From f7d23e1a607f9f15ff8f1d107a5eea1465a89a50 Mon Sep 17 00:00:00 2001
From: Ken Chen
Date: Sat, 16 Sep 2023 16:44:42 +0800
Subject: [PATCH] [Refactor] Make uid owner match comparison logic into a function

As an inline function, the logic can be reused by others.

Bug: Bug: 288340533
Test: build; presubmit
Change-Id: I8e57829e304e829eed72cc165b051cd22088260d
---
 bpf_progs/netd.c | 12 +----------
 bpf_progs/netd.h | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index c3258e9e89..0054d4aea6 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -401,11 +401,6 @@ static __always_inline inline bool ingress_should_discard(struct __sk_buff* skb,
     return true; // disallowed interface
 }
-// DROP_IF_SET is set of rules that DROP if rule is globally enabled, and per-uid bit is set
-#define DROP_IF_SET (STANDBY_MATCH | OEM_DENY_1_MATCH | OEM_DENY_2_MATCH | OEM_DENY_3_MATCH)
-// DROP_IF_UNSET is set of rules that should DROP if globally enabled, and per-uid bit is NOT set
-#define DROP_IF_UNSET (DOZABLE_MATCH | POWERSAVE_MATCH | RESTRICTED_MATCH | LOW_POWER_STANDBY_MATCH)
-
 static __always_inline inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid, bool egress, const unsigned kver) {
     if (is_system_uid(uid)) return PASS;
@@ -418,12 +413,7 @@ static __always_inline inline int bpf_owner_match(struct __sk_buff* skb, uint32_
     uint32_t uidRules = uidEntry ? uidEntry->rule : 0;
     uint32_t allowed_iif = uidEntry ? uidEntry->iif : 0;
-    // Warning: funky bit-wise arithmetic: in parallel, for all DROP_IF_SET/UNSET rules
-    // check whether the rules are globally enabled, and if so whether the rules are
-    // set/unset for the specific uid. DROP if that is the case for ANY of the rules.
-    // We achieve this by masking out only the bits/rules we're interested in checking,
-    // and negating (via bit-wise xor) the bits/rules that should drop if unset.
-    if (enabledRules & (DROP_IF_SET | DROP_IF_UNSET) & (uidRules ^ DROP_IF_UNSET)) return DROP;
+    if (isBlockedByUidRules(enabledRules, uidRules)) return DROP;
     if (!egress && skb->ifindex != 1) {
         if (ingress_should_discard(skb, kver)) return DROP;
diff --git a/bpf_progs/netd.h b/bpf_progs/netd.h
index 6e9acaa380..dd27bf9f93 100644
--- a/bpf_progs/netd.h
+++ b/bpf_progs/netd.h
@@ -235,3 +235,17 @@ STRUCT_SIZE(IngressDiscardValue, 2 * 4); // 8
 #define CURRENT_STATS_MAP_CONFIGURATION_KEY 1
 #undef STRUCT_SIZE
+
+// DROP_IF_SET is set of rules that DROP if rule is globally enabled, and per-uid bit is set
+#define DROP_IF_SET (STANDBY_MATCH | OEM_DENY_1_MATCH | OEM_DENY_2_MATCH | OEM_DENY_3_MATCH)
+// DROP_IF_UNSET is set of rules that should DROP if globally enabled, and per-uid bit is NOT set
+#define DROP_IF_UNSET (DOZABLE_MATCH | POWERSAVE_MATCH | RESTRICTED_MATCH | LOW_POWER_STANDBY_MATCH)
+
+// Warning: funky bit-wise arithmetic: in parallel, for all DROP_IF_SET/UNSET rules
+// check whether the rules are globally enabled, and if so whether the rules are
+// set/unset for the specific uid. DROP if that is the case for ANY of the rules.
+// We achieve this by masking out only the bits/rules we're interested in checking,
+// and negating (via bit-wise xor) the bits/rules that should drop if unset.
+static inline bool isBlockedByUidRules(BpfConfig enabledRules, uint32_t uidRules) {
+    return enabledRules & (DROP_IF_SET | DROP_IF_UNSET) & (uidRules ^ DROP_IF_UNSET);
+}
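Review bot: `isBlockedByUidRules` is declared only `static inline`, while the netd.c helpers it is called from are `static __always_inline inline` (see the `ingress_should_discard` and `bpf_owner_match` signatures in the netd.c hunk headers), so whether the check is folded back into `bpf_owner_match` in the BPF object or emitted as a separate bpf-to-bpf call is now left to the optimizer. If netd.h must remain includable where `__always_inline` is not available, a comment above the signature recording that the BPF program relies on this being inlined would at least make the assumption visible. The return statement also converts a `BpfConfig` bitmask to `bool` implicitly; `return (enabledRules & (DROP_IF_SET | DROP_IF_UNSET) & (uidRules ^ DROP_IF_UNSET)) != 0;` states that intent explicitly. The moved comment explains the bit trick but not the function's contract, so a one-line summary such as `// Returns true if any globally enabled DROP_IF_SET rule has the uid bit set, or any globally enabled DROP_IF_UNSET rule has it clear.` would help callers that reuse it.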