root/tools/testing/selftests/bpf/test_dev_cgroup.c

DEFINITIONS

1. main

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /* Copyright (c) 2017 Facebook
   3  */
   4 
   5 #include <stdio.h>
   6 #include <stdlib.h>
   7 #include <string.h>
   8 #include <errno.h>
   9 #include <assert.h>
  10 #include <sys/time.h>
  11 
  12 #include <linux/bpf.h>
  13 #include <bpf/bpf.h>
  14 #include <bpf/libbpf.h>
  15 
  16 #include "cgroup_helpers.h"
  17 #include "bpf_rlimit.h"
  18 
  19 #define DEV_CGROUP_PROG "./dev_cgroup.o"
  20 
  21 #define TEST_CGROUP "/test-bpf-based-device-cgroup/"
  22 
  23 int main(int argc, char **argv)
  24 {
  25         struct bpf_object *obj;
  26         int error = EXIT_FAILURE;
  27         int prog_fd, cgroup_fd;
  28         __u32 prog_cnt;
  29 
  30         if (bpf_prog_load(DEV_CGROUP_PROG, BPF_PROG_TYPE_CGROUP_DEVICE,
  31                           &obj, &prog_fd)) {
  32                 printf("Failed to load DEV_CGROUP program\n");
  33                 goto out;
  34         }
  35 
  36         if (setup_cgroup_environment()) {
  37                 printf("Failed to load DEV_CGROUP program\n");
  38                 goto err;
  39         }
  40 
  41         /* Create a cgroup, get fd, and join it */
  42         cgroup_fd = create_and_get_cgroup(TEST_CGROUP);
  43         if (cgroup_fd < 0) {
  44                 printf("Failed to create test cgroup\n");
  45                 goto err;
  46         }
  47 
  48         if (join_cgroup(TEST_CGROUP)) {
  49                 printf("Failed to join cgroup\n");
  50                 goto err;
  51         }
  52 
  53         /* Attach bpf program */
  54         if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) {
  55                 printf("Failed to attach DEV_CGROUP program");
  56                 goto err;
  57         }
  58 
  59         if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL,
  60                            &prog_cnt)) {
  61                 printf("Failed to query attached programs");
  62                 goto err;
  63         }
  64 
  65         /* All operations with /dev/zero and and /dev/urandom are allowed,
  66          * everything else is forbidden.
  67          */
  68         assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
  69         assert(system("mknod /tmp/test_dev_cgroup_null c 1 3"));
  70         assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
  71 
  72         /* /dev/zero is whitelisted */
  73         assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
  74         assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
  75         assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
  76 
  77         assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
  78 
  79         /* src is allowed, target is forbidden */
  80         assert(system("dd if=/dev/urandom of=/dev/full count=64"));
  81 
  82         /* src is forbidden, target is allowed */
  83         assert(system("dd if=/dev/random of=/dev/zero count=64"));
  84 
  85         error = 0;
  86         printf("test_dev_cgroup:PASS\n");
  87 
  88 err:
  89         cleanup_cgroup_environment();
  90 
  91 out:
  92         return error;
  93 }