* [PATCH testsuite] tests/ioctl: Update ioctl tests
@ 2022-02-24 12:42 Richard Haines
  2022-04-20 12:22 ` Ondrej Mosnacek
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Haines @ 2022-02-24 12:42 UTC (permalink / raw)
  To: selinux; +Cc: paul, demiobenour, Richard Haines

This change replaces the ioctl check FIOCLEX with FIOQSIZE as the
kernel will always allow FIOCLEX if policy capability 'ioctl_skip_cloexec'
is set true.

Also updated policy to test xperm ioctl FIOQSIZE.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 policy/test_ioctl_xperms.te | 7 ++++---
 tests/ioctl/test_ioctl.c    | 4 ++--
 tests/ioctl/test_noioctl.c  | 4 ++--
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/policy/test_ioctl_xperms.te b/policy/test_ioctl_xperms.te
index f9bc8d5..5f570c3 100644
--- a/policy/test_ioctl_xperms.te
+++ b/policy/test_ioctl_xperms.te
@@ -1,4 +1,4 @@
-define(`FIOCLEX', `{ 0x00006601 0x00005451 }')
+define(`FIOQSIZE', `{ 0x00005460 }')
 
 # Domain for process that is allowed the required ioctl xperms.
 type test_ioctl_xperm_t;
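Review bot: The new `define(`FIOQSIZE', `{ 0x00005460 }')` hard-codes the asm-generic/x86 encoding of the ioctl number, whereas the FIOCLEX define it replaces listed two values and so covered a second architecture. FIOQSIZE is one of the ioctls whose number is defined per architecture (arm uses 0x545E and mips 0x667F, for example), so on such machines the xperm rule will not match the command test_ioctl issues and the positive test will be denied. Listing the alternative encodings in the set, e.g. `define(`FIOQSIZE', `{ 0x00005460 0x0000545E 0x0000667F }')`, keeps the testsuite portable, and a comment above the define naming which architecture each value belongs to would explain the set to the next reader.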
@@ -7,7 +7,7 @@ unconfined_runs_test(test_ioctl_xperm_t)
 typeattribute test_ioctl_xperm_t ioctldomain;
 typeattribute test_ioctl_xperm_t testdomain;
 allow test_ioctl_xperm_t test_ioctl_file_t:file { open read write ioctl getattr setattr };
-allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOCLEX;
+allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOQSIZE;
 
 # Domain for process that is not allowed the required ioctl xperms.
 type test_ioctl_noxperm_t;
@@ -15,4 +15,5 @@ domain_type(test_ioctl_noxperm_t)
 unconfined_runs_test(test_ioctl_noxperm_t)
 typeattribute test_ioctl_noxperm_t ioctldomain;
 typeattribute test_ioctl_noxperm_t testdomain;
-allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOCLEX;
+allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };
+allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOQSIZE;
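Review bot: The `allow` rule added for test_ioctl_noxperm_t grants `{ open read getattr setattr ioctl }` but not `write`, while the xperm domain's rule on the same file type a few lines up also carries `write`. If test_noioctl.c opens the test file for writing (its open() call is outside this patch), the denial would surface at open() rather than at the FIOQSIZE ioctl the test is meant to exercise, and the outcome would depend on how that earlier failure is handled rather than on the xperm check. Either add `write` to mirror the xperm domain's rule, or add a comment such as `# noxperm domain is intentionally read-only; test opens O_RDONLY` stating why the two rules differ.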
diff --git a/tests/ioctl/test_ioctl.c b/tests/ioctl/test_ioctl.c
index 366d09c..6fff2d0 100644
--- a/tests/ioctl/test_ioctl.c
+++ b/tests/ioctl/test_ioctl.c
@@ -35,9 +35,9 @@ int main(int argc, char **argv)
 	}
 
 	/* This one should hit the FILE__IOCTL test */
-	rc = ioctl(fd, FIOCLEX);
+	rc = ioctl(fd, FIOQSIZE, &val);
 	if( rc < 0 ) {
-		perror("test_ioctl:FIOCLEX");
+		perror("test_ioctl:FIOQSIZE");
 		exit(1);
 	}
 
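Review bot: `ioctl(fd, FIOQSIZE, &val)` asks the kernel to store the file size into `val`, and the FIOQSIZE handler writes a `loff_t` (eight bytes), so unless `val` is declared as `loff_t` (its declaration is outside the hunk, in main's preamble) the copy overruns the variable by four bytes — stack corruption that a test checking only `rc` would not notice. The FIOCLEX call being replaced took no argument, so this is a new requirement introduced by the change; the same call is added to tests/ioctl/test_noioctl.c in this patch. Declare `loff_t val;` in both files, or pass a dedicated `loff_t size;` for this call. The enclosing main() starts before this hunk.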
diff --git a/tests/ioctl/test_noioctl.c b/tests/ioctl/test_noioctl.c
index ddce457..4b67e9a 100644
--- a/tests/ioctl/test_noioctl.c
+++ b/tests/ioctl/test_noioctl.c
@@ -51,9 +51,9 @@ int main(int argc, char **argv)
 	}
 
 	/* This one should hit the FILE__IOCTL test and fail. */
-	rc = ioctl(fd, FIOCLEX);
+	rc = ioctl(fd, FIOQSIZE, &val);
 	if( rc == 0 ) {
-		printf("test_noioctl:FIOCLEX");
+		printf("test_noioctl:FIOQSIZE");
 		exit(1);
 	}
 
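Review bot: The negative check `if( rc == 0 )` only asserts that the ioctl failed, not that it failed because of the SELinux xperm denial; an ENOTTY from a filesystem or object type that does not implement FIOQSIZE, or an EFAULT, would also let the test pass. Checking the cause, `if (rc == 0 || errno != EACCES) { perror("test_noioctl:FIOQSIZE"); exit(1); }`, pins the behaviour the test exists to verify, with errno read before any other call can overwrite it. The `printf("test_noioctl:FIOQSIZE")` message also has no trailing newline and differs from the `perror` style used in test_ioctl.c; the form above resolves both. main() starts before this hunk.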
-- 
2.35.1



* Re: [PATCH testsuite] tests/ioctl: Update ioctl tests
  2022-02-24 12:42 [PATCH testsuite] tests/ioctl: Update ioctl tests Richard Haines
@ 2022-04-20 12:22 ` Ondrej Mosnacek
  0 siblings, 0 replies; 2+ messages in thread
From: Ondrej Mosnacek @ 2022-04-20 12:22 UTC (permalink / raw)
  To: Richard Haines; +Cc: SElinux list, Paul Moore, demiobenour

On Thu, Feb 24, 2022 at 1:43 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> This change replaces the ioctl check FIOCLEX with FIOQSIZE as the
> kernel will always allow FIOCLEX if policy capability 'ioctl_skip_cloexec'
> is set true.
>
> Also updated policy to test xperm ioctl FIOQSIZE.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  policy/test_ioctl_xperms.te | 7 ++++---
>  tests/ioctl/test_ioctl.c    | 4 ++--
>  tests/ioctl/test_noioctl.c  | 4 ++--
>  3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/policy/test_ioctl_xperms.te b/policy/test_ioctl_xperms.te
> index f9bc8d5..5f570c3 100644
> --- a/policy/test_ioctl_xperms.te
> +++ b/policy/test_ioctl_xperms.te
> @@ -1,4 +1,4 @@
> -define(`FIOCLEX', `{ 0x00006601 0x00005451 }')
> +define(`FIOQSIZE', `{ 0x00005460 }')
>
>  # Domain for process that is allowed the required ioctl xperms.
>  type test_ioctl_xperm_t;
> @@ -7,7 +7,7 @@ unconfined_runs_test(test_ioctl_xperm_t)
>  typeattribute test_ioctl_xperm_t ioctldomain;
>  typeattribute test_ioctl_xperm_t testdomain;
>  allow test_ioctl_xperm_t test_ioctl_file_t:file { open read write ioctl getattr setattr };
> -allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOCLEX;
> +allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOQSIZE;
>
>  # Domain for process that is not allowed the required ioctl xperms.
>  type test_ioctl_noxperm_t;
> @@ -15,4 +15,5 @@ domain_type(test_ioctl_noxperm_t)
>  unconfined_runs_test(test_ioctl_noxperm_t)
>  typeattribute test_ioctl_noxperm_t ioctldomain;
>  typeattribute test_ioctl_noxperm_t testdomain;
> -allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOCLEX;
> +allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };
> +allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOQSIZE;
> diff --git a/tests/ioctl/test_ioctl.c b/tests/ioctl/test_ioctl.c
> index 366d09c..6fff2d0 100644
> --- a/tests/ioctl/test_ioctl.c
> +++ b/tests/ioctl/test_ioctl.c
> @@ -35,9 +35,9 @@ int main(int argc, char **argv)
>         }
>
>         /* This one should hit the FILE__IOCTL test */
> -       rc = ioctl(fd, FIOCLEX);
> +       rc = ioctl(fd, FIOQSIZE, &val);
>         if( rc < 0 ) {
> -               perror("test_ioctl:FIOCLEX");
> +               perror("test_ioctl:FIOQSIZE");
>                 exit(1);
>         }
>
> diff --git a/tests/ioctl/test_noioctl.c b/tests/ioctl/test_noioctl.c
> index ddce457..4b67e9a 100644
> --- a/tests/ioctl/test_noioctl.c
> +++ b/tests/ioctl/test_noioctl.c
> @@ -51,9 +51,9 @@ int main(int argc, char **argv)
>         }
>
>         /* This one should hit the FILE__IOCTL test and fail. */
> -       rc = ioctl(fd, FIOCLEX);
> +       rc = ioctl(fd, FIOQSIZE, &val);
>         if( rc == 0 ) {
> -               printf("test_noioctl:FIOCLEX");
> +               printf("test_noioctl:FIOQSIZE");
>                 exit(1);
>         }
>
> --
> 2.35.1
>

Thanks, I merged this with some minor commit message edits:
https://github.com/SELinuxProject/selinux-testsuite/commit/b11701a55614eeb20e85fee9829d1699cc13c39a

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.


