From: Roman Gushchin
CC: Tejun Heo, Alexei Starovoitov, Daniel Borkmann, Roman Gushchin
Subject: [PATCH v3 net-next 5/5] selftests/bpf: add a test for device cgroup controller
Date: Sun, 5 Nov 2017 08:15:34 -0500
Message-ID: <20171105131534.25040-6-guro@fb.com>
In-Reply-To: <20171105131534.25040-1-guro@fb.com>
References: <20171104.224008.1289480268047106418.davem@davemloft.net> <20171105131534.25040-1-guro@fb.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add a test for device cgroup controller.

The test loads a simple bpf program which logs all device access attempts using trace_printk() and forbids all operations except operations with /dev/zero and /dev/urandom. Then the test creates and joins a test cgroup, and attaches the bpf program to it.

Then it tries to perform some simple device operations and checks the result:

  create /dev/null (should fail)
  create /dev/zero (should pass)
  copy data from /dev/urandom to /dev/zero (should pass)
  copy data from /dev/urandom to /dev/full (should fail)
  copy data from /dev/random to /dev/zero (should fail)

Signed-off-by: Roman Gushchin
Acked-by: Alexei Starovoitov
Acked-by: Tejun Heo
Cc: Daniel Borkmann
--- tools/testing/selftests/bpf/Makefile | 4 +- tools/testing/selftests/bpf/dev_cgroup.c | 60 +++++++++++++++++ tools/testing/selftests/bpf/test_dev_cgroup.c | 93 +++++++++++++++++++++++++++ 3 files changed, 155 insertions(+), 2 deletions(-) create mode 100644 tools/testing/selftests/bpf/dev_cgroup.c create mode 100644 tools/testing/selftests/bpf/test_dev_cgroup.c diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index 9fbb02638198..333a48655ee0 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -13,11 +13,11 @@ CFLAGS += -Wall -O2 -I$(APIDIR) -I$(LIBDIR) -I$(GENDIR) $(GENFLAGS) -I../../../i LDLIBS += -lcap -lelf TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \ - test_align test_verifier_log + test_align test_verifier_log test_dev_cgroup TEST_GEN_FILES = test_pkt_access.o test_xdp.o test_l4lb.o test_tcp_estats.o test_obj_id.o \ test_pkt_md_access.o test_xdp_redirect.o test_xdp_meta.o sockmap_parse_prog.o \ - sockmap_verdict_prog.o + sockmap_verdict_prog.o dev_cgroup.o TEST_PROGS := test_kmod.sh test_xdp_redirect.sh test_xdp_meta.sh diff --git a/tools/testing/selftests/bpf/dev_cgroup.c b/tools/testing/selftests/bpf/dev_cgroup.c new file mode 100644 index 000000000000..ce41a3475f27 --- /dev/null
+++ b/tools/testing/selftests/bpf/dev_cgroup.c @@ -0,0 +1,60 @@ +/* Copyright (c) 2017 Facebook + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + */ + +#include +#include +#include "bpf_helpers.h" + +SEC("cgroup/dev") +int bpf_prog1(struct bpf_cgroup_dev_ctx *ctx) +{ + short type = ctx->access_type & 0xFFFF; +#ifdef DEBUG + short access = ctx->access_type >> 16; + char fmt[] = " %d:%d \n"; + + switch (type) { + case BPF_DEVCG_DEV_BLOCK: + fmt[0] = 'b'; + break; + case BPF_DEVCG_DEV_CHAR: + fmt[0] = 'c'; + break; + default: + fmt[0] = '?'; + break; + } + + if (access & BPF_DEVCG_ACC_READ) + fmt[8] = 'r'; + + if (access & BPF_DEVCG_ACC_WRITE) + fmt[9] = 'w'; + + if (access & BPF_DEVCG_ACC_MKNOD) + fmt[10] = 'm'; + + bpf_trace_printk(fmt, sizeof(fmt), ctx->major, ctx->minor); +#endif + + /* Allow access to /dev/zero and /dev/random. + * Forbid everything else. + */ + if (ctx->major != 1 || type != BPF_DEVCG_DEV_CHAR) + return 0; + + switch (ctx->minor) { + case 5: /* 1:5 /dev/zero */ + case 9: /* 1:9 /dev/urandom */ + return 1; + } + + return 0; +} + +char _license[] SEC("license") = "GPL"; +__u32 _version SEC("version") = LINUX_VERSION_CODE; diff --git a/tools/testing/selftests/bpf/test_dev_cgroup.c b/tools/testing/selftests/bpf/test_dev_cgroup.c new file mode 100644 index 000000000000..02c85d6c89b0 --- /dev/null +++ b/tools/testing/selftests/bpf/test_dev_cgroup.c 
@@ -0,0 +1,93 @@ +/* Copyright (c) 2017 Facebook + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + */ + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include "cgroup_helpers.h" + +#define DEV_CGROUP_PROG "./dev_cgroup.o" + +#define TEST_CGROUP "test-bpf-based-device-cgroup/" + +int main(int argc, char **argv) +{ + struct bpf_object *obj; + int error = EXIT_FAILURE; + int prog_fd, cgroup_fd; + __u32 prog_cnt; + + if (bpf_prog_load(DEV_CGROUP_PROG, BPF_PROG_TYPE_CGROUP_DEVICE, + &obj, &prog_fd)) { + printf("Failed to load DEV_CGROUP program\n"); + goto err; + } + + if (setup_cgroup_environment()) { + printf("Failed to load DEV_CGROUP program\n"); + goto err; + } + + /* Create a cgroup, get fd, and join it */ + cgroup_fd = create_and_get_cgroup(TEST_CGROUP); + if (!cgroup_fd) { + printf("Failed to create test cgroup\n"); + goto err; + } + + if (join_cgroup(TEST_CGROUP)) { + printf("Failed to join cgroup\n"); + goto err; + } + + /* Attach bpf program */ + if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) { + printf("Failed to attach DEV_CGROUP program"); + goto err; + } + + if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL, + &prog_cnt)) { + printf("Failed to query attached programs"); + goto err; + } + + /* All operations with /dev/zero and and /dev/urandom are allowed, + * everything else is forbidden. 
+ */ + assert(system("rm -f /tmp/test_dev_cgroup_null") == 0); + assert(system("mknod /tmp/test_dev_cgroup_null c 1 3")); + assert(system("rm -f /tmp/test_dev_cgroup_null") == 0); + + /* /dev/zero is whitelisted */ + assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0); + assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0); + assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0); + + assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0); + + /* src is allowed, target is forbidden */ + assert(system("dd if=/dev/urandom of=/dev/full count=64")); + + /* src is forbidden, target is allowed */ + assert(system("dd if=/dev/random of=/dev/zero count=64")); + + error = 0; + printf("test_dev_cgroup:PASS\n"); + +err: + cleanup_cgroup_environment(); + + return error; +} -- 2.13.6
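
Review bot: In dev_cgroup.c, the comment above the final allow check reads "Allow access to /dev/zero and /dev/random", but the switch on ctx->minor permits minor 9, which its own case label gives as 1:9 /dev/urandom, and both the commit message and the test treat /dev/random as forbidden. Change the comment to name /dev/urandom so the stated policy matches the allow-list the program enforces. The decision also ignores the access bits in the upper half of ctx->access_type (they are only decoded under DEBUG), so read, write and mknod are all granted for the two allowed devices; the test depends on that for the mknod of 1:5, and a word in the comment saying the access mask is deliberately not checked would keep anyone reusing this program as a policy template from assuming otherwise.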
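
Review bot: In main() of test_dev_cgroup.c, every device check is an assert(system(...)), so a failed expectation aborts the process without reaching the err: label and cleanup_cgroup_environment() never runs, leaving the test cgroup and its attached device program behind; a build with NDEBUG would also drop the system() calls entirely and the test would print PASS without testing anything. Replace the asserts with explicit checks that print which step failed and goto err. In the same function, the setup_cgroup_environment() failure path prints "Failed to load DEV_CGROUP program", copied from the bpf_prog_load() check above it, and should report the cgroup environment setup instead. prog_cnt is filled in by bpf_prog_query() but never compared against anything, so the query only proves the call succeeded; checking that it equals 1 would confirm the program is actually attached. The two messages "Failed to attach DEV_CGROUP program" and "Failed to query attached programs" are missing their trailing "\n", and the comment before the checks has a doubled "and and".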