Lines Matching defs:access
393 * (access type) confusion for this test.
494 /* Tests with denied-by-default access right. */
508 /* Test with no access. */
552 __u64 access;
564 /* Tests access rights for files. */
568 /* Tests access rights for directories. */
573 for (access = 1; access <= ACCESS_LAST; access <<= 1) {
574 path_beneath_dir.allowed_access = access;
579 path_beneath_file.allowed_access = access;
582 if (access & ACCESS_FILE) {
635 __u64 access;
676 add_path_beneath(_metadata, ruleset_fd, rules[i].access,
697 .access = LANDLOCK_ACCESS_FS_READ_FILE |
704 _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
746 .access = ACCESS_RO,
769 .access = ACCESS_RO,
773 .access = LANDLOCK_ACCESS_FS_READ_FILE |
827 .access = ACCESS_RO,
855 .access = LANDLOCK_ACCESS_FS_READ_FILE |
860 .access = LANDLOCK_ACCESS_FS_READ_FILE |
895 .access = LANDLOCK_ACCESS_FS_READ_FILE,
900 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
908 .access = LANDLOCK_ACCESS_FS_READ_FILE |
917 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1002 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
1009 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1063 /* Allows read access to file1_s1d3 with the first layer. */
1066 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1072 /* Start by granting read-write access via its parent directory... */
1075 .access = LANDLOCK_ACCESS_FS_READ_FILE |
1078 /* ...but also denies read access via its grandparent directory. */
1081 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1086 /* Allows read access via its great-grandparent directory. */
1089 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1095 * Try to confuse the deny access by denying write (but not
1096 * read) access via its grandparent directory.
1100 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1106 * Try to override layer2's deny read access by explicitly
1107 * allowing read access via file1_s1d3's grandparent.
1111 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1117 * Restricts an unrelated file hierarchy with a new access
1122 .access = LANDLOCK_ACCESS_FS_EXECUTE,
1128 * Finally, denies read access to file1_s1d3 via its
1133 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
1145 /* Checks that read access is granted for file1_s1d3 with layer 1. */
1158 /* Checks that previous access rights are unchanged with layer 2. */
1169 /* Checks that previous access rights are unchanged with layer 3. */
1174 /* This time, denies write access for the file hierarchy. */
1184 * Checks that the only change with layer 4 is that write access is
1198 /* Checks that previous access rights are unchanged with layer 5. */
1210 /* Checks that previous access rights are unchanged with layer 6. */
1224 /* Checks read access is now denied with layer 7. */
1236 .access = LANDLOCK_ACCESS_FS_READ_FILE |
1249 /* Write access is forbidden. */
1251 /* Readdir access is allowed. */
1254 /* Write access is forbidden. */
1256 /* Readdir access is allowed. */
1261 * any new access, only remove some. Once enforced, these rules are
1269 * access rights (even if this directory is opened a second time).
1285 /* Readdir access is still allowed. */
1290 /* Readdir access is still allowed. */
1294 * Try to get more privileges by adding new access rights to the parent
1306 /* Readdir access is still allowed. */
1311 /* Readdir access is still allowed. */
1336 /* Readdir access is still allowed. */
1353 .access = ACCESS_RO,
1362 /* Readdir access is denied for dir_s1d2. */
1364 /* Readdir access is allowed for dir_s1d3. */
1366 /* File access is allowed for file1_s1d3. */
1377 /* Readdir access is still denied for dir_s1d2. */
1379 /* Readdir access is still allowed for dir_s1d3. */
1381 /* File access is still allowed for file1_s1d3. */
1391 .access = ACCESS_RO,
1420 /* Enforces policy which deny read access to all files. */
1429 /* Nests a policy which deny read access to all directories. */
1448 .access = ACCESS_RO,
1453 .access = ACCESS_RO,
1477 .access = ACCESS_RO,
1482 .access = ACCESS_RO,
1510 .access = ACCESS_RO,
1520 /* Checks allowed access. */
1524 rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE;
1530 /* Checks denied access (on a directory). */
1540 .access = LANDLOCK_ACCESS_FS_READ_FILE,
1550 /* Checks denied access (on a directory). */
1560 .access = ACCESS_RO,
1588 .access = ACCESS_RO,
1611 .access = ACCESS_RO,
1645 .access = ACCESS_RO,
1649 .access = ACCESS_RO,
1653 .access = ACCESS_RO,
1691 .access = ACCESS_RO,
1698 .access = ACCESS_RO,
1702 .access = ACCESS_RO,
1874 .access = LANDLOCK_ACCESS_FS_EXECUTE,
1879 create_ruleset(_metadata, rules[0].access, rules);
1907 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
1914 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1918 int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
1947 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
1976 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1980 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
1985 create_ruleset(_metadata, rules[0].access, rules);
2058 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2062 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2067 create_ruleset(_metadata, rules[0].access, rules);
2122 .access = LANDLOCK_ACCESS_FS_REFER,
2126 .access = LANDLOCK_ACCESS_FS_REFER,
2169 ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
2184 ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
2203 .access = LANDLOCK_ACCESS_FS_REFER,
2212 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2221 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2229 * denying access (with MAKE_REG nor REMOVE).
2250 * denying access (with MAKE_REG nor REMOVE).
2273 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2277 .access = LANDLOCK_ACCESS_FS_REFER,
2281 .access = LANDLOCK_ACCESS_FS_REFER,
2285 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2331 * directory rename (because of the superset of access rights.
2351 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2355 .access = LANDLOCK_ACCESS_FS_REFER,
2359 .access = LANDLOCK_ACCESS_FS_REFER,
2363 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2443 * directory rename (because of the superset of access rights).
2451 * access rights tied to dir_s2d3. dir_s2d2 is missing one access right
2496 .access = LANDLOCK_ACCESS_FS_REFER,
2501 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2505 .access = LANDLOCK_ACCESS_FS_REFER,
2509 .access = LANDLOCK_ACCESS_FS_MAKE_REG,
2528 .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
2553 * because it doesn't inherit new access rights.
2560 * gets a new inherited access rights (MAKE_REG), because MAKE_REG is
2664 * because of access rights that would be inherited.
2673 /* Checks with same access rights. */
2679 /* Checks with different (child-only) access rights. */
2689 * directory-related access rights is allowed, and at the same time
2691 * grants less access rights is allowed too.
2699 * more access rights than the current state and because file creation
2727 /* Checks with different (child-only) access rights. */
2736 /* Checks with different (child-only) access rights. */
2796 .access = LANDLOCK_ACCESS_FS_REFER |
2801 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2805 .access = LANDLOCK_ACCESS_FS_REFER |
2858 .access = LANDLOCK_ACCESS_FS_REFER,
2862 .access = LANDLOCK_ACCESS_FS_EXECUTE,
2866 .access = LANDLOCK_ACCESS_FS_MAKE_SOCK |
2871 .access = LANDLOCK_ACCESS_FS_REFER |
2877 .access = LANDLOCK_ACCESS_FS_READ_FILE |
2898 * access right.
2904 * superset of access rights compared to dir_s1d2, because file1_s1d2
2905 * already has these access rights anyway.
2913 * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access
2920 * of access rights compared to dir_s1d2, because dir_s1d3 already has
2921 * these access rights anyway.
2928 * will be denied because the new inherited access rights from dir_s1d2
2951 .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
2956 create_ruleset(_metadata, rules[0].access, rules);
2988 .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
2993 create_ruleset(_metadata, rules[0].access, rules);
3008 const __u64 access, const mode_t mode,
3014 .access = access,
3018 const int ruleset_fd = create_ruleset(_metadata, access, rules);
3102 .access = LANDLOCK_ACCESS_FS_MAKE_SYM,
3107 create_ruleset(_metadata, rules[0].access, rules);
3147 .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
3152 create_ruleset(_metadata, rules[0].access, rules);
3187 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3230 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3235 /* Limits read and write access to files tied to the filesystem. */
3237 create_ruleset(_metadata, rules[0].access, rules);
3247 /* Checks access to pipes through FD. */
3256 /* Checks write access to pipe through /proc/self/fd . */
3266 /* Checks read access to pipe through /proc/self/fd . */
3302 * (access type) confusion for this test.
3321 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3325 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3384 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3390 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3395 .access = LANDLOCK_ACCESS_FS_READ_FILE |
3400 .access = LANDLOCK_ACCESS_FS_TRUNCATE,
3402 /* Implicitly: No access rights for file_none. */
3405 .access = LANDLOCK_ACCESS_FS_TRUNCATE,
3409 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3502 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3510 .access = LANDLOCK_ACCESS_FS_TRUNCATE,
3519 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3639 .access = variant->permitted,
3680 .access = variant->permitted,
3818 * Sets access right on parent directories of both source and
3824 .access = ACCESS_RO,
3828 .access = ACCESS_RW,
3833 * Sets access rights on the same bind-mounted directories. The result
3840 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3844 .access = ACCESS_RW,
3848 /* Only allow read-access to the s1d3 hierarchies. */
3852 .access = LANDLOCK_ACCESS_FS_READ_FILE,
3856 /* Removes all access rights. */
3860 .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
3957 .access = LANDLOCK_ACCESS_FS_REFER,
3961 .access = LANDLOCK_ACCESS_FS_EXECUTE,
4234 /* Sets access right on parent directories of both layers. */
4238 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4242 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4246 .access = ACCESS_RW,
4253 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4257 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4261 .access = ACCESS_RW,
4265 /* Sets access right on directories inside both layers. */
4269 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4273 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4277 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4281 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4285 .access = ACCESS_RW,
4289 .access = ACCESS_RW,
4293 .access = ACCESS_RW,
4297 /* Tighten access rights to the files. */
4301 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4305 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4309 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4313 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4317 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4321 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4325 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4330 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4335 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4340 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4345 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4353 .access = LANDLOCK_ACCESS_FS_READ_FILE |
4398 * Checks that access rights are independent from the lower and upper
4399 * layers: write access to upper files viewed through the merge point
4400 * is still allowed, and write access to lower file viewed (and copied)
4483 /* Only allowes access to the merge hierarchy. */
4664 .access = LANDLOCK_ACCESS_FS_READ_FILE,
4698 /* Checks with Landlock and forbidden access. */
4732 .access = LANDLOCK_ACCESS_FS_READ_DIR,
4766 /* Checks that access to the new mount point is denied. */