@@ -41,14 +41,14 @@ int bpf_prog1(struct bpf_cgroup_dev_ctx *ctx)
bpf_trace_printk(fmt, sizeof(fmt), ctx->major, ctx->minor);
#endif
- /* Allow access to /dev/zero and /dev/random.
+ /* Allow access to /dev/null and /dev/urandom.
* Forbid everything else.
*/
if (ctx->major != 1 || type != BPF_DEVCG_DEV_CHAR)
return 0;
switch (ctx->minor) {
- case 5: /* 1:5 /dev/zero */
+ case 3: /* 1:3 /dev/null */
case 9: /* 1:9 /dev/urandom */
return 1;
}
@@ -54,25 +54,25 @@ int main(int argc, char **argv)
goto err;
}
- /* All operations with /dev/zero and and /dev/urandom are allowed,
+ /* All operations with /dev/null and /dev/urandom are allowed,
* everything else is forbidden.
*/
- assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
- assert(system("mknod /tmp/test_dev_cgroup_null c 1 3"));
- assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
-
- /* /dev/zero is whitelisted */
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
- assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
+ assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5"));
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
- assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
+ /* /dev/null is whitelisted */
+ assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
+ assert(system("mknod /tmp/test_dev_cgroup_null c 1 3") == 0);
+ assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
+
+ assert(system("dd if=/dev/urandom of=/dev/null count=64") == 0);
/* src is allowed, target is forbidden */
assert(system("dd if=/dev/urandom of=/dev/full count=64"));
/* src is forbidden, target is allowed */
- assert(system("dd if=/dev/random of=/dev/zero count=64"));
+ assert(system("dd if=/dev/random of=/dev/null count=64"));
error = 0;
printf("test_dev_cgroup:PASS\n");