LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[BR01.1] Support BpfNetMapsReader

Browse Source 
A helper class to *read* java BpfMaps. This is designed to
provide direct bpf access in the caller process through
ConnectivityManager APIs.

The change also removes any statical link to
net-utils-device-common-struct from service-connectivity.
This is because net-utils-device-common-struct is already
included in framework-connectivity. Including it again in
service-connectivity would create a r8 build fail by circular
dependency.

Test: atest FrameworksNetTests:android.net.connectivity.com.android.server.BpfNetMapsTest
Test: atest ConnectivityCoverageTests:android.net.connectivity.com.android.net.module.util.StructTest
Test: atest FrameworksNetTests:android.net.connectivity.android.net.BpfNetMapsReaderTest
Bug: 297836825
Change-Id: I7a6d2eb816d0dc7343167bddd672806b199f44fe
This commit is contained in:
Junyu Lai
2023-08-28 18:49:44 +08:00
parent 6c83f00b09
commit 626045a601
13 changed files with 313 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

179
framework/src/android/net/BpfNetMapsReader.java Normal file
View File

@@ -0,0 +1,179 @@
/*
* Copyright (C) 2023 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.net;
import static android.net.BpfNetMapsConstants.CONFIGURATION_MAP_PATH;
import static android.net.BpfNetMapsConstants.UID_OWNER_MAP_PATH;
import static android.net.BpfNetMapsConstants.UID_RULES_CONFIGURATION_KEY;
import static android.net.BpfNetMapsUtils.getMatchByFirewallChain;
import static android.net.BpfNetMapsUtils.isFirewallAllowList;
import static android.net.BpfNetMapsUtils.throwIfPreT;
import static android.net.ConnectivityManager.FIREWALL_RULE_ALLOW;
import static android.net.ConnectivityManager.FIREWALL_RULE_DENY;
import android.annotation.NonNull;
import android.annotation.RequiresApi;
import android.os.Build;
import android.os.ServiceSpecificException;
import android.system.ErrnoException;
import android.system.Os;
import com.android.internal.annotations.VisibleForTesting;
import com.android.modules.utils.build.SdkLevel;
import com.android.net.module.util.BpfMap;
import com.android.net.module.util.IBpfMap;
import com.android.net.module.util.Struct;
import com.android.net.module.util.Struct.S32;
import com.android.net.module.util.Struct.U32;
/**
* A helper class to *read* java BpfMaps.
* @hide
*/
@RequiresApi(Build.VERSION_CODES.TIRAMISU) // BPF maps were only mainlined in T
public class BpfNetMapsReader {
// Locally store the handle of bpf maps. The FileDescriptors are statically cached inside the
// BpfMap implementation.
// Bpf map to store various networking configurations, the format of the value is different
// for different keys. See BpfNetMapsConstants#*_CONFIGURATION_KEY for keys.
private final IBpfMap<S32, U32> mConfigurationMap;
// Bpf map to store per uid traffic control configurations.
// See {@link UidOwnerValue} for more detail.
private final IBpfMap<S32, UidOwnerValue> mUidOwnerMap;
private final Dependencies mDeps;
public BpfNetMapsReader() {
this(new Dependencies());
}
@VisibleForTesting
public BpfNetMapsReader(@NonNull Dependencies deps) {
if (!SdkLevel.isAtLeastT()) {
throw new UnsupportedOperationException(
BpfNetMapsReader.class.getSimpleName() + " is not supported below Android T");
}
mDeps = deps;
mConfigurationMap = mDeps.getConfigurationMap();
mUidOwnerMap = mDeps.getUidOwnerMap();
}
/**
* Dependencies of BpfNetMapReader, for injection in tests.
*/
@VisibleForTesting
public static class Dependencies {
/** Get the configuration map. */
public IBpfMap<S32, U32> getConfigurationMap() {
try {
return new BpfMap<>(CONFIGURATION_MAP_PATH, BpfMap.BPF_F_RDONLY,
S32.class, U32.class);
} catch (ErrnoException e) {
throw new IllegalStateException("Cannot open configuration map", e);
}
}
/** Get the uid owner map. */
public IBpfMap<S32, UidOwnerValue> getUidOwnerMap() {
try {
return new BpfMap<>(UID_OWNER_MAP_PATH, BpfMap.BPF_F_RDONLY,
S32.class, UidOwnerValue.class);
} catch (ErrnoException e) {
throw new IllegalStateException("Cannot open uid owner map", e);
}
}
}
/**
* Get the specified firewall chain's status.
*
* @param chain target chain
* @return {@code true} if chain is enabled, {@code false} if chain is not enabled.
* @throws UnsupportedOperationException if called on pre-T devices.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public boolean isChainEnabled(final int chain) {
return isChainEnabled(mConfigurationMap, chain);
}
/**
* Get firewall rule of specified firewall chain on specified uid.
*
* @param chain target chain
* @param uid target uid
* @return either {@link ConnectivityManager#FIREWALL_RULE_ALLOW} or
* {@link ConnectivityManager#FIREWALL_RULE_DENY}.
* @throws UnsupportedOperationException if called on pre-T devices.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public int getUidRule(final int chain, final int uid) {
return getUidRule(mUidOwnerMap, chain, uid);
}
/**
* Get the specified firewall chain's status.
*
* @param configurationMap target configurationMap
* @param chain target chain
* @return {@code true} if chain is enabled, {@code false} if chain is not enabled.
* @throws UnsupportedOperationException if called on pre-T devices.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public static boolean isChainEnabled(
final IBpfMap<Struct.S32, Struct.U32> configurationMap, final int chain) {
throwIfPreT("isChainEnabled is not available on pre-T devices");
final long match = getMatchByFirewallChain(chain);
try {
final Struct.U32 config = configurationMap.getValue(UID_RULES_CONFIGURATION_KEY);
return (config.val & match) != 0;
} catch (ErrnoException e) {
throw new ServiceSpecificException(e.errno,
"Unable to get firewall chain status: " + Os.strerror(e.errno));
}
}
/**
* Get firewall rule of specified firewall chain on specified uid.
*
* @param uidOwnerMap target uidOwnerMap.
* @param chain target chain.
* @param uid target uid.
* @return either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY
* @throws UnsupportedOperationException if called on pre-T devices.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public static int getUidRule(final IBpfMap<Struct.S32, UidOwnerValue> uidOwnerMap,
final int chain, final int uid) {
throwIfPreT("getUidRule is not available on pre-T devices");
final long match = getMatchByFirewallChain(chain);
final boolean isAllowList = isFirewallAllowList(chain);
try {
final UidOwnerValue uidMatch = uidOwnerMap.getValue(new Struct.S32(uid));
final boolean isMatchEnabled = uidMatch != null && (uidMatch.rule & match) != 0;
return isMatchEnabled == isAllowList ? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
} catch (ErrnoException e) {
throw new ServiceSpecificException(e.errno,
"Unable to get uid rule status: " + Os.strerror(e.errno));
}
}
}