[PATCH v3 bpf-next 0/4] Introduce bpf_cgroup_read_xattr

Alexei Starovoitov alexei.starovoitov at gmail.com
Fri Jun 27 15:59:26 UTC 2025 

On Thu, Jun 26, 2025 at 9:04 PM Song Liu <song at kernel.org> wrote:
>
> On Thu, Jun 26, 2025 at 7:14 PM Alexei Starovoitov
> <alexei.starovoitov at gmail.com> wrote:
> [...]
> > ./test_progs -t lsm_cgroup
> > Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED
> > ./test_progs -t lsm_cgroup
> > Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED
> > ./test_progs -t cgroup_xattr
> > Summary: 1/8 PASSED, 0 SKIPPED, 0 FAILED
> > ./test_progs -t lsm_cgroup
> > test_lsm_cgroup_functional:PASS:bind(ETH_P_ALL) 0 nsec
> > (network_helpers.c:121: errno: Cannot assign requested address) Failed
> > to bind socket
> > test_lsm_cgroup_functional:FAIL:start_server unexpected start_server:
> > actual -1 < expected 0
> > (network_helpers.c:360: errno: Bad file descriptor) getsockopt(SOL_PROTOCOL)
> > test_lsm_cgroup_functional:FAIL:connect_to_fd unexpected
> > connect_to_fd: actual -1 < expected 0
> > test_lsm_cgroup_functional:FAIL:accept unexpected accept: actual -1 < expected 0
> > test_lsm_cgroup_functional:FAIL:getsockopt unexpected getsockopt:
> > actual -1 < expected 0
> > test_lsm_cgroup_functional:FAIL:sk_priority unexpected sk_priority:
> > actual 0 != expected 234
> > ...
> > Summary: 0/1 PASSED, 0 SKIPPED, 1 FAILED
> >
> >
> > Song,
> > Please follow up with the fix for selftest.
> > It will be in bpf-next only.
>
> The issue is because cgroup_xattr calls "ip link set dev lo up"
> in setup, and calls "ip link set dev lo down" in cleanup. Most
> other tests only call "ip link set dev lo up". IOW, it appears to
> me that cgroup_xattr is doing the cleanup properly. To fix this,
> we can either remove "dev lo down" from cgroup_xattr, or add
> "dev lo up" to lsm_cgroups. Do you have any preference one
> way or another?

It messes with "lo" without switching netns? Ouch.
Not sure what tests you copied that code from,
but all "ip" commands, ping_group_range, and sockets
don't need to be in the test. Instead of triggering
progs through lsm/socket_connect hook can't you use
a simple hook like lsm/bpf or lsm/file_open that doesn't require
networking setup ?

More information about the Linux-security-module-archive mailing list