bmahler commented on code in PR #538:
URL: https://github.com/apache/mesos/pull/538#discussion_r1543851080
##########
src/tests/containerizer/cgroups2_tests.cpp:
##########
@@ -210,6 +221,119 @@ TEST_F(Cgroups2Test, ROOT_CGROUPS2_EnableAndDisable)
EXPECT_EQ(0u, enabled->count("cpu"));
}
+// Combination of a path and access flags.
+typedef pair<string, int> Access;
+
+using DeviceControllerTestParams = tuple<
+ vector<devices::Entry>,
+ vector<devices::Entry>,
+ vector<Access>,
+ vector<Access>>;
+
+class DeviceControllerTestFixture :
+ public Cgroups2Test,
+ public ::testing::WithParamInterface<DeviceControllerTestParams> {};
+
+
+TEST_P(DeviceControllerTestFixture, ROOT_CGROUPS2_DeviceController) {
+ const string& cgroup = TEST_CGROUP;
+
+ auto params = GetParam();
+ const vector<devices::Entry> allow = std::get<0>(params);
+ const vector<devices::Entry> deny = std::get<1>(params);
+ const vector<Access> allowedAccesses = std::get<2>(params);
+ const vector<Access> blockedAccesses = std::get<3>(params);
+
+ if (!cgroups2::exists(cgroup)) {
+ ASSERT_SOME(cgroups2::create(cgroup));
+ }
+ string path = cgroups2::path(cgroup);
+
+ ASSERT_SOME(devices::configure(cgroup, allow, deny));
+ Try<vector<uint32_t>> attached = ebpf::cgroups2::attached(path);
+ EXPECT_SOME(attached);
+ EXPECT_EQ(1u, attached->size());
+
+ pid_t pid = ::fork();
+ ASSERT_NE(-1, pid);
+
+ if (pid == 0) {
+ // Check that we can only do the "allowedAccesses".
+ foreach(const Access& access, allowedAccesses) {
+ ASSERT_SOME(os::open(access.first, access.second));
+ }
+ foreach(const Access& access, blockedAccesses) {
+ ASSERT_ERROR(os::open(access.first, access.second));
+ }
+
+ ASSERT_SOME(ebpf::cgroups2::detach(path, attached->at(0)));
+
+ // Check that we can do both the "allowedAccesses" and "blockedAccesses".
+ foreach(const Access& access, allowedAccesses) {
+ ASSERT_SOME(os::open(access.first, access.second));
+ }
+ foreach(const Access& access, blockedAccesses) {
+ ASSERT_SOME(os::open(access.first, access.second));
+ }
+
+ // Wait for kill signal.
+ while (true) { sleep(1); }
+
+ SAFE_EXIT(
+ EXIT_FAILURE, "Error, child should be killed before reaching here");
+ }
+
+ // Kill the child process.
+ ASSERT_NE(-1, ::kill(pid, SIGKILL));
+
+ AWAIT_EXPECT_WTERMSIG_EQ(SIGKILL, process::reap(pid));
+}
+
+
+INSTANTIATE_TEST_CASE_P(
+ DeviceControllerTestParams,
+ DeviceControllerTestFixture,
+ ::testing::Values<DeviceControllerTestParams>(
+ DeviceControllerTestParams{
+ vector<devices::Entry>{},
+ vector<devices::Entry>{*devices::Entry::parse("c *:* rwm")},
+ vector<Access>{},
+ vector<Access>{{os::DEV_NULL, O_RDWR}}
+ },
+ DeviceControllerTestParams{
+ // allow /dev/null
+ vector<devices::Entry>{*devices::Entry::parse("c 1:3 rwm")},
+ vector<devices::Entry>{},
+ // read-write allowed
+ vector<Access>{{os::DEV_NULL, O_RDWR}},
+ vector<Access>{}
+ },
+ DeviceControllerTestParams{
+ // allow /dev/null
+ vector<devices::Entry>{*devices::Entry::parse("c 1:3 r")},
+ vector<devices::Entry>{},
+ // read-only allowed
+ vector<Access>{{os::DEV_NULL, O_RDONLY}},
+ // read-write is blocked
+ vector<Access>{{os::DEV_NULL, O_RDWR}}
+ },
+ DeviceControllerTestParams{
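Review bot: The child's checks in ROOT_CGROUPS2_DeviceController cannot fail the test: the parent sends SIGKILL right after `fork()` and only expects `WTERMSIG == SIGKILL`, so the test passes even if the child never reaches an `os::open()` or a blocked device opens successfully. The `ASSERT_*` macros in the forked child also only return from the child's copy of the test body, so a failure there is never reported to the parent. No visible line places the child in `cgroup`, so the attached program may not apply to it at all; confirm the child is assigned to the cgroup before the opens. I would have the child report through its exit status and the parent wait for that status, as sketched below. The quoted hunk stops inside the INSTANTIATE_TEST_CASE_P list, so the remaining cases are not covered by this note.

```cpp
  if (pid == 0) {
    // gtest ASSERT_* only returns from the test body in the child;
    // report failures through the exit status instead.
    foreach (const Access& access, allowedAccesses) {
      if (os::open(access.first, access.second).isError()) {
        SAFE_EXIT(EXIT_FAILURE, "Expected allowed access to succeed");
      }
    }
    foreach (const Access& access, blockedAccesses) {
      if (os::open(access.first, access.second).isSome()) {
        SAFE_EXIT(EXIT_FAILURE, "Expected blocked access to fail");
      }
    }
    // … unchanged: detach and the second round of opens, converted the same way …
    ::_exit(EXIT_SUCCESS);
  }

  // The parent now observes the outcome of the child's checks.
  AWAIT_EXPECT_WEXITSTATUS_EQ(EXIT_SUCCESS, process::reap(pid));
```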
Review Comment:
It's probably easier to have one comment that explains what each test
case here does, rather than these fine-grained comments. For example, there's no
comment on the "b 1:3 rwm" test, so it's hard for the reader to know what that
case is checking (e.g. a different device type, so not actually /dev/null?)