cgroupv2 devices needs unit tests and a minor rework

[cyphar]

Based on #2796 and #2793, it looks like the eBPF devices code needs some more tests to make sure it's acting properly. If we can do emulation of the BPF program (like I did for seccomp), that would be ideal.

[cyphar]

I also have a feeling the wildcard behaviour is wrong -- maybe we should use the devices cgroup emulator to get the computed minimal ruleset and then generate a program based on that?

[cyphar]

I'm working on this now. I think it's quite critical for devices cgroup security on cgroupv2.

[h-vetinari]

Any update on this effort?

[cyphar]

It seems that we would need to implement the BPF generation ourselves. Now, I do now have experience with doing this thanks to the lovely experience with seccomp, but I'm a little bit apprehensive about doing it entirely ourselves. Unless it turns out to be simpler than it looks, it's probably going to be a post-1.0 thing. (Especially since the behaviour with updating also needs to be taken into consideration -- see #2366.)

[cyphar]

Actually, looking at this again, this might not be too hard to do since cilium supports testing eBPF programs (though rather than doing emulation -- which is what golang.org/x/net does -- eBPF testing is actually done in-kernel).

[cyphar]

Ah, the kernel doesn't support BPF_PROG_TEST_RUN for prog_type=BPF_PROG_TYPE_CGROUP_DEVICE. That sucks. In that case we can't really add unit tests right now, but I'll work on sending a patch upstream to support this.

[AkihiroSuda]

Merged #2951