#!/bin/bash

# Copyright (C) 2023 Thomas Weißschuh <thomas@t-8ch.de>
#
# This file is part of util-linux.
#
# This file is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This file is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

TS_TOPDIR="${0%/*}/../.."
TS_DESC="setpriv landlock"

. "$TS_TOPDIR"/functions.sh
ts_init "$*"

[[ "$COVERAGE" = yes ]] && ts_skip "does not work with coverage"

ts_check_test_command "$TS_CMD_SETPRIV"

"$TS_CMD_SETPRIV" --landlock-access fs \
	--landlock-rule path-beneath:execute:/ \
	--landlock-rule path-beneath:read-file:/ \
	true \
	|| ts_skip "no landlock support in setpriv"

ts_init_subtest "nothing-allowed"
"$TS_CMD_SETPRIV" --landlock-access fs true &> "$TS_OUTPUT"
ts_finalize_subtest

ts_init_subtest "partial-access-fail"
"$TS_CMD_SETPRIV" --landlock-access \
	fs:write cp /dev/null /dev/zero \
	&> "$TS_OUTPUT"
ts_finalize_subtest

ts_init_subtest "partial-access-success"
"$TS_CMD_SETPRIV" \
	--landlock-access fs:write --landlock-rule path-beneath:write:/dev/zero \
	cp /dev/null /dev/zero \
	&> "$TS_OUTPUT"
ts_finalize_subtest

ts_init_subtest "combined-access"
"$TS_CMD_SETPRIV" --landlock-access fs:execute,read-file \
	--landlock-rule path-beneath:execute,read-file:/ \
	true \
	&> "$TS_OUTPUT"
ts_finalize_subtest

ts_init_subtest "wildcard-access"
"$TS_CMD_SETPRIV" --landlock-access fs \
	--landlock-rule path-beneath::/ \
	true \
	&> "$TS_OUTPUT"
ts_finalize_subtest

ts_finalize