src/test/test-bpf.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2 /***
   3   This file is part of systemd.
   4
   5   Copyright 2016 Daniel Mack
   6
   7   systemd is free software; you can redistribute it and/or modify it
   8   under the terms of the GNU Lesser General Public License as published by
   9   the Free Software Foundation; either version 2.1 of the License, or
  10   (at your option) any later version.
  11
  12   systemd is distributed in the hope that it will be useful, but
  13   WITHOUT ANY WARRANTY; without even the implied warranty of
  14   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  15   Lesser General Public License for more details.
  16
  17   You should have received a copy of the GNU Lesser General Public License
  18   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  19 ***/
  20
  21 #include <linux/libbpf.h>
  22 #include <string.h>
  23 #include <unistd.h>
  24
  25 #include "bpf-firewall.h"
  26 #include "bpf-program.h"
  27 #include "load-fragment.h"
  28 #include "manager.h"
  29 #include "rm-rf.h"
  30 #include "service.h"
  31 #include "test-helper.h"
  32 #include "tests.h"
  33 #include "unit.h"
  34
  35 int main(int argc, char *argv[]) {
  36         struct bpf_insn exit_insn[] = {
  37                 BPF_MOV64_IMM(BPF_REG_0, 1),
  38                 BPF_EXIT_INSN()
  39         };
  40
  41         _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
  42         CGroupContext *cc = NULL;
  43         _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
  44         _cleanup_(manager_freep) Manager *m = NULL;
  45         Unit *u;
  46         char log_buf[65535];
  47         int r;
  48
  49         log_set_max_level(LOG_DEBUG);
  50         log_parse_environment();
  51         log_open();
  52
  53         r = enter_cgroup_subroot();
  54         if (r == -ENOMEDIUM) {
  55                 log_notice("cgroupfs not available, skipping tests");
  56                 return EXIT_TEST_SKIP;
  57         }
  58
  59         assert_se(set_unit_path(get_testdata_dir("")) >= 0);
  60         assert_se(runtime_dir = setup_fake_runtime_dir());
  61
  62         r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
  63         assert(r == 0);
  64
  65         r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));
  66         assert(r == 0);
  67
  68         if (getuid() != 0) {
  69                 log_notice("Not running as root, skipping kernel related tests.");
  70                 return EXIT_TEST_SKIP;
  71         }
  72
  73         r = bpf_firewall_supported();
  74         if (r == BPF_FIREWALL_UNSUPPORTED) {
  75                 log_notice("BPF firewalling not supported, skipping");
  76                 return EXIT_TEST_SKIP;
  77         }
  78         assert_se(r > 0);
  79
  80         if (r == BPF_FIREWALL_SUPPORTED_WITH_MULTI)
  81                 log_notice("BPF firewalling with BPF_F_ALLOW_MULTI supported. Yay!");
  82         else
  83                 log_notice("BPF firewalling (though without BPF_F_ALLOW_MULTI) supported. Good.");
  84
  85         r = bpf_program_load_kernel(p, log_buf, ELEMENTSOF(log_buf));
  86         assert(r >= 0);
  87
  88         p = bpf_program_unref(p);
  89
  90         /* The simple tests suceeded. Now let's try full unit-based use-case. */
  91
  92         assert_se(manager_new(UNIT_FILE_USER, true, &m) >= 0);
  93         assert_se(manager_startup(m, NULL, NULL) >= 0);
  94
  95         assert_se(u = unit_new(m, sizeof(Service)));
  96         assert_se(unit_add_name(u, "foo.service") == 0);
  97         assert_se(cc = unit_get_cgroup_context(u));
  98         u->perpetual = true;
  99
 100         cc->ip_accounting = true;
 101
 102         assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressAllow", 0, "10.0.1.0/24", &cc->ip_address_allow, NULL) == 0);
 103         assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressAllow", 0, "127.0.0.2", &cc->ip_address_allow, NULL) == 0);
 104         assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.3", &cc->ip_address_deny, NULL) == 0);
 105         assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "10.0.3.2/24", &cc->ip_address_deny, NULL) == 0);
 106         assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.1/25", &cc->ip_address_deny, NULL) == 0);
 107         assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.4", &cc->ip_address_deny, NULL) == 0);
 108
 109         assert(cc->ip_address_allow);
 110         assert(cc->ip_address_allow->items_next);
 111         assert(!cc->ip_address_allow->items_next->items_next);
 112
 113         /* The deny list is defined redundantly, let's ensure it got properly reduced */
 114         assert(cc->ip_address_deny);
 115         assert(cc->ip_address_deny->items_next);
 116         assert(!cc->ip_address_deny->items_next->items_next);
 117
 118         assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.2 -W 5", SERVICE(u)->exec_command, u) == 0);
 119         assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.3 -W 5", SERVICE(u)->exec_command, u) == 0);
 120
 121         assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]);
 122         assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next);
 123         assert_se(!SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->command_next);
 124
 125         SERVICE(u)->type = SERVICE_ONESHOT;
 126         u->load_state = UNIT_LOADED;
 127
 128         unit_dump(u, stdout, NULL);
 129
 130         r = bpf_firewall_compile(u);
 131         if (IN_SET(r, -ENOTTY, -ENOSYS, -EPERM ))
 132                 /* Kernel doesn't support the necessary bpf bits, or masked out via seccomp? */
 133                 return EXIT_TEST_SKIP;
 134         assert_se(r >= 0);
 135
 136         assert(u->ip_bpf_ingress);
 137         assert(u->ip_bpf_egress);
 138
 139         r = bpf_program_load_kernel(u->ip_bpf_ingress, log_buf, ELEMENTSOF(log_buf));
 140
 141         log_notice("log:");
 142         log_notice("-------");
 143         log_notice("%s", log_buf);
 144         log_notice("-------");
 145
 146         assert(r >= 0);
 147
 148         r = bpf_program_load_kernel(u->ip_bpf_egress, log_buf, ELEMENTSOF(log_buf));
 149
 150         log_notice("log:");
 151         log_notice("-------");
 152         log_notice("%s", log_buf);
 153         log_notice("-------");
 154
 155         assert(r >= 0);
 156
 157         assert_se(unit_start(u) >= 0);
 158
 159         while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED))
 160                 assert_se(sd_event_run(m->event, UINT64_MAX) >= 0);
 161
 162         assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code == CLD_EXITED &&
 163                   SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status == EXIT_SUCCESS);
 164
 165         assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED ||
 166                   SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS);
 167
 168         return 0;
 169 }