[wip] tests: regression-test cgroupv2 ebpf error handling

Signed-off-by: Aleksa Sarai <[email protected]>
opencontainers · Feb 7, 2021 · 70f00a7 · 70f00a7
1 parent 2831fb5
commit 70f00a7
Showing 1 changed file with 104 additions and 0 deletions.
diff --git a/tests/integration/cgroups.bats b/tests/integration/cgroups.bats
@@ -7,6 +7,7 @@ function teardown() {
 	teardown_running_container test_cgroups_permissions
 	teardown_running_container test_cgroups_group
 	teardown_running_container test_cgroups_unified
+	teardown_running_container test_cgroups_ebpf
 	teardown_busybox
 }
 
@@ -270,3 +271,106 @@ function setup() {
 
 	check_cpu_weight 42
 }
+
+# Set up the devices configuration such that you'll get errors under
+# cgroupv2 (eBPF). The usage of this function looks like:
+#
+#  devices_ebpf_error_config [default_deny=<0|1>]
+#                            [bulk_allow=<true|false>] [bulk_mode=<rwm>]
+#
+#  default_deny indicates whether there should be an "a *:* rwm" deny rule.
+#  bulk_{allow,mode} control what the bulk rules added contain.
+function devices_ebpf_error_config() {
+	default_deny="${1:-1}"
+	bulk_allow="${2:-true}"
+	bulk_mode="${3:-rwm}"
+
+	# Set the script to "true".
+	update_config '.process.args = ["/bin/true"]' "$BUSYBOX_BUNDLE"
+
+	# Clear the devices rules.
+	update_config '.linux.resources.devices = []' "$BUSYBOX_BUNDLE"
+
+	# Add default-deny rule if applicable.
+	if [ "$default_deny" -eq 1 ]
+	then
+		update_config '.linux.resources.devices = [{
+			"type": "a",
+			"allow": "false",
+			"access": "rwm"
+		}]' "$BUSYBOX_BUNDLE"
+	fi
+
+	# The idea here is that if we create a really large rule-set, the eBPF
+	# load will fail because of program size limits. This is to simulate
+	# some other error with devices configuration loading, to make sure we
+	# give an error in cases where it matters.
+	for major in {0..32}
+	do
+		for minor in {0..512}
+		do
+			update_config '.linux.resources.devices += [{
+				"type": "c",
+				"allow": "'"$bulk_allow"'",
+				"major": '"$major"',
+				"minor": '"$minor"',
+				"access": "'"$bulk_mode"'"
+			}]' "$BUSYBOX_BUNDLE"
+		done
+	done
+}
+
+@test "runc run [cgroup v2 devices] (error handling)" {
+	requires cgroups_v2
+
+	set_cgroups_path "$BUSYBOX_BUNDLE"
+
+	# All-allow rules must not cause an error.
+	devices_ebpf_error_config 0 true rwm
+	runc run test_cgroups_ebpf
+	[ "$status" -eq 0 ]
+
+	# All-deny rules must cause an error.
+	devices_ebpf_error_config 1 false rwm
+	runc run test_cgroups_ebpf
+	if [ "$ROOTLESS" -eq 0 ]; then
+		[ "$status" -ne 0 ]
+	else
+		# No eBPF failures under rootless containers.
+		[ "$status" -eq 0 ]
+	fi
+
+	# All-allow with a single deny rule must cause an error.
+	devices_ebpf_error_config 0 true rwm
+	update_config '.linux.resources.devices += [{
+		"type": "b",
+		"major": 123,
+		"minor": 4567,
+		"allow": "false",
+		"access": "rwm"
+	}]' "$BUSYBOX_BUNDLE"
+	runc run test_cgroups_ebpf
+	if [ "$ROOTLESS" -eq 0 ]; then
+		[ "$status" -ne 0 ]
+	else
+		# No eBPF failures under rootless containers.
+		[ "$status" -eq 0 ]
+	fi
+
+	# All-allow with a non-rwm rule must cause an error.
+	devices_ebpf_error_config 0 true rwm
+	update_config '.linux.resources.devices += [{
+		"type": "b",
+		"major": 123,
+		"minor": 4567,
+		"allow": "true",
+		"access": "rw"
+	}]' "$BUSYBOX_BUNDLE"
+	runc run test_cgroups_ebpf
+	if [ "$ROOTLESS" -eq 0 ]; then
+		[ "$status" -ne 0 ]
+	else
+		# No eBPF failures under rootless containers.
+		[ "$status" -eq 0 ]
+	fi
+}