From: danieldurning.work@gmail.com
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, stephen.smalley.work@gmail.com, omosnace@redhat.com
Subject: [PATCH testsuite] Add tests for pidfds
Date: Fri, 6 Feb 2026 18:36:18 +0000 [thread overview]
Message-ID: <20260206183618.16065-1-danieldurning.work@gmail.com> (raw)
From: Daniel Durning <danieldurning.work@gmail.com>
Added two tests to exercise access controls on pidfd_getinfo(),
as introduced in the corresponding kernel patch.
Link: https://lore.kernel.org/selinux/20260206180248.12418-1-danieldurning.work@gmail.com
Signed-off-by: Daniel Durning <danieldurning.work@gmail.com>
---
policy/Makefile | 2 +-
policy/test_pidfd.te | 30 +++++++++++
tests/Makefile | 2 +-
tests/pidfd/.gitignore | 1 +
tests/pidfd/Makefile | 5 ++
tests/pidfd/pidfd_test.c | 112 +++++++++++++++++++++++++++++++++++++++
tests/pidfd/test | 49 +++++++++++++++++
7 files changed, 199 insertions(+), 2 deletions(-)
create mode 100644 policy/test_pidfd.te
create mode 100644 tests/pidfd/.gitignore
create mode 100644 tests/pidfd/Makefile
create mode 100644 tests/pidfd/pidfd_test.c
create mode 100755 tests/pidfd/test
diff --git a/policy/Makefile b/policy/Makefile
index a43883f..870b45b 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -22,7 +22,7 @@ TARGETS = \
test_entrypoint.te test_execshare.te test_exectrace.te \
test_execute_no_trans.te test_fdreceive.te test_file.te \
test_inherit.te test_ioctl.te test_ipc.te test_link.te test_mkdir.te \
- test_open.te test_ptrace.te test_readlink.te \
+ test_open.te test_ptrace.te test_pidfd.te test_readlink.te \
test_relabel.te test_rename.te test_rxdir.te test_setattr.te \
test_setnice.te test_sigkill.te test_stat.te test_sysctl.te \
test_task_create.te test_task_getpgid.te test_task_getsched.te \
diff --git a/policy/test_pidfd.te b/policy/test_pidfd.te
new file mode 100644
index 0000000..89b3c00
--- /dev/null
+++ b/policy/test_pidfd.te
@@ -0,0 +1,30 @@
+#
+################# pidfd selinux-testsuite policy module ###################
+#
+
+attribute pidfddomain;
+
+################################### Main ##################################
+type test_pidfd_t;
+testsuite_domain_type(test_pidfd_t)
+typeattribute test_pidfd_t pidfddomain;
+
+allow test_pidfd_t self:file read;
+
+############################### Deny fd read ##############################
+type test_pidfd_deny_read_t;
+testsuite_domain_type(test_pidfd_deny_read_t)
+typeattribute test_pidfd_deny_read_t pidfddomain;
+
+allow test_pidfd_deny_read_t self:file read;
+
+############################### Process type ##############################
+type test_pidfd_process_t;
+testsuite_domain_type(test_pidfd_process_t)
+typeattribute test_pidfd_process_t pidfddomain;
+
+# For writing to flag file
+allow test_pidfd_process_t test_file_t:fifo_file rw_file_perms;
+
+# Allow the main domain to read the process info
+allow test_pidfd_t test_pidfd_process_t:file read;
\ No newline at end of file
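Review bot: The `pidfddomain` attribute declared at the top of the module is assigned to all three types but never referenced by any rule, so it is dead policy; either drop it or use it for the shared rules, e.g. replace the two `allow ... self:file read;` lines with a single `allow pidfddomain self:file read;`. The denial this module is meant to test rests on `test_pidfd_deny_read_t` having no rule on `test_pidfd_process_t:file`, which is the case here but is only implicit; a comment above the deny section such as `# Intentionally no read permission on test_pidfd_process_t:file` would state the contract. The file also lacks a trailing newline.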
diff --git a/tests/Makefile b/tests/Makefile
index 6df220c..7cd80f6 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -22,7 +22,7 @@ POL_TYPE := $(shell ./pol_detect $(SELINUXFS))
FILESYSTEMS := $(foreach fs,$(FILESYSTEMS),$(shell modprobe $(fs) > /dev/null 2>&1 && echo $(fs)))
SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
- fdreceive inherit link mkdir msg open ptrace readlink relabel rename \
+ fdreceive inherit link mkdir msg open ptrace pidfd readlink relabel rename \
rxdir sem setattr setnice shm sigkill stat sysctl task_create \
task_setnice task_setscheduler task_getscheduler task_getsid \
task_getpgid task_setpgid file ioctl capable_file capable_net \
diff --git a/tests/pidfd/.gitignore b/tests/pidfd/.gitignore
new file mode 100644
index 0000000..42604c5
--- /dev/null
+++ b/tests/pidfd/.gitignore
@@ -0,0 +1 @@
+pidfd_test
\ No newline at end of file
diff --git a/tests/pidfd/Makefile b/tests/pidfd/Makefile
new file mode 100644
index 0000000..d4d3d48
--- /dev/null
+++ b/tests/pidfd/Makefile
@@ -0,0 +1,5 @@
+TARGETS = pidfd_test
+
+all: $(TARGETS)
+clean:
+ rm -f $(TARGETS) flag
diff --git a/tests/pidfd/pidfd_test.c b/tests/pidfd/pidfd_test.c
new file mode 100644
index 0000000..b937a5d
--- /dev/null
+++ b/tests/pidfd/pidfd_test.c
@@ -0,0 +1,112 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+#include <linux/pidfd.h>
+
+#ifndef PIDFD_GET_INFO
+#include <stdint.h>
+
+struct pidfd_info {
+ uint64_t mask;
+ uint64_t cgroupid;
+ uint32_t pid;
+ uint32_t tgid;
+ uint32_t ppid;
+ uint32_t ruid;
+ uint32_t rgid;
+ uint32_t euid;
+ uint32_t egid;
+ uint32_t suid;
+ uint32_t sgid;
+ uint32_t fsuid;
+ uint32_t fsgid;
+ uint32_t spare0[1];
+};
+
+#define PIDFD_GET_INFO _IOWR(PIDFS_IOCTL_MAGIC, 11, struct pidfd_info)
+#endif
+
+enum pidfd_op_types {
+ GET_INFO = 1
+};
+
+static int pidfd_open(pid_t pid, unsigned int flags)
+{
+ return syscall(SYS_pidfd_open, pid, flags);
+}
+
+int getinfo(int pidfd)
+{
+ struct pidfd_info info;
+
+ return ioctl(pidfd, PIDFD_GET_INFO, &info);
+}
+
+static void usage(char *argv[])
+{
+ fprintf(stderr,
+ "Usage: %s -i [-v] <pid>\n"
+ "Where:\n\t"
+ "-i Attempt pidfd_getinfo.\n\t"
+ "-v Print information.\n", argv[0]);
+ exit(-1);
+}
+
+int main(int argc, char *argv[])
+{
+ int pid, pidfd, ret = 0, opt, verbose = 0;
+ char *addr = NULL;
+ enum pidfd_op_types op = 0;
+
+ while ((opt = getopt(argc, argv, "vi")) != -1) {
+ switch (opt) {
+ case 'v':
+ verbose = 1;
+ break;
+ case 'i':
+ op = GET_INFO;
+ break;
+ case '?':
+ usage(argv);
+ break;
+ default:
+ exit(-1);
+ }
+ }
+
+ if (argc < 3)
+ usage(argv);
+
+ pid = atoi(argv[optind]);
+
+ ret = pidfd_open(pid, 0);
+ if (ret < 0) {
+ perror("pidfd_open");
+ goto out;
+ }
+ pidfd = ret;
+
+ switch (op) {
+ case GET_INFO:
+ if (verbose)
+ printf("Attempting to get info from pidfd...\n");
+ ret = getinfo(pidfd);
+ if (verbose) {
+ if (ret)
+ printf("Pidfd get info failed\n");
+ else
+ printf("Got info successfully\n");
+ }
+ break;
+ default:
+ exit(-1);
+ }
+
+out:
+ close(pidfd);
+ return ret;
+}
\ No newline at end of file
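Review bot: `pidfd` in `main` is read uninitialized on the `pidfd_open` failure path: `goto out` reaches `close(pidfd)` before `pidfd` has been assigned, so an arbitrary descriptor value is closed; initialise it with `int pid, pidfd = -1, ret = 0, opt, verbose = 0;` so the cleanup only fails with EBADF. The same pattern is in `getinfo`, where `info.mask` is handed to `PIDFD_GET_INFO` without ever being set, so the field mask requested from the kernel is stack garbage; `struct pidfd_info info = { 0 };` makes the request deterministic. The `argc < 3` check does not guarantee `argv[optind]` exists (`pidfd_test -v -i` passes it and then calls `atoi(NULL)`); `if (optind >= argc)` is the check that matches how getopt is used here. `addr` is unused and `getinfo` should be `static` like `pidfd_open`; note also that when the `#ifndef PIDFD_GET_INFO` fallback is taken on older headers, `PIDFS_IOCTL_MAGIC` may be missing as well, in which case the fallback does not compile.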
diff --git a/tests/pidfd/test b/tests/pidfd/test
new file mode 100755
index 0000000..3585a57
--- /dev/null
+++ b/tests/pidfd/test
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+use Test::More;
+
+BEGIN {
+ plan tests => 2;
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ # Allow info to be shown during tests
+ $v = $ARGV[0];
+ if ($v) {
+ if ( $v ne "-v" ) {
+ plan skip_all => "Invalid option (use -v)";
+ }
+ }
+ else {
+ $v = " ";
+ }
+}
+
+# Create child process with process test type
+system("mkfifo $basedir/flag");
+if ( ( $pid = fork() ) == 0 ) {
+ exec
+"exec runcon -t test_pidfd_process_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exit;
+}
+
+# Wait for it to start
+open( my $f, "<", "$basedir/flag" );
+my $rin = '';
+vec( $rin, fileno($f), 1 ) = 1;
+select( $rin, undef, undef, 5 );
+close($f);
+
+# Test that process info read is allowed under default type
+$result = system "runcon -t test_pidfd_t $basedir/pidfd_test $v -i $pid";
+ok( $result eq 0 );
+
+# Test that process info read is denied under deny type
+$result = system "runcon -t test_pidfd_deny_read_t $basedir/pidfd_test $v -i $pid";
+ok($result);
+
+# Clean up
+kill KILL, $pid;
+system "rm -f $basedir/flag";
+
+exit;
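Review bot: The 5-second `select` on the flag FIFO does not bound the wait, because `open( my $f, "<", "$basedir/flag" )` on a FIFO already blocks until the child opens it for writing; if `runcon` or the child fails to start, the test hangs there instead of failing. Opening non-blocking gives the timeout meaning: add `use Fcntl;` at the top and replace the `open` with `sysopen( my $f, "$basedir/flag", O_RDONLY | O_NONBLOCK ) or die "open flag: $!";`, keeping the `select` as is. `ok( $result eq 0 )` compares the numeric exit status as a string; `ok( $result == 0 )` is the conventional form and matches the numeric `ok($result)` used for the deny case. The `mkfifo` return value is also unchecked; `system("mkfifo $basedir/flag") == 0 or die "mkfifo: $!";` keeps a setup failure from surfacing only as a hang.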
--
2.52.0