
[testsuite] tests/ioctl: Update ioctl tests

Message ID 20220224124227.44146-1-richard_c_haines@btinternet.com (mailing list archive)
State Accepted
Delegated to: Ondrej Mosnáček

Commit Message

Richard Haines Feb. 24, 2022, 12:42 p.m. UTC
This change replaces the FIOCLEX ioctl check with FIOQSIZE, as the
kernel will always allow FIOCLEX if the policy capability 'ioctl_skip_cloexec'
is set to true.

Also updated policy to test xperm ioctl FIOQSIZE.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 policy/test_ioctl_xperms.te | 7 ++++---
 tests/ioctl/test_ioctl.c    | 4 ++--
 tests/ioctl/test_noioctl.c  | 4 ++--
 3 files changed, 8 insertions(+), 7 deletions(-)

Comments

Ondrej Mosnacek April 20, 2022, 12:22 p.m. UTC | #1
On Thu, Feb 24, 2022 at 1:43 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> This change replaces the ioctl check FIOCLEX with FIOQSIZE as the
> kernel will always allow FIOCLEX if policy capability 'ioctl_skip_cloexec'
> is set true.
>
> Also updated policy to test xperm ioctl FIOQSIZE.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  policy/test_ioctl_xperms.te | 7 ++++---
>  tests/ioctl/test_ioctl.c    | 4 ++--
>  tests/ioctl/test_noioctl.c  | 4 ++--
>  3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/policy/test_ioctl_xperms.te b/policy/test_ioctl_xperms.te
> index f9bc8d5..5f570c3 100644
> --- a/policy/test_ioctl_xperms.te
> +++ b/policy/test_ioctl_xperms.te
> @@ -1,4 +1,4 @@
> -define(`FIOCLEX', `{ 0x00006601 0x00005451 }')
> +define(`FIOQSIZE', `{ 0x00005460 }')
>
>  # Domain for process that is allowed the required ioctl xperms.
>  type test_ioctl_xperm_t;
> @@ -7,7 +7,7 @@ unconfined_runs_test(test_ioctl_xperm_t)
>  typeattribute test_ioctl_xperm_t ioctldomain;
>  typeattribute test_ioctl_xperm_t testdomain;
>  allow test_ioctl_xperm_t test_ioctl_file_t:file { open read write ioctl getattr setattr };
> -allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOCLEX;
> +allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOQSIZE;
>
>  # Domain for process that is not allowed the required ioctl xperms.
>  type test_ioctl_noxperm_t;
> @@ -15,4 +15,5 @@ domain_type(test_ioctl_noxperm_t)
>  unconfined_runs_test(test_ioctl_noxperm_t)
>  typeattribute test_ioctl_noxperm_t ioctldomain;
>  typeattribute test_ioctl_noxperm_t testdomain;
> -allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOCLEX;
> +allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };
> +allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOQSIZE;
> diff --git a/tests/ioctl/test_ioctl.c b/tests/ioctl/test_ioctl.c
> index 366d09c..6fff2d0 100644
> --- a/tests/ioctl/test_ioctl.c
> +++ b/tests/ioctl/test_ioctl.c
> @@ -35,9 +35,9 @@ int main(int argc, char **argv)
>         }
>
>         /* This one should hit the FILE__IOCTL test */
> -       rc = ioctl(fd, FIOCLEX);
> +       rc = ioctl(fd, FIOQSIZE, &val);
>         if( rc < 0 ) {
> -               perror("test_ioctl:FIOCLEX");
> +               perror("test_ioctl:FIOQSIZE");
>                 exit(1);
>         }
>
> diff --git a/tests/ioctl/test_noioctl.c b/tests/ioctl/test_noioctl.c
> index ddce457..4b67e9a 100644
> --- a/tests/ioctl/test_noioctl.c
> +++ b/tests/ioctl/test_noioctl.c
> @@ -51,9 +51,9 @@ int main(int argc, char **argv)
>         }
>
>         /* This one should hit the FILE__IOCTL test and fail. */
> -       rc = ioctl(fd, FIOCLEX);
> +       rc = ioctl(fd, FIOQSIZE, &val);
>         if( rc == 0 ) {
> -               printf("test_noioctl:FIOCLEX");
> +               printf("test_noioctl:FIOQSIZE");
>                 exit(1);
>         }
>
> --
> 2.35.1
>

Thanks, I merged this with some minor commit message edits:
https://github.com/SELinuxProject/selinux-testsuite/commit/b11701a55614eeb20e85fee9829d1699cc13c39a

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Patch

diff --git a/policy/test_ioctl_xperms.te b/policy/test_ioctl_xperms.te
index f9bc8d5..5f570c3 100644
--- a/policy/test_ioctl_xperms.te
+++ b/policy/test_ioctl_xperms.te
@@ -1,4 +1,4 @@ 
-define(`FIOCLEX', `{ 0x00006601 0x00005451 }')
+define(`FIOQSIZE', `{ 0x00005460 }')
 
 # Domain for process that is allowed the required ioctl xperms.
 type test_ioctl_xperm_t;
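Review bot: The new FIOQSIZE define carries a single value, 0x00005460, whereas the FIOCLEX define it replaces listed two (0x00006601 and 0x00005451) so that the xperm rules matched on architectures whose ioctl numbering differs from the generic one. FIOQSIZE is likewise not uniform across architectures — as far as I recall 32-bit ARM and MIPS assign it different numbers in their uapi ioctls.h — so on such targets the allowxperm rules in the two following hunks would never match the request the C tests issue, and the xperm test would pass or fail for the wrong reason. Either list the per-architecture values as the old macro did, or record the restriction next to the define, e.g. `# FIOQSIZE for the generic ioctl ABI; add arch-specific values if the suite runs on ARM/MIPS`. I have not checked every architecture header, so the exact set of differing values should be confirmed before widening the list.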
@@ -7,7 +7,7 @@  unconfined_runs_test(test_ioctl_xperm_t)
 typeattribute test_ioctl_xperm_t ioctldomain;
 typeattribute test_ioctl_xperm_t testdomain;
 allow test_ioctl_xperm_t test_ioctl_file_t:file { open read write ioctl getattr setattr };
-allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOCLEX;
+allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOQSIZE;
 
 # Domain for process that is not allowed the required ioctl xperms.
 type test_ioctl_noxperm_t;
@@ -15,4 +15,5 @@  domain_type(test_ioctl_noxperm_t)
 unconfined_runs_test(test_ioctl_noxperm_t)
 typeattribute test_ioctl_noxperm_t ioctldomain;
 typeattribute test_ioctl_noxperm_t testdomain;
-allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOCLEX;
+allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };
+allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOQSIZE;
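Review bot: The added `allow ... { open read getattr setattr ioctl }` rule for test_ioctl_noxperm_t is not mentioned in the commit message, and it is not visible here whether it replaces a rule that lived elsewhere or is newly required for the test to reach the xperm check; a short comment would make the intent clear, e.g. `# Grant the base ioctl permission so the denial comes from the xperm check, not from file { ioctl }.` Note also that this rule omits `write`, unlike the test_ioctl_xperm_t rule above; if tests/ioctl/test_noioctl.c opens the test file for writing (its open flags are outside this diff), the open would be denied before the ioctl and the test would report the wrong failure, so the two rules should be reconciled.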
diff --git a/tests/ioctl/test_ioctl.c b/tests/ioctl/test_ioctl.c
index 366d09c..6fff2d0 100644
--- a/tests/ioctl/test_ioctl.c
+++ b/tests/ioctl/test_ioctl.c
@@ -35,9 +35,9 @@  int main(int argc, char **argv)
 	}
 
 	/* This one should hit the FILE__IOCTL test */
-	rc = ioctl(fd, FIOCLEX);
+	rc = ioctl(fd, FIOQSIZE, &val);
 	if( rc < 0 ) {
-		perror("test_ioctl:FIOCLEX");
+		perror("test_ioctl:FIOQSIZE");
 		exit(1);
 	}
 
diff --git a/tests/ioctl/test_noioctl.c b/tests/ioctl/test_noioctl.c
index ddce457..4b67e9a 100644
--- a/tests/ioctl/test_noioctl.c
+++ b/tests/ioctl/test_noioctl.c
@@ -51,9 +51,9 @@  int main(int argc, char **argv)
 	}
 
 	/* This one should hit the FILE__IOCTL test and fail. */
-	rc = ioctl(fd, FIOCLEX);
+	rc = ioctl(fd, FIOQSIZE, &val);
 	if( rc == 0 ) {
-		printf("test_noioctl:FIOCLEX");
+		printf("test_noioctl:FIOQSIZE");
 		exit(1);
 	}