<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">Hi Erico,</div></div><div><br></div><div><div class="gmail_default" style="font-size:small">Thanks for working on this fix. Comments as below:</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 21, 2020 at 3:50 AM Erico Nunes <<a href="mailto:ernunes@redhat.com">ernunes@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Some syscalls are not available if the kernel is booted using the<br>
'lockdown' feature. That can cause some tests to report fail, showing<br>
a message like:<br>
<br>
Lockdown: iopl01: iopl is restricted; see man kernel_lockdown.7<br>
<br>
This patch adds a function that can be used by tests to check for this<br>
case, so tests can be skipped rather than reporting a test failure.<br>
<br>
Signed-off-by: Erico Nunes <<a href="mailto:ernunes@redhat.com" target="_blank">ernunes@redhat.com</a>><br>
---<br>
include/tst_lockdown.h | 8 ++++++++<br>
include/tst_test.h | 1 +<br>
lib/tst_lockdown.c | 28 ++++++++++++++++++++++++++++<br>
3 files changed, 37 insertions(+)<br>
create mode 100644 include/tst_lockdown.h<br>
create mode 100644 lib/tst_lockdown.c<br>
<br>
diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h<br>
new file mode 100644<br>
index 000000000..8db26d943<br>
--- /dev/null<br>
+++ b/include/tst_lockdown.h<br>
@@ -0,0 +1,8 @@<br>
+// SPDX-License-Identifier: GPL-2.0-or-later<br>
+<br>
+#ifndef TST_LOCKDOWN_H<br>
+#define TST_LOCKDOWN_H<br>
+<br>
+void tst_lockdown_skip(void);<br>
+<br>
+#endif /* TST_LOCKDOWN_H */<br>
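</blockquote><div>Review bot: the prototype of tst_lockdown_skip() in the new header has no comment describing its contract. Callers need to know that it ends the test with TCONF when the kernel is locked down and returns silently when /sys/kernel/security/lockdown does not exist; a short comment above the declaration stating both would do.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">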
diff --git a/include/tst_test.h b/include/tst_test.h<br>
index b84f7b9dd..b02de4597 100644<br>
--- a/include/tst_test.h<br>
+++ b/include/tst_test.h<br>
@@ -40,6 +40,7 @@<br>
#include "tst_hugepage.h"<br>
#include "tst_assert.h"<br>
#include "tst_cgroup.h"<br>
+#include "tst_lockdown.h"<br>
<br>
/*<br>
* Reports testcase result.<br>
diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c<br>
new file mode 100644<br>
index 000000000..d57a6bdf3<br>
--- /dev/null<br>
+++ b/lib/tst_lockdown.c<br>
@@ -0,0 +1,28 @@<br>
+// SPDX-License-Identifier: GPL-2.0-or-later<br>
+<br>
+#define TST_NO_DEFAULT_MAIN<br>
+<br>
+#include <stdio.h><br>
+#include <stdlib.h><br>
+#include <sys/mount.h><br>
+<br>
+#include "tst_test.h"<br>
+#include "tst_safe_macros.h"<br>
+#include "tst_safe_stdio.h"<br>
+#include "tst_lockdown.h"<br>
+<br>
+void tst_lockdown_skip(void)<br></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">Maybe renaming the function to tst_lockdown_enabled() is better? Then we can return 1 if we confirm the kernel is under lockdown mode, otherwise 0.</div></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
+{<br>
+ char line[BUFSIZ];<br>
+ FILE *file;<br>
+<br>
+ if (access("/sys/kernel/security/lockdown", F_OK) != 0)<br></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">After thinking it over, I guess it's not enough to only check the /sys/../lockdown file. It seems we need to consider the situation where the system does not support this file? </div></div><div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">i.e. </div><div class="gmail_default" style="font-size:small"> Tested on RHEL8 (no /sys/../lockdown file) with the kernel parameter "lockdown" and got the restriction error too.</div><br></div><div><div class="gmail_default" style="font-size:small"># cat /proc/cmdline </div>BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-226.el8.x86_64 root=/dev/mapper/rhel_bootp--73--3--209-root ro console=ttyS0,115200 <span class="gmail_default" style="font-size:small">...</span> lockdown<br> <br></div><div># ll /sys/kernel/security/lockdown<br>ls: cannot access '/sys/kernel/security/lockdown': No such file or directory</div><div><br><div class="gmail_default" style="font-size:small"># ./iopl01 </div><span class="gmail_default" style="font-size:small">...</span><br>iopl01.c:37: FAIL: iopl() failed for level 1, errno=1 : EPERM: EPERM (1)<br>iopl01.c:37: FAIL: iopl() failed for level 2, errno=1 : EPERM: EPERM (1)<br><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
+ return;<br>
+<br>
+ file = SAFE_FOPEN("/sys/kernel/security/lockdown", "r");<br>
+ fgets(line, sizeof(line), file);<br>
+ SAFE_FCLOSE(file);<br>
+<br>
+ if (strstr(line, "[none]") == NULL)<br>
+ tst_brk(TCONF, "Kernel is locked down, skip this test.");<br>
+}<br>
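</blockquote><div>Review bot: the return value of fgets() in tst_lockdown_skip() is not checked, so if the read fails or the file is empty, strstr(line, "[none]") runs on the uninitialised line buffer and the test can be skipped with TCONF by accident. Test fgets() for NULL before the strstr() call and report that case separately. The function also calls access() and strstr() while the system headers included here are only stdio.h, stdlib.h and sys/mount.h; include unistd.h and string.h directly rather than relying on tst_test.h to pull them in, and drop sys/mount.h if nothing in this file needs it.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">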
-- <br>
2.26.2<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Regards,<br></div><div>Li Wang<br></div></div></div></div>
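<div>Added example, not part of the original message or the LTP patch: one way to decide the lockdown state when /sys/kernel/security/lockdown may be absent, as in the RHEL8 case reported above. It assumes the sysfs file marks the active mode in brackets (the patch tests for "[none]") and that a "lockdown" token on the kernel command line means lockdown is on; the function names and result codes are hypothetical.</div>

```c
#include <string.h>

/* Hypothetical result codes for this example. */
enum { LOCKDOWN_UNKNOWN = -1, LOCKDOWN_OFF = 0, LOCKDOWN_ON = 1 };

/* Copy the bracketed (active) mode from the sysfs text into out; 0 on success. */
static int active_mode(const char *sysfs, char *out, size_t len)
{
	const char *l = strchr(sysfs, '[');
	const char *r = l ? strchr(l, ']') : NULL;

	if (!r || (size_t)(r - l - 1) >= len)
		return -1;
	memcpy(out, l + 1, (size_t)(r - l - 1));
	out[r - l - 1] = '\0';
	return 0;
}

/* Assumption: a whole token "lockdown" or "lockdown=..." means lockdown is on. */
static int cmdline_has_lockdown(const char *cmdline)
{
	for (const char *p = cmdline; (p = strstr(p, "lockdown")); p += 8) {
		/* strchr() also matches the terminating NUL, i.e. end of string. */
		if ((p == cmdline || p[-1] == ' ') && strchr(" =\n", p[8]))
			return 1;
	}
	return 0;
}

/* sysfs is the file's text, or NULL when the file does not exist. */
static int lockdown_state(const char *sysfs, const char *cmdline)
{
	char mode[32];

	if (sysfs) {
		if (active_mode(sysfs, mode, sizeof(mode)) != 0)
			return LOCKDOWN_UNKNOWN;
		return strcmp(mode, "none") ? LOCKDOWN_ON : LOCKDOWN_OFF;
	}
	if (cmdline && cmdline_has_lockdown(cmdline))
		return LOCKDOWN_ON;
	return LOCKDOWN_UNKNOWN; /* no file and no token: cannot tell */
}

int main(void)
{
	/* Constructed input: no sysfs file, "lockdown" on the command line. */
	return lockdown_state(NULL, "root=/dev/sda1 ro lockdown") != LOCKDOWN_ON;
}
```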