[LTP] [PATCH v2 1/1] fanotify14: fix anonymous pipe testcases
Amir Goldstein
amir73il@gmail.com
Tue Mar 12 16:00:38 CET 2024
On Tue, Mar 12, 2024 at 2:09 PM Mete Durlu <meted@linux.ibm.com> wrote:
>
> When SELinux is in enforcing state and SEpolicies disallow anonymous
> pipe usage with fanotify_mark(), related fanotify14 testcases fail with
> EACCES instead of EINVAL. Accept both errnos when SELinux is in
> enforcing state to correctly evaluate test results.
>
> Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing
> fanotify_mark() as it returns -1 on failure and 0 on success, not a file
> descriptor.
>
> Signed-off-by: Mete Durlu <meted@linux.ibm.com>
> ---
> .../kernel/syscalls/fanotify/fanotify14.c | 32 +++++++++++++++++--
> 1 file changed, 29 insertions(+), 3 deletions(-)
>
> diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c
> index d02d81495..52c327dff 100644
> --- a/testcases/kernel/syscalls/fanotify/fanotify14.c
> +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c
> @@ -27,12 +27,14 @@
> #define _GNU_SOURCE
> #include "tst_test.h"
> #include <errno.h>
> +#include <stdlib.h>
>
> #ifdef HAVE_SYS_FANOTIFY_H
> #include "fanotify.h"
>
> #define MNTPOINT "mntpoint"
> #define FILE1 MNTPOINT"/file1"
> +#define SELINUX_STATUS_PATH "/sys/fs/selinux/enforce"
>
> /*
> * List of inode events that are only available when notification group is
> @@ -240,6 +242,19 @@ static struct test_case_t {
> },
> };
>
> +static int is_selinux_enforcing(void)
> +{
> + char res;
> + int fd;
> +
> + fd = open(SELINUX_STATUS_PATH, O_RDONLY);
> + if (fd <= 0)
> + return 0;
> + SAFE_READ(1, fd, &res, 1);
> + SAFE_CLOSE(fd);
> + return atoi(&res);
> +}
> +
> static void do_test(unsigned int number)
> {
> struct test_case_t *tc = &test_cases[number];
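Review bot: in is_selinux_enforcing(), atoi(&res) is handed a pointer to a single char with no NUL terminator, so atoi can read past res on the stack. Comparing the byte directly, for example return res == '1';, avoids that and makes the new <stdlib.h> include unnecessary. The fd <= 0 check also treats descriptor 0 as a failure and returns without closing it; open() reports failure with -1, so fd < 0 is the right test.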
> @@ -275,17 +290,28 @@ static void do_test(unsigned int number)
> /* Set mark on non-dir only when expecting error ENOTDIR */
> const char *path = tc->expected_errno == ENOTDIR ? FILE1 : MNTPOINT;
> int dirfd = AT_FDCWD;
> + int se_enforcing = 0;
>
> if (tc->pfd) {
> dirfd = tc->pfd[0];
> path = NULL;
> + se_enforcing = is_selinux_enforcing();
> }
>
> tst_res(TINFO, "Testing %s with %s",
> tc->mark.desc, tc->mask.desc);
> - TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> - tc->mask.flags, dirfd, path),
> - tc->expected_errno);
> +
> + if (tc->pfd && se_enforcing) {
> + const int exp_errs[] = {tc->expected_errno, EACCES};
> +
> + TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> + tc->mask.flags, dirfd, path),
> + exp_errs);
> + } else {
> + TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> + tc->mask.flags, dirfd, path),
> + tc->expected_errno);
> + }
>
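Review bot: the condition tc->pfd && se_enforcing in do_test() repeats a check that is already implied, because se_enforcing starts at 0 and is only assigned inside the if (tc->pfd) block above, so if (se_enforcing) is sufficient. A short comment on the exp_errs branch stating that SELinux policy can reject the mark on an anonymous pipe with EACCES would document why two errnos are accepted there. The enforce file is also re-read for every pipe test case; reading it once and reusing the result would be enough.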
This looks fine to me, but on second thought I am not sure how important
it is to special case se_enforcing.
We could probably always check for either error value.
Let's see what Jan and Petr think.
Thanks,
Amir.