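// Source: github.com/cilium/cilium@v1.16.2/pkg/maps/policymap/policymap_privileged_test.go

// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package policymap

import (
	"errors"
	"os"
	"testing"

	"github.com/cilium/ebpf/rlimit"
	"github.com/stretchr/testify/require"
	"golang.org/x/sys/unix"

	"github.com/cilium/cilium/pkg/bpf"

	"github.com/cilium/cilium/pkg/policy/trafficdirection"
	"github.com/cilium/cilium/pkg/testutils"
	"github.com/cilium/cilium/pkg/u8proto"
)

// setupPolicyMapPrivilegedTestSuite creates the unpinned policy map
// "cilium_policy_test" for a privileged test and registers a cleanup that
// deletes every entry from it when the test finishes.
//
// Any failure during setup aborts the calling test.
func setupPolicyMapPrivilegedTestSuite(tb testing.TB) *PolicyMap {
	// Report setup failures at the caller's line rather than inside this helper.
	tb.Helper()

	// NOTE(review): presumably skips the test unless privileged tests are
	// enabled; confirm in pkg/testutils.
	testutils.PrivilegedTest(tb)

	bpf.CheckOrMountFS("")

	// Lift the memlock rlimit so that BPF map creation is not rejected for
	// exceeding the locked-memory limit.
	if err := rlimit.RemoveMemlock(); err != nil {
		tb.Fatal(err)
	}

	testMap := newMap("cilium_policy_test")

	// Best effort: remove whatever exists at the map's pin path. The error is
	// deliberately ignored; the map itself is created unpinned below.
	_ = os.RemoveAll(bpf.MapPath("cilium_policy_test"))
	require.NoError(tb, testMap.CreateUnpinned())

	tb.Cleanup(func() {
		require.NoError(tb, testMap.DeleteAll())
	})

	return testMap
}

// TestPolicyMapDumpToSlice inserts allow entries and checks that
// DumpToSlice returns them.
func TestPolicyMapDumpToSlice(t *testing.T) {
	testMap := setupPolicyMapPrivilegedTestSuite(t)

	fooKey := newKey(1, 1, SinglePortMask, 1, 1)
	err := testMap.AllowKey(fooKey, 0, 0)
	require.NoError(t, err)

	dump, err := testMap.DumpToSlice()
	require.NoError(t, err)
	require.Len(t, dump, 1)

	require.EqualValues(t, fooKey, dump[0].Key)

	// Special case: allow-all entry
	barKey := newKey(0, 0, SinglePortMask, 0, 0)
	err = testMap.AllowKey(barKey, 0, 0)
	require.NoError(t, err)

	// NOTE(review): only the entry count is asserted from here on; the
	// allow-all entry's key and policy entry are not compared with the dump.
	dump, err = testMap.DumpToSlice()
	require.NoError(t, err)
	require.Len(t, dump, 2)
}

// TestDeleteNonexistentKey checks that deleting a key that was never inserted
// fails with ENOENT instead of succeeding silently.
func TestDeleteNonexistentKey(t *testing.T) {
	testMap := setupPolicyMapPrivilegedTestSuite(t)
	key := newKey(27, 80, SinglePortMask, u8proto.TCP, trafficdirection.Ingress)

	err := testMap.Map.Delete(&key)
	require.Error(t, err)

	// The returned error must unwrap to a raw errno, and that errno must be
	// ENOENT.
	var errno unix.Errno
	require.True(t, errors.As(err, &errno))
	require.Equal(t, unix.ENOENT, errno)
}

// TestDenyPolicyMapDumpToSlice inserts deny entries and checks that
// DumpToSlice returns them, including the deny policy entry for the first key.
func TestDenyPolicyMapDumpToSlice(t *testing.T) {
	testMap := setupPolicyMapPrivilegedTestSuite(t)

	fooKey := newKey(1, 1, SinglePortMask, 1, 1)
	fooEntry := newDenyEntry(fooKey)
	err := testMap.DenyKey(fooKey)
	require.NoError(t, err)

	dump, err := testMap.DumpToSlice()
	require.NoError(t, err)
	require.Len(t, dump, 1)

	// Both the key and the stored entry must match what was inserted.
	require.EqualValues(t, fooKey, dump[0].Key)
	require.EqualValues(t, fooEntry, dump[0].PolicyEntry)

	// Special case: deny-all entry
	barKey := newKey(0, 0, SinglePortMask, 0, 0)
	err = testMap.DenyKey(barKey)
	require.NoError(t, err)

	// NOTE(review): only the entry count is asserted from here on. A
	// regression that stored the deny-all key without the deny entry would
	// pass this check; consider comparing against newDenyEntry(barKey).
	dump, err = testMap.DumpToSlice()
	require.NoError(t, err)
	require.Len(t, dump, 2)
}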