By the way, for extra credit, you could augment the ioctl tests in the selinux-testsuite to also exercise this new hook and confirm that it works correctly. See https://github.com/SELinuxProject/selinux-testsuite, particularly tests/ioctl and policy/test_ioctl.te. Feel free to ask for help on that.
I do like extra credit. I'll take a look and see if it's something I can tackle. I'm primarily doing ad hoc checks on Android devices, so I'm unsure how easy it will be for me to run the suite. I'll get back to you shortly on that.
In response to myself, I unfortunately won't have time to do the testing updates this year. If someone else wants to help, that'd be great! Otherwise, I'll take a look next year after vacation and see if I can take a crack at it. Thanks!