diff options
| author | Tahera Fahimi <fahimitahera@gmail.com> | 2024-09-06 15:30:05 -0600 |
|---|---|---|
| committer | Mickaël Salaün <mic@digikod.net> | 2024-09-16 23:50:53 +0200 |
| commit | c8994965013ee62cfb0f3cec01aa447f9077a869 (patch) | |
| tree | 75695b6e94ecfe7fc92b7d85babdaba455c60f30 /tools | |
| parent | ea292363c322d82663e021c5dc532894c30d4e59 (diff) | |
selftests/landlock: Test signal scoping for threads
Expand the signal scoping tests with pthread_kill(3). Test if a scoped
thread can send signal to a process in the same scoped domain, or a
non-sandboxed thread.
Signed-off-by: Tahera Fahimi <fahimitahera@gmail.com>
Link: https://lore.kernel.org/r/c15e9eafbb2da1210e46ba8db7b8907f5ea11009.1725657728.git.fahimitahera@gmail.com
[mic: Improve commit message]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/testing/selftests/landlock/scoped_signal_test.c | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/testing/selftests/landlock/scoped_signal_test.c index 55d983e38fc5..4426b8a8b718 100644 --- a/tools/testing/selftests/landlock/scoped_signal_test.c +++ b/tools/testing/selftests/landlock/scoped_signal_test.c @@ -9,6 +9,7 @@ #include <errno.h> #include <fcntl.h> #include <linux/landlock.h> +#include <pthread.h> #include <signal.h> #include <sys/prctl.h> #include <sys/types.h> @@ -248,4 +249,52 @@ TEST_F(scoped_domains, check_access_signal) _metadata->exit_code = KSFT_FAIL; } +static int thread_pipe[2]; + +enum thread_return { + THREAD_INVALID = 0, + THREAD_SUCCESS = 1, + THREAD_ERROR = 2, +}; + +void *thread_func(void *arg) +{ + char buf; + + if (read(thread_pipe[0], &buf, 1) != 1) + return (void *)THREAD_ERROR; + + return (void *)THREAD_SUCCESS; +} + +TEST(signal_scoping_threads) +{ + pthread_t no_sandbox_thread, scoped_thread; + enum thread_return ret = THREAD_INVALID; + + drop_caps(_metadata); + ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC)); + + ASSERT_EQ(0, + pthread_create(&no_sandbox_thread, NULL, thread_func, NULL)); + + /* Restricts the domain after creating the first thread. */ + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + + ASSERT_EQ(EPERM, pthread_kill(no_sandbox_thread, 0)); + ASSERT_EQ(1, write(thread_pipe[1], ".", 1)); + + ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_func, NULL)); + ASSERT_EQ(0, pthread_kill(scoped_thread, 0)); + ASSERT_EQ(1, write(thread_pipe[1], ".", 1)); + + EXPECT_EQ(0, pthread_join(no_sandbox_thread, (void **)&ret)); + EXPECT_EQ(THREAD_SUCCESS, ret); + EXPECT_EQ(0, pthread_join(scoped_thread, (void **)&ret)); + EXPECT_EQ(THREAD_SUCCESS, ret); + + EXPECT_EQ(0, close(thread_pipe[0])); + EXPECT_EQ(0, close(thread_pipe[1])); +} + TEST_HARNESS_MAIN |