Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cgroupv2 devices needs unit tests and a minor rework #2797

Closed
cyphar opened this issue Feb 8, 2021 · 7 comments
Closed

cgroupv2 devices needs unit tests and a minor rework #2797

cyphar opened this issue Feb 8, 2021 · 7 comments
Assignees
@cyphar
Labels
area/cgroupv2 area/ci area/ebpf enhancement
Milestone
1.0.0

Comments

@cyphar
Copy link
Member

cyphar commented Feb 8, 2021

Based on #2796 and #2793, it looks like the eBPF devices code needs some more tests to make sure it's acting properly. If we can do emulation of the BPF program (like I did for seccomp), that would be ideal.
@cyphar cyphar added this to the 1.0.0-rc94 milestone Feb 8, 2021
@cyphar cyphar mentioned this issue Feb 8, 2021
Merged
@cyphar
Copy link
Member Author

cyphar commented Feb 8, 2021

I also have a feeling the wildcard behaviour is wrong -- maybe we should use the devices cgroup emulator to get the computed minimal ruleset and then generate a program based on that?

@cyphar cyphar changed the title cgroupv2 devices needs unit tests cgroupv2 devices needs unit tests and a minor rework Feb 8, 2021
@cyphar
Copy link
Member Author

cyphar commented Feb 24, 2021

I'm working on this now. I think it's quite critical for devices cgroup security on cgroupv2.

@cyphar cyphar self-assigned this Feb 24, 2021
@h-vetinari h-vetinari mentioned this issue Mar 16, 2021
Closed
@cyphar cyphar modified the milestones: 1.0.0-rc94, 1.0.0 Apr 2, 2021
@h-vetinari
Copy link

Any update on this effort?

@cyphar
Copy link
Member Author

cyphar commented May 10, 2021
edited
Loading

It seems that we would need to implement the BPF generation ourselves. Now, I do now have experience with doing this thanks to the lovely experience with seccomp, but I'm a little bit apprehensive about doing it entirely ourselves. Unless it turns out to be simpler than it looks, it's probably going to be a post-1.0 thing. (Especially since the behaviour with updating also needs to be taken into consideration -- see #2366.)

@cyphar
Copy link
Member Author

cyphar commented May 12, 2021

Actually, looking at this again, this might not be too hard to do since cilium supports testing eBPF programs (though rather than doing emulation -- which is what golang.org/x/net does -- eBPF testing is actually done in-kernel).

@cyphar
Copy link
Member Author

cyphar commented May 12, 2021

Ah, the kernel doesn't support BPF_PROG_TEST_RUN for prog_type=BPF_PROG_TYPE_CGROUP_DEVICE. That sucks. In that case we can't really add unit tests right now, but I'll work on sending a patch upstream to support this.

@cyphar cyphar mentioned this issue May 12, 2021
Merged
@AkihiroSuda
Copy link
Member

Merged #2951

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cyphar cyphar

Labels
area/cgroupv2 area/ci area/ebpf enhancement
Projects
None yet
Milestone
1.0.0
Development

No branches or pull requests
4 participants
@cyphar @kolyshkin @AkihiroSuda @h-vetinari