libct/int: add device update test

[kolyshkin]

... and remove the one from tests/integration.

The idea is similar to the one for the test case being removed -- try
updating device rules many times to make sure we are not leaking eBPF
programs after every update/Set(). This is better though as we can
really change the device rules every time (which "runc update" can't)
and check that the rule is applied.

The test works, but I see the following warning (on Fedora 34, cgroup v2):

WARN[0000] found more than one filter (2) attached to a cgroup -- removing extra filters! 

[kolyshkin]

Same in Fedora CI:

=== RUN   TestUpdateDevices
time="2021-06-04T22:28:40Z" level=warning msg="found more than one filter (2) attached to a cgroup -- removing extra filters!"
time="2021-06-04T22:28:40Z" level=warning msg="found more than one filter (2) attached to a cgroup -- removing extra filters!"
...
time="2021-06-04T22:28:54Z" level=warning msg="found more than one filter (2) attached to a cgroup -- removing extra filters!"
--- PASS: TestUpdateDevices (14.49s)
PASS

I changed the test like this:

diff --git a/libcontainer/integration/update_test.go b/libcontainer/integration/update_test.go
index 4a83ed41..0ec1dca1 100644
--- a/libcontainer/integration/update_test.go
+++ b/libcontainer/integration/update_test.go
@@ -69,14 +69,18 @@ func TestUpdateDevices(t *testing.T) {
 
                // Now flip the access permission
                isAllowed = !isAllowed
-               config.Cgroups.Resources.Devices = []*devices.Rule{
-                       {
-                               Type:        devices.CharDevice,
-                               Major:       1,
-                               Minor:       7,
-                               Permissions: "rwm",
-                               Allow:       isAllowed,
-                       },
+               if isAllowed {
+                       config.Cgroups.Resources.Devices = []*devices.Rule{
+                               {
+                                       Type:        devices.CharDevice,
+                                       Major:       1,
+                                       Minor:       7,
+                                       Permissions: "rwm",
+                                       Allow:       true,
+                               },
+                       }
+               } else {
+                       config.Cgroups.Resources.Devices = []*devices.Rule{}
                }
                if err := container.Set(*config); err != nil {
                        t.Fatal(err)

and it's still emitting the same warning.

[kolyshkin]

Any way I modify the devices list, the warning is here.

Modified the test to

• add systemd
• add a second check (for /dev/null)
• instead of grant/remove access to just one device, alternate between default and empty lists

[kolyshkin]

So I have tried the following ways of modifying device access:

1. Start from the default list, then use the list with a single /dev/full entry, alternating between Allow: true and Allow: false.
2. Start from the default list, then alternate between the empty list and the list with a single /dev/full entry.
3. Start from the default list, then alternate between empty and the default list.

The only method I haven't tried yet is modifying device permissions (say remove/re-add w from /dev/full`).

[kolyshkin]

I think it's easier for you to cherry-pick this test to PR #2986 (or just merge this and then expand this test to cover more cases).

[kolyshkin]

@cyphar let me know if you're OK to merge this as is, or is this test totally useless, or there is something else I should address.

[cyphar]

LGTM. This is a pretty good smoke test and actually exercises the "update" aspect as well, so device rule updates can't be a no-op either.