(void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", u->ip_bpf_ingress_installed);
(void) bpf_program_serialize_attachment(f, fds, "ip-bpf-egress-installed", u->ip_bpf_egress_installed);
+ (void) bpf_program_serialize_attachment(f, fds, "bpf-device-control-installed", u->bpf_device_control_installed);
(void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);
(void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);
} else if (streq(l, "ip-bpf-egress-installed")) {
(void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_egress_installed);
continue;
+ } else if (streq(l, "bpf-device-control-installed")) {
+ (void) bpf_program_deserialize_attachment(v, fds, &u->bpf_device_control_installed);
+ continue;
} else if (streq(l, "ip-bpf-custom-ingress-installed")) {
(void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_ingress_installed);
--- /dev/null
+[Unit]
+Description=Service that uses device isolation
+
+[Service]
+DevicePolicy=strict
+DeviceAllow=/dev/null r
+StandardOutput=file:/tmp/testsuite66serviceresults
+ExecStartPre=rm -f /tmp/testsuite66serviceresults
+ExecStart=/bin/bash -c "while true; do sleep 0.01 && echo meow > /dev/null && echo thisshouldnotbehere; done"
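Review bot: The unit relies on an implicit interaction that deserves a comment: `DeviceAllow=/dev/null r` grants read-only access, so the `echo meow > /dev/null` redirect in ExecStart is expected to fail with EPERM and short-circuit the `&&` chain, which is what keeps "thisshouldnotbehere" out of the results file. Without that note a later editor may "fix" the allow entry to `rw` and silently turn the test into a no-op; suggest adding above the ExecStart line `# /dev/null is deliberately read-only: the write must fail, so "thisshouldnotbehere" must never reach StandardOutput`. Also, the results path is a fixed name under the world-writable /tmp that is removed and recreated by a root service; inside the test VM that is presumably acceptable, but a path under a private directory would avoid depending on nothing else having created that name first.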
--- /dev/null
+#!/usr/bin/env bash
+set -eux
+set -o pipefail
+
+RESULTS_FILE=/tmp/testsuite66serviceresults
+
+systemd-analyze log-level debug
+systemd-analyze log-target console
+
+systemctl start testsuite-66-deviceisolation.service
+
+sleep 5
+grep -q "Operation not permitted" "$RESULTS_FILE"
+
+systemctl daemon-reload
+systemctl daemon-reexec
+
+systemctl stop testsuite-66-deviceisolation.service
+
+grep -q "thisshouldnotbehere" "$RESULTS_FILE" && exit 42
+
+systemd-analyze log-level info
+
+echo OK >/testok
+
+exit 0
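Review bot: The post-reexec check at the `grep -q "thisshouldnotbehere"` line only proves something if the service keeps running after `systemctl daemon-reexec` long enough for the BPF program to be exercised again, but the script stops the service immediately after reexec with no wait; if the device-control program were lost across reexec, the regression could go unobserved depending on timing. Suggest mirroring the first phase, e.g. `systemctl daemon-reexec` followed by `sleep 5` before `systemctl stop testsuite-66-deviceisolation.service`, so the second grep actually covers the reexec'd manager. The `grep -q "Operation not permitted"` match also depends on the shell's error message text and locale inside the service; a one-line comment stating that the string comes from bash's redirect failure would make the expectation explicit.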