From: Petr Vorel <pvorel@suse.cz>
To: Andrea Cervesato <andrea.cervesato@suse.de>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] [PATCH v3] ioctl_pidfd01: check EACCESS error when SELinux is enabled
Date: Wed, 30 Jul 2025 10:24:35 +0200
Message-ID: <20250730082435.GC54941@pevik>
In-Reply-To: <20250730-ioctl_pidfd01_selinux-v3-1-be5a56358b78@suse.com>

Hi Andrea,

> From: Andrea Cervesato <andrea.cervesato@suse.com>

> When SELinux is enabled with enforcing policy, ioctl_pidfd01 might fail
> with EACCES. This is an error triggered by the ioctl() syscall, before we
> actually reach the code we are about to test, so we need to consider
> this errno just in case enforcing policy is on.

Thanks!
Reviewed-by: Petr Vorel <pvorel@suse.cz>

Also, we have yet another bug on some older kernel versions (found on 6.12 and
6.13, but 6.16 is not affected):
ioctl_pidfd.h:32: TBROK: ioctl(3,((((2U|1U) << (((0+8)+8)+14)) | (((0xFF)) << (0+8)) | (((11)) << 0) | ((((sizeof(struct pidfd_info)))) << ((0+8)+8)))),...) failed: ESRCH (3)

Kind regards,
Petr

> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> The following errors are caused by SELinux, trying to block any access to
> the file descriptor before actually accessing it.

> ioctl_pidfd01.c:37: TINFO: io uring -> ...
> ioctl_pidfd01.c:28: TFAIL: ioctl(io uring, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)
> ---
> Changes in v3:
> - verify for EACCES only
> - Link to v2: https://lore.kernel.org/r/20250729-ioctl_pidfd01_selinux-v2-1-2d92c0e56b25@suse.com

> Changes in v2:
> - disable the whole test if enforcing policy is on
> - Link to v1: https://lore.kernel.org/r/20250729-ioctl_pidfd01_selinux-v1-1-432e100a5a53@suse.com
> ---
>  testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)

> diff --git a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> index 92c51c6c0d0dcbb2308c1a8d82b2a92650f3a6b3..a786b25b495b7b465ef8a2c410ae6c11e0e01763 100644
> --- a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> +++ b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> @@ -10,10 +10,12 @@

>  #include "ioctl_pidfd.h"

> +static int exp_errnos_num;
>  static int exp_errnos[] = {
>  	EINVAL,
>  	EBADF,
>  	ENOTTY,
> +	EACCES,
>  };

>  static struct pidfd_info *info;
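
Review bot: The new EACCES entry at the end of exp_errnos carries an undocumented ordering requirement, because setup() computes the count as ARRAY_SIZE(exp_errnos) - 1 and only re-adds the last slot when SELinux is enforcing. Please add a comment on the EACCES line saying it must remain the last element and is counted only under enforcing policy, otherwise a later errno appended after it would be the one dropped instead.
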
> @@ -26,7 +28,7 @@ static void test_bad_pidfd(struct tst_fd *fd_in)
>  	}

>  	TST_EXP_FAIL_ARR(ioctl(fd_in->fd, PIDFD_GET_INFO, info),
> -		  exp_errnos, ARRAY_SIZE(exp_errnos),
> +		  exp_errnos, exp_errnos_num,
>  		  "ioctl(%s, PIDFD_GET_INFO, info)",
>  		  tst_fd_desc(fd_in));
>  }
> @@ -44,6 +46,11 @@ static void setup(void)
>  	if (!ioctl_pidfd_info_exit_supported())
>  		tst_brk(TCONF, "PIDFD_INFO_EXIT is not supported by ioctl()");

> +	exp_errnos_num = ARRAY_SIZE(exp_errnos) - 1;
> +
> +	if (tst_selinux_enforcing())
> +		exp_errnos_num++;
> +
>  	info->mask = PIDFD_INFO_EXIT;
>  }
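
Review bot: When tst_selinux_enforcing() is true in setup(), EACCES becomes an accepted result for every descriptor type passed to test_bad_pidfd(), while the failure quoted in this mail shows it only for "io uring", and nothing in the test output records that the expectation was relaxed. Consider logging a TINFO line in the enforcing branch so a run on an SELinux host shows that EACCES was tolerated. The count would also read more directly as starting from ARRAY_SIZE(exp_errnos) and decrementing when SELinux is not enforcing, rather than subtracting one and then incrementing.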


> ---
> base-commit: 91e6272febf95e19a8300695dfc2089569adf9d8
> change-id: 20250729-ioctl_pidfd01_selinux-1479ea457850

> Best regards,

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp
