lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200117202441.GA11957@tower.DHCP.thefacebook.com>
Date:   Fri, 17 Jan 2020 20:24:51 +0000
From:   Roman Gushchin <guro@...com>
To:     Christian Brauner <christian.brauner@...ntu.com>
CC:     "linux-api@...r.kernel.org" <linux-api@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Tejun Heo <tj@...nel.org>, Oleg Nesterov <oleg@...hat.com>,
        Shuah Khan <shuah@...nel.org>,
        "cgroups@...r.kernel.org" <cgroups@...r.kernel.org>,
        "linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>
Subject: Re: [PATCH v4 6/6] selftests/cgroup: add tests for cloning into
 cgroups

On Fri, Jan 17, 2020 at 07:12:19PM +0100, Christian Brauner wrote:
> Expand the cgroup test-suite to include tests for CLONE_INTO_CGROUP.
> This adds the following tests:
> - CLONE_INTO_CGROUP manages to clone a process directly into a correctly
>   delegated cgroup
> - CLONE_INTO_CGROUP fails to clone a process into a cgroup that has been
>   removed after we've opened an fd to it
> - CLONE_INTO_CGROUP fails to clone a process into an invalid domain
>   cgroup
> - CLONE_INTO_CGROUP adheres to the no internal process constraint
> - CLONE_INTO_CGROUP works with the freezer feature
> 
> Cc: Roman Gushchin <guro@...com>
> Cc: Tejun Heo <tj@...nel.org>
> Cc: Shuah Khan <shuah@...nel.org>
> Cc: cgroups@...r.kernel.org
> Cc: linux-kselftest@...r.kernel.org
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>

Acked-by: Roman Gushchin <guro@...com>

Thank you for adding tests!


> ---
> /* v1 */
> Link: https://lore.kernel.org/r/20191218173516.7875-4-christian.brauner@ubuntu.com
> 
> /* v2 */
> Link: https://lore.kernel.org/r/20191223061504.28716-4-christian.brauner@ubuntu.com
> unchanged
> 
> /* v3 */
> Link: https://lore.kernel.org/r/20200117002143.15559-6-christian.brauner@ubuntu.com
> unchanged
> 
> /* v3 */

v4?

> unchanged
> ---
>  tools/testing/selftests/cgroup/Makefile       |   6 +-
>  tools/testing/selftests/cgroup/cgroup_util.c  | 126 ++++++++++++++++++
>  tools/testing/selftests/cgroup/cgroup_util.h  |   4 +
>  tools/testing/selftests/cgroup/test_core.c    |  64 +++++++++
>  .../selftests/clone3/clone3_selftests.h       |  19 ++-
>  5 files changed, 214 insertions(+), 5 deletions(-)
> 
> diff --git a/tools/testing/selftests/cgroup/Makefile b/tools/testing/selftests/cgroup/Makefile
> index 66aafe1f5746..967f268fde74 100644
> --- a/tools/testing/selftests/cgroup/Makefile
> +++ b/tools/testing/selftests/cgroup/Makefile
> @@ -11,6 +11,6 @@ TEST_GEN_PROGS += test_freezer
>  
>  include ../lib.mk
>  
> -$(OUTPUT)/test_memcontrol: cgroup_util.c
> -$(OUTPUT)/test_core: cgroup_util.c
> -$(OUTPUT)/test_freezer: cgroup_util.c
> +$(OUTPUT)/test_memcontrol: cgroup_util.c ../clone3/clone3_selftests.h
> +$(OUTPUT)/test_core: cgroup_util.c ../clone3/clone3_selftests.h
> +$(OUTPUT)/test_freezer: cgroup_util.c ../clone3/clone3_selftests.h
> diff --git a/tools/testing/selftests/cgroup/cgroup_util.c b/tools/testing/selftests/cgroup/cgroup_util.c
> index 8f7131dcf1ff..8a637ca7d73a 100644
> --- a/tools/testing/selftests/cgroup/cgroup_util.c
> +++ b/tools/testing/selftests/cgroup/cgroup_util.c
> @@ -15,6 +15,7 @@
>  #include <unistd.h>
>  
>  #include "cgroup_util.h"
> +#include "../clone3/clone3_selftests.h"
>  
>  static ssize_t read_text(const char *path, char *buf, size_t max_len)
>  {
> @@ -331,12 +332,112 @@ int cg_run(const char *cgroup,
>  	}
>  }
>  
> +pid_t clone_into_cgroup(int cgroup_fd)
> +{
> +#ifdef CLONE_ARGS_SIZE_VER2
> +	pid_t pid;
> +
> +	struct clone_args args = {
> +		.flags = CLONE_INTO_CGROUP,
> +		.exit_signal = SIGCHLD,
> +		.cgroup = cgroup_fd,
> +	};
> +
> +	pid = sys_clone3(&args, sizeof(struct clone_args));
> +	/*
> +	 * Verify that this is a genuine test failure:
> +	 * ENOSYS -> clone3() not available
> +	 * E2BIG  -> CLONE_INTO_CGROUP not available
> +	 */
> +	if (pid < 0 && (errno == ENOSYS || errno == E2BIG))
> +		goto pretend_enosys;
> +
> +	return pid;
> +
> +pretend_enosys:
> +#endif
> +	errno = ENOSYS;
> +	return -ENOSYS;
> +}
> +
> +int clone_reap(pid_t pid, int options)
> +{
> +	int ret;
> +	siginfo_t info = {
> +		.si_signo = 0,
> +	};
> +
> +again:
> +	ret = waitid(P_PID, pid, &info, options | __WALL | __WNOTHREAD);
> +	if (ret < 0) {
> +		if (errno == EINTR)
> +			goto again;
> +		return -1;
> +	}
> +
> +	if (options & WEXITED) {
> +		if (WIFEXITED(info.si_status))
> +			return WEXITSTATUS(info.si_status);
> +	}
> +
> +	if (options & WSTOPPED) {
> +		if (WIFSTOPPED(info.si_status))
> +			return WSTOPSIG(info.si_status);
> +	}
> +
> +	if (options & WCONTINUED) {
> +		if (WIFCONTINUED(info.si_status))
> +			return 0;
> +	}
> +
> +	return -1;
> +}
> +
> +int dirfd_open_opath(const char *dir)
> +{
> +	return open(dir, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW | O_PATH);
> +}
> +
> +#define close_prot_errno(fd)                                                   \
> +	if (fd >= 0) {                                                         \
> +		int _e_ = errno;                                               \
> +		close(fd);                                                     \
> +		errno = _e_;                                                   \
> +	}
> +
> +static int clone_into_cgroup_run_nowait(const char *cgroup,
> +					int (*fn)(const char *cgroup, void *arg),
> +					void *arg)
> +{
> +	int cgroup_fd;
> +	pid_t pid;
> +
> +	cgroup_fd =  dirfd_open_opath(cgroup);
> +	if (cgroup_fd < 0)
> +		return -1;
> +
> +	pid = clone_into_cgroup(cgroup_fd);
> +	close_prot_errno(cgroup_fd);
> +	if (pid == 0)
> +		exit(fn(cgroup, arg));
> +
> +	return pid;
> +}
> +
>  int cg_run_nowait(const char *cgroup,
>  		  int (*fn)(const char *cgroup, void *arg),
>  		  void *arg)
>  {
>  	int pid;
>  
> +	pid = clone_into_cgroup_run_nowait(cgroup, fn, arg);
> +	if (pid > 0)
> +		return pid;
> +
> +	/* Genuine test failure. */
> +	if (pid < 0 && errno != ENOSYS)
> +		return -1;
> +
>  	pid = fork();
>  	if (pid == 0) {
>  		char buf[64];
> @@ -450,3 +551,28 @@ int proc_read_strstr(int pid, bool thread, const char *item, const char *needle)
>  
>  	return strstr(buf, needle) ? 0 : -1;
>  }
> +
> +int clone_into_cgroup_run_wait(const char *cgroup)
> +{
> +	int cgroup_fd;
> +	pid_t pid;
> +
> +	cgroup_fd =  dirfd_open_opath(cgroup);
> +	if (cgroup_fd < 0)
> +		return -1;
> +
> +	pid = clone_into_cgroup(cgroup_fd);
> +	close_prot_errno(cgroup_fd);
> +	if (pid < 0)
> +		return -1;
> +
> +	if (pid == 0)
> +		exit(EXIT_SUCCESS);
> +
> +	/*
> +	 * We don't care whether this fails. We only care whether the initial
> +	 * clone succeeded.
> +	 */
> +	(void)clone_reap(pid, WEXITED);
> +	return 0;
> +}
> diff --git a/tools/testing/selftests/cgroup/cgroup_util.h b/tools/testing/selftests/cgroup/cgroup_util.h
> index 49c54fbdb229..5a1305dd1f0b 100644
> --- a/tools/testing/selftests/cgroup/cgroup_util.h
> +++ b/tools/testing/selftests/cgroup/cgroup_util.h
> @@ -50,3 +50,7 @@ extern int cg_wait_for_proc_count(const char *cgroup, int count);
>  extern int cg_killall(const char *cgroup);
>  extern ssize_t proc_read_text(int pid, bool thread, const char *item, char *buf, size_t size);
>  extern int proc_read_strstr(int pid, bool thread, const char *item, const char *needle);
> +extern pid_t clone_into_cgroup(int cgroup_fd);
> +extern int clone_reap(pid_t pid, int options);
> +extern int clone_into_cgroup_run_wait(const char *cgroup);
> +extern int dirfd_open_opath(const char *dir);
> diff --git a/tools/testing/selftests/cgroup/test_core.c b/tools/testing/selftests/cgroup/test_core.c
> index c5ca669feb2b..96e016ccafe0 100644
> --- a/tools/testing/selftests/cgroup/test_core.c
> +++ b/tools/testing/selftests/cgroup/test_core.c
> @@ -25,8 +25,11 @@
>  static int test_cgcore_populated(const char *root)
>  {
>  	int ret = KSFT_FAIL;
> +	int err;
>  	char *cg_test_a = NULL, *cg_test_b = NULL;
>  	char *cg_test_c = NULL, *cg_test_d = NULL;
> +	int cgroup_fd = -EBADF;
> +	pid_t pid;
>  
>  	cg_test_a = cg_name(root, "cg_test_a");
>  	cg_test_b = cg_name(root, "cg_test_a/cg_test_b");
> @@ -78,6 +81,52 @@ static int test_cgcore_populated(const char *root)
>  	if (cg_read_strcmp(cg_test_d, "cgroup.events", "populated 0\n"))
>  		goto cleanup;
>  
> +	/* Test that we can directly clone into a new cgroup. */
> +	cgroup_fd = dirfd_open_opath(cg_test_d);
> +	if (cgroup_fd < 0)
> +		goto cleanup;
> +
> +	pid = clone_into_cgroup(cgroup_fd);
> +	if (pid < 0) {
> +		if (errno == ENOSYS)
> +			goto cleanup_pass;
> +		goto cleanup;
> +	}
> +
> +	if (pid == 0) {
> +		if (raise(SIGSTOP))
> +			exit(EXIT_FAILURE);
> +		exit(EXIT_SUCCESS);
> +	}
> +
> +	err = cg_read_strcmp(cg_test_d, "cgroup.events", "populated 1\n");
> +
> +	(void)clone_reap(pid, WSTOPPED);
> +	(void)kill(pid, SIGCONT);
> +	(void)clone_reap(pid, WEXITED);
> +
> +	if (err)
> +		goto cleanup;
> +
> +	if (cg_read_strcmp(cg_test_d, "cgroup.events", "populated 0\n"))
> +		goto cleanup;
> +
> +	/* Remove cgroup. */
> +	if (cg_test_d) {
> +		cg_destroy(cg_test_d);
> +		free(cg_test_d);
> +		cg_test_d = NULL;
> +	}
> +
> +	pid = clone_into_cgroup(cgroup_fd);
> +	if (pid < 0)
> +		goto cleanup_pass;
> +	if (pid == 0)
> +		exit(EXIT_SUCCESS);
> +	(void)clone_reap(pid, WEXITED);
> +	goto cleanup;
> +
> +cleanup_pass:
>  	ret = KSFT_PASS;
>  
>  cleanup:
> @@ -93,6 +142,8 @@ static int test_cgcore_populated(const char *root)
>  	free(cg_test_c);
>  	free(cg_test_b);
>  	free(cg_test_a);
> +	if (cgroup_fd >= 0)
> +		close(cgroup_fd);
>  	return ret;
>  }
>  
> @@ -136,6 +187,16 @@ static int test_cgcore_invalid_domain(const char *root)
>  	if (errno != EOPNOTSUPP)
>  		goto cleanup;
>  
> +	if (!clone_into_cgroup_run_wait(child))
> +		goto cleanup;
> +
> +	if (errno == ENOSYS)
> +		goto cleanup_pass;
> +
> +	if (errno != EOPNOTSUPP)
> +		goto cleanup;
> +
> +cleanup_pass:
>  	ret = KSFT_PASS;
>  
>  cleanup:
> @@ -345,6 +406,9 @@ static int test_cgcore_internal_process_constraint(const char *root)
>  	if (!cg_enter_current(parent))
>  		goto cleanup;
>  
> +	if (!clone_into_cgroup_run_wait(parent))
> +		goto cleanup;
> +
>  	ret = KSFT_PASS;
>  
>  cleanup:
> diff --git a/tools/testing/selftests/clone3/clone3_selftests.h b/tools/testing/selftests/clone3/clone3_selftests.h
> index a3f2c8ad8bcc..91c1a78ddb39 100644
> --- a/tools/testing/selftests/clone3/clone3_selftests.h
> +++ b/tools/testing/selftests/clone3/clone3_selftests.h
> @@ -5,12 +5,24 @@
>  
>  #define _GNU_SOURCE
>  #include <sched.h>
> +#include <linux/sched.h>
> +#include <linux/types.h>
>  #include <stdint.h>
>  #include <syscall.h>
> -#include <linux/types.h>
> +#include <sys/wait.h>
> +
> +#include "../kselftest.h"
>  
>  #define ptr_to_u64(ptr) ((__u64)((uintptr_t)(ptr)))
>  
> +#ifndef CLONE_INTO_CGROUP
> +#define CLONE_INTO_CGROUP 0x200000000ULL /* Clone into a specific cgroup given the right permissions. */
> +#endif
> +
> +#ifndef CLONE_ARGS_SIZE_VER0
> +#define CLONE_ARGS_SIZE_VER0 64
> +#endif
> +
>  #ifndef __NR_clone3
>  #define __NR_clone3 -1
>  struct clone_args {
> @@ -22,10 +34,13 @@ struct clone_args {
>  	__aligned_u64 stack;
>  	__aligned_u64 stack_size;
>  	__aligned_u64 tls;
> +#define CLONE_ARGS_SIZE_VER1 80
>  	__aligned_u64 set_tid;
>  	__aligned_u64 set_tid_size;
> +#define CLONE_ARGS_SIZE_VER2 88
> +	__aligned_u64 cgroup;
>  };
> -#endif
> +#endif /* __NR_clone3 */
>  
>  static pid_t sys_clone3(struct clone_args *args, size_t size)
>  {
> -- 
> 2.25.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ