yanguangshaonian
/
aya
mirror of https://github.com/aya-rs/aya
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

integration-test: add LSM

Browse Source
reviewable/pr1359/r1
Tamir Duberstein 1 month ago
parent 552b69367f
commit ee3372f7aa
No known key found for this signature in database
4 changed files with 54 additions and 11 deletions
Show Stats Download Patch File Download Diff File

8
test-distro/src/init.rs
Unescape Escape View File

@ -89,6 +89,14 @@ fn run() -> anyhow::Result<()> {
data: None, data: None,
target_mode: None, target_mode: None,
}, },
Mount {
source: "securityfs",
target: "/sys/kernel/security",
fstype: "securityfs",
flags: nix::mount::MsFlags::empty(),
data: None,
target_mode: None,
},
] { ] {
match target_mode { match target_mode {
None => { None => {

21
test/integration-ebpf/src/test.rs
Unescape Escape View File

@ -4,24 +4,18 @@
use aya_ebpf::{ use aya_ebpf::{
bindings::{bpf_ret_code, xdp_action}, bindings::{bpf_ret_code, xdp_action},
macros::{flow_dissector, kprobe, kretprobe, tracepoint, uprobe, uretprobe, xdp}, macros::{flow_dissector, kprobe, kretprobe, lsm, tracepoint, uprobe, uretprobe, xdp},
programs::{ programs::{
FlowDissectorContext, ProbeContext, RetProbeContext, TracePointContext, XdpContext, FlowDissectorContext, LsmContext, ProbeContext, RetProbeContext, TracePointContext,
XdpContext,
}, },
}; };
#[cfg(not(test))] #[cfg(not(test))]
extern crate ebpf_panic; extern crate ebpf_panic;
#[xdp] #[xdp]
fn pass(ctx: XdpContext) -> u32 { fn pass(_ctx: XdpContext) -> u32 {
match unsafe { try_pass(ctx) } { xdp_action::XDP_PASS
Ok(ret) => ret,
Err(_) => xdp_action::XDP_ABORTED,
}
}
unsafe fn try_pass(_ctx: XdpContext) -> Result<u32, u32> {
Ok(xdp_action::XDP_PASS)
} }
#[kprobe] #[kprobe]
@ -55,3 +49,8 @@ fn test_flow(_ctx: FlowDissectorContext) -> u32 {
// Linux kernel for inspiration. // Linux kernel for inspiration.
bpf_ret_code::BPF_FLOW_DISSECTOR_CONTINUE bpf_ret_code::BPF_FLOW_DISSECTOR_CONTINUE
} }
#[lsm(hook = "file_open")]
fn test_file_open(_ctx: LsmContext) -> i32 {
1 // Disallow.
}

1
test/integration-test/src/tests.rs
Unescape Escape View File

@ -8,6 +8,7 @@ mod iter;
mod linear_data_structures; mod linear_data_structures;
mod load; mod load;
mod log; mod log;
mod lsm;
mod map_pin; mod map_pin;
mod raw_tracepoint; mod raw_tracepoint;
mod rbpf; mod rbpf;

35
test/integration-test/src/tests/lsm.rs
Unescape Escape View File

@ -0,0 +1,35 @@
use aya::{Btf, Ebpf, programs::Lsm, sys::is_program_supported};
#[test]
fn lsm() {
if !is_program_supported(aya::programs::ProgramType::Lsm).unwrap() {
eprintln!("LSM programs are not supported");
return;
}
if !std::fs::read_to_string("/sys/kernel/security/lsm")
.unwrap()
.contains("bpf")
{
eprintln!("bpf is not enabled in LSM");
return;
}
let btf = Btf::from_sys_fs().unwrap();
if let Err(e) = btf.id_by_type_name_kind("bpf_lsm_bpf", aya_obj::btf::BtfKind::Func) {
eprintln!("bpf_lsm_bpf is not found in BTF: {e}");
return;
}
let mut bpf: Ebpf = Ebpf::load(crate::TEST).unwrap();
let prog = bpf.program_mut("test_file_open").unwrap();
let prog: &mut Lsm = prog.try_into().unwrap();
prog.load("file_open", &btf).unwrap();
assert_matches::assert_matches!(std::fs::File::open("/proc/self/exe"), Ok(_));
prog.attach().unwrap();
assert_matches::assert_matches!(std::fs::File::open("/proc/self/exe"), Err(e) => assert_eq!(
e.kind(), std::io::ErrorKind::PermissionDenied)
);
}
Write Preview
Loading…
Cancel
Save