From patchwork Thu Nov  2 14:54:40 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roman Gushchin <guro@fb.com>
X-Patchwork-Id: 833397
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (1024-bit key;
	unprotected) header.d=fb.com header.i=@fb.com header.b="X+HjJeRU";
	dkim=pass (1024-bit key;
	unprotected) header.d=fb.onmicrosoft.com header.i=@fb.onmicrosoft.com
	header.b="gee19ctA"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3ySSpR2psbz9sNw
	for <patchwork-incoming@ozlabs.org>;
	Fri,  3 Nov 2017 01:56:31 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933828AbdKBO4T (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 2 Nov 2017 10:56:19 -0400
Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:49896 "EHLO
	mx0b-00082601.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S933448AbdKBOzl (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 2 Nov 2017 10:55:41 -0400
Received: from pps.filterd (m0109332.ppops.net [127.0.0.1])
	by mx0a-00082601.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id
	vA2ErbIL002866; Thu, 2 Nov 2017 07:55:30 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com;
	h=from : to : cc : subject
	: date : message-id : in-reply-to : references : mime-version :
	content-type; s=facebook;
	bh=13HHq1Z2IJ10Gg/FYXVDUcR6Zz+qmajo5JWXcZyGqtg=;
	b=X+HjJeRUiX/oPW9R/oC9XhOfLh8SgJp3s52lJThoZ4cnn9t046zcVAb/oMJBt5GR+46B
	qeyPsv9j/XtYRJvyYpjTBkFykWTuLq7jp3FIHVa9mkAZohKByuSMbmJxGYsFduTjNEwN
	mjZepY6z132cqEpbLKIWUwL4dgTh2ARvpJk=
Received: from maileast.thefacebook.com ([199.201.65.23])
	by mx0a-00082601.pphosted.com with ESMTP id 2dywbstcjx-1
	(version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT);
	Thu, 02 Nov 2017 07:55:30 -0700
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (192.168.183.28)
	by o365-in.thefacebook.com (192.168.177.31) with Microsoft SMTP
	Server (TLS) id 14.3.361.1; Thu, 2 Nov 2017 10:55:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com;
	s=selector1-fb-com;
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
	bh=13HHq1Z2IJ10Gg/FYXVDUcR6Zz+qmajo5JWXcZyGqtg=;
	b=gee19ctAvNQIjjnwIis2G4i3BP2XfVu3q6lvehmpEdyGrK88GpFoAHP/wK+6FF3erK/PEOf71Lphc2/GUFCnqBWr8/Dv2VnwfCG9+CrM45iZFxLKIWm2WrBaxauT8d/LIOpSewgMn6X272A2uqmoBcf13s8QGq1YFFNeM54Zmfk=
Received: from castle.thefacebook.com (2620:10d:c091:200::a050) by
	CO1PR15MB1077.namprd15.prod.outlook.com (2a01:111:e400:7b66::7) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.197.13;
	Thu, 2 Nov 2017 14:55:25 +0000
From: Roman Gushchin <guro@fb.com>
To: <netdev@vger.kernel.org>
CC: Tejun Heo <tj@kernel.org>, Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	<linux-kernel@vger.kernel.org>, <kernel-team@fb.com>,
	Roman Gushchin <guro@fb.com>
Subject: [PATCH v2 net-next 5/5] selftests/bpf: add a test for device cgroup
	controller
Date: Thu, 2 Nov 2017 10:54:40 -0400
Message-ID: <20171102145440.12986-6-guro@fb.com>
X-Mailer: git-send-email 2.13.6
In-Reply-To: <20171102145440.12986-1-guro@fb.com>
References: <20171102145440.12986-1-guro@fb.com>
MIME-Version: 1.0
X-Originating-IP: [2620:10d:c091:200::a050]
X-ClientProxiedBy: BN6PR20CA0057.namprd20.prod.outlook.com
	(2603:10b6:404:151::19) To CO1PR15MB1077.namprd15.prod.outlook.com
	(2a01:111:e400:7b66::7)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 7fab7735-a18a-49ed-a844-08d52201c110
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0;
	RULEID:(22001)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603199);
	SRVR:CO1PR15MB1077;
X-Microsoft-Exchange-Diagnostics: 1; CO1PR15MB1077;
	3:/6uTkutws4moBR7bX+40f/tVRfAcqCEXfuVRFgg9D4TBvGPvN2WjWNC4wzHdTHo8cQXKDi0YjVeLVRWeekdx1is82bkJm1D6Lc6VusCWLFKRZky0bWj4S72LZtYbw6RlUiRUOf7Rbm1hYDFxuc9ePv4TdxtI/TIktFGmDONHHlgXQDwoEtl46cW+vukwg7ez8BeMHSTYYFT/+/JnZl50dm9c/hRnhI9vbrk2UQmKmO6UUui/+seOkk+8W6ZzDmZ5;
	25:ozNwqAb6BsW5UYSsxBi5BzvCtSL6Lh47s6el1McoKPJIquGKbWHjm3Hsx/Ye9dr7lVVlrEVmETw2vZc3E/x2mfVWCqNTv6xDLHBjwNSgo7PCboEpxa0SrDBn0l/iMDu2KVcGuEm9+E0cxTn2vnYg4w/SmzMaQG/0bCwRJYUYcSn7DQOW/oWokaKFYdrprM3BSfsC/FlrFwqiyrhhd2iTOA2xrXQzQJAr2AdcubWQzQZTdTkzRq39nMGm7gg7/i54hLLaiUARducJboY7MKkyrpvKe+vJ3s9c4RjZZ6IIzFyu44LCGJZQf9J19azT8NykvJWDK/XunukSaoeguAtARA==;
	31:o8StS93l4hhnyb9JOMj633/u74G1iBnXviH4n8i1l7ZdRKAM2HkDcY1gvoTezQn/IpZnWjoGXlDstZwN/jYnVM9Ve7UCKMqzuiZMnBsioVUPtturjQX4/BoX0QrQBJN85ceMCJoPiVLI5MBU2T/i8MXtH8fMFKYXn3WAavJ85thBX7W2VjcN6rkpsgaxXirR1S7hR8f+88D2CV2779i6m/B/HnmWtImvWiY3U64PkOM=
X-MS-TrafficTypeDiagnostic: CO1PR15MB1077:
X-Microsoft-Exchange-Diagnostics: 1; CO1PR15MB1077;
	20:Qsl0JiadrxuX1K3AXaEzXgzZXQoYDTQeLWDwGJ3bssZFuEjJUVR4k43NFFo4sySIfCGfhmTW05Cdz5kPi8RU8zJSO9VUruRaz/bsJVx/JImpnpEgHz0UCYrzAbFKSpQQZ4liZiplG/tffSxdVJvEjcmuOLF5dwCUJyJ2PU8vW2OKGJ+1k79UKCH8xY/UvIeR1qsbf04QI/OX6PcTkN/z/R0TfmYmtUoyM7f97Bw0BzUArqm2LTuC5tyeg03ZKxJ1m5q4W6y0mXB6IVft/E/Ms7PXdRujzeUjOvBkmPM0yQdLIMKFaMRhXDOfeR9osVyr51iI1tZy1bXc8QTWo9rDftZ1xIn7wmcSy4yCNy3M2tdrooscD3l4Sy1wh9twJ3KPGSKPRFxgrJR6KJ4wuhnM8J5iUMGH6A3hTfEz8H5n50ZEyhCR+OD9OjITcvEygep1DA0ywuthlgLKMFZzwnwfueax9tFUEEcDAObDKp373x/HjgbHbOVkryok4PnwZmmn;
	4:ZpY1jEc5MFvszdvYPkrrFIoJp0KQsZZC96i4/I/kJakoPpl/QbD7ujPJDcUonZM+WPoMIghwTHbD1jj4PeIACW7aSzAmBklO6cCyytnbyvnFrkjdJLZehdSu3clzCSvpQISKkyFJqibIVlaoaZiSQk8sosbmYUBqS60LE1sLuBgAb+9xCELUcFkDokmvUaQGIkFHcFs7XabrwK++xCOR+7Xv8l20vtQTquKKmipmDg+vHIs/aIJIWUS4GHJe2f4xr4iECaO1XxAHmNWvwoRa1JNhJOIvvZQQAaSD5Tqh4zcyPenzAzyrQE7wLVhQN2tm0s+hMDIMc9CzOmZjzOtu8VD6Nct02qIHqzfxkkOgsqI=
X-Exchange-Antispam-Report-Test: UriScan:(67672495146484)(81227570615382);
X-Microsoft-Antispam-PRVS: 
 <CO1PR15MB10771AC803223EECEFF9D7D4BE5C0@CO1PR15MB1077.namprd15.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0;
	RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(11241501159)(6040450)(2401047)(5005006)(8121501046)(3231020)(93006095)(93001095)(3002001)(10201501046)(100000703101)(100105400095)(6041248)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123555025)(20161123564025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);
	SRVR:CO1PR15MB1077; BCL:0; PCL:0;
	RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);
	SRVR:CO1PR15MB1077;
X-Forefront-PRVS: 047999FF16
X-Forefront-Antispam-Report: SFV:NSPM;
	SFS:(10019020)(6009001)(346002)(376002)(199003)(189002)(81156014)(50466002)(189998001)(48376002)(76176999)(50986999)(25786009)(4326008)(2361001)(36756003)(7736002)(5660300001)(2351001)(1076002)(8676002)(101416001)(68736007)(97736004)(33646002)(2906002)(81166006)(6666003)(6116002)(105586002)(106356001)(316002)(5003940100001)(8936002)(478600001)(54906003)(53936002)(305945005)(16586007)(2950100002)(6916009)(5890100001)(6486002)(47776003)(53416004)(69596002)(86362001)(6506006)(50226002)(6512007)(2004002)(42262002);
	DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR15MB1077;
	H:castle.thefacebook.com; FPR:; SPF:None; PTR:InfoNoRecords;
	A:1; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: fb.com does not designate
	permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1; CO1PR15MB1077;
	23:A+Y5At8QguKheDhXOwrAQ/CPnJEQafd4hjb7GgVzOXyLUCGyDeJ8V/q5lpCSigvFJvonVB4s+r9jDVhAa/lFnrcGgKNpmfHyq/RtvmOkU1h2QfIr89+1euKMXjpEqn1XybcZ8X1PTMojYI1TLKp2/OZeP59G72WxwhZXIoVR9p8vC/iT7j8+qYorxrjPXTKiP6ApJ2j2LgLXP54VMht7ol4cq5Oel3noNEK3bgOU3DxfdTBKIpkzEA4JeTAMO6CUsdWSVPBhwdxNPg8Y8gs5kNUQZhrd/tvVRR1xR2dOad9aHWaHbQq24OJe2ocJ0swNIrzLLLQ/bJGShnPmKcS7/4YEr63qfZga7lDrHY7Fr4o9gHjedbrW+bJUMZuy8ZViu3PtCKx91qMEHoxICtpZN6VY36pnIQnheRauGyzQylEvad+4y04gYd6Ku0iQ3ZzLdXvA3QYmM/r6UGnsLmvu8jBKxHMN6WaMQFsHVHp1719Bc9YaokNkfTBhEuZuegNm+rkGdkecZVEzS0tgjJiCxWfocoEqk7aeiOvI+G9wjNboCzHXY0lAx0/PcWYXw4/sn7XOzlkESJ++kCHxnq6N5EwHplFI1ojQvUc3qwLY9iDhQSIv9BxWZxO/TV/1FvkDpv5Se45C7tx2TNX/VqGiFonFdb75fKerH6tPkmWU18yaQ9q6PLYQ3GcJUmSmvLjZ0cwYt0qUhjJcOgjA3l0r4zVMIw8m/qT/9Q+PrJUDYkxpetcRHr+GlgZU6ifZtE1ft5SULMV6JfciBigT6dzEajpsfXVruRBFha7U7xKUSjiUWJLLgL7DLbBGaRkYXFepMOR3J53dEIJdRTKTaT+Rb3m1fPdfRXBU/nf+TIkliXvNfTkgPpIm02hHkEFkTpLlUvJg6qXjUCELGm1lqCM3HYci7vF6kt4YjhpiFHpq+auElpSwhbM3e0lQ80nul53BKlltQ+GkSlVJpd7umZd946P2/6AQzUHIH1ySGGLuVC02VH/moqArdXxoQAVZD9Lq8KAl5T5v/Ak2V1HU7K85emq6JEvzQn+OIzz9tbXP6w8icEGS5os/cpA45jhpva+jOloxi8u81k1QvoyFcwMkKxqE3SlolW54J5QeoqJd/GEbbuHEd+eZ8lYDmWJn+zrdqOJMU/0iwj8fxrFXx4o65ZfZ0GS0E+5unBJ7OJTNaKs=
X-Microsoft-Exchange-Diagnostics: 1; CO1PR15MB1077;
	6:SrdgplR9HeIU27hKrWmBgDOSEDlmABcTpVeVqBeLBaYihnwpT4qmlbEntUkfVsKGHitoLMD/oRFNq1jJDNI6b2NIacHb05wTXdO6hN7rR/wYR3Y4Z4/kMkacX5yG1RBZA/RPEhsnoFJvb01TEfbTjxWzakPmvyG2UXKp0ZZNJURib+Kt5ynCCLoF8O+IzDH3+8iVbHzMErZ8jnungSHESKVGHCnFD/bLuSCxoIALV5xSvTFodP/r1ZUJbTIG98gcCr51om1jCWq7uQCnJeOkhTW9qrFtveT1PJzvGCCmegVQ0JN4iypTNHusLpKv+G4Idh++pSMqc6mwwRqDBUquyy/HoH5mnkpWtRAiSlhbWYg=;
	5:701oQCmnMAxfMvKraCfXoZoa6qAoRur+cJAFboQbLnvTEhazRqVg4JY4DHkTdnonCG5EjmKOeajz1CfqC2bjvhhDiiW4ai8w/bTxEMB5CODPumL7HF97fiu2zwYtPt40X7l0Bc66YFh1pYx7n9/y8H6mKMI5lj65kdlptjhrsBM=;
	24:PXWucrp+ccm6H4dL0ftg3U7Kl6liYdfL51LEhuEz7E7mr553FLl0cn3UUlsZJHQLlKTp1En+elJHYhw7gGovJw/R/G/kdFX6oVPBGLLqcTo=;
	7:YUo0xAJzjra39QH7SZAo/b+IIHxm5DCNjumG39g/TVtpMODHq/Mfu3yO/iLC1R5Zq36KUzWHSaCvVGWJmvt4U8Z+ieSIOBAdooqaRZ2fNLjpIyPAVadoRQ4zranYWyDLWqXNWB5OTGS3qYdkU5YtmQNFfm2Ct6pGNYzGH3u0C7dtQMNiY0/1LqqwbaSpxmd4MInF7GCNlR59p/GNfcbMgEg227E5C+HsmAE9qbiTRhsdjFS4zEGTlRhDIWmxKKB3
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; CO1PR15MB1077;
	20:qyFePy5dw7A6XarceA3N9QCb2K65PmV1Kg7gllkVG06u8cOjbx7//JEFjcaT2z7aO7HleMaumENDgGRTfDgeppJlR8+AB5b9ehz+YXLxxWH87E49yNonsPFDQR+LRVXH/B6eHaeTpVZ38Zmj9SJBA4YnOWR5krekS8VzUpAuMQ0=
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Nov 2017 14:55:25.8604
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 7fab7735-a18a-49ed-a844-08d52201c110
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR15MB1077
X-OriginatorOrg: fb.com
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, ,
	definitions=2017-11-02_05:, , signatures=0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Add a test for device cgroup controller.

The test loads a simple bpf program which logs all
device access attempts using trace_printk() and forbids
all operations except operations with /dev/zero and
/dev/urandom.

Then the test creates and joins a test cgroup, and attaches
the bpf program to it.

Then it tries to perform some simple device operations
and checks the result:

  create /dev/null (should fail)
  create /dev/zero (should pass)
  copy data from /dev/urandom to /dev/zero (should pass)
  copy data from /dev/urandom to /dev/full (should fail)
  copy data from /dev/random to /dev/zero (should fail)

Signed-off-by: Roman Gushchin <guro@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
---
 tools/testing/selftests/bpf/Makefile          |  4 +-
 tools/testing/selftests/bpf/dev_cgroup.c      | 60 +++++++++++++++++
 tools/testing/selftests/bpf/test_dev_cgroup.c | 93 +++++++++++++++++++++++++++
 3 files changed, 155 insertions(+), 2 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/dev_cgroup.c
 create mode 100644 tools/testing/selftests/bpf/test_dev_cgroup.c

diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 36c34f0218a3..64ba3684a4f4 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -12,11 +12,11 @@ CFLAGS += -Wall -O2 -I$(APIDIR) -I$(LIBDIR) -I$(GENDIR) $(GENFLAGS) -I../../../i
 LDLIBS += -lcap -lelf
 
 TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \
-	test_align test_verifier_log
+	test_align test_verifier_log test_dev_cgroup
 
 TEST_GEN_FILES = test_pkt_access.o test_xdp.o test_l4lb.o test_tcp_estats.o test_obj_id.o \
 	test_pkt_md_access.o test_xdp_redirect.o test_xdp_meta.o sockmap_parse_prog.o     \
-	sockmap_verdict_prog.o
+	sockmap_verdict_prog.o dev_cgroup.o
 
 TEST_PROGS := test_kmod.sh test_xdp_redirect.sh test_xdp_meta.sh
 
diff --git a/tools/testing/selftests/bpf/dev_cgroup.c b/tools/testing/selftests/bpf/dev_cgroup.c
new file mode 100644
index 000000000000..f15d5befa099
--- /dev/null
+++ b/tools/testing/selftests/bpf/dev_cgroup.c
@@ -0,0 +1,60 @@
+/* Copyright (c) 2017 Facebook
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ */
+
+#include <linux/bpf.h>
+#include <linux/version.h>
+#include "bpf_helpers.h"
+
+SEC("cgroup/dev")
+int bpf_prog1(struct bpf_cgroup_dev_ctx *ctx)
+{
+	short type = ctx->access_type & 0xFFFF;
+#ifdef DEBUG
+	short access = ctx->access_type >> 16;
+	char fmt[] = "  %d:%d    \n";
+
+	switch (type) {
+	case DEV_BPF_DEV_BLOCK:
+		fmt[0] = 'b';
+		break;
+	case DEV_BPF_DEV_CHAR:
+		fmt[0] = 'c';
+		break;
+	default:
+		fmt[0] = '?';
+		break;
+	}
+
+	if (access & DEV_BPF_ACC_READ)
+		fmt[8] = 'r';
+
+	if (access & DEV_BPF_ACC_WRITE)
+		fmt[9] = 'w';
+
+	if (access & DEV_BPF_ACC_MKNOD)
+		fmt[10] = 'm';
+
+	bpf_trace_printk(fmt, sizeof(fmt), ctx->major, ctx->minor);
+#endif
+
+	/* Allow access to /dev/zero and /dev/random.
+	 * Forbid everything else.
+	 */
+	if (ctx->major != 1 || type != DEV_BPF_DEV_CHAR)
+		return 0;
+
+	switch (ctx->minor) {
+	case 5: /* 1:5 /dev/zero */
+	case 9: /* 1:9 /dev/urandom */
+		return 1;
+	}
+
+	return 0;
+}
+
+char _license[] SEC("license") = "GPL";
+__u32 _version SEC("version") = LINUX_VERSION_CODE;
diff --git a/tools/testing/selftests/bpf/test_dev_cgroup.c b/tools/testing/selftests/bpf/test_dev_cgroup.c
new file mode 100644
index 000000000000..02c85d6c89b0
--- /dev/null
+++ b/tools/testing/selftests/bpf/test_dev_cgroup.c
@@ -0,0 +1,93 @@
+/* Copyright (c) 2017 Facebook
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+
+#include <linux/bpf.h>
+#include <bpf/bpf.h>
+#include <bpf/libbpf.h>
+
+#include "cgroup_helpers.h"
+
+#define DEV_CGROUP_PROG "./dev_cgroup.o"
+
+#define TEST_CGROUP "test-bpf-based-device-cgroup/"
+
+int main(int argc, char **argv)
+{
+	struct bpf_object *obj;
+	int error = EXIT_FAILURE;
+	int prog_fd, cgroup_fd;
+	__u32 prog_cnt;
+
+	if (bpf_prog_load(DEV_CGROUP_PROG, BPF_PROG_TYPE_CGROUP_DEVICE,
+			  &obj, &prog_fd)) {
+		printf("Failed to load DEV_CGROUP program\n");
+		goto err;
+	}
+
+	if (setup_cgroup_environment()) {
+		printf("Failed to load DEV_CGROUP program\n");
+		goto err;
+	}
+
+	/* Create a cgroup, get fd, and join it */
+	cgroup_fd = create_and_get_cgroup(TEST_CGROUP);
+	if (!cgroup_fd) {
+		printf("Failed to create test cgroup\n");
+		goto err;
+	}
+
+	if (join_cgroup(TEST_CGROUP)) {
+		printf("Failed to join cgroup\n");
+		goto err;
+	}
+
+	/* Attach bpf program */
+	if (bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_DEVICE, 0)) {
+		printf("Failed to attach DEV_CGROUP program");
+		goto err;
+	}
+
+	if (bpf_prog_query(cgroup_fd, BPF_CGROUP_DEVICE, 0, NULL, NULL,
+			   &prog_cnt)) {
+		printf("Failed to query attached programs");
+		goto err;
+	}
+
+	/* All operations with /dev/zero and and /dev/urandom are allowed,
+	 * everything else is forbidden.
+	 */
+	assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
+	assert(system("mknod /tmp/test_dev_cgroup_null c 1 3"));
+	assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
+
+	/* /dev/zero is whitelisted */
+	assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
+	assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
+	assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
+
+	assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
+
+	/* src is allowed, target is forbidden */
+	assert(system("dd if=/dev/urandom of=/dev/full count=64"));
+
+	/* src is forbidden, target is allowed */
+	assert(system("dd if=/dev/random of=/dev/zero count=64"));
+
+	error = 0;
+	printf("test_dev_cgroup:PASS\n");
+
+err:
+	cleanup_cgroup_environment();
+
+	return error;
+}