Skip `lsm_cgroup` when loading fails

squash into proper check
1 week ago · 54bd3ac202
parent 2e5f5efbf1
commit 54bd3ac202
2 changed files with 24 additions and 5 deletions
--- a/aya/src/sys/feature_probe.rs
+++ b/aya/src/sys/feature_probe.rs
@ -21,7 +21,7 @@ use super::{
 use crate::{
    MockableFd,
    maps::MapType,
-    programs::{ProgramError, ProgramType},
+    programs::{LsmAttachType, ProgramError, ProgramType},
    util::page_size,
 };

@ -159,7 +159,10 @@ pub fn is_program_supported(program_type: ProgramType) -> Result<bool, ProgramEr
                // explicitly.
                //
                // h/t to https://www.exein.io/blog/exploring-bpf-lsm-support-on-aarch64-with-ftrace.
-                if !matches!(program_type, ProgramType::Lsm(_)) {
+                //
+                // The same test for cGroup LSM programs would require attaching to a real cgroup,
+                // which is more involved and not possible in the general case.
+                if !matches!(program_type, ProgramType::Lsm(LsmAttachType::Mac)) {
                    Ok(true)
                } else {
                    match bpf_raw_tracepoint_open(None, prog_fd.as_fd()) {
--- a/test/integration-test/src/tests/lsm.rs
+++ b/test/integration-test/src/tests/lsm.rs
@ -3,6 +3,7 @@ use aya::{
    Btf, Ebpf,
    programs::{Lsm, LsmAttachType, LsmCgroup, ProgramError, ProgramType},
    sys::{SyscallError, is_program_supported},
+    util::KernelVersion,
 };

 use crate::utils::Cgroup;
@ -57,7 +58,19 @@ fn lsm_cgroup() {
    let prog = bpf.program_mut("test_lsm_cgroup").unwrap();
    let prog: &mut LsmCgroup = prog.try_into().unwrap();
    let btf = Btf::from_sys_fs().expect("could not get btf from sys");
-    prog.load("socket_bind", &btf).unwrap();
+    match prog.load("socket_bind", &btf) {
+        Ok(()) => {}
+        Err(err) => match err {
+            ProgramError::LoadError { io_error, .. }
+                if !is_program_supported(ProgramType::Lsm(LsmAttachType::Cgroup)).unwrap() =>
+            {
+                assert_eq!(io_error.raw_os_error(), Some(libc::EINVAL));
+                eprintln!("skipping test - LSM cgroup programs not supported at load");
+                return;
+            }
+            err => panic!("unexpected error loading LSM cgroup program: {err}"),
+        },
+    }

    assert_matches!(std::net::TcpListener::bind("127.0.0.1:0"), Ok(_));

@ -68,12 +81,15 @@ fn lsm_cgroup() {
    let link_id = {
        let result = prog.attach(cgroup.fd());

-        if !is_program_supported(ProgramType::Lsm(LsmAttachType::Cgroup)).unwrap() {
+        // See https://www.exein.io/blog/exploring-bpf-lsm-support-on-aarch64-with-ftrace.
+        if cfg!(target_arch = "aarch64")
+            && KernelVersion::current().unwrap() < KernelVersion::new(6, 4, 0)
+        {
            assert_matches!(result, Err(ProgramError::SyscallError(SyscallError { call, io_error })) => {
                assert_eq!(call, "bpf_link_create");
                assert_eq!(io_error.raw_os_error(), Some(524));
            });
-            eprintln!("skipping test - LSM programs not supported");
+            eprintln!("skipping test - LSM cgroup programs not supported at attach");
            return;
        }
        result.unwrap()