mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-04 09:34:12 +08:00
bpf, selftests: Add test case for mixed cgroup v1/v2
Minimal selftest which implements a small BPF policy program to the connect(2) hook which rejects TCP connection requests to port 60123 with EPERM. This is being attached to a non-root cgroup v2 path. The test asserts that this works under cgroup v2-only and under a mixed cgroup v1/v2 environment where net_classid is set in the former case. Before fix: # ./test_progs -t cgroup_v1v2 test_cgroup_v1v2:PASS:server_fd 0 nsec test_cgroup_v1v2:PASS:client_fd 0 nsec test_cgroup_v1v2:PASS:cgroup_fd 0 nsec test_cgroup_v1v2:PASS:server_fd 0 nsec run_test:PASS:skel_open 0 nsec run_test:PASS:prog_attach 0 nsec test_cgroup_v1v2:PASS:cgroup-v2-only 0 nsec run_test:PASS:skel_open 0 nsec run_test:PASS:prog_attach 0 nsec run_test:PASS:join_classid 0 nsec (network_helpers.c:219: errno: None) Unexpected success to connect to server test_cgroup_v1v2:FAIL:cgroup-v1v2 unexpected error: -1 (errno 0) #27 cgroup_v1v2:FAIL Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED After fix: # ./test_progs -t cgroup_v1v2 #27 cgroup_v1v2:OK Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20210913230759.2313-3-daniel@iogearbox.net
This commit is contained in:
parent
d8079d8026
commit
43d2b88c29
@ -208,11 +208,26 @@ error_close:
|
||||
|
||||
static int connect_fd_to_addr(int fd,
|
||||
const struct sockaddr_storage *addr,
|
||||
socklen_t addrlen)
|
||||
socklen_t addrlen, const bool must_fail)
|
||||
{
|
||||
if (connect(fd, (const struct sockaddr *)addr, addrlen)) {
|
||||
log_err("Failed to connect to server");
|
||||
return -1;
|
||||
int ret;
|
||||
|
||||
errno = 0;
|
||||
ret = connect(fd, (const struct sockaddr *)addr, addrlen);
|
||||
if (must_fail) {
|
||||
if (!ret) {
|
||||
log_err("Unexpected success to connect to server");
|
||||
return -1;
|
||||
}
|
||||
if (errno != EPERM) {
|
||||
log_err("Unexpected error from connect to server");
|
||||
return -1;
|
||||
}
|
||||
} else {
|
||||
if (ret) {
|
||||
log_err("Failed to connect to server");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
@ -257,7 +272,7 @@ int connect_to_fd_opts(int server_fd, const struct network_helper_opts *opts)
|
||||
strlen(opts->cc) + 1))
|
||||
goto error_close;
|
||||
|
||||
if (connect_fd_to_addr(fd, &addr, addrlen))
|
||||
if (connect_fd_to_addr(fd, &addr, addrlen, opts->must_fail))
|
||||
goto error_close;
|
||||
|
||||
return fd;
|
||||
@ -289,7 +304,7 @@ int connect_fd_to_fd(int client_fd, int server_fd, int timeout_ms)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (connect_fd_to_addr(client_fd, &addr, len))
|
||||
if (connect_fd_to_addr(client_fd, &addr, len, false))
|
||||
return -1;
|
||||
|
||||
return 0;
|
||||
|
@ -20,6 +20,7 @@ typedef __u16 __sum16;
|
||||
struct network_helper_opts {
|
||||
const char *cc;
|
||||
int timeout_ms;
|
||||
bool must_fail;
|
||||
};
|
||||
|
||||
/* ipv4 test vector */
|
||||
|
79
tools/testing/selftests/bpf/prog_tests/cgroup_v1v2.c
Normal file
79
tools/testing/selftests/bpf/prog_tests/cgroup_v1v2.c
Normal file
@ -0,0 +1,79 @@
|
||||
// SPDX-License-Identifier: GPL-2.0
|
||||
|
||||
#include <test_progs.h>
|
||||
|
||||
#include "connect4_dropper.skel.h"
|
||||
|
||||
#include "cgroup_helpers.h"
|
||||
#include "network_helpers.h"
|
||||
|
||||
static int run_test(int cgroup_fd, int server_fd, bool classid)
|
||||
{
|
||||
struct network_helper_opts opts = {
|
||||
.must_fail = true,
|
||||
};
|
||||
struct connect4_dropper *skel;
|
||||
int fd, err = 0;
|
||||
|
||||
skel = connect4_dropper__open_and_load();
|
||||
if (!ASSERT_OK_PTR(skel, "skel_open"))
|
||||
return -1;
|
||||
|
||||
skel->links.connect_v4_dropper =
|
||||
bpf_program__attach_cgroup(skel->progs.connect_v4_dropper,
|
||||
cgroup_fd);
|
||||
if (!ASSERT_OK_PTR(skel->links.connect_v4_dropper, "prog_attach")) {
|
||||
err = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (classid && !ASSERT_OK(join_classid(), "join_classid")) {
|
||||
err = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
fd = connect_to_fd_opts(server_fd, &opts);
|
||||
if (fd < 0)
|
||||
err = -1;
|
||||
else
|
||||
close(fd);
|
||||
out:
|
||||
connect4_dropper__destroy(skel);
|
||||
return err;
|
||||
}
|
||||
|
||||
void test_cgroup_v1v2(void)
|
||||
{
|
||||
struct network_helper_opts opts = {};
|
||||
int server_fd, client_fd, cgroup_fd;
|
||||
static const int port = 60123;
|
||||
|
||||
/* Step 1: Check base connectivity works without any BPF. */
|
||||
server_fd = start_server(AF_INET, SOCK_STREAM, NULL, port, 0);
|
||||
if (!ASSERT_GE(server_fd, 0, "server_fd"))
|
||||
return;
|
||||
client_fd = connect_to_fd_opts(server_fd, &opts);
|
||||
if (!ASSERT_GE(client_fd, 0, "client_fd")) {
|
||||
close(server_fd);
|
||||
return;
|
||||
}
|
||||
close(client_fd);
|
||||
close(server_fd);
|
||||
|
||||
/* Step 2: Check BPF policy prog attached to cgroups drops connectivity. */
|
||||
cgroup_fd = test__join_cgroup("/connect_dropper");
|
||||
if (!ASSERT_GE(cgroup_fd, 0, "cgroup_fd"))
|
||||
return;
|
||||
server_fd = start_server(AF_INET, SOCK_STREAM, NULL, port, 0);
|
||||
if (!ASSERT_GE(server_fd, 0, "server_fd")) {
|
||||
close(cgroup_fd);
|
||||
return;
|
||||
}
|
||||
ASSERT_OK(run_test(cgroup_fd, server_fd, false), "cgroup-v2-only");
|
||||
setup_classid_environment();
|
||||
set_classid(42);
|
||||
ASSERT_OK(run_test(cgroup_fd, server_fd, true), "cgroup-v1v2");
|
||||
cleanup_classid_environment();
|
||||
close(server_fd);
|
||||
close(cgroup_fd);
|
||||
}
|
26
tools/testing/selftests/bpf/progs/connect4_dropper.c
Normal file
26
tools/testing/selftests/bpf/progs/connect4_dropper.c
Normal file
@ -0,0 +1,26 @@
|
||||
// SPDX-License-Identifier: GPL-2.0
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include <linux/stddef.h>
|
||||
#include <linux/bpf.h>
|
||||
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <bpf/bpf_helpers.h>
|
||||
#include <bpf/bpf_endian.h>
|
||||
|
||||
#define VERDICT_REJECT 0
|
||||
#define VERDICT_PROCEED 1
|
||||
|
||||
SEC("cgroup/connect4")
|
||||
int connect_v4_dropper(struct bpf_sock_addr *ctx)
|
||||
{
|
||||
if (ctx->type != SOCK_STREAM)
|
||||
return VERDICT_PROCEED;
|
||||
if (ctx->user_port == bpf_htons(60123))
|
||||
return VERDICT_REJECT;
|
||||
return VERDICT_PROCEED;
|
||||
}
|
||||
|
||||
char _license[] SEC("license") = "GPL";
|
Loading…
Reference in New Issue
Block a user