From a58dea6130fdcccd8cdf50633c939b45e2b32189 Mon Sep 17 00:00:00 2001

From: Anita Zhang <the.anitazha@gmail.com>

Date: Mon, 11 Oct 2021 00:25:20 -0700

Subject: [PATCH] core: serialize device cgroup bpf progs across

 daemon-reload/reexec

Follows what was done in b57d75232615f98aefcf41cb145ec2ea3262857d and

adds a test that verifies the device BPF program is not detached during

reload/reexec.

---

 src/core/unit-serialize.c                     |  4 ++++

 test/TEST-66-DEVICE-ISOLATION/Makefile        |  1 +

 test/TEST-66-DEVICE-ISOLATION/test.sh         | 10 ++++++++

 .../testsuite-66-deviceisolation.service      |  9 ++++++++

 test/units/testsuite-66.service               |  7 ++++++

 test/units/testsuite-66.sh                    | 23 +++++++++++++++++++

 6 files changed, 54 insertions(+)

 create mode 120000 test/TEST-66-DEVICE-ISOLATION/Makefile

 create mode 100755 test/TEST-66-DEVICE-ISOLATION/test.sh

 create mode 100644 test/units/testsuite-66-deviceisolation.service

 create mode 100644 test/units/testsuite-66.service

 create mode 100755 test/units/testsuite-66.sh

diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c

index 9e1664ff53af..3458d7017bd5 100644

--- a/src/core/unit-serialize.c

+++ b/src/core/unit-serialize.c

@@ -171,6 +171,7 @@ int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool switching_root) {

         (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", u->ip_bpf_ingress_installed);

         (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-egress-installed", u->ip_bpf_egress_installed);

+        (void) bpf_program_serialize_attachment(f, fds, "bpf-device-control-installed", u->bpf_device_control_installed);

         (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);

         (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);

@@ -408,6 +409,9 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {

                 } else if (streq(l, "ip-bpf-egress-installed")) {

                          (void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_egress_installed);

                          continue;

+                } else if (streq(l, "bpf-device-control-installed")) {

+                         (void) bpf_program_deserialize_attachment(v, fds, &u->bpf_device_control_installed);

+                         continue;

                 } else if (streq(l, "ip-bpf-custom-ingress-installed")) {

                          (void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_ingress_installed);

diff --git a/test/TEST-66-DEVICE-ISOLATION/Makefile b/test/TEST-66-DEVICE-ISOLATION/Makefile

new file mode 120000

index 000000000000..e9f93b1104cd

--- /dev/null

+++ b/test/TEST-66-DEVICE-ISOLATION/Makefile

@@ -0,0 +1 @@

+../TEST-01-BASIC/Makefile

\ No newline at end of file

diff --git a/test/TEST-66-DEVICE-ISOLATION/test.sh b/test/TEST-66-DEVICE-ISOLATION/test.sh

new file mode 100755

index 000000000000..534e43e493e6

--- /dev/null

+++ b/test/TEST-66-DEVICE-ISOLATION/test.sh

@@ -0,0 +1,10 @@

+#!/usr/bin/env bash

+set -e

+

+TEST_DESCRIPTION="test device isolation"

+TEST_NO_NSPAWN=1

+

+# shellcheck source=test/test-functions

+. "${TEST_BASE_DIR:?}/test-functions"

+

+do_test "$@"

diff --git a/test/units/testsuite-66-deviceisolation.service b/test/units/testsuite-66-deviceisolation.service

new file mode 100644

index 000000000000..0022a9a45724

--- /dev/null

+++ b/test/units/testsuite-66-deviceisolation.service

@@ -0,0 +1,9 @@

+[Unit]

+Description=Service that uses device isolation

+

+[Service]

+DevicePolicy=strict

+DeviceAllow=/dev/null r

+StandardOutput=file:/testsuite66serviceresults

+ExecStartPre=rm -f /testsuite66serviceresults

+ExecStart=/bin/bash -c "while true; do sleep 0.01 && echo meow > /dev/null && echo thisshouldnotbehere; done"

diff --git a/test/units/testsuite-66.service b/test/units/testsuite-66.service

new file mode 100644

index 000000000000..a97974a4262d

--- /dev/null

+++ b/test/units/testsuite-66.service

@@ -0,0 +1,7 @@

+[Unit]

+Description=TESTSUITE-66-DEVICEISOLATION

+

+[Service]

+ExecStartPre=rm -f /failed /testok

+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh

+Type=oneshot

diff --git a/test/units/testsuite-66.sh b/test/units/testsuite-66.sh

new file mode 100755

index 000000000000..870dca42e169

--- /dev/null

+++ b/test/units/testsuite-66.sh

@@ -0,0 +1,23 @@

+#!/usr/bin/env bash

+set -eux

+set -o pipefail

+

+systemd-analyze log-level debug

+systemd-analyze log-target console

+

+systemctl start testsuite-66-deviceisolation.service

+

+grep -q "Operation not permitted" /testsuite66serviceresults

+

+systemctl daemon-reload

+systemctl daemon-reexec

+

+systemctl stop testsuite-66-deviceisolation.service

+

+grep -q "thisshouldnotbehere" /testsuite66serviceresults && exit 42

+

+systemd-analyze log-level info

+

+echo OK >/testok

+

+exit 0