test_dev_cgroup is defined as a standalone test program, and so is not
executed in CI.
Convert it to test_progs framework so it is tested automatically in CI, and
remove the old test. In order to be able to run it in test_progs, /dev/null
must remain usable, so change the new test to test operations on devices
1:3 as valid, and operations on devices 1:5 (/dev/zero) as invalid.
Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
---
Changes in v3:
- delete mknod file only when is has been created
- use bpf_program__attach_cgroup instead of bpf_prog_attach
- reorder subtests
- collect review/ack tags
Changes in v2:
- pass expected return code to subtest function instead of boolean pass/not
pass
- also pass buffer and buffer size for read/write subtests
- fix faulty fd check on read/write tests expected to fail
---
tools/testing/selftests/bpf/.gitignore | 1 -
tools/testing/selftests/bpf/Makefile | 2 -
.../testing/selftests/bpf/prog_tests/cgroup_dev.c | 115 +++++++++++++++++++++
tools/testing/selftests/bpf/test_dev_cgroup.c | 85 ---------------
4 files changed, 115 insertions(+), 88 deletions(-)
diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
index 4e4aae8aa7ec..8f14d8faeb0b 100644
--- a/tools/testing/selftests/bpf/.gitignore
+++ b/tools/testing/selftests/bpf/.gitignore
@@ -9,7 +9,6 @@ test_lpm_map
test_tag
FEATURE-DUMP.libbpf
fixdep
-test_dev_cgroup
/test_progs
/test_progs-no_alu32
/test_progs-bpf_gcc
diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 564e1fdf80b6..bb02a3540d7a 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -69,7 +69,6 @@ endif
# Order correspond to 'make run_tests' order
TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \
- test_dev_cgroup \
test_sock test_sockmap get_cgroup_id_user \
test_cgroup_storage \
test_tcpnotify_user test_sysctl \
@@ -294,7 +293,6 @@ JSON_WRITER := $(OUTPUT)/json_writer.o
CAP_HELPERS := $(OUTPUT)/cap_helpers.o
NETWORK_HELPERS := $(OUTPUT)/network_helpers.o
-$(OUTPUT)/test_dev_cgroup: $(CGROUP_HELPERS) $(TESTING_HELPERS)
$(OUTPUT)/test_skb_cgroup_id_user: $(CGROUP_HELPERS) $(TESTING_HELPERS)
$(OUTPUT)/test_sock: $(CGROUP_HELPERS) $(TESTING_HELPERS)
$(OUTPUT)/test_sockmap: $(CGROUP_HELPERS) $(TESTING_HELPERS)
diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup_dev.c b/tools/testing/selftests/bpf/prog_tests/cgroup_dev.c
new file mode 100644
index 000000000000..62a2ca9a0b94
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/cgroup_dev.c
@@ -0,0 +1,115 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <sys/stat.h>
+#include <sys/sysmacros.h>
+#include "test_progs.h"
+#include "cgroup_helpers.h"
+#include "dev_cgroup.skel.h"
+
+#define TEST_CGROUP "/test-bpf-based-device-cgroup/"
+#define TEST_BUFFER_SIZE 64
+
+static void test_mknod(const char *path, mode_t mode, int dev_major,
+ int dev_minor, int expected_ret)
+{
+ int ret;
+
+ unlink(path);
+ ret = mknod(path, mode, makedev(dev_major, dev_minor));
+ ASSERT_EQ(ret, expected_ret, "mknod");
+ if (!ret)
+ unlink(path);
+}
+
+static void test_read(const char *path, char *buf, int buf_size,
+ int expected_ret)
+{
+ int ret, fd;
+
+ fd = open(path, O_RDONLY);
+
+ /* A bare open on unauthorized device should fail */
+ if (expected_ret < 0) {
+ ASSERT_EQ(fd, expected_ret, "open file for read");
+ if (fd >= 0)
+ close(fd);
+ return;
+ }
+
+ if (!ASSERT_OK_FD(fd, "open file for read"))
+ return;
+
+ ret = read(fd, buf, buf_size);
+ ASSERT_EQ(ret, expected_ret, "read");
+
+ close(fd);
+}
+
+static void test_write(const char *path, char *buf, int buf_size,
+ int expected_ret)
+{
+ int ret, fd;
+
+ fd = open(path, O_WRONLY);
+
+ /* A bare open on unauthorized device should fail */
+ if (expected_ret < 0) {
+ ASSERT_EQ(fd, expected_ret, "open file for write");
+ if (fd >= 0)
+ close(fd);
+ return;
+ }
+
+ if (!ASSERT_OK_FD(fd, "open file for write"))
+ return;
+
+ ret = write(fd, buf, buf_size);
+ ASSERT_EQ(ret, expected_ret, "write");
+
+ close(fd);
+}
+
+void test_cgroup_dev(void)
+{
+ char buf[TEST_BUFFER_SIZE] = "some random test data";
+ struct dev_cgroup *skel;
+ int cgroup_fd;
+
+ cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
+ if (!ASSERT_OK_FD(cgroup_fd, "cgroup switch"))
+ return;
+
+ skel = dev_cgroup__open_and_load();
+ if (!ASSERT_OK_PTR(skel, "load program"))
+ goto cleanup_cgroup;
+
+ skel->links.bpf_prog1 =
+ bpf_program__attach_cgroup(skel->progs.bpf_prog1, cgroup_fd);
+ if (!ASSERT_OK_PTR(skel->links.bpf_prog1, "attach_program"))
+ goto cleanup_progs;
+
+ if (test__start_subtest("allow-mknod"))
+ test_mknod("/dev/test_dev_cgroup_null", S_IFCHR, 1, 3, 0);
+
+ if (test__start_subtest("allow-read"))
+ test_read("/dev/urandom", buf, TEST_BUFFER_SIZE,
+ TEST_BUFFER_SIZE);
+
+ if (test__start_subtest("allow-write"))
+ test_write("/dev/null", buf, TEST_BUFFER_SIZE,
+ TEST_BUFFER_SIZE);
+
+ if (test__start_subtest("deny-mknod"))
+ test_mknod("/dev/test_dev_cgroup_zero", S_IFCHR, 1, 5, -EPERM);
+
+ if (test__start_subtest("deny-read"))
+ test_read("/dev/random", buf, TEST_BUFFER_SIZE, -EPERM);
+
+ if (test__start_subtest("deny-write"))
+ test_write("/dev/zero", buf, TEST_BUFFER_SIZE, -EPERM);
+
+cleanup_progs:
+ dev_cgroup__destroy(skel);
+cleanup_cgroup:
+ cleanup_cgroup_environment();
+}
diff --git a/tools/testing/selftests/bpf/test_dev_cgroup.c b/tools/testing/selftests/bpf/test_dev_cgroup.c
deleted file mode 100644
index 33f544f0005a..000000000000
--- a/tools/testing/selftests/bpf/test_dev_cgroup.c
+++ /dev/null
@@ -1,85 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/* Copyright (c) 2017 Facebook
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-#include <assert.h>
-#include <sys/time.h>
-
-#include <linux/bpf.h>
-#include <bpf/bpf.h>
-#include <bpf/libbpf.h>
-
-#include "cgroup_helpers.h"
-#include "testing_helpers.h"
-
-#define DEV_CGROUP_PROG "./dev_cgroup.bpf.o"
-
-#define TEST_CGROUP "/test-bpf-based-device-cgroup/"
-
-int main(int argc, char **argv)
-{
- struct bpf_object *obj;
- int error = EXIT_FAILURE;
- int prog_fd, cgroup_fd;
- __u32 prog_cnt;
-
- /* Use libbpf 1.0 API mode */
- libbpf_set_strict_mode(LIBBPF_STRICT_ALL);
-
- if (bpf_prog_test_load(DEV_CGROUP_PROG, BPF_PROG_TYPE_CGROUP_DEVICE,
- &obj, &prog_fd)) {
- printf("Failed to load DEV_CGROUP program\n");
- goto out;
- }
-
- cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
- if (cgroup_fd < 0) {
- printf("Failed to create test cgroup\n");
- goto out;
- }
-
- /* Attach bpf program */
- if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) {
- printf("Failed to attach DEV_CGROUP program");
- goto err;
- }
-
- if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL,
- &prog_cnt)) {
- printf("Failed to query attached programs");
- goto err;
- }
-
- /* All operations with /dev/null and /dev/urandom are allowed,
- * everything else is forbidden.
- */
- assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
- assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5"));
- assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
-
- /* /dev/null is whitelisted */
- assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
- assert(system("mknod /tmp/test_dev_cgroup_null c 1 3") == 0);
- assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
-
- assert(system("dd if=/dev/urandom of=/dev/null count=64") == 0);
-
- /* src is allowed, target is forbidden */
- assert(system("dd if=/dev/urandom of=/dev/full count=64"));
-
- /* src is forbidden, target is allowed */
- assert(system("dd if=/dev/random of=/dev/null count=64"));
-
- error = 0;
- printf("test_dev_cgroup:PASS\n");
-
-err:
- cleanup_cgroup_environment();
-
-out:
- return error;
-}
--
2.45.2
On 7/30/24 4:59 AM, Alexis Lothoré (eBPF Foundation) wrote:
> +static void test_read(const char *path, char *buf, int buf_size,
> + int expected_ret)
> +{
> + int ret, fd;
> +
> + fd = open(path, O_RDONLY);
> +
> + /* A bare open on unauthorized device should fail */
> + if (expected_ret < 0) {
> + ASSERT_EQ(fd, expected_ret, "open file for read");
One nit. expected_ret is actually expected_errno. It just happens -EPERM is -1,
so testing fd against expected_errno works here but is confusing to read. How
about separating the fd and errno test in the access rejected case. First test
for fd == -1 and then test for errno == expected_errno.
Please also carry Stanislav's Ack in patch 1 and 3 in the next respin.
Thanks for helping to move this test to test_progs.
pw-bot: cr
> + if (fd >= 0)
> + close(fd);
> + return;
> + }
> +
> + if (!ASSERT_OK_FD(fd, "open file for read"))
> + return;
> +
> + ret = read(fd, buf, buf_size);
> + ASSERT_EQ(ret, expected_ret, "read");
> +
> + close(fd);
> +}
> +
> +static void test_write(const char *path, char *buf, int buf_size,
> + int expected_ret)
> +{
> + int ret, fd;
> +
> + fd = open(path, O_WRONLY);
> +
> + /* A bare open on unauthorized device should fail */
> + if (expected_ret < 0) {
> + ASSERT_EQ(fd, expected_ret, "open file for write");
> + if (fd >= 0)
> + close(fd);
> + return;
> + }
> +
> + if (!ASSERT_OK_FD(fd, "open file for write"))
> + return;
> +
> + ret = write(fd, buf, buf_size);
> + ASSERT_EQ(ret, expected_ret, "write");
> +
> + close(fd);
> +}
> +
> +void test_cgroup_dev(void)
> +{
> + char buf[TEST_BUFFER_SIZE] = "some random test data";
> + struct dev_cgroup *skel;
> + int cgroup_fd;
> +
> + cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
> + if (!ASSERT_OK_FD(cgroup_fd, "cgroup switch"))
> + return;
> +
> + skel = dev_cgroup__open_and_load();
> + if (!ASSERT_OK_PTR(skel, "load program"))
> + goto cleanup_cgroup;
> +
> + skel->links.bpf_prog1 =
> + bpf_program__attach_cgroup(skel->progs.bpf_prog1, cgroup_fd);
> + if (!ASSERT_OK_PTR(skel->links.bpf_prog1, "attach_program"))
> + goto cleanup_progs;
> +
> + if (test__start_subtest("allow-mknod"))
> + test_mknod("/dev/test_dev_cgroup_null", S_IFCHR, 1, 3, 0);
> +
> + if (test__start_subtest("allow-read"))
> + test_read("/dev/urandom", buf, TEST_BUFFER_SIZE,
> + TEST_BUFFER_SIZE);
> +
> + if (test__start_subtest("allow-write"))
> + test_write("/dev/null", buf, TEST_BUFFER_SIZE,
> + TEST_BUFFER_SIZE);
> +
> + if (test__start_subtest("deny-mknod"))
> + test_mknod("/dev/test_dev_cgroup_zero", S_IFCHR, 1, 5, -EPERM);
> +
> + if (test__start_subtest("deny-read"))
> + test_read("/dev/random", buf, TEST_BUFFER_SIZE, -EPERM);
> +
> + if (test__start_subtest("deny-write"))
> + test_write("/dev/zero", buf, TEST_BUFFER_SIZE, -EPERM);
> +
> +cleanup_progs:
> + dev_cgroup__destroy(skel);
> +cleanup_cgroup:
> + cleanup_cgroup_environment();
> +}
Hello Martin,
On 7/31/24 02:34, Martin KaFai Lau wrote:
> On 7/30/24 4:59 AM, Alexis Lothoré (eBPF Foundation) wrote:
>> +static void test_read(const char *path, char *buf, int buf_size,
>> + int expected_ret)
>> +{
>> + int ret, fd;
>> +
>> + fd = open(path, O_RDONLY);
>> +
>> + /* A bare open on unauthorized device should fail */
>> + if (expected_ret < 0) {
>> + ASSERT_EQ(fd, expected_ret, "open file for read");
>
> One nit. expected_ret is actually expected_errno. It just happens -EPERM is -1,
> so testing fd against expected_errno works here but is confusing to read. How
> about separating the fd and errno test in the access rejected case. First test
> for fd == -1 and then test for errno == expected_errno.
Ah you are right, I mixed up things here, I'll fix it.
> Please also carry Stanislav's Ack in patch 1 and 3 in the next respin.
Sure, will do.
Thanks,
Alexis
--
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
© 2016 - 2026 Red Hat, Inc.