On Thu, Sep 9, 2021 at 5:13 AM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
>
> Minimal selftest which implements a small BPF policy program to the
> connect(2) hook which rejects TCP connection requests to port 60123
> with EPERM. This is being attached to a non-root cgroup v2 path. The
> test asserts that this works under cgroup v2-only and under a mixed
> cgroup v1/v2 environment where net_classid is set in the former case.
>
> Before fix:
>
>   # ./test_progs -t cgroup_v1v2
>   test_cgroup_v1v2:PASS:server_fd 0 nsec
>   test_cgroup_v1v2:PASS:client_fd 0 nsec
>   test_cgroup_v1v2:PASS:cgroup_fd 0 nsec
>   test_cgroup_v1v2:PASS:server_fd 0 nsec
>   run_test:PASS:skel_open 0 nsec
>   run_test:PASS:prog_attach 0 nsec
>   test_cgroup_v1v2:PASS:cgroup-v2-only 0 nsec
>   run_test:PASS:skel_open 0 nsec
>   run_test:PASS:prog_attach 0 nsec
>   run_test:PASS:join_classid 0 nsec
>   (network_helpers.c:219: errno: None) Unexpected success to connect to server
>   test_cgroup_v1v2:FAIL:cgroup-v1v2 unexpected error: -1 (errno 0)
>   #27 cgroup_v1v2:FAIL
>   Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
>
> After fix:
>
>   # ./test_progs -t cgroup_v1v2
>   #27 cgroup_v1v2:OK
>   Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> ---
>  tools/testing/selftests/bpf/network_helpers.c | 27 +++++--
>  tools/testing/selftests/bpf/network_helpers.h | 1 +
>  .../selftests/bpf/prog_tests/cgroup_v1v2.c | 79 +++++++++++++++++++
>  .../selftests/bpf/progs/connect4_dropper.c | 26 ++++++
>  4 files changed, 127 insertions(+), 6 deletions(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/cgroup_v1v2.c
>  create mode 100644 tools/testing/selftests/bpf/progs/connect4_dropper.c
>

LGTM.

Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>

[...]
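
An added example, not code from the patch or from this thread (the patch's own `connect4_dropper.c` is not shown above): a `cgroup/connect4` policy of the kind the commit message describes, rejecting TCP connects to port 60123, where a return value of 0 makes connect(2) fail with EPERM. The names `connect4_policy`, `BLOCKED_PORT`, `HTONS` and the host-build fallback for `SEC()` are assumptions made for this example.

```c
#include <linux/bpf.h>          /* struct bpf_sock_addr */

/* clang's BPF target defines __bpf__; on a host build SEC() expands to
 * nothing so the decision logic can be exercised in user space (an
 * assumption of this example, not something the patch does). */
#ifdef __bpf__
#define SEC(name) __attribute__((section(name), used))
#else
#define SEC(name)
#endif

/* ctx->user_port holds the destination port in network byte order. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define HTONS(x) ((__u16)__builtin_bswap16((__u16)(x)))
#else
#define HTONS(x) ((__u16)(x))
#endif

#define SOCK_TYPE_STREAM 1      /* numeric value of SOCK_STREAM */
#define SOCK_TYPE_DGRAM  2      /* numeric value of SOCK_DGRAM */
#define BLOCKED_PORT     60123  /* port named in the commit message */
#define VERDICT_REJECT   0      /* connect(2) fails with EPERM */
#define VERDICT_ALLOW    1

SEC("cgroup/connect4")
int connect4_policy(struct bpf_sock_addr *ctx)
{
	/* Only TCP is policed; a UDP connect() to the same port passes. */
	if (ctx->type != SOCK_TYPE_STREAM)
		return VERDICT_ALLOW;
	if (ctx->user_port == HTONS(BLOCKED_PORT))
		return VERDICT_REJECT;
	return VERDICT_ALLOW;
}

#ifndef __bpf__
/* Host-side check on constructed contexts: exits 0 when all verdicts match. */
int main(void)
{
	struct bpf_sock_addr tcp_blocked = { .type = SOCK_TYPE_STREAM, .user_port = HTONS(60123) };
	struct bpf_sock_addr tcp_other   = { .type = SOCK_TYPE_STREAM, .user_port = HTONS(443) };
	struct bpf_sock_addr udp_blocked = { .type = SOCK_TYPE_DGRAM,  .user_port = HTONS(60123) };

	return !(connect4_policy(&tcp_blocked) == VERDICT_REJECT &&
		 connect4_policy(&tcp_other)   == VERDICT_ALLOW &&
		 connect4_policy(&udp_blocked) == VERDICT_ALLOW);
}
#endif
```

Built with clang's BPF target the function lands in the `cgroup/connect4` section; built for the host, `main` runs the three constructed cases.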