On Fri, Mar 22, 2024 at 08:48:30AM +0100, Mickaël Salaün wrote: > It might be interesting to create a layout with one file of each type > and use that for the IOCTL tests. To make sure we only restrict the first layer of IOCTL (handled by the VFS) we should check that an IOCTL command that should be handled by a specific filesystem is indeed passed through this filesystem and not blocked by Landlock. Because Landlock would return EACCES, I guess it should be enough to check that we get a ENOTTY for non-block/char devices. We should find an IOCTL command number that has little chance to be taken to avoid updating this test too often.
