mirror of https://github.com/torvalds/linux.git
132 lines
3.0 KiB
C
132 lines
3.0 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Write in a pipe, wait, sandbox itself, test sandboxing, and wait again.
|
|
*
|
|
* Used by audit_exec.flags from audit_test.c
|
|
*
|
|
* Copyright © 2024-2025 Microsoft Corporation
|
|
*/
|
|
|
|
#define _GNU_SOURCE
|
|
#include <fcntl.h>
|
|
#include <linux/landlock.h>
|
|
#include <linux/prctl.h>
|
|
#include <signal.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <sys/prctl.h>
|
|
#include <unistd.h>
|
|
|
|
#include "wrappers.h"
|
|
|
|
static int sync_with(int pipe_child, int pipe_parent)
|
|
{
|
|
char buf;
|
|
|
|
/* Signals that we are waiting. */
|
|
if (write(pipe_child, ".", 1) != 1) {
|
|
perror("Failed to write to first argument");
|
|
return 1;
|
|
}
|
|
|
|
/* Waits for the parent do its test. */
|
|
if (read(pipe_parent, &buf, 1) != 1) {
|
|
perror("Failed to write to the second argument");
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
const struct landlock_ruleset_attr layer2 = {
|
|
.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR,
|
|
};
|
|
const struct landlock_ruleset_attr layer3 = {
|
|
.scoped = LANDLOCK_SCOPE_SIGNAL,
|
|
};
|
|
int err, pipe_child, pipe_parent, ruleset_fd;
|
|
|
|
/* The first argument must be the file descriptor number of a pipe. */
|
|
if (argc != 3) {
|
|
fprintf(stderr, "Wrong number of arguments (not two)\n");
|
|
return 1;
|
|
}
|
|
|
|
pipe_child = atoi(argv[1]);
|
|
pipe_parent = atoi(argv[2]);
|
|
/* PR_SET_NO_NEW_PRIVS already set by parent. */
|
|
|
|
/* First step to test parent's layer1. */
|
|
err = sync_with(pipe_child, pipe_parent);
|
|
if (err)
|
|
return err;
|
|
|
|
/* Tries to send a signal, denied by layer1. */
|
|
if (!kill(getppid(), 0)) {
|
|
fprintf(stderr, "Successfully sent a signal to the parent");
|
|
return 1;
|
|
}
|
|
|
|
/* Second step to test parent's layer1 and our layer2. */
|
|
err = sync_with(pipe_child, pipe_parent);
|
|
if (err)
|
|
return err;
|
|
|
|
ruleset_fd = landlock_create_ruleset(&layer2, sizeof(layer2), 0);
|
|
if (ruleset_fd < 0) {
|
|
perror("Failed to create the layer2 ruleset");
|
|
return 1;
|
|
}
|
|
|
|
if (landlock_restrict_self(ruleset_fd, 0)) {
|
|
perror("Failed to restrict self");
|
|
return 1;
|
|
}
|
|
close(ruleset_fd);
|
|
|
|
/* Tries to send a signal, denied by layer1. */
|
|
if (!kill(getppid(), 0)) {
|
|
fprintf(stderr, "Successfully sent a signal to the parent");
|
|
return 1;
|
|
}
|
|
|
|
/* Tries to open ., denied by layer2. */
|
|
if (open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC) >= 0) {
|
|
fprintf(stderr, "Successfully opened /");
|
|
return 1;
|
|
}
|
|
|
|
/* Third step to test our layer2 and layer3. */
|
|
err = sync_with(pipe_child, pipe_parent);
|
|
if (err)
|
|
return err;
|
|
|
|
ruleset_fd = landlock_create_ruleset(&layer3, sizeof(layer3), 0);
|
|
if (ruleset_fd < 0) {
|
|
perror("Failed to create the layer3 ruleset");
|
|
return 1;
|
|
}
|
|
|
|
if (landlock_restrict_self(ruleset_fd, 0)) {
|
|
perror("Failed to restrict self");
|
|
return 1;
|
|
}
|
|
close(ruleset_fd);
|
|
|
|
/* Tries to open ., denied by layer2. */
|
|
if (open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC) >= 0) {
|
|
fprintf(stderr, "Successfully opened /");
|
|
return 1;
|
|
}
|
|
|
|
/* Tries to send a signal, denied by layer3. */
|
|
if (!kill(getppid(), 0)) {
|
|
fprintf(stderr, "Successfully sent a signal to the parent");
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|