/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Landlock variants for three processes with various domains.
 *
 * Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com>
 */
/*
 * Kind of domain a test process enters at one step of a variant.  The
 * values are assigned to the domain_* fields of the scoped_vs_unscoped
 * variants in this file.
 */
enum sandbox_type {
	/* No domain is created at this step. */
	NO_SANDBOX = 0,
	/*
	 * Domain that is expected to restrict the scoped action; processes
	 * inside it are the ones the variants expect to be denied when they
	 * target a process outside it.
	 */
	SCOPE_SANDBOX = 1,
	/* Any other type of sandboxing domain */
	OTHER_SANDBOX = 2,
};
/* clang-format on */
/*
 * Parameters of one scoped_vs_unscoped variant: which kind of domain is
 * entered at each of five points in a three-process tree.  Every variant in
 * this file fills the fields with enum sandbox_type values.  In the variant
 * diagrams P1, P2 and P3 stand for the parent, its child and the grandchild,
 * and the "P3 -> Px" lines give the expected outcome when P3 targets Px.
 *
 * NOTE(review): when each domain is entered relative to fork() is decided by
 * the test that includes this header, not here; that ordering determines
 * which processes inherit a domain, so confirm it there.
 */
FIXTURE_VARIANT(scoped_vs_unscoped)
{
	/* Domain drawn around P1, P2 and P3 together. */
	const int domain_all;
	/* Domain drawn around P1 only. */
	const int domain_parent;
	/* Domain drawn around P2 and P3 together. */
	const int domain_children;
	/* Domain drawn around P2 only; P3 is shown outside it. */
	const int domain_child;
	/* Domain drawn around P3 only. */
	const int domain_grand_child;
};
/*
 * .-----------------.
 * |         ####### |  P3 -> P2 : allow
 * |   P1----# P2  # |  P3 -> P1 : deny
 * |         #  |  # |
 * |         # P3  # |
 * |         ####### |
 * '-----------------'
 *
 * '#' box: SCOPE_SANDBOX (domain_children); '.-' box: OTHER_SANDBOX
 * (domain_all).  P2 and P3 share the scoped domain, so P3 is expected to
 * reach P2; P1 is outside that domain and is expected to be out of reach.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_scoped) {
	.domain_all = OTHER_SANDBOX,
	.domain_parent = NO_SANDBOX,
	.domain_children = SCOPE_SANDBOX,
	.domain_child = NO_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};
/*
 * ###################
 * #         ####### #  P3 -> P2 : allow
 * #   P1----# P2  # #  P3 -> P1 : deny
 * #         #  |  # #
 * #         # P3  # #
 * #         ####### #
 * ###################
 *
 * Both '#' boxes are SCOPE_SANDBOX domains (domain_all, domain_children).
 * Sharing the outer scoped domain with P1 is not enough: P3 also sits in the
 * inner scoped domain that P1 is not part of, and the denial is expected to
 * hold.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, all_scoped) {
	.domain_all = SCOPE_SANDBOX,
	.domain_parent = NO_SANDBOX,
	.domain_children = SCOPE_SANDBOX,
	.domain_child = NO_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};
/*
 * .-----------------.
 * |         .-----. |  P3 -> P2 : allow
 * |   P1----| P2  | |  P3 -> P1 : allow
 * |         |     | |
 * |         | P3  | |
 * |         '-----' |
 * '-----------------'
 *
 * Both '.-' boxes are OTHER_SANDBOX domains (domain_all, domain_children).
 * No SCOPE_SANDBOX domain is involved, so the same nesting that denies
 * P3 -> P1 in deny_scoped is expected to allow it here.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_other_domain) {
	.domain_all = OTHER_SANDBOX,
	.domain_parent = NO_SANDBOX,
	.domain_children = OTHER_SANDBOX,
	.domain_child = NO_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};
/*
 *  .----.    ######   P3 -> P2 : allow
 *  | P1 |----# P2 #   P3 -> P1 : allow
 *  '----'    ######
 *              |
 *              P3
 *
 * P1 is in an OTHER_SANDBOX domain (domain_parent) and P2 in a SCOPE_SANDBOX
 * one (domain_child).  P3 is drawn outside both, so nothing restricts it and
 * both attempts are expected to succeed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_one_domain) {
	.domain_all = NO_SANDBOX,
	.domain_parent = OTHER_SANDBOX,
	.domain_children = NO_SANDBOX,
	.domain_child = SCOPE_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};
/*
 *  ######    .-----.   P3 -> P2 : allow
 *  # P1 #----| P2  |   P3 -> P1 : allow
 *  ######    '-----'
 *              |
 *              P3
 *
 * P1 is in a SCOPE_SANDBOX domain (domain_parent) and P2 in an OTHER_SANDBOX
 * one (domain_child); P3 is drawn outside both.  The expected "allow" towards
 * P1 shows that a scoped domain on the target side does not shield it from a
 * sender that is not itself scoped.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_grand_parent_scoped) {
	.domain_all = NO_SANDBOX,
	.domain_parent = SCOPE_SANDBOX,
	.domain_children = NO_SANDBOX,
	.domain_child = OTHER_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};
/*
 *  ######    ######   P3 -> P2 : allow
 *  # P1 #----# P2 #   P3 -> P1 : allow
 *  ######    ######
 *               |
 *             .----.
 *             | P3 |
 *             '----'
 *
 * P1 and P2 each sit in their own SCOPE_SANDBOX domain (domain_parent,
 * domain_child); P3 is in neither, so both attempts are expected to succeed.
 *
 * NOTE(review): the diagram draws P3 inside a '.-' box, which the other
 * diagrams in this file use for OTHER_SANDBOX, yet domain_grand_child is
 * NO_SANDBOX here.  Confirm whether the box or the initializer is intended.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_parents_domain) {
	.domain_all = NO_SANDBOX,
	.domain_parent = SCOPE_SANDBOX,
	.domain_children = NO_SANDBOX,
	.domain_child = SCOPE_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};
/*
 *  ######          P3 -> P2 : deny
 *  # P1 #----P2    P3 -> P1 : deny
 *  ######     |
 *             |
 *           ######
 *           # P3 #
 *           ######
 *
 * P1 and P3 each sit in their own SCOPE_SANDBOX domain (domain_parent,
 * domain_grand_child); P2 has none.  P3 is the scoped sender here, and both
 * targets are outside its domain, so both attempts are expected to fail,
 * including the one towards the unsandboxed P2.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_with_self_and_grandparent_domain) {
	.domain_all = NO_SANDBOX,
	.domain_parent = SCOPE_SANDBOX,
	.domain_children = NO_SANDBOX,
	.domain_child = NO_SANDBOX,
	.domain_grand_child = SCOPE_SANDBOX,
	/* clang-format on */
};