pkg/sensors/tracing: fix enforcer security tests
Because of the root-images update in the previous commit, the enforcer security
tests started failing. After investigation, we realized that the
difference was that the old image mounted /tmp on the disk fs and the
new one with tmpfs. Then the direct-write-tester.c program was failing
using O_DIRECT (because apparently it fails on tmpfs). It failed
silently on recent Linux versions, however, because O_DIRECT on tmpfs
might just be a noop.

/var/tmp should be backed by disk so it should be a fix for our issue.

Signed-off-by: Mahe Tardy <[email protected]>
mtardy committed Jul 18, 2024
1 parent 9e8f005 commit 1e9b9c7
Showing 1 changed file with 18 additions and 2 deletions.
20 changes: 18 additions & 2 deletions pkg/sensors/tracing/enforcer_test.go
Expand Up @@ -296,6 +296,22 @@ func testSecurity(t *testing.T, tracingPolicy, tempFile string) {
}
}

func enforcerSecurityTempFile(t *testing.T) string {
// We can't use t.TempDir as it writes into /tmp by default.
// The direct-write-tester.c program opens and writes using the O_DIRECT
// flag that is unsupported and return EINVAL on tmpfs, while it works on a
// disk based fs. Recently, the base image used by vmtests started to switch
// /tmp from the disk to tmpfs which made that test fail.
tempFile, err := os.CreateTemp("/var/tmp", "tetragon-testfile-*")
if err != nil {
t.Fatalf("failed to create temporary file for tester prog: %s", err)
}
t.Cleanup(func() {
os.Remove(tempFile.Name())
})
return tempFile.Name()
}

// Testing the ability to kill the process before it executes the syscall,
// in this case direct pwrite syscall.
// Standard Sigkill action kills executed from sys_pwrite probe kills the
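Review bot: In enforcerSecurityTempFile, the *os.File returned by os.CreateTemp is never closed; only tempFile.Name() is used, so the descriptor stays open for the rest of the test run. Call tempFile.Close() right after the error check and fail the test if it returns an error. Two smaller points in the same helper: the comment says O_DIRECT "return EINVAL on tmpfs" while the commit message says it can be a silent no-op on recent kernels, so the comment should cover both behaviours; and because /var/tmp is not cleaned up by the testing package the way t.TempDir is, logging a failed os.Remove in the cleanup would make leftover tetragon-testfile-* files visible.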
Expand Down Expand Up @@ -325,7 +341,7 @@ func TestEnforcerSecuritySigKill(t *testing.T) {
t.Skip("Older kernels do not support matchArgs for more than one arguments")
}

tempFile := t.TempDir() + "/test"
tempFile := enforcerSecurityTempFile(t)

tracingPolicy := `
apiVersion: cilium.io/v1alpha1
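Review bot: In TestEnforcerSecuritySigKill, `tempFile := enforcerSecurityTempFile(t)` now passes a path to a file that already exists and is empty, whereas `t.TempDir() + "/test"` was a path that did not exist yet. If testSecurity or the tester program decides whether the write was blocked from the file's existence rather than from its size or contents, the test could pass without the enforcer having stopped anything. Please confirm which of the two is checked and note the precondition (file pre-created, empty) in a comment at this call.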
Expand Down Expand Up @@ -412,7 +428,7 @@ func TestEnforcerSecurityNotifyEnforcer(t *testing.T) {
t.Skip("Older kernels do not support matchArgs for more than one arguments")
}

tempFile := t.TempDir() + "/test"
tempFile := enforcerSecurityTempFile(t)

tracingPolicy := `
apiVersion: cilium.io/v1alpha1
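Review bot: At `tempFile := enforcerSecurityTempFile(t)` in TestEnforcerSecurityNotifyEnforcer, the test now depends on /var/tmp being disk-backed, and nothing verifies that. If a later base image moves /var/tmp to tmpfs, this test will break (or, per the commit message, have its O_DIRECT write quietly turn into a no-op) in the same hard-to-diagnose way this commit fixes. Consider having the helper statfs the directory and call t.Skip or t.Fatal with an explicit message when it reports tmpfs, so a security test that is not exercising the direct-write path says so instead of failing or passing for an unrelated reason.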