]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/test/test-bpf-firewall.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: split out a few funcs into unit-serialize.[ch]
[thirdparty/systemd.git] / src / test / test-bpf-firewall.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <linux/bpf_insn.h>
4 #include <string.h>
5 #include <unistd.h>
6
7 #include "bpf-firewall.h"
8 #include "bpf-program.h"
9 #include "load-fragment.h"
10 #include "manager.h"
11 #include "memory-util.h"
12 #include "rm-rf.h"
13 #include "service.h"
14 #include "tests.h"
15 #include "unit-serialize.h"
16 #include "virt.h"
17
18 int main(int argc, char *argv[]) {
19 const struct bpf_insn exit_insn[] = {
20 BPF_MOV64_IMM(BPF_REG_0, 0), /* drop */
21 BPF_EXIT_INSN()
22 };
23
24 _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
25 CGroupContext *cc = NULL;
26 _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
27 _cleanup_(manager_freep) Manager *m = NULL;
28 Unit *u;
29 char log_buf[65535];
30 struct rlimit rl;
31 int r;
32 union bpf_attr attr;
33 bool test_custom_filter = false;
34 const char *test_prog = "/sys/fs/bpf/test-dropper";
35
36 test_setup_logging(LOG_DEBUG);
37
38 if (detect_container() > 0)
39 return log_tests_skipped("test-bpf-firewall fails inside LXC and Docker containers: https://github.com/systemd/systemd/issues/9666");
40
41 assert_se(getrlimit(RLIMIT_MEMLOCK, &rl) >= 0);
42 rl.rlim_cur = rl.rlim_max = MAX(rl.rlim_max, CAN_MEMLOCK_SIZE);
43 (void) setrlimit(RLIMIT_MEMLOCK, &rl);
44
45 if (!can_memlock())
46 return log_tests_skipped("Can't use mlock()");
47
48 r = enter_cgroup_subroot(NULL);
49 if (r == -ENOMEDIUM)
50 return log_tests_skipped("cgroupfs not available");
51
52 _cleanup_free_ char *unit_dir = NULL;
53 assert_se(get_testdata_dir("units", &unit_dir) >= 0);
54 assert_se(set_unit_path(unit_dir) >= 0);
55 assert_se(runtime_dir = setup_fake_runtime_dir());
56
57 r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
58 assert(r == 0);
59
60 r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));
61 assert(r == 0);
62
63 if (getuid() != 0)
64 return log_tests_skipped("not running as root");
65
66 r = bpf_firewall_supported();
67 if (r == BPF_FIREWALL_UNSUPPORTED)
68 return log_tests_skipped("BPF firewalling not supported");
69 assert_se(r > 0);
70
71 if (r == BPF_FIREWALL_SUPPORTED_WITH_MULTI) {
72 log_notice("BPF firewalling with BPF_F_ALLOW_MULTI supported. Yay!");
73 test_custom_filter = true;
74 } else
75 log_notice("BPF firewalling (though without BPF_F_ALLOW_MULTI) supported. Good.");
76
77 r = bpf_program_load_kernel(p, log_buf, ELEMENTSOF(log_buf));
78 assert(r >= 0);
79
80 if (test_custom_filter) {
81 zero(attr);
82 attr.pathname = PTR_TO_UINT64(test_prog);
83 attr.bpf_fd = p->kernel_fd;
84 attr.file_flags = 0;
85
86 (void) unlink(test_prog);
87
88 r = bpf(BPF_OBJ_PIN, &attr, sizeof(attr));
89 if (r < 0) {
90 log_warning_errno(errno, "BPF object pinning failed, will not run custom filter test: %m");
91 test_custom_filter = false;
92 }
93 }
94
95 p = bpf_program_unref(p);
96
97 /* The simple tests succeeded. Now let's try full unit-based use-case. */
98
99 assert_se(manager_new(UNIT_FILE_USER, MANAGER_TEST_RUN_BASIC, &m) >= 0);
100 assert_se(manager_startup(m, NULL, NULL) >= 0);
101
102 assert_se(u = unit_new(m, sizeof(Service)));
103 assert_se(unit_add_name(u, "foo.service") == 0);
104 assert_se(cc = unit_get_cgroup_context(u));
105 u->perpetual = true;
106
107 cc->ip_accounting = true;
108
109 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressAllow", 0, "10.0.1.0/24", &cc->ip_address_allow, NULL) == 0);
110 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressAllow", 0, "127.0.0.2", &cc->ip_address_allow, NULL) == 0);
111 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.3", &cc->ip_address_deny, NULL) == 0);
112 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "10.0.3.2/24", &cc->ip_address_deny, NULL) == 0);
113 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.1/25", &cc->ip_address_deny, NULL) == 0);
114 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.4", &cc->ip_address_deny, NULL) == 0);
115
116 assert(cc->ip_address_allow);
117 assert(cc->ip_address_allow->items_next);
118 assert(!cc->ip_address_allow->items_next->items_next);
119
120 /* The deny list is defined redundantly, let's ensure it got properly reduced */
121 assert(cc->ip_address_deny);
122 assert(cc->ip_address_deny->items_next);
123 assert(!cc->ip_address_deny->items_next->items_next);
124
125 assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.2 -W 5", SERVICE(u)->exec_command, u) == 0);
126 assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.3 -W 5", SERVICE(u)->exec_command, u) == 0);
127
128 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]);
129 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next);
130 assert_se(!SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->command_next);
131
132 SERVICE(u)->type = SERVICE_ONESHOT;
133 u->load_state = UNIT_LOADED;
134
135 unit_dump(u, stdout, NULL);
136
137 r = bpf_firewall_compile(u);
138 if (IN_SET(r, -ENOTTY, -ENOSYS, -EPERM))
139 return log_tests_skipped("Kernel doesn't support the necessary bpf bits (masked out via seccomp?)");
140 assert_se(r >= 0);
141
142 assert(u->ip_bpf_ingress);
143 assert(u->ip_bpf_egress);
144
145 r = bpf_program_load_kernel(u->ip_bpf_ingress, log_buf, ELEMENTSOF(log_buf));
146
147 log_notice("log:");
148 log_notice("-------");
149 log_notice("%s", log_buf);
150 log_notice("-------");
151
152 assert(r >= 0);
153
154 r = bpf_program_load_kernel(u->ip_bpf_egress, log_buf, ELEMENTSOF(log_buf));
155
156 log_notice("log:");
157 log_notice("-------");
158 log_notice("%s", log_buf);
159 log_notice("-------");
160
161 assert(r >= 0);
162
163 assert_se(unit_start(u) >= 0);
164
165 while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED))
166 assert_se(sd_event_run(m->event, UINT64_MAX) >= 0);
167
168 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code == CLD_EXITED &&
169 SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status == EXIT_SUCCESS);
170
171 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED ||
172 SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS);
173
174 if (test_custom_filter) {
175 assert_se(u = unit_new(m, sizeof(Service)));
176 assert_se(unit_add_name(u, "custom-filter.service") == 0);
177 assert_se(cc = unit_get_cgroup_context(u));
178 u->perpetual = true;
179
180 cc->ip_accounting = true;
181
182 assert_se(config_parse_ip_filter_bpf_progs(u->id, "filename", 1, "Service", 1, "IPIngressFilterPath", 0, test_prog, &cc->ip_filters_ingress, u) == 0);
183 assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "-/bin/ping -c 1 127.0.0.1 -W 5", SERVICE(u)->exec_command, u) == 0);
184
185 SERVICE(u)->type = SERVICE_ONESHOT;
186 u->load_state = UNIT_LOADED;
187
188 assert_se(unit_start(u) >= 0);
189
190 while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED))
191 assert_se(sd_event_run(m->event, UINT64_MAX) >= 0);
192
193 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code != CLD_EXITED ||
194 SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status != EXIT_SUCCESS);
195
196 (void) unlink(test_prog);
197 assert_se(SERVICE(u)->state == SERVICE_DEAD);
198 }
199
200 return 0;
201 }
Unnamed repository; edit this file 'description' to name the repository.