[Devel] [PATCH RHEL10 COMMIT] selftests/ve_devcg_bpf: add prog_query_denied test
Konstantin Khorenko
khorenko at virtuozzo.com
Wed May 20 16:01:59 MSK 2026
The commit is pushed to "branch-rh10-6.12.0-55.52.1.5.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-55.52.1.5.27.vz10
------>
commit a72a363fb7aff1d135ac6aa8c6314f66ff99cc5b
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Mon May 18 18:10:18 2026 +0200
selftests/ve_devcg_bpf: add prog_query_denied test
Add a test that verifies BPF_PROG_QUERY(BPF_CGROUP_DEVICE) is denied
with EPERM when VE_FEATURE_BPF is not enabled, complementing the
existing prog_load_denied test.
https://virtuozzo.atlassian.net/browse/VSTOR-126504
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Feature: ve: allow BPF in Containers
---
.../selftests/ve_devcg_bpf/ve_devcg_bpf_test.c | 44 ++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c b/tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c
index b887ec73e18e2..0a04298149290 100644
--- a/tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c
+++ b/tools/testing/selftests/ve_devcg_bpf/ve_devcg_bpf_test.c
@@ -92,6 +92,7 @@ enum {
TEST_PROG_QUERY,
TEST_PROG_QUERY_EFFECTIVE_DENIED,
TEST_PROG_QUERY_ROOT_DENIED,
+ TEST_PROG_QUERY_DENIED,
TEST_PROG_ATTACH_QUERY,
TEST_PROG_LOAD_OVERSIZED_DENIED,
};
@@ -222,6 +223,36 @@ static int test_prog_query(int ve_cg_fd)
return (ret < 0) ? 3 : 0;
}
+static int test_prog_query_denied(int ve_cg_fd)
+{
+ union bpf_attr attr;
+ int cg_fd, ret, saved_errno;
+
+ if (mkdirat(ve_cg_fd, "subcg", 0755))
+ return 1;
+
+ cg_fd = openat(ve_cg_fd, "subcg", O_RDONLY | O_DIRECTORY);
+ if (cg_fd < 0) {
+ unlinkat(ve_cg_fd, "subcg", AT_REMOVEDIR);
+ return 2;
+ }
+
+ memset(&attr, 0, sizeof(attr));
+ attr.query.target_fd = cg_fd;
+ attr.query.attach_type = BPF_CGROUP_DEVICE;
+
+ ret = syscall(__NR_bpf, BPF_PROG_QUERY, &attr, sizeof(attr));
+ saved_errno = errno;
+
+ close(cg_fd);
+ unlinkat(ve_cg_fd, "subcg", AT_REMOVEDIR);
+
+ if (ret == 0)
+ return 3;
+
+ return (saved_errno == EPERM) ? 0 : 4;
+}
+
static int test_prog_query_effective_denied(int ve_cg_fd)
{
union bpf_attr attr;
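Review bot: An EPERM from the BPF_PROG_QUERY call does not by itself prove the VE_FEATURE_BPF gate fired: as far as I recall, the upstream bpf_prog_query() path also returns -EPERM from its generic capability check, so if the child spawned by run_vzct() ends up without the relevant capability the test passes for the wrong reason. Since the positive prog_attach_query test runs in the same setup it serves as the control, but that dependency should be stated above the syscall, e.g. `/* EPERM is also what the generic capability check returns; this relies on the same child capabilities the prog_attach_query test exercises. */`. A second, smaller point: a leftover "subcg" from an aborted earlier run makes mkdirat() fail with EEXIST and the test returns 1, which reads as a setup error rather than a denial result; `if (mkdirat(ve_cg_fd, "subcg", 0755) && errno != EEXIST) return 1;` would keep reruns robust, mirroring the unconditional unlinkat() cleanup already done on both exit paths.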
@@ -412,6 +443,9 @@ int child_func(void *arg)
case TEST_PROG_QUERY_EFFECTIVE_DENIED:
ret = test_prog_query_effective_denied(ve_cg_fd);
break;
+ case TEST_PROG_QUERY_DENIED:
+ ret = test_prog_query_denied(ve_cg_fd);
+ break;
case TEST_PROG_QUERY_ROOT_DENIED:
ret = test_prog_query_root_denied(ve_cg_fd);
break;
@@ -610,6 +644,16 @@ TEST_F(ve_devcg_bpf, prog_query_root_denied)
TEST_PROG_QUERY_ROOT_DENIED), 0);
}
+/*
+ * Without VE_FEATURE_BPF, querying BPF_CGROUP_DEVICE programs on a
+ * descendant cgroup inside VE should fail with EPERM.
+ */
+TEST_F(ve_devcg_bpf, prog_query_denied)
+{
+ ASSERT_EQ(run_vzct(_metadata, self->cgv2_fd, self->ctid,
+ TEST_PROG_QUERY_DENIED), 0);
+}
+
/*
* With VE_FEATURE_BPF, loading a BPF_PROG_TYPE_CGROUP_DEVICE program,
* attaching it to a descendant cgroup, and querying it back should all