[LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

Disable io_uring bad file descriptor in ioctl_pidfd01 when SELinux is
enabled with enforcing mode. The reason is that SELinux inhibits usage
of the io_uring file descriptor with EACCESS, causing test to fail
without a real underlying bug.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
ioctl_pidfd01.c:37: TINFO: io uring -> ...
ioctl_pidfd01.c:28: TFAIL: ioctl(io uring, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)
---
 testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
index 92c51c6c0d0dcbb2308c1a8d82b2a92650f3a6b3..1ccb4bcd8a5d4283d29e0a005aef57fbb6753759 100644
--- a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
+++ b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
@@ -17,6 +17,7 @@ static int exp_errnos[] = {
 };
 
 static struct pidfd_info *info;
+static int selinux_enforcing;
 
 static void test_bad_pidfd(struct tst_fd *fd_in)
 {
@@ -25,6 +26,11 @@ static void test_bad_pidfd(struct tst_fd *fd_in)
 		return;
 	}
 
+	if (fd_in->type == TST_FD_IO_URING && selinux_enforcing) {
+		tst_res(TINFO, "Skipping io_uring: SELinux enforcing enabled");
+		return;
+	}
+
 	TST_EXP_FAIL_ARR(ioctl(fd_in->fd, PIDFD_GET_INFO, info),
 		  exp_errnos, ARRAY_SIZE(exp_errnos),
 		  "ioctl(%s, PIDFD_GET_INFO, info)",
@@ -44,6 +50,8 @@ static void setup(void)
 	if (!ioctl_pidfd_info_exit_supported())
 		tst_brk(TCONF, "PIDFD_INFO_EXIT is not supported by ioctl()");
 
+	selinux_enforcing = tst_selinux_enforcing();
+
 	info->mask = PIDFD_INFO_EXIT;
 }
 

---
base-commit: 91e6272febf95e19a8300695dfc2089569adf9d8
change-id: 20250729-ioctl_pidfd01_selinux-1479ea457850

Best regards,
-- 
Andrea Cervesato <andrea.cervesato@suse.com>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Avinesh Kumar]

On Tuesday, July 29, 2025 10:06:45 AM CEST Andrea Cervesato wrote:
> From: Andrea Cervesato <andrea.cervesato@suse.com>
> 
> Disable io_uring bad file descriptor in ioctl_pidfd01 when SELinux is
> enabled with enforcing mode. The reason is that SELinux inhibits usage
> of the io_uring file descriptor with EACCESS, causing test to fail
> without a real underlying bug.

We also have same failure for memfd_secret case in this test:

ioctl_pidfd01.c:37: TINFO: memfd secret -> ...
ioctl_pidfd01.c:28: TFAIL: ioctl(memfd secret, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)

If we are opting for skipping the tests when selinux is enforcing mode,
this also needs to be skipped.

> 
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> ioctl_pidfd01.c:37: TINFO: io uring -> ...
> ioctl_pidfd01.c:28: TFAIL: ioctl(io uring, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)
> ---
>  testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> index 92c51c6c0d0dcbb2308c1a8d82b2a92650f3a6b3..1ccb4bcd8a5d4283d29e0a005aef57fbb6753759 100644
> --- a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> +++ b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> @@ -17,6 +17,7 @@ static int exp_errnos[] = {
>  };
>  
>  static struct pidfd_info *info;
> +static int selinux_enforcing;
>  
>  static void test_bad_pidfd(struct tst_fd *fd_in)
>  {
> @@ -25,6 +26,11 @@ static void test_bad_pidfd(struct tst_fd *fd_in)
>  		return;
>  	}
>  
> +	if (fd_in->type == TST_FD_IO_URING && selinux_enforcing) {
> +		tst_res(TINFO, "Skipping io_uring: SELinux enforcing enabled");
> +		return;
> +	}
> +
>  	TST_EXP_FAIL_ARR(ioctl(fd_in->fd, PIDFD_GET_INFO, info),
>  		  exp_errnos, ARRAY_SIZE(exp_errnos),
>  		  "ioctl(%s, PIDFD_GET_INFO, info)",
> @@ -44,6 +50,8 @@ static void setup(void)
>  	if (!ioctl_pidfd_info_exit_supported())
>  		tst_brk(TCONF, "PIDFD_INFO_EXIT is not supported by ioctl()");
>  
> +	selinux_enforcing = tst_selinux_enforcing();
> +
>  	info->mask = PIDFD_INFO_EXIT;
>  }
>  
> 
> ---
> base-commit: 91e6272febf95e19a8300695dfc2089569adf9d8
> change-id: 20250729-ioctl_pidfd01_selinux-1479ea457850
> 
> Best regards,
> 

Thanks,
Avinesh



-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Andrea Cervesato via ltp]

On 7/29/25 10:32 AM, Avinesh Kumar wrote:
> We also have same failure for memfd_secret case in this test:
>
> ioctl_pidfd01.c:37: TINFO: memfd secret -> ...
> ioctl_pidfd01.c:28: TFAIL: ioctl(memfd secret, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)
>
> If we are opting for skipping the tests when selinux is enforcing mode,
> this also needs to be skipped.

In this case we will probably need to disable the test for SELinux 
enforcing.

- Andrea


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Petr Vorel]

> On 7/29/25 10:32 AM, Avinesh Kumar wrote:
> > We also have same failure for memfd_secret case in this test:

> > ioctl_pidfd01.c:37: TINFO: memfd secret -> ...
> > ioctl_pidfd01.c:28: TFAIL: ioctl(memfd secret, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)

> > If we are opting for skipping the tests when selinux is enforcing mode,
> > this also needs to be skipped.

> In this case we will probably need to disable the test for SELinux
> enforcing.

Well, all tests (ioctl_pidfd01.c, this ioctl_pidfd01.c, mount08.c) are testing
with TST_EXP_FAIL_ARR(), i.e. negative tests.  Wouldn't be better to just expect
a different errno? At least this is what I suggested to mount08.c [1].

Whichever of these to approaches we agree on, I wonder if we should document the
recommended way somewhere, maybe in Writing tests [2].

Kind regards,
Petr

[1] https://lore.kernel.org/ltp/20250728103141.GA756176@pevik/
[2] https://linux-test-project.readthedocs.io/en/latest/developers/writing_tests.html

> - Andrea


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Andrea Cervesato via ltp]

On 7/29/25 10:47 AM, Petr Vorel wrote:
> Well, all tests (ioctl_pidfd01.c, this ioctl_pidfd01.c, mount08.c) are testing
> with TST_EXP_FAIL_ARR(), i.e. negative tests.  Wouldn't be better to just expect
> a different errno? At least this is what I suggested to mount08.c [1].

Probably that works only for specific SELinux configurations and not for 
all of them. We can't consider the test to always fail with EACCESS if 
SELinux is enabled.

Also, we are testing ioctl() syscall and not SELinux interaction with 
the faulty file descriptors: that would happen with any other test as well.

- Andrea


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Cyril Hrubis]

Hi!
> > > We also have same failure for memfd_secret case in this test:
> 
> > > ioctl_pidfd01.c:37: TINFO: memfd secret -> ...
> > > ioctl_pidfd01.c:28: TFAIL: ioctl(memfd secret, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)
> 
> > > If we are opting for skipping the tests when selinux is enforcing mode,
> > > this also needs to be skipped.
> 
> > In this case we will probably need to disable the test for SELinux
> > enforcing.
> 
> Well, all tests (ioctl_pidfd01.c, this ioctl_pidfd01.c, mount08.c) are testing
> with TST_EXP_FAIL_ARR(), i.e. negative tests.  Wouldn't be better to just expect
> a different errno? At least this is what I suggested to mount08.c [1].

I'm not that sure about how to fix this. Disabling tests preventively
just because selinux is enforcing does not sound convincing to me. I
would expect that it all depends on the particular configuration of the
rules on the system.

Maybe it would make sense to inject additional errno EACESS to the
TST_EXP_FAIL() automatically if we detect that selinux is enforcing.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Andrea Cervesato via ltp]

On 7/29/25 6:17 PM, Cyril Hrubis wrote:
> Maybe it would make sense to inject additional errno EACESS to the
> TST_EXP_FAIL() automatically if we detect that selinux is enforcing.

This is potentially true for every LTP test, because SELinux can be 
customized in many ways. Technically, we should not take care about 
SELinux inside tests if they fail because of it and to threat failures 
according to the LSM configuration, considering that as a known issue or 
a soft failure.

At least, this was my first idea. This patch was introduced after 
talking to other devs and I'm also not 100% sure about it.

- Andrea


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Andrea Cervesato via ltp]

On 7/30/25 12:40 PM, Wei Gao wrote:
> Just FYI discussion on similar case for fanotify14 handle selinux
> https://lists.linux.it/pipermail/ltp/2024-March/037564.html

Thanks Wei for pointing to the fanotify14 discussion. I'm going to 
implement the same solution we had there, even if I'm not 100% convinced 
about it.

- Andrea


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Petr Vorel]

> On 7/30/25 12:40 PM, Wei Gao wrote:
> > Just FYI discussion on similar case for fanotify14 handle selinux
> > https://lists.linux.it/pipermail/ltp/2024-March/037564.html

> Thanks Wei for pointing to the fanotify14 discussion. I'm going to implement
> the same solution we had there, even if I'm not 100% convinced about it.

Thank you! IMHO it's better to proactive check for some expected errnos than
skip on SELinux without bothering what actually happened.

Kind regards,
Petr

> - Andrea


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] Disable io_uring fd in ioctl_pidfd01 for selinux

[Wei Gao via ltp]

On Tue, Jul 29, 2025 at 06:48:15PM +0200, Andrea Cervesato wrote:
> On 7/29/25 6:17 PM, Cyril Hrubis wrote:
> > Maybe it would make sense to inject additional errno EACESS to the
> > TST_EXP_FAIL() automatically if we detect that selinux is enforcing.
> 
> This is potentially true for every LTP test, because SELinux can be
> customized in many ways. Technically, we should not take care about SELinux
> inside tests if they fail because of it and to threat failures according to
> the LSM configuration, considering that as a known issue or a soft failure.
> 
> At least, this was my first idea. This patch was introduced after talking to
> other devs and I'm also not 100% sure about it.
> 
> - Andrea
> 
Just FYI discussion on similar case for fanotify14 handle selinux
https://lists.linux.it/pipermail/ltp/2024-March/037564.html

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp