Re: [PATCH testsuite] tests/ioctl: Update ioctl tests

On Thu, Feb 24, 2022 at 1:43 PM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
> This change replaces the ioctl check FIOCLEX with FIOQSIZE as the
> kernel will always allow FIOCLEX if policy capability 'ioctl_skip_cloexec'
> is set true.
>
> Also updated policy to test xperm ioctl FIOQSIZE.
>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---
>  policy/test_ioctl_xperms.te | 7 ++++---
>  tests/ioctl/test_ioctl.c    | 4 ++--
>  tests/ioctl/test_noioctl.c  | 4 ++--
>  3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/policy/test_ioctl_xperms.te b/policy/test_ioctl_xperms.te
> index f9bc8d5..5f570c3 100644
> --- a/policy/test_ioctl_xperms.te
> +++ b/policy/test_ioctl_xperms.te
> @@ -1,4 +1,4 @@
> -define(`FIOCLEX', `{ 0x00006601 0x00005451 }')
> +define(`FIOQSIZE', `{ 0x00005460 }')
>
>  # Domain for process that is allowed the required ioctl xperms.
>  type test_ioctl_xperm_t;
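
Review bot: the new `FIOQSIZE` define at the top of the file carries a single command number, while the `FIOCLEX` define it replaces listed two (0x00006601 and 0x00005451). If the second value was there to cover a platform with a different ioctl numbering, the same may apply to FIOQSIZE, and an allowxperm rule built only from 0x00005460 would not match there. Either list the alternate value(s) or add a comment stating that 0x00005460 is the only number the testsuite has to cover.
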
> @@ -7,7 +7,7 @@ unconfined_runs_test(test_ioctl_xperm_t)
>  typeattribute test_ioctl_xperm_t ioctldomain;
>  typeattribute test_ioctl_xperm_t testdomain;
>  allow test_ioctl_xperm_t test_ioctl_file_t:file { open read write ioctl getattr setattr };
> -allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOCLEX;
> +allowxperm test_ioctl_xperm_t test_ioctl_file_t:file ioctl FIOQSIZE;
>
>  # Domain for process that is not allowed the required ioctl xperms.
>  type test_ioctl_noxperm_t;
> @@ -15,4 +15,5 @@ domain_type(test_ioctl_noxperm_t)
>  unconfined_runs_test(test_ioctl_noxperm_t)
>  typeattribute test_ioctl_noxperm_t ioctldomain;
>  typeattribute test_ioctl_noxperm_t testdomain;
> -allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOCLEX;
> +allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };
> +allowxperm test_ioctl_noxperm_t test_ioctl_file_t:file ioctl ~FIOQSIZE;
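
Review bot: the added `allow test_ioctl_noxperm_t test_ioctl_file_t:file { open read getattr setattr ioctl };` rule is not explained in the commit message, and it omits `write`, which the test_ioctl_xperm_t rule earlier in this file grants. The two domains are meant to differ only in the xperm, so if test_noioctl opens the file for writing, a failure in the negative test could come from the missing base permission rather than from the FIOQSIZE xperm. Please add a comment saying why the base allow is needed now and why write is left out, or make the permission sets match.
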
> diff --git a/tests/ioctl/test_ioctl.c b/tests/ioctl/test_ioctl.c
> index 366d09c..6fff2d0 100644
> --- a/tests/ioctl/test_ioctl.c
> +++ b/tests/ioctl/test_ioctl.c
> @@ -35,9 +35,9 @@ int main(int argc, char **argv)
>         }
>
>         /* This one should hit the FILE__IOCTL test */
> -       rc = ioctl(fd, FIOCLEX);
> +       rc = ioctl(fd, FIOQSIZE, &val);
>         if( rc < 0 ) {
> -               perror("test_ioctl:FIOCLEX");
> +               perror("test_ioctl:FIOQSIZE");
>                 exit(1);
>         }
>
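
Review bot: `rc = ioctl(fd, FIOQSIZE, &val);` passes `&val`, but this hunk adds no declaration of `val` and the diffstat shows only the two changed lines in this file, so the call relies on a variable that already exists. FIOQSIZE stores a loff_t through that pointer; please confirm `val` is at least that wide, or declare a dedicated loff_t for this call, since a narrower variable such as an int would be overrun on the stack.
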
> diff --git a/tests/ioctl/test_noioctl.c b/tests/ioctl/test_noioctl.c
> index ddce457..4b67e9a 100644
> --- a/tests/ioctl/test_noioctl.c
> +++ b/tests/ioctl/test_noioctl.c
> @@ -51,9 +51,9 @@ int main(int argc, char **argv)
>         }
>
>         /* This one should hit the FILE__IOCTL test and fail. */
> -       rc = ioctl(fd, FIOCLEX);
> +       rc = ioctl(fd, FIOQSIZE, &val);
>         if( rc == 0 ) {
> -               printf("test_noioctl:FIOCLEX");
> +               printf("test_noioctl:FIOQSIZE");
>                 exit(1);
>         }
>
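
Review bot: the check `if( rc == 0 )` after `rc = ioctl(fd, FIOQSIZE, &val);` treats any failure as the expected denial. FIOCLEX had essentially no failure modes of its own, but FIOQSIZE can fail for reasons unrelated to policy, so this negative test would still pass if the call failed for some other reason. Consider also checking that errno is EACCES. The width of `val` matters here as well, since the call would write through `&val` if it were ever allowed.
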
> --
> 2.35.1
>

Thanks, I merged this with some minor commit message edits:
https://github.com/SELinuxProject/selinux-testsuite/commit/b11701a55614eeb20e85fee9829d1699cc13c39a

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.



