selftests/landlock/common.h
diff options
context:
space:
mode:
authorKonstantin Meskhidze <konstantin.meskhidze@huawei.com>2023-10-26 04:47:49 +0300
committerMickaël Salaün <mic@digikod.net>2023-10-26 22:07:16 +0300
commita549d055a22e4fc5559ef642b30721899fa07b75 (patch)
tree07cae0081c802a3e322002a7df5a2bdda49c7ab6 /tools/testing/selftests/landlock/common.h
parent1fa335209f6ad9d554655bb802c5b49b855d6237 (diff)
downloadlinux-a549d055a22e4fc5559ef642b30721899fa07b75.tar.xz
selftests/landlock: Add network tests
Add 82 test suites to check edge cases related to bind() and connect() actions. They are defined with 6 fixtures and their variants: The "protocol" fixture is extended with 12 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and stream/datagram socket. 4 related tests suites are defined: * bind: Tests bind action. * connect: Tests connect action. * bind_unspec: Tests bind action with the AF_UNSPEC socket family. * connect_unspec: Tests connect action with the AF_UNSPEC socket family. The "ipv4" fixture is extended with 4 variants defined as a matrix of: sandboxed/not-sandboxed, and stream/datagram socket. 1 related test suite is defined: * from_unix_to_inet: Tests to make sure unix sockets' actions are not restricted by Landlock rules applied to TCP ones. The "tcp_layers" fixture is extended with 8 variants defined as a matrix of: IPv4/IPv6 network domain, and different number of landlock rule layers. 2 related tests suites are defined: * ruleset_overlap: Tests nested layers with less constraints. * ruleset_expand: Tests nested layers with more constraints. In the "mini" fixture 4 tests suites are defined: * network_access_rights: Tests handling of known access rights. * unknown_access_rights: Tests handling of unknown access rights. * inval: Tests unhandled allowed access and zero access value. * tcp_port_overflow: Tests with port values greater than 65535. The "ipv4_tcp" fixture supports IPv4 network domain with stream socket. 2 tests suites are defined: * port_endianness: Tests with big/little endian port formats. * with_fs: Tests a ruleset with both filesystem and network restrictions. The "port_specific" fixture is extended with 4 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain, and stream socket. 2 related tests suites are defined: * bind_connect_zero: Tests with port 0. * bind_connect_1023: Tests with port 1023. Test coverage for security/landlock is 92.4% of 710 lines according to gcc/gcov-13. Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Link: https://lore.kernel.org/r/20231026014751.414649-11-konstantin.meskhidze@huawei.com [mic: Extend commit message, update test coverage, clean up capability use, fix useless TEST_F_FORK, and improve ipv4_tcp.with_fs] Co-developed-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'tools/testing/selftests/landlock/common.h')
-rw-r--r--tools/testing/selftests/landlock/common.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
index 0fd6c4cf5e6f..5b79758cae62 100644
--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@@ -112,10 +112,13 @@ static void _init_caps(struct __test_metadata *const _metadata, bool drop_all)
cap_t cap_p;
/* Only these three capabilities are useful for the tests. */
const cap_value_t caps[] = {
+ /* clang-format off */
CAP_DAC_OVERRIDE,
CAP_MKNOD,
CAP_SYS_ADMIN,
CAP_SYS_CHROOT,
+ CAP_NET_BIND_SERVICE,
+ /* clang-format on */
};
cap_p = cap_get_proc();