From a4a58a3be2b106043a096b069e8fbcec86cce7c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= <maze@google.com>
Date: Mon, 13 Jun 2022 17:56:06 -0700
Subject: [PATCH] netd.c - reduce privs on maps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Before:
  $ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_*
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_app_uid_stats_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_configuration_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_cookie_tag_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_iface_index_name_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_iface_stats_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_stats_map_A
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_stats_map_B
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_uid_counterset_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_uid_owner_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_uid_permission_map

After:
  $ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_*
  ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_app_uid_stats_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_configuration_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_cookie_tag_map
  ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_iface_index_name_map
  ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_iface_stats_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_stats_map_A
  -r--rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_stats_map_B
  ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_uid_counterset_map
  ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_uid_owner_map
  -rw-rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_uid_permission_map

Access required is based on list of maps at netd/BpfHandler.h:62
  BpfMap<uint64_t, UidTagValue> mCookieTagMap;
  BpfMap<StatsKey, StatsValue> mStatsMapA;
  BpfMap<StatsKey, StatsValue> mStatsMapB;
  BpfMap<uint32_t, uint32_t> mConfigurationMap;
  BpfMap<uint32_t, uint8_t> mUidPermissionMap;

Note that this is still just a first stab at things.
The only one which should really be writable is mCookieTagMap,
but that's for follow ups as it gets real difficult to switch
due to the tests and BpfMap vs BpfMapRO inheritance inversion.

Additionally due to netd being root with CAP_DAC_OVERRIDE,
this change is really a no-op, and will be until we add
proper per map selinux contexts.  So it is in a sense only
a documentation of intent change...

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I86f3028251818c2025503839c7225d07a2943ed0
---
 bpf_progs/netd.c | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index cb1714cf02..2711bef6f5 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -52,25 +52,30 @@
 #define TCP_FLAG_OFF 13
 #define RST_OFFSET 2
 
-DEFINE_BPF_MAP_GRW(cookie_tag_map, HASH, uint64_t, UidTagValue, COOKIE_UID_MAP_SIZE,
-                   AID_NET_BW_ACCT)
-DEFINE_BPF_MAP_GRW(uid_counterset_map, HASH, uint32_t, uint8_t, UID_COUNTERSET_MAP_SIZE,
-                   AID_NET_BW_ACCT)
-DEFINE_BPF_MAP_GRW(app_uid_stats_map, HASH, uint32_t, StatsValue, APP_STATS_MAP_SIZE,
-                   AID_NET_BW_ACCT)
-DEFINE_BPF_MAP_GRW(stats_map_A, HASH, StatsKey, StatsValue, STATS_MAP_SIZE, AID_NET_BW_ACCT)
-DEFINE_BPF_MAP_GRW(stats_map_B, HASH, StatsKey, StatsValue, STATS_MAP_SIZE, AID_NET_BW_ACCT)
-DEFINE_BPF_MAP_GRW(iface_stats_map, HASH, uint32_t, StatsValue, IFACE_STATS_MAP_SIZE,
-                   AID_NET_BW_ACCT)
-DEFINE_BPF_MAP_GRW(configuration_map, HASH, uint32_t, uint32_t, CONFIGURATION_MAP_SIZE,
-                   AID_NET_BW_ACCT)
-DEFINE_BPF_MAP_GRW(uid_owner_map, HASH, uint32_t, UidOwnerValue, UID_OWNER_MAP_SIZE,
-                   AID_NET_BW_ACCT)
-DEFINE_BPF_MAP_GRW(uid_permission_map, HASH, uint32_t, uint8_t, UID_OWNER_MAP_SIZE, AID_NET_BW_ACCT)
+// For maps netd does not need to access
+#define DEFINE_BPF_MAP_NO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
+    DEFINE_BPF_MAP_UGM(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, AID_ROOT, AID_NET_BW_ACCT, 0060)
+
+// For maps netd only needs read only access to
+#define DEFINE_BPF_MAP_RO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
+    DEFINE_BPF_MAP_UGM(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, AID_ROOT, AID_NET_BW_ACCT, 0460)
+
+// For maps netd needs to be able to read and write
+#define DEFINE_BPF_MAP_RW_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
+    DEFINE_BPF_MAP_UGM(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, AID_ROOT, AID_NET_BW_ACCT, 0660)
+
+DEFINE_BPF_MAP_RW_NETD(cookie_tag_map, HASH, uint64_t, UidTagValue, COOKIE_UID_MAP_SIZE)
+DEFINE_BPF_MAP_NO_NETD(uid_counterset_map, HASH, uint32_t, uint8_t, UID_COUNTERSET_MAP_SIZE)
+DEFINE_BPF_MAP_NO_NETD(app_uid_stats_map, HASH, uint32_t, StatsValue, APP_STATS_MAP_SIZE)
+DEFINE_BPF_MAP_RW_NETD(stats_map_A, HASH, StatsKey, StatsValue, STATS_MAP_SIZE)
+DEFINE_BPF_MAP_RO_NETD(stats_map_B, HASH, StatsKey, StatsValue, STATS_MAP_SIZE)
+DEFINE_BPF_MAP_NO_NETD(iface_stats_map, HASH, uint32_t, StatsValue, IFACE_STATS_MAP_SIZE)
+DEFINE_BPF_MAP_RW_NETD(configuration_map, HASH, uint32_t, uint32_t, CONFIGURATION_MAP_SIZE)
+DEFINE_BPF_MAP_NO_NETD(uid_owner_map, HASH, uint32_t, UidOwnerValue, UID_OWNER_MAP_SIZE)
+DEFINE_BPF_MAP_RW_NETD(uid_permission_map, HASH, uint32_t, uint8_t, UID_OWNER_MAP_SIZE)
 
 /* never actually used from ebpf */
-DEFINE_BPF_MAP_GRW(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_INDEX_NAME_MAP_SIZE,
-                   AID_NET_BW_ACCT)
+DEFINE_BPF_MAP_NO_NETD(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_INDEX_NAME_MAP_SIZE)
 
 static __always_inline int is_system_uid(uint32_t uid) {
     return (uid <= MAX_SYSTEM_UID) && (uid >= MIN_SYSTEM_UID);