Lines Matching full:access

391 	 * (access type) confusion for this test.  in test_open_rel()
492 /* Tests with denied-by-default access right. */ in TEST_F_FORK()
506 /* Test with no access. */ in TEST_F_FORK()
550 __u64 access; in TEST_F_FORK() local
562 /* Tests access rights for files. */ in TEST_F_FORK()
566 /* Tests access rights for directories. */ in TEST_F_FORK()
571 for (access = 1; access <= ACCESS_LAST; access <<= 1) { in TEST_F_FORK()
572 path_beneath_dir.allowed_access = access; in TEST_F_FORK()
577 path_beneath_file.allowed_access = access; in TEST_F_FORK()
580 if (access & ACCESS_FILE) { in TEST_F_FORK()
633 __u64 access; member
674 add_path_beneath(_metadata, ruleset_fd, rules[i].access, in create_ruleset()
695 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
702 _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR, in TEST_F_FORK()
744 .access = ACCESS_RO, in TEST_F_FORK()
767 .access = ACCESS_RO, in TEST_F_FORK()
771 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
825 .access = ACCESS_RO, in TEST_F_FORK()
853 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
858 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
893 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
898 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
906 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
915 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
1000 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
1007 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
1061 /* Allows read access to file1_s1d3 with the first layer. */ in TEST_F_FORK()
1064 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1070 /* Start by granting read-write access via its parent directory... */ in TEST_F_FORK()
1073 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
1076 /* ...but also denies read access via its grandparent directory. */ in TEST_F_FORK()
1079 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
1084 /* Allows read access via its great-grandparent directory. */ in TEST_F_FORK()
1087 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1093 * Try to confuse the deny access by denying write (but not in TEST_F_FORK()
1094 * read) access via its grandparent directory. in TEST_F_FORK()
1098 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1104 * Try to override layer2's deny read access by explicitly in TEST_F_FORK()
1105 * allowing read access via file1_s1d3's grandparent. in TEST_F_FORK()
1109 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1115 * Restricts an unrelated file hierarchy with a new access in TEST_F_FORK()
1120 .access = LANDLOCK_ACCESS_FS_EXECUTE, in TEST_F_FORK()
1126 * Finally, denies read access to file1_s1d3 via its in TEST_F_FORK()
1131 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
1143 /* Checks that read access is granted for file1_s1d3 with layer 1. */ in TEST_F_FORK()
1156 /* Checks that previous access rights are unchanged with layer 2. */ in TEST_F_FORK()
1167 /* Checks that previous access rights are unchanged with layer 3. */ in TEST_F_FORK()
1172 /* This time, denies write access for the file hierarchy. */ in TEST_F_FORK()
1182 * Checks that the only change with layer 4 is that write access is in TEST_F_FORK()
1196 /* Checks that previous access rights are unchanged with layer 5. */ in TEST_F_FORK()
1208 /* Checks that previous access rights are unchanged with layer 6. */ in TEST_F_FORK()
1222 /* Checks read access is now denied with layer 7. */ in TEST_F_FORK()
1234 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
1247 /* Write access is forbidden. */ in TEST_F_FORK()
1249 /* Readdir access is allowed. */ in TEST_F_FORK()
1252 /* Write access is forbidden. */ in TEST_F_FORK()
1254 /* Readdir access is allowed. */ in TEST_F_FORK()
1259 * any new access, only remove some. Once enforced, these rules are in TEST_F_FORK()
1267 * access rights (even if this directory is opened a second time). in TEST_F_FORK()
1283 /* Readdir access is still allowed. */ in TEST_F_FORK()
1288 /* Readdir access is still allowed. */ in TEST_F_FORK()
1292 * Try to get more privileges by adding new access rights to the parent in TEST_F_FORK()
1304 /* Readdir access is still allowed. */ in TEST_F_FORK()
1309 /* Readdir access is still allowed. */ in TEST_F_FORK()
1334 /* Readdir access is still allowed. */ in TEST_F_FORK()
1351 .access = ACCESS_RO, in TEST_F_FORK()
1360 /* Readdir access is denied for dir_s1d2. */ in TEST_F_FORK()
1362 /* Readdir access is allowed for dir_s1d3. */ in TEST_F_FORK()
1364 /* File access is allowed for file1_s1d3. */ in TEST_F_FORK()
1375 /* Readdir access is still denied for dir_s1d2. */ in TEST_F_FORK()
1377 /* Readdir access is still allowed for dir_s1d3. */ in TEST_F_FORK()
1379 /* File access is still allowed for file1_s1d3. */ in TEST_F_FORK()
1389 .access = ACCESS_RO, in TEST_F_FORK()
1418 /* Enforces a policy which denies read access to all files. */ in TEST_F_FORK()
1427 /* Nests a policy which denies read access to all directories. */ in TEST_F_FORK()
1446 .access = ACCESS_RO, in TEST_F_FORK()
1451 .access = ACCESS_RO, in TEST_F_FORK()
1475 .access = ACCESS_RO, in TEST_F_FORK()
1480 .access = ACCESS_RO, in TEST_F_FORK()
1508 .access = ACCESS_RO, in TEST_F_FORK()
1518 /* Checks allowed access. */ in TEST_F_FORK()
1522 rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE; in TEST_F_FORK()
1528 /* Checks denied access (on a directory). */ in TEST_F_FORK()
1538 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
1548 /* Checks denied access (on a directory). */ in TEST_F_FORK()
1558 .access = ACCESS_RO, in TEST_F_FORK()
1586 .access = ACCESS_RO, in TEST_F_FORK()
1609 .access = ACCESS_RO, in TEST_F_FORK()
1643 .access = ACCESS_RO, in TEST_F_FORK()
1647 .access = ACCESS_RO, in TEST_F_FORK()
1651 .access = ACCESS_RO, in TEST_F_FORK()
1689 .access = ACCESS_RO, in test_relative_path()
1696 .access = ACCESS_RO, in test_relative_path()
1700 .access = ACCESS_RO, in test_relative_path()
1872 .access = LANDLOCK_ACCESS_FS_EXECUTE, in TEST_F_FORK()
1877 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
1905 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
1912 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
1916 int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1); in TEST_F_FORK()
1945 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2); in TEST_F_FORK()
1974 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
1978 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
1983 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2056 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, in TEST_F_FORK()
2060 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, in TEST_F_FORK()
2065 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2120 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2124 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2167 ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1); in refer_denied_by_default()
2182 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2); in refer_denied_by_default()
2201 .access = LANDLOCK_ACCESS_FS_REFER,
2210 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2219 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2227 * denying access (with MAKE_REG nor REMOVE).
2248 * denying access (with MAKE_REG nor REMOVE).
2271 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2275 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2279 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2283 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2329 * directory rename (because of the superset of access rights). in TEST_F_FORK()
2349 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2353 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2357 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2361 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in TEST_F_FORK()
2441 * directory rename (because of the superset of access rights). in TEST_F_FORK()
2449 * access rights tied to dir_s2d3. dir_s2d2 is missing one access right in TEST_F_FORK()
2494 .access = LANDLOCK_ACCESS_FS_REFER, in reparent_exdev_layers_enforce1()
2499 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in reparent_exdev_layers_enforce1()
2503 .access = LANDLOCK_ACCESS_FS_REFER, in reparent_exdev_layers_enforce1()
2507 .access = LANDLOCK_ACCESS_FS_MAKE_REG, in reparent_exdev_layers_enforce1()
2526 .access = LANDLOCK_ACCESS_FS_MAKE_DIR, in reparent_exdev_layers_enforce2()
2551 * because it doesn't inherit new access rights. in TEST_F_FORK()
2558 * gets a new inherited access right (MAKE_REG), because MAKE_REG is in TEST_F_FORK()
2662 * because of access rights that would be inherited. in TEST_F_FORK()
2671 /* Checks with same access rights. */ in TEST_F_FORK()
2677 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2687 * directory-related access rights is allowed, and at the same time in TEST_F_FORK()
2689 * grants less access rights is allowed too. in TEST_F_FORK()
2697 * more access rights than the current state and because file creation in TEST_F_FORK()
2725 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2734 /* Checks with different (child-only) access rights. */ in TEST_F_FORK()
2794 .access = LANDLOCK_ACCESS_FS_REFER | in TEST_F_FORK()
2799 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
2803 .access = LANDLOCK_ACCESS_FS_REFER | in TEST_F_FORK()
2818 /* Access denied because of wrong/swapped remove file/dir. */ in TEST_F_FORK()
2830 /* Access allowed thanks to the matching rights. */ in TEST_F_FORK()
2856 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
2860 .access = LANDLOCK_ACCESS_FS_EXECUTE, in TEST_F_FORK()
2864 .access = LANDLOCK_ACCESS_FS_MAKE_SOCK | in TEST_F_FORK()
2869 .access = LANDLOCK_ACCESS_FS_REFER | in TEST_F_FORK()
2875 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
2896 * access right. in TEST_F_FORK()
2902 * superset of access rights compared to dir_s1d2, because file1_s1d2 in TEST_F_FORK()
2903 * already has these access rights anyway. in TEST_F_FORK()
2911 * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access in TEST_F_FORK()
2918 * of access rights compared to dir_s1d2, because dir_s1d3 already has in TEST_F_FORK()
2919 * these access rights anyway. in TEST_F_FORK()
2926 * will be denied because the new inherited access rights from dir_s1d2 in TEST_F_FORK()
2949 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, in TEST_F_FORK()
2954 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
2986 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, in TEST_F_FORK()
2991 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3006 const __u64 access, const mode_t mode, in test_make_file() argument
3012 .access = access, in test_make_file()
3016 const int ruleset_fd = create_ruleset(_metadata, access, rules); in test_make_file()
3100 .access = LANDLOCK_ACCESS_FS_MAKE_SYM, in TEST_F_FORK()
3105 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3145 .access = LANDLOCK_ACCESS_FS_MAKE_DIR, in TEST_F_FORK()
3150 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3185 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
3228 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3233 /* Limits read and write access to files tied to the filesystem. */ in TEST_F_FORK()
3235 create_ruleset(_metadata, rules[0].access, rules); in TEST_F_FORK()
3245 /* Checks access to pipes through FD. */ in TEST_F_FORK()
3254 /* Checks write access to pipe through /proc/self/fd . */ in TEST_F_FORK()
3264 /* Checks read access to pipe through /proc/self/fd . */ in TEST_F_FORK()
3300 * (access type) confusion for this test. in test_creat()
3319 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
3323 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3382 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3388 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3393 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
3398 .access = LANDLOCK_ACCESS_FS_TRUNCATE, in TEST_F_FORK()
3400 /* Implicitly: No access rights for file_none. */ in TEST_F_FORK()
3403 .access = LANDLOCK_ACCESS_FS_TRUNCATE, in TEST_F_FORK()
3407 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3500 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3508 .access = LANDLOCK_ACCESS_FS_TRUNCATE, in TEST_F_FORK()
3517 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3637 .access = variant->permitted, in TEST_F_FORK()
3678 .access = variant->permitted, in TEST_F_FORK()
3816 * Sets access right on parent directories of both source and in TEST_F_FORK()
3822 .access = ACCESS_RO, in TEST_F_FORK()
3826 .access = ACCESS_RW, in TEST_F_FORK()
3831 * Sets access rights on the same bind-mounted directories. The result in TEST_F_FORK()
3838 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
3842 .access = ACCESS_RW, in TEST_F_FORK()
3846 /* Only allow read-access to the s1d3 hierarchies. */ in TEST_F_FORK()
3850 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
3854 /* Removes all access rights. */ in TEST_F_FORK()
3858 .access = LANDLOCK_ACCESS_FS_WRITE_FILE, in TEST_F_FORK()
3955 .access = LANDLOCK_ACCESS_FS_REFER, in TEST_F_FORK()
3959 .access = LANDLOCK_ACCESS_FS_EXECUTE, in TEST_F_FORK()
4232 /* Sets access right on parent directories of both layers. */ in TEST_F_FORK()
4236 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4240 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4244 .access = ACCESS_RW, in TEST_F_FORK()
4251 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4255 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4259 .access = ACCESS_RW, in TEST_F_FORK()
4263 /* Sets access right on directories inside both layers. */ in TEST_F_FORK()
4267 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4271 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4275 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4279 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4283 .access = ACCESS_RW, in TEST_F_FORK()
4287 .access = ACCESS_RW, in TEST_F_FORK()
4291 .access = ACCESS_RW, in TEST_F_FORK()
4295 /* Tighten access rights to the files. */ in TEST_F_FORK()
4299 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4303 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4307 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4311 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4315 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4319 .access = LANDLOCK_ACCESS_FS_READ_FILE, in TEST_F_FORK()
4323 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4328 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4333 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4338 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4343 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4351 .access = LANDLOCK_ACCESS_FS_READ_FILE | in TEST_F_FORK()
4396 * Checks that access rights are independent from the lower and upper in TEST_F_FORK()
4397 * layers: write access to upper files viewed through the merge point in TEST_F_FORK()
4398 * is still allowed, and write access to lower file viewed (and copied) in TEST_F_FORK()
4481 /* Only allows access to the merge hierarchy. */ in TEST_F_FORK()
4659 .access = LANDLOCK_ACCESS_FS_READ_FILE, in layer3_fs_tag_inode()
4693 /* Checks with Landlock and forbidden access. */ in layer3_fs_tag_inode()
4727 .access = LANDLOCK_ACCESS_FS_READ_DIR, in TEST_F_FORK()
4761 /* Checks that access to the new mount point is denied. */ in TEST_F_FORK()