* [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Petr Vorel @ 2024-03-20 6:32 UTC
To: ltp; +Cc: Mete Durlu
Co-developed-by: Mete Durlu <meted@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Hi,
@Li, Cyril:
1) I guess we want to distinguish EACCES for SELinux enforcing, right?
If not, this commit would be dropped and second commit would just use
const int exp_errs[] = {tc->expected_errno, EACCES};
TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
tc->mask.flags, dirfd, path),
exp_errs);
2) Some time ago I proposed to merge some lib/*.c files, not
just have so many files with single functions in the library. E.g.
lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
into lib/tst_security.c. Or do we want to have these separate?
When I proposed this, I wanted to merge files, which have the same name
as the single function in the file (e.g. tst_dir_is_empty.c,
tst_path_has_mnt_flags.c), having them as single file does not help much
with searching for the content.
Kind regards,
Petr
include/tst_selinux.h | 10 ++++++++++
lib/tst_selinux.c | 25 +++++++++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 include/tst_selinux.h
create mode 100644 lib/tst_selinux.c
diff --git a/include/tst_selinux.h b/include/tst_selinux.h
new file mode 100644
index 000000000..18bbcff21
--- /dev/null
+++ b/include/tst_selinux.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later
+ * Copyright (c) Linux Test Project, 2024
+ */
+
+#ifndef TST_SELINUX_H__
+#define TST_SELINUX_H__
+
+int tst_selinux_enforcing(void);
+
+#endif /* TST_SELINUX_H__ */
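Review bot: the prototype of tst_selinux_enforcing() in include/tst_selinux.h has no documentation comment, and the return contract is not obvious from the name. The implementation in lib/tst_selinux.c returns 0 both when /sys/fs/selinux/enforce does not exist and when it reads 0, so a short comment above the prototype should say that the result is non-zero only in enforcing mode and 0 for permissive mode or when SELinux is not available.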
diff --git a/lib/tst_selinux.c b/lib/tst_selinux.c
new file mode 100644
index 000000000..2219b85d4
--- /dev/null
+++ b/lib/tst_selinux.c
@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) Linux Test Project, 2024
+ */
+
+#define TST_NO_DEFAULT_MAIN
+
+#define SELINUX_STATUS_PATH "/sys/fs/selinux/enforce"
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include "tst_test.h"
+#include "tst_selinux.h"
+
+int tst_selinux_enforcing(void)
+{
+ int res = 0;
+
+ if (access(SELINUX_STATUS_PATH, F_OK) == 0)
+ SAFE_FILE_SCANF(SELINUX_STATUS_PATH, "%d", &res);
+
+ tst_res(TINFO, "SELinux enforcing: %s", res ? "on" : "off");
+
+ return res;
+}
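Review bot: tst_selinux_enforcing() calls access(), which is declared in <unistd.h>, but the file includes only <fcntl.h> and <stdlib.h> directly, and nothing visible here uses <stdlib.h>. Include <unistd.h> explicitly and drop <stdlib.h> so the file does not depend on what "tst_test.h" happens to pull in. Separately, the TINFO line prints "off" both when SELINUX_STATUS_PATH is missing and when it reads 0, so the log cannot tell a system without SELinux from one in permissive mode; a distinct message for the missing-file case would make failures easier to triage.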
--
2.43.0
--
Mailing list info: https://lists.linux.it/listinfo/ltp
* [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases
From: Petr Vorel @ 2024-03-20 6:32 UTC
To: ltp; +Cc: Jan Kara, Mete Durlu
From: Mete Durlu <meted@linux.ibm.com>
When SELinux is in enforcing state and SEpolicies disallow anonymous
pipe usage with fanotify_mark(), related fanotify14 testcases fail with
EACCES instead of EINVAL. Accept both errnos when SELinux is in
enforcing state to correctly evaluate test results.
Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing
fanotify_mark() as it returns -1 on failure and 0 on success, not a file
descriptor.
Co-developed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mete Durlu <meted@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Hi,
this is a replacement of Mete's v2 fanotify14: fix anonymous pipe testcases:
https://lore.kernel.org/ltp/20240312120829.178305-2-meted@linux.ibm.com/
Kind regards,
Petr
.../kernel/syscalls/fanotify/fanotify14.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c
index d02d81495..b554af22a 100644
--- a/testcases/kernel/syscalls/fanotify/fanotify14.c
+++ b/testcases/kernel/syscalls/fanotify/fanotify14.c
@@ -30,6 +30,7 @@
#ifdef HAVE_SYS_FANOTIFY_H
#include "fanotify.h"
+#include "tst_selinux.h"
#define MNTPOINT "mntpoint"
#define FILE1 MNTPOINT"/file1"
@@ -47,6 +48,7 @@ static int pipes[2] = {-1, -1};
static int fanotify_fd;
static int ignore_mark_unsupported;
static int filesystem_mark_unsupported;
+static int se_enforcing;
static unsigned int supported_init_flags;
struct test_case_flags_t {
@@ -283,9 +285,18 @@ static void do_test(unsigned int number)
tst_res(TINFO, "Testing %s with %s",
tc->mark.desc, tc->mask.desc);
- TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
- tc->mask.flags, dirfd, path),
- tc->expected_errno);
+
+ if (tc->pfd && se_enforcing) {
+ const int exp_errs[] = {tc->expected_errno, EACCES};
+
+ TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
+ tc->mask.flags, dirfd, path),
+ exp_errs);
+ } else {
+ TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
+ tc->mask.flags, dirfd, path),
+ tc->expected_errno);
+ }
/*
* ENOTDIR are errors for events/flags not allowed on a non-dir inode.
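Review bot: the new branch on tc->pfd && se_enforcing in do_test() accepts EACCES with no code comment saying why; the reason (SELinux policy may disallow fanotify_mark() on anonymous pipes) is recorded only in the commit message. Add a one-line comment above the branch so the extra errno is not later read as an accidentally loosened check. Note also that in enforcing mode the pipe cases now pass on either errno, so on such systems the test no longer verifies that tc->expected_errno is what the kernel returns when policy does not deny the call.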
@@ -334,6 +345,8 @@ static void do_setup(void)
SAFE_FILE_PRINTF(FILE1, "0");
/* Create anonymous pipes to place marks on */
SAFE_PIPE2(pipes, O_CLOEXEC);
+
+ se_enforcing = tst_selinux_enforcing();
}
static void do_cleanup(void)
--
2.43.0
* Re: [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases
From: Amir Goldstein @ 2024-03-20 6:59 UTC
To: Petr Vorel; +Cc: Mete Durlu, Jan Kara, ltp
On Wed, Mar 20, 2024 at 8:32 AM Petr Vorel <pvorel@suse.cz> wrote:
>
> From: Mete Durlu <meted@linux.ibm.com>
>
> When SELinux is in enforcing state and SEpolicies disallow anonymous
> pipe usage with fanotify_mark(), related fanotify14 testcases fail with
> EACCES instead of EINVAL. Accept both errnos when SELinux is in
> enforcing state to correctly evaluate test results.
>
> Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing
> fanotify_mark() as it returns -1 on failure and 0 on success, not a file
> descriptor.
>
> Co-developed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Mete Durlu <meted@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
> ---
> Hi,
>
> this is a replacement of Mete's v2 fanotify14: fix anonymous pipe testcases:
> https://lore.kernel.org/ltp/20240312120829.178305-2-meted@linux.ibm.com/
>
> Kind regards,
> Petr
>
> .../kernel/syscalls/fanotify/fanotify14.c | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c
> index d02d81495..b554af22a 100644
> --- a/testcases/kernel/syscalls/fanotify/fanotify14.c
> +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c
> @@ -30,6 +30,7 @@
>
> #ifdef HAVE_SYS_FANOTIFY_H
> #include "fanotify.h"
> +#include "tst_selinux.h"
>
> #define MNTPOINT "mntpoint"
> #define FILE1 MNTPOINT"/file1"
> @@ -47,6 +48,7 @@ static int pipes[2] = {-1, -1};
> static int fanotify_fd;
> static int ignore_mark_unsupported;
> static int filesystem_mark_unsupported;
> +static int se_enforcing;
> static unsigned int supported_init_flags;
>
> struct test_case_flags_t {
> @@ -283,9 +285,18 @@ static void do_test(unsigned int number)
>
> tst_res(TINFO, "Testing %s with %s",
> tc->mark.desc, tc->mask.desc);
> - TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> - tc->mask.flags, dirfd, path),
> - tc->expected_errno);
> +
> + if (tc->pfd && se_enforcing) {
> + const int exp_errs[] = {tc->expected_errno, EACCES};
> +
> + TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> + tc->mask.flags, dirfd, path),
> + exp_errs);
> + } else {
> + TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> + tc->mask.flags, dirfd, path),
> + tc->expected_errno);
> + }
>
> /*
> * ENOTDIR are errors for events/flags not allowed on a non-dir inode.
> @@ -334,6 +345,8 @@ static void do_setup(void)
> SAFE_FILE_PRINTF(FILE1, "0");
> /* Create anonymous pipes to place marks on */
> SAFE_PIPE2(pipes, O_CLOEXEC);
> +
> + se_enforcing = tst_selinux_enforcing();
> }
>
> static void do_cleanup(void)
> --
> 2.43.0
>
* Re: [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Li Wang @ 2024-03-20 7:31 UTC
To: Petr Vorel; +Cc: Mete Durlu, ltp
Hi Petr,
On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
> Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
>
This patch is doing the same work as security_getenforce(), which is provided
by 'selinux/selinux.h', but it is still worth having it because we do not
want ltp to have many extra dependencies (e.g. libselinux-devel).
Reviewed-by: Li Wang <liwang@redhat.com>
> ---
> Hi,
>
> @Li, Cyril:
> 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> If not, this commit would be dropped and second commit would just use
>
> const int exp_errs[] = {tc->expected_errno, EACCES};
>
> TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> tc->mark.flags,
> tc->mask.flags, dirfd, path),
> exp_errs);
>
> 2) Some time ago I proposed to merge some lib/*.c files, not
> just have so many files with single functions in the library. E.g.
> lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> into lib/tst_security.c. Or do we want to have these separate?
>
I think the answer is Yes. There are more and more lib/*.c files with
some trivial features, which bring troubles for reading/managing the
library. It is necessary to archive and merge the same thing.
>
> When I proposed this, I wanted to merge files, which have the same name
> as the single function in the file (e.g. tst_dir_is_empty.c,
> tst_path_has_mnt_flags.c), having them as single file does not help much
> with searching for the content.
>
+1
And the most important is we need to give a good name for the
achieved header file.
--
Regards,
Li Wang
* Re: [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Petr Vorel @ 2024-03-20 7:56 UTC
To: Li Wang; +Cc: Mete Durlu, ltp
Hi Li, all,
> Hi Petr,
> On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
> > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> This patch is doing the same work as security_getenforce(), which is provided
> by 'selinux/selinux.h', but it is still worth having it because we do not
> want ltp to have many extra dependencies (e.g. libselinux-devel).
+1
> Reviewed-by: Li Wang <liwang@redhat.com>
Thanks!
> > ---
> > Hi,
> > @Li, Cyril:
> > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > If not, this commit would be dropped and second commit would just use
> > const int exp_errs[] = {tc->expected_errno, EACCES};
> > TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > tc->mark.flags,
> > tc->mask.flags, dirfd, path),
> > exp_errs);
> > 2) Some time ago I proposed to merge some lib/*.c files, not
> > just have so many files with single functions in the library. E.g.
> > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > into lib/tst_security.c. Or do we want to have these separate?
> I think the answer is Yes. There are more and more lib/*.c files with
I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.
I'm not sure myself (quite separate things, although they are all "security"),
what bothers me more are these tst_dir_is_empty.c, tst_path_has_mnt_flags.c
files.
> some trivial features, which bring troubles for reading/managing the
> library. It is necessary to archive and merge the same thing.
> > When I proposed this, I wanted to merge files, which have the same name
> > as the single function in the file (e.g. tst_dir_is_empty.c,
> > tst_path_has_mnt_flags.c), having them as single file does not help much
> > with searching for the content.
> +1
> And the most important is we need to give a good name for the
> achieved header file.
+1
Kind regards,
Petr
* Re: [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Li Wang @ 2024-03-20 8:04 UTC
To: Petr Vorel; +Cc: Mete Durlu, ltp
On Wed, Mar 20, 2024 at 3:56 PM Petr Vorel <pvorel@suse.cz> wrote:
> Hi Li, all,
>
> > Hi Petr,
>
> > On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
>
> > > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > > Signed-off-by: Petr Vorel <pvorel@suse.cz>
>
>
> > This patch is doing the same work as security_getenforce(), which is provided
> > by 'selinux/selinux.h', but it is still worth having it because we do not
> > want ltp to have many extra dependencies (e.g. libselinux-devel).
>
> +1
>
> > Reviewed-by: Li Wang <liwang@redhat.com>
>
> Thanks!
>
> > > ---
> > > Hi,
>
> > > @Li, Cyril:
> > > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > > If not, this commit would be dropped and second commit would just use
>
> > > const int exp_errs[] = {tc->expected_errno, EACCES};
>
> > > TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > > tc->mark.flags,
> > > tc->mask.flags, dirfd, path),
> > > exp_errs);
>
> > > 2) Some time ago I proposed to merge some lib/*.c files, not
> > > just have so many files with single functions in the library. E.g.
> > > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > > into lib/tst_security.c. Or do we want to have these separate?
>
>
> > I think the answer is Yes. There are more and more lib/*.c files with
>
> I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.
>
Ohh, sorry, I don't mean that. More separate (boring!!!) files should be
avoided.
I think I should step away from the keyboard now, watching too much screen
time makes me foolish :).
--
Regards,
Li Wang
* Re: [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Petr Vorel @ 2024-03-20 8:54 UTC
To: Li Wang; +Cc: Mete Durlu, ltp
> On Wed, Mar 20, 2024 at 3:56 PM Petr Vorel <pvorel@suse.cz> wrote:
> > Hi Li, all,
> > > Hi Petr,
> > > On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
> > > > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > > > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> > > This patch is doing the same work as security_getenforce(), which is provided
> > > by 'selinux/selinux.h', but it is still worth having it because we do not
> > > want ltp to have many extra dependencies (e.g. libselinux-devel).
> > +1
> > > Reviewed-by: Li Wang <liwang@redhat.com>
> > Thanks!
> > > > ---
> > > > Hi,
> > > > @Li, Cyril:
> > > > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > > > If not, this commit would be dropped and second commit would just use
> > > > const int exp_errs[] = {tc->expected_errno, EACCES};
> > > > TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > > > tc->mark.flags,
> > > > tc->mask.flags, dirfd, path),
> > > > exp_errs);
> > > > 2) Some time ago I proposed to merge some lib/*.c files, not
> > > > just have so many files with single functions in the library. E.g.
> > > > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > > > into lib/tst_security.c. Or do we want to have these separate?
> > > I think the answer is Yes. There are more and more lib/*.c files with
> > I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.
> Ohh, sorry, I don't mean that. More separate (boring!!!) files should be
> avoided.
Thanks for the info. I'll send another version, which merges these two files.
I guess we could merge it soon.
Kind regards,
Petr
> I think I should step away from the keyboard now, watching too much screen
> time makes me foolish :).
* Re: [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases
From: Mete Durlu @ 2024-03-20 9:01 UTC
To: Petr Vorel; +Cc: Jan Kara, ltp
On 3/20/24 07:32, Petr Vorel wrote:
> From: Mete Durlu <meted@linux.ibm.com>
>
> When SELinux is in enforcing state and SEpolicies disallow anonymous
> pipe usage with fanotify_mark(), related fanotify14 testcases fail with
> EACCES instead of EINVAL. Accept both errnos when SELinux is in
> enforcing state to correctly evaluate test results.
>
> Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing
> fanotify_mark() as it returns -1 on failure and 0 on success, not a file
> descriptor.
>
> Co-developed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Mete Durlu <meted@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Looks good to me! Thanks for handling this.
> ---
> Hi,
>
> this is a replacement of Mete's v2 fanotify14: fix anonymous pipe testcases:
> https://lore.kernel.org/ltp/20240312120829.178305-2-meted@linux.ibm.com/
>
> Kind regards,
> Petr
>
> .../kernel/syscalls/fanotify/fanotify14.c | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c
> index d02d81495..b554af22a 100644
> --- a/testcases/kernel/syscalls/fanotify/fanotify14.c
> +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c
> @@ -30,6 +30,7 @@
>
> #ifdef HAVE_SYS_FANOTIFY_H
> #include "fanotify.h"
> +#include "tst_selinux.h"
>
> #define MNTPOINT "mntpoint"
> #define FILE1 MNTPOINT"/file1"
> @@ -47,6 +48,7 @@ static int pipes[2] = {-1, -1};
> static int fanotify_fd;
> static int ignore_mark_unsupported;
> static int filesystem_mark_unsupported;
> +static int se_enforcing;
> static unsigned int supported_init_flags;
>
> struct test_case_flags_t {
> @@ -283,9 +285,18 @@ static void do_test(unsigned int number)
>
> tst_res(TINFO, "Testing %s with %s",
> tc->mark.desc, tc->mask.desc);
> - TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> - tc->mask.flags, dirfd, path),
> - tc->expected_errno);
> +
> + if (tc->pfd && se_enforcing) {
> + const int exp_errs[] = {tc->expected_errno, EACCES};
> +
> + TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> + tc->mask.flags, dirfd, path),
> + exp_errs);
> + } else {
> + TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> + tc->mask.flags, dirfd, path),
> + tc->expected_errno);
> + }
>
> /*
> * ENOTDIR are errors for events/flags not allowed on a non-dir inode.
> @@ -334,6 +345,8 @@ static void do_setup(void)
> SAFE_FILE_PRINTF(FILE1, "0");
> /* Create anonymous pipes to place marks on */
> SAFE_PIPE2(pipes, O_CLOEXEC);
> +
> + se_enforcing = tst_selinux_enforcing();
> }
>
> static void do_cleanup(void)
* Re: [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases
From: Jan Kara @ 2024-03-20 12:11 UTC
To: Petr Vorel; +Cc: Jan Kara, Mete Durlu, ltp
On Wed 20-03-24 07:32:17, Petr Vorel wrote:
> From: Mete Durlu <meted@linux.ibm.com>
>
> When SELinux is in enforcing state and SEpolicies disallow anonymous
> pipe usage with fanotify_mark(), related fanotify14 testcases fail with
> EACCES instead of EINVAL. Accept both errnos when SELinux is in
> enforcing state to correctly evaluate test results.
>
> Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing
> fanotify_mark() as it returns -1 on failure and 0 on success, not a file
> descriptor.
>
> Co-developed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Mete Durlu <meted@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Looks good. Feel free to add:
Reviewed-by: Jan Kara <jack@suse.cz>
Honza
> ---
> Hi,
>
> this is a replacement of Mete's v2 fanotify14: fix anonymous pipe testcases:
> https://lore.kernel.org/ltp/20240312120829.178305-2-meted@linux.ibm.com/
>
> Kind regards,
> Petr
>
> .../kernel/syscalls/fanotify/fanotify14.c | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c
> index d02d81495..b554af22a 100644
> --- a/testcases/kernel/syscalls/fanotify/fanotify14.c
> +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c
> @@ -30,6 +30,7 @@
>
> #ifdef HAVE_SYS_FANOTIFY_H
> #include "fanotify.h"
> +#include "tst_selinux.h"
>
> #define MNTPOINT "mntpoint"
> #define FILE1 MNTPOINT"/file1"
> @@ -47,6 +48,7 @@ static int pipes[2] = {-1, -1};
> static int fanotify_fd;
> static int ignore_mark_unsupported;
> static int filesystem_mark_unsupported;
> +static int se_enforcing;
> static unsigned int supported_init_flags;
>
> struct test_case_flags_t {
> @@ -283,9 +285,18 @@ static void do_test(unsigned int number)
>
> tst_res(TINFO, "Testing %s with %s",
> tc->mark.desc, tc->mask.desc);
> - TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> - tc->mask.flags, dirfd, path),
> - tc->expected_errno);
> +
> + if (tc->pfd && se_enforcing) {
> + const int exp_errs[] = {tc->expected_errno, EACCES};
> +
> + TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> + tc->mask.flags, dirfd, path),
> + exp_errs);
> + } else {
> + TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
> + tc->mask.flags, dirfd, path),
> + tc->expected_errno);
> + }
>
> /*
> * ENOTDIR are errors for events/flags not allowed on a non-dir inode.
> @@ -334,6 +345,8 @@ static void do_setup(void)
> SAFE_FILE_PRINTF(FILE1, "0");
> /* Create anonymous pipes to place marks on */
> SAFE_PIPE2(pipes, O_CLOEXEC);
> +
> + se_enforcing = tst_selinux_enforcing();
> }
>
> static void do_cleanup(void)
> --
> 2.43.0
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR