tetragon: Add persistent enforcement test for policy unload

Add persistent enforcement test that simulates enforcement policy unload (not exit) with KeepSensorsOnExit and make sure the enforcement is removed. Signed-off-by: Jiri Olsa <[email protected]>
cilium · Nov 7, 2024 · fa5b10d · fa5b10d
1 parent d42f27c
commit fa5b10d
Showing 1 changed file with 56 additions and 0 deletions.
diff --git a/pkg/sensors/tracing/enforcer_test.go b/pkg/sensors/tracing/enforcer_test.go
@@ -823,6 +823,56 @@ func testEnforcerPersistentNoKeep(t *testing.T, builder func() *EnforcerSpecBuil
 	run(2, "exit status 22")
 }
 
+// We test following scenario:
+// - load enforcement policy
+// - 1st run of test binary, make sure enforcement policy is triggered
+// - remove enforcement policy via sensor manager
+// - 2nd run of test binary, no enforcement
+func testEnforcerPersistentUnload(t *testing.T, builder func() *EnforcerSpecBuilder, expected, test string) {
+	testEnforcerCheckSkip(t)
+
+	if !bpf.HasLinkPin() {
+		t.Skip("skipping persistent enforcer test, link pin is not available")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	tus.LoadSensor(t, base.GetInitialSensor())
+	path := bpf.MapPrefixPath()
+	mgr, err := sensors.StartSensorManager(path, true /* KeepSensorsOnExit */)
+	assert.NoError(t, err)
+
+	run := func(idx int, exp string) {
+		cmd := exec.Command(test, "0xfffe")
+		err := cmd.Run()
+
+		t.Logf("Run %s: %v\n", cmd, err)
+		if err == nil || err.Error() != exp {
+			t.Fatalf("run %d: Wrong error '%v' expected '%s'", idx, err, exp)
+		}
+	}
+
+	tp, err := builder().WithoutMultiKprobe().Build()
+	assert.NoError(t, err)
+
+	err = mgr.AddTracingPolicy(ctx, tp)
+	assert.NoError(t, err)
+
+	// first run - sensors are loaded, we should get kill/override
+	run(1, expected)
+
+	// remove the policy and we should get rid of the enforcement
+	err = mgr.DeleteTracingPolicy(ctx, tp.TpName(), "")
+	assert.NoError(t, err)
+
+	// bpf pinned links removal is asynchronous, we need to wait to be sure it's gone
+	time.Sleep(2 * time.Second)
+
+	// third run - sensors are unloaded, map dir is removed, we should get no enforcement
+	run(2, "exit status 22")
+}
+
 func TestEnforcerPersistentOverride(t *testing.T) {
 	test := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester")
 
@@ -839,6 +889,9 @@ func TestEnforcerPersistentOverride(t *testing.T) {
 	t.Run("persistent-override-no-keep", func(t *testing.T) {
 		testEnforcerPersistentNoKeep(t, builder, "exit status 17", test)
 	})
+	t.Run("persistent-override-extra", func(t *testing.T) {
+		testEnforcerPersistentUnload(t, builder, "exit status 17", test)
+	})
 }
 
 func TestEnforcerPersistentKill(t *testing.T) {
@@ -858,4 +911,7 @@ func TestEnforcerPersistentKill(t *testing.T) {
 	t.Run("persistent-kill-no-keep", func(t *testing.T) {
 		testEnforcerPersistentNoKeep(t, builder, "signal: killed", test)
 	})
+	t.Run("persistent-kill-extra", func(t *testing.T) {
+		testEnforcerPersistentUnload(t, builder, "signal: killed", test)
+	})
 }