]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/test/test-bpf.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: drop license boilerplate
[thirdparty/systemd.git] / src / test / test-bpf.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2016 Daniel Mack
6 ***/
7
8 #include <linux/libbpf.h>
9 #include <string.h>
10 #include <unistd.h>
11
12 #include "bpf-firewall.h"
13 #include "bpf-program.h"
14 #include "load-fragment.h"
15 #include "manager.h"
16 #include "rm-rf.h"
17 #include "service.h"
18 #include "test-helper.h"
19 #include "tests.h"
20 #include "unit.h"
21
22 int main(int argc, char *argv[]) {
23 struct bpf_insn exit_insn[] = {
24 BPF_MOV64_IMM(BPF_REG_0, 1),
25 BPF_EXIT_INSN()
26 };
27
28 _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
29 CGroupContext *cc = NULL;
30 _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
31 _cleanup_(manager_freep) Manager *m = NULL;
32 Unit *u;
33 char log_buf[65535];
34 int r;
35
36 log_set_max_level(LOG_DEBUG);
37 log_parse_environment();
38 log_open();
39
40 r = enter_cgroup_subroot();
41 if (r == -ENOMEDIUM) {
42 log_notice("cgroupfs not available, skipping tests");
43 return EXIT_TEST_SKIP;
44 }
45
46 assert_se(set_unit_path(get_testdata_dir("")) >= 0);
47 assert_se(runtime_dir = setup_fake_runtime_dir());
48
49 r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
50 assert(r == 0);
51
52 r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));
53 assert(r == 0);
54
55 if (getuid() != 0) {
56 log_notice("Not running as root, skipping kernel related tests.");
57 return EXIT_TEST_SKIP;
58 }
59
60 r = bpf_firewall_supported();
61 if (r == BPF_FIREWALL_UNSUPPORTED) {
62 log_notice("BPF firewalling not supported, skipping");
63 return EXIT_TEST_SKIP;
64 }
65 assert_se(r > 0);
66
67 if (r == BPF_FIREWALL_SUPPORTED_WITH_MULTI)
68 log_notice("BPF firewalling with BPF_F_ALLOW_MULTI supported. Yay!");
69 else
70 log_notice("BPF firewalling (though without BPF_F_ALLOW_MULTI) supported. Good.");
71
72 r = bpf_program_load_kernel(p, log_buf, ELEMENTSOF(log_buf));
73 assert(r >= 0);
74
75 p = bpf_program_unref(p);
76
77 /* The simple tests suceeded. Now let's try full unit-based use-case. */
78
79 assert_se(manager_new(UNIT_FILE_USER, true, &m) >= 0);
80 assert_se(manager_startup(m, NULL, NULL) >= 0);
81
82 assert_se(u = unit_new(m, sizeof(Service)));
83 assert_se(unit_add_name(u, "foo.service") == 0);
84 assert_se(cc = unit_get_cgroup_context(u));
85 u->perpetual = true;
86
87 cc->ip_accounting = true;
88
89 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressAllow", 0, "10.0.1.0/24", &cc->ip_address_allow, NULL) == 0);
90 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressAllow", 0, "127.0.0.2", &cc->ip_address_allow, NULL) == 0);
91 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.3", &cc->ip_address_deny, NULL) == 0);
92 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "10.0.3.2/24", &cc->ip_address_deny, NULL) == 0);
93 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.1/25", &cc->ip_address_deny, NULL) == 0);
94 assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.4", &cc->ip_address_deny, NULL) == 0);
95
96 assert(cc->ip_address_allow);
97 assert(cc->ip_address_allow->items_next);
98 assert(!cc->ip_address_allow->items_next->items_next);
99
100 /* The deny list is defined redundantly, let's ensure it got properly reduced */
101 assert(cc->ip_address_deny);
102 assert(cc->ip_address_deny->items_next);
103 assert(!cc->ip_address_deny->items_next->items_next);
104
105 assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.2 -W 5", SERVICE(u)->exec_command, u) == 0);
106 assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.3 -W 5", SERVICE(u)->exec_command, u) == 0);
107
108 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]);
109 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next);
110 assert_se(!SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->command_next);
111
112 SERVICE(u)->type = SERVICE_ONESHOT;
113 u->load_state = UNIT_LOADED;
114
115 unit_dump(u, stdout, NULL);
116
117 r = bpf_firewall_compile(u);
118 if (IN_SET(r, -ENOTTY, -ENOSYS, -EPERM ))
119 /* Kernel doesn't support the necessary bpf bits, or masked out via seccomp? */
120 return EXIT_TEST_SKIP;
121 assert_se(r >= 0);
122
123 assert(u->ip_bpf_ingress);
124 assert(u->ip_bpf_egress);
125
126 r = bpf_program_load_kernel(u->ip_bpf_ingress, log_buf, ELEMENTSOF(log_buf));
127
128 log_notice("log:");
129 log_notice("-------");
130 log_notice("%s", log_buf);
131 log_notice("-------");
132
133 assert(r >= 0);
134
135 r = bpf_program_load_kernel(u->ip_bpf_egress, log_buf, ELEMENTSOF(log_buf));
136
137 log_notice("log:");
138 log_notice("-------");
139 log_notice("%s", log_buf);
140 log_notice("-------");
141
142 assert(r >= 0);
143
144 assert_se(unit_start(u) >= 0);
145
146 while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED))
147 assert_se(sd_event_run(m->event, UINT64_MAX) >= 0);
148
149 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code == CLD_EXITED &&
150 SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status == EXIT_SUCCESS);
151
152 assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED ||
153 SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS);
154
155 return 0;
156 }
Unnamed repository; edit this file 'description' to name the repository.