(these only affect boot time logging)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3f315c5eabe73d3378e6ca0059f05221df7bab5e
The utility currently contains a firewall class that is used by DNS
resolver tests to block DNS packets.
Bug: 227159929
Test: atest resolv_integration_test
Change-Id: I5c5bc0b263a677f57cd63f002057ff0812f15e64
Move sources of connectivity_native_test to a dedicated folder so that
other native tests or utilities can be added to p/m/c/tests/native/ as
well.
Bug: 227159929
Test: atest connectivity_native_test
Change-Id: I97217fbb03b26ed79f1f34932b92c4227a1ece4d
It is most definitely worthwhile to cache negative lookups as well!
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iab1a57a2611a891642fef0c5897918c16e0ca540
(and merge the ipv4 and ipv6 caches into one,
as there really is no need for separate ones)
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie62393ea428885076ef59af69ac3eafeeba2934f
The 'switch_comp_map' is never written to,
hence map A is always used anyway...
Additionally this is backwards - i.e. the *wrong* maps were A/B:
it is not the cache that should be A/B but rather the policy map(s).
This simplification has the nice benefit of making the program
much simpler and thus presumably optimizing bpf verifier processing
and thus bpfloader runtime during boot.
The fact that these socket cache maps are never cleared from userspace
is a different bug that needs to be fixed.
Bug: 235559605
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic2b0d20cd4e9e7290fb9fae38e1625ea1ed85a78
Use a single skb store bytes call for IPv6: instead of 2 API
calls for 2 uint8_t values, use 1 for a single uint32_t value.
Bug: 234808633
Change-Id: I31ecc6d7036fd71b10c60d320c1dc5ebf0b86cca
The raw IP program was removed, so there is no need to support it
anymore in match_policy().
Test: TH
Bug: 235559605
Change-Id: I755a9a55e3ad33a210145b2cc09578fdf4d66c79
This program was only used for tests as WiFi interfaces should always
include an ethernet header. Since the test has moved from tun to tap,
this can be deleted.
Support for using this program was already removed in a previous CL.
Test: TH
Bug: 235559605
Change-Id: I2148bce60992070790ba237176b99a40597ee751
An underscore character may cause bpf prog/map naming collisions. For
example, x.o with map y_z and x_y.o with map z both result in the x_y_z
prog/map name, which should be prevented at compile time.
aosp/2147825 will prohibit the underscore character in bpf source names
(the obj name is derived from the source name). Existing bpf modules with
underscore characters in their source names need to be updated accordingly.
Bug: 236706995
Test: atest bpf_existence_test
Test: adb root; adb shell ls -l sys/fs/bpf/net_shared | grep dscpPolicy
Change-Id: Ibe98944d09d42bd11b78b5e9ae35ded48c70416d
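The collision described in the commit message above, as an added example that is not part of the commit or of the AOSP sources. The join rule (object name without ".o", then '_', then the map/prog name) is assumed from the commit's own x/y/z example; the function names and the sample table are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed join rule, taken from the commit's example:
 * "<obj without .o>_<map or prog name>". Returns 0 on success. */
static int pinned_name(const char *obj, const char *item, char *out, size_t n) {
    size_t len = strlen(obj);
    if (len < 3 || strcmp(obj + len - 2, ".o") != 0) return -1;
    int w = snprintf(out, n, "%.*s_%s", (int)(len - 2), obj, item);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* The compile-time rule the commit refers to: no '_' in the source/object
 * name, so the first '_' in a pinned name always marks the separator. */
static int source_name_allowed(const char *obj) {
    return strchr(obj, '_') == NULL;
}

struct pin { const char *obj; const char *item; };

/* Count pairs of entries whose pinned names come out identical. */
static int count_collisions(const struct pin *p, int n) {
    char a[128], b[128];
    int hits = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) {
            if (pinned_name(p[i].obj, p[i].item, a, sizeof a)) continue;
            if (pinned_name(p[j].obj, p[j].item, b, sizeof b)) continue;
            if (strcmp(a, b) == 0) hits++;
        }
    return hits;
}

/* Constructed sample; "example_map" is a made-up map name. */
static const struct pin SAMPLE[] = {
    {"x.o", "y_z"}, {"x_y.o", "z"}, {"dscpPolicy.o", "example_map"},
};

int main(void) {
    printf("collisions: %d\n", count_collisions(SAMPLE, 3));
    for (int i = 0; i < 3; i++)
        printf("%s allowed: %d\n", SAMPLE[i].obj,
               source_name_allowed(SAMPLE[i].obj));
    return 0;
}
```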
InProcessTethering runs as system_server (uid/gid AID_SYSTEM)
instead of as the network_stack (uid/gid AID_NETWORK_STACK).
Additionally only the network_stack has access to the default
selinux context of /sys/fs/bpf/tethering, which is fs_bpf_tethering,
so we need to use 'fs_bpf_net_shared' instead.
Bug: 190523685
Bug: 236925089
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ibb6ae255dcd8a8e8049be112055f60c3b2cf7df0
The objdump -x visible changes between old and new versions of the
mainline shipped .o files are really very minimal: just the inclusion
of a new .BTF section and changes/removals of some 'l' entries from
the symbol table. However, it turns out a change to symbol ordering
is incompatible with BpfLoader <v0.10 which doesn't know to skip
non-function symbols, and as such enabling btf requires a little
bit of gymnastics.
After:
$ adbz shell ls -l /apex/com.android.tethering/etc/bpf/*.o
-rw-r--r-- 1 system system 118352 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/offload.o
-rw-r--r-- 1 system system 123424 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/offload@btf.o
-rw-r--r-- 1 system system 2232 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/test.o
-rw-r--r-- 1 system system 6376 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/test@btf.o
$ adbz shell logcat -d | egrep offload.*[.]o
07-15 13:10:43.358 0 0 D LibBpfLoader: Loading critical for tethering ELF object /apex/com.android.tethering/etc/bpf/offload.o with license Apache 2.0
07-15 13:10:43.359 0 0 I LibBpfLoader: BpfLoader version 0x00019 ignoring ELF object /apex/com.android.tethering/etc/bpf/offload.o with max ver 0x00019
07-15 13:10:43.359 0 0 I bpfloader: Loaded object: /apex/com.android.tethering/etc/bpf/offload.o
07-15 13:10:43.374 0 0 D LibBpfLoader: Loading critical for tethering ELF object /apex/com.android.tethering/etc/bpf/offload@btf.o with license Apache 2.0
07-15 13:10:43.375 0 0 I LibBpfLoader: BpfLoader version 0x00019 processing ELF object /apex/com.android.tethering/etc/bpf/offload@btf.o with ver [0x00019,0x10000)
07-15 13:10:43.452 0 0 D LibBpfLoader: map_fd found at 0 is 6 in /apex/com.android.tethering/etc/bpf/offload@btf.o
...
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id658818d1d42763358747523615b7918d312588e
Use the correct offset for the eth header when calculating the
checksum.
Store the DSCP value in BPF map for subsequent skb's instead
of the TOS so the calculation and checksum is correct.
Bug: 234808633
Change-Id: Ib40d4575455f34a8970eca8751b590319e2ee1ad
Require at least kernel 5.15. Feature is not required on older
kernels and may impact boot time unnecessarily.
Bug: 235559605
Change-Id: I2e4b509de1d8940fc63ae057a8326f13c0fd1420
This commit adds ConnectivityManager#getFirewallChainEnabled to read the
current firewall chain status.
Bug: 208371987
Test: m
Change-Id: I1eadb69f953af5d031cd8dabde3e1f098cf0f4df
Make use of new BpfLoader functionality: per-map/program selinux context
to further restrict access to mainline module shipped bpf maps and programs.
Bug: 218408035
Test: booted on cuttlefish, TreeHugger
Change-Id: Iaa33754aaca8bfafef6539abfbdd30b4cdfc4727
This is a temporary thing for testing with framework/libs/net patch
that adds checks for V18 define.
This is very short term and will be reverted in the next topic,
that will make v0.18 the default.
Bug: 218408035
Test: booted on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I22c414ebc64201db60eb872e0da0fea6c65eaede
This reverts the previous commit.
This is no longer required as v0.18 is now the default.
Test: Treehugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9331f27cf20e7932f6ef0e3829c27b6684dece59
This eliminates the need for netd_updatable BpfHandler.cpp
to initialize the hash map with a zero.
On startup the map will be freshly initialized and thus zero.
On restart it might not be empty, but it doesn't matter to netd.
Furthermore the mainline component of the system server will
re-initialize it again anyway:
see service/native/TrafficController.cpp initMaps()
This does remove the ability to call deleteValue on a key,
since that would always return -EINVAL, but since we don't
currently do that, that's really a feature.
(It does suggest though that we should have a BpfMapNonNullable
class which is writeable, but without a deleteValue() function)
Additionally BpfMap arrays are more efficient for the kernel bpf jit
compiler, as - on newer kernels - it can optimize the read/write
into a simple memory access (as opposed to a bpf helper call).
Before:
$ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
-rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:20 /sys/fs/bpf/netd_shared/map_netd_configuration_map
After:
$ adbz shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
-r--rw---- 1 root net_bw_acct 0 2022-06-16 15:03 /sys/fs/bpf/netd_shared/map_netd_configuration_map
Bug: 235590615
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
In the BPF code, per-UID network access (e.g., for doze mode,
standby, etc.) is stored in UidOwnerValue structures. Each of
these stores that UID's rules in a 32-bit bitmask of
UidOwnerMatchType values, so the code can support ~31 match
types.
However, which match types are enabled is stored in
configuration_map at index UID_RULES_CONFIGURATION_KEY, and
configuration_map only stores 8-bit values. So it's not
possible to define more than 7 match types.
Widen configuration_map from 8 to 32 bits to match the width
of UidOwnerValue.rule. This doesn't impact memory because
configuration_map only has 2 entries.
Bug: 208371987
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7
(per request from Lorenzo)
We do bump block/clatd/dscp_policy requirements from 0.12 to 0.13,
but this effectively doesn't matter:
- Beta2 is too old either way (pre-0.12)
- Beta3 is new enough (0.13)
- versions in between are simply obsolete / unused / not important
- bpfloader 0.12 won't boot right anyway due to lack of netd maps/programs
(which cause a netd startup failure)
This allows us to have one less #define in the header files,
with a hard to write explanation about what exactly v0.12 is (or was).
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ecf15f9d7abbb82ec6bd49848255fab6a41aed4
This is meant to optimize dscp_policy bpf verifier time at boot.
Bug: 230585250
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ecd61db80919e2fa1fcbac00348f10a80b77620
In practice this doesn't actually really matter, since older versions
of the bpfloader won't even look in the relevant directories:
BpfLoader v0.9 is the first one that looks into
'/apex/com.android.tethering/etc/bpf/net_shared',
but it is only v0.12 that pins the resulting programs and maps
correctly into
/sys/fs/bpf/net_shared/
hence the annotations for block/clatd/dscp_policy.
BpfLoader v0.13 is the first one that looks into
'/apex/com.android.tethering/etc/bpf/netd_shared'
subdirectory and pins into
/sys/fs/bpf/netd_shared/
hence the annotation for netd.
But it's best to explicitly document the intent.
Note that in practice the mainline module will fail spectacularly
on a T OS if it can't find the programs and maps
(presumably due to the bpfloader being too old)
but will work on S even though the bpfloader there is much older,
because these programs/maps are not required on pre-T OS.
This change is thus really only documentation.
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5ffa2faf83ca337b84e34b01df84436629989c58
(out of current /sys/fs/bpf/net_shared/...)
This will allow genfscon regexp changes in a followup selinux commit.
Note that this has a hard dependency on system/bpf change
'bpfloader: add support for netd_shared and net_private subdirs'
which also bumps bpfloader to v0.13.
This was merged May 12, 2022 (into both aosp/master and tm-dev)
and it is in Android T starting with Beta 3 release.
This isn't really an issue since amusingly T Beta 2 is already
incompatible with current mainline releases due to the snap
reverting a previous required bpfloader system/bpf change:
move net_shared bpf programs into net_shared subdirectory
See: http://b/232050459#comment14
So this doesn't break T Beta1/2, since they already don't work,
and Beta3 will work.
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id5f14d6e3f11cfe35d9d8a9496548a2bc4d022ec
S had a minimum kernel requirement of 4.9,
T bumps this up to 4.14, which adds net cgroup bpf support.
It's important to ship T with this otherwise we'll be forced
into trying to somehow support 4.9 kernels with T mainline
module updates for years and years, when we no longer have
any tests of the old code paths...
Test: TreeHugger
Bug: 232017472
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6e873f0815f176f5618278087132156c9974d6ea
Currently, even when VPN Lockdown mode is enabled, incoming packets are
not dropped if VPN is not connected.
This commit fixed this issue.
After this commit, if VPN Lockdown mode is enabled, incoming packets
are dropped regardless of the VPN connectivity.
Bug: 206482423
Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest
Change-Id: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
Match type is also used in configuration_map at index
UID_RULES_CONFIGURATION_KEY.
However, this commit does not extend configuration_map and we still
cannot use more than 8 match types in configuration_map.
Test: m
Change-Id: I0f20cc8034551806b5cb3da322a0ea7861983095
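The width mismatch discussed in the two configuration_map commit messages above (the one that widens the map from 8 to 32 bits and the one that notes the map was not extended), as an added example that is not code from those commits. The MATCH_BIT macro, the two model variables and the function names are hypothetical; the real UidOwnerMatchType values are not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical match-type bits. Each type occupies one bit of the
 * 32-bit UidOwnerValue.rule mask. */
#define MATCH_BIT(n) (UINT32_C(1) << (n))

/* Model of the configuration_map value at UID_RULES_CONFIGURATION_KEY,
 * before (8-bit) and after (32-bit) the widening. */
static uint8_t  config8;
static uint32_t config32;

static void write_enabled(uint32_t enabled) {
    config8  = (uint8_t)enabled;   /* narrow store: bits 8..31 are dropped */
    config32 = enabled;            /* wide store: every bit is kept */
}

static int enabled_in_8(uint32_t match)  { return (config8  & match) != 0; }
static int enabled_in_32(uint32_t match) { return (config32 & match) != 0; }

/* Bits the caller asked to enable that the 8-bit value cannot represent.
 * A writer can check this before storing instead of truncating silently. */
static uint32_t lost_in_8(uint32_t enabled) {
    return enabled & ~(uint32_t)(uint8_t)enabled;
}

int main(void) {
    /* Constructed input: one type that fits in 8 bits, one that does not. */
    uint32_t wanted = MATCH_BIT(2) | MATCH_BIT(8);
    write_enabled(wanted);
    printf("8-bit : stored=0x%02x bit2=%d bit8=%d lost=0x%x\n",
           (unsigned)config8, enabled_in_8(MATCH_BIT(2)),
           enabled_in_8(MATCH_BIT(8)), (unsigned)lost_in_8(wanted));
    printf("32-bit: stored=0x%08x bit2=%d bit8=%d\n",
           (unsigned)config32, enabled_in_32(MATCH_BIT(2)),
           enabled_in_32(MATCH_BIT(8)));
    return 0;
}
```

With the narrow value, a match type above bit 7 reads back as disabled even though it was written as enabled, and nothing reports the loss.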