[PATCH v4 30/30] selftests/landlock: Test compatibility with audit rule lists
From: Mickaël Salaün
Date: Wed Jan 08 2025 - 10:51:48 EST
Add compatibility.lists tests to make sure AUDIT_EXE_LANDLOCK_DENY is
only allowed for AUDIT_FILTER_EXCLUDE, AUDIT_FILTER_EXIT, and
AUDIT_FILTER_URING_EXIT.
Test coverage for security/landlock is 93.5% of 1635 lines according to
gcc/gcov-14.
Cc: Günther Noack <gnoack@xxxxxxxxxx>
Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
Link: https://lore.kernel.org/r/20250108154338.1129069-31-mic@xxxxxxxxxxx
---
Changes since v3:
- New patch.
---
tools/testing/selftests/landlock/audit_test.c | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
diff --git a/tools/testing/selftests/landlock/audit_test.c b/tools/testing/selftests/landlock/audit_test.c
index 921f316ddbf8..d9f227680641 100644
--- a/tools/testing/selftests/landlock/audit_test.c
+++ b/tools/testing/selftests/landlock/audit_test.c
@@ -308,4 +308,82 @@ TEST_F(audit_rule, exe_landlock_deny)
ASSERT_EQ(0, WEXITSTATUS(status));
}
+FIXTURE(compatibility)
+{
+ struct audit_filter filter_self;
+ int audit_fd;
+};
+
+FIXTURE_SETUP(compatibility)
+{
+ disable_caps(_metadata);
+ set_cap(_metadata, CAP_AUDIT_CONTROL);
+ self->audit_fd = audit_init_with_exe_filter(&self->filter_self);
+ EXPECT_LE(0, self->audit_fd)
+ {
+ const char *error_msg;
+
+ /* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */
+ if (self->audit_fd == -EEXIST)
+ error_msg = "socket already in use (e.g. auditd)";
+ else
+ error_msg = strerror(-self->audit_fd);
+ TH_LOG("Failed to initialize audit: %s", error_msg);
+ }
+ clear_cap(_metadata, CAP_AUDIT_CONTROL);
+}
+
+FIXTURE_TEARDOWN(compatibility)
+{
+ set_cap(_metadata, CAP_AUDIT_CONTROL);
+ EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->filter_self));
+ clear_cap(_metadata, CAP_AUDIT_CONTROL);
+}
+
+TEST_F(compatibility, lists)
+{
+ struct audit_filter filter_test;
+ size_t num_ok = 0;
+ __u32 list;
+
+ EXPECT_EQ(0, audit_init_filter_exe(AUDIT_EXE_LANDLOCK_DENY,
+ &filter_test, NULL));
+ set_cap(_metadata, CAP_AUDIT_CONTROL);
+
+ for (list = 0; list < AUDIT_NR_FILTERS; list++) {
+ int err;
+
+ switch (list) {
+ case AUDIT_FILTER_EXIT:
+ case AUDIT_FILTER_EXCLUDE:
+ case AUDIT_FILTER_URING_EXIT:
+ num_ok++;
+ err = 0;
+ break;
+ default:
+ err = -EINVAL;
+ break;
+ }
+
+ /*
+ * Testing AUDIT_FILTER_ENTRY prints "auditfilter:
+ * AUDIT_FILTER_ENTRY is deprecated" in kernel logs.
+ */
+ EXPECT_EQ(err, audit_filter_exe(self->audit_fd, &filter_test,
+ AUDIT_ADD_RULE, list))
+ {
+ TH_LOG("Unexpected result for list %u", list);
+ }
+ EXPECT_EQ(err, audit_filter_exe(self->audit_fd, &filter_test,
+ AUDIT_DEL_RULE, list))
+ {
+ TH_LOG("Unexpected result for list %u", list);
+ }
+ }
+
+ /* Makes sure the three accepted lists are checked. */
+ EXPECT_EQ(3, num_ok);
+ clear_cap(_metadata, CAP_AUDIT_CONTROL);
+}
+
TEST_HARNESS_MAIN
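Review bot: In TEST_F(compatibility, lists) the AUDIT_DEL_RULE check runs unconditionally after the AUDIT_ADD_RULE check, and both carry the identical message `TH_LOG("Unexpected result for list %u", list)`, so one regression on an accepted list is reported twice with two different errnos and the log does not say which operation failed; I would at least name the operation, e.g. `TH_LOG("Unexpected result for AUDIT_ADD_RULE on list %u", list);` and `TH_LOG("Unexpected result for AUDIT_DEL_RULE on list %u", list);`. A failed delete on one of the three accepted lists also leaves a live AUDIT_EXE_LANDLOCK_DENY rule installed past the test, since FIXTURE_TEARDOWN only cleans up filter_self (audit_cleanup's body is outside the hunk, so this is inferred from its arguments); a short comment noting that manual `auditctl -D`-style cleanup may be needed in that case, or a best-effort second delete, would help whoever debugs it. Likewise, when FIXTURE_SETUP's `EXPECT_LE(0, self->audit_fd)` fails the test still iterates over every list with a negative fd and emits 2*AUDIT_NR_FILTERS more failures after the one meaningful "Failed to initialize audit" line; if this setup mirrors the audit_rule fixture above it should stay consistent with it, otherwise an ASSERT_LE there would stop at the root cause.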
--
2.47.1