mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-31 16:38:12 +00:00
43d2b88c29
Minimal selftest which implements a small BPF policy program to the connect(2) hook which rejects TCP connection requests to port 60123 with EPERM. This is being attached to a non-root cgroup v2 path. The test asserts that this works under cgroup v2-only and under a mixed cgroup v1/v2 environment where net_classid is set in the former case. Before fix: # ./test_progs -t cgroup_v1v2 test_cgroup_v1v2:PASS:server_fd 0 nsec test_cgroup_v1v2:PASS:client_fd 0 nsec test_cgroup_v1v2:PASS:cgroup_fd 0 nsec test_cgroup_v1v2:PASS:server_fd 0 nsec run_test:PASS:skel_open 0 nsec run_test:PASS:prog_attach 0 nsec test_cgroup_v1v2:PASS:cgroup-v2-only 0 nsec run_test:PASS:skel_open 0 nsec run_test:PASS:prog_attach 0 nsec run_test:PASS:join_classid 0 nsec (network_helpers.c:219: errno: None) Unexpected success to connect to server test_cgroup_v1v2:FAIL:cgroup-v1v2 unexpected error: -1 (errno 0) #27 cgroup_v1v2:FAIL Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED After fix: # ./test_progs -t cgroup_v1v2 #27 cgroup_v1v2:OK Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20210913230759.2313-3-daniel@iogearbox.net
26 lines
509 B
C
26 lines
509 B
C
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
#include <string.h>
|
|
|
|
#include <linux/stddef.h>
|
|
#include <linux/bpf.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <bpf/bpf_helpers.h>
|
|
#include <bpf/bpf_endian.h>
|
|
|
|
#define VERDICT_REJECT 0
|
|
#define VERDICT_PROCEED 1
|
|
|
|
SEC("cgroup/connect4")
|
|
int connect_v4_dropper(struct bpf_sock_addr *ctx)
|
|
{
|
|
if (ctx->type != SOCK_STREAM)
|
|
return VERDICT_PROCEED;
|
|
if (ctx->user_port == bpf_htons(60123))
|
|
return VERDICT_REJECT;
|
|
return VERDICT_PROCEED;
|
|
}
|
|
|
|
char _license[] SEC("license") = "GPL";
|