linux-toradex.git/tools/testing/selftests/landlock/Makefile, branch master Linux kernel for Apalis and Colibri modules selftests/landlock: Add filesystem access benchmark 2026-02-10T15:46:42+00:00 Günther Noack gnoack3000@gmail.com 2026-02-06T15:11:53+00:00 9adbe8935152c511c1e43a47d69f44f0e969afc8 fs_bench benchmarks the performance of Landlock's path walk by exercising it in a scenario that amplifies Landlock's overhead: * Create a large number of nested directories * Enforce a Landlock policy in which a rule is associated with each of these subdirectories * Benchmark openat() applied to the deepest directory, forcing Landlock to walk the entire path. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260206151154.97915-3-gnoack3000@gmail.com [mic: Fix missing mode with O_CREAT, improve text consistency, sort includes] Signed-off-by: Mickaël Salaün <mic@digikod.net> 
fs_bench benchmarks the performance of Landlock's path walk
by exercising it in a scenario that amplifies Landlock's overhead:

* Create a large number of nested directories
* Enforce a Landlock policy in which a rule is associated with each of
  these subdirectories
* Benchmark openat() applied to the deepest directory,
  forcing Landlock to walk the entire path.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20260206151154.97915-3-gnoack3000@gmail.com
[mic: Fix missing mode with O_CREAT, improve text consistency, sort
includes]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
selftests/landlock: Fix makefile header list 2025-11-26T19:20:23+00:00 Matthieu Buffet matthieu@buffet.re 2025-10-27T01:14:40+00:00 e61462232a58bddd818fa6a913a9a2e76fd3634f Make all headers part of make's dependencies computations. Otherwise, updating audit.h, common.h, scoped_base_variants.h, scoped_common.h, scoped_multiple_domain_variants.h, or wrappers.h, re-running make and running selftests could lead to testing stale headers. Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs") Fixes: fefcf0f7cf47 ("selftests/landlock: Test abstract UNIX socket scoping") Fixes: 5147779d5e1b ("selftests/landlock: Add wrappers.h") Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://lore.kernel.org/r/20251027011440.1838514-1-matthieu@buffet.re Signed-off-by: Mickaël Salaün <mic@digikod.net> 
Make all headers part of make's dependencies computations.
Otherwise, updating audit.h, common.h, scoped_base_variants.h,
scoped_common.h, scoped_multiple_domain_variants.h, or wrappers.h,
re-running make and running selftests could lead to testing stale headers.

Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")
Fixes: fefcf0f7cf47 ("selftests/landlock: Test abstract UNIX socket scoping")
Fixes: 5147779d5e1b ("selftests/landlock: Add wrappers.h")
Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://lore.kernel.org/r/20251027011440.1838514-1-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>
selftests/landlock: Test audit with restrict flags 2025-03-26T12:59:46+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:12+00:00 960ed6ca4c46c1e7a44f3f7b8be2c147757459e4 Add audit_exec tests to filter Landlock denials according to cross-execution or muted subdomains. Add a wait-pipe-sandbox.c test program to sandbox itself and send a (denied) signals to its parent. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-24-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 
Add audit_exec tests to filter Landlock denials according to
cross-execution or muted subdomains.

Add a wait-pipe-sandbox.c test program to sandbox itself and send a
(denied) signals to its parent.

Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-24-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
selftests/landlock: Add layout1.umount_sandboxer tests 2025-01-17T18:05:38+00:00 Mickaël Salaün mic@digikod.net 2025-01-08T15:43:30+00:00 2a794ee613617b5d8fd978b7ef08d64aa07ff2e6 Check that a domain is not tied to the executable file that created it. For instance, that could happen if a Landlock domain took a reference to a struct path. Move global path names to common.h and replace copy_binary() with a more generic copy_file() helper. Test coverage for security/landlock is 92.7% of 1133 lines according to gcc/gcov-14. Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250108154338.1129069-23-mic@digikod.net [mic: Update date and add test coverage] Signed-off-by: Mickaël Salaün <mic@digikod.net> 
Check that a domain is not tied to the executable file that created it.
For instance, that could happen if a Landlock domain took a reference to
a struct path.

Move global path names to common.h and replace copy_binary() with a more
generic copy_file() helper.

Test coverage for security/landlock is 92.7% of 1133 lines according to
gcc/gcov-14.

Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250108154338.1129069-23-mic@digikod.net
[mic: Update date and add test coverage]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
selftests/landlock: Fix build with non-default pthread linking 2025-01-17T18:05:31+00:00 Mickaël Salaün mic@digikod.net 2025-01-15T14:54:07+00:00 0e4db4f843c2c0115b5981bd6f6b75dea62e7d60 Old toolchains require explicit -lpthread (e.g. on Debian 11). Cc: Nathan Chancellor <nathan@kernel.org> Cc: Tahera Fahimi <fahimitahera@gmail.com> Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads") Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20250115145409.312226-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 
Old toolchains require explicit -lpthread (e.g. on Debian 11).

Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20250115145409.312226-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
selftests/landlock: Build without static libraries 2022-10-19T20:10:56+00:00 Mickaël Salaün mic@digikod.net 2022-10-19T20:05:36+00:00 091873e47ef700e935aa80079b63929af599a0b2 The only (forced) static test binary doesn't depend on libcap. Because using -lcap on systems that don't have such static library would fail (e.g. on Arch Linux), let's be more specific and require only dynamic libcap linking. Fixes: a52540522c95 ("selftests/landlock: Fix out-of-tree builds") Cc: Anders Roxell <anders.roxell@linaro.org> Cc: Guillaume Tucker <guillaume.tucker@collabora.com> Cc: Mark Brown <broonie@kernel.org> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20221019200536.2771316-1-mic@digikod.net 
The only (forced) static test binary doesn't depend on libcap.  Because
using -lcap on systems that don't have such static library would fail
(e.g. on Arch Linux), let's be more specific and require only dynamic
libcap linking.

Fixes: a52540522c95 ("selftests/landlock: Fix out-of-tree builds")
Cc: Anders Roxell <anders.roxell@linaro.org>
Cc: Guillaume Tucker <guillaume.tucker@collabora.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20221019200536.2771316-1-mic@digikod.net
selftests/landlock: Fix out-of-tree builds 2022-09-14T14:37:38+00:00 Mickaël Salaün mic@digikod.net 2022-09-09T10:34:02+00:00 a52540522c9541bfa3e499d2edba7bc0ca73a4ca These changes simplify the Makefile and handle these 5 ways to build Landlock tests: - make -C tools/testing/selftests/landlock - make -C tools/testing/selftests TARGETS=landlock gen_tar - make TARGETS=landlock kselftest-gen_tar - make TARGETS=landlock O=build kselftest-gen_tar - make -C /tmp/linux TARGETS=landlock O=/tmp/build kselftest-gen_tar This also makes $(KHDR_INCLUDES) available to other test collections when building in their directory. Fixes: f1227dc7d041 ("selftests/landlock: fix broken include of linux/landlock.h") Fixes: 3bb267a36185 ("selftests: drop khdr make target") Cc: Anders Roxell <anders.roxell@linaro.org> Cc: Guillaume Tucker <guillaume.tucker@collabora.com> Cc: Mark Brown <broonie@kernel.org> Cc: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20220909103402.1501802-1-mic@digikod.net 
These changes simplify the Makefile and handle these 5 ways to build
Landlock tests:
- make -C tools/testing/selftests/landlock
- make -C tools/testing/selftests TARGETS=landlock gen_tar
- make TARGETS=landlock kselftest-gen_tar
- make TARGETS=landlock O=build kselftest-gen_tar
- make -C /tmp/linux TARGETS=landlock O=/tmp/build kselftest-gen_tar

This also makes $(KHDR_INCLUDES) available to other test collections
when building in their directory.

Fixes: f1227dc7d041 ("selftests/landlock: fix broken include of linux/landlock.h")
Fixes: 3bb267a36185 ("selftests: drop khdr make target")
Cc: Anders Roxell <anders.roxell@linaro.org>
Cc: Guillaume Tucker <guillaume.tucker@collabora.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220909103402.1501802-1-mic@digikod.net
selftests/landlock: fix broken include of linux/landlock.h 2022-08-15T17:26:12+00:00 Guillaume Tucker guillaume.tucker@collabora.com 2022-08-03T20:13:54+00:00 f1227dc7d0411ee9a9faaa1e80cfd9d6e5d6d63e Revert part of the earlier changes to fix the kselftest build when using a sub-directory from the top of the tree as this broke the landlock test build as a side-effect when building with "make -C tools/testing/selftests/landlock". Reported-by: Mickaël Salaün <mic@digikod.net> Fixes: a917dd94b832 ("selftests/landlock: drop deprecated headers dependency") Fixes: f2745dc0ba3d ("selftests: stop using KSFT_KHDR_INSTALL") Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> 
Revert part of the earlier changes to fix the kselftest build when
using a sub-directory from the top of the tree as this broke the
landlock test build as a side-effect when building with "make -C
tools/testing/selftests/landlock".

Reported-by: Mickaël Salaün <mic@digikod.net>
Fixes: a917dd94b832 ("selftests/landlock: drop deprecated headers dependency")
Fixes: f2745dc0ba3d ("selftests: stop using KSFT_KHDR_INSTALL")
Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
selftests/landlock: drop deprecated headers dependency 2022-07-14T20:43:26+00:00 Guillaume Tucker guillaume.tucker@collabora.com 2022-07-13T06:35:01+00:00 a917dd94b832c8f4ad458d0ca2bd1007466c5643 The khdr make target has been removed, so drop it from the landlock Makefile dependencies as well as related include paths that are standard for headers in the kernel tree. Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com> Reported-by: Anders Roxell <anders.roxell@linaro.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> 
The khdr make target has been removed, so drop it from the landlock
Makefile dependencies as well as related include paths that are
standard for headers in the kernel tree.

Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com>
Reported-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
selftests: stop using KSFT_KHDR_INSTALL 2022-07-11T23:23:30+00:00 Guillaume Tucker guillaume.tucker@collabora.com 2022-07-08T16:23:28+00:00 f2745dc0ba3dadd8fa2b2c33f48253d78e133a12 Stop using the KSFT_KHDR_INSTALL flag as installing the kernel headers from the kselftest Makefile is causing some issues. Instead, rely on the headers to be installed directly by the top-level Makefile "headers_install" make target prior to building kselftest. Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com> Tested-by: Anders Roxell <anders.roxell@linaro.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> 
Stop using the KSFT_KHDR_INSTALL flag as installing the kernel headers
from the kselftest Makefile is causing some issues.  Instead, rely on
the headers to be installed directly by the top-level Makefile
"headers_install" make target prior to building kselftest.

Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com>
Tested-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>