linux/tools/testing/selftests/landlock/scoped_multiple_domain_variants.h

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Landlock variants for three processes with various domains.
 *
 * Copyright © 2024 Tahera Fahimi <[email protected]>
 */

enum sandbox_type {
	NO_SANDBOX,
	SCOPE_SANDBOX,
	/* Any other type of sandboxing domain */
	OTHER_SANDBOX,
};

/* clang-format on */
FIXTURE_VARIANT(scoped_vs_unscoped)
{
	const int domain_all;
	const int domain_parent;
	const int domain_children;
	const int domain_child;
	const int domain_grand_child;
};

/*
 * .-----------------.
 * |         ####### |  P3 -> P2 : allow
 * |   P1----# P2  # |  P3 -> P1 : deny
 * |         #  |  # |
 * |         # P3  # |
 * |         ####### |
 * '-----------------'
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_scoped) {
	.domain_all = OTHER_SANDBOX,
	.domain_parent = NO_SANDBOX,
	.domain_children = SCOPE_SANDBOX,
	.domain_child = NO_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};

/*
 * ###################
 * #         ####### #  P3 -> P2 : allow
 * #   P1----# P2  # #  P3 -> P1 : deny
 * #         #  |  # #
 * #         # P3  # #
 * #         ####### #
 * ###################
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, all_scoped) {
	.domain_all = SCOPE_SANDBOX,
	.domain_parent = NO_SANDBOX,
	.domain_children = SCOPE_SANDBOX,
	.domain_child = NO_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};

/*
 * .-----------------.
 * |         .-----. |  P3 -> P2 : allow
 * |   P1----| P2  | |  P3 -> P1 : allow
 * |         |     | |
 * |         | P3  | |
 * |         '-----' |
 * '-----------------'
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_other_domain) {
	.domain_all = OTHER_SANDBOX,
	.domain_parent = NO_SANDBOX,
	.domain_children = OTHER_SANDBOX,
	.domain_child = NO_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};

/*
 *  .----.    ######   P3 -> P2 : allow
 *  | P1 |----# P2 #   P3 -> P1 : allow
 *  '----'    ######
 *              |
 *              P3
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_one_domain) {
	.domain_all = NO_SANDBOX,
	.domain_parent = OTHER_SANDBOX,
	.domain_children = NO_SANDBOX,
	.domain_child = SCOPE_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};

/*
 *  ######    .-----.   P3 -> P2 : allow
 *  # P1 #----| P2  |   P3 -> P1 : allow
 *  ######    '-----'
 *              |
 *              P3
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_grand_parent_scoped) {
	.domain_all = NO_SANDBOX,
	.domain_parent = SCOPE_SANDBOX,
	.domain_children = NO_SANDBOX,
	.domain_child = OTHER_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};

/*
 *  ######    ######   P3 -> P2 : allow
 *  # P1 #----# P2 #   P3 -> P1 : allow
 *  ######    ######
 *               |
 *             .----.
 *             | P3 |
 *             '----'
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, allow_with_parents_domain) {
	.domain_all = NO_SANDBOX,
	.domain_parent = SCOPE_SANDBOX,
	.domain_children = NO_SANDBOX,
	.domain_child = SCOPE_SANDBOX,
	.domain_grand_child = NO_SANDBOX,
	/* clang-format on */
};

/*
 *  ######		P3 -> P2 : deny
 *  # P1 #----P2	P3 -> P1 : deny
 *  ######     |
 *	       |
 *	     ######
 *           # P3 #
 *           ######
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_vs_unscoped, deny_with_self_and_grandparent_domain) {
	.domain_all = NO_SANDBOX,
	.domain_parent = SCOPE_SANDBOX,
	.domain_children = NO_SANDBOX,
	.domain_child = NO_SANDBOX,
	.domain_grand_child = SCOPE_SANDBOX,
	/* clang-format on */
};