| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4a7926e3-f8b7-4df8-8deb-0dfae067e732@collabora.com>
Date: Mon, 19 Feb 2024 17:34:13 +0500
From: Muhammad Usama Anjum <usama.anjum@...labora.com>
To: Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>, Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman
<eddyz87@...il.com>, Song Liu <song@...nel.org>,
Yonghong Song <yonghong.song@...ux.dev>,
John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...gle.com>, Hao Luo <haoluo@...gle.com>,
Jiri Olsa <jolsa@...nel.org>, Mykola Lysenko <mykolal@...com>,
Shuah Khan <shuah@...nel.org>
Cc: Muhammad Usama Anjum <usama.anjum@...labora.com>, kernel@...labora.com,
linux-kernel@...r.kernel.org, bpf@...r.kernel.org,
linux-kselftest@...r.kernel.org
Subject: Re: [PATCH] selftests/bpf: Move test_dev_cgroup to prog_tests
Thank you for review. I'll fix.
On 2/16/24 10:25 PM, Daniel Borkmann wrote:
> Hi Muhammad,
>
> Small nit, pls use $subj: [PATCH bpf-next]
Sure, I'll update.
>
> On 2/15/24 1:01 PM, Muhammad Usama Anjum wrote:
>> Move test_dev_cgroup to prog_tests to be able to run it with test_progs.
>> Replace dev_cgroup.bpf.o with skel header file, dev_cgroup.skel.h and
>> load program from it accourdingly.
>>
>> ./test_progs -t test_dev_cgroup
>> mknod: /tmp/test_dev_cgroup_null: Operation not permitted
>> 64+0 records in
>> 64+0 records out
>> 32768 bytes (33 kB, 32 KiB) copied, 0.000856684 s, 38.2 MB/s
>> dd: failed to open '/dev/full': Operation not permitted
>> dd: failed to open '/dev/random': Operation not permitted
>> #365 test_dev_cgroup:OK
>> Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
>>
>> Signed-off-by: Muhammad Usama Anjum <usama.anjum@...labora.com>
>
> BPF CI currently fails this with :
>
> https://github.com/kernel-patches/bpf/actions/runs/7924507406/job/21636353124
>
> [...]
> All error logs:
> test_test_dev_cgroup:PASS:skel_open_and_load 0 nsec
> test_test_dev_cgroup:PASS:cgroup_setup_and_join 0 nsec
> test_test_dev_cgroup:PASS:bpf_attach 0 nsec
> test_test_dev_cgroup:PASS:bpf_query 0 nsec
> test_test_dev_cgroup:PASS:rm 0 nsec
> test_test_dev_cgroup:PASS:mknod 0 nsec
> test_test_dev_cgroup:PASS:rm 0 nsec
> test_test_dev_cgroup:PASS:rm 0 nsec
> test_test_dev_cgroup:FAIL:mknod unexpected mknod on _zero
> test_test_dev_cgroup:PASS:rm 0 nsec
> test_test_dev_cgroup:PASS:dd 0 nsec
> test_test_dev_cgroup:PASS:dd 0 nsec
> test_test_dev_cgroup:PASS:dd 0 nsec
> (cgroup_helpers.c:353: errno: Device or resource busy) umount cgroup2
> #366 test_dev_cgroup:FAIL
> Summary: 517/3837 PASSED, 53 SKIPPED, 1 FAILED
>
> You can also use vmtest.sh tool to check locally :
>
> # ./vmtest.sh -- ./test_progs -t test_dev_cgroup
It is passing on my side on next-20240207 and next-20240218. I'll test
again by running all the tests with test_progs. Maybe something else is
making it fail.
>
>> diff --git a/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
>> b/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
>> new file mode 100644
>> index 0000000000000..ee37ce52dec9f
>> --- /dev/null
>> +++ b/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
>> @@ -0,0 +1,67 @@
>> +// SPDX-License-Identifier: GPL-2.0-only
>> +/* Copyright (c) 2017 Facebook
>> + */
>> +
>> +#include <test_progs.h>
>> +#include <time.h>
>> +#include "cgroup_helpers.h"
>> +#include "dev_cgroup.skel.h"
>> +
>> +#define TEST_CGROUP "/test-bpf-based-device-cgroup/"
>> +
>> +void test_test_dev_cgroup(void)
>
> nit: test_dev_cgroup ?
I was trying not to rename the file. I'll rename the file.
>
>> +{
>> + int cgroup_fd, err, duration = 0;
>> + struct dev_cgroup *skel;
>> + __u32 prog_cnt;
>> +
>> + skel = dev_cgroup__open_and_load();
>> + if (CHECK(!skel, "skel_open_and_load", "failed\n"))
>> + goto cleanup;
>
> Nit: please use ASSERT_* macros everywhere, the CHECK() is deprecated.
I'd not any deprecated notice/comment. I'll use ASSERT_* from now on.
>
>> + cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
>> + if (CHECK(cgroup_fd < 0, "cgroup_setup_and_join", "failed: %d\n",
>> cgroup_fd))
>> + goto cleanup;
>> +
>> + err = bpf_prog_attach(bpf_program__fd(skel->progs.bpf_prog1),
>> cgroup_fd,
>> + BPF_CGROUP_DEVICE, 0);
>> + if (CHECK(err, "bpf_attach", "failed: %d\n", err))
>> + goto cleanup;
>> +
>> + err = bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL,
>> &prog_cnt);
>> + if (CHECK(err || prog_cnt != 1, "bpf_query", "failed: %d %d\n", err,
>> prog_cnt))
>> + goto cleanup;
>> +
>> + /* All operations with /dev/zero and /dev/urandom are allowed,
>> + * everything else is forbidden.
>> + */
>> + CHECK(system("rm -f /tmp/test_dev_cgroup_null"), "rm",
>> + "unexpected rm on _null\n");
>> + CHECK(!system("mknod /tmp/test_dev_cgroup_null c 1 3"),
>> + "mknod", "unexpected mknod on _null\n");
>> + CHECK(system("rm -f /tmp/test_dev_cgroup_null"), "rm",
>> + "unexpected rm on _null\n");
>> +
>> + /* /dev/zero is whitelisted */
>> + CHECK(system("rm -f /tmp/test_dev_cgroup_zero"), "rm",
>> + "unexpected rm on _zero\n");
>> + CHECK(system("mknod /tmp/test_dev_cgroup_zero c 1 5"),
>> + "mknod", "unexpected mknod on _zero\n");
>> + CHECK(system("rm -f /tmp/test_dev_cgroup_zero"), "rm",
>> + "unexpected rm on _zero\n");
>> +
>> + CHECK(system("dd if=/dev/urandom of=/dev/zero count=64"), "dd",
>> + "unexpected dd on /dev/zero\n");
>> +
>> + /* src is allowed, target is forbidden */
>> + CHECK(!system("dd if=/dev/urandom of=/dev/full count=64"), "dd",
>> + "unexpected dd on /dev/full\n");
>> +
>> + /* src is forbidden, target is allowed */
>> + CHECK(!system("dd if=/dev/random of=/dev/zero count=64"), "dd",
>> + "unexpected dd on /dev/zero\n");
>> +
>> +cleanup:
>> + cleanup_cgroup_environment();
>> + dev_cgroup__destroy(skel);
>> +}
>
> Thanks,
> Daniel
>
--
BR,
Muhammad Usama Anjum
Powered by blists - more mailing lists