| 1 | // SPDX-License-Identifier: GPL-2.0-only |
|---|
| 2 | /* Copyright (c) 2017 Facebook |
|---|
| 3 | */ |
|---|
| 4 | |
|---|
| 5 | #include <stdio.h> |
|---|
| 6 | #include <stdlib.h> |
|---|
| 7 | #include <string.h> |
|---|
| 8 | #include <errno.h> |
|---|
| 9 | #include <assert.h> |
|---|
| 10 | #include <sys/time.h> |
|---|
| 11 | |
|---|
| 12 | #include <linux/bpf.h> |
|---|
| 13 | #include <bpf/bpf.h> |
|---|
| 14 | #include <bpf/libbpf.h> |
|---|
| 15 | |
|---|
| 16 | #include "cgroup_helpers.h" |
|---|
| 17 | #include "testing_helpers.h" |
|---|
| 18 | |
|---|
| 19 | #define DEV_CGROUP_PROG "./dev_cgroup.bpf.o" |
|---|
| 20 | |
|---|
| 21 | #define TEST_CGROUP "/test-bpf-based-device-cgroup/" |
|---|
| 22 | |
|---|
| 23 | int main(int argc, char **argv) |
|---|
| 24 | { |
|---|
| 25 | struct bpf_object *obj; |
|---|
| 26 | int error = EXIT_FAILURE; |
|---|
| 27 | int prog_fd, cgroup_fd; |
|---|
| 28 | __u32 prog_cnt; |
|---|
| 29 | |
|---|
| 30 | /* Use libbpf 1.0 API mode */ |
|---|
| 31 | libbpf_set_strict_mode(LIBBPF_STRICT_ALL); |
|---|
| 32 | |
|---|
| 33 | if (bpf_prog_test_load(DEV_CGROUP_PROG, type: BPF_PROG_TYPE_CGROUP_DEVICE, |
|---|
| 34 | pobj: &obj, prog_fd: &prog_fd)) { |
|---|
| 35 | printf("Failed to load DEV_CGROUP program\n" ); |
|---|
| 36 | goto out; |
|---|
| 37 | } |
|---|
| 38 | |
|---|
| 39 | cgroup_fd = cgroup_setup_and_join(TEST_CGROUP); |
|---|
| 40 | if (cgroup_fd < 0) { |
|---|
| 41 | printf("Failed to create test cgroup\n" ); |
|---|
| 42 | goto out; |
|---|
| 43 | } |
|---|
| 44 | |
|---|
| 45 | /* Attach bpf program */ |
|---|
| 46 | if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) { |
|---|
| 47 | printf("Failed to attach DEV_CGROUP program" ); |
|---|
| 48 | goto err; |
|---|
| 49 | } |
|---|
| 50 | |
|---|
| 51 | if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL, |
|---|
| 52 | &prog_cnt)) { |
|---|
| 53 | printf("Failed to query attached programs" ); |
|---|
| 54 | goto err; |
|---|
| 55 | } |
|---|
| 56 | |
|---|
| 57 | /* All operations with /dev/zero and and /dev/urandom are allowed, |
|---|
| 58 | * everything else is forbidden. |
|---|
| 59 | */ |
|---|
| 60 | assert(system("rm -f /tmp/test_dev_cgroup_null" ) == 0); |
|---|
| 61 | assert(system("mknod /tmp/test_dev_cgroup_null c 1 3" )); |
|---|
| 62 | assert(system("rm -f /tmp/test_dev_cgroup_null" ) == 0); |
|---|
| 63 | |
|---|
| 64 | /* /dev/zero is whitelisted */ |
|---|
| 65 | assert(system("rm -f /tmp/test_dev_cgroup_zero" ) == 0); |
|---|
| 66 | assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5" ) == 0); |
|---|
| 67 | assert(system("rm -f /tmp/test_dev_cgroup_zero" ) == 0); |
|---|
| 68 | |
|---|
| 69 | assert(system("dd if=/dev/urandom of=/dev/zero count=64" ) == 0); |
|---|
| 70 | |
|---|
| 71 | /* src is allowed, target is forbidden */ |
|---|
| 72 | assert(system("dd if=/dev/urandom of=/dev/full count=64" )); |
|---|
| 73 | |
|---|
| 74 | /* src is forbidden, target is allowed */ |
|---|
| 75 | assert(system("dd if=/dev/random of=/dev/zero count=64" )); |
|---|
| 76 | |
|---|
| 77 | error = 0; |
|---|
| 78 | printf("test_dev_cgroup:PASS\n" ); |
|---|
| 79 | |
|---|
| 80 | err: |
|---|
| 81 | cleanup_cgroup_environment(); |
|---|
| 82 | |
|---|
| 83 | out: |
|---|
| 84 | return error; |
|---|
| 85 | } |
|---|
| 86 | |
|---|
