From a58dea6130fdcccd8cdf50633c939b45e2b32189 Mon Sep 17 00:00:00 2001
From: Anita Zhang <the.anitazha@gmail.com>
Date: Mon, 11 Oct 2021 00:25:20 -0700
Subject: [PATCH] core: serialize device cgroup bpf progs across
daemon-reload/reexec
Follows what was done in b57d75232615f98aefcf41cb145ec2ea3262857d and
adds a test that verifies the device BPF program is not detached during
reload/reexec.
---
src/core/unit-serialize.c | 4 ++++
test/TEST-66-DEVICE-ISOLATION/Makefile | 1 +
test/TEST-66-DEVICE-ISOLATION/test.sh | 10 ++++++++
.../testsuite-66-deviceisolation.service | 9 ++++++++
test/units/testsuite-66.service | 7 ++++++
test/units/testsuite-66.sh | 23 +++++++++++++++++++
6 files changed, 54 insertions(+)
create mode 120000 test/TEST-66-DEVICE-ISOLATION/Makefile
create mode 100755 test/TEST-66-DEVICE-ISOLATION/test.sh
create mode 100644 test/units/testsuite-66-deviceisolation.service
create mode 100644 test/units/testsuite-66.service
create mode 100755 test/units/testsuite-66.sh
diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c
|
|
|
8483bf |
index 9e1664ff53af..3458d7017bd5 100644
|
|
|
8483bf |
--- a/src/core/unit-serialize.c
|
|
|
8483bf |
+++ b/src/core/unit-serialize.c
|
|
|
8483bf |
@@ -171,6 +171,7 @@ int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool switching_root) {
|
|
|
8483bf |
|
|
|
8483bf |
(void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", u->ip_bpf_ingress_installed);
|
|
|
8483bf |
(void) bpf_program_serialize_attachment(f, fds, "ip-bpf-egress-installed", u->ip_bpf_egress_installed);
|
|
|
8483bf |
+ (void) bpf_program_serialize_attachment(f, fds, "bpf-device-control-installed", u->bpf_device_control_installed);
|
|
|
8483bf |
(void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);
|
|
|
8483bf |
(void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);
|
|
|
8483bf |
|
|
|
8483bf |
@@ -408,6 +409,9 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
|
|
|
8483bf |
} else if (streq(l, "ip-bpf-egress-installed")) {
|
|
|
8483bf |
(void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_egress_installed);
|
|
|
8483bf |
continue;
|
|
|
8483bf |
+ } else if (streq(l, "bpf-device-control-installed")) {
|
|
|
8483bf |
+ (void) bpf_program_deserialize_attachment(v, fds, &u->bpf_device_control_installed);
|
|
|
8483bf |
+ continue;
|
|
|
8483bf |
|
|
|
8483bf |
} else if (streq(l, "ip-bpf-custom-ingress-installed")) {
|
|
|
8483bf |
(void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_ingress_installed);
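Review bot: The new `bpf-device-control-installed` branch discards the result of `bpf_program_deserialize_attachment`, so if the program fd is missing from `fds` (or the key ever drifts from the one written by the serialize line in the first hunk) the unit comes back from reexec with `bpf_device_control_installed` unset and nothing in this function reports it; whether the callee logs on its own is not visible here. That mirrors the neighbouring ip-bpf-* branches, but this particular program is the one that enforces DevicePolicy=/DeviceAllow=, so a silent miss presumably leaves the unit's device isolation weakened until its cgroup is next realized — worth confirming against the realization path. A comment on the new branch would make that dependency explicit for the next reader: `/* Device-control program backing DevicePolicy=/DeviceAllow=; losing it across reexec drops the filter. */`. unit_deserialize() starts and ends outside this hunk.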
|
|
|
8483bf |
diff --git a/test/TEST-66-DEVICE-ISOLATION/Makefile b/test/TEST-66-DEVICE-ISOLATION/Makefile
|
|
|
8483bf |
new file mode 120000
|
|
|
8483bf |
index 000000000000..e9f93b1104cd
|
|
|
8483bf |
--- /dev/null
|
|
|
8483bf |
+++ b/test/TEST-66-DEVICE-ISOLATION/Makefile
|
|
|
8483bf |
@@ -0,0 +1 @@
|
|
|
8483bf |
+../TEST-01-BASIC/Makefile
|
|
|
8483bf |
\ No newline at end of file
|
|
|
8483bf |
diff --git a/test/TEST-66-DEVICE-ISOLATION/test.sh b/test/TEST-66-DEVICE-ISOLATION/test.sh
|
|
|
8483bf |
new file mode 100755
|
|
|
8483bf |
index 000000000000..534e43e493e6
|
|
|
8483bf |
--- /dev/null
|
|
|
8483bf |
+++ b/test/TEST-66-DEVICE-ISOLATION/test.sh
|
|
|
8483bf |
@@ -0,0 +1,10 @@
|
|
|
8483bf |
+#!/usr/bin/env bash
|
|
|
8483bf |
+set -e
|
|
|
8483bf |
+
|
|
|
8483bf |
+TEST_DESCRIPTION="test device isolation"
|
|
|
8483bf |
+TEST_NO_NSPAWN=1
|
|
|
8483bf |
+
|
|
|
8483bf |
+# shellcheck source=test/test-functions
|
|
|
8483bf |
+. "${TEST_BASE_DIR:?}/test-functions"
|
|
|
8483bf |
+
|
|
|
8483bf |
+do_test "$@"
|
|
|
8483bf |
diff --git a/test/units/testsuite-66-deviceisolation.service b/test/units/testsuite-66-deviceisolation.service
|
|
|
8483bf |
new file mode 100644
|
|
|
8483bf |
index 000000000000..0022a9a45724
|
|
|
8483bf |
--- /dev/null
|
|
|
8483bf |
+++ b/test/units/testsuite-66-deviceisolation.service
|
|
|
8483bf |
@@ -0,0 +1,9 @@
|
|
|
8483bf |
+[Unit]
|
|
|
8483bf |
+Description=Service that uses device isolation
|
|
|
8483bf |
+
|
|
|
8483bf |
+[Service]
|
|
|
8483bf |
+DevicePolicy=strict
|
|
|
8483bf |
+DeviceAllow=/dev/null r
|
|
|
8483bf |
+StandardOutput=file:/testsuite66serviceresults
|
|
|
8483bf |
+ExecStartPre=rm -f /testsuite66serviceresults
|
|
|
8483bf |
+ExecStart=/bin/bash -c "while true; do sleep 0.01 && echo meow > /dev/null && echo thisshouldnotbehere; done"
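Review bot: The pass condition of this unit relies on bash's "Operation not permitted" message, which is written to stderr, reaching /testsuite66serviceresults only because StandardError= is left at its default of inheriting StandardOutput=. That coupling is implicit in the file as written; a later edit to StandardOutput= or an added StandardError= would quietly break the test's positive check rather than its negative one. Making it explicit with `StandardError=inherit` next to the StandardOutput= line, plus a comment such as `# stderr must land in the results file: the test greps bash's EPERM message from it`, documents why the redirection matters.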
|
|
|
8483bf |
diff --git a/test/units/testsuite-66.service b/test/units/testsuite-66.service
|
|
|
8483bf |
new file mode 100644
|
|
|
8483bf |
index 000000000000..a97974a4262d
|
|
|
8483bf |
--- /dev/null
|
|
|
8483bf |
+++ b/test/units/testsuite-66.service
|
|
|
8483bf |
@@ -0,0 +1,7 @@
|
|
|
8483bf |
+[Unit]
|
|
|
8483bf |
+Description=TESTSUITE-66-DEVICEISOLATION
|
|
|
8483bf |
+
|
|
|
8483bf |
+[Service]
|
|
|
8483bf |
+ExecStartPre=rm -f /failed /testok
|
|
|
8483bf |
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
|
|
|
8483bf |
+Type=oneshot
|
|
|
8483bf |
diff --git a/test/units/testsuite-66.sh b/test/units/testsuite-66.sh
|
|
|
8483bf |
new file mode 100755
|
|
|
8483bf |
index 000000000000..870dca42e169
|
|
|
8483bf |
--- /dev/null
|
|
|
8483bf |
+++ b/test/units/testsuite-66.sh
|
|
|
8483bf |
@@ -0,0 +1,23 @@
|
|
|
8483bf |
+#!/usr/bin/env bash
|
|
|
8483bf |
+set -eux
|
|
|
8483bf |
+set -o pipefail
|
|
|
8483bf |
+
|
|
|
8483bf |
+systemd-analyze log-level debug
|
|
|
8483bf |
+systemd-analyze log-target console
|
|
|
8483bf |
+
|
|
|
8483bf |
+systemctl start testsuite-66-deviceisolation.service
|
|
|
8483bf |
+
|
|
|
8483bf |
+grep -q "Operation not permitted" /testsuite66serviceresults
|
|
|
8483bf |
+
|
|
|
8483bf |
+systemctl daemon-reload
|
|
|
8483bf |
+systemctl daemon-reexec
|
|
|
8483bf |
+
|
|
|
8483bf |
+systemctl stop testsuite-66-deviceisolation.service
|
|
|
8483bf |
+
|
|
|
8483bf |
+grep -q "thisshouldnotbehere" /testsuite66serviceresults && exit 42
|
|
|
8483bf |
+
|
|
|
8483bf |
+systemd-analyze log-level info
|
|
|
8483bf |
+
|
|
|
8483bf |
+echo OK >/testok
|
|
|
8483bf |
+
|
|
|
8483bf |
+exit 0
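Review bot: The grep for "Operation not permitted" runs immediately after `systemctl start`, but the service unit does not set Type=, so start returns as soon as the process is forked and the loop's first write to /dev/null happens only after its initial `sleep 0.01`; with `set -e` an empty results file at that instant aborts the test spuriously. Polling with a bound avoids the race: `timeout 10 bash -c 'until grep -q "Operation not permitted" /testsuite66serviceresults; do sleep 0.1; done'`. The negative check after stop is sound as written (a failing `grep` on the left of `&&` does not trip `set -e`), though a short `sleep 1` after `systemctl daemon-reexec` would guarantee the loop runs some iterations under the re-executed manager before the service is stopped.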
|