255 	 * (access type) confusion for this test.  in test_open_rel()
363 	/* Test with no access. */  in TEST_F_FORK()
401 	__u64 access;  in TEST_F_FORK()  local
412 	/* Tests access rights for files. */  in TEST_F_FORK()
415 	for (access = 1; access <= ACCESS_LAST; access <<= 1) {  in TEST_F_FORK()
416 		path_beneath.allowed_access = access;  in TEST_F_FORK()
419 		if ((access | ACCESS_FILE) == ACCESS_FILE) {  in TEST_F_FORK()
452 	__u64 access;  member
485 		add_path_beneath(_metadata, ruleset_fd, rules[i].access,  in create_ruleset()
505 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
511 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access |  in TEST_F_FORK()
552 			.access = ACCESS_RO,  in TEST_F_FORK()
575 			.access = ACCESS_RO,  in TEST_F_FORK()
579 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
627 			.access = ACCESS_RO,  in TEST_F_FORK()
655 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
660 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
695 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,  in TEST_F_FORK()
702 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,  in TEST_F_FORK()
756 		/* Allows read access to file1_s1d3 with the first layer. */  in TEST_F_FORK()
759 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
765 		/* Start by granting read-write access via its parent directory... */  in TEST_F_FORK()
768 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
771 		/* ...but also denies read access via its grandparent directory. */  in TEST_F_FORK()
774 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,  in TEST_F_FORK()
779 		/* Allows read access via its great-grandparent directory. */  in TEST_F_FORK()
782 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
788 		 * Try to confuse the deny access by denying write (but not  in TEST_F_FORK()
789 		 * read) access via its grandparent directory.  in TEST_F_FORK()
793 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
799 		 * Try to override layer2's deny read access by explicitly  in TEST_F_FORK()
800 		 * allowing read access via file1_s1d3's grandparent.  in TEST_F_FORK()
804 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
810 		 * Restricts an unrelated file hierarchy with a new access  in TEST_F_FORK()
815 			.access = LANDLOCK_ACCESS_FS_EXECUTE,  in TEST_F_FORK()
821 		 * Finally, denies read access to file1_s1d3 via its  in TEST_F_FORK()
826 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,  in TEST_F_FORK()
838 	/* Checks that read access is granted for file1_s1d3 with layer 1. */  in TEST_F_FORK()
849 	/* Checks that previous access rights are unchanged with layer 2. */  in TEST_F_FORK()
860 	/* Checks that previous access rights are unchanged with layer 3. */  in TEST_F_FORK()
865 	/* This time, denies write access for the file hierarchy. */  in TEST_F_FORK()
873 	 * Checks that the only change with layer 4 is that write access is  in TEST_F_FORK()
887 	/* Checks that previous access rights are unchanged with layer 5. */  in TEST_F_FORK()
899 	/* Checks that previous access rights are unchanged with layer 6. */  in TEST_F_FORK()
911 	/* Checks read access is now denied with layer 7. */  in TEST_F_FORK()
923 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
936 	/* Write access is forbidden. */  in TEST_F_FORK()
938 	/* Readdir access is allowed. */  in TEST_F_FORK()
941 	/* Write access is forbidden. */  in TEST_F_FORK()
943 	/* Readdir access is allowed. */  in TEST_F_FORK()
948 	 * any new access, only remove some.  Once enforced, these rules are  in TEST_F_FORK()
956 	 * access rights (even if this directory is opened a second time).  in TEST_F_FORK()
972 	/* Readdir access is still allowed. */  in TEST_F_FORK()
977 	/* Readdir access is still allowed. */  in TEST_F_FORK()
981 	 * Try to get more privileges by adding new access rights to the parent  in TEST_F_FORK()
993 	/* Readdir access is still allowed. */  in TEST_F_FORK()
998 	/* Readdir access is still allowed. */  in TEST_F_FORK()
1023 	/* Readdir access is still allowed. */  in TEST_F_FORK()
1040 			.access = ACCESS_RO,  in TEST_F_FORK()
1049 	/* Readdir access is denied for dir_s1d2. */  in TEST_F_FORK()
1051 	/* Readdir access is allowed for dir_s1d3. */  in TEST_F_FORK()
1053 	/* File access is allowed for file1_s1d3. */  in TEST_F_FORK()
1062 	/* Readdir access is still denied for dir_s1d2. */  in TEST_F_FORK()
1064 	/* Readdir access is still allowed for dir_s1d3. */  in TEST_F_FORK()
1066 	/* File access is still allowed for file1_s1d3. */  in TEST_F_FORK()
1076 			.access = ACCESS_RO,  in TEST_F_FORK()
1105 	/* Enforces policy which deny read access to all files. */  in TEST_F_FORK()
1114 	/* Nests a policy which deny read access to all directories. */  in TEST_F_FORK()
1133 			.access = ACCESS_RO,  in TEST_F_FORK()
1138 			.access = ACCESS_RO,  in TEST_F_FORK()
1162 			.access = ACCESS_RO,  in TEST_F_FORK()
1167 			.access = ACCESS_RO,  in TEST_F_FORK()
1195 			.access = ACCESS_RO,  in TEST_F_FORK()
1205 	/* Checks allowed access. */  in TEST_F_FORK()
1209 	rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE;  in TEST_F_FORK()
1215 	/* Checks denied access (on a directory). */  in TEST_F_FORK()
1225 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
1235 	/* Checks denied access (on a directory). */  in TEST_F_FORK()
1245 			.access = ACCESS_RO,  in TEST_F_FORK()
1272 			.access = ACCESS_RO,  in TEST_F_FORK()
1295 			.access = ACCESS_RO,  in TEST_F_FORK()
1328 			.access = ACCESS_RO,  in TEST_F_FORK()
1332 			.access = ACCESS_RO,  in TEST_F_FORK()
1336 			.access = ACCESS_RO,  in TEST_F_FORK()
1374 			.access = ACCESS_RO,  in test_relative_path()
1381 			.access = ACCESS_RO,  in test_relative_path()
1385 			.access = ACCESS_RO,  in test_relative_path()
1550 			.access = LANDLOCK_ACCESS_FS_EXECUTE,  in TEST_F_FORK()
1554 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
1583 			.access = LANDLOCK_ACCESS_FS_MAKE_REG,  in TEST_F_FORK()
1587 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
1616 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,  in TEST_F_FORK()
1620 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,  in TEST_F_FORK()
1624 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
1693 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,  in TEST_F_FORK()
1697 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,  in TEST_F_FORK()
1701 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
1751 			.access = LANDLOCK_ACCESS_FS_REMOVE_DIR,  in TEST_F_FORK()
1755 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
1788 			.access = LANDLOCK_ACCESS_FS_REMOVE_FILE,  in TEST_F_FORK()
1792 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
1808 		const __u64 access, const mode_t mode, const dev_t dev)  in test_make_file()  argument
1813 			.access = access,  in test_make_file()
1817 	const int ruleset_fd = create_ruleset(_metadata, access, rules);  in test_make_file()
1899 			.access = LANDLOCK_ACCESS_FS_MAKE_SYM,  in TEST_F_FORK()
1903 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
1944 			.access = LANDLOCK_ACCESS_FS_MAKE_DIR,  in TEST_F_FORK()
1948 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
1984 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2025 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
2030 	/* Limits read and write access to files tied to the filesystem. */  in TEST_F_FORK()
2031 	const int ruleset_fd = create_ruleset(_metadata, rules[0].access,  in TEST_F_FORK()
2042 	/* Checks access to pipes through FD. */  in TEST_F_FORK()
2050 	/* Checks write access to pipe through /proc/self/fd . */  in TEST_F_FORK()
2059 	/* Checks read access to pipe through /proc/self/fd . */  in TEST_F_FORK()
2152 	 * Sets access right on parent directories of both source and  in TEST_F_FORK()
2158 			.access = ACCESS_RO,  in TEST_F_FORK()
2162 			.access = ACCESS_RW,  in TEST_F_FORK()
2167 	 * Sets access rights on the same bind-mounted directories.  The result  in TEST_F_FORK()
2174 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2178 			.access = ACCESS_RW,  in TEST_F_FORK()
2182 	/* Only allow read-access to the s1d3 hierarchies. */  in TEST_F_FORK()
2186 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2190 	/* Removes all access rights. */  in TEST_F_FORK()
2194 			.access = LANDLOCK_ACCESS_FS_WRITE_FILE,  in TEST_F_FORK()
2522 	/* Sets access right on parent directories of both layers. */  in TEST_F_FORK()
2526 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2530 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2534 			.access = ACCESS_RW,  in TEST_F_FORK()
2541 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2545 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2549 			.access = ACCESS_RW,  in TEST_F_FORK()
2553 	/* Sets access right on directories inside both layers. */  in TEST_F_FORK()
2557 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2561 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2565 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2569 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2573 			.access = ACCESS_RW,  in TEST_F_FORK()
2577 			.access = ACCESS_RW,  in TEST_F_FORK()
2581 			.access = ACCESS_RW,  in TEST_F_FORK()
2585 	/* Tighten access rights to the files. */  in TEST_F_FORK()
2589 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2593 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2597 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2601 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2605 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2609 			.access = LANDLOCK_ACCESS_FS_READ_FILE,  in TEST_F_FORK()
2613 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
2618 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
2623 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
2628 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
2633 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
2641 			.access = LANDLOCK_ACCESS_FS_READ_FILE |  in TEST_F_FORK()
2681 	 * Checks that access rights are independent from the lower and upper  in TEST_F_FORK()
2682 	 * layers: write access to upper files viewed through the merge point  in TEST_F_FORK()
2683 	 * is still allowed, and write access to lower file viewed (and copied)  in TEST_F_FORK()
2765 	/* Only allowes access to the merge hierarchy. */  in TEST_F_FORK()