daandemeyer / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
Blob Blame History Raw
From a58dea6130fdcccd8cdf50633c939b45e2b32189 Mon Sep 17 00:00:00 2001
From: Anita Zhang <the.anitazha@gmail.com>
Date: Mon, 11 Oct 2021 00:25:20 -0700
Subject: [PATCH] core: serialize device cgroup bpf progs across
 daemon-reload/reexec

Follows what was done in b57d75232615f98aefcf41cb145ec2ea3262857d and
adds a test that verifies the device BPF program is not detached during
reload/reexec.
---
 src/core/unit-serialize.c                     |  4 ++++
 test/TEST-66-DEVICE-ISOLATION/Makefile        |  1 +
 test/TEST-66-DEVICE-ISOLATION/test.sh         | 10 ++++++++
 .../testsuite-66-deviceisolation.service      |  9 ++++++++
 test/units/testsuite-66.service               |  7 ++++++
 test/units/testsuite-66.sh                    | 23 +++++++++++++++++++
 6 files changed, 54 insertions(+)
 create mode 120000 test/TEST-66-DEVICE-ISOLATION/Makefile
 create mode 100755 test/TEST-66-DEVICE-ISOLATION/test.sh
 create mode 100644 test/units/testsuite-66-deviceisolation.service
 create mode 100644 test/units/testsuite-66.service
 create mode 100755 test/units/testsuite-66.sh

diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c
index 9e1664ff53af..3458d7017bd5 100644
--- a/src/core/unit-serialize.c
+++ b/src/core/unit-serialize.c
@@ -171,6 +171,7 @@ int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool switching_root) {
 
         (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", u->ip_bpf_ingress_installed);
         (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-egress-installed", u->ip_bpf_egress_installed);
+        (void) bpf_program_serialize_attachment(f, fds, "bpf-device-control-installed", u->bpf_device_control_installed);
         (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);
         (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);
 
@@ -408,6 +409,9 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
                 } else if (streq(l, "ip-bpf-egress-installed")) {
                          (void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_egress_installed);
                          continue;
+                } else if (streq(l, "bpf-device-control-installed")) {
+                         (void) bpf_program_deserialize_attachment(v, fds, &u->bpf_device_control_installed);
+                         continue;
 
                 } else if (streq(l, "ip-bpf-custom-ingress-installed")) {
                          (void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_ingress_installed);
diff --git a/test/TEST-66-DEVICE-ISOLATION/Makefile b/test/TEST-66-DEVICE-ISOLATION/Makefile
new file mode 120000
index 000000000000..e9f93b1104cd
--- /dev/null
+++ b/test/TEST-66-DEVICE-ISOLATION/Makefile
@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
\ No newline at end of file
diff --git a/test/TEST-66-DEVICE-ISOLATION/test.sh b/test/TEST-66-DEVICE-ISOLATION/test.sh
new file mode 100755
index 000000000000..534e43e493e6
--- /dev/null
+++ b/test/TEST-66-DEVICE-ISOLATION/test.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+TEST_DESCRIPTION="test device isolation"
+TEST_NO_NSPAWN=1
+
+# shellcheck source=test/test-functions
+. "${TEST_BASE_DIR:?}/test-functions"
+
+do_test "$@"
diff --git a/test/units/testsuite-66-deviceisolation.service b/test/units/testsuite-66-deviceisolation.service
new file mode 100644
index 000000000000..0022a9a45724
--- /dev/null
+++ b/test/units/testsuite-66-deviceisolation.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Service that uses device isolation
+
+[Service]
+DevicePolicy=strict
+DeviceAllow=/dev/null r
+StandardOutput=file:/testsuite66serviceresults
+ExecStartPre=rm -f /testsuite66serviceresults
+ExecStart=/bin/bash -c "while true; do sleep 0.01 && echo meow > /dev/null && echo thisshouldnotbehere; done"
diff --git a/test/units/testsuite-66.service b/test/units/testsuite-66.service
new file mode 100644
index 000000000000..a97974a4262d
--- /dev/null
+++ b/test/units/testsuite-66.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=TESTSUITE-66-DEVICEISOLATION
+
+[Service]
+ExecStartPre=rm -f /failed /testok
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
+Type=oneshot
diff --git a/test/units/testsuite-66.sh b/test/units/testsuite-66.sh
new file mode 100755
index 000000000000..870dca42e169
--- /dev/null
+++ b/test/units/testsuite-66.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -eux
+set -o pipefail
+
+systemd-analyze log-level debug
+systemd-analyze log-target console
+
+systemctl start testsuite-66-deviceisolation.service
+
+grep -q "Operation not permitted" /testsuite66serviceresults
+
+systemctl daemon-reload
+systemctl daemon-reexec
+
+systemctl stop testsuite-66-deviceisolation.service
+
+grep -q "thisshouldnotbehere" /testsuite66serviceresults && exit 42
+
+systemd-analyze log-level info
+
+echo OK >/testok
+
+exit 0