From a58dea6130fdcccd8cdf50633c939b45e2b32189 Mon Sep 17 00:00:00 2001 From: Anita Zhang Date: Mon, 11 Oct 2021 00:25:20 -0700 Subject: [PATCH] core: serialize device cgroup bpf progs across daemon-reload/reexec Follows what was done in b57d75232615f98aefcf41cb145ec2ea3262857d and adds a test that verifies the device BPF program is not detached during reload/reexec. --- src/core/unit-serialize.c | 4 ++++ test/TEST-66-DEVICE-ISOLATION/Makefile | 1 + test/TEST-66-DEVICE-ISOLATION/test.sh | 10 ++++++++ .../testsuite-66-deviceisolation.service | 9 ++++++++ test/units/testsuite-66.service | 7 ++++++ test/units/testsuite-66.sh | 23 +++++++++++++++++++ 6 files changed, 54 insertions(+) create mode 120000 test/TEST-66-DEVICE-ISOLATION/Makefile create mode 100755 test/TEST-66-DEVICE-ISOLATION/test.sh create mode 100644 test/units/testsuite-66-deviceisolation.service create mode 100644 test/units/testsuite-66.service create mode 100755 test/units/testsuite-66.sh diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c index 9e1664ff53af..3458d7017bd5 100644 --- a/src/core/unit-serialize.c +++ b/src/core/unit-serialize.c @@ -171,6 +171,7 @@ int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool switching_root) { (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", u->ip_bpf_ingress_installed); (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-egress-installed", u->ip_bpf_egress_installed); + (void) bpf_program_serialize_attachment(f, fds, "bpf-device-control-installed", u->bpf_device_control_installed); (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed); (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed); @@ -408,6 +409,9 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) { } else if (streq(l, "ip-bpf-egress-installed")) { (void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_egress_installed); continue; + } else if (streq(l, "bpf-device-control-installed")) { + (void) bpf_program_deserialize_attachment(v, fds, &u->bpf_device_control_installed); + continue; } else if (streq(l, "ip-bpf-custom-ingress-installed")) { (void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_ingress_installed); diff --git a/test/TEST-66-DEVICE-ISOLATION/Makefile b/test/TEST-66-DEVICE-ISOLATION/Makefile new file mode 120000 index 000000000000..e9f93b1104cd --- /dev/null +++ b/test/TEST-66-DEVICE-ISOLATION/Makefile @@ -0,0 +1 @@ +../TEST-01-BASIC/Makefile \ No newline at end of file diff --git a/test/TEST-66-DEVICE-ISOLATION/test.sh b/test/TEST-66-DEVICE-ISOLATION/test.sh new file mode 100755 index 000000000000..534e43e493e6 --- /dev/null +++ b/test/TEST-66-DEVICE-ISOLATION/test.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +set -e + +TEST_DESCRIPTION="test device isolation" +TEST_NO_NSPAWN=1 + +# shellcheck source=test/test-functions +. "${TEST_BASE_DIR:?}/test-functions" + +do_test "$@" diff --git a/test/units/testsuite-66-deviceisolation.service b/test/units/testsuite-66-deviceisolation.service new file mode 100644 index 000000000000..0022a9a45724 --- /dev/null +++ b/test/units/testsuite-66-deviceisolation.service @@ -0,0 +1,9 @@ +[Unit] +Description=Service that uses device isolation + +[Service] +DevicePolicy=strict +DeviceAllow=/dev/null r +StandardOutput=file:/testsuite66serviceresults +ExecStartPre=rm -f /testsuite66serviceresults +ExecStart=/bin/bash -c "while true; do sleep 0.01 && echo meow > /dev/null && echo thisshouldnotbehere; done" diff --git a/test/units/testsuite-66.service b/test/units/testsuite-66.service new file mode 100644 index 000000000000..a97974a4262d --- /dev/null +++ b/test/units/testsuite-66.service @@ -0,0 +1,7 @@ +[Unit] +Description=TESTSUITE-66-DEVICEISOLATION + +[Service] +ExecStartPre=rm -f /failed /testok +ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh +Type=oneshot diff --git a/test/units/testsuite-66.sh b/test/units/testsuite-66.sh new file mode 100755 index 000000000000..870dca42e169 --- /dev/null +++ b/test/units/testsuite-66.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash +set -eux +set -o pipefail + +systemd-analyze log-level debug +systemd-analyze log-target console + +systemctl start testsuite-66-deviceisolation.service + +grep -q "Operation not permitted" /testsuite66serviceresults + +systemctl daemon-reload +systemctl daemon-reexec + +systemctl stop testsuite-66-deviceisolation.service + +grep -q "thisshouldnotbehere" /testsuite66serviceresults && exit 42 + +systemd-analyze log-level info + +echo OK >/testok + +exit 0