Re: [PATCH testsuite] tests/bpf: ask for unlimited RLIMIT_MEMLOCK

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 12, 2020 at 1:36 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Mar 12, 2020 at 4:40 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > Currently the code sets it to at most 128K, but this is not enough in
> > some aarch64/ppc64le environments. Therefore, stop guessing the magic
> > threshold and just set it straight to RLIM_INFINITY.
> >
> > Fixes: 8f0f980a4ad5 ("selinux-testsuite: Add BPF tests")
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> >  tests/bpf/bpf_common.c | 16 ++++------------
> >  1 file changed, 4 insertions(+), 12 deletions(-)
>
> I have to make a similar fix to the audit-testsuite earlier this week,
> I didn't think to check the selinux-testsuite because the bpf tests
> were running just fine on my aarch64 test system.  Sorry about that, I
> should have checked regardless.

No problem, I had kept the bpf subtest disabled on non-x86_64 in our
testing for some time, since it was failing there and I didn't know
why. Once I saw your audit-testsuite patch I realized that it was
probably the same issue so I did some testing and indeed the
RLIMIT_MEMLOCK was the cause so I put together a patch.

>
> One small style nit below, but otherwise ...
>
> Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> > diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c
> > index 681e2eb..f499034 100644
> > --- a/tests/bpf/bpf_common.c
> > +++ b/tests/bpf/bpf_common.c
> > @@ -41,24 +41,16 @@ int create_bpf_prog(void)
> >
> >  /*
> >   * The default RLIMIT_MEMLOCK is normally 64K, however BPF map/prog requires
> > - * more than this so double it unless RLIM_INFINITY is set.
> > + * more than this (the actual threshold varying across arches) so set it to
> > + * RLIM_INFINITY.
> >   */
> >  void bpf_setrlimit(void)
> >  {
> >         int result;
> >         struct rlimit r;
> >
> > -       result = getrlimit(RLIMIT_MEMLOCK, &r);
> > -       if (result < 0) {
> > -               fprintf(stderr, "Failed to get resource limit: %s\n",
> > -                       strerror(errno));
> > -               exit(-1);
> > -       }
> > -
> > -       if (r.rlim_cur != RLIM_INFINITY && r.rlim_cur <= (64 * 1024)) {
> > -               r.rlim_cur *= 2;
> > -               r.rlim_max *= 2;
> > -       }
> > +       r.rlim_cur = RLIM_INFINITY;
> > +       r.rlim_max = RLIM_INFINITY;
>
> If you really want to simplify things you could assign those values
> when you declare "r":
>
> struct rlimit r = {
>   .rlim_cur = RLIM_INFINITY,
>   .rlim_max = RLIM_INFINITY };

True, but I don't think the difference is big enough to respin the patch.

>
> >         result = setrlimit(RLIMIT_MEMLOCK, &r);
> >         if (result < 0) {
> > --
> > 2.24.1
>
> --
> paul moore
> www.paul-moore.com
>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux