From: danieldurning.work@gmail.com
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, stephen.smalley.work@gmail.com, omosnace@redhat.com
Subject: [PATCH testsuite] Add tests for pidfds
Date: Fri, 6 Feb 2026 18:36:18 +0000 [thread overview]
Message-ID: <20260206183618.16065-1-danieldurning.work@gmail.com> (raw)
From: Daniel Durning <danieldurning.work@gmail.com>
Added two tests to exercise access controls on pidfd_getinfo(),
as introduced in the corresponding kernel patch.
Link: https://lore.kernel.org/selinux/20260206180248.12418-1-danieldurning.work@gmail.com
Signed-off-by: Daniel Durning <danieldurning.work@gmail.com>
---
policy/Makefile | 2 +-
policy/test_pidfd.te | 30 +++++++++++
tests/Makefile | 2 +-
tests/pidfd/.gitignore | 1 +
tests/pidfd/Makefile | 5 ++
tests/pidfd/pidfd_test.c | 112 +++++++++++++++++++++++++++++++++++++++
tests/pidfd/test | 49 +++++++++++++++++
7 files changed, 199 insertions(+), 2 deletions(-)
create mode 100644 policy/test_pidfd.te
create mode 100644 tests/pidfd/.gitignore
create mode 100644 tests/pidfd/Makefile
create mode 100644 tests/pidfd/pidfd_test.c
create mode 100755 tests/pidfd/test
diff --git a/policy/Makefile b/policy/Makefile
index a43883f..870b45b 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -22,7 +22,7 @@ TARGETS = \
test_entrypoint.te test_execshare.te test_exectrace.te \
test_execute_no_trans.te test_fdreceive.te test_file.te \
test_inherit.te test_ioctl.te test_ipc.te test_link.te test_mkdir.te \
- test_open.te test_ptrace.te test_readlink.te \
+ test_open.te test_ptrace.te test_pidfd.te test_readlink.te \
test_relabel.te test_rename.te test_rxdir.te test_setattr.te \
test_setnice.te test_sigkill.te test_stat.te test_sysctl.te \
test_task_create.te test_task_getpgid.te test_task_getsched.te \
diff --git a/policy/test_pidfd.te b/policy/test_pidfd.te
new file mode 100644
index 0000000..89b3c00
--- /dev/null
+++ b/policy/test_pidfd.te
@@ -0,0 +1,30 @@
+#
+################# pidfd selinux-testsuite policy module ###################
+#
+
+attribute pidfddomain;
+
+################################### Main ##################################
+type test_pidfd_t;
+testsuite_domain_type(test_pidfd_t)
+typeattribute test_pidfd_t pidfddomain;
+
+allow test_pidfd_t self:file read;
+
+############################### Deny fd read ##############################
+type test_pidfd_deny_read_t;
+testsuite_domain_type(test_pidfd_deny_read_t)
+typeattribute test_pidfd_deny_read_t pidfddomain;
+
+allow test_pidfd_deny_read_t self:file read;
+
+############################### Process type ##############################
+type test_pidfd_process_t;
+testsuite_domain_type(test_pidfd_process_t)
+typeattribute test_pidfd_process_t pidfddomain;
+
+# For writing to flag file
+allow test_pidfd_process_t test_file_t:fifo_file rw_file_perms;
+
+# Allow the main domain to read the process info
+allow test_pidfd_t test_pidfd_process_t:file read;
\ No newline at end of file
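Review bot: test_pidfd_deny_read_t differs from test_pidfd_t only by the absence of the final `allow test_pidfd_t test_pidfd_process_t:file read;` rule, and nothing in the module records that the omission is deliberate, so a later change that grants permissions to the whole `pidfddomain` attribute would make the negative test pass for the wrong reason. Suggest a comment above the deny-domain block such as `# Deliberately no read rule on test_pidfd_process_t: PIDFD_GET_INFO must be denied here`. The `allow ... self:file read` line given to all three domains also deserves a one-line why-comment, since its relation to the pidfd ioctl is not visible from the policy alone (presumably it covers the pidfd's own file object; confirm against the kernel patch). The file also ends without a trailing newline, as the diff marker shows.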
diff --git a/tests/Makefile b/tests/Makefile
index 6df220c..7cd80f6 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -22,7 +22,7 @@ POL_TYPE := $(shell ./pol_detect $(SELINUXFS))
FILESYSTEMS := $(foreach fs,$(FILESYSTEMS),$(shell modprobe $(fs) > /dev/null 2>&1 && echo $(fs)))
SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
- fdreceive inherit link mkdir msg open ptrace readlink relabel rename \
+ fdreceive inherit link mkdir msg open ptrace pidfd readlink relabel rename \
rxdir sem setattr setnice shm sigkill stat sysctl task_create \
task_setnice task_setscheduler task_getscheduler task_getsid \
task_getpgid task_setpgid file ioctl capable_file capable_net \
diff --git a/tests/pidfd/.gitignore b/tests/pidfd/.gitignore
new file mode 100644
index 0000000..42604c5
--- /dev/null
+++ b/tests/pidfd/.gitignore
@@ -0,0 +1 @@
+pidfd_test
\ No newline at end of file
diff --git a/tests/pidfd/Makefile b/tests/pidfd/Makefile
new file mode 100644
index 0000000..d4d3d48
--- /dev/null
+++ b/tests/pidfd/Makefile
@@ -0,0 +1,5 @@
+TARGETS = pidfd_test
+
+all: $(TARGETS)
+clean:
+ rm -f $(TARGETS) flag
diff --git a/tests/pidfd/pidfd_test.c b/tests/pidfd/pidfd_test.c
new file mode 100644
index 0000000..b937a5d
--- /dev/null
+++ b/tests/pidfd/pidfd_test.c
@@ -0,0 +1,112 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+#include <linux/pidfd.h>
+
+#ifndef PIDFD_GET_INFO
+#include <stdint.h>
+
+struct pidfd_info {
+ uint64_t mask;
+ uint64_t cgroupid;
+ uint32_t pid;
+ uint32_t tgid;
+ uint32_t ppid;
+ uint32_t ruid;
+ uint32_t rgid;
+ uint32_t euid;
+ uint32_t egid;
+ uint32_t suid;
+ uint32_t sgid;
+ uint32_t fsuid;
+ uint32_t fsgid;
+ uint32_t spare0[1];
+};
+
+#define PIDFD_GET_INFO _IOWR(PIDFS_IOCTL_MAGIC, 11, struct pidfd_info)
+#endif
+
+enum pidfd_op_types {
+ GET_INFO = 1
+};
+
+static int pidfd_open(pid_t pid, unsigned int flags)
+{
+ return syscall(SYS_pidfd_open, pid, flags);
+}
+
+int getinfo(int pidfd)
+{
+ struct pidfd_info info;
+
+ return ioctl(pidfd, PIDFD_GET_INFO, &info);
+}
+
+static void usage(char *argv[])
+{
+ fprintf(stderr,
+ "Usage: %s -i [-v] <pid>\n"
+ "Where:\n\t"
+ "-i Attempt pidfd_getinfo.\n\t"
+ "-v Print information.\n", argv[0]);
+ exit(-1);
+}
+
+int main(int argc, char *argv[])
+{
+ int pid, pidfd, ret = 0, opt, verbose = 0;
+ char *addr = NULL;
+ enum pidfd_op_types op = 0;
+
+ while ((opt = getopt(argc, argv, "vi")) != -1) {
+ switch (opt) {
+ case 'v':
+ verbose = 1;
+ break;
+ case 'i':
+ op = GET_INFO;
+ break;
+ case '?':
+ usage(argv);
+ break;
+ default:
+ exit(-1);
+ }
+ }
+
+ if (argc < 3)
+ usage(argv);
+
+ pid = atoi(argv[optind]);
+
+ ret = pidfd_open(pid, 0);
+ if (ret < 0) {
+ perror("pidfd_open");
+ goto out;
+ }
+ pidfd = ret;
+
+ switch (op) {
+ case GET_INFO:
+ if (verbose)
+ printf("Attempting to get info from pidfd...\n");
+ ret = getinfo(pidfd);
+ if (verbose) {
+ if (ret)
+ printf("Pidfd get info failed\n");
+ else
+ printf("Got info successfully\n");
+ }
+ break;
+ default:
+ exit(-1);
+ }
+
+out:
+ close(pidfd);
+ return ret;
+}
\ No newline at end of file
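Review bot: `pidfd` is declared uninitialized in main and `close(pidfd)` at the `out:` label runs on the pidfd_open failure path, so the error exit closes an indeterminate descriptor; declare it `int pid, pidfd = -1, ret = 0, opt, verbose = 0;` and guard with `if (pidfd >= 0) close(pidfd);`. In getinfo, `struct pidfd_info info;` is handed to an ioctl declared `_IOWR`, so the kernel is expected to read the struct (at least `mask`) from uninitialized stack; use `struct pidfd_info info = { 0 };` or set the mask bits the test intends to request. The `argc < 3` check does not protect `argv[optind]` when only options are passed (`-v -i`), where atoi would receive NULL; `if (optind >= argc) usage(argv);` is the robust form, and `char *addr` is unused. Because a failed pidfd_open and a denied ioctl both return -1, the caller cannot tell them apart from the exit status, which matters for the negative test in the Perl driver; consider returning distinct codes.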
diff --git a/tests/pidfd/test b/tests/pidfd/test
new file mode 100755
index 0000000..3585a57
--- /dev/null
+++ b/tests/pidfd/test
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+use Test::More;
+
+BEGIN {
+ plan tests => 2;
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ # Allow info to be shown during tests
+ $v = $ARGV[0];
+ if ($v) {
+ if ( $v ne "-v" ) {
+ plan skip_all => "Invalid option (use -v)";
+ }
+ }
+ else {
+ $v = " ";
+ }
+}
+
+# Create child process with process test type
+system("mkfifo $basedir/flag");
+if ( ( $pid = fork() ) == 0 ) {
+ exec
+"exec runcon -t test_pidfd_process_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exit;
+}
+
+# Wait for it to start
+open( my $f, "<", "$basedir/flag" );
+my $rin = '';
+vec( $rin, fileno($f), 1 ) = 1;
+select( $rin, undef, undef, 5 );
+close($f);
+
+# Test that process info read is allowed under default type
+$result = system "runcon -t test_pidfd_t $basedir/pidfd_test $v -i $pid";
+ok( $result eq 0 );
+
+# Test that process info read is denied under deny type
+$result = system "runcon -t test_pidfd_deny_read_t $basedir/pidfd_test $v -i $pid";
+ok($result);
+
+# Clean up
+kill KILL, $pid;
+system "rm -f $basedir/flag";
+
+exit;
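Review bot: The negative test `ok($result)` accepts any non-zero exit from pidfd_test, including a failed pidfd_open because the child never started or has already died, so it cannot distinguish an SELinux denial from a broken fixture and would pass vacuously. Pin the expected outcome instead, e.g. have the helper exit with a distinct status for the ioctl failure and check `ok( $result >> 8 == $expected_status );`. The start-up handshake is weaker than it looks: `open( my $f, "<", "$basedir/flag" )` on a FIFO blocks until the writer opens it, so the 5-second `select` never bounds the wait, and neither `mkfifo` nor `open` is checked for failure. The child's `while :; do :; done` also spins a CPU for the whole test; a `sleep` loop would be sufficient to keep the pid alive.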
--
2.52.0