lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAEf4BzYzaooN3wg7x8ju3D__EhVnCWcq09u8L3fL5W6qWg5OPw@mail.gmail.com>
Date:   Fri, 26 Jun 2020 17:57:57 -0700
From:   Andrii Nakryiko <andrii.nakryiko@...il.com>
To:     Stanislav Fomichev <sdf@...gle.com>
Cc:     Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>
Subject: Re: [PATCH bpf-next 4/4] selftests/bpf: test BPF_CGROUP_INET_SOCK_RELEASE

On Fri, Jun 26, 2020 at 4:52 PM Stanislav Fomichev <sdf@...gle.com> wrote:
>
> On Fri, Jun 26, 2020 at 3:06 PM Andrii Nakryiko
> <andrii.nakryiko@...il.com> wrote:
> >
> > On Thu, Jun 25, 2020 at 5:13 PM Stanislav Fomichev <sdf@...gle.com> wrote:
> > >
> > > Simple test that enforces a single SOCK_DGRAM socker per cgroup.
> > >
> > > Signed-off-by: Stanislav Fomichev <sdf@...gle.com>
> > > ---
> > >  .../selftests/bpf/prog_tests/udp_limit.c      | 71 +++++++++++++++++++
> > >  tools/testing/selftests/bpf/progs/udp_limit.c | 42 +++++++++++
> > >  2 files changed, 113 insertions(+)
> > >  create mode 100644 tools/testing/selftests/bpf/prog_tests/udp_limit.c
> > >  create mode 100644 tools/testing/selftests/bpf/progs/udp_limit.c
> > >
> > > diff --git a/tools/testing/selftests/bpf/prog_tests/udp_limit.c b/tools/testing/selftests/bpf/prog_tests/udp_limit.c
> > > new file mode 100644
> > > index 000000000000..fe359a927d92
> > > --- /dev/null
> > > +++ b/tools/testing/selftests/bpf/prog_tests/udp_limit.c
> > > @@ -0,0 +1,71 @@
> > > +// SPDX-License-Identifier: GPL-2.0
> > > +#include <test_progs.h>
> > > +#include "udp_limit.skel.h"
> > > +
> > > +#include <sys/types.h>
> > > +#include <sys/socket.h>
> > > +
> > > +void test_udp_limit(void)
> > > +{
> > > +       struct udp_limit *skel;
> > > +       int cgroup_fd;
> > > +       int fd1, fd2;
> > > +       int err;
> > > +
> > > +       cgroup_fd = test__join_cgroup("/udp_limit");
> > > +       if (CHECK_FAIL(cgroup_fd < 0))
> > > +               return;
> > > +
> > > +       skel = udp_limit__open_and_load();
> > > +       if (CHECK_FAIL(!skel))
> > > +               goto close_cgroup_fd;
> > > +
> > > +       err = bpf_prog_attach(bpf_program__fd(skel->progs.sock),
> > > +                             cgroup_fd, BPF_CGROUP_INET_SOCK_CREATE, 0);
> > > +       if (CHECK_FAIL(err))
> > > +               goto close_skeleton;
> > > +
> > > +       err = bpf_prog_attach(bpf_program__fd(skel->progs.sock_release),
> > > +                             cgroup_fd, BPF_CGROUP_INET_SOCK_RELEASE, 0);
> > > +       if (CHECK_FAIL(err))
> > > +               goto close_skeleton;
> >
> > Have you tried:
> >
> > skel->links.sock = bpf_program__attach_cgroup(skel->progs.sock);
> >
> > and similarly for sock_release?
> Ack, I can try that, thanks!
>
> > > +       /* BPF program enforces a single UDP socket per cgroup,
> > > +        * verify that.
> > > +        */
> > > +       fd1 = socket(AF_INET, SOCK_DGRAM, 0);
> > > +       if (CHECK_FAIL(fd1 < 0))
> > > +               goto close_skeleton;
> > > +
> > > +       fd2 = socket(AF_INET, SOCK_DGRAM, 0);
> > > +       if (CHECK_FAIL(fd2 != -1))
> > > +               goto close_fd1;
> > > +
> > > +       /* We can reopen again after close. */
> > > +       close(fd1);
> > > +
> > > +       fd1 = socket(AF_INET, SOCK_DGRAM, 0);
> > > +       if (CHECK_FAIL(fd1 < 0))
> > > +               goto close_skeleton;
> > > +
> > > +       /* Make sure the program was invoked the expected
> > > +        * number of times:
> > > +        * - open fd1           - BPF_CGROUP_INET_SOCK_CREATE
> > > +        * - attempt to openfd2 - BPF_CGROUP_INET_SOCK_CREATE
> > > +        * - close fd1          - BPF_CGROUP_INET_SOCK_RELEASE
> > > +        * - open fd1 again     - BPF_CGROUP_INET_SOCK_CREATE
> > > +        */
> > > +       if (CHECK_FAIL(skel->bss->invocations != 4))
> > > +               goto close_fd1;
> > > +
> > > +       /* We should still have a single socket in use */
> > > +       if (CHECK_FAIL(skel->bss->in_use != 1))
> > > +               goto close_fd1;
> >
> > Please use a non-silent CHECK() macro for everything that's a proper
> > and not a high-frequency check. That generates "a log trail" when
> > running the test in verbose mode, so it's easier to pinpoint where the
> > failure happened.
> IIRC, the problem with CHECK() is that it requires a 'duration'
> argument to be defined.
> Do you suggest defining it somewhere just to make CHECK() happy?

Yes, that's what most tests are doing. Just `static int duration;` on
top of test file, and you can forget about it.

>
> > > +
> > > +close_fd1:
> > > +       close(fd1);
> > > +close_skeleton:
> > > +       udp_limit__destroy(skel);
> > > +close_cgroup_fd:
> > > +       close(cgroup_fd);
> > > +}
> > > diff --git a/tools/testing/selftests/bpf/progs/udp_limit.c b/tools/testing/selftests/bpf/progs/udp_limit.c
> > > new file mode 100644
> > > index 000000000000..98fe294d9c21
> > > --- /dev/null
> > > +++ b/tools/testing/selftests/bpf/progs/udp_limit.c
> > > @@ -0,0 +1,42 @@
> > > +// SPDX-License-Identifier: GPL-2.0-only
> > > +
> > > +#include <sys/socket.h>
> > > +#include <linux/bpf.h>
> > > +#include <bpf/bpf_helpers.h>
> > > +
> > > +int invocations, in_use;
> > > +
> > > +SEC("cgroup/sock")
> > > +int sock(struct bpf_sock *ctx)
> > > +{
> > > +       __u32 key;
> > > +
> > > +       if (ctx->type != SOCK_DGRAM)
> > > +               return 1;
> > > +
> > > +       __sync_fetch_and_add(&invocations, 1);
> > > +
> > > +       if (&in_use > 0) {
> >
> >
> > &in_use is supposed to return an address of a variable... this looks
> > weird and probably not what you wanted?
> Oh, good catch! I was about to ask myself "how did the test pass with
> that?", but the test fails as well :-/
> Not sure how it creeped in and how I ran my tests, sorry about that.

Yeah, I was wondering that myself :) but was too lazy to check the exact logic.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ