Branch data Line data Source code
1 : : /* SPDX-License-Identifier: LGPL-2.1+ */
2 : :
3 : : #include <linux/bpf_insn.h>
4 : : #include <string.h>
5 : : #include <sys/mman.h>
6 : : #include <unistd.h>
7 : :
8 : : #include "bpf-firewall.h"
9 : : #include "bpf-program.h"
10 : : #include "load-fragment.h"
11 : : #include "manager.h"
12 : : #include "missing.h"
13 : : #include "rm-rf.h"
14 : : #include "service.h"
15 : : #include "test-helper.h"
16 : : #include "tests.h"
17 : : #include "unit.h"
18 : : #include "virt.h"
19 : :
20 : : /* We use the same limit here that PID 1 bumps RLIMIT_MEMLOCK to if it can */
21 : : #define CAN_MEMLOCK_SIZE (64U*1024U*1024U)
22 : :
23 : 4 : static bool can_memlock(void) {
24 : : void *p;
25 : : bool b;
26 : :
27 : : /* Let's see if we can mlock() a larger blob of memory. BPF programs are charged against
28 : : * RLIMIT_MEMLOCK, hence let's first make sure we can lock memory at all, and skip the test if we
29 : : * cannot. Why not check RLIMIT_MEMLOCK explicitly? Because in container environments the
30 : : * RLIMIT_MEMLOCK value we see might not match the RLIMIT_MEMLOCK value actually in effect. */
31 : :
32 : 4 : p = mmap(NULL, CAN_MEMLOCK_SIZE, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_SHARED, -1, 0);
33 [ - + ]: 4 : if (p == MAP_FAILED)
34 : 0 : return false;
35 : :
36 : 4 : b = mlock(p, CAN_MEMLOCK_SIZE) >= 0;
37 [ - + ]: 4 : if (b)
38 [ # # ]: 0 : assert_se(munlock(p, CAN_MEMLOCK_SIZE) >= 0);
39 : :
40 [ - + ]: 4 : assert_se(munmap(p, CAN_MEMLOCK_SIZE) >= 0);
41 : 4 : return b;
42 : : }
43 : :
44 : 4 : int main(int argc, char *argv[]) {
45 : 4 : struct bpf_insn exit_insn[] = {
46 : : BPF_MOV64_IMM(BPF_REG_0, 0), /* drop */
47 : : BPF_EXIT_INSN()
48 : : };
49 : :
50 : 4 : _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
51 : 4 : CGroupContext *cc = NULL;
52 : 4 : _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
53 : 4 : _cleanup_(manager_freep) Manager *m = NULL;
54 : : Unit *u;
55 : : char log_buf[65535];
56 : : struct rlimit rl;
57 : : int r;
58 : : union bpf_attr attr;
59 : 4 : bool test_custom_filter = false;
60 : 4 : const char *test_prog = "/sys/fs/bpf/test-dropper";
61 : :
62 : 4 : test_setup_logging(LOG_DEBUG);
63 : :
64 [ - + ]: 4 : if (detect_container() > 0)
65 : 0 : return log_tests_skipped("test-bpf fails inside LXC and Docker containers: https://github.com/systemd/systemd/issues/9666");
66 : :
67 [ - + ]: 4 : assert_se(getrlimit(RLIMIT_MEMLOCK, &rl) >= 0);
68 : 4 : rl.rlim_cur = rl.rlim_max = MAX3(rl.rlim_cur, rl.rlim_max, CAN_MEMLOCK_SIZE);
69 : 4 : (void) setrlimit(RLIMIT_MEMLOCK, &rl);
70 : :
71 [ + - ]: 4 : if (!can_memlock())
72 : 4 : return log_tests_skipped("Can't use mlock(), skipping.");
73 : :
74 : 0 : r = enter_cgroup_subroot();
75 [ # # ]: 0 : if (r == -ENOMEDIUM)
76 : 0 : return log_tests_skipped("cgroupfs not available");
77 : :
78 [ # # ]: 0 : assert_se(set_unit_path(get_testdata_dir()) >= 0);
79 [ # # ]: 0 : assert_se(runtime_dir = setup_fake_runtime_dir());
80 : :
81 : 0 : r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
82 [ # # ]: 0 : assert(r == 0);
83 : :
84 : 0 : r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));
85 [ # # ]: 0 : assert(r == 0);
86 : :
87 [ # # ]: 0 : if (getuid() != 0)
88 : 0 : return log_tests_skipped("not running as root");
89 : :
90 : 0 : r = bpf_firewall_supported();
91 [ # # ]: 0 : if (r == BPF_FIREWALL_UNSUPPORTED)
92 : 0 : return log_tests_skipped("BPF firewalling not supported");
93 [ # # ]: 0 : assert_se(r > 0);
94 : :
95 [ # # ]: 0 : if (r == BPF_FIREWALL_SUPPORTED_WITH_MULTI) {
96 [ # # ]: 0 : log_notice("BPF firewalling with BPF_F_ALLOW_MULTI supported. Yay!");
97 : 0 : test_custom_filter = true;
98 : : } else
99 [ # # ]: 0 : log_notice("BPF firewalling (though without BPF_F_ALLOW_MULTI) supported. Good.");
100 : :
101 : 0 : r = bpf_program_load_kernel(p, log_buf, ELEMENTSOF(log_buf));
102 [ # # ]: 0 : assert(r >= 0);
103 : :
104 [ # # ]: 0 : if (test_custom_filter) {
105 : 0 : attr = (union bpf_attr) {
106 : 0 : .pathname = PTR_TO_UINT64(test_prog),
107 : 0 : .bpf_fd = p->kernel_fd,
108 : : .file_flags = 0,
109 : : };
110 : :
111 : 0 : (void) unlink(test_prog);
112 : :
113 : 0 : r = bpf(BPF_OBJ_PIN, &attr, sizeof(attr));
114 [ # # ]: 0 : if (r < 0) {
115 [ # # ]: 0 : log_warning_errno(errno, "BPF object pinning failed, will not run custom filter test: %m");
116 : 0 : test_custom_filter = false;
117 : : }
118 : : }
119 : :
120 : 0 : p = bpf_program_unref(p);
121 : :
122 : : /* The simple tests succeeded. Now let's try full unit-based use-case. */
123 : :
124 [ # # ]: 0 : assert_se(manager_new(UNIT_FILE_USER, MANAGER_TEST_RUN_BASIC, &m) >= 0);
125 [ # # ]: 0 : assert_se(manager_startup(m, NULL, NULL) >= 0);
126 : :
127 [ # # ]: 0 : assert_se(u = unit_new(m, sizeof(Service)));
128 [ # # ]: 0 : assert_se(unit_add_name(u, "foo.service") == 0);
129 [ # # ]: 0 : assert_se(cc = unit_get_cgroup_context(u));
130 : 0 : u->perpetual = true;
131 : :
132 : 0 : cc->ip_accounting = true;
133 : :
134 [ # # ]: 0 : assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressAllow", 0, "10.0.1.0/24", &cc->ip_address_allow, NULL) == 0);
135 [ # # ]: 0 : assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressAllow", 0, "127.0.0.2", &cc->ip_address_allow, NULL) == 0);
136 [ # # ]: 0 : assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.3", &cc->ip_address_deny, NULL) == 0);
137 [ # # ]: 0 : assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "10.0.3.2/24", &cc->ip_address_deny, NULL) == 0);
138 [ # # ]: 0 : assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.1/25", &cc->ip_address_deny, NULL) == 0);
139 [ # # ]: 0 : assert_se(config_parse_ip_address_access(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.4", &cc->ip_address_deny, NULL) == 0);
140 : :
141 [ # # ]: 0 : assert(cc->ip_address_allow);
142 [ # # ]: 0 : assert(cc->ip_address_allow->items_next);
143 [ # # ]: 0 : assert(!cc->ip_address_allow->items_next->items_next);
144 : :
145 : : /* The deny list is defined redundantly, let's ensure it got properly reduced */
146 [ # # ]: 0 : assert(cc->ip_address_deny);
147 [ # # ]: 0 : assert(cc->ip_address_deny->items_next);
148 [ # # ]: 0 : assert(!cc->ip_address_deny->items_next->items_next);
149 : :
150 [ # # ]: 0 : assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.2 -W 5", SERVICE(u)->exec_command, u) == 0);
151 [ # # ]: 0 : assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.3 -W 5", SERVICE(u)->exec_command, u) == 0);
152 : :
153 [ # # ]: 0 : assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]);
154 [ # # ]: 0 : assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next);
155 [ # # ]: 0 : assert_se(!SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->command_next);
156 : :
157 : 0 : SERVICE(u)->type = SERVICE_ONESHOT;
158 : 0 : u->load_state = UNIT_LOADED;
159 : :
160 : 0 : unit_dump(u, stdout, NULL);
161 : :
162 : 0 : r = bpf_firewall_compile(u);
163 [ # # # # ]: 0 : if (IN_SET(r, -ENOTTY, -ENOSYS, -EPERM))
164 : 0 : return log_tests_skipped("Kernel doesn't support the necessary bpf bits (masked out via seccomp?)");
165 [ # # ]: 0 : assert_se(r >= 0);
166 : :
167 [ # # ]: 0 : assert(u->ip_bpf_ingress);
168 [ # # ]: 0 : assert(u->ip_bpf_egress);
169 : :
170 : 0 : r = bpf_program_load_kernel(u->ip_bpf_ingress, log_buf, ELEMENTSOF(log_buf));
171 : :
172 [ # # ]: 0 : log_notice("log:");
173 [ # # ]: 0 : log_notice("-------");
174 [ # # ]: 0 : log_notice("%s", log_buf);
175 [ # # ]: 0 : log_notice("-------");
176 : :
177 [ # # ]: 0 : assert(r >= 0);
178 : :
179 : 0 : r = bpf_program_load_kernel(u->ip_bpf_egress, log_buf, ELEMENTSOF(log_buf));
180 : :
181 [ # # ]: 0 : log_notice("log:");
182 [ # # ]: 0 : log_notice("-------");
183 [ # # ]: 0 : log_notice("%s", log_buf);
184 [ # # ]: 0 : log_notice("-------");
185 : :
186 [ # # ]: 0 : assert(r >= 0);
187 : :
188 [ # # ]: 0 : assert_se(unit_start(u) >= 0);
189 : :
190 [ # # # # ]: 0 : while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED))
191 [ # # ]: 0 : assert_se(sd_event_run(m->event, UINT64_MAX) >= 0);
192 : :
193 [ # # # # ]: 0 : assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code == CLD_EXITED &&
194 : : SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status == EXIT_SUCCESS);
195 : :
196 [ # # # # ]: 0 : assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED ||
197 : : SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS);
198 : :
199 [ # # ]: 0 : if (test_custom_filter) {
200 [ # # ]: 0 : assert_se(u = unit_new(m, sizeof(Service)));
201 [ # # ]: 0 : assert_se(unit_add_name(u, "custom-filter.service") == 0);
202 [ # # ]: 0 : assert_se(cc = unit_get_cgroup_context(u));
203 : 0 : u->perpetual = true;
204 : :
205 : 0 : cc->ip_accounting = true;
206 : :
207 [ # # ]: 0 : assert_se(config_parse_ip_filter_bpf_progs(u->id, "filename", 1, "Service", 1, "IPIngressFilterPath", 0, test_prog, &cc->ip_filters_ingress, u) == 0);
208 [ # # ]: 0 : assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "-/bin/ping -c 1 127.0.0.1 -W 5", SERVICE(u)->exec_command, u) == 0);
209 : :
210 : 0 : SERVICE(u)->type = SERVICE_ONESHOT;
211 : 0 : u->load_state = UNIT_LOADED;
212 : :
213 [ # # ]: 0 : assert_se(unit_start(u) >= 0);
214 : :
215 [ # # # # ]: 0 : while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED))
216 [ # # ]: 0 : assert_se(sd_event_run(m->event, UINT64_MAX) >= 0);
217 : :
218 [ # # # # ]: 0 : assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code != CLD_EXITED ||
219 : : SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status != EXIT_SUCCESS);
220 : :
221 : 0 : (void) unlink(test_prog);
222 [ # # ]: 0 : assert_se(SERVICE(u)->state == SERVICE_DEAD);
223 : : }
224 : :
225 : 0 : return 0;
226 : : }
|
