Home Explore Help
Sign In
DragonOS-Community
/
aya
mirror of https://github.com/aya-rs/aya
4
0
Fork 0
Files Issues 0 Wiki
Tree: fc5387c806
Branches Tags
aya
/
test
/
integration-test
/
src
/
tests
/
lsm.rs

lsm.rs 3.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. use assert_matches::assert_matches;
    2. 

  2. use aya::{
    3. 

  3.     Btf, Ebpf,
    4. 

  4.     programs::{Lsm, LsmCgroup, ProgramError, ProgramType},
    5. 

  5.     sys::{SyscallError, is_program_supported},
    6. 

  6. };
    7. 

  7. 

  8. use crate::utils::Cgroup;
    9. 

  9. 

  10. macro_rules! expect_permission_denied {
    11. 

  11.     ($result:expr) => {
    12. 

  12.         let result = $result;
    13. 

  13.         if !std::fs::read_to_string("/sys/kernel/security/lsm").unwrap().contains("bpf") {
    14. 

  14.             assert_matches!(result, Ok(_));
    15. 

  15.         } else {
    16. 

  16.             assert_matches!(result, Err(e) => assert_eq!(
    17. 

  17.                 e.kind(), std::io::ErrorKind::PermissionDenied)
    18. 

  18.             );
    19. 

  19.         }
    20. 

  20.     };
    21. 

  21. }
    22. 

  22. 

  23. #[test]
    24. 

  24. fn lsm() {
    25. 

  25.     let btf = Btf::from_sys_fs().unwrap();
    26. 

  26. 

  27.     let mut bpf: Ebpf = Ebpf::load(crate::TEST).unwrap();
    28. 

  28.     let prog = bpf.program_mut("test_lsm").unwrap();
    29. 

  29.     let prog: &mut Lsm = prog.try_into().unwrap();
    30. 

  30.     prog.load("socket_bind", &btf).unwrap();
    31. 

  31. 

  32.     assert_matches!(std::net::TcpListener::bind("127.0.0.1:0"), Ok(_));
    33. 

  33. 

  34.     let link_id = {
    35. 

  35.         let result = prog.attach();
    36. 

  36.         if !is_program_supported(ProgramType::Lsm).unwrap() {
    37. 

  37.             assert_matches!(result, Err(ProgramError::SyscallError(SyscallError { call, io_error })) => {
    38. 

  38.                 assert_eq!(call, "bpf_raw_tracepoint_open");
    39. 

  39.                 assert_eq!(io_error.raw_os_error(), Some(524));
    40. 

  40.             });
    41. 

  41.             eprintln!("skipping test - LSM programs not supported");
    42. 

  42.             return;
    43. 

  43.         }
    44. 

  44.         result.unwrap()
    45. 

  45.     };
    46. 

  46. 

  47.     expect_permission_denied!(std::net::TcpListener::bind("127.0.0.1:0"));
    48. 

  48. 

  49.     prog.detach(link_id).unwrap();
    50. 

  50. 

  51.     assert_matches!(std::net::TcpListener::bind("127.0.0.1:0"), Ok(_));
    52. 

  52. }
    53. 

  53. 

  54. #[test]
    55. 

  55. fn lsm_cgroup() {
    56. 

  56.     let mut bpf: Ebpf = Ebpf::load(crate::TEST).unwrap();
    57. 

  57.     let prog = bpf.program_mut("test_lsm_cgroup").unwrap();
    58. 

  58.     let prog: &mut LsmCgroup = prog.try_into().unwrap();
    59. 

  59.     let btf = Btf::from_sys_fs().expect("could not get btf from sys");
    60. 

  60.     prog.load("socket_bind", &btf).unwrap();
    61. 

  61. 

  62.     assert_matches!(std::net::TcpListener::bind("127.0.0.1:0"), Ok(_));
    63. 

  63. 

  64.     let pid = std::process::id();
    65. 

  65.     let root = Cgroup::root();
    66. 

  66.     let cgroup = root.create_child("aya-test-lsm-cgroup");
    67. 

  67. 

  68.     let link_id = {
    69. 

  69.         let result = prog.attach(cgroup.fd());
    70. 

  70. 

  71.         if !is_program_supported(ProgramType::Lsm).unwrap() {
    72. 

  72.             assert_matches!(result, Err(ProgramError::SyscallError(SyscallError { call, io_error })) => {
    73. 

  73.                 assert_eq!(call, "bpf_link_create");
    74. 

  74.                 assert_eq!(io_error.raw_os_error(), Some(524));
    75. 

  75.             });
    76. 

  76.             eprintln!("skipping test - LSM programs not supported");
    77. 

  77.             return;
    78. 

  78.         }
    79. 

  79.         result.unwrap()
    80. 

  80.     };
    81. 

  81. 

  82.     let cgroup = cgroup.into_cgroup();
    83. 

  83. 

  84.     cgroup.write_pid(pid);
    85. 

  85. 

  86.     expect_permission_denied!(std::net::TcpListener::bind("127.0.0.1:0"));
    87. 

  87. 

  88.     root.write_pid(pid);
    89. 

  89. 

  90.     assert_matches!(std::net::TcpListener::bind("127.0.0.1:0"), Ok(_));
    91. 

  91. 

  92.     cgroup.write_pid(pid);
    93. 

  93. 

  94.     expect_permission_denied!(std::net::TcpListener::bind("127.0.0.1:0"));
    95. 

  95. 

  96.     prog.detach(link_id).unwrap();
    97. 

  97. 

  98.     assert_matches!(std::net::TcpListener::bind("127.0.0.1:0"), Ok(_));
    99. 

  99. }
    100.