diff --git a/bpf_progs/bpf_net_helpers.h b/bpf_progs/bpf_net_helpers.h
index b9f67aab7b..bb5e330f1b 100644
--- a/bpf_progs/bpf_net_helpers.h
+++ b/bpf_progs/bpf_net_helpers.h
@@ -87,6 +87,14 @@ static inline __always_inline void try_make_writable(struct __sk_buff* skb, int
 if (skb->data_end - skb->data < len) bpf_skb_pull_data(skb, len);
 }
 
+// constants for passing in to 'bool shared' (for maps)
+static const bool PRIVATE = false;
+static const bool SHARED = true;
+
+// constants for passing in to 'bool optional' (for programs)
+static const bool MANDATORY = false;
+static const bool OPTIONAL = true;
+
 // constants for passing in to 'bool egress'
 static const bool INGRESS = false;
 static const bool EGRESS = true;
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 256dd6a26c..7a48e8ce04 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
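Review bot: `PRIVATE`, `SHARED`, `MANDATORY` and `OPTIONAL` are very generic unscoped identifiers placed in a header every BPF program includes, so a same-named macro in any transitively included kernel or libc header would turn these `static const bool` definitions into a parse error far from the cause; I have not checked the include set, so this is a caution rather than a found collision. Because all four, like the existing INGRESS/EGRESS and the LOAD_ON_*/IGNORE_ON_* family used in netd.c, are plain `bool`, the compiler cannot catch one being passed into another constant's positional slot, so the comments are the only guard. They should name the slot, e.g. `// constants for passing in to 'bool shared' (for maps): the DEFINE_BPF_MAP_EXT argument that follows the two string arguments` and `// constants for passing in to 'bool optional' (for programs): the DEFINE_BPF_PROG_EXT argument that follows BPFLOADER_MAX_VER`, which matches every call site in this change.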
@@ -59,18 +59,18 @@ static const bool TRACE_OFF = false;
 #define TCP_FLAG8_OFF (TCP_FLAG32_OFF + 1)
 
 // For maps netd does not need to access
-#define DEFINE_BPF_MAP_NO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
- DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
- AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", false, \
- BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, LOAD_ON_ENG, \
- LOAD_ON_USER, LOAD_ON_USERDEBUG)
+#define DEFINE_BPF_MAP_NO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
+ DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
+ AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", \
+ PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, \
+ LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
 
 // For maps netd only needs read only access to
-#define DEFINE_BPF_MAP_RO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
- DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
- AID_ROOT, AID_NET_BW_ACCT, 0460, "fs_bpf_netd_readonly", "", false, \
- BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, LOAD_ON_ENG, \
- LOAD_ON_USER, LOAD_ON_USERDEBUG)
+#define DEFINE_BPF_MAP_RO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
+ DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
+ AID_ROOT, AID_NET_BW_ACCT, 0460, "fs_bpf_netd_readonly", "", \
+ PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, \
+ LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
 
 // For maps netd needs to be able to read and write
 #define DEFINE_BPF_MAP_RW_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
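Review bot: DEFINE_BPF_MAP_NO_NETD now passes `PRIVATE` for the 'bool shared' argument while the same macro names "fs_bpf_net_shared" two arguments earlier, which reads as a contradiction to anyone who does not already know the flag and that string (presumably a pin directory) mean different things, and nothing in the hunk says what 'shared' denotes. A one-line comment above the macro, e.g. `// PRIVATE is DEFINE_BPF_MAP_EXT's 'bool shared' argument; it is unrelated to the fs_bpf_net_shared path string`, would stop a future maintainer from "fixing" it to SHARED. I cannot see DEFINE_BPF_MAP_EXT from this diff, so the exact wording should be checked against its definition.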
@@ -102,13 +102,13 @@ DEFINE_BPF_MAP_NO_NETD(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_I
 
 // A single-element configuration array, packet tracing is enabled when 'true'.
 DEFINE_BPF_MAP_EXT(packet_trace_enabled_map, ARRAY, uint32_t, bool, 1,
- AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", false,
+ AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", PRIVATE,
 BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, LOAD_ON_ENG, LOAD_ON_USER,
 LOAD_ON_USERDEBUG)
 
 // A ring buffer on which packet information is pushed.
 DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, PACKET_TRACE_BUF_SIZE,
- AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", false,
+ AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", PRIVATE,
 BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, LOAD_ON_ENG, LOAD_ON_USER,
 LOAD_ON_USERDEBUG);
 
@@ -127,8 +127,8 @@ DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, PACKET_TRACE_BUF_SIZE,
 // which is loaded into netd and thus runs as netd uid/gid/selinux context)
 #define DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, prog_uid, prog_gid, the_prog, minKV, maxKV) \
 DEFINE_BPF_PROG_EXT(SECTION_NAME, prog_uid, prog_gid, the_prog, \
- minKV, maxKV, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, false, \
- "fs_bpf_netd_readonly", "", false, false, false)
+ minKV, maxKV, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, MANDATORY, \
+ "fs_bpf_netd_readonly", "", LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
 
 #define DEFINE_NETD_BPF_PROG_KVER(SECTION_NAME, prog_uid, prog_gid, the_prog, min_kv) \
 DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, prog_uid, prog_gid, the_prog, min_kv, KVER_INF)
@@ -139,8 +139,8 @@ DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, PACKET_TRACE_BUF_SIZE,
 // programs that only need to be usable by the system server
 #define DEFINE_SYS_BPF_PROG(SECTION_NAME, prog_uid, prog_gid, the_prog) \
 DEFINE_BPF_PROG_EXT(SECTION_NAME, prog_uid, prog_gid, the_prog, KVER_NONE, KVER_INF, \
- BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, false, "fs_bpf_net_shared", \
- "", false, false, false)
+ BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, MANDATORY, \
+ "fs_bpf_net_shared", "", LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
 
 static __always_inline int is_system_uid(uint32_t uid) {
 // MIN_SYSTEM_UID is AID_ROOT == 0, so uint32_t is *always* >= 0
@@ -506,8 +506,9 @@ static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, boo
 // This program is optional, and enables tracing on Android U+, 5.8+ on user builds.
 DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace_user", AID_ROOT, AID_SYSTEM,
 bpf_cgroup_ingress_trace_user, KVER(5, 8, 0), KVER_INF,
- BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, true,
- "fs_bpf_netd_readonly", "", true, false, true)
+ BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, OPTIONAL,
+ "fs_bpf_netd_readonly", "",
+ IGNORE_ON_ENG, LOAD_ON_USER, IGNORE_ON_USERDEBUG)
 (struct __sk_buff* skb) {
 return bpf_traffic_account(skb, INGRESS, TRACE_ON, KVER(5, 8, 0));
 }
@@ -515,8 +516,9 @@ DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace_user", AID_ROOT, AID_SYSTEM,
 // This program is required, and enables tracing on Android U+, 5.8+, userdebug/eng.
 DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace", AID_ROOT, AID_SYSTEM,
 bpf_cgroup_ingress_trace, KVER(5, 8, 0), KVER_INF,
- BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, false,
- "fs_bpf_netd_readonly", "", false, true, false)
+ BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, MANDATORY,
+ "fs_bpf_netd_readonly", "",
+ LOAD_ON_ENG, IGNORE_ON_USER, LOAD_ON_USERDEBUG)
 (struct __sk_buff* skb) {
 return bpf_traffic_account(skb, INGRESS, TRACE_ON, KVER(5, 8, 0));
 }
@@ -536,8 +538,9 @@ DEFINE_NETD_BPF_PROG_KVER_RANGE("cgroupskb/ingress/stats$4_14", AID_ROOT, AID_SY
 // This program is optional, and enables tracing on Android U+, 5.8+ on user builds.
 DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace_user", AID_ROOT, AID_SYSTEM,
 bpf_cgroup_egress_trace_user, KVER(5, 8, 0), KVER_INF,
- BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, true,
- "fs_bpf_netd_readonly", "", true, false, true)
+ BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, OPTIONAL,
+ "fs_bpf_netd_readonly", "",
+ LOAD_ON_ENG, IGNORE_ON_USER, LOAD_ON_USERDEBUG)
 (struct __sk_buff* skb) {
 return bpf_traffic_account(skb, EGRESS, TRACE_ON, KVER(5, 8, 0));
 }
@@ -545,8 +548,9 @@ DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace_user", AID_ROOT, AID_SYSTEM,
 // This program is required, and enables tracing on Android U+, 5.8+, userdebug/eng.
 DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace", AID_ROOT, AID_SYSTEM,
 bpf_cgroup_egress_trace, KVER(5, 8, 0), KVER_INF,
- BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, false,
- "fs_bpf_netd_readonly", "", false, true, false)
+ BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, MANDATORY,
+ "fs_bpf_netd_readonly", "",
+ LOAD_ON_ENG, IGNORE_ON_USER, LOAD_ON_USERDEBUG)
 (struct __sk_buff* skb) {
 return bpf_traffic_account(skb, EGRESS, TRACE_ON, KVER(5, 8, 0));
 }
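Review bot: The build-type flags of the egress `$trace_user` program are inverted relative to its ingress twin: both hunks remove the same `true, false, true`, but the ingress hunk renders that as `IGNORE_ON_ENG, LOAD_ON_USER, IGNORE_ON_USERDEBUG` while this one writes `LOAD_ON_ENG, IGNORE_ON_USER, LOAD_ON_USERDEBUG`, which is the spelling the following egress `$trace` hunk correctly uses for its `false, true, false`. Assuming LOAD_ON_* is false and IGNORE_ON_* is true (their definitions are outside this diff, but the ingress hunk's mapping implies it), a change described as a constant rename silently alters what the loader does: the optional egress tracer is no longer loaded on user builds, contradicting the comment "on user builds" just above it, and on eng/userdebug both egress tracing programs become loadable at once, whose effect depends on loader logic I cannot see here. The new line should read `IGNORE_ON_ENG, LOAD_ON_USER, IGNORE_ON_USERDEBUG)` so that it matches both the removed values and the ingress program.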