From: Ondrej Mosnacek <omosnace@redhat.com>
To: Richard Haines <richard_c_haines@btinternet.com>
Cc: SElinux list <selinux@vger.kernel.org>,
	Paul Moore <paul@paul-moore.com>,
	demiobenour@gmail.com
Subject: Re: [PATCH testsuite] tests/ioctl: Update ioctl tests
Date: Wed, 20 Apr 2022 14:22:58 +0200	[thread overview]
Message-ID: <CAFqZXNsS40T8rRjJOKWVTTJjfEvQOr_MnEYFzsKhT8kUu+BHhw@mail.gmail.com> (raw)
In-Reply-To: <20220224124227.44146-1-richard_c_haines@btinternet.com>

On Thu, Feb 24, 2022 at 1:43 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> This change replaces the ioctl check FIOCLEX with FIOQSIZE as the
> kernel will always allow FIOCLEX if policy capability 'ioctl_skip_cloexec'
> is set true.
>
> Also updated policy to test xperm ioctl FIOQSIZE.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  policy/test_ioctl_xperms.te | 7 ++++---
>  tests/ioctl/test_ioctl.c    | 4 ++--
>  tests/ioctl/test_noioctl.c  | 4 ++--
>  3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/policy/test_ioctl_xperms.te b/policy/test_ioctl_xperms.te
> index f9bc8d5..5f570c3 100644
> --- a/policy/test_ioctl_xperms.te
> +++ b/policy/test_ioctl_xperms.te
> @@ -1,4 +1,4 @@
> -define(`FIOCLEX', `{ 0x00006601 0x00005451 }')
> +define(`FIOQSIZE', `{ 0x00005460 }')
>
>  # Domain for process that is allowed the required ioctl xperms.
>  type test_ioctl_xperm_t;
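Review bot: the removed define listed two codes, 0x00006601 and 0x00005451, and only 0x00005451 is FIOCLEX; the commit message only says FIOCLEX is replaced, so it should state that dropping the 0x6601 entry from the xperm set is intended as well. Reusing the ioctl's own name for the m4 macro (`FIOQSIZE` for `{ 0x00005460 }`) is fine and matches what the C tests call.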
> @@ -7,7 +7,7 @@ unconfined_runs_test(test_ioctl_xperm_t)
>  typeattribute test_ioctl_xperm_t ioctldomain;
>  typeattribute test_ioctl_xperm_t testdomain;
>  allow test_ioctl_xperm_t test_ioctl_file_t:file { open read write ioctl getattr setattr };
> -allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOCLEX;
> +allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOQSIZE;
>
>  # Domain for process that is not allowed the required ioctl xperms.
>  type test_ioctl_noxperm_t;
> @@ -15,4 +15,5 @@ domain_type(test_ioctl_noxperm_t)
>  unconfined_runs_test(test_ioctl_noxperm_t)
>  typeattribute test_ioctl_noxperm_t ioctldomain;
>  typeattribute test_ioctl_noxperm_t testdomain;
> -allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOCLEX;
> +allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };
> +allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOQSIZE;
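Review bot: the new `allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };` line is not mentioned in the commit message, and it is what makes the `~FIOQSIZE` xperm rule meaningful (without a base `ioctl` permission the allowxperm rule would never be consulted, and the negative test would fail on the class permission rather than the xperm check). Please say so in the message, and note that this rule omits `write` while the xperm domain's rule above grants it; if test_noioctl.c opens the file read-only that is fine, otherwise the open will fail before the FIOQSIZE check is reached.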
> diff --git a/tests/ioctl/test_ioctl.c b/tests/ioctl/test_ioctl.c
> index 366d09c..6fff2d0 100644
> --- a/tests/ioctl/test_ioctl.c
> +++ b/tests/ioctl/test_ioctl.c
> @@ -35,9 +35,9 @@ int main(int argc, char **argv)
>         }
>
>         /* This one should hit the FILE__IOCTL test */
> -       rc = ioctl(fd, FIOCLEX);
> +       rc = ioctl(fd, FIOQSIZE, &val);
>         if( rc < 0 ) {
> -               perror("test_ioctl:FIOCLEX");
> +               perror("test_ioctl:FIOQSIZE");
>                 exit(1);
>         }
>
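Review bot: `rc = ioctl(fd, FIOQSIZE, &val);` depends on a `val` whose declaration is outside this hunk (the diffstat shows only these two lines changed, so it must already exist in the file); FIOQSIZE stores a `loff_t` through the pointer, so please confirm `val` is declared as `loff_t` and not as `int` or `long`, otherwise the kernel writes past the variable.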
> diff --git a/tests/ioctl/test_noioctl.c b/tests/ioctl/test_noioctl.c
> index ddce457..4b67e9a 100644
> --- a/tests/ioctl/test_noioctl.c
> +++ b/tests/ioctl/test_noioctl.c
> @@ -51,9 +51,9 @@ int main(int argc, char **argv)
>         }
>
>         /* This one should hit the FILE__IOCTL test and fail. */
> -       rc = ioctl(fd, FIOCLEX);
> +       rc = ioctl(fd, FIOQSIZE, &val);
>         if( rc == 0 ) {
> -               printf("test_noioctl:FIOCLEX");
> +               printf("test_noioctl:FIOQSIZE");
>                 exit(1);
>         }
>
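Review bot: the negative test only checks `if( rc == 0 )`, so an ioctl that fails for any reason other than the SELinux denial (for example EINVAL on a filesystem that does not support FIOQSIZE) makes the test pass without exercising the xperm check; suggest also requiring `errno == EACCES` and reporting the unexpected errno otherwise. Minor: `printf("test_noioctl:FIOQSIZE");` has no trailing newline and goes to stdout, while the positive test reports through `perror` on stderr; a `fprintf(stderr, "...\n")` would keep the two consistent. The same `loff_t val` type concern as in test_ioctl.c applies here.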
> --
> 2.35.1
>

Thanks, I merged this with some minor commit message edits:
https://github.com/SELinuxProject/selinux-testsuite/commit/b11701a55614eeb20e85fee9829d1699cc13c39a

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

