github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/sys/linux/test/landlock_fs_forbidden (about)

     1  # Landlock denies whole filesystem-topology syscalls to a thread sandboxed with a filesystem ruleset; each returns EPERM.
     2  #
     3  # Manipulating namespaces requires some privileges:
     4  # requires: -sandbox=setuid
     5  
     6  # Makes ./file0 a private mount point (0x40000 is MS_PRIVATE) for MS_MOVE.
     7  
     8  mkdirat(0xffffffffffffff9c, &AUTO='./file0\x00', 0x1c0)
     9  mount$tmpfs(0x0, &AUTO='./file0\x00', &AUTO='tmpfs\x00', 0x0, 0x0)
    10  mount$bind(&AUTO='\x00', &AUTO='./file0\x00', &AUTO='pipefs\x00', 0x40000, 0x0)
    11  mkdirat(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x1c0)
    12  mount$tmpfs(0x0, &AUTO='./file0/file0\x00', &AUTO='tmpfs\x00', 0x0, 0x0)
    13  mkdirat(0xffffffffffffff9c, &AUTO='./file0/file1\x00', 0x1c0)
    14  
    15  # Creates a first ruleset that handles only the execute access right (0x1), sets no_new_privs, and enforces the ruleset.
    16  
    17  r0 = landlock_create_ruleset(&AUTO={0x1, 0x0}, AUTO, 0x0)
    18  prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1)
    19  landlock_restrict_self(r0, 0x0)
    20  
    21  # Checks hook_sb_mount().
    22  
    23  mount$tmpfs(0x0, &AUTO='./file0/file1\x00', &AUTO='tmpfs\x00', 0x0, 0x0) # EPERM
    24  
    25  # Checks hook_sb_umount().
    26  
    27  umount2(&AUTO='./file0/file0\x00', 0x0) # EPERM
    28  
    29  # Checks hook_move_mount().
    30  
    31  move_mount(0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0xffffffffffffff9c, &AUTO='./file0/file0\x00', 0x0) # EPERM
    32  
    33  # Checks hook_sb_remount() (0x21 is MS_REMOUNT | MS_RDONLY).
    34  
    35  mount$bind(&AUTO='\x00', &AUTO='./file0/file0\x00', &AUTO='pipefs\x00', 0x21, 0x0) # EPERM
    36  
    37  # Checks hook_sb_pivotroot().
    38  
    39  pivot_root(&AUTO='./file0\x00', &AUTO='./file0/file0\x00') # EPERM