<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/tools/testing/selftests/landlock, branch v6.7</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>selftests/landlock: Add tests for FS topology changes with network rules</title>
<updated>2023-10-27T15:53:31+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2023-10-27T15:46:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f12f8f84509a084399444c4422661345a15cc713'/>
<id>f12f8f84509a084399444c4422661345a15cc713</id>
<content type='text'>
Add 2 tests to the layout1 fixture:
* topology_changes_with_net_only: Checks that FS topology
  changes are not denied by network-only restrictions.
* topology_changes_with_net_and_fs: Make sure that FS topology
  changes are still denied with FS and network restrictions.

This specifically test commit d7220364039f ("landlock: Allow FS topology
changes for domains without such rule type").

Cc: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231027154615.815134-1-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add 2 tests to the layout1 fixture:
* topology_changes_with_net_only: Checks that FS topology
  changes are not denied by network-only restrictions.
* topology_changes_with_net_and_fs: Make sure that FS topology
  changes are still denied with FS and network restrictions.

This specifically test commit d7220364039f ("landlock: Allow FS topology
changes for domains without such rule type").

Cc: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231027154615.815134-1-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/landlock: Add network tests</title>
<updated>2023-10-26T19:07:16+00:00</updated>
<author>
<name>Konstantin Meskhidze</name>
<email>konstantin.meskhidze@huawei.com</email>
</author>
<published>2023-10-26T01:47:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a549d055a22e4fc5559ef642b30721899fa07b75'/>
<id>a549d055a22e4fc5559ef642b30721899fa07b75</id>
<content type='text'>
Add 82 test suites to check edge cases related to bind() and connect()
actions. They are defined with 6 fixtures and their variants:

The "protocol" fixture is extended with 12 variants defined as a matrix
of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and
stream/datagram socket. 4 related tests suites are defined:
* bind: Tests bind action.
* connect: Tests connect action.
* bind_unspec: Tests bind action with the AF_UNSPEC socket family.
* connect_unspec: Tests connect action with the AF_UNSPEC socket family.

The "ipv4" fixture is extended with 4 variants defined as a matrix
of: sandboxed/not-sandboxed, and stream/datagram socket. 1 related test
suite is defined:
* from_unix_to_inet: Tests to make sure unix sockets' actions are not
  restricted by Landlock rules applied to TCP ones.

The "tcp_layers" fixture is extended with 8 variants defined as a matrix
of: IPv4/IPv6 network domain, and different number of landlock rule
layers. 2 related tests suites are defined:
* ruleset_overlap: Tests nested layers with less constraints.
* ruleset_expand: Tests nested layers with more constraints.

In the "mini" fixture 4 tests suites are defined:
* network_access_rights: Tests handling of known access rights.
* unknown_access_rights: Tests handling of unknown access rights.
* inval: Tests unhandled allowed access and zero access value.
* tcp_port_overflow: Tests with port values greater than 65535.

The "ipv4_tcp" fixture supports IPv4 network domain with stream socket.
2 tests suites are defined:
* port_endianness: Tests with big/little endian port formats.
* with_fs: Tests a ruleset with both filesystem and network
  restrictions.

The "port_specific" fixture is extended with 4 variants defined
as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain,
and stream socket. 2 related tests suites are defined:
* bind_connect_zero: Tests with port 0.
* bind_connect_1023: Tests with port 1023.

Test coverage for security/landlock is 92.4% of 710 lines according to
gcc/gcov-13.

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-11-konstantin.meskhidze@huawei.com
[mic: Extend commit message, update test coverage, clean up capability
use, fix useless TEST_F_FORK, and improve ipv4_tcp.with_fs]
Co-developed-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add 82 test suites to check edge cases related to bind() and connect()
actions. They are defined with 6 fixtures and their variants:

The "protocol" fixture is extended with 12 variants defined as a matrix
of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and
stream/datagram socket. 4 related tests suites are defined:
* bind: Tests bind action.
* connect: Tests connect action.
* bind_unspec: Tests bind action with the AF_UNSPEC socket family.
* connect_unspec: Tests connect action with the AF_UNSPEC socket family.

The "ipv4" fixture is extended with 4 variants defined as a matrix
of: sandboxed/not-sandboxed, and stream/datagram socket. 1 related test
suite is defined:
* from_unix_to_inet: Tests to make sure unix sockets' actions are not
  restricted by Landlock rules applied to TCP ones.

The "tcp_layers" fixture is extended with 8 variants defined as a matrix
of: IPv4/IPv6 network domain, and different number of landlock rule
layers. 2 related tests suites are defined:
* ruleset_overlap: Tests nested layers with less constraints.
* ruleset_expand: Tests nested layers with more constraints.

In the "mini" fixture 4 tests suites are defined:
* network_access_rights: Tests handling of known access rights.
* unknown_access_rights: Tests handling of unknown access rights.
* inval: Tests unhandled allowed access and zero access value.
* tcp_port_overflow: Tests with port values greater than 65535.

The "ipv4_tcp" fixture supports IPv4 network domain with stream socket.
2 tests suites are defined:
* port_endianness: Tests with big/little endian port formats.
* with_fs: Tests a ruleset with both filesystem and network
  restrictions.

The "port_specific" fixture is extended with 4 variants defined
as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain,
and stream socket. 2 related tests suites are defined:
* bind_connect_zero: Tests with port 0.
* bind_connect_1023: Tests with port 1023.

Test coverage for security/landlock is 92.4% of 710 lines according to
gcc/gcov-13.

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-11-konstantin.meskhidze@huawei.com
[mic: Extend commit message, update test coverage, clean up capability
use, fix useless TEST_F_FORK, and improve ipv4_tcp.with_fs]
Co-developed-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/landlock: Share enforce_ruleset() helper</title>
<updated>2023-10-26T19:07:15+00:00</updated>
<author>
<name>Konstantin Meskhidze</name>
<email>konstantin.meskhidze@huawei.com</email>
</author>
<published>2023-10-26T01:47:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1fa335209f6ad9d554655bb802c5b49b855d6237'/>
<id>1fa335209f6ad9d554655bb802c5b49b855d6237</id>
<content type='text'>
Move enforce_ruleset() helper function to common.h so that it can be
used both by filesystem tests and network ones.

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-10-konstantin.meskhidze@huawei.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move enforce_ruleset() helper function to common.h so that it can be
used both by filesystem tests and network ones.

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-10-konstantin.meskhidze@huawei.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>landlock: Support network rules with TCP bind and connect</title>
<updated>2023-10-26T19:07:15+00:00</updated>
<author>
<name>Konstantin Meskhidze</name>
<email>konstantin.meskhidze@huawei.com</email>
</author>
<published>2023-10-26T01:47:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fff69fb03dde1dfa348cfdb74b13287dabe42c25'/>
<id>fff69fb03dde1dfa348cfdb74b13287dabe42c25</id>
<content type='text'>
Add network rules support in the ruleset management helpers and the
landlock_create_ruleset() syscall. Extend user space API to support
network actions:
* Add new network access rights: LANDLOCK_ACCESS_NET_BIND_TCP and
  LANDLOCK_ACCESS_NET_CONNECT_TCP.
* Add a new network rule type: LANDLOCK_RULE_NET_PORT tied to struct
  landlock_net_port_attr. The allowed_access field contains the network
  access rights, and the port field contains the port value according to
  the controlled protocol. This field can take up to a 64-bit value
  but the maximum value depends on the related protocol (e.g. 16-bit
  value for TCP). Network port is in host endianness [1].
* Add a new handled_access_net field to struct landlock_ruleset_attr
  that contains network access rights.
* Increment the Landlock ABI version to 4.

Implement socket_bind() and socket_connect() LSM hooks, which enable
to control TCP socket binding and connection to specific ports.

Expand access_masks_t from u16 to u32 to be able to store network access
rights alongside filesystem access rights for rulesets' handled access
rights.

Access rights are not tied to socket file descriptors but checked at
bind() or connect() call time against the caller's Landlock domain. For
the filesystem, a file descriptor is a direct access to a file/data.
However, for network sockets, we cannot identify for which data or peer
a newly created socket will give access to. Indeed, we need to wait for
a connect or bind request to identify the use case for this socket.
Likewise a directory file descriptor may enable to open another file
(i.e. a new data item), but this opening is also restricted by the
caller's domain, not the file descriptor's access rights [2].

[1] https://lore.kernel.org/r/278ab07f-7583-a4e0-3d37-1bacd091531d@digikod.net
[2] https://lore.kernel.org/r/263c1eb3-602f-57fe-8450-3f138581bee7@digikod.net

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-9-konstantin.meskhidze@huawei.com
[mic: Extend commit message, fix typo in comments, and specify
endianness in the documentation]
Co-developed-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add network rules support in the ruleset management helpers and the
landlock_create_ruleset() syscall. Extend user space API to support
network actions:
* Add new network access rights: LANDLOCK_ACCESS_NET_BIND_TCP and
  LANDLOCK_ACCESS_NET_CONNECT_TCP.
* Add a new network rule type: LANDLOCK_RULE_NET_PORT tied to struct
  landlock_net_port_attr. The allowed_access field contains the network
  access rights, and the port field contains the port value according to
  the controlled protocol. This field can take up to a 64-bit value
  but the maximum value depends on the related protocol (e.g. 16-bit
  value for TCP). Network port is in host endianness [1].
* Add a new handled_access_net field to struct landlock_ruleset_attr
  that contains network access rights.
* Increment the Landlock ABI version to 4.

Implement socket_bind() and socket_connect() LSM hooks, which enable
to control TCP socket binding and connection to specific ports.

Expand access_masks_t from u16 to u32 to be able to store network access
rights alongside filesystem access rights for rulesets' handled access
rights.

Access rights are not tied to socket file descriptors but checked at
bind() or connect() call time against the caller's Landlock domain. For
the filesystem, a file descriptor is a direct access to a file/data.
However, for network sockets, we cannot identify for which data or peer
a newly created socket will give access to. Indeed, we need to wait for
a connect or bind request to identify the use case for this socket.
Likewise a directory file descriptor may enable to open another file
(i.e. a new data item), but this opening is also restricted by the
caller's domain, not the file descriptor's access rights [2].

[1] https://lore.kernel.org/r/278ab07f-7583-a4e0-3d37-1bacd091531d@digikod.net
[2] https://lore.kernel.org/r/263c1eb3-602f-57fe-8450-3f138581bee7@digikod.net

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-9-konstantin.meskhidze@huawei.com
[mic: Extend commit message, fix typo in comments, and specify
endianness in the documentation]
Co-developed-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/landlock: Fix a resource leak</title>
<updated>2023-08-30T16:53:08+00:00</updated>
<author>
<name>Ding Xiang</name>
<email>dingxiang@cmss.chinamobile.com</email>
</author>
<published>2023-08-30T10:11:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2a2015495142ee0a35711b5dcf7b215c31489f27'/>
<id>2a2015495142ee0a35711b5dcf7b215c31489f27</id>
<content type='text'>
The opened file should be closed before return, otherwise resource leak
will occur.

Signed-off-by: Ding Xiang &lt;dingxiang@cmss.chinamobile.com&gt;
Link: https://lore.kernel.org/r/20230830101148.3738-1-dingxiang@cmss.chinamobile.com
Fixes: 3de64b656b3c ("selftests/landlock: Add supports_filesystem() helper")
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The opened file should be closed before return, otherwise resource leak
will occur.

Signed-off-by: Ding Xiang &lt;dingxiang@cmss.chinamobile.com&gt;
Link: https://lore.kernel.org/r/20230830101148.3738-1-dingxiang@cmss.chinamobile.com
Fixes: 3de64b656b3c ("selftests/landlock: Add supports_filesystem() helper")
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/landlock: Add hostfs tests</title>
<updated>2023-06-12T19:26:23+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2023-06-12T19:14:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=35ca4239929737bdc021ee923f97ebe7aff8fcc4'/>
<id>35ca4239929737bdc021ee923f97ebe7aff8fcc4</id>
<content type='text'>
Add tests for the hostfs filesystems to make sure it has a consistent
inode management, which is required for Landlock's file hierarchy
identification.  This adds 5 new tests for layout3_fs with the hostfs
variant.

Add hostfs to the new (architecture-specific) config.um file.

The hostfs filesystem, only available for an User-Mode Linux kernel, is
special because we cannot explicitly mount it.  The layout3_fs.hostfs
variant tests are skipped if the current test directory is not backed by
this filesystem.

The layout3_fs.hostfs.tag_inode_dir_child and
layout3_fs.hostfs.tag_inode_file tests pass thanks to a previous commit
fixing hostfs inode management.  Without this fix, the deny-by-default
policy would apply and all access requests would be denied.

Link: https://lore.kernel.org/r/20230612191430.339153-7-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add tests for the hostfs filesystems to make sure it has a consistent
inode management, which is required for Landlock's file hierarchy
identification.  This adds 5 new tests for layout3_fs with the hostfs
variant.

Add hostfs to the new (architecture-specific) config.um file.

The hostfs filesystem, only available for an User-Mode Linux kernel, is
special because we cannot explicitly mount it.  The layout3_fs.hostfs
variant tests are skipped if the current test directory is not backed by
this filesystem.

The layout3_fs.hostfs.tag_inode_dir_child and
layout3_fs.hostfs.tag_inode_file tests pass thanks to a previous commit
fixing hostfs inode management.  Without this fix, the deny-by-default
policy would apply and all access requests would be denied.

Link: https://lore.kernel.org/r/20230612191430.339153-7-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/landlock: Add tests for pseudo filesystems</title>
<updated>2023-06-12T19:26:23+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2023-06-12T19:14:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=04f9070e99a4c5d60f05436f63e470c19b579e24'/>
<id>04f9070e99a4c5d60f05436f63e470c19b579e24</id>
<content type='text'>
Add generic and read-only tests for 6 pseudo filesystems to make sure
they have a consistent inode management, which is required for
Landlock's file hierarchy identification:
- tmpfs
- ramfs
- cgroup2
- proc
- sysfs

Update related kernel configuration to support these new filesystems,
remove useless CONFIG_SECURITY_PATH, and sort all entries.  If these
filesystems are not supported by the kernel running tests, the related
tests are skipped.

Expanding variants, this adds 25 new tests for layout3_fs:
- tag_inode_dir_parent
- tag_inode_dir_mnt
- tag_inode_dir_child
- tag_inode_dir_file
- release_inodes

Test coverage for security/landlock with kernel debug code:
- 94.7% of 835 lines according to gcc/gcov-12
- 93.0% of 852 lines according to gcc/gcov-13

Test coverage for security/landlock without kernel debug code:
- 95.5% of 624 lines according to gcc/gcov-12
- 93.1% of 641 lines according to gcc/gcov-13

Link: https://lore.kernel.org/r/20230612191430.339153-6-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add generic and read-only tests for 6 pseudo filesystems to make sure
they have a consistent inode management, which is required for
Landlock's file hierarchy identification:
- tmpfs
- ramfs
- cgroup2
- proc
- sysfs

Update related kernel configuration to support these new filesystems,
remove useless CONFIG_SECURITY_PATH, and sort all entries.  If these
filesystems are not supported by the kernel running tests, the related
tests are skipped.

Expanding variants, this adds 25 new tests for layout3_fs:
- tag_inode_dir_parent
- tag_inode_dir_mnt
- tag_inode_dir_child
- tag_inode_dir_file
- release_inodes

Test coverage for security/landlock with kernel debug code:
- 94.7% of 835 lines according to gcc/gcov-12
- 93.0% of 852 lines according to gcc/gcov-13

Test coverage for security/landlock without kernel debug code:
- 95.5% of 624 lines according to gcc/gcov-12
- 93.1% of 641 lines according to gcc/gcov-13

Link: https://lore.kernel.org/r/20230612191430.339153-6-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/landlock: Make mounts configurable</title>
<updated>2023-06-12T19:26:22+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2023-06-12T19:14:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=55ab3fbe8333148e9c21477ffdc4edbe1f568f55'/>
<id>55ab3fbe8333148e9c21477ffdc4edbe1f568f55</id>
<content type='text'>
Add a new struct mnt_opt to define a mount point with the mount_opt()
helper.  This doesn't change tests but prepare for the next commit.

Link: https://lore.kernel.org/r/20230612191430.339153-5-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a new struct mnt_opt to define a mount point with the mount_opt()
helper.  This doesn't change tests but prepare for the next commit.

Link: https://lore.kernel.org/r/20230612191430.339153-5-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/landlock: Add supports_filesystem() helper</title>
<updated>2023-06-12T19:26:21+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2023-06-12T19:14:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3de64b656b3c827d7d194558b0ae3a09400b116d'/>
<id>3de64b656b3c827d7d194558b0ae3a09400b116d</id>
<content type='text'>
Replace supports_overlayfs() with supports_filesystem() to be able to
check several filesystems.  This will be useful in a following commit.

Only check for overlay filesystem once in the setup step, and then rely
on self-&gt;skip_test.

Cc: Guenter Roeck &lt;groeck@chromium.org&gt;
Cc: Jeff Xu &lt;jeffxu@google.com&gt;
Link: https://lore.kernel.org/r/20230612191430.339153-4-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace supports_overlayfs() with supports_filesystem() to be able to
check several filesystems.  This will be useful in a following commit.

Only check for overlay filesystem once in the setup step, and then rely
on self-&gt;skip_test.

Cc: Guenter Roeck &lt;groeck@chromium.org&gt;
Cc: Jeff Xu &lt;jeffxu@google.com&gt;
Link: https://lore.kernel.org/r/20230612191430.339153-4-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests/landlock: Don't create useless file layouts</title>
<updated>2023-06-12T19:26:21+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2023-06-12T19:14:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=592efeb4a07ee46204c0f87001455c28f4743dea'/>
<id>592efeb4a07ee46204c0f87001455c28f4743dea</id>
<content type='text'>
Add and use a layout0 test fixture to not populate the tmpfs filesystem
if it is not required for tests: unknown_access_rights, proc_nsfs,
unpriv and max_layers.

This doesn't change these tests but it speeds up their setup and makes
them less prone to error.  This prepare the ground for a next commit.

Link: https://lore.kernel.org/r/20230612191430.339153-3-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add and use a layout0 test fixture to not populate the tmpfs filesystem
if it is not required for tests: unknown_access_rights, proc_nsfs,
unpriv and max_layers.

This doesn't change these tests but it speeds up their setup and makes
them less prone to error.  This prepare the ground for a next commit.

Link: https://lore.kernel.org/r/20230612191430.339153-3-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
