b4007fd272
Add the SECURITY_LANDLOCK_KUNIT_TEST option to enable KUnit tests for Landlock. The minimal required configuration is listed in the security/landlock/.kunitconfig file. Add an initial landlock_fs KUnit test suite with 7 test cases for filesystem helpers. These are related to the LANDLOCK_ACCESS_FS_REFER right. There is one KUnit test case per: * mutated state (e.g. test_scope_to_request_*) or, * shared state between tests (e.g. test_is_eaccess_*). Add macros to improve readability of tests (i.e. one per line). Test cases are collocated with the tested functions to help maintenance and improve documentation. This is why SECURITY_LANDLOCK_KUNIT_TEST cannot be set as module. This is a nice complement to Landlock's user space kselftests. We expect new Landlock features to come with KUnit tests as well. Thanks to UML support, we can run all KUnit tests for Landlock with: ./tools/testing/kunit/kunit.py run --kunitconfig security/landlock [00:00:00] ======================= landlock_fs ======================= [00:00:00] [PASSED] test_no_more_access [00:00:00] [PASSED] test_scope_to_request_with_exec_none [00:00:00] [PASSED] test_scope_to_request_with_exec_some [00:00:00] [PASSED] test_scope_to_request_without_access [00:00:00] [PASSED] test_is_eacces_with_none [00:00:00] [PASSED] test_is_eacces_with_refer [00:00:00] [PASSED] test_is_eacces_with_write [00:00:00] =================== [PASSED] landlock_fs =================== [00:00:00] ============================================================ [00:00:00] Testing complete. Ran 7 tests: passed: 7 Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20240118113632.1948478-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
38 lines
1.3 KiB
Plaintext
38 lines
1.3 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
config SECURITY_LANDLOCK
|
|
bool "Landlock support"
|
|
depends on SECURITY
|
|
select SECURITY_NETWORK
|
|
select SECURITY_PATH
|
|
help
|
|
Landlock is a sandboxing mechanism that enables processes to restrict
|
|
themselves (and their future children) by gradually enforcing
|
|
tailored access control policies. A Landlock security policy is a
|
|
set of access rights (e.g. open a file in read-only, make a
|
|
directory, etc.) tied to a file hierarchy. Such policy can be
|
|
configured and enforced by any processes for themselves using the
|
|
dedicated system calls: landlock_create_ruleset(),
|
|
landlock_add_rule(), and landlock_restrict_self().
|
|
|
|
See Documentation/userspace-api/landlock.rst for further information.
|
|
|
|
If you are unsure how to answer this question, answer N. Otherwise,
|
|
you should also prepend "landlock," to the content of CONFIG_LSM to
|
|
enable Landlock at boot time.
|
|
|
|
config SECURITY_LANDLOCK_KUNIT_TEST
|
|
bool "KUnit tests for Landlock" if !KUNIT_ALL_TESTS
|
|
depends on KUNIT=y
|
|
depends on SECURITY_LANDLOCK
|
|
default KUNIT_ALL_TESTS
|
|
help
|
|
Build KUnit tests for Landlock.
|
|
|
|
See the KUnit documentation in Documentation/dev-tools/kunit
|
|
|
|
Run all KUnit tests for Landlock with:
|
|
./tools/testing/kunit/kunit.py run --kunitconfig security/landlock
|
|
|
|
If you are unsure how to answer this question, answer N.
|