/* Copyright (c) 2017 Facebook
|
*
|
* This program is free software; you can redistribute it and/or
|
* modify it under the terms of version 2 of the GNU General Public
|
* License as published by the Free Software Foundation.
|
*/
|
|
#include <linux/bpf.h>
|
#include <linux/version.h>
|
#include "bpf_helpers.h"
|
|
SEC("cgroup/dev")
|
int bpf_prog1(struct bpf_cgroup_dev_ctx *ctx)
|
{
|
short type = ctx->access_type & 0xFFFF;
|
#ifdef DEBUG
|
short access = ctx->access_type >> 16;
|
char fmt[] = " %d:%d \n";
|
|
switch (type) {
|
case BPF_DEVCG_DEV_BLOCK:
|
fmt[0] = 'b';
|
break;
|
case BPF_DEVCG_DEV_CHAR:
|
fmt[0] = 'c';
|
break;
|
default:
|
fmt[0] = '?';
|
break;
|
}
|
|
if (access & BPF_DEVCG_ACC_READ)
|
fmt[8] = 'r';
|
|
if (access & BPF_DEVCG_ACC_WRITE)
|
fmt[9] = 'w';
|
|
if (access & BPF_DEVCG_ACC_MKNOD)
|
fmt[10] = 'm';
|
|
bpf_trace_printk(fmt, sizeof(fmt), ctx->major, ctx->minor);
|
#endif
|
|
/* Allow access to /dev/zero and /dev/random.
|
* Forbid everything else.
|
*/
|
if (ctx->major != 1 || type != BPF_DEVCG_DEV_CHAR)
|
return 0;
|
|
switch (ctx->minor) {
|
case 5: /* 1:5 /dev/zero */
|
case 9: /* 1:9 /dev/urandom */
|
return 1;
|
}
|
|
return 0;
|
}
|
|
char _license[] SEC("license") = "GPL";
|
__u32 _version SEC("version") = LINUX_VERSION_CODE;
|
