selftests/bpf/test_dev_cgroup.c

25763b3cSThomas Gleixner// SPDX-License-Identifier: GPL-2.0-only
37f1ba09SRoman Gushchin/* Copyright (c) 2017 Facebook
37f1ba09SRoman Gushchin */
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin#include <stdio.h>
37f1ba09SRoman Gushchin#include <stdlib.h>
37f1ba09SRoman Gushchin#include <string.h>
37f1ba09SRoman Gushchin#include <errno.h>
37f1ba09SRoman Gushchin#include <assert.h>
c475ffadSYonghong Song#include <sys/time.h>
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin#include <linux/bpf.h>
37f1ba09SRoman Gushchin#include <bpf/bpf.h>
37f1ba09SRoman Gushchin#include <bpf/libbpf.h>
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin#include "cgroup_helpers.h"
*cbdb1461SAndrii Nakryiko#include "testing_helpers.h"
fe8d662aSDaniel Borkmann#include "bpf_rlimit.h"
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin#define DEV_CGROUP_PROG "./dev_cgroup.o"
37f1ba09SRoman Gushchin
8e687525SAlexei Starovoitov#define TEST_CGROUP "/test-bpf-based-device-cgroup/"
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchinint main(int argc, char **argv)
37f1ba09SRoman Gushchin{
37f1ba09SRoman Gushchin	struct bpf_object *obj;
37f1ba09SRoman Gushchin	int error = EXIT_FAILURE;
37f1ba09SRoman Gushchin	int prog_fd, cgroup_fd;
37f1ba09SRoman Gushchin	__u32 prog_cnt;
37f1ba09SRoman Gushchin
*cbdb1461SAndrii Nakryiko	if (bpf_prog_test_load(DEV_CGROUP_PROG, BPF_PROG_TYPE_CGROUP_DEVICE,
37f1ba09SRoman Gushchin			  &obj, &prog_fd)) {
37f1ba09SRoman Gushchin		printf("Failed to load DEV_CGROUP program\n");
c475ffadSYonghong Song		goto out;
37f1ba09SRoman Gushchin	}
37f1ba09SRoman Gushchin
4939b284SJohn Fastabend	cgroup_fd = cgroup_setup_and_join(TEST_CGROUP);
a8911d6dSStanislav Fomichev	if (cgroup_fd < 0) {
37f1ba09SRoman Gushchin		printf("Failed to create test cgroup\n");
4939b284SJohn Fastabend		goto out;
37f1ba09SRoman Gushchin	}
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin	/* Attach bpf program */
37f1ba09SRoman Gushchin	if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) {
37f1ba09SRoman Gushchin		printf("Failed to attach DEV_CGROUP program");
37f1ba09SRoman Gushchin		goto err;
37f1ba09SRoman Gushchin	}
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin	if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL,
37f1ba09SRoman Gushchin			   &prog_cnt)) {
37f1ba09SRoman Gushchin		printf("Failed to query attached programs");
37f1ba09SRoman Gushchin		goto err;
37f1ba09SRoman Gushchin	}
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin	/* All operations with /dev/zero and and /dev/urandom are allowed,
37f1ba09SRoman Gushchin	 * everything else is forbidden.
37f1ba09SRoman Gushchin	 */
37f1ba09SRoman Gushchin	assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
37f1ba09SRoman Gushchin	assert(system("mknod /tmp/test_dev_cgroup_null c 1 3"));
37f1ba09SRoman Gushchin	assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin	/* /dev/zero is whitelisted */
37f1ba09SRoman Gushchin	assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
37f1ba09SRoman Gushchin	assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
37f1ba09SRoman Gushchin	assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin	assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin	/* src is allowed, target is forbidden */
37f1ba09SRoman Gushchin	assert(system("dd if=/dev/urandom of=/dev/full count=64"));
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin	/* src is forbidden, target is allowed */
37f1ba09SRoman Gushchin	assert(system("dd if=/dev/random of=/dev/zero count=64"));
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchin	error = 0;
37f1ba09SRoman Gushchin	printf("test_dev_cgroup:PASS\n");
37f1ba09SRoman Gushchin
37f1ba09SRoman Gushchinerr:
37f1ba09SRoman Gushchin	cleanup_cgroup_environment();
37f1ba09SRoman Gushchin
c475ffadSYonghong Songout:
37f1ba09SRoman Gushchin	return error;
37f1ba09SRoman Gushchin}