From: Roman Gushchin
CC: Tejun Heo, Alexei Starovoitov, Daniel Borkmann, Roman Gushchin
Subject: [PATCH v3 net-next 5/5] selftests/bpf: add a test for device cgroup controller
Date: Thu, 2 Nov 2017 13:15:30 -0400
Message-ID: <20171102171530.7627-6-guro@fb.com>
In-Reply-To: <20171102171530.7627-1-guro@fb.com>
References: <20171102171530.7627-1-guro@fb.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add a test for device cgroup controller.

The test loads a simple bpf program which logs all device access attempts using trace_printk() and forbids all operations except operations with /dev/zero and /dev/urandom.

Then the test creates and joins a test cgroup, and attaches the bpf program to it.

Then it tries to perform some simple device operations and checks the result:

  create /dev/null (should fail)
  create /dev/zero (should pass)
  copy data from /dev/urandom to /dev/zero (should pass)
  copy data from /dev/urandom to /dev/full (should fail)
  copy data from /dev/random to /dev/zero (should fail)

Signed-off-by: Roman Gushchin
Acked-by: Alexei Starovoitov
Acked-by: Tejun Heo
Cc: Daniel Borkmann

--- tools/testing/selftests/bpf/Makefile | 4 +- tools/testing/selftests/bpf/dev_cgroup.c | 60 +++++++++++++++++ tools/testing/selftests/bpf/test_dev_cgroup.c | 93 +++++++++++++++++++++++++++ 3 files changed, 155 insertions(+), 2 deletions(-) create mode 100644 tools/testing/selftests/bpf/dev_cgroup.c create mode 100644 tools/testing/selftests/bpf/test_dev_cgroup.c diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index 36c34f0218a3..64ba3684a4f4 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -12,11 +12,11 @@ CFLAGS += -Wall -O2 -I$(APIDIR) -I$(LIBDIR) -I$(GENDIR) $(GENFLAGS) -I../../../i LDLIBS += -lcap -lelf TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \ - test_align test_verifier_log + test_align test_verifier_log test_dev_cgroup TEST_GEN_FILES = test_pkt_access.o test_xdp.o test_l4lb.o test_tcp_estats.o test_obj_id.o \ test_pkt_md_access.o test_xdp_redirect.o test_xdp_meta.o sockmap_parse_prog.o \ - sockmap_verdict_prog.o + sockmap_verdict_prog.o dev_cgroup.o TEST_PROGS := test_kmod.sh test_xdp_redirect.sh test_xdp_meta.sh diff --git a/tools/testing/selftests/bpf/dev_cgroup.c b/tools/testing/selftests/bpf/dev_cgroup.c new file mode 100644 index 000000000000..ce41a3475f27 --- /dev/null 
+++ b/tools/testing/selftests/bpf/dev_cgroup.c @@ -0,0 +1,60 @@ +/* Copyright (c) 2017 Facebook + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + */ + +#include +#include +#include "bpf_helpers.h" + +SEC("cgroup/dev") +int bpf_prog1(struct bpf_cgroup_dev_ctx *ctx) +{ + short type = ctx->access_type & 0xFFFF; +#ifdef DEBUG + short access = ctx->access_type >> 16; + char fmt[] = " %d:%d \n"; + + switch (type) { + case BPF_DEVCG_DEV_BLOCK: + fmt[0] = 'b'; + break; + case BPF_DEVCG_DEV_CHAR: + fmt[0] = 'c'; + break; + default: + fmt[0] = '?'; + break; + } + + if (access & BPF_DEVCG_ACC_READ) + fmt[8] = 'r'; + + if (access & BPF_DEVCG_ACC_WRITE) + fmt[9] = 'w'; + + if (access & BPF_DEVCG_ACC_MKNOD) + fmt[10] = 'm'; + + bpf_trace_printk(fmt, sizeof(fmt), ctx->major, ctx->minor); +#endif + + /* Allow access to /dev/zero and /dev/random. + * Forbid everything else. + */ + if (ctx->major != 1 || type != BPF_DEVCG_DEV_CHAR) + return 0; + + switch (ctx->minor) { + case 5: /* 1:5 /dev/zero */ + case 9: /* 1:9 /dev/urandom */ + return 1; + } + + return 0; +} + +char _license[] SEC("license") = "GPL"; +__u32 _version SEC("version") = LINUX_VERSION_CODE; diff --git a/tools/testing/selftests/bpf/test_dev_cgroup.c b/tools/testing/selftests/bpf/test_dev_cgroup.c new file mode 100644 index 000000000000..02c85d6c89b0 --- /dev/null +++ b/tools/testing/selftests/bpf/test_dev_cgroup.c 
@@ -0,0 +1,93 @@ +/* Copyright (c) 2017 Facebook + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + */ + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include "cgroup_helpers.h" + +#define DEV_CGROUP_PROG "./dev_cgroup.o" + +#define TEST_CGROUP "test-bpf-based-device-cgroup/" + +int main(int argc, char **argv) +{ + struct bpf_object *obj; + int error = EXIT_FAILURE; + int prog_fd, cgroup_fd; + __u32 prog_cnt; + + if (bpf_prog_load(DEV_CGROUP_PROG, BPF_PROG_TYPE_CGROUP_DEVICE, + &obj, &prog_fd)) { + printf("Failed to load DEV_CGROUP program\n"); + goto err; + } + + if (setup_cgroup_environment()) { + printf("Failed to load DEV_CGROUP program\n"); + goto err; + } + + /* Create a cgroup, get fd, and join it */ + cgroup_fd = create_and_get_cgroup(TEST_CGROUP); + if (!cgroup_fd) { + printf("Failed to create test cgroup\n"); + goto err; + } + + if (join_cgroup(TEST_CGROUP)) { + printf("Failed to join cgroup\n"); + goto err; + } + + /* Attach bpf program */ + if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) { + printf("Failed to attach DEV_CGROUP program"); + goto err; + } + + if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL, + &prog_cnt)) { + printf("Failed to query attached programs"); + goto err; + } + + /* All operations with /dev/zero and and /dev/urandom are allowed, + * everything else is forbidden. 
+ */ + assert(system("rm -f /tmp/test_dev_cgroup_null") == 0); + assert(system("mknod /tmp/test_dev_cgroup_null c 1 3")); + assert(system("rm -f /tmp/test_dev_cgroup_null") == 0); + + /* /dev/zero is whitelisted */ + assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0); + assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0); + assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0); + + assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0); + + /* src is allowed, target is forbidden */ + assert(system("dd if=/dev/urandom of=/dev/full count=64")); + + /* src is forbidden, target is allowed */ + assert(system("dd if=/dev/random of=/dev/zero count=64")); + + error = 0; + printf("test_dev_cgroup:PASS\n"); + +err: + cleanup_cgroup_environment(); + + return error; +} -- 2.13.6
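
Review bot: in the Makefile hunk, test_dev_cgroup is added to TEST_GEN_PROGS but nothing visible links it against cgroup_helpers.c, even though test_dev_cgroup.c includes "cgroup_helpers.h" and calls setup_cgroup_environment(), create_and_get_cgroup(), join_cgroup() and cleanup_cgroup_environment(). The diffstat shows only the two list changes in this file, so unless an existing rule already pulls that source in, add an explicit dependency for the new binary; otherwise the build stops at link time with undefined references.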
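
Review bot: in dev_cgroup.c the policy comment reads "Allow access to /dev/zero and /dev/random", but the switch allows minor 9, which its own case comment labels /dev/urandom, and the test in this patch expects /dev/random to be denied. Change the block comment to /dev/urandom so the documented policy matches the enforced one. In the DEBUG block, the writes to fmt[8], fmt[9] and fmt[10] depend on the exact padding inside the fmt literal; a short comment next to the literal, or named offsets, would keep a later edit of the string from turning them into writes past the end of the array.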
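
Review bot: in test_dev_cgroup.c the test commands run inside assert(), so a failed check aborts the process and never reaches the err: label, which leaves the test cgroup and the attached program in place because cleanup_cgroup_environment() is skipped; built with NDEBUG, the system() calls disappear entirely. Store each status in a local, compare it explicitly and goto err on mismatch. The deny cases such as assert(system("mknod /tmp/test_dev_cgroup_null c 1 3")) also pass on any non-zero status, so a failure unrelated to the device policy reads as a correct denial; checking the exit status more narrowly, or confirming that the same command succeeds before the program is attached, would tighten that. Smaller points: the setup_cgroup_environment() failure path prints "Failed to load DEV_CGROUP program", prog_cnt from bpf_prog_query() is never compared with the expected count, two printf() messages lack a trailing newline, and the policy comment has a doubled "and".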