[LTP] [PATCH v2 1/1] fanotify14: fix anonymous pipe testcases

Jan Kara jack@suse.cz
Wed Mar 13 17:47:39 CET 2024 

On Wed 13-03-24 08:26:23, Petr Vorel wrote:
> Hi all,
> ...
> 
> > >  static void do_test(unsigned int number)
> > >  {
> > >         struct test_case_t *tc = &test_cases[number];
> > > @@ -275,17 +290,28 @@ static void do_test(unsigned int number)
> > >         /* Set mark on non-dir only when expecting error ENOTDIR */
> > >         const char *path = tc->expected_errno == ENOTDIR ? FILE1 : MNTPOINT;
> > >         int dirfd = AT_FDCWD;
> > > +       int se_enforcing = 0;
> 
> > >         if (tc->pfd) {
> > >                 dirfd = tc->pfd[0];
> > >                 path = NULL;
> > > +               se_enforcing = is_selinux_enforcing();
> nit: this check should be in the setup function to be done only once.
> (by default it's done twice, because we have 2 testcases with pfd, we support
> -iN parameter, thus it's actually 2*N.). I'll fix it before merge.
> > >         }
> 
> > >         tst_res(TINFO, "Testing %s with %s",
> > >                 tc->mark.desc, tc->mask.desc);
> > > -       TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> > > -                                        tc->mask.flags, dirfd, path),
> > > -                                        tc->expected_errno);
> > > +
> > > +       if (tc->pfd && se_enforcing) {
> > > +               const int exp_errs[] = {tc->expected_errno, EACCES};
> > > +
> > > +               TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> > > +                                tc->mask.flags, dirfd, path),
> > > +                                exp_errs);
> > > +       } else {
> > > +               TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> > > +                                                tc->mask.flags, dirfd, path),
> > > +                                                tc->expected_errno);
> > > +       }
> 
> 
> > This looks fine to me, but on second thought I am not sure how important
> > it is to special case se_enforcing.
> > We could probably always check for either error value.
> 
> I don't mind explicitly testing EACCES with SELinux. @Jan WDYT?
> 
> With a diff below (I can change it before merge + I would do the following work
> to integrate this into the LTP C API):
> Reviewed-by: Petr Vorel <pvorel@suse.cz>

Yes, looks fine to me as well. I don't feel strongly whether we should
accept EACCESS unconditionally or only with SELinux. I suspect eventually
we might need to accept it unconditionally as there may be other security
modules that would block addition of the mark. But let's see what the
future brings. So feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

More information about the ltp mailing list