summaryrefslogtreecommitdiff
path: root/tools/testing/selftests/landlock/audit.h
AgeCommit message (Collapse)Author
2025-06-19selftests/landlock: Fix readlink checkMickaël Salaün
The audit_init_filter_exe() helper incorrectly checks the readlink(2) error because an unsigned integer is used to store the result. Use a signed integer for this check. Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/r/aDbFwyZ_fM-IO7sC@stanley.mountain Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs") Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250528144426.1709063-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
2025-04-11selftests/landlock: Add PID tests for audit recordsMickaël Salaün
Add audit.thread tests to check that the PID tied to a domain is not a thread ID but the thread group ID. These new tests would not pass without the previous TGID fix. Extend matches_log_domain_allocated() to check against the PID that created the domain. Test coverage for security/landlock is 93.6% of 1524 lines according to gcc/gcov-14. Cc: Christian Brauner <brauner@kernel.org> Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250410171725.1265860-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
2025-03-26selftests/landlock: Add audit tests for filesystemMickaël Salaün
Test all filesystem blockers, including events with several records, and record with several blockers: - fs.execute - fs.write_file - fs.read_file - fs_read_dir - fs.remove_dir - fs.remove_file - fs.make_char - fs.make_dir - fs.make_reg - fs.make_sock - fs.make_fifo - fs.make_block - fs.make_sym - fs.refer - fs.truncate - fs.ioctl_dev - fs.change_topology Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-27-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
2025-03-26selftests/landlock: Add tests for audit flags and domain IDsMickaël Salaün
Add audit_test.c to check with and without LANDLOCK_RESTRICT_SELF_* flags against the two Landlock audit record types: AUDIT_LANDLOCK_ACCESS and AUDIT_LANDLOCK_DOMAIN. Check consistency of domain IDs per layer in AUDIT_LANDLOCK_ACCESS and AUDIT_LANDLOCK_DOMAIN messages: denied access, domain allocation, and domain deallocation. These tests use signal scoping to make it simple. They are not in the scoped_signal_test.c file but in the new dedicated audit_test.c file. Tests are run with audit filters to ensure the audit records come from the test program. Moreover, because there can only be one audit process, tests would failed if run in parallel. Because of audit limitations, tests can only be run in the initial namespace. The audit test helpers were inspired by libaudit and tools/testing/selftests/net/netfilter/audit_logread.c Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Phil Sutter <phil@nwl.cc> Link: https://lore.kernel.org/r/20250320190717.2287696-23-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
generated by cgit (git 2.34.1) at 2025-08-03 13:36:24 +0000