core: serialize device cgroup bpf progs across daemon-reload/reexec

Follows what was done in b57d75232615f98aefcf41cb145ec2ea3262857d and adds a test that verifies the device BPF program is not detached during reload/reexec.
2025-03-28 02:50:16 +03:00 · 2021-10-11 00:25:20 -07:00 · 2021-10-11 00:25:20 -07:00 · 0b4f8d9498
commit 0b4f8d9498
parent c2e22d73ae
6 changed files with 57 additions and 0 deletions
--- a/src/core/unit-serialize.c
+++ b/src/core/unit-serialize.c
@ -171,6 +171,7 @@ int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool switching_root) {

        (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", u->ip_bpf_ingress_installed);
        (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-egress-installed", u->ip_bpf_egress_installed);
+        (void) bpf_program_serialize_attachment(f, fds, "bpf-device-control-installed", u->bpf_device_control_installed);
        (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-ingress-installed", u->ip_bpf_custom_ingress_installed);
        (void) bpf_program_serialize_attachment_set(f, fds, "ip-bpf-custom-egress-installed", u->ip_bpf_custom_egress_installed);

@ -408,6 +409,9 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
                } else if (streq(l, "ip-bpf-egress-installed")) {
                         (void) bpf_program_deserialize_attachment(v, fds, &u->ip_bpf_egress_installed);
                         continue;
+                } else if (streq(l, "bpf-device-control-installed")) {
+                         (void) bpf_program_deserialize_attachment(v, fds, &u->bpf_device_control_installed);
+                         continue;

                } else if (streq(l, "ip-bpf-custom-ingress-installed")) {
                         (void) bpf_program_deserialize_attachment_set(v, fds, &u->ip_bpf_custom_ingress_installed);
--- a/test/TEST-66-DEVICE-ISOLATION/Makefile
+++ b/test/TEST-66-DEVICE-ISOLATION/Makefile
@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
--- a/test/TEST-66-DEVICE-ISOLATION/test.sh
+++ b/test/TEST-66-DEVICE-ISOLATION/test.sh
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+TEST_DESCRIPTION="test device isolation"
+TEST_NO_NSPAWN=1
+
+# shellcheck source=test/test-functions
+. "${TEST_BASE_DIR:?}/test-functions"
+
+do_test "$@"
--- a/test/units/testsuite-66-deviceisolation.service
+++ b/test/units/testsuite-66-deviceisolation.service
@ -0,0 +1,9 @@
+[Unit]
+Description=Service that uses device isolation
+
+[Service]
+DevicePolicy=strict
+DeviceAllow=/dev/null r
+StandardOutput=file:/tmp/testsuite66serviceresults
+ExecStartPre=rm -f /tmp/testsuite66serviceresults
+ExecStart=/bin/bash -c "while true; do sleep 0.01 && echo meow > /dev/null && echo thisshouldnotbehere; done"
--- a/test/units/testsuite-66.service
+++ b/test/units/testsuite-66.service
@ -0,0 +1,7 @@
+[Unit]
+Description=TESTSUITE-66-DEVICEISOLATION
+
+[Service]
+ExecStartPre=rm -f /failed /testok
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
+Type=oneshot
--- a/test/units/testsuite-66.sh
+++ b/test/units/testsuite-66.sh
@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eux
+set -o pipefail
+
+RESULTS_FILE=/tmp/testsuite66serviceresults
+
+systemd-analyze log-level debug
+systemd-analyze log-target console
+
+systemctl start testsuite-66-deviceisolation.service
+
+sleep 5
+grep -q "Operation not permitted" "$RESULTS_FILE"
+
+systemctl daemon-reload
+systemctl daemon-reexec
+
+systemctl stop testsuite-66-deviceisolation.service
+
+grep -q "thisshouldnotbehere" "$RESULTS_FILE" && exit 42
+
+systemd-analyze log-level info
+
+echo OK >/testok
+
+exit 0