Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-rolling-stable 2025-08-15T10:16:13Z 2025-08-15T10:16:13Z Song Liu song@kernel.org 2025-06-05T21:44:16Z urn:sha1:79f49b0c7bf5fb879dfed92276d75c9e803a16f4 [ Upstream commit dc58130bc38f09b162aa3b216f8b8f1e0a56127b ] We are hitting build error on CentOS 9: audit_test.c:232:40: error: ‘O_CLOEXEC’ undeclared (...) Fix this by including fcntl.h. Signed-off-by: Song Liu <song@kernel.org> Link: https://lore.kernel.org/r/20250605214416.1885878-1-song@kernel.org Fixes: 6b4566400a29 ("selftests/landlock: Add PID tests for audit records") Signed-off-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-04-11T10:53:22Z Mickaël Salaün mic@digikod.net 2025-04-10T17:17:23Z urn:sha1:6b4566400a2919e6c1137404c53d7cf1ada559aa Add audit.thread tests to check that the PID tied to a domain is not a thread ID but the thread group ID. These new tests would not pass without the previous TGID fix. Extend matches_log_domain_allocated() to check against the PID that created the domain. Test coverage for security/landlock is 93.6% of 1524 lines according to gcc/gcov-14. Cc: Christian Brauner <brauner@kernel.org> Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250410171725.1265860-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-04-11T10:53:20Z Mickaël Salaün mic@digikod.net 2025-04-10T17:17:22Z urn:sha1:e4a0f9e0cacd93094b619616426a273e0bc9107e The audit fixture needlessly stores and manages domain_stack. Move it to the audit.layers tests. This will be useful to reuse the audit fixture with the next patch. Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250410171725.1265860-2-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:46Z Mickaël Salaün mic@digikod.net 2025-03-20T19:07:12Z urn:sha1:960ed6ca4c46c1e7a44f3f7b8be2c147757459e4 Add audit_exec tests to filter Landlock denials according to cross-execution or muted subdomains. Add a wait-pipe-sandbox.c test program to sandbox itself and send a (denied) signals to its parent. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-24-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:45Z Mickaël Salaün mic@digikod.net 2025-03-20T19:07:11Z urn:sha1:6a500b22971c42da4037ff95481dd6c5535b01bd Add audit_test.c to check with and without LANDLOCK_RESTRICT_SELF_* flags against the two Landlock audit record types: AUDIT_LANDLOCK_ACCESS and AUDIT_LANDLOCK_DOMAIN. Check consistency of domain IDs per layer in AUDIT_LANDLOCK_ACCESS and AUDIT_LANDLOCK_DOMAIN messages: denied access, domain allocation, and domain deallocation. These tests use signal scoping to make it simple. They are not in the scoped_signal_test.c file but in the new dedicated audit_test.c file. Tests are run with audit filters to ensure the audit records come from the test program. Moreover, because there can only be one audit process, tests would failed if run in parallel. Because of audit limitations, tests can only be run in the initial namespace. The audit test helpers were inspired by libaudit and tools/testing/selftests/net/netfilter/audit_logread.c Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Phil Sutter <phil@nwl.cc> Link: https://lore.kernel.org/r/20250320190717.2287696-23-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>