60 lines
		
	
	
		
			1.2 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			60 lines
		
	
	
		
			1.2 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /* Copyright (c) 2017 Facebook
 | |
|  *
 | |
|  * This program is free software; you can redistribute it and/or
 | |
|  * modify it under the terms of version 2 of the GNU General Public
 | |
|  * License as published by the Free Software Foundation.
 | |
|  */
 | |
| 
 | |
| #include <linux/bpf.h>
 | |
| #include <linux/version.h>
 | |
| #include <bpf/bpf_helpers.h>
 | |
| 
 | |
| SEC("cgroup/dev")
 | |
| int bpf_prog1(struct bpf_cgroup_dev_ctx *ctx)
 | |
| {
 | |
| 	short type = ctx->access_type & 0xFFFF;
 | |
| #ifdef DEBUG
 | |
| 	short access = ctx->access_type >> 16;
 | |
| 	char fmt[] = "  %d:%d    \n";
 | |
| 
 | |
| 	switch (type) {
 | |
| 	case BPF_DEVCG_DEV_BLOCK:
 | |
| 		fmt[0] = 'b';
 | |
| 		break;
 | |
| 	case BPF_DEVCG_DEV_CHAR:
 | |
| 		fmt[0] = 'c';
 | |
| 		break;
 | |
| 	default:
 | |
| 		fmt[0] = '?';
 | |
| 		break;
 | |
| 	}
 | |
| 
 | |
| 	if (access & BPF_DEVCG_ACC_READ)
 | |
| 		fmt[8] = 'r';
 | |
| 
 | |
| 	if (access & BPF_DEVCG_ACC_WRITE)
 | |
| 		fmt[9] = 'w';
 | |
| 
 | |
| 	if (access & BPF_DEVCG_ACC_MKNOD)
 | |
| 		fmt[10] = 'm';
 | |
| 
 | |
| 	bpf_trace_printk(fmt, sizeof(fmt), ctx->major, ctx->minor);
 | |
| #endif
 | |
| 
 | |
| 	/* Allow access to /dev/null and /dev/urandom.
 | |
| 	 * Forbid everything else.
 | |
| 	 */
 | |
| 	if (ctx->major != 1 || type != BPF_DEVCG_DEV_CHAR)
 | |
| 		return 0;
 | |
| 
 | |
| 	switch (ctx->minor) {
 | |
| 	case 3: /* 1:3 /dev/null */
 | |
| 	case 9: /* 1:9 /dev/urandom */
 | |
| 		return 1;
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| char _license[] SEC("license") = "GPL";
 |