1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2016 Daniel Mack
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <linux/libbpf.h>
25 #include "bpf-firewall.h"
26 #include "bpf-program.h"
27 #include "load-fragment.h"
31 #include "test-helper.h"
35 int main(int argc
, char *argv
[]) {
36 struct bpf_insn exit_insn
[] = {
37 BPF_MOV64_IMM(BPF_REG_0
, 1),
41 _cleanup_(rm_rf_physical_and_freep
) char *runtime_dir
= NULL
;
42 CGroupContext
*cc
= NULL
;
43 _cleanup_(bpf_program_unrefp
) BPFProgram
*p
= NULL
;
44 _cleanup_(manager_freep
) Manager
*m
= NULL
;
49 log_set_max_level(LOG_DEBUG
);
50 log_parse_environment();
53 r
= enter_cgroup_subroot();
54 if (r
== -ENOMEDIUM
) {
55 log_notice("cgroupfs not available, skipping tests");
56 return EXIT_TEST_SKIP
;
59 assert_se(set_unit_path(get_testdata_dir("")) >= 0);
60 assert_se(runtime_dir
= setup_fake_runtime_dir());
62 r
= bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB
, &p
);
65 r
= bpf_program_add_instructions(p
, exit_insn
, ELEMENTSOF(exit_insn
));
69 log_notice("Not running as root, skipping kernel related tests.");
70 return EXIT_TEST_SKIP
;
73 r
= bpf_firewall_supported();
74 if (r
== BPF_FIREWALL_UNSUPPORTED
) {
75 log_notice("BPF firewalling not supported, skipping");
76 return EXIT_TEST_SKIP
;
80 if (r
== BPF_FIREWALL_SUPPORTED_WITH_MULTI
)
81 log_notice("BPF firewalling with BPF_F_ALLOW_MULTI supported. Yay!");
83 log_notice("BPF firewalling (though without BPF_F_ALLOW_MULTI) supported. Good.");
85 r
= bpf_program_load_kernel(p
, log_buf
, ELEMENTSOF(log_buf
));
88 p
= bpf_program_unref(p
);
90 /* The simple tests suceeded. Now let's try full unit-based use-case. */
92 assert_se(manager_new(UNIT_FILE_USER
, true, &m
) >= 0);
93 assert_se(manager_startup(m
, NULL
, NULL
) >= 0);
95 assert_se(u
= unit_new(m
, sizeof(Service
)));
96 assert_se(unit_add_name(u
, "foo.service") == 0);
97 assert_se(cc
= unit_get_cgroup_context(u
));
100 cc
->ip_accounting
= true;
102 assert_se(config_parse_ip_address_access(u
->id
, "filename", 1, "Service", 1, "IPAddressAllow", 0, "10.0.1.0/24", &cc
->ip_address_allow
, NULL
) == 0);
103 assert_se(config_parse_ip_address_access(u
->id
, "filename", 1, "Service", 1, "IPAddressAllow", 0, "127.0.0.2", &cc
->ip_address_allow
, NULL
) == 0);
104 assert_se(config_parse_ip_address_access(u
->id
, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.3", &cc
->ip_address_deny
, NULL
) == 0);
105 assert_se(config_parse_ip_address_access(u
->id
, "filename", 1, "Service", 1, "IPAddressDeny", 0, "10.0.3.2/24", &cc
->ip_address_deny
, NULL
) == 0);
106 assert_se(config_parse_ip_address_access(u
->id
, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.1/25", &cc
->ip_address_deny
, NULL
) == 0);
107 assert_se(config_parse_ip_address_access(u
->id
, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.4", &cc
->ip_address_deny
, NULL
) == 0);
109 assert(cc
->ip_address_allow
);
110 assert(cc
->ip_address_allow
->items_next
);
111 assert(!cc
->ip_address_allow
->items_next
->items_next
);
113 /* The deny list is defined redundantly, let's ensure it got properly reduced */
114 assert(cc
->ip_address_deny
);
115 assert(cc
->ip_address_deny
->items_next
);
116 assert(!cc
->ip_address_deny
->items_next
->items_next
);
118 assert_se(config_parse_exec(u
->id
, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START
, "/bin/ping -c 1 127.0.0.2 -W 5", SERVICE(u
)->exec_command
, u
) == 0);
119 assert_se(config_parse_exec(u
->id
, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START
, "/bin/ping -c 1 127.0.0.3 -W 5", SERVICE(u
)->exec_command
, u
) == 0);
121 assert_se(SERVICE(u
)->exec_command
[SERVICE_EXEC_START
]);
122 assert_se(SERVICE(u
)->exec_command
[SERVICE_EXEC_START
]->command_next
);
123 assert_se(!SERVICE(u
)->exec_command
[SERVICE_EXEC_START
]->command_next
->command_next
);
125 SERVICE(u
)->type
= SERVICE_ONESHOT
;
126 u
->load_state
= UNIT_LOADED
;
128 unit_dump(u
, stdout
, NULL
);
130 r
= bpf_firewall_compile(u
);
131 if (IN_SET(r
, -ENOTTY
, -ENOSYS
, -EPERM
))
132 /* Kernel doesn't support the necessary bpf bits, or masked out via seccomp? */
133 return EXIT_TEST_SKIP
;
136 assert(u
->ip_bpf_ingress
);
137 assert(u
->ip_bpf_egress
);
139 r
= bpf_program_load_kernel(u
->ip_bpf_ingress
, log_buf
, ELEMENTSOF(log_buf
));
142 log_notice("-------");
143 log_notice("%s", log_buf
);
144 log_notice("-------");
148 r
= bpf_program_load_kernel(u
->ip_bpf_egress
, log_buf
, ELEMENTSOF(log_buf
));
151 log_notice("-------");
152 log_notice("%s", log_buf
);
153 log_notice("-------");
157 assert_se(unit_start(u
) >= 0);
159 while (!IN_SET(SERVICE(u
)->state
, SERVICE_DEAD
, SERVICE_FAILED
))
160 assert_se(sd_event_run(m
->event
, UINT64_MAX
) >= 0);
162 assert_se(SERVICE(u
)->exec_command
[SERVICE_EXEC_START
]->exec_status
.code
== CLD_EXITED
&&
163 SERVICE(u
)->exec_command
[SERVICE_EXEC_START
]->exec_status
.status
== EXIT_SUCCESS
);
165 assert_se(SERVICE(u
)->exec_command
[SERVICE_EXEC_START
]->command_next
->exec_status
.code
!= CLD_EXITED
||
166 SERVICE(u
)->exec_command
[SERVICE_EXEC_START
]->command_next
->exec_status
.status
!= EXIT_SUCCESS
);