diff --git a/bpf_progs/block.c b/bpf_progs/block.c index 5bf3fe1d0f..68da0f730f 100644 --- a/bpf_progs/block.c +++ b/bpf_progs/block.c @@ -57,14 +57,18 @@ static inline __always_inline int block_port(struct bpf_sock_addr *ctx) { return ALLOW; } -DEFINE_BPF_PROG_KVER("bind4/block_port", AID_ROOT, AID_SYSTEM, - bind4_block_port, KVER(5, 4, 0)) +// the program need to be accessible/loadable by netd (from netd updatable plugin) +#define DEFINE_NETD_RO_BPF_PROG(SECTION_NAME, the_prog, min_kver) \ + DEFINE_BPF_PROG_EXT(SECTION_NAME, AID_ROOT, AID_ROOT, the_prog, min_kver, KVER_INF, \ + BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, MANDATORY, \ + "", "netd_readonly/", LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG) + +DEFINE_NETD_RO_BPF_PROG("bind4/block_port", bind4_block_port, KVER(4, 19, 0)) (struct bpf_sock_addr *ctx) { return block_port(ctx); } -DEFINE_BPF_PROG_KVER("bind6/block_port", AID_ROOT, AID_SYSTEM, - bind6_block_port, KVER(5, 4, 0)) +DEFINE_NETD_RO_BPF_PROG("bind6/block_port", bind6_block_port, KVER(4, 19, 0)) (struct bpf_sock_addr *ctx) { return block_port(ctx); } diff --git a/netd/BpfHandler.cpp b/netd/BpfHandler.cpp index fa92f10548..a7a405953c 100644 --- a/netd/BpfHandler.cpp +++ b/netd/BpfHandler.cpp @@ -130,12 +130,21 @@ static Status initPrograms(const char* cg2_path) { attachProgramToCgroup(CGROUP_SOCKET_PROG_PATH, cg_fd, BPF_CGROUP_INET_SOCK_CREATE)); } - // This should trivially pass, since we just attached up above, - // but BPF_PROG_QUERY is only implemented on 4.19+ kernels. if (bpf::isAtLeastKernelVersion(4, 19, 0)) { + RETURN_IF_NOT_OK(attachProgramToCgroup( + "/sys/fs/bpf/netd_readonly/prog_block_bind4_block_port", + cg_fd, BPF_CGROUP_INET4_BIND)); + RETURN_IF_NOT_OK(attachProgramToCgroup( + "/sys/fs/bpf/netd_readonly/prog_block_bind6_block_port", + cg_fd, BPF_CGROUP_INET6_BIND)); + + // This should trivially pass, since we just attached up above, + // but BPF_PROG_QUERY is only implemented on 4.19+ kernels. if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_EGRESS) <= 0) abort(); if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_INGRESS) <= 0) abort(); if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_SOCK_CREATE) <= 0) abort(); + if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET4_BIND) <= 0) abort(); + if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET6_BIND) <= 0) abort(); } return netdutils::status::ok; diff --git a/service/src/com/android/server/connectivity/ConnectivityNativeService.java b/service/src/com/android/server/connectivity/ConnectivityNativeService.java index c1ba40e69f..e16117be56 100644 --- a/service/src/com/android/server/connectivity/ConnectivityNativeService.java +++ b/service/src/com/android/server/connectivity/ConnectivityNativeService.java @@ -46,10 +46,6 @@ public class ConnectivityNativeService extends ConnectivityNative.Stub { private static final String TAG = ConnectivityNativeService.class.getSimpleName(); private static final String CGROUP_PATH = "/sys/fs/cgroup"; - private static final String V4_PROG_PATH = - "/sys/fs/bpf/net_shared/prog_block_bind4_block_port"; - private static final String V6_PROG_PATH = - "/sys/fs/bpf/net_shared/prog_block_bind6_block_port"; private static final String BLOCKED_PORTS_MAP_PATH = "/sys/fs/bpf/net_shared/map_block_blocked_ports_map"; @@ -95,7 +91,6 @@ public class ConnectivityNativeService extends ConnectivityNative.Stub { protected ConnectivityNativeService(final Context context, @NonNull Dependencies deps) { mContext = context; mBpfBlockedPortsMap = deps.getBlockPortsMap(); - attachProgram(); } @Override @@ -155,23 +150,4 @@ public class ConnectivityNativeService extends ConnectivityNative.Stub { public String getInterfaceHash() { return this.HASH; } - - /** - * Attach BPF program - */ - private void attachProgram() { - try { - BpfUtils.attachProgram(BPF_CGROUP_INET4_BIND, V4_PROG_PATH, CGROUP_PATH, 0); - } catch (IOException e) { - throw new UnsupportedOperationException("Unable to attach to BPF_CGROUP_INET4_BIND: " - + e); - } - try { - BpfUtils.attachProgram(BPF_CGROUP_INET6_BIND, V6_PROG_PATH, CGROUP_PATH, 0); - } catch (IOException e) { - throw new UnsupportedOperationException("Unable to attach to BPF_CGROUP_INET6_BIND: " - + e); - } - Log.d(TAG, "Attached BPF_CGROUP_INET4_BIND and BPF_CGROUP_INET6_BIND programs"); - } } diff --git a/tests/mts/bpf_existence_test.cpp b/tests/mts/bpf_existence_test.cpp index 0c424e92dd..cff4d6f680 100644 --- a/tests/mts/bpf_existence_test.cpp +++ b/tests/mts/bpf_existence_test.cpp @@ -40,6 +40,7 @@ using android::modules::sdklevel::IsAtLeastV; #define TETHERING "/sys/fs/bpf/tethering/" #define PRIVATE "/sys/fs/bpf/net_private/" #define SHARED "/sys/fs/bpf/net_shared/" +#define NETD_RO "/sys/fs/bpf/netd_readonly/" #define NETD "/sys/fs/bpf/netd_shared/" class BpfExistenceTest : public ::testing::Test { @@ -119,9 +120,9 @@ static const set MAINLINE_FOR_T_4_14_PLUS = { }; // Provided by *current* mainline module for T+ devices with 5.4+ kernels -static const set MAINLINE_FOR_T_5_4_PLUS = { - SHARED "prog_block_bind4_block_port", - SHARED "prog_block_bind6_block_port", +static const set MAINLINE_FOR_T_4_19_PLUS = { + NETD_RO "prog_block_bind4_block_port", + NETD_RO "prog_block_bind6_block_port", }; // Provided by *current* mainline module for T+ devices with 5.15+ kernels @@ -176,7 +177,7 @@ TEST_F(BpfExistenceTest, TestPrograms) { // T still only requires Linux Kernel 4.9+. DO_EXPECT(IsAtLeastT(), MAINLINE_FOR_T_PLUS); DO_EXPECT(IsAtLeastT() && isAtLeastKernelVersion(4, 14, 0), MAINLINE_FOR_T_4_14_PLUS); - DO_EXPECT(IsAtLeastT() && isAtLeastKernelVersion(5, 4, 0), MAINLINE_FOR_T_5_4_PLUS); + DO_EXPECT(IsAtLeastT() && isAtLeastKernelVersion(4, 19, 0), MAINLINE_FOR_T_4_19_PLUS); DO_EXPECT(IsAtLeastT() && isAtLeastKernelVersion(5, 15, 0), MAINLINE_FOR_T_5_15_PLUS); // U requires Linux Kernel 4.14+, but nothing (as yet) added or removed in U.