[PATCH] selftests/bpf: Move test_dev_cgroup to prog_tests

[PATCH] selftests/bpf: Move test_dev_cgroup to prog_tests

[Muhammad Usama Anjum]

Move test_dev_cgroup to prog_tests to be able to run it with test_progs.
Replace dev_cgroup.bpf.o with skel header file, dev_cgroup.skel.h and
load program from it accourdingly.

  ./test_progs -t test_dev_cgroup
  mknod: /tmp/test_dev_cgroup_null: Operation not permitted
  64+0 records in
  64+0 records out
  32768 bytes (33 kB, 32 KiB) copied, 0.000856684 s, 38.2 MB/s
  dd: failed to open '/dev/full': Operation not permitted
  dd: failed to open '/dev/random': Operation not permitted
  #365     test_dev_cgroup:OK
  Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
---
While converting from skeleton APIs, I didn't found direct alternative
of bpf_prog_attach(fd, cgroup_fd, BPF_CGROUP_DEVICE). So I've kept
using the bpf_prog_attach() in this patch.
---
 .../bpf/prog_tests/test_dev_cgroup.c          | 67 +++++++++++++++
 tools/testing/selftests/bpf/test_dev_cgroup.c | 85 -------------------
 2 files changed, 67 insertions(+), 85 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
 delete mode 100644 tools/testing/selftests/bpf/test_dev_cgroup.c

diff --git a/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c b/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
new file mode 100644
index 0000000000000..ee37ce52dec9f
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/* Copyright (c) 2017 Facebook
+ */
+
+#include <test_progs.h>
+#include <time.h>
+#include "cgroup_helpers.h"
+#include "dev_cgroup.skel.h"
+
+#define TEST_CGROUP "/test-bpf-based-device-cgroup/"
+
+void test_test_dev_cgroup(void)
+{
+	int cgroup_fd, err, duration = 0;
+	struct dev_cgroup *skel;
+	__u32 prog_cnt;
+
+	skel = dev_cgroup__open_and_load();
+	if (CHECK(!skel, "skel_open_and_load", "failed\n"))
+		goto cleanup;
+
+	cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
+	if (CHECK(cgroup_fd < 0, "cgroup_setup_and_join", "failed: %d\n", cgroup_fd))
+		goto cleanup;
+
+	err = bpf_prog_attach(bpf_program__fd(skel->progs.bpf_prog1), cgroup_fd,
+			      BPF_CGROUP_DEVICE, 0);
+	if (CHECK(err, "bpf_attach", "failed: %d\n", err))
+		goto cleanup;
+
+	err = bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL, &prog_cnt);
+	if (CHECK(err || prog_cnt != 1, "bpf_query", "failed: %d %d\n", err, prog_cnt))
+		goto cleanup;
+
+	/* All operations with /dev/zero and /dev/urandom are allowed,
+	 * everything else is forbidden.
+	 */
+	CHECK(system("rm -f /tmp/test_dev_cgroup_null"), "rm",
+	      "unexpected rm on _null\n");
+	CHECK(!system("mknod /tmp/test_dev_cgroup_null c 1 3"),
+	      "mknod", "unexpected mknod on _null\n");
+	CHECK(system("rm -f /tmp/test_dev_cgroup_null"), "rm",
+	      "unexpected rm on _null\n");
+
+	/* /dev/zero is whitelisted */
+	CHECK(system("rm -f /tmp/test_dev_cgroup_zero"), "rm",
+	      "unexpected rm on _zero\n");
+	CHECK(system("mknod /tmp/test_dev_cgroup_zero c 1 5"),
+	      "mknod", "unexpected mknod on _zero\n");
+	CHECK(system("rm -f /tmp/test_dev_cgroup_zero"), "rm",
+	      "unexpected rm on _zero\n");
+
+	CHECK(system("dd if=/dev/urandom of=/dev/zero count=64"), "dd",
+	      "unexpected dd on /dev/zero\n");
+
+	/* src is allowed, target is forbidden */
+	CHECK(!system("dd if=/dev/urandom of=/dev/full count=64"), "dd",
+	      "unexpected dd on /dev/full\n");
+
+	/* src is forbidden, target is allowed */
+	CHECK(!system("dd if=/dev/random of=/dev/zero count=64"), "dd",
+	      "unexpected dd on /dev/zero\n");
+
+cleanup:
+	cleanup_cgroup_environment();
+	dev_cgroup__destroy(skel);
+}
diff --git a/tools/testing/selftests/bpf/test_dev_cgroup.c b/tools/testing/selftests/bpf/test_dev_cgroup.c
deleted file mode 100644
index adeaf63cb6fa3..0000000000000
--- a/tools/testing/selftests/bpf/test_dev_cgroup.c
+++ /dev/null
@@ -1,85 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/* Copyright (c) 2017 Facebook
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-#include <assert.h>
-#include <sys/time.h>
-
-#include <linux/bpf.h>
-#include <bpf/bpf.h>
-#include <bpf/libbpf.h>
-
-#include "cgroup_helpers.h"
-#include "testing_helpers.h"
-
-#define DEV_CGROUP_PROG "./dev_cgroup.bpf.o"
-
-#define TEST_CGROUP "/test-bpf-based-device-cgroup/"
-
-int main(int argc, char **argv)
-{
-	struct bpf_object *obj;
-	int error = EXIT_FAILURE;
-	int prog_fd, cgroup_fd;
-	__u32 prog_cnt;
-
-	/* Use libbpf 1.0 API mode */
-	libbpf_set_strict_mode(LIBBPF_STRICT_ALL);
-
-	if (bpf_prog_test_load(DEV_CGROUP_PROG, BPF_PROG_TYPE_CGROUP_DEVICE,
-			  &obj, &prog_fd)) {
-		printf("Failed to load DEV_CGROUP program\n");
-		goto out;
-	}
-
-	cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
-	if (cgroup_fd < 0) {
-		printf("Failed to create test cgroup\n");
-		goto out;
-	}
-
-	/* Attach bpf program */
-	if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) {
-		printf("Failed to attach DEV_CGROUP program");
-		goto err;
-	}
-
-	if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL,
-			   &prog_cnt)) {
-		printf("Failed to query attached programs");
-		goto err;
-	}
-
-	/* All operations with /dev/zero and and /dev/urandom are allowed,
-	 * everything else is forbidden.
-	 */
-	assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
-	assert(system("mknod /tmp/test_dev_cgroup_null c 1 3"));
-	assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
-
-	/* /dev/zero is whitelisted */
-	assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
-	assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
-	assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
-
-	assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
-
-	/* src is allowed, target is forbidden */
-	assert(system("dd if=/dev/urandom of=/dev/full count=64"));
-
-	/* src is forbidden, target is allowed */
-	assert(system("dd if=/dev/random of=/dev/zero count=64"));
-
-	error = 0;
-	printf("test_dev_cgroup:PASS\n");
-
-err:
-	cleanup_cgroup_environment();
-
-out:
-	return error;
-}
-- 
2.42.0

Re: [PATCH] selftests/bpf: Move test_dev_cgroup to prog_tests

[Daniel Borkmann]

Hi Muhammad,

Small nit, pls use $subj: [PATCH bpf-next]

On 2/15/24 1:01 PM, Muhammad Usama Anjum wrote:
> Move test_dev_cgroup to prog_tests to be able to run it with test_progs.
> Replace dev_cgroup.bpf.o with skel header file, dev_cgroup.skel.h and
> load program from it accourdingly.
> 
>    ./test_progs -t test_dev_cgroup
>    mknod: /tmp/test_dev_cgroup_null: Operation not permitted
>    64+0 records in
>    64+0 records out
>    32768 bytes (33 kB, 32 KiB) copied, 0.000856684 s, 38.2 MB/s
>    dd: failed to open '/dev/full': Operation not permitted
>    dd: failed to open '/dev/random': Operation not permitted
>    #365     test_dev_cgroup:OK
>    Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
> 
> Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>

BPF CI currently fails this with :

https://github.com/kernel-patches/bpf/actions/runs/7924507406/job/21636353124

   [...]
   All error logs:
   test_test_dev_cgroup:PASS:skel_open_and_load 0 nsec
   test_test_dev_cgroup:PASS:cgroup_setup_and_join 0 nsec
   test_test_dev_cgroup:PASS:bpf_attach 0 nsec
   test_test_dev_cgroup:PASS:bpf_query 0 nsec
   test_test_dev_cgroup:PASS:rm 0 nsec
   test_test_dev_cgroup:PASS:mknod 0 nsec
   test_test_dev_cgroup:PASS:rm 0 nsec
   test_test_dev_cgroup:PASS:rm 0 nsec
   test_test_dev_cgroup:FAIL:mknod unexpected mknod on _zero
   test_test_dev_cgroup:PASS:rm 0 nsec
   test_test_dev_cgroup:PASS:dd 0 nsec
   test_test_dev_cgroup:PASS:dd 0 nsec
   test_test_dev_cgroup:PASS:dd 0 nsec
   (cgroup_helpers.c:353: errno: Device or resource busy) umount cgroup2
   #366     test_dev_cgroup:FAIL
   Summary: 517/3837 PASSED, 53 SKIPPED, 1 FAILED

You can also use vmtest.sh tool to check locally :

   # ./vmtest.sh -- ./test_progs -t test_dev_cgroup

> diff --git a/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c b/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
> new file mode 100644
> index 0000000000000..ee37ce52dec9f
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
> @@ -0,0 +1,67 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/* Copyright (c) 2017 Facebook
> + */
> +
> +#include <test_progs.h>
> +#include <time.h>
> +#include "cgroup_helpers.h"
> +#include "dev_cgroup.skel.h"
> +
> +#define TEST_CGROUP "/test-bpf-based-device-cgroup/"
> +
> +void test_test_dev_cgroup(void)

nit: test_dev_cgroup ?

> +{
> +	int cgroup_fd, err, duration = 0;
> +	struct dev_cgroup *skel;
> +	__u32 prog_cnt;
> +
> +	skel = dev_cgroup__open_and_load();
> +	if (CHECK(!skel, "skel_open_and_load", "failed\n"))
> +		goto cleanup;

Nit: please use ASSERT_* macros everywhere, the CHECK() is deprecated.

> +	cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
> +	if (CHECK(cgroup_fd < 0, "cgroup_setup_and_join", "failed: %d\n", cgroup_fd))
> +		goto cleanup;
> +
> +	err = bpf_prog_attach(bpf_program__fd(skel->progs.bpf_prog1), cgroup_fd,
> +			      BPF_CGROUP_DEVICE, 0);
> +	if (CHECK(err, "bpf_attach", "failed: %d\n", err))
> +		goto cleanup;
> +
> +	err = bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL, &prog_cnt);
> +	if (CHECK(err || prog_cnt != 1, "bpf_query", "failed: %d %d\n", err, prog_cnt))
> +		goto cleanup;
> +
> +	/* All operations with /dev/zero and /dev/urandom are allowed,
> +	 * everything else is forbidden.
> +	 */
> +	CHECK(system("rm -f /tmp/test_dev_cgroup_null"), "rm",
> +	      "unexpected rm on _null\n");
> +	CHECK(!system("mknod /tmp/test_dev_cgroup_null c 1 3"),
> +	      "mknod", "unexpected mknod on _null\n");
> +	CHECK(system("rm -f /tmp/test_dev_cgroup_null"), "rm",
> +	      "unexpected rm on _null\n");
> +
> +	/* /dev/zero is whitelisted */
> +	CHECK(system("rm -f /tmp/test_dev_cgroup_zero"), "rm",
> +	      "unexpected rm on _zero\n");
> +	CHECK(system("mknod /tmp/test_dev_cgroup_zero c 1 5"),
> +	      "mknod", "unexpected mknod on _zero\n");
> +	CHECK(system("rm -f /tmp/test_dev_cgroup_zero"), "rm",
> +	      "unexpected rm on _zero\n");
> +
> +	CHECK(system("dd if=/dev/urandom of=/dev/zero count=64"), "dd",
> +	      "unexpected dd on /dev/zero\n");
> +
> +	/* src is allowed, target is forbidden */
> +	CHECK(!system("dd if=/dev/urandom of=/dev/full count=64"), "dd",
> +	      "unexpected dd on /dev/full\n");
> +
> +	/* src is forbidden, target is allowed */
> +	CHECK(!system("dd if=/dev/random of=/dev/zero count=64"), "dd",
> +	      "unexpected dd on /dev/zero\n");
> +
> +cleanup:
> +	cleanup_cgroup_environment();
> +	dev_cgroup__destroy(skel);
> +}

Thanks,
Daniel

Re: [PATCH] selftests/bpf: Move test_dev_cgroup to prog_tests

[Muhammad Usama Anjum]

Thank you for review. I'll fix.

On 2/16/24 10:25 PM, Daniel Borkmann wrote:
> Hi Muhammad,
> 
> Small nit, pls use $subj: [PATCH bpf-next]
Sure, I'll update.

> 
> On 2/15/24 1:01 PM, Muhammad Usama Anjum wrote:
>> Move test_dev_cgroup to prog_tests to be able to run it with test_progs.
>> Replace dev_cgroup.bpf.o with skel header file, dev_cgroup.skel.h and
>> load program from it accourdingly.
>>
>>    ./test_progs -t test_dev_cgroup
>>    mknod: /tmp/test_dev_cgroup_null: Operation not permitted
>>    64+0 records in
>>    64+0 records out
>>    32768 bytes (33 kB, 32 KiB) copied, 0.000856684 s, 38.2 MB/s
>>    dd: failed to open '/dev/full': Operation not permitted
>>    dd: failed to open '/dev/random': Operation not permitted
>>    #365     test_dev_cgroup:OK
>>    Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
>>
>> Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
> 
> BPF CI currently fails this with :
> 
> https://github.com/kernel-patches/bpf/actions/runs/7924507406/job/21636353124
> 
>   [...]
>   All error logs:
>   test_test_dev_cgroup:PASS:skel_open_and_load 0 nsec
>   test_test_dev_cgroup:PASS:cgroup_setup_and_join 0 nsec
>   test_test_dev_cgroup:PASS:bpf_attach 0 nsec
>   test_test_dev_cgroup:PASS:bpf_query 0 nsec
>   test_test_dev_cgroup:PASS:rm 0 nsec
>   test_test_dev_cgroup:PASS:mknod 0 nsec
>   test_test_dev_cgroup:PASS:rm 0 nsec
>   test_test_dev_cgroup:PASS:rm 0 nsec
>   test_test_dev_cgroup:FAIL:mknod unexpected mknod on _zero
>   test_test_dev_cgroup:PASS:rm 0 nsec
>   test_test_dev_cgroup:PASS:dd 0 nsec
>   test_test_dev_cgroup:PASS:dd 0 nsec
>   test_test_dev_cgroup:PASS:dd 0 nsec
>   (cgroup_helpers.c:353: errno: Device or resource busy) umount cgroup2
>   #366     test_dev_cgroup:FAIL
>   Summary: 517/3837 PASSED, 53 SKIPPED, 1 FAILED
> 
> You can also use vmtest.sh tool to check locally :
> 
>   # ./vmtest.sh -- ./test_progs -t test_dev_cgroup
It is passing on my side on next-20240207 and next-20240218. I'll test
again by running all the tests with test_progs. Maybe something else is
making it fail.

> 
>> diff --git a/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
>> b/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
>> new file mode 100644
>> index 0000000000000..ee37ce52dec9f
>> --- /dev/null
>> +++ b/tools/testing/selftests/bpf/prog_tests/test_dev_cgroup.c
>> @@ -0,0 +1,67 @@
>> +// SPDX-License-Identifier: GPL-2.0-only
>> +/* Copyright (c) 2017 Facebook
>> + */
>> +
>> +#include <test_progs.h>
>> +#include <time.h>
>> +#include "cgroup_helpers.h"
>> +#include "dev_cgroup.skel.h"
>> +
>> +#define TEST_CGROUP "/test-bpf-based-device-cgroup/"
>> +
>> +void test_test_dev_cgroup(void)
> 
> nit: test_dev_cgroup ?
I was trying not to rename the file. I'll rename the file.

> 
>> +{
>> +    int cgroup_fd, err, duration = 0;
>> +    struct dev_cgroup *skel;
>> +    __u32 prog_cnt;
>> +
>> +    skel = dev_cgroup__open_and_load();
>> +    if (CHECK(!skel, "skel_open_and_load", "failed\n"))
>> +        goto cleanup;

> 
> Nit: please use ASSERT_* macros everywhere, the CHECK() is deprecated.
I'd not any deprecated notice/comment. I'll use ASSERT_* from now on.

> 
>> +    cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
>> +    if (CHECK(cgroup_fd < 0, "cgroup_setup_and_join", "failed: %d\n",
>> cgroup_fd))
>> +        goto cleanup;
>> +
>> +    err = bpf_prog_attach(bpf_program__fd(skel->progs.bpf_prog1),
>> cgroup_fd,
>> +                  BPF_CGROUP_DEVICE, 0);
>> +    if (CHECK(err, "bpf_attach", "failed: %d\n", err))
>> +        goto cleanup;
>> +
>> +    err = bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL,
>> &prog_cnt);
>> +    if (CHECK(err || prog_cnt != 1, "bpf_query", "failed: %d %d\n", err,
>> prog_cnt))
>> +        goto cleanup;
>> +
>> +    /* All operations with /dev/zero and /dev/urandom are allowed,
>> +     * everything else is forbidden.
>> +     */
>> +    CHECK(system("rm -f /tmp/test_dev_cgroup_null"), "rm",
>> +          "unexpected rm on _null\n");
>> +    CHECK(!system("mknod /tmp/test_dev_cgroup_null c 1 3"),
>> +          "mknod", "unexpected mknod on _null\n");
>> +    CHECK(system("rm -f /tmp/test_dev_cgroup_null"), "rm",
>> +          "unexpected rm on _null\n");
>> +
>> +    /* /dev/zero is whitelisted */
>> +    CHECK(system("rm -f /tmp/test_dev_cgroup_zero"), "rm",
>> +          "unexpected rm on _zero\n");
>> +    CHECK(system("mknod /tmp/test_dev_cgroup_zero c 1 5"),
>> +          "mknod", "unexpected mknod on _zero\n");
>> +    CHECK(system("rm -f /tmp/test_dev_cgroup_zero"), "rm",
>> +          "unexpected rm on _zero\n");
>> +
>> +    CHECK(system("dd if=/dev/urandom of=/dev/zero count=64"), "dd",
>> +          "unexpected dd on /dev/zero\n");
>> +
>> +    /* src is allowed, target is forbidden */
>> +    CHECK(!system("dd if=/dev/urandom of=/dev/full count=64"), "dd",
>> +          "unexpected dd on /dev/full\n");
>> +
>> +    /* src is forbidden, target is allowed */
>> +    CHECK(!system("dd if=/dev/random of=/dev/zero count=64"), "dd",
>> +          "unexpected dd on /dev/zero\n");
>> +
>> +cleanup:
>> +    cleanup_cgroup_environment();
>> +    dev_cgroup__destroy(skel);
>> +}
> 
> Thanks,
> Daniel
> 

-- 
BR,
Muhammad Usama Anjum