tools/testing/selftests/landlock/scoped_multiple_domain_variants.h

   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 /*
   3  * Landlock variants for three processes with various domains.
   4  *
   5  * Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com>
   6  */
   7
   8 enum sandbox_type {
   9         NO_SANDBOX,
  10         SCOPE_SANDBOX,
  11         /* Any other type of sandboxing domain */
  12         OTHER_SANDBOX,
  13 };
  14
  15 /* clang-format on */
  16 FIXTURE_VARIANT(scoped_vs_unscoped)
  17 {
  18         const int domain_all;
  19         const int domain_parent;
  20         const int domain_children;
  21         const int domain_child;
  22         const int domain_grand_child;
  23 };
  24
  25 /*
  26  * .-----------------.
  27  * |         ####### |  P3 -> P2 : allow
  28  * |   P1----# P2  # |  P3 -> P1 : deny
  29  * |         #  |  # |
  30  * |         # P3  # |
  31  * |         ####### |
  32  * '-----------------'
  33  */
  34 /* clang-format off */
  35 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_scoped) {
  36         .domain_all = OTHER_SANDBOX,
  37         .domain_parent = NO_SANDBOX,
  38         .domain_children = SCOPE_SANDBOX,
  39         .domain_child = NO_SANDBOX,
  40         .domain_grand_child = NO_SANDBOX,
  41         /* clang-format on */
  42 };
  43
  44 /*
  45  * ###################
  46  * #         ####### #  P3 -> P2 : allow
  47  * #   P1----# P2  # #  P3 -> P1 : deny
  48  * #         #  |  # #
  49  * #         # P3  # #
  50  * #         ####### #
  51  * ###################
  52  */
  53 /* clang-format off */
  54 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, all_scoped) {
  55         .domain_all = SCOPE_SANDBOX,
  56         .domain_parent = NO_SANDBOX,
  57         .domain_children = SCOPE_SANDBOX,
  58         .domain_child = NO_SANDBOX,
  59         .domain_grand_child = NO_SANDBOX,
  60         /* clang-format on */
  61 };
  62
  63 /*
  64  * .-----------------.
  65  * |         .-----. |  P3 -> P2 : allow
  66  * |   P1----| P2  | |  P3 -> P1 : allow
  67  * |         |     | |
  68  * |         | P3  | |
  69  * |         '-----' |
  70  * '-----------------'
  71  */
  72 /* clang-format off */
  73 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_other_domain) {
  74         .domain_all = OTHER_SANDBOX,
  75         .domain_parent = NO_SANDBOX,
  76         .domain_children = OTHER_SANDBOX,
  77         .domain_child = NO_SANDBOX,
  78         .domain_grand_child = NO_SANDBOX,
  79         /* clang-format on */
  80 };
  81
  82 /*
  83  *  .----.    ######   P3 -> P2 : allow
  84  *  | P1 |----# P2 #   P3 -> P1 : allow
  85  *  '----'    ######
  86  *              |
  87  *              P3
  88  */
  89 /* clang-format off */
  90 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_one_domain) {
  91         .domain_all = NO_SANDBOX,
  92         .domain_parent = OTHER_SANDBOX,
  93         .domain_children = NO_SANDBOX,
  94         .domain_child = SCOPE_SANDBOX,
  95         .domain_grand_child = NO_SANDBOX,
  96         /* clang-format on */
  97 };
  98
  99 /*
 100  *  ######    .-----.   P3 -> P2 : allow
 101  *  # P1 #----| P2  |   P3 -> P1 : allow
 102  *  ######    '-----'
 103  *              |
 104  *              P3
 105  */
 106 /* clang-format off */
 107 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_grand_parent_scoped) {
 108         .domain_all = NO_SANDBOX,
 109         .domain_parent = SCOPE_SANDBOX,
 110         .domain_children = NO_SANDBOX,
 111         .domain_child = OTHER_SANDBOX,
 112         .domain_grand_child = NO_SANDBOX,
 113         /* clang-format on */
 114 };
 115
 116 /*
 117  *  ######    ######   P3 -> P2 : allow
 118  *  # P1 #----# P2 #   P3 -> P1 : allow
 119  *  ######    ######
 120  *               |
 121  *             .----.
 122  *             | P3 |
 123  *             '----'
 124  */
 125 /* clang-format off */
 126 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_parents_domain) {
 127         .domain_all = NO_SANDBOX,
 128         .domain_parent = SCOPE_SANDBOX,
 129         .domain_children = NO_SANDBOX,
 130         .domain_child = SCOPE_SANDBOX,
 131         .domain_grand_child = NO_SANDBOX,
 132         /* clang-format on */
 133 };
 134
 135 /*
 136  *  ######              P3 -> P2 : deny
 137  *  # P1 #----P2        P3 -> P1 : deny
 138  *  ######     |
 139  *             |
 140  *           ######
 141  *           # P3 #
 142  *           ######
 143  */
 144 /* clang-format off */
 145 FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_with_self_and_grandparent_domain) {
 146         .domain_all = NO_SANDBOX,
 147         .domain_parent = SCOPE_SANDBOX,
 148         .domain_children = NO_SANDBOX,
 149         .domain_child = NO_SANDBOX,
 150         .domain_grand_child = SCOPE_SANDBOX,
 151         /* clang-format on */
 152 };