1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* Copyright (c) 2017 Facebook |
3 | */ |
4 | |
5 | #include <stdio.h> |
6 | #include <stdlib.h> |
7 | #include <string.h> |
8 | #include <errno.h> |
9 | #include <assert.h> |
10 | #include <sys/time.h> |
11 | |
12 | #include <linux/bpf.h> |
13 | #include <bpf/bpf.h> |
14 | #include <bpf/libbpf.h> |
15 | |
16 | #include "cgroup_helpers.h" |
17 | #include "testing_helpers.h" |
18 | |
19 | #define DEV_CGROUP_PROG "./dev_cgroup.bpf.o" |
20 | |
21 | #define TEST_CGROUP "/test-bpf-based-device-cgroup/" |
22 | |
23 | int main(int argc, char **argv) |
24 | { |
25 | struct bpf_object *obj; |
26 | int error = EXIT_FAILURE; |
27 | int prog_fd, cgroup_fd; |
28 | __u32 prog_cnt; |
29 | |
30 | /* Use libbpf 1.0 API mode */ |
31 | libbpf_set_strict_mode(LIBBPF_STRICT_ALL); |
32 | |
33 | if (bpf_prog_test_load(DEV_CGROUP_PROG, type: BPF_PROG_TYPE_CGROUP_DEVICE, |
34 | pobj: &obj, prog_fd: &prog_fd)) { |
35 | printf("Failed to load DEV_CGROUP program\n" ); |
36 | goto out; |
37 | } |
38 | |
39 | cgroup_fd = cgroup_setup_and_join(TEST_CGROUP); |
40 | if (cgroup_fd < 0) { |
41 | printf("Failed to create test cgroup\n" ); |
42 | goto out; |
43 | } |
44 | |
45 | /* Attach bpf program */ |
46 | if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) { |
47 | printf("Failed to attach DEV_CGROUP program" ); |
48 | goto err; |
49 | } |
50 | |
51 | if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL, |
52 | &prog_cnt)) { |
53 | printf("Failed to query attached programs" ); |
54 | goto err; |
55 | } |
56 | |
57 | /* All operations with /dev/zero and and /dev/urandom are allowed, |
58 | * everything else is forbidden. |
59 | */ |
60 | assert(system("rm -f /tmp/test_dev_cgroup_null" ) == 0); |
61 | assert(system("mknod /tmp/test_dev_cgroup_null c 1 3" )); |
62 | assert(system("rm -f /tmp/test_dev_cgroup_null" ) == 0); |
63 | |
64 | /* /dev/zero is whitelisted */ |
65 | assert(system("rm -f /tmp/test_dev_cgroup_zero" ) == 0); |
66 | assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5" ) == 0); |
67 | assert(system("rm -f /tmp/test_dev_cgroup_zero" ) == 0); |
68 | |
69 | assert(system("dd if=/dev/urandom of=/dev/zero count=64" ) == 0); |
70 | |
71 | /* src is allowed, target is forbidden */ |
72 | assert(system("dd if=/dev/urandom of=/dev/full count=64" )); |
73 | |
74 | /* src is forbidden, target is allowed */ |
75 | assert(system("dd if=/dev/random of=/dev/zero count=64" )); |
76 | |
77 | error = 0; |
78 | printf("test_dev_cgroup:PASS\n" ); |
79 | |
80 | err: |
81 | cleanup_cgroup_environment(); |
82 | |
83 | out: |
84 | return error; |
85 | } |
86 | |