StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror) https://git.radix-linux.su/starfive-tech/linux.git/atom?h=visionfive 2025-06-19T11:55:41+00:00 2025-06-19T11:55:41+00:00 Mickaël Salaün mic@digikod.net 2025-06-06T11:08:09+00:00 urn:sha1:dae01387e6a9bbce31f6c62839733ab8b63e16f3 This test checks that a rule on a directory used as a mount point does not grant access to the mount covering it. It is a generalization of the bind mount case in layout3_fs.hostfs.release_inodes [1] that tests hidden mount points. Cc: Günther Noack <gnoack@google.com> Cc: Song Liu <song@kernel.org> Cc: Tingmao Wang <m@maowtm.org> Link: https://lore.kernel.org/r/20250606.zo5aekae6Da6@digikod.net [1] Link: https://lore.kernel.org/r/20250606110811.211297-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-06-19T11:55:40+00:00 Song Liu song@kernel.org 2025-06-05T21:44:16+00:00 urn:sha1:dc58130bc38f09b162aa3b216f8b8f1e0a56127b We are hitting build error on CentOS 9: audit_test.c:232:40: error: ‘O_CLOEXEC’ undeclared (...) Fix this by including fcntl.h. Signed-off-by: Song Liu <song@kernel.org> Link: https://lore.kernel.org/r/20250605214416.1885878-1-song@kernel.org Fixes: 6b4566400a29 ("selftests/landlock: Add PID tests for audit records") Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-06-19T11:55:38+00:00 Mickaël Salaün mic@digikod.net 2025-05-28T14:44:25+00:00 urn:sha1:94a7ce26428d3a7ceb46c503ed726160578b9fcc The audit_init_filter_exe() helper incorrectly checks the readlink(2) error because an unsigned integer is used to store the result. Use a signed integer for this check. Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/r/aDbFwyZ_fM-IO7sC@stanley.mountain Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs") Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250528144426.1709063-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-04-11T10:53:22+00:00 Mickaël Salaün mic@digikod.net 2025-04-10T17:17:23+00:00 urn:sha1:6b4566400a2919e6c1137404c53d7cf1ada559aa Add audit.thread tests to check that the PID tied to a domain is not a thread ID but the thread group ID. These new tests would not pass without the previous TGID fix. Extend matches_log_domain_allocated() to check against the PID that created the domain. Test coverage for security/landlock is 93.6% of 1524 lines according to gcc/gcov-14. Cc: Christian Brauner <brauner@kernel.org> Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250410171725.1265860-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-04-11T10:53:20+00:00 Mickaël Salaün mic@digikod.net 2025-04-10T17:17:22+00:00 urn:sha1:e4a0f9e0cacd93094b619616426a273e0bc9107e The audit fixture needlessly stores and manages domain_stack. Move it to the audit.layers tests. This will be useful to reuse the audit fixture with the next patch. Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250410171725.1265860-2-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:48+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:16+00:00 urn:sha1:a5c369e45b3e066c8defee149fad9f25dbcdaa11 Test all network blockers: - net.bind_tcp - net.connect_tcp Test coverage for security/landlock is 94.0% of 1525 lines according to gcc/gcov-14. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-28-mic@digikod.net [mic: Update test coverage] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:48+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:15+00:00 urn:sha1:316d06b011300ece31f90febb432385636f3d00e Test all filesystem blockers, including events with several records, and record with several blockers: - fs.execute - fs.write_file - fs.read_file - fs_read_dir - fs.remove_dir - fs.remove_file - fs.make_char - fs.make_dir - fs.make_reg - fs.make_sock - fs.make_fifo - fs.make_block - fs.make_sym - fs.refer - fs.truncate - fs.ioctl_dev - fs.change_topology Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-27-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:47+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:14+00:00 urn:sha1:e1156872efa70b470534eed455861de3725aa867 Add a new scoped_audit.connect_to_child test to check the abstract UNIX socket blocker. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-26-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:47+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:13+00:00 urn:sha1:e2893c0a696f285e1163bc0db26253bf8d3e4c54 Add tests for all ptrace actions checking "blockers=ptrace" records. This also improves PTRACE_TRACEME and PTRACE_ATTACH tests by making sure that the restrictions comes from Landlock, and with the expected process. These extended tests are like enhanced errno checks that make sure Landlock enforcement is consistent. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-25-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:46+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:12+00:00 urn:sha1:960ed6ca4c46c1e7a44f3f7b8be2c147757459e4 Add audit_exec tests to filter Landlock denials according to cross-execution or muted subdomains. Add a wait-pipe-sandbox.c test program to sandbox itself and send a (denied) signals to its parent. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-24-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>