
Skip `lsm_cgroup` when loading fails

squash into proper check
Tamir Duberstein 2 weeks ago
parent
commit
54bd3ac202
2 changed files with 24 additions and 5 deletions
  1. 5 2
      aya/src/sys/feature_probe.rs
  2. 19 3
      test/integration-test/src/tests/lsm.rs

+ 5 - 2
aya/src/sys/feature_probe.rs

@@ -21,7 +21,7 @@ use super::{
 use crate::{
     MockableFd,
     maps::MapType,
-    programs::{ProgramError, ProgramType},
+    programs::{LsmAttachType, ProgramError, ProgramType},
     util::page_size,
 };
 
@@ -159,7 +159,10 @@ pub fn is_program_supported(program_type: ProgramType) -> Result<bool, ProgramEr
                 // explicitly.
                 //
                 // h/t to https://www.exein.io/blog/exploring-bpf-lsm-support-on-aarch64-with-ftrace.
-                if !matches!(program_type, ProgramType::Lsm(_)) {
+                //
+                // The same test for cGroup LSM programs would require attaching to a real cgroup,
+                // which is more involved and not possible in the general case.
+                if !matches!(program_type, ProgramType::Lsm(LsmAttachType::Mac)) {
                     Ok(true)
                 } else {
                     match bpf_raw_tracepoint_open(None, prog_fd.as_fd()) {
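Review bot: With the narrowed `matches!` at the new condition, `is_program_supported(ProgramType::Lsm(LsmAttachType::Cgroup))` now answers only whether the program loads, whereas the `Mac` variant is additionally attach-probed through `bpf_raw_tracepoint_open`; the in-line comment gives the reason, but the function's own doc comment (the body of `is_program_supported` begins before this hunk, so I cannot see whether it already says so) should spell out the weaker guarantee so callers do not use the result to gate an attach, e.g. `/// For [`ProgramType::Lsm`] with [`LsmAttachType::Cgroup`] only loading is probed; attach-time failures are not detected.` The new comment also writes `cGroup`, which matches neither the `Cgroup` variant name nor the lowercase `cgroup` used later in the same sentence; `cgroup` would be consistent.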

+ 19 - 3
test/integration-test/src/tests/lsm.rs

@@ -3,6 +3,7 @@ use aya::{
     Btf, Ebpf,
     programs::{Lsm, LsmAttachType, LsmCgroup, ProgramError, ProgramType},
     sys::{SyscallError, is_program_supported},
+    util::KernelVersion,
 };
 
 use crate::utils::Cgroup;
@@ -57,7 +58,19 @@ fn lsm_cgroup() {
     let prog = bpf.program_mut("test_lsm_cgroup").unwrap();
     let prog: &mut LsmCgroup = prog.try_into().unwrap();
     let btf = Btf::from_sys_fs().expect("could not get btf from sys");
-    prog.load("socket_bind", &btf).unwrap();
+    match prog.load("socket_bind", &btf) {
+        Ok(()) => {}
+        Err(err) => match err {
+            ProgramError::LoadError { io_error, .. }
+                if !is_program_supported(ProgramType::Lsm(LsmAttachType::Cgroup)).unwrap() =>
+            {
+                assert_eq!(io_error.raw_os_error(), Some(libc::EINVAL));
+                eprintln!("skipping test - LSM cgroup programs not supported at load");
+                return;
+            }
+            err => panic!("unexpected error loading LSM cgroup program: {err}"),
+        },
+    }
 
     assert_matches!(std::net::TcpListener::bind("127.0.0.1:0"), Ok(_));
 
@@ -68,12 +81,15 @@ fn lsm_cgroup() {
     let link_id = {
         let result = prog.attach(cgroup.fd());
 
-        if !is_program_supported(ProgramType::Lsm(LsmAttachType::Cgroup)).unwrap() {
+        // See https://www.exein.io/blog/exploring-bpf-lsm-support-on-aarch64-with-ftrace.
+        if cfg!(target_arch = "aarch64")
+            && KernelVersion::current().unwrap() < KernelVersion::new(6, 4, 0)
+        {
             assert_matches!(result, Err(ProgramError::SyscallError(SyscallError { call, io_error })) => {
                 assert_eq!(call, "bpf_link_create");
                 assert_eq!(io_error.raw_os_error(), Some(524));
             });
-            eprintln!("skipping test - LSM programs not supported");
+            eprintln!("skipping test - LSM cgroup programs not supported at attach");
             return;
         }
         result.unwrap()
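Review bot: The skip path in the new aarch64/kernel-version branch still asserts a bare `Some(524)`, and nothing on the page says what that errno is, so a reader cannot check that the condition and the expected error agree; add `// 524 is ENOTSUPP, a kernel-internal errno that libc does not export` above the `assert_eq!(io_error.raw_os_error(), Some(524));` line. `KernelVersion::current().unwrap()` in the new condition panics with only the `Err` payload when the version cannot be read; in a test `.expect("failed to determine running kernel version")` makes that failure distinguishable from the attach failure under test. The earlier hunk's load-error arm likewise calls `is_program_supported(...).unwrap()` inside a match guard, which would benefit from the same `expect` for the same reason. `lsm_cgroup` starts before the second hunk and its body continues past the end of this one.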