selftests/landlock: Fix socket file descriptor leaks in audit helpers

audit_init() opens a netlink socket and configures it, but leaks the file descriptor if audit_set_status() or setsockopt() fails. Fix this by jumping to an error path that closes the socket before returning. Apply the same fix to audit_init_with_exe_filter(), which leaks the file descriptor from audit_init() if audit_init_filter_exe() or audit_filter_exe() fails, and to audit_cleanup(), which leaks it if audit_init_filter_exe() fails in FIXTURE_TEARDOWN_PARENT(). Cc: Günther Noack <gnoack@google.com> Cc: stable@vger.kernel.org Fixes: 6a500b2297 ("selftests/landlock: Add tests for audit flags and domain IDs") Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260402192608.1458252-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
2026-05-12 16:18:45 +02:00 · 2026-04-02 21:26:03 +02:00 · 2026-04-02 21:26:03 +02:00 · 9143d79033
commit 9143d79033
parent b566f7a4f0
1 changed files with 19 additions and 7 deletions
--- a/tools/testing/selftests/landlock/audit.h
+++ b/tools/testing/selftests/landlock/audit.h
@ -379,19 +379,25 @@ static int audit_init(void)

 	err = audit_set_status(fd, AUDIT_STATUS_ENABLED, 1);
 	if (err)
-		return err;
+		goto err_close;

 	err = audit_set_status(fd, AUDIT_STATUS_PID, getpid());
 	if (err)
-		return err;
+		goto err_close;

 	/* Sets a timeout for negative tests. */
 	err = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &audit_tv_default,
 			 sizeof(audit_tv_default));
-	if (err)
-		return -errno;
+	if (err) {
+		err = -errno;
+		goto err_close;
+	}

 	return fd;
+
+err_close:
+	close(fd);
+	return err;
 }

 static int audit_init_filter_exe(struct audit_filter *filter, const char *path)
@ -441,8 +447,10 @@ static int audit_cleanup(int audit_fd, struct audit_filter *filter)

 		filter = &new_filter;
 		err = audit_init_filter_exe(filter, NULL);
-		if (err)
+		if (err) {
+			close(audit_fd);
 			return err;
+		}
 	}

 	/* Filters might not be in place. */
@ -468,11 +476,15 @@ static int audit_init_with_exe_filter(struct audit_filter *filter)

 	err = audit_init_filter_exe(filter, NULL);
 	if (err)
-		return err;
+		goto err_close;

 	err = audit_filter_exe(fd, filter, AUDIT_ADD_RULE);
 	if (err)
-		return err;
+		goto err_close;

 	return fd;
+
+err_close:
+	close(fd);
+	return err;
 }