[Devel] [PATCH vz10 2/3] selftests/ve_devcg_bpf: add prog_query_denied test
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Tue May 19 13:39:31 MSK 2026
Important scenario, thanks!
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
On 5/18/26 18:17, Konstantin Khorenko wrote:
> Add a test that verifies BPF_PROG_QUERY(BPF_CGROUP_DEVICE) is denied
> with EPERM when VE_FEATURE_BPF is not enabled, complementing the
> existing prog_load_denied test.
>
> https://virtuozzo.atlassian.net/browse/VSTOR-126504
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
>
> Feature: ve: allow BPF in Containers
> ---
> .../ve_devcg_bpf/ve_devcg_bpf_test.c | 44 +++++++++++++++++++
> 1 file changed, 44 insertions(+)
>
> diff --git a/tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c b/tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c
> index b887ec73e18e2..0a04298149290 100644
> --- a/tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c
> +++ b/tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c
> @@ -92,6 +92,7 @@ enum {
> TEST_PROG_QUERY,
> TEST_PROG_QUERY_EFFECTIVE_DENIED,
> TEST_PROG_QUERY_ROOT_DENIED,
> + TEST_PROG_QUERY_DENIED,
> TEST_PROG_ATTACH_QUERY,
> TEST_PROG_LOAD_OVERSIZED_DENIED,
> };
> @@ -222,6 +223,36 @@ static int test_prog_query(int ve_cg_fd)
> return (ret < 0) ? 3 : 0;
> }
>
> +static int test_prog_query_denied(int ve_cg_fd)
> +{
> + union bpf_attr attr;
> + int cg_fd, ret, saved_errno;
> +
> + if (mkdirat(ve_cg_fd, "subcg", 0755))
> + return 1;
> +
> + cg_fd = openat(ve_cg_fd, "subcg", O_RDONLY | O_DIRECTORY);
> + if (cg_fd < 0) {
> + unlinkat(ve_cg_fd, "subcg", AT_REMOVEDIR);
> + return 2;
> + }
> +
> + memset(&attr, 0, sizeof(attr));
> + attr.query.target_fd = cg_fd;
> + attr.query.attach_type = BPF_CGROUP_DEVICE;
> +
> + ret = syscall(__NR_bpf, BPF_PROG_QUERY, &attr, sizeof(attr));
> + saved_errno = errno;
> +
> + close(cg_fd);
> + unlinkat(ve_cg_fd, "subcg", AT_REMOVEDIR);
> +
> + if (ret == 0)
> + return 3;
> +
> + return (saved_errno == EPERM) ? 0 : 4;
> +}
> +
> static int test_prog_query_effective_denied(int ve_cg_fd)
> {
> union bpf_attr attr;
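Review bot: when the query fails with an errno other than EPERM, test_prog_query_denied() returns 4 and the observed errno is discarded, so a regression that turns the EPERM into, say, EACCES or EINVAL shows up in the TEST_F only as "child returned 4"; printing saved_errno (or errno's strerror) before the `return (saved_errno == EPERM) ? 0 : 4;` line, or mapping the common cases to distinct return codes, would make such a failure diagnosable from the test log. A second, smaller point in the same function: a stale "subcg" left behind by an earlier aborted run makes mkdirat() fail with EEXIST and the test returns 1 before the bpf() call is ever issued; tolerating EEXIST there (or removing a stale directory first) keeps a leftover from a previous run from masquerading as a failure of this test.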
> @@ -412,6 +443,9 @@ int child_func(void *arg)
> case TEST_PROG_QUERY_EFFECTIVE_DENIED:
> ret = test_prog_query_effective_denied(ve_cg_fd);
> break;
> + case TEST_PROG_QUERY_DENIED:
> + ret = test_prog_query_denied(ve_cg_fd);
> + break;
> case TEST_PROG_QUERY_ROOT_DENIED:
> ret = test_prog_query_root_denied(ve_cg_fd);
> break;
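Review bot: the new `case TEST_PROG_QUERY_DENIED:` is inserted between the TEST_PROG_QUERY_EFFECTIVE_DENIED and TEST_PROG_QUERY_ROOT_DENIED cases here, while the enum hunk adds TEST_PROG_QUERY_DENIED after TEST_PROG_QUERY_ROOT_DENIED; keeping the switch in enum order (placing the case after the TEST_PROG_QUERY_ROOT_DENIED case, as the enum does) makes a missing or duplicated case easier to spot as the list of tests grows.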
> @@ -610,6 +644,16 @@ TEST_F(ve_devcg_bpf, prog_query_root_denied)
> TEST_PROG_QUERY_ROOT_DENIED), 0);
> }
>
> +/*
> + * Without VE_FEATURE_BPF, querying BPF_CGROUP_DEVICE programs on a
> + * descendant cgroup inside VE should fail with EPERM.
> + */
> +TEST_F(ve_devcg_bpf, prog_query_denied)
> +{
> + ASSERT_EQ(run_vzct(_metadata, self->cgv2_fd, self->ctid,
> + TEST_PROG_QUERY_DENIED), 0);
> +}
> +
> /*
> * With VE_FEATURE_BPF, loading a BPF_PROG_TYPE_CGROUP_DEVICE program,
> * attaching it to a descendant cgroup, and querying it back should all
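Review bot: the comment above TEST_F(ve_devcg_bpf, prog_query_denied) does not say what separates this test from prog_query_effective_denied and prog_query_root_denied, whose names suggest they also exercise BPF_PROG_QUERY on BPF_CGROUP_DEVICE; since test_prog_query_denied() zeroes the whole attr and sets only target_fd and attach_type, this is the plain query (query_flags == 0) on a sub-cgroup of the container, so stating that explicitly, e.g. "Without VE_FEATURE_BPF, a plain (non-effective) BPF_PROG_QUERY of BPF_CGROUP_DEVICE programs on a descendant cgroup inside VE should fail with EPERM.", would make the coverage of the three query tests clear at a glance.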
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.