MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-08-21 08:21:58 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
linux-yocto/security/landlock/Kconfig
Mickaël Salaün b4007fd272
landlock: Add support for KUnit tests 
Add the SECURITY_LANDLOCK_KUNIT_TEST option to enable KUnit tests for
Landlock.  The minimal required configuration is listed in the
security/landlock/.kunitconfig file.

Add an initial landlock_fs KUnit test suite with 7 test cases for
filesystem helpers.  These are related to the LANDLOCK_ACCESS_FS_REFER
right.

There is one KUnit test case per:
* mutated state (e.g. test_scope_to_request_*) or,
* shared state between tests (e.g. test_is_eaccess_*).

Add macros to improve readability of tests (i.e. one per line).  Test
cases are collocated with the tested functions to help maintenance and
improve documentation.  This is why SECURITY_LANDLOCK_KUNIT_TEST cannot
be set as module.

This is a nice complement to Landlock's user space kselftests.  We
expect new Landlock features to come with KUnit tests as well.

Thanks to UML support, we can run all KUnit tests for Landlock with:
./tools/testing/kunit/kunit.py run --kunitconfig security/landlock

[00:00:00] ======================= landlock_fs  =======================
[00:00:00] [PASSED] test_no_more_access
[00:00:00] [PASSED] test_scope_to_request_with_exec_none
[00:00:00] [PASSED] test_scope_to_request_with_exec_some
[00:00:00] [PASSED] test_scope_to_request_without_access
[00:00:00] [PASSED] test_is_eacces_with_none
[00:00:00] [PASSED] test_is_eacces_with_refer
[00:00:00] [PASSED] test_is_eacces_with_write
[00:00:00] =================== [PASSED] landlock_fs ===================
[00:00:00] ============================================================
[00:00:00] Testing complete. Ran 7 tests: passed: 7

Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Reviewed-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20240118113632.1948478-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
2024-02-27 11:21:45 +01:00

1.3 KiB
Raw Permalink Blame History

SPDX-License-Identifier: GPL-2.0-only

config SECURITY_LANDLOCK bool "Landlock support" depends on SECURITY select SECURITY_NETWORK select SECURITY_PATH help Landlock is a sandboxing mechanism that enables processes to restrict themselves (and their future children) by gradually enforcing tailored access control policies. A Landlock security policy is a set of access rights (e.g. open a file in read-only, make a directory, etc.) tied to a file hierarchy. Such policy can be configured and enforced by any processes for themselves using the dedicated system calls: landlock_create_ruleset(), landlock_add_rule(), and landlock_restrict_self().

  See Documentation/userspace-api/landlock.rst for further information.

  If you are unsure how to answer this question, answer N.  Otherwise,
  you should also prepend "landlock," to the content of CONFIG_LSM to
  enable Landlock at boot time.

config SECURITY_LANDLOCK_KUNIT_TEST bool "KUnit tests for Landlock" if !KUNIT_ALL_TESTS depends on KUNIT=y depends on SECURITY_LANDLOCK default KUNIT_ALL_TESTS help Build KUnit tests for Landlock.

  See the KUnit documentation in Documentation/dev-tools/kunit

  Run all KUnit tests for Landlock with:
  ./tools/testing/kunit/kunit.py run --kunitconfig security/landlock

  If you are unsure how to answer this question, answer N.