netd.c: factor out get_app_permissions()

Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: If33414eccefb35e6aefbd4ec0c24b208e564ca7e
2023-10-07 19:33:39 +00:00
parent 901c71051e
commit f060849988
1 changed files with 8 additions and 8 deletions
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -637,9 +637,7 @@ DEFINE_XTBPF_PROG("skfilter/denylist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_den
    return BPF_NOMATCH;
 }

-DEFINE_NETD_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_create,
-                          KVER_4_14)
-(struct bpf_sock* sk) {
+static __always_inline inline uint8_t get_app_permissions() {
    uint64_t gid_uid = bpf_get_current_uid_gid();
    /*
     * A given app is guaranteed to have the same app ID in all the profiles in
@@ -649,13 +647,15 @@ DEFINE_NETD_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_soc
     */
    uint32_t appId = (gid_uid & 0xffffffff) % AID_USER_OFFSET;  // == PER_USER_RANGE == 100000
    uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
-    if (!permissions) {
-        // UID not in map. Default to just INTERNET permission.
-        return 1;
-    }
+    // if UID not in map, then default to just INTERNET permission.
+    return permissions ? *permissions : BPF_PERMISSION_INTERNET;
+}

+DEFINE_NETD_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_create,
+                          KVER_4_14)
+(struct bpf_sock* sk) {
    // A return value of 1 means allow, everything else means deny.
-    return (*permissions & BPF_PERMISSION_INTERNET) == BPF_PERMISSION_INTERNET;
+    return (get_app_permissions() & BPF_PERMISSION_INTERNET) ? 1 : 0;
 }

 LICENSE("Apache 2.0");