From: Anita Zhang Date: Mon, 11 Oct 2021 07:25:20 +0000 (-0700) Subject: core: serialize device cgroup bpf progs across daemon-reload/reexec X-Git-Tag: v250-rc1~514 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0b4f8d94989dec304e70102798d5e942effe8bee;p=thirdparty%2Fsystemd.git core: serialize device cgroup bpf progs across daemon-reload/reexec Follows what was done in b57d75232615f98aefcf41cb145ec2ea3262857d and adds a test that verifies the device BPF program is not detached during reload/reexec.
---
diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c
index 9e1664ff53a..3458d7017bd 100644
--- a/src/core/unit-serialize.c
+++ b/src/core/unit-serialize.c
@@ -171,6 +171,7 @@ int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool switching_root) {
 (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", u->ip_bpf_ingress_installed);
 (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-egress-installed", u->ip_bpf_egress_installed);
+ (void) bpf_program_serialize_attachment(f, fds, "bpf-device-control-installed", u->bpf_device_control_installed);
 (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);
 (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);
@@ -408,6 +409,9 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
 } else if (streq(l, "ip-bpf-egress-installed")) {
 (void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_egress_installed);
 continue;
+ } else if (streq(l, "bpf-device-control-installed")) {
+ (void) bpf_program_deserialize_attachment(v, fds, &u->bpf_device_control_installed);
+ continue;
 } else if (streq(l, "ip-bpf-custom-ingress-installed")) {
 (void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_ingress_installed);
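Review bot: The new `bpf-device-control-installed` branch in unit_deserialize discards the result of `bpf_program_deserialize_attachment` with `(void)`, so an fd that cannot be recovered from the FDSet leaves `u->bpf_device_control_installed` NULL and the unit presumably comes back from reexec with no handle on a program that is still attached to its cgroup, with nothing in this hunk pointing at the cause. That mirrors the surrounding ip-bpf branches, so any change here is a matter of consistency with them; unless the helper already logs on its error path, emitting a debug-level unit log message there when deserialization of this particular key fails would make a silently lost device restriction diagnosable after a reload. The serialize side in the first hunk is best-effort in the same way, which is a pre-existing pattern rather than something this commit introduces. The enclosing `unit_serialize` and `unit_deserialize` both start and end outside their hunks.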
diff --git a/test/TEST-66-DEVICE-ISOLATION/Makefile b/test/TEST-66-DEVICE-ISOLATION/Makefile
new file mode 120000
index 00000000000..e9f93b1104c
--- /dev/null
+++ b/test/TEST-66-DEVICE-ISOLATION/Makefile
@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
\ No newline at end of file
diff --git a/test/TEST-66-DEVICE-ISOLATION/test.sh b/test/TEST-66-DEVICE-ISOLATION/test.sh
new file mode 100755
index 00000000000..534e43e493e
--- /dev/null
+++ b/test/TEST-66-DEVICE-ISOLATION/test.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+TEST_DESCRIPTION="test device isolation"
+TEST_NO_NSPAWN=1
+
+# shellcheck source=test/test-functions
+. "${TEST_BASE_DIR:?}/test-functions"
+
+do_test "$@"
diff --git a/test/units/testsuite-66-deviceisolation.service b/test/units/testsuite-66-deviceisolation.service
new file mode 100644
index 00000000000..9aeafa37472
--- /dev/null
+++ b/test/units/testsuite-66-deviceisolation.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Service that uses device isolation
+
+[Service]
+DevicePolicy=strict
+DeviceAllow=/dev/null r
+StandardOutput=file:/tmp/testsuite66serviceresults
+ExecStartPre=rm -f /tmp/testsuite66serviceresults
+ExecStart=/bin/bash -c "while true; do sleep 0.01 && echo meow > /dev/null && echo thisshouldnotbehere; done"
diff --git a/test/units/testsuite-66.service b/test/units/testsuite-66.service
new file mode 100644
index 00000000000..a97974a4262
--- /dev/null
+++ b/test/units/testsuite-66.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=TESTSUITE-66-DEVICEISOLATION
+
+[Service]
+ExecStartPre=rm -f /failed /testok
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
+Type=oneshot
diff --git a/test/units/testsuite-66.sh b/test/units/testsuite-66.sh
new file mode 100755
index 00000000000..6fffa4674f6
--- /dev/null
+++ b/test/units/testsuite-66.sh
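Review bot: testsuite-66-deviceisolation.service does not say why `/dev/null` is allowed read-only under `DevicePolicy=strict` while `ExecStart` keeps writing to it, which is the entire mechanism of the test and will read like a mistake to the next person who touches the unit. A comment above `DeviceAllow=/dev/null r` would carry it: `# Read-only on purpose: the write in ExecStart must fail with EPERM while the device BPF program is attached; "thisshouldnotbehere" only reaches the log if the program gets detached.` The "Operation not permitted" check in testsuite-66.sh presumably depends on bash's error text reaching the results file via stderr inheriting `StandardOutput`; if that is the intent, spelling out `StandardError=inherit` or noting it in the same comment would make the dependency visible rather than implicit.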
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eux
+set -o pipefail
+
+RESULTS_FILE=/tmp/testsuite66serviceresults
+
+systemd-analyze log-level debug
+systemd-analyze log-target console
+
+systemctl start testsuite-66-deviceisolation.service
+
+sleep 5
+grep -q "Operation not permitted" "$RESULTS_FILE"
+
+systemctl daemon-reload
+systemctl daemon-reexec
+
+systemctl stop testsuite-66-deviceisolation.service
+
+grep -q "thisshouldnotbehere" "$RESULTS_FILE" && exit 42
+
+systemd-analyze log-level info
+
+echo OK >/testok
+
+exit 0
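Review bot: After `systemctl daemon-reexec` the script stops the service immediately, so the only window in which a detached program could emit `thisshouldnotbehere` is the moment between reexec returning and `systemctl stop`, and the negative grep also passes vacuously if the service simply died during the reload. Mirroring the `sleep 5` used before the first grep and confirming the unit survived would make the regression check deterministic: insert `sleep 5` followed by `systemctl is-active testsuite-66-deviceisolation.service` between the reexec and the stop. Counting "Operation not permitted" lines before the reload and again after it, and asserting the count grew, would additionally prove the restriction is still being enforced rather than only that the marker string is absent, which is the stronger check for a fail-open regression. The `grep -q ... && exit 42` line is fine under `set -e` as written, since a failing command at the head of an AND-list does not trigger errexit.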