1 // SPDX-License-Identifier: GPL-2.0-only 2 /* Copyright (c) 2017 Facebook 3 */ 4 5 #include <stdio.h> 6 #include <stdlib.h> 7 #include <string.h> 8 #include <errno.h> 9 #include <assert.h> 10 #include <sys/time.h> 11 12 #include <linux/bpf.h> 13 #include <bpf/bpf.h> 14 #include <bpf/libbpf.h> 15 16 #include "cgroup_helpers.h" 17 #include "testing_helpers.h" 18 19 #define DEV_CGROUP_PROG "./dev_cgroup.bpf.o" 20 21 #define TEST_CGROUP "/test-bpf-based-device-cgroup/" 22 23 int main(int argc, char **argv) 24 { 25 struct bpf_object *obj; 26 int error = EXIT_FAILURE; 27 int prog_fd, cgroup_fd; 28 __u32 prog_cnt; 29 30 /* Use libbpf 1.0 API mode */ 31 libbpf_set_strict_mode(LIBBPF_STRICT_ALL); 32 33 if (bpf_prog_test_load(DEV_CGROUP_PROG, BPF_PROG_TYPE_CGROUP_DEVICE, 34 &obj, &prog_fd)) { 35 printf("Failed to load DEV_CGROUP program\n"); 36 goto out; 37 } 38 39 cgroup_fd = cgroup_setup_and_join(TEST_CGROUP); 40 if (cgroup_fd < 0) { 41 printf("Failed to create test cgroup\n"); 42 goto out; 43 } 44 45 /* Attach bpf program */ 46 if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) { 47 printf("Failed to attach DEV_CGROUP program"); 48 goto err; 49 } 50 51 if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL, 52 &prog_cnt)) { 53 printf("Failed to query attached programs"); 54 goto err; 55 } 56 57 /* All operations with /dev/zero and and /dev/urandom are allowed, 58 * everything else is forbidden. 59 */ 60 assert(system("rm -f /tmp/test_dev_cgroup_null") == 0); 61 assert(system("mknod /tmp/test_dev_cgroup_null c 1 3")); 62 assert(system("rm -f /tmp/test_dev_cgroup_null") == 0); 63 64 /* /dev/zero is whitelisted */ 65 assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0); 66 assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0); 67 assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0); 68 69 assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0); 70 71 /* src is allowed, target is forbidden */ 72 assert(system("dd if=/dev/urandom of=/dev/full count=64")); 73 74 /* src is forbidden, target is allowed */ 75 assert(system("dd if=/dev/random of=/dev/zero count=64")); 76 77 error = 0; 78 printf("test_dev_cgroup:PASS\n"); 79 80 err: 81 cleanup_cgroup_environment(); 82 83 out: 84 return error; 85 } 86