[LTP] [PATCH v3] ioctl_pidfd01: check EACCESS error when SELinux is enabled

[LTP] [PATCH v3] ioctl_pidfd01: check EACCESS error when SELinux is enabled

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

When SELinux is enabled with enforcing policy, ioctl_pidfd01 might fail
with EACCESS. This is an error triggered by ioctl() syscall, before we
actually reach the code we are about to test, so we need to consider
this errno just in case enforcing policy is on.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Following errors are caused by SELinux, trying to block any access to
the file descriptor before actually accessing to it.

ioctl_pidfd01.c:37: TINFO: io uring -> ...
ioctl_pidfd01.c:28: TFAIL: ioctl(io uring, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)
---
Changes in v3:
- verify for EACCESS only
- Link to v2: https://lore.kernel.org/r/20250729-ioctl_pidfd01_selinux-v2-1-2d92c0e56b25@suse.com

Changes in v2:
- disable the whole test if enforcing policy is on
- Link to v1: https://lore.kernel.org/r/20250729-ioctl_pidfd01_selinux-v1-1-432e100a5a53@suse.com
---
 testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
index 92c51c6c0d0dcbb2308c1a8d82b2a92650f3a6b3..a786b25b495b7b465ef8a2c410ae6c11e0e01763 100644
--- a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
+++ b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
@@ -10,10 +10,12 @@
 
 #include "ioctl_pidfd.h"
 
+static int exp_errnos_num;
 static int exp_errnos[] = {
 	EINVAL,
 	EBADF,
 	ENOTTY,
+	EACCES,
 };
 
 static struct pidfd_info *info;
@@ -26,7 +28,7 @@ static void test_bad_pidfd(struct tst_fd *fd_in)
 	}
 
 	TST_EXP_FAIL_ARR(ioctl(fd_in->fd, PIDFD_GET_INFO, info),
-		  exp_errnos, ARRAY_SIZE(exp_errnos),
+		  exp_errnos, exp_errnos_num,
 		  "ioctl(%s, PIDFD_GET_INFO, info)",
 		  tst_fd_desc(fd_in));
 }
@@ -44,6 +46,11 @@ static void setup(void)
 	if (!ioctl_pidfd_info_exit_supported())
 		tst_brk(TCONF, "PIDFD_INFO_EXIT is not supported by ioctl()");
 
+	exp_errnos_num = ARRAY_SIZE(exp_errnos) - 1;
+
+	if (tst_selinux_enforcing())
+		exp_errnos_num++;
+
 	info->mask = PIDFD_INFO_EXIT;
 }
 

---
base-commit: 91e6272febf95e19a8300695dfc2089569adf9d8
change-id: 20250729-ioctl_pidfd01_selinux-1479ea457850

Best regards,
-- 
Andrea Cervesato <andrea.cervesato@suse.com>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v3] ioctl_pidfd01: check EACCESS error when SELinux is enabled

[Petr Vorel]

Hi Andrea,

> From: Andrea Cervesato <andrea.cervesato@suse.com>

> When SELinux is enabled with enforcing policy, ioctl_pidfd01 might fail
> with EACCESS. This is an error triggered by ioctl() syscall, before we
> actually reach the code we are about to test, so we need to consider
> this errno just in case enforcing policy is on.

Thanks!
Reviewed-by: Petr Vorel <pvorel@suse.cz>

ALso, we have yet another bug on some older kernel versions (found on 6.12 and
6.13, but 6.16 is not affected)
ioctl_pidfd.h:32: TBROK: ioctl(3,((((2U|1U) << (((0+8)+8)+14)) | (((0xFF)) << (0+8)) | (((11)) << 0) | ((((sizeof(struct pidfd_info)))) << ((0+8)+8)))),...) failed: ESRCH (3)

Kind regards,
Petr

> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> Following errors are caused by SELinux, trying to block any access to
> the file descriptor before actually accessing to it.

> ioctl_pidfd01.c:37: TINFO: io uring -> ...
> ioctl_pidfd01.c:28: TFAIL: ioctl(io uring, PIDFD_GET_INFO, info) expected EINVAL, EBADF, ENOTTY: EACCES (13)
> ---
> Changes in v3:
> - verify for EACCESS only
> - Link to v2: https://lore.kernel.org/r/20250729-ioctl_pidfd01_selinux-v2-1-2d92c0e56b25@suse.com

> Changes in v2:
> - disable the whole test if enforcing policy is on
> - Link to v1: https://lore.kernel.org/r/20250729-ioctl_pidfd01_selinux-v1-1-432e100a5a53@suse.com
> ---
>  testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)

> diff --git a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> index 92c51c6c0d0dcbb2308c1a8d82b2a92650f3a6b3..a786b25b495b7b465ef8a2c410ae6c11e0e01763 100644
> --- a/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> +++ b/testcases/kernel/syscalls/ioctl/ioctl_pidfd01.c
> @@ -10,10 +10,12 @@

>  #include "ioctl_pidfd.h"

> +static int exp_errnos_num;
>  static int exp_errnos[] = {
>  	EINVAL,
>  	EBADF,
>  	ENOTTY,
> +	EACCES,
>  };

>  static struct pidfd_info *info;
> @@ -26,7 +28,7 @@ static void test_bad_pidfd(struct tst_fd *fd_in)
>  	}

>  	TST_EXP_FAIL_ARR(ioctl(fd_in->fd, PIDFD_GET_INFO, info),
> -		  exp_errnos, ARRAY_SIZE(exp_errnos),
> +		  exp_errnos, exp_errnos_num,
>  		  "ioctl(%s, PIDFD_GET_INFO, info)",
>  		  tst_fd_desc(fd_in));
>  }
> @@ -44,6 +46,11 @@ static void setup(void)
>  	if (!ioctl_pidfd_info_exit_supported())
>  		tst_brk(TCONF, "PIDFD_INFO_EXIT is not supported by ioctl()");

> +	exp_errnos_num = ARRAY_SIZE(exp_errnos) - 1;
> +
> +	if (tst_selinux_enforcing())
> +		exp_errnos_num++;
> +
>  	info->mask = PIDFD_INFO_EXIT;
>  }


> ---
> base-commit: 91e6272febf95e19a8300695dfc2089569adf9d8
> change-id: 20250729-ioctl_pidfd01_selinux-1479ea457850

> Best regards,

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v3] ioctl_pidfd01: check EACCESS error when SELinux is enabled

[Andrea Cervesato via ltp]

On 7/30/25 10:24 AM, Petr Vorel wrote:
> ALso, we have yet another bug on some older kernel versions (found on 6.12 and
> 6.13, but 6.16 is not affected)
> ioctl_pidfd.h:32: TBROK: ioctl(3,((((2U|1U) << (((0+8)+8)+14)) | (((0xFF)) << (0+8)) | (((11)) << 0) | ((((sizeof(struct pidfd_info)))) << ((0+8)+8)))),...) failed: ESRCH (3)

I'm gonna investigate this bug now. In the meanwhile I merge the patch. 
Thanks!

- Andrea


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp