Changes in config

6a500b22 - selftests/landlock: Add tests for audit flags and domain IDs

Thu, 20 Mar 2025 19:07:11 +0000

selftests/landlock: Add tests for audit flags and domain IDsAdd audit_test.c to check with and without LANDLOCK_RESTRICT_SELF_*flags against the two Landlock audit record types:AUDIT_LANDLOCK_ACCESS and AUDIT_LANDLOCK_DOMAIN.Check consistency of domain IDs per layer in AUDIT_LANDLOCK_ACCESS andAUDIT_LANDLOCK_DOMAIN messages: denied access, domain allocation, anddomain deallocation.These tests use signal scoping to make it simple. They are not in thescoped_signal_test.c file but in the new dedicated audit_test.c file.Tests are run with audit filters to ensure the audit records come fromthe test program. Moreover, because there can only be one auditprocess, tests would failed if run in parallel. Because of auditlimitations, tests can only be run in the initial namespace.The audit test helpers were inspired by libaudit andtools/testing/selftests/net/netfilter/audit_logread.cCc: Günther Noack Cc: Paul Moore Cc: Phil Sutter Link: https://lore.kernel.org/r/20250320190717.2287696-23-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux-6.15/tools/testing/selftests/landlock/config

3d403398 - selftests/landlock: Test that MPTCP actions are not restricted

Wed, 05 Feb 2025 09:36:51 +0000

selftests/landlock: Test that MPTCP actions are not restrictedExtend protocol fixture with test suits for MPTCP protocol.Add CONFIG_MPTCP and CONFIG_MPTCP_IPV6 options in config.Signed-off-by: Mikhail Ivanov Link: https://lore.kernel.org/r/20250205093651.1424339-4-ivanov.mikhail1@huawei-partners.comCc: # 6.7.xSigned-off-by: Mickaël Salaün List of files: /linux-6.15/tools/testing/selftests/landlock/config

89cb121e - selftests/landlock: Enable the new CONFIG_AF_UNIX_OOB

Tue, 11 Feb 2025 13:25:28 +0000

selftests/landlock: Enable the new CONFIG_AF_UNIX_OOBSince commit 5155cbcdbf03 ("af_unix: Add a prompt toCONFIG_AF_UNIX_OOB"), the Landlock selftests's configuration is notenough to build a minimal kernel. Because scoped_signal_test checkswith the MSG_OOB flag, we need to enable CONFIG_AF_UNIX_OOB for tests: # RUN fown.no_sandbox.sigurg_socket ... # scoped_signal_test.c:420:sigurg_socket:Expected 1 (1) == send(client_socket, ".", 1, MSG_OOB) (-1) # sigurg_socket: Test terminated by assertion # FAIL fown.no_sandbox.sigurg_socket ...Cc: Günther Noack Acked-by: Florent Revest Link: https://lore.kernel.org/r/20250211132531.1625566-1-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux-6.15/tools/testing/selftests/landlock/config

cc374782 - selftests/landlock: Add cred_transfer test

Wed, 24 Jul 2024 14:54:26 +0000

selftests/landlock: Add cred_transfer testCheck that keyctl(KEYCTL_SESSION_TO_PARENT) preserves the parent'srestrictions.Fixes: e1199815b47b ("selftests/landlock: Add user space tests")Co-developed-by: Jann Horn Signed-off-by: Jann Horn Link: https://lore.kernel.org/r/20240724.Ood5aige9she@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux-6.15/tools/testing/selftests/landlock/config

a549d055 - selftests/landlock: Add network tests

Thu, 26 Oct 2023 01:47:49 +0000

selftests/landlock: Add network testsAdd 82 test suites to check edge cases related to bind() and connect()actions. They are defined with 6 fixtures and their variants:The "protocol" fixture is extended with 12 variants defined as a matrixof: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, andstream/datagram socket. 4 related tests suites are defined:* bind: Tests bind action.* connect: Tests connect action.* bind_unspec: Tests bind action with the AF_UNSPEC socket family.* connect_unspec: Tests connect action with the AF_UNSPEC socket family.The "ipv4" fixture is extended with 4 variants defined as a matrixof: sandboxed/not-sandboxed, and stream/datagram socket. 1 related testsuite is defined:* from_unix_to_inet: Tests to make sure unix sockets' actions are not restricted by Landlock rules applied to TCP ones.The "tcp_layers" fixture is extended with 8 variants defined as a matrixof: IPv4/IPv6 network domain, and different number of landlock rulelayers. 2 related tests suites are defined:* ruleset_overlap: Tests nested layers with less constraints.* ruleset_expand: Tests nested layers with more constraints.In the "mini" fixture 4 tests suites are defined:* network_access_rights: Tests handling of known access rights.* unknown_access_rights: Tests handling of unknown access rights.* inval: Tests unhandled allowed access and zero access value.* tcp_port_overflow: Tests with port values greater than 65535.The "ipv4_tcp" fixture supports IPv4 network domain with stream socket.2 tests suites are defined:* port_endianness: Tests with big/little endian port formats.* with_fs: Tests a ruleset with both filesystem and network restrictions.The "port_specific" fixture is extended with 4 variants definedas a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain,and stream socket. 2 related tests suites are defined:* bind_connect_zero: Tests with port 0.* bind_connect_1023: Tests with port 1023.Test coverage for security/landlock is 92.4% of 710 lines according togcc/gcov-13.Signed-off-by: Konstantin Meskhidze Link: https://lore.kernel.org/r/20231026014751.414649-11-konstantin.meskhidze@huawei.com[mic: Extend commit message, update test coverage, clean up capabilityuse, fix useless TEST_F_FORK, and improve ipv4_tcp.with_fs]Co-developed-by: Mickaël Salaün Signed-off-by: Mickaël Salaün List of files: /linux-6.15/tools/testing/selftests/landlock/config

04f9070e - selftests/landlock: Add tests for pseudo filesystems

Mon, 12 Jun 2023 19:14:29 +0000

selftests/landlock: Add tests for pseudo filesystemsAdd generic and read-only tests for 6 pseudo filesystems to make surethey have a consistent inode management, which is required forLandlock's file hierarchy identification:- tmpfs- ramfs- cgroup2- proc- sysfsUpdate related kernel configuration to support these new filesystems,remove useless CONFIG_SECURITY_PATH, and sort all entries. If thesefilesystems are not supported by the kernel running tests, the relatedtests are skipped.Expanding variants, this adds 25 new tests for layout3_fs:- tag_inode_dir_parent- tag_inode_dir_mnt- tag_inode_dir_child- tag_inode_dir_file- release_inodesTest coverage for security/landlock with kernel debug code:- 94.7% of 835 lines according to gcc/gcov-12- 93.0% of 852 lines according to gcc/gcov-13Test coverage for security/landlock without kernel debug code:- 95.5% of 624 lines according to gcc/gcov-12- 93.1% of 641 lines according to gcc/gcov-13Link: https://lore.kernel.org/r/20230612191430.339153-6-mic@digikod.netSigned-off-by: Mickaël Salaün List of files: /linux-6.15/tools/testing/selftests/landlock/config

e1199815 - selftests/landlock: Add user space tests

Thu, 22 Apr 2021 15:41:20 +0000

selftests/landlock: Add user space testsTest all Landlock system calls, ptrace hooks semantic and filesystemaccess-control with multiple layouts.Test coverage for security/landlock/ is 93.6% of lines. The code notcovered only deals with internal kernel errors (e.g. memory allocation)and race conditions.Cc: James Morris Cc: Jann Horn Cc: Serge E. Hallyn Cc: Shuah Khan Signed-off-by: Mickaël Salaün Reviewed-by: Vincent Dagonneau Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20210422154123.13086-11-mic@digikod.netSigned-off-by: James Morris List of files: /linux-6.15/tools/testing/selftests/landlock/config