From: jeffxu@chromium.org
To: mic@digikod.net
Cc: jorgelo@chromium.org, keescook@chromium.org,
	linux-security-module@vger.kernel.org, groeck@chromium.org,
	Jeff Xu <jeffxu@google.com>
Subject: [PATCH v2 1/1] selftests/landlock: skip ptrace_test according to YAMA
Date: Tue, 13 Dec 2022 18:58:16 +0000	[thread overview]
Message-ID: <20221213185816.3942853-2-jeffxu@chromium.org> (raw)
In-Reply-To: <20221213185816.3942853-1-jeffxu@chromium.org>

From: Jeff Xu <jeffxu@google.com>

Add a check for the Yama setting in ptrace_test.

Signed-off-by: Jeff Xu <jeffxu@google.com>
---
 .../testing/selftests/landlock/ptrace_test.c  | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing/selftests/landlock/ptrace_test.c
index c28ef98ff3ac..8565a25a9587 100644
--- a/tools/testing/selftests/landlock/ptrace_test.c
+++ b/tools/testing/selftests/landlock/ptrace_test.c
@@ -60,6 +60,24 @@ static int test_ptrace_read(const pid_t pid)
 	return 0;
 }
 
+static int get_ptrace_scope(void)
+{
+	int ret = -1;
+	char buf[2];
+	int fd = open("/proc/sys/kernel/yama/ptrace_scope", O_RDONLY);
+
+	if (fd < 0)
+		return 0;
+
+	if (read(fd, &buf, 1) < 0)
+		return -1;
+
+	buf[1] = '\0';
+	ret = atoi(buf);
+	close(fd);
+	return ret;
+}
+
 /* clang-format off */
 FIXTURE(hierarchy) {};
 /* clang-format on */
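Review bot: get_ptrace_scope() leaks the descriptor on its error path and can hand an unset byte to `atoi()`. The `read()` failure branch returns -1 without `close(fd)`, and a return of 0 (empty read) passes the `< 0` test, so `buf[0]` is parsed before anything was stored in it. Requiring exactly one byte and closing before the early return covers both: `if (read(fd, buf, 1) != 1) { close(fd); return -1; }`. Separately, every `open()` failure is reported as scope 0, so a permission error looks the same as a kernel without Yama and the test would then run under a wrong assumption about the active ptrace policy. Returning 0 only when `errno == ENOENT` (assuming errno.h is available in this file) and -1 otherwise would keep those cases apart.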
@@ -69,6 +87,7 @@ FIXTURE_VARIANT(hierarchy)
 	const bool domain_both;
 	const bool domain_parent;
 	const bool domain_child;
+	const int  yama_value;
 };
 
 /*
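Review bot: `yama_value` is added without a comment, and its meaning only becomes clear from the comparison in TEST_F(hierarchy, trace): it is the highest ptrace_scope at which the variant is still run. A comment such as `/* Highest Yama ptrace_scope under which this variant is expected to pass. */` above the field would state that. The values 0, 1 and 2 assigned in the FIXTURE_VARIANT_ADD hunks that follow are bare numbers with no rationale, so a reviewer cannot check from the patch that a variant is not skipped more often than necessary; a short reason next to each would help. The declaration also has two spaces after `int`.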
@@ -93,6 +112,7 @@ FIXTURE_VARIANT_ADD(hierarchy, allow_without_domain) {
 	.domain_both = false,
 	.domain_parent = false,
 	.domain_child = false,
+	.yama_value = 0,
 };
 
 /*
@@ -110,6 +130,7 @@ FIXTURE_VARIANT_ADD(hierarchy, allow_with_one_domain) {
 	.domain_both = false,
 	.domain_parent = false,
 	.domain_child = true,
+	.yama_value = 1,
 };
 
 /*
@@ -126,6 +147,7 @@ FIXTURE_VARIANT_ADD(hierarchy, deny_with_parent_domain) {
 	.domain_both = false,
 	.domain_parent = true,
 	.domain_child = false,
+	.yama_value = 0,
 };
 
 /*
@@ -143,6 +165,7 @@ FIXTURE_VARIANT_ADD(hierarchy, deny_with_sibling_domain) {
 	.domain_both = false,
 	.domain_parent = true,
 	.domain_child = true,
+	.yama_value = 2,
 };
 
 /*
@@ -160,6 +183,7 @@ FIXTURE_VARIANT_ADD(hierarchy, allow_sibling_domain) {
 	.domain_both = true,
 	.domain_parent = false,
 	.domain_child = false,
+	.yama_value = 0,
 };
 
 /*
@@ -178,6 +202,7 @@ FIXTURE_VARIANT_ADD(hierarchy, allow_with_nested_domain) {
 	.domain_both = true,
 	.domain_parent = false,
 	.domain_child = true,
+	.yama_value = 1,
 };
 
 /*
@@ -196,6 +221,7 @@ FIXTURE_VARIANT_ADD(hierarchy, deny_with_nested_and_parent_domain) {
 	.domain_both = true,
 	.domain_parent = true,
 	.domain_child = false,
+	.yama_value = 0,
 };
 
 /*
@@ -216,6 +242,7 @@ FIXTURE_VARIANT_ADD(hierarchy, deny_with_forked_domain) {
 	.domain_both = true,
 	.domain_parent = true,
 	.domain_child = true,
+	.yama_value = 2,
 };
 
 FIXTURE_SETUP(hierarchy)
@@ -232,9 +259,16 @@ TEST_F(hierarchy, trace)
 	pid_t child, parent;
 	int status, err_proc_read;
 	int pipe_child[2], pipe_parent[2];
+	int yama;
 	char buf_parent;
 	long ret;
 
+	yama = get_ptrace_scope();
+	ASSERT_LE(0, yama);
+
+	if (variant->yama_value < yama)
+		SKIP(return, "unsupported yama value %d", yama);
+
 	/*
 	 * Removes all effective and permitted capabilities to not interfere
 	 * with cap_ptrace_access_check() in case of PTRACE_MODE_FSCREDS.
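Review bot: The `SKIP` is taken before any of the test body runs, so a host whose ptrace_scope exceeds `variant->yama_value` loses the whole variant, presumably including Landlock checks that Yama does not affect. With the values in this patch, ptrace_scope 1 skips the four variants marked 0 and ptrace_scope 3 skips all of them; gating only the individual ptrace expectations that Yama changes would keep the Landlock restrictions exercised on such hosts. The message reports only the system value; `SKIP(return, "yama ptrace_scope %d exceeds variant limit %d", yama, variant->yama_value);` would make a skipped run easier to triage. The body of TEST_F(hierarchy, trace) continues past the end of this hunk.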
-- 
2.39.0.rc1.256.g54fd8350bd-goog

