FFI: create a test case for sched_setscheduler() syscall

Open dougsland opened this issue 10 months ago • 7 comments

Basically, inside QM the sched_setscheduler() syscall is not allowed and we should prove it. Transform the steps below into a test plan.

Steps:

1- Build source code:

gcc -o test_sched_setscheduler test_sched_setscheduler.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <errno.h>
#include <string.h>

int main(void) {
    pid_t pid = getpid();     // PID of this process
    int policy = SCHED_FIFO;  // Desired scheduling policy
    struct sched_param param;

    // Assign the maximum priority for the SCHED_FIFO policy
    param.sched_priority = sched_get_priority_max(policy);
    if (param.sched_priority == -1) {
        fprintf(stderr, "Failed to get max priority for SCHED_FIFO: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }

    // Attempt to set the scheduling policy and priority
    if (sched_setscheduler(pid, policy, &param) == -1) {
        fprintf(stderr, "Failed to set scheduler: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }

    printf("Scheduler set to SCHED_FIFO with priority %d\n", param.sched_priority);
    return EXIT_SUCCESS;
}

2- Copy the binary to qm

cp test_sched_setscheduler /usr/lib/qm/rootfs/root/

3- Execute the test

# podman exec -it qm bash
bash-5.1# ./test_sched_setscheduler
Failed to set scheduler: Operation not permitted

Please note: QM pull request 362 includes the patch to make sure setting the scheduler is not allowed. To test without this restriction, just test a previous version or remove create_qm_seccomp_rules from setup and --security-opt seccomp=/usr/share/qm/seccomp.json from qm.container.

See also: https://github.com/containers/qm/pull/362#issuecomment-2058211553 https://gitlab.com/CentOS/automotive/container-images/ffi-tools/-/blob/main/Containerfile?ref_type=heads

dougsland Apr 16 '24 04:04
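An added example, not part of the original issue or of the QM test suite: "Operation not permitted" in step 3 can also come from a missing CAP_SYS_NICE, so a test plan may want to attribute the EPERM before counting it as proof of the seccomp rule. The verdict names and the classify() helper are hypothetical; the code assumes the seccomp profile answers with EPERM (as in the output above) and that the container does not run in a user namespace.

```c
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_NICE_BIT 23 /* CAP_SYS_NICE, from <linux/capability.h> */

enum verdict { ALLOWED, DENIED_NO_CAP, DENIED_SECCOMP_LIKELY, DENIED_UNKNOWN };

/* Find "key:" at the start of a line in /proc/<pid>/status text and parse its number. */
static int status_field(const char *status, const char *key, int base, unsigned long long *out) {
    size_t klen = strlen(key);
    for (const char *line = status; line && *line;) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':') {
            *out = strtoull(line + klen + 1, NULL, base);
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* rc/err: result and errno of sched_setscheduler(); status: /proc/self/status text. */
enum verdict classify(int rc, int err, const char *status) {
    unsigned long long seccomp = 0, capeff = 0;
    if (rc == 0) return ALLOWED;
    if (err != EPERM || status_field(status, "Seccomp", 10, &seccomp) ||
        status_field(status, "CapEff", 16, &capeff))
        return DENIED_UNKNOWN;
    /* Without CAP_SYS_NICE the kernel can refuse on its own, so EPERM does not prove seccomp. */
    if (!(capeff & (1ULL << CAP_SYS_NICE_BIT))) return DENIED_NO_CAP;
    /* Seccomp: 2 means a filter is installed; any other mode cannot be the QM profile. */
    return seccomp == 2 ? DENIED_SECCOMP_LIKELY : DENIED_UNKNOWN;
}

int main(void) {
    static const char *names[] = {"ALLOWED", "DENIED_NO_CAP", "DENIED_SECCOMP_LIKELY", "DENIED_UNKNOWN"};
    char status[8192] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (!f || fread(status, 1, sizeof status - 1, f) == 0) { perror("/proc/self/status"); return 2; }
    fclose(f);
    struct sched_param param = {.sched_priority = sched_get_priority_max(SCHED_FIFO)};
    int rc = sched_setscheduler(0, SCHED_FIFO, &param);
    int err = errno;
    enum verdict v = classify(rc, err, status);
    printf("%s\n", names[v]);
    return v == DENIED_SECCOMP_LIKELY ? 0 : 1; /* exit 0 only when the denial points at seccomp */
}
```

DENIED_SECCOMP_LIKELY is worded as "likely" because other kernel policy can also return EPERM to a process that holds the capability.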

cc @pbrilla-rh @Yarboa

dougsland Apr 16 '24 04:04

@dougsland better to add it to ffi tools, something like this:

From host partition or qm partition

podman cp ctr_name:/root/tests/FFI/bin/QM/test_sched_setscheduler .

@pbrilla-rh This test should could exist in public repo, since it is checking seccomp

Yarboa Apr 16 '24 08:04

> @dougsland better add it to ffi tools something like that:
>
> From host partition or qm partition
>
> podman cp ctr_name:/root/tests/FFI/bin/QM/test_sched_setscheduler .
>
> @pbrilla-rh This test should could exist in public repo, since it is checking seccomp

Agreed @Yarboa, opened this one to document and track the work.

dougsland Apr 16 '24 13:04

If no complaints get raised, the tool should be included here: https://github.com/containers/qm/pull/371 After that, we can just include it in the cycle of tests: https://gitlab.com/CentOS/automotive/container-images/ffi-tools

dougsland Apr 18 '24 14:04

Filed a PR: https://github.com/containers/qm/pull/438

pengshanyu May 15 '24 08:05

Resolved.

dougsland May 20 '24 11:05

Talked with @pengshanyu; still need to finish the tmt case.

dougsland May 22 '24 11:05