This new ipv4_tcp.socket_domain test checks that the restrictions are tied to the socket at creation time, but not tied to the thread requesting a bind action.
Properly close file descriptor in ipv4.with_fs test.
Cc: Günther Noack <gnoack@google.com>
Cc: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Cc: stable@vger.kernel.org
Fixes: a549d055a22e ("selftests/landlock: Add network tests")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20240719150618.197991-3-mic@digikod.net
---
 tools/testing/selftests/landlock/net_test.c | 29 +++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c index f21cfbbc3638..79251e27d26d 100644 --- a/tools/testing/selftests/landlock/net_test.c +++ b/tools/testing/selftests/landlock/net_test.c @@ -1579,6 +1579,35 @@ TEST_F(ipv4_tcp, with_fs) bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); ASSERT_LE(0, bind_fd); EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1)); + EXPECT_EQ(0, close(bind_fd)); +} + +TEST_F(ipv4_tcp, socket_domain) +{ + const struct landlock_ruleset_attr ruleset_attr = { + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP, + }; + int ruleset_fd, bind_fd; + + /* Creates socket before sandboxing. */ + bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); + ASSERT_LE(0, bind_fd); + + ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Tests port binding with unsandboxed socket. */ + EXPECT_EQ(0, bind_variant(bind_fd, &self->srv1)); + EXPECT_EQ(0, close(bind_fd)); + + /* Tests port binding with new sandboxed socket. */ + bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); + ASSERT_LE(0, bind_fd); + EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1)); + EXPECT_EQ(0, close(bind_fd)); }
FIXTURE(port_specific)
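Review bot: the new socket_domain test only exercises the bind action, since ruleset_attr handles LANDLOCK_ACCESS_NET_BIND_TCP alone, so it does not by itself establish the more general claim that network restrictions are tied to the socket at creation time; a sibling test (or a second ruleset in this one) handling LANDLOCK_ACCESS_NET_CONNECT_TCP with the same before/after sequence would close that gap. Two smaller points on the same hunk: the comment "/* Tests port binding with unsandboxed socket. */" is slightly misleading, because the calling thread is sandboxed at that point and only the socket predates enforce_ruleset(), so "/* Tests port binding with a socket created before sandboxing. */" reads more accurately; and it is worth a one-line comment that both binds target self->srv1 on purpose, relying on the first socket being closed before the second is created and on the second bind being refused with -EACCES before it reaches the TCP stack, so that a stale binding cannot mask the result.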
linux-stable-mirror@lists.linaro.org