bpf: add constants PRIVATE, SHARED, MANDATORY, OPTIONAL
Use them, and IGNORE_ON_* / LOAD_ON_*, as needed. Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: Ibadd782d289e6a2ce1467778a1930c6f1b609f98
@@ -87,6 +87,14 @@ static inline __always_inline void try_make_writable(struct __sk_buff* skb, int
|
|||||||
if (skb->data_end - skb->data < len) bpf_skb_pull_data(skb, len);
|
if (skb->data_end - skb->data < len) bpf_skb_pull_data(skb, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// constants for passing in to 'bool shared' (for maps)
|
||||||
|
static const bool PRIVATE = false;
|
||||||
|
static const bool SHARED = true;
|
||||||
|
|
||||||
|
// constants for passing in to 'bool optional' (for programs)
|
||||||
|
static const bool MANDATORY = false;
|
||||||
|
static const bool OPTIONAL = true;
|
||||||
|
|
||||||
// constants for passing in to 'bool egress'
|
// constants for passing in to 'bool egress'
|
||||||
static const bool INGRESS = false;
|
static const bool INGRESS = false;
|
||||||
static const bool EGRESS = true;
|
static const bool EGRESS = true;
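Review bot: All four new constants are plain `bool`, so passing SHARED in the `optional` slot or OPTIONAL in the `shared` slot still compiles, and a reader of a call site must still count argument positions; the two comments are the only guard, exactly as for the existing INGRESS/EGRESS pair. It would help to state in each comment which macro parameter the pair feeds, e.g. `// constants for the 'bool shared' parameter of DEFINE_BPF_MAP_EXT (maps only)` and `// constants for the 'bool optional' parameter of DEFINE_BPF_PROG_EXT (programs only)`, so the polarity can be checked without opening the macro definitions. If DEFINE_BPF_MAP_EXT expands to a file-scope initializer, a `static const bool` object used there is not a constant expression in ISO C and relies on the compiler folding it (clang does, GCC does not); the file already uses this pattern for TRACE_OFF and INGRESS/EGRESS, so it is consistent, but an `enum` or `#define` would be the portable spelling. The try_make_writable body whose closing brace opens this hunk starts outside it.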
|
||||||
|
|||||||
@@ -59,18 +59,18 @@ static const bool TRACE_OFF = false;
|
|||||||
#define TCP_FLAG8_OFF (TCP_FLAG32_OFF + 1)
|
#define TCP_FLAG8_OFF (TCP_FLAG32_OFF + 1)
|
||||||
|
|
||||||
// For maps netd does not need to access
|
// For maps netd does not need to access
|
||||||
#define DEFINE_BPF_MAP_NO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
|
#define DEFINE_BPF_MAP_NO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
|
||||||
DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
|
DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
|
||||||
AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", false, \
|
AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", \
|
||||||
BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, LOAD_ON_ENG, \
|
PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, \
|
||||||
LOAD_ON_USER, LOAD_ON_USERDEBUG)
|
LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
|
||||||
|
|
||||||
// For maps netd only needs read only access to
|
// For maps netd only needs read only access to
|
||||||
#define DEFINE_BPF_MAP_RO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
|
#define DEFINE_BPF_MAP_RO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
|
||||||
DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
|
DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
|
||||||
AID_ROOT, AID_NET_BW_ACCT, 0460, "fs_bpf_netd_readonly", "", false, \
|
AID_ROOT, AID_NET_BW_ACCT, 0460, "fs_bpf_netd_readonly", "", \
|
||||||
BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, LOAD_ON_ENG, \
|
PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, \
|
||||||
LOAD_ON_USER, LOAD_ON_USERDEBUG)
|
LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
|
||||||
|
|
||||||
// For maps netd needs to be able to read and write
|
// For maps netd needs to be able to read and write
|
||||||
#define DEFINE_BPF_MAP_RW_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
|
#define DEFINE_BPF_MAP_RW_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
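Review bot: DEFINE_BPF_MAP_RW_NETD begins on the hunk's last line and its body continues outside it, so it cannot be confirmed here that its argument list received the same `false` → `PRIVATE` substitution that DEFINE_BPF_MAP_NO_NETD and DEFINE_BPF_MAP_RO_NETD did; the three netd map wrappers should agree, since they all feed the same positional `shared` argument of DEFINE_BPF_MAP_EXT. The rewrap that moves LOAD_ON_ENG onto the final line in both visible macros is cosmetic and leaves the argument order unchanged.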
|
||||||
@@ -102,13 +102,13 @@ DEFINE_BPF_MAP_NO_NETD(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_I
|
|||||||
|
|
||||||
// A single-element configuration array, packet tracing is enabled when 'true'.
|
// A single-element configuration array, packet tracing is enabled when 'true'.
|
||||||
DEFINE_BPF_MAP_EXT(packet_trace_enabled_map, ARRAY, uint32_t, bool, 1,
|
DEFINE_BPF_MAP_EXT(packet_trace_enabled_map, ARRAY, uint32_t, bool, 1,
|
||||||
AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", false,
|
AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", PRIVATE,
|
||||||
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, LOAD_ON_ENG,
|
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, LOAD_ON_ENG,
|
||||||
LOAD_ON_USER, LOAD_ON_USERDEBUG)
|
LOAD_ON_USER, LOAD_ON_USERDEBUG)
|
||||||
|
|
||||||
// A ring buffer on which packet information is pushed.
|
// A ring buffer on which packet information is pushed.
|
||||||
DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, PACKET_TRACE_BUF_SIZE,
|
DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, PACKET_TRACE_BUF_SIZE,
|
||||||
AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", false,
|
AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", PRIVATE,
|
||||||
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, LOAD_ON_ENG,
|
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, LOAD_ON_ENG,
|
||||||
LOAD_ON_USER, LOAD_ON_USERDEBUG);
|
LOAD_ON_USER, LOAD_ON_USERDEBUG);
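Review bot: Both definitions now pass `PRIVATE` directly after the literal `"fs_bpf_net_shared"`, and the two uses of "shared" mean different things — the string appears to be a label for the pinned object while the bool is the map's `shared` parameter (confirm against DEFINE_BPF_MAP_EXT). A one-line comment above packet_trace_enabled_map, such as `// PRIVATE is the map's 'shared' flag; it is unrelated to the fs_bpf_net_shared label`, would stop the next reader from taking the pair as a contradiction.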
|
||||||
|
|
||||||
@@ -127,8 +127,8 @@ DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, PACKET_TRACE_BUF_SIZE,
|
|||||||
// which is loaded into netd and thus runs as netd uid/gid/selinux context)
|
// which is loaded into netd and thus runs as netd uid/gid/selinux context)
|
||||||
#define DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, prog_uid, prog_gid, the_prog, minKV, maxKV) \
|
#define DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, prog_uid, prog_gid, the_prog, minKV, maxKV) \
|
||||||
DEFINE_BPF_PROG_EXT(SECTION_NAME, prog_uid, prog_gid, the_prog, \
|
DEFINE_BPF_PROG_EXT(SECTION_NAME, prog_uid, prog_gid, the_prog, \
|
||||||
minKV, maxKV, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, false, \
|
minKV, maxKV, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, MANDATORY, \
|
||||||
"fs_bpf_netd_readonly", "", false, false, false)
|
"fs_bpf_netd_readonly", "", LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
|
||||||
|
|
||||||
#define DEFINE_NETD_BPF_PROG_KVER(SECTION_NAME, prog_uid, prog_gid, the_prog, min_kv) \
|
#define DEFINE_NETD_BPF_PROG_KVER(SECTION_NAME, prog_uid, prog_gid, the_prog, min_kv) \
|
||||||
DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, prog_uid, prog_gid, the_prog, min_kv, KVER_INF)
|
DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, prog_uid, prog_gid, the_prog, min_kv, KVER_INF)
|
||||||
@@ -139,8 +139,8 @@ DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, PACKET_TRACE_BUF_SIZE,
|
|||||||
// programs that only need to be usable by the system server
|
// programs that only need to be usable by the system server
|
||||||
#define DEFINE_SYS_BPF_PROG(SECTION_NAME, prog_uid, prog_gid, the_prog) \
|
#define DEFINE_SYS_BPF_PROG(SECTION_NAME, prog_uid, prog_gid, the_prog) \
|
||||||
DEFINE_BPF_PROG_EXT(SECTION_NAME, prog_uid, prog_gid, the_prog, KVER_NONE, KVER_INF, \
|
DEFINE_BPF_PROG_EXT(SECTION_NAME, prog_uid, prog_gid, the_prog, KVER_NONE, KVER_INF, \
|
||||||
BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, false, "fs_bpf_net_shared", \
|
BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, MANDATORY, \
|
||||||
"", false, false, false)
|
"fs_bpf_net_shared", "", LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
|
||||||
|
|
||||||
static __always_inline int is_system_uid(uint32_t uid) {
|
static __always_inline int is_system_uid(uint32_t uid) {
|
||||||
// MIN_SYSTEM_UID is AID_ROOT == 0, so uint32_t is *always* >= 0
|
// MIN_SYSTEM_UID is AID_ROOT == 0, so uint32_t is *always* >= 0
|
||||||
@@ -506,8 +506,9 @@ static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, boo
|
|||||||
// This program is optional, and enables tracing on Android U+, 5.8+ on user builds.
|
// This program is optional, and enables tracing on Android U+, 5.8+ on user builds.
|
||||||
DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace_user", AID_ROOT, AID_SYSTEM,
|
DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace_user", AID_ROOT, AID_SYSTEM,
|
||||||
bpf_cgroup_ingress_trace_user, KVER(5, 8, 0), KVER_INF,
|
bpf_cgroup_ingress_trace_user, KVER(5, 8, 0), KVER_INF,
|
||||||
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, true,
|
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, OPTIONAL,
|
||||||
"fs_bpf_netd_readonly", "", true, false, true)
|
"fs_bpf_netd_readonly", "",
|
||||||
|
IGNORE_ON_ENG, LOAD_ON_USER, IGNORE_ON_USERDEBUG)
|
||||||
(struct __sk_buff* skb) {
|
(struct __sk_buff* skb) {
|
||||||
return bpf_traffic_account(skb, INGRESS, TRACE_ON, KVER(5, 8, 0));
|
return bpf_traffic_account(skb, INGRESS, TRACE_ON, KVER(5, 8, 0));
|
||||||
}
|
}
|
||||||
@@ -515,8 +516,9 @@ DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace_user", AID_ROOT, AID_SYSTEM,
|
|||||||
// This program is required, and enables tracing on Android U+, 5.8+, userdebug/eng.
|
// This program is required, and enables tracing on Android U+, 5.8+, userdebug/eng.
|
||||||
DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace", AID_ROOT, AID_SYSTEM,
|
DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace", AID_ROOT, AID_SYSTEM,
|
||||||
bpf_cgroup_ingress_trace, KVER(5, 8, 0), KVER_INF,
|
bpf_cgroup_ingress_trace, KVER(5, 8, 0), KVER_INF,
|
||||||
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, false,
|
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, MANDATORY,
|
||||||
"fs_bpf_netd_readonly", "", false, true, false)
|
"fs_bpf_netd_readonly", "",
|
||||||
|
LOAD_ON_ENG, IGNORE_ON_USER, LOAD_ON_USERDEBUG)
|
||||||
(struct __sk_buff* skb) {
|
(struct __sk_buff* skb) {
|
||||||
return bpf_traffic_account(skb, INGRESS, TRACE_ON, KVER(5, 8, 0));
|
return bpf_traffic_account(skb, INGRESS, TRACE_ON, KVER(5, 8, 0));
|
||||||
}
|
}
|
||||||
@@ -536,8 +538,9 @@ DEFINE_NETD_BPF_PROG_KVER_RANGE("cgroupskb/ingress/stats$4_14", AID_ROOT, AID_SY
|
|||||||
// This program is optional, and enables tracing on Android U+, 5.8+ on user builds.
|
// This program is optional, and enables tracing on Android U+, 5.8+ on user builds.
|
||||||
DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace_user", AID_ROOT, AID_SYSTEM,
|
DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace_user", AID_ROOT, AID_SYSTEM,
|
||||||
bpf_cgroup_egress_trace_user, KVER(5, 8, 0), KVER_INF,
|
bpf_cgroup_egress_trace_user, KVER(5, 8, 0), KVER_INF,
|
||||||
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, true,
|
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, OPTIONAL,
|
||||||
"fs_bpf_netd_readonly", "", true, false, true)
|
"fs_bpf_netd_readonly", "",
|
||||||
|
LOAD_ON_ENG, IGNORE_ON_USER, LOAD_ON_USERDEBUG)
|
||||||
(struct __sk_buff* skb) {
|
(struct __sk_buff* skb) {
|
||||||
return bpf_traffic_account(skb, EGRESS, TRACE_ON, KVER(5, 8, 0));
|
return bpf_traffic_account(skb, EGRESS, TRACE_ON, KVER(5, 8, 0));
|
||||||
}
|
}
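Review bot: The new argument list for `cgroupskb/egress/stats$trace_user` flips which build types load the program: the removed literals `true, false, true` are translated in the ingress `$trace_user` hunk above as `IGNORE_ON_ENG, LOAD_ON_USER, IGNORE_ON_USERDEBUG`, but here they became `LOAD_ON_ENG, IGNORE_ON_USER, LOAD_ON_USERDEBUG`. That contradicts the comment at the top of the hunk ("on user builds") and makes this optional program load on exactly the builds where the mandatory `cgroupskb/egress/stats$trace` program in the next hunk also loads, while user builds get neither egress tracing variant. The last line of the macro call should read `IGNORE_ON_ENG, LOAD_ON_USER, IGNORE_ON_USERDEBUG)`. Since the commit is presented as a pure literal-to-constant substitution, this looks like a transcription slip rather than an intended change in which builds attach the program.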
|
||||||
@@ -545,8 +548,9 @@ DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace_user", AID_ROOT, AID_SYSTEM,
|
|||||||
// This program is required, and enables tracing on Android U+, 5.8+, userdebug/eng.
|
// This program is required, and enables tracing on Android U+, 5.8+, userdebug/eng.
|
||||||
DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace", AID_ROOT, AID_SYSTEM,
|
DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace", AID_ROOT, AID_SYSTEM,
|
||||||
bpf_cgroup_egress_trace, KVER(5, 8, 0), KVER_INF,
|
bpf_cgroup_egress_trace, KVER(5, 8, 0), KVER_INF,
|
||||||
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, false,
|
BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, MANDATORY,
|
||||||
"fs_bpf_netd_readonly", "", false, true, false)
|
"fs_bpf_netd_readonly", "",
|
||||||
|
LOAD_ON_ENG, IGNORE_ON_USER, LOAD_ON_USERDEBUG)
|
||||||
(struct __sk_buff* skb) {
|
(struct __sk_buff* skb) {
|
||||||
return bpf_traffic_account(skb, EGRESS, TRACE_ON, KVER(5, 8, 0));
|
return bpf_traffic_account(skb, EGRESS, TRACE_ON, KVER(5, 8, 0));
|
||||||
}
|
}
|
||||||
|
|||||||