@@ -1579,6 +1579,35 @@ TEST_F(ipv4_tcp, with_fs)
bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
ASSERT_LE(0, bind_fd);
EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
+}
+
+TEST_F(ipv4_tcp, socket_domain)
+{
+ const struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
+ };
+ int ruleset_fd, bind_fd;
+
+ /* Creates socket before sandboxing. */
+ bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_LE(0, bind_fd);
+
+ ruleset_fd =
+ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ EXPECT_EQ(0, close(ruleset_fd));
+
+ /* Tests port binding with unsandboxed socket. */
+ EXPECT_EQ(0, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
+
+ /* Tests port binding with new sandboxed socket. */
+ bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_LE(0, bind_fd);
+ EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1));
+ EXPECT_EQ(0, close(bind_fd));
}
FIXTURE(port_specific)
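Review bot: The expectation on line 26 is the security claim this test exists for — a thread that is already sandboxed may still bind a socket created before enforcement — yet nothing in the code says so, and a reader of net_test.c alone cannot tell it from an accidental hole; replace `/* Tests port binding with unsandboxed socket. */` with `/* Binding a socket created before sandboxing must succeed even from the now-sandboxed thread: the BIND_TCP restriction follows the socket's creation-time domain, not the caller's. */`. If the bind hook were instead evaluated against the calling thread's domain, line 26 would return -EACCES, so this test pins that semantics and the Landlock userspace documentation should state it too, including the consequence that a socket inherited or received from an unsandboxed process is not restricted. The same property presumably holds for LANDLOCK_ACCESS_NET_CONNECT_TCP but is not exercised here; a parallel check using the file's connect helper, if it has one, would cover it. Closing the first bind_fd on line 27 before the second socket is created is the right order, since it keeps -EADDRINUSE from masking the -EACCES expected on line 32.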
This new ipv4_tcp.socket_domain test checks that the restrictions are tied to the socket at creation time, but not tied to the thread requesting a bind action. Properly close the file descriptor in the ipv4_tcp.with_fs test. Cc: Günther Noack <gnoack@google.com> Cc: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Tahera Fahimi <fahimitahera@gmail.com> Cc: stable@vger.kernel.org Fixes: a549d055a22e ("selftests/landlock: Add network tests") Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20240719150618.197991-3-mic@digikod.net --- tools/testing/selftests/landlock/net_test.c | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+)