From 70f00a74ef32b72c4f884092d1ebe323eb0c0f38 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Sun, 7 Feb 2021 18:46:27 +1100
Subject: [PATCH] [wip] tests: regression-test cgroupv2 ebpf error handling
Signed-off-by: Aleksa Sarai
---
 tests/integration/cgroups.bats | 104 +++++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)
diff --git a/tests/integration/cgroups.bats b/tests/integration/cgroups.bats
index a319ed04218..d297cd4c7e3 100644
--- a/tests/integration/cgroups.bats
+++ b/tests/integration/cgroups.bats
@@ -7,6 +7,7 @@ function teardown() {
 teardown_running_container test_cgroups_permissions
 teardown_running_container test_cgroups_group
 teardown_running_container test_cgroups_unified
+ teardown_running_container test_cgroups_ebpf
 teardown_busybox
 }
@@ -270,3 +271,106 @@ function setup() {
 check_cpu_weight 42
 }
+
+# Set up the devices configuration such that you'll get errors under
+# cgroupv2 (eBPF). The usage of this function looks like:
+#
+# devices_ebpf_error_config [default_deny=<0|1>]
+# [bulk_allow=] [bulk_mode=]
+#
+# default_deny indicates whether there should be an "a *:* rwm" deny rule.
+# bulk_{allow,mode} control what the bulk rules added contain.
+function devices_ebpf_error_config() {
+ default_deny="${1:-1}"
+ bulk_allow="${2:-true}"
+ bulk_mode="${3:-rwm}"
+
+ # Set the script to "true".
+ update_config '.process.args = ["/bin/true"]' "$BUSYBOX_BUNDLE"
+
+ # Clear the devices rules.
+ update_config '.linux.resources.devices = []' "$BUSYBOX_BUNDLE"
+
+ # Add default-deny rule if applicable.
+ if [ "$default_deny" -eq 1 ]
+ then
+ update_config '.linux.resources.devices = [{
+ "type": "a",
+ "allow": "false",
+ "access": "rwm"
+ }]' "$BUSYBOX_BUNDLE"
+ fi
+
+ # The idea here is that if we create a really large rule-set, the eBPF
+ # load will fail because of program size limits. This is to simulate
+ # some other error with devices configuration loading, to make sure we
+ # give an error in cases where it matters.
+ for major in {0..32}
+ do
+ for minor in {0..512}
+ do
+ update_config '.linux.resources.devices += [{
+ "type": "c",
+ "allow": "'"$bulk_allow"'",
+ "major": '"$major"',
+ "minor": '"$minor"',
+ "access": "'"$bulk_mode"'"
+ }]' "$BUSYBOX_BUNDLE"
+ done
+ done
+}
+
+@test "runc run [cgroup v2 devices] (error handling)" {
+ requires cgroups_v2
+
+ set_cgroups_path "$BUSYBOX_BUNDLE"
+
+ # All-allow rules must not cause an error.
+ devices_ebpf_error_config 0 true rwm
+ runc run test_cgroups_ebpf
+ [ "$status" -eq 0 ]
+
+ # All-deny rules must cause an error.
+ devices_ebpf_error_config 1 false rwm
+ runc run test_cgroups_ebpf
+ if [ "$ROOTLESS" -eq 0 ]; then
+ [ "$status" -ne 0 ]
+ else
+ # No eBPF failures under rootless containers.
+ [ "$status" -eq 0 ]
+ fi
+
+ # All-allow with a single deny rule must cause an error.
+ devices_ebpf_error_config 0 true rwm
+ update_config '.linux.resources.devices += [{
+ "type": "b",
+ "major": 123,
+ "minor": 4567,
+ "allow": "false",
+ "access": "rwm"
+ }]' "$BUSYBOX_BUNDLE"
+ runc run test_cgroups_ebpf
+ if [ "$ROOTLESS" -eq 0 ]; then
+ [ "$status" -ne 0 ]
+ else
+ # No eBPF failures under rootless containers.
+ [ "$status" -eq 0 ]
+ fi
+
+ # All-allow with a non-rwm rule must cause an error.
+ devices_ebpf_error_config 0 true rwm
+ update_config '.linux.resources.devices += [{
+ "type": "b",
+ "major": 123,
+ "minor": 4567,
+ "allow": "true",
+ "access": "rw"
+ }]' "$BUSYBOX_BUNDLE"
+ runc run test_cgroups_ebpf
+ if [ "$ROOTLESS" -eq 0 ]; then
+ [ "$status" -ne 0 ]
+ else
+ # No eBPF failures under rootless containers.
+ [ "$status" -eq 0 ]
+ fi
+}
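Review bot: Every device rule in this hunk quotes its `allow` value (`"allow": "false"`, `"allow": "true"`, and `"allow": "'"$bulk_allow"'"` in the loop), so it lands in config.json as a JSON string, while the OCI runtime spec defines `allow` as a boolean. If runc rejects the string when decoding the config, as I would expect, every `runc run` fails before any device filter is built, including the all-allow case that expects status 0. Emitting booleans (`"allow": false`, and `"allow": '"$bulk_allow"',` in the loop) would avoid that. The three failure cases also assert only `[ "$status" -ne 0 ]`, so any unrelated failure satisfies them; adding `[[ "$output" == *"<EXPECTED_EBPF_ERROR_TEXT>"* ]]` (placeholder, the real message is not on this page) would tie each case to the device-filter error it is meant to regression-test. Separately, `default_deny`, `bulk_allow` and `bulk_mode` in `devices_ebpf_error_config` should be declared `local` so they do not leak into other tests in the file.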