selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP

Extend protocol_variant structure with protocol field (Cf. socket(2)).

Extend protocol fixture with TCP test suits with protocol=IPPROTO_TCP
which can be used as an alias for IPPROTO_IP (=0) in socket(2).

Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
Link: https://lore.kernel.org/r/20250205093651.1424339-3-ivanov.mikhail1@huawei-partners.com
Cc: <stable@vger.kernel.org> # 6.7.x
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
index a604ea5d8297ccb04481fe6c6c6fb5c5b7f08750..6064c9ac05329d42bf70c3a1e6e2cd4b5b190bbb 100644 (file)
--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@@ -207,6 +207,7 @@ enforce_ruleset(struct __test_metadata *const _metadata, const int ruleset_fd)
 struct protocol_variant {
        int domain;
        int type;
+       int protocol;
 };
 
 struct service_fixture {

diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index 4e0aeb53b225a546134ef7068391e935fcefaf1b..333263780fae40b923de646135fee8f4f2bb1468 100644 (file)
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -85,18 +85,18 @@ static void setup_loopback(struct __test_metadata *const _metadata)
        clear_ambient_cap(_metadata, CAP_NET_ADMIN);
 }
 
+static bool prot_is_tcp(const struct protocol_variant *const prot)
+{
+       return (prot->domain == AF_INET || prot->domain == AF_INET6) &&
+              prot->type == SOCK_STREAM &&
+              (prot->protocol == IPPROTO_TCP || prot->protocol == IPPROTO_IP);
+}
+
 static bool is_restricted(const struct protocol_variant *const prot,
                          const enum sandbox_type sandbox)
 {
-       switch (prot->domain) {
-       case AF_INET:
-       case AF_INET6:
-               switch (prot->type) {
-               case SOCK_STREAM:
-                       return sandbox == TCP_SANDBOX;
-               }
-               break;
-       }
+       if (sandbox == TCP_SANDBOX)
+               return prot_is_tcp(prot);
        return false;
 }
 
@@ -105,7 +105,7 @@ static int socket_variant(const struct service_fixture *const srv)
        int ret;
 
        ret = socket(srv->protocol.domain, srv->protocol.type | SOCK_CLOEXEC,
-                    0);
+                    srv->protocol.protocol);
        if (ret < 0)
                return -errno;
        return ret;
@@ -290,22 +290,48 @@ FIXTURE_TEARDOWN(protocol)
 }
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp) {
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp1) {
        /* clang-format on */
        .sandbox = NO_SANDBOX,
        .prot = {
                .domain = AF_INET,
                .type = SOCK_STREAM,
+               /* IPPROTO_IP == 0 */
+               .protocol = IPPROTO_IP,
        },
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp) {
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp2) {
+       /* clang-format on */
+       .sandbox = NO_SANDBOX,
+       .prot = {
+               .domain = AF_INET,
+               .type = SOCK_STREAM,
+               .protocol = IPPROTO_TCP,
+       },
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp1) {
        /* clang-format on */
        .sandbox = NO_SANDBOX,
        .prot = {
                .domain = AF_INET6,
                .type = SOCK_STREAM,
+               /* IPPROTO_IP == 0 */
+               .protocol = IPPROTO_IP,
+       },
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp2) {
+       /* clang-format on */
+       .sandbox = NO_SANDBOX,
+       .prot = {
+               .domain = AF_INET6,
+               .type = SOCK_STREAM,
+               .protocol = IPPROTO_TCP,
        },
 };
 
@@ -350,22 +376,48 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_datagram) {
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp) {
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp1) {
+       /* clang-format on */
+       .sandbox = TCP_SANDBOX,
+       .prot = {
+               .domain = AF_INET,
+               .type = SOCK_STREAM,
+               /* IPPROTO_IP == 0 */
+               .protocol = IPPROTO_IP,
+       },
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp2) {
        /* clang-format on */
        .sandbox = TCP_SANDBOX,
        .prot = {
                .domain = AF_INET,
                .type = SOCK_STREAM,
+               .protocol = IPPROTO_TCP,
+       },
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp1) {
+       /* clang-format on */
+       .sandbox = TCP_SANDBOX,
+       .prot = {
+               .domain = AF_INET6,
+               .type = SOCK_STREAM,
+               /* IPPROTO_IP == 0 */
+               .protocol = IPPROTO_IP,
        },
 };
 
 /* clang-format off */
-FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp) {
+FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp2) {
        /* clang-format on */
        .sandbox = TCP_SANDBOX,
        .prot = {
                .domain = AF_INET6,
                .type = SOCK_STREAM,
+               .protocol = IPPROTO_TCP,
        },
 };