The FD number isn't actually useful debugging information,
and I want to get rid of this fd leak out of BpfMap class.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I981832b019b57f534bed1c1fbfedf6457abba6fa
while at it add 'const' to satisfy the linter
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I207be20c75b103bc5332c111291e4c439ba82219
The random grab bag of stuff in BpfUtils.h is weird,
and I'm trying to trim it down.
Since this is coming from the kernel, 0 meaning error / no socket
is actually kernel api and thus guaranteed.
IMHO if (!cookie) is also clearer to read.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I433dfca5695a04a42d632b7e0c2434db26c4ed00
These two checks are theoretically equivalent,
since netd.o marks the program as requiring 4.14+.
Thus unless netd.o bpf program is broken, or bpfloader
is misbehaving, this change is a no-op.
Bug: 270276754
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2c6982e7476c2fa56b67532c80d97d7389030d32
This effectively reverts commit 6ed2ab9b57,
while ensuring that the program has the right permissions as
defined in r.android.com/2130014 :
oriole:/ # ls -lZ /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
-r--r----- 1 root root u:object_r:fs_bpf_netd_readonly:s0 0 2022-10-27 20:05 /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
Reason for revert: need to support 4.9 devices upgrading to T.
The only thing that cannot currently be supported on those
devices is the inet_create program which implements the
INTERNET permission.
Also, update bpf_existence_test so it does not check for the
existence of the program on pre-4.14 devices.
Bug: 254001921
Test: atest bpf_existence_test
Change-Id: I14f26cee5feeaae93b4d9710a7b9a2f835ff405f
since it doesn't actually work (this runs in netd, but is meant
to protect against system server modifications)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I87f268f1a68c559b19caa4d625cb9eb8395c91e2
This eliminates the need for netd_updatable BpfHandler.cpp
to initialize the hash map with a zero.
On startup the map will be freshly initialized and thus zero.
On restart it might not be empty, but it doesn't matter to netd.
Furthermore the mainline component of the system server will
re-initialize it again anyway:
see service/native/TrafficController.cpp initMaps()
This does remove the ability to call deleteValue on a key,
since that would always return -EINVAL, but since we don't
currently do that, that's really a feature.
(It does suggest though that we should have a BpfMapNonNullable
class which is writeable, but without a deleteValue() function)
Additionally BpfMap arrays are more efficient for the kernel bpf jit
compiler, as - on newer kernels - it can optimize the read/write
into a simple memory access (as opposed to a bpf helper call).
Before:
$ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
-rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:20 /sys/fs/bpf/netd_shared/ map_netd_configuration_map
After:
$ adbz shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
-r--rw---- 1 root net_bw_acct 0 2022-06-16 15:03 /sys/fs/bpf/netd_shared/map_netd_configuration_map
Bug: 235590615
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
We'd like to switch more of these, but this is the only one
where tests don't get in our way.
We'll fix the rest later. This gives us an *example* for
further testing.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b280c7ba2d19644fc3cdd0c132de85f45df69b4
(for consistency with rest of code base)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5660615f24daf4285e2b6cbacecb7cd99061c5f5
Configuration map index 1(CURRENT_STATS_MAP_CONFIGURATION_KEY) can only
have value 0(SELECT_MAP_A) or 1(SELECT_MAP_B). Return error if it is any
other values. Otherwise, read out of array boundary can cause memory
corruption or security issues.
Bug: 231420457
Test: TH
Change-Id: Ia800ad78781f72b8118469c0230cc550796d334e
S had a minimum kernel requirement of 4.9,
T bumps this up to 4.14, which adds net cgroup bpf support.
It's important to ship T with this otherwise we'll be forced
into trying to somehow support 4.9 kernels with T mainline
module updates for years and years, when we no longer have
any tests of the old code paths...
Test: TreeHugger
Bug: 232017472
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6e873f0815f176f5618278087132156c9974d6ea
This is a follow up commit for the family validation {INET, INET6}.
The protocol validation {TCP, UDP} has been added in previous
commit.
The TrafficController socket destroy listener only monitors
on the group {INET_TCP, INET_UDP, INET6_TCP, INET6_UDP}.
Tagging listener unsupported socket causes that the tag can't
be removed from tag map automatically. Eventually, the tag map
run out of space because of dead tag entries.
See TrafficController::makeSkDestroyListener in
packages/modules/Connectivity/service/native/TrafficController.cpp
Also address the comments from previous commit.
- Remove the useless else-statment in tagSocket protocol validation.
- Make the socket cookie query and test into one line in
BpfHandlerTest#TestTagSocketWithUnsupportedProtocol
Bug: 223094609
Test: atest BpfHandlerTest
Change-Id: I0f571fc00caa01c86399f0dbb593e8a40ad94bbd
The TrafficController socket destroy listener only monitors
on the group {INET_TCP, INET_UDP, INET6_TCP, INET6_UDP}.
Tagging listener unsupported socket causes that the tag can't
be removed from tag map automatically. Eventually, the tag map
run out of space because of dead tag entries.
See TrafficController::makeSkDestroyListener in
packages/modules/Connectivity/service/native/TrafficController.cpp
Bug: 223094609
Test: atest BpfHandlerTest
Change-Id: Icc19b7c9f37fef498b89f43e44767f6b9e931a5a
The process is not allowed to tag socket to AID_CLAT via tagSocket()
which would cause process data usage accounting to be bypassed.
Bug: 218407445
Test: atest BpfHandlerTest
Change-Id: Ia7b071e1065733da25e9f02f34ccd17f63653217
1. Add libnetd_updatable.so in com.android.tethering. The library is
loaded by netd. Currently, it mainly targets on a few functions which
access BPF maps. The functionality may extend in the future.
2. Attach gcroup progs from libnetd_updatable.so.
3. Move (privileged)TagSocket and untagSocket implementation to mainline
module. Combine privilegedTagSocket and untagSocket into a single
function.
4. Split related unit tests from netd_unit_test to
libnetd_updatable_unit_test as well.
Bug: 202086915
Test: cd system/netd; atest
Test: atest TrafficStatsTest NetworkUsageStatsTest
Change-Id: Ib556458103a4cbb643c1342d9b689ac692160de0
