Quelle  audit_test.c   Sprache: C

// SPDX-License-Identifier: GPL-2.0
/*
 * Landlock tests - Audit
 *
 * Copyright © 2024-2025 Microsoft Corporation
 */

#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/landlock.h>
#include <pthread.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include "audit.h"
#include "common.h"

static int matches_log_signal(struct __test_metadata *const _metadata,
         int audit_fd, const pid_t opid, __u64 *domain_id)
{
 static const char log_template[] = REGEX_LANDLOCK_PREFIX
  " blockers=scope\\.signal opid=%d ocomm=\"audit_test\"$";
 char log_match[sizeof(log_template) + 10];
 int log_match_len;

 log_match_len =
  snprintf(log_match, sizeof(log_match), log_template, opid);
 if (log_match_len > sizeof(log_match))
  return -E2BIG;

 return audit_match_record(audit_fd, AUDIT_LANDLOCK_ACCESS, log_match,
      domain_id);
}

FIXTURE(audit)
{
 struct audit_filter audit_filter;
 int audit_fd;
};

FIXTURE_SETUP(audit)
{
 disable_caps(_metadata);
 set_cap(_metadata, CAP_AUDIT_CONTROL);
 self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
 EXPECT_LE(0, self->audit_fd)
 {
  const char *error_msg;

  /* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */
  if (self->audit_fd == -EEXIST)
   error_msg = "socket already in use (e.g. auditd)";
  else
   error_msg = strerror(-self->audit_fd);
  TH_LOG("Failed to initialize audit: %s", error_msg);
 }
 clear_cap(_metadata, CAP_AUDIT_CONTROL);
}

FIXTURE_TEARDOWN(audit)
{
 set_cap(_metadata, CAP_AUDIT_CONTROL);
 EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->audit_filter));
 clear_cap(_metadata, CAP_AUDIT_CONTROL);
}

TEST_F(audit, layers)
{
 const struct landlock_ruleset_attr ruleset_attr = {
  .scoped = LANDLOCK_SCOPE_SIGNAL,
 };
 int status, ruleset_fd, i;
 __u64(*domain_stack)[16];
 __u64 prev_dom = 3;
 pid_t child;

 domain_stack = mmap(NULL, sizeof(*domain_stack), PROT_READ | PROT_WRITE,
       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 ASSERT_NE(MAP_FAILED, domain_stack);
 memset(domain_stack, 0, sizeof(*domain_stack));

 ruleset_fd =
  landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
 ASSERT_LE(0, ruleset_fd);
 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));

 child = fork();
 ASSERT_LE(0, child);
 if (child == 0) {
  for (i = 0; i < ARRAY_SIZE(*domain_stack); i++) {
   __u64 denial_dom = 1;
   __u64 allocated_dom = 2;

   EXPECT_EQ(0, landlock_restrict_self(ruleset_fd, 0));

   /* Creates a denial to get the domain ID. */
   EXPECT_EQ(-1, kill(getppid(), 0));
   EXPECT_EQ(EPERM, errno);
   EXPECT_EQ(0,
      matches_log_signal(_metadata, self->audit_fd,
           getppid(), &denial_dom));
   EXPECT_EQ(0, matches_log_domain_allocated(
          self->audit_fd, getpid(),
          &allocated_dom));
   EXPECT_NE(denial_dom, 1);
   EXPECT_NE(denial_dom, 0);
   EXPECT_EQ(denial_dom, allocated_dom);

   /* Checks that the new domain is younger than the previous one. */
   EXPECT_GT(allocated_dom, prev_dom);
   prev_dom = allocated_dom;
   (*domain_stack)[i] = allocated_dom;
  }

  /* Checks that we reached the maximum number of layers. */
  EXPECT_EQ(-1, landlock_restrict_self(ruleset_fd, 0));
  EXPECT_EQ(E2BIG, errno);

  /* Updates filter rules to match the drop record. */
  set_cap(_metadata, CAP_AUDIT_CONTROL);
  EXPECT_EQ(0, audit_filter_drop(self->audit_fd, AUDIT_ADD_RULE));
  EXPECT_EQ(0,
     audit_filter_exe(self->audit_fd, &self->audit_filter,
        AUDIT_DEL_RULE));
  clear_cap(_metadata, CAP_AUDIT_CONTROL);

  _exit(_metadata->exit_code);
  return;
 }

 ASSERT_EQ(child, waitpid(child, &status, 0));
 if (WIFSIGNALED(status) || !WIFEXITED(status) ||
     WEXITSTATUS(status) != EXIT_SUCCESS)
  _metadata->exit_code = KSFT_FAIL;

 /* Purges log from deallocated domains. */
 EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
    &audit_tv_dom_drop, sizeof(audit_tv_dom_drop)));
 for (i = ARRAY_SIZE(*domain_stack) - 1; i >= 0; i--) {
  __u64 deallocated_dom = 2;

  EXPECT_EQ(0, matches_log_domain_deallocated(self->audit_fd, 1,
           &deallocated_dom));
  EXPECT_EQ((*domain_stack)[i], deallocated_dom)
  {
   TH_LOG("Failed to match domain %llx (#%d)",
          (*domain_stack)[i], i);
  }
 }
 EXPECT_EQ(0, munmap(domain_stack, sizeof(*domain_stack)));
 EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
    &audit_tv_default, sizeof(audit_tv_default)));
 EXPECT_EQ(0, close(ruleset_fd));
}

struct thread_data {
 pid_t parent_pid;
 int ruleset_fd, pipe_child, pipe_parent;
};

static void *thread_audit_test(void *arg)
{
 const struct thread_data *data = (struct thread_data *)arg;
 uintptr_t err = 0;
 char buffer;

 /* TGID and TID are different for a second thread. */
 if (getpid() == gettid()) {
  err = 1;
  goto out;
 }

 if (landlock_restrict_self(data->ruleset_fd, 0)) {
  err = 2;
  goto out;
 }

 if (close(data->ruleset_fd)) {
  err = 3;
  goto out;
 }

 /* Creates a denial to get the domain ID. */
 if (kill(data->parent_pid, 0) != -1) {
  err = 4;
  goto out;
 }

 if (EPERM != errno) {
  err = 5;
  goto out;
 }

 /* Signals the parent to read denial logs. */
 if (write(data->pipe_child, ".", 1) != 1) {
  err = 6;
  goto out;
 }

 /* Waits for the parent to update audit filters. */
 if (read(data->pipe_parent, &buffer, 1) != 1) {
  err = 7;
  goto out;
 }

out:
 close(data->pipe_child);
 close(data->pipe_parent);
 return (void *)err;
}

/* Checks that the PID tied to a domain is not a TID but the TGID. */
TEST_F(audit, thread)
{
 const struct landlock_ruleset_attr ruleset_attr = {
  .scoped = LANDLOCK_SCOPE_SIGNAL,
 };
 __u64 denial_dom = 1;
 __u64 allocated_dom = 2;
 __u64 deallocated_dom = 3;
 pthread_t thread;
 int pipe_child[2], pipe_parent[2];
 char buffer;
 struct thread_data child_data;

 child_data.parent_pid = getppid();
 ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
 child_data.pipe_child = pipe_child[1];
 ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
 child_data.pipe_parent = pipe_parent[0];
 child_data.ruleset_fd =
  landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
 ASSERT_LE(0, child_data.ruleset_fd);

 /* TGID and TID are the same for the initial thread . */
 EXPECT_EQ(getpid(), gettid());
 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
 ASSERT_EQ(0, pthread_create(&thread, NULL, thread_audit_test,
        &child_data));

 /* Waits for the child to generate a denial. */
 ASSERT_EQ(1, read(pipe_child[0], &buffer, 1));
 EXPECT_EQ(0, close(pipe_child[0]));

 /* Matches the signal log to get the domain ID. */
 EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd,
     child_data.parent_pid, &denial_dom));
 EXPECT_NE(denial_dom, 1);
 EXPECT_NE(denial_dom, 0);

 EXPECT_EQ(0, matches_log_domain_allocated(self->audit_fd, getpid(),
        &allocated_dom));
 EXPECT_EQ(denial_dom, allocated_dom);

 /* Updates filter rules to match the drop record. */
 set_cap(_metadata, CAP_AUDIT_CONTROL);
 EXPECT_EQ(0, audit_filter_drop(self->audit_fd, AUDIT_ADD_RULE));
 EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter,
          AUDIT_DEL_RULE));
 clear_cap(_metadata, CAP_AUDIT_CONTROL);

 /* Signals the thread to exit, which will generate a domain deallocation. */
 ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
 EXPECT_EQ(0, close(pipe_parent[1]));
 ASSERT_EQ(0, pthread_join(thread, NULL));

 EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
    &audit_tv_dom_drop, sizeof(audit_tv_dom_drop)));
 EXPECT_EQ(0, matches_log_domain_deallocated(self->audit_fd, 1,
          &deallocated_dom));
 EXPECT_EQ(denial_dom, deallocated_dom);
 EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
    &audit_tv_default, sizeof(audit_tv_default)));
}

FIXTURE(audit_flags)
{
 struct audit_filter audit_filter;
 int audit_fd;
 __u64 *domain_id;
};

FIXTURE_VARIANT(audit_flags)
{
 const int restrict_flags;
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_flags, default) {
 /* clang-format on */
 .restrict_flags = 0,
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_flags, same_exec_off) {
 /* clang-format on */
 .restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_flags, subdomains_off) {
 /* clang-format on */
 .restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF,
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_flags, cross_exec_on) {
 /* clang-format on */
 .restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON,
};

FIXTURE_SETUP(audit_flags)
{
 disable_caps(_metadata);
 set_cap(_metadata, CAP_AUDIT_CONTROL);
 self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
 EXPECT_LE(0, self->audit_fd)
 {
  const char *error_msg;

  /* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */
  if (self->audit_fd == -EEXIST)
   error_msg = "socket already in use (e.g. auditd)";
  else
   error_msg = strerror(-self->audit_fd);
  TH_LOG("Failed to initialize audit: %s", error_msg);
 }
 clear_cap(_metadata, CAP_AUDIT_CONTROL);

 self->domain_id = mmap(NULL, sizeof(*self->domain_id),
          PROT_READ | PROT_WRITE,
          MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 ASSERT_NE(MAP_FAILED, self->domain_id);
 /* Domain IDs are greater or equal to 2^32. */
 *self->domain_id = 1;
}

FIXTURE_TEARDOWN(audit_flags)
{
 EXPECT_EQ(0, munmap(self->domain_id, sizeof(*self->domain_id)));

 set_cap(_metadata, CAP_AUDIT_CONTROL);
 EXPECT_EQ(0, audit_cleanup(self->audit_fd, &self->audit_filter));
 clear_cap(_metadata, CAP_AUDIT_CONTROL);
}

TEST_F(audit_flags, signal)
{
 int status;
 pid_t child;
 struct audit_records records;
 __u64 deallocated_dom = 2;

 child = fork();
 ASSERT_LE(0, child);
 if (child == 0) {
  const struct landlock_ruleset_attr ruleset_attr = {
   .scoped = LANDLOCK_SCOPE_SIGNAL,
  };
  int ruleset_fd;

  /* Add filesystem restrictions. */
  ruleset_fd = landlock_create_ruleset(&ruleset_attr,
           sizeof(ruleset_attr), 0);
  ASSERT_LE(0, ruleset_fd);
  EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
  ASSERT_EQ(0, landlock_restrict_self(ruleset_fd,
          variant->restrict_flags));
  EXPECT_EQ(0, close(ruleset_fd));

  /* First signal checks to test log entries. */
  EXPECT_EQ(-1, kill(getppid(), 0));
  EXPECT_EQ(EPERM, errno);

  if (variant->restrict_flags &
      LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF) {
   EXPECT_EQ(-EAGAIN, matches_log_signal(
         _metadata, self->audit_fd,
         getppid(), self->domain_id));
   EXPECT_EQ(*self->domain_id, 1);
  } else {
   __u64 allocated_dom = 3;

   EXPECT_EQ(0, matches_log_signal(
          _metadata, self->audit_fd,
          getppid(), self->domain_id));

   /* Checks domain information records. */
   EXPECT_EQ(0, matches_log_domain_allocated(
          self->audit_fd, getpid(),
          &allocated_dom));
   EXPECT_NE(*self->domain_id, 1);
   EXPECT_NE(*self->domain_id, 0);
   EXPECT_EQ(*self->domain_id, allocated_dom);
  }

  /* Second signal checks to test audit_count_records(). */
  EXPECT_EQ(-1, kill(getppid(), 0));
  EXPECT_EQ(EPERM, errno);

  /* Makes sure there is no superfluous logged records. */
  EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  if (variant->restrict_flags &
      LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF) {
   EXPECT_EQ(0, records.access);
  } else {
   EXPECT_EQ(1, records.access);
  }
  EXPECT_EQ(0, records.domain);

  /* Updates filter rules to match the drop record. */
  set_cap(_metadata, CAP_AUDIT_CONTROL);
  EXPECT_EQ(0, audit_filter_drop(self->audit_fd, AUDIT_ADD_RULE));
  EXPECT_EQ(0,
     audit_filter_exe(self->audit_fd, &self->audit_filter,
        AUDIT_DEL_RULE));
  clear_cap(_metadata, CAP_AUDIT_CONTROL);

  _exit(_metadata->exit_code);
  return;
 }

 ASSERT_EQ(child, waitpid(child, &status, 0));
 if (WIFSIGNALED(status) || !WIFEXITED(status) ||
     WEXITSTATUS(status) != EXIT_SUCCESS)
  _metadata->exit_code = KSFT_FAIL;

 if (variant->restrict_flags &
     LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF) {
  EXPECT_EQ(-EAGAIN,
     matches_log_domain_deallocated(self->audit_fd, 0,
        &deallocated_dom));
  EXPECT_EQ(deallocated_dom, 2);
 } else {
  EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
     &audit_tv_dom_drop,
     sizeof(audit_tv_dom_drop)));
  EXPECT_EQ(0, matches_log_domain_deallocated(self->audit_fd, 2,
           &deallocated_dom));
  EXPECT_NE(deallocated_dom, 2);
  EXPECT_NE(deallocated_dom, 0);
  EXPECT_EQ(deallocated_dom, *self->domain_id);
  EXPECT_EQ(0, setsockopt(self->audit_fd, SOL_SOCKET, SO_RCVTIMEO,
     &audit_tv_default,
     sizeof(audit_tv_default)));
 }
}

static int matches_log_fs_read_root(int audit_fd)
{
 return audit_match_record(
  audit_fd, AUDIT_LANDLOCK_ACCESS,
  REGEX_LANDLOCK_PREFIX
  " blockers=fs\\.read_dir path=\"/\" dev=\"[^\"]\\+\" ino=[0-9]\\+$",
  NULL);
}

FIXTURE(audit_exec)
{
 struct audit_filter audit_filter;
 int audit_fd;
};

FIXTURE_VARIANT(audit_exec)
{
 const int restrict_flags;
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, default) {
 /* clang-format on */
 .restrict_flags = 0,
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, same_exec_off) {
 /* clang-format on */
 .restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, subdomains_off) {
 /* clang-format on */
 .restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF,
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, cross_exec_on) {
 /* clang-format on */
 .restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON,
};

/* clang-format off */
FIXTURE_VARIANT_ADD(audit_exec, subdomains_off_and_cross_exec_on) {
 /* clang-format on */
 .restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF |
     LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON,
};

FIXTURE_SETUP(audit_exec)
{
 disable_caps(_metadata);
 set_cap(_metadata, CAP_AUDIT_CONTROL);

 self->audit_fd = audit_init();
 EXPECT_LE(0, self->audit_fd)
 {
  const char *error_msg;

  /* kill "$(auditctl -s | sed -ne 's/^pid \([0-9]\+\)$/\1/p')" */
  if (self->audit_fd == -EEXIST)
   error_msg = "socket already in use (e.g. auditd)";
  else
   error_msg = strerror(-self->audit_fd);
  TH_LOG("Failed to initialize audit: %s", error_msg);
 }

 /* Applies test filter for the bin_wait_pipe_sandbox program. */
 EXPECT_EQ(0, audit_init_filter_exe(&self->audit_filter,
        bin_wait_pipe_sandbox));
 EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter,
          AUDIT_ADD_RULE));

 clear_cap(_metadata, CAP_AUDIT_CONTROL);
}

FIXTURE_TEARDOWN(audit_exec)
{
 set_cap(_metadata, CAP_AUDIT_CONTROL);
 EXPECT_EQ(0, audit_filter_exe(self->audit_fd, &self->audit_filter,
          AUDIT_DEL_RULE));
 clear_cap(_metadata, CAP_AUDIT_CONTROL);
 EXPECT_EQ(0, close(self->audit_fd));
}

TEST_F(audit_exec, signal_and_open)
{
 struct audit_records records;
 int pipe_child[2], pipe_parent[2];
 char buf_parent;
 pid_t child;
 int status;

 ASSERT_EQ(0, pipe2(pipe_child, 0));
 ASSERT_EQ(0, pipe2(pipe_parent, 0));

 child = fork();
 ASSERT_LE(0, child);
 if (child == 0) {
  const struct landlock_ruleset_attr layer1 = {
   .scoped = LANDLOCK_SCOPE_SIGNAL,
  };
  char pipe_child_str[12], pipe_parent_str[12];
  char *const argv[] = { (char *)bin_wait_pipe_sandbox,
           pipe_child_str, pipe_parent_str, NULL };
  int ruleset_fd;

  /* Passes the pipe FDs to the executed binary. */
  EXPECT_EQ(0, close(pipe_child[0]));
  EXPECT_EQ(0, close(pipe_parent[1]));
  snprintf(pipe_child_str, sizeof(pipe_child_str), "%d",
    pipe_child[1]);
  snprintf(pipe_parent_str, sizeof(pipe_parent_str), "%d",
    pipe_parent[0]);

  ruleset_fd =
   landlock_create_ruleset(&layer1, sizeof(layer1), 0);
  if (ruleset_fd < 0) {
   perror("Failed to create a ruleset");
   _exit(1);
  }
  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
  if (landlock_restrict_self(ruleset_fd,
        variant->restrict_flags)) {
   perror("Failed to restrict self");
   _exit(1);
  }
  close(ruleset_fd);

  ASSERT_EQ(0, execve(argv[0], argv, NULL))
  {
   TH_LOG("Failed to execute \"%s\": %s", argv[0],
          strerror(errno));
  };
  _exit(1);
  return;
 }

 EXPECT_EQ(0, close(pipe_child[1]));
 EXPECT_EQ(0, close(pipe_parent[0]));

 /* Waits for the child. */
 EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));

 /* Tests that there was no denial until now. */
 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
 EXPECT_EQ(0, records.access);
 EXPECT_EQ(0, records.domain);

 /*
 * Wait for the child to do a first denied action by layer1 and
 * sandbox itself with layer2.
 */
 EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
 EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));

 /* Tests that the audit record only matches the child. */
 if (variant->restrict_flags & LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON) {
  /* Matches the current domain. */
  EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd,
      getpid(), NULL));
 }

 /* Checks that we didn't miss anything. */
 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
 EXPECT_EQ(0, records.access);

 /*
 * Wait for the child to do a second denied action by layer1 and
 * layer2, and sandbox itself with layer3.
 */
 EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
 EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));

 /* Tests that the audit record only matches the child. */
 if (variant->restrict_flags & LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON) {
  /* Matches the current domain. */
  EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd,
      getpid(), NULL));
 }

 if (!(variant->restrict_flags &
       LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF)) {
  /* Matches the child domain. */
  EXPECT_EQ(0, matches_log_fs_read_root(self->audit_fd));
 }

 /* Checks that we didn't miss anything. */
 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
 EXPECT_EQ(0, records.access);

 /* Waits for the child to terminate. */
 EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
 ASSERT_EQ(child, waitpid(child, &status, 0));
 ASSERT_EQ(1, WIFEXITED(status));
 ASSERT_EQ(0, WEXITSTATUS(status));

 /* Tests that the audit record only matches the child. */
 if (!(variant->restrict_flags &
       LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF)) {
  /*
 * Matches the child domains, which tests that the
 * llcred->domain_exec bitmask is correctly updated with a new
 * domain.
 */
  EXPECT_EQ(0, matches_log_fs_read_root(self->audit_fd));
  EXPECT_EQ(0, matches_log_signal(_metadata, self->audit_fd,
      getpid(), NULL));
 }

 /* Checks that we didn't miss anything. */
 EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
 EXPECT_EQ(0, records.access);
}

TEST_HARNESS_MAIN