Instead of also accounting tag!=0 traffic against tag==0 slot,
while the bpf code writes into the map, move this logic into
the userspace jni code which reads from the map.
Simplifies the bpf program making things easier on the
kernel's bpf verifier, and is better for performance,
since a per-packet fixup operation becomes a per-poll fixup.
Test: TreeHugger, atest libnetworkstats_test FrameworksNetTests
Bug: 276296921
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic220a201781a1170bcffe327fe5664fc12b65dd9
effectively no-op, but since it's a trivial check (uid < APP_START),
better do it first, rather than the complex packet parsing in
skip_owner_match().
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I35a9188e108987d48f03a18cdf70ec4cdd715376
We only ever return DROP_UNLESS_DNS on ingress,
so the ordering doesn't actually matter.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I742b85748433f5319d518bebc05d976d630b72e7
This adds the core BPF implementation of Android network packet tracing.
The new code looks into the skb to pull out various bits of information.
Both the program and the ring buffer are restricted to 5.8+ kernels and
userdebug or eng builds.
With the packet_info_config map defaulting to zero, userdebug and eng
builds won't run any of the tracing today. The only effect will be 32k
memory increase for the ringbuf and the check on the config array.
Bug: 246985031
Test: build & flash both userdebug and user
Change-Id: I144da2971c0738b565ad58abc17e456209f13bde
These all default to false, never ignoring the maps.
Bug: 246985031
Test: build connectivity module
Change-Id: I404d56dcb311b34587d56dd6edc292029c4ad83f
This change updates callers to include the new ignore_on and bpfloader
arguments as per the change in aosp/2374598.
Bug: 246985031
Test: tethering build & install, full platform build & install
Change-Id: Id940a6003ae4cb0bbfc65db8ff96590c4f3c847b
will make it easier to extend this for 5.4+ behaviour as well
without having to introduce another is_5_4 boolean
Bug: 263884894
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id4f6512d813dd460cb2b9a7ccb6a5f7b7e937575
easier on bpf verifier with no third case
Bug: 263884894
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5076de6f83ba522ed4783bca0a9d7fca4024986a
and get rid of some macros while we're at it.
This is just slightly easier to read.
(side note: this is all resolved at compile time!)
Bug: 259199087
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7b38afd4b6f9d73b4f34a90040639f0780544ac8
This effectively reverts commit 6ed2ab9b57,
while ensuring that the program has the right permissions as
defined in r.android.com/2130014 :
oriole:/ # ls -lZ /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
-r--r----- 1 root root u:object_r:fs_bpf_netd_readonly:s0 0 2022-10-27 20:05 /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
Reason for revert: need to support 4.9 devices upgrading to T.
The only thing that cannot currently be supported on those
devices is the inet_create program which implements the
INTERNET permission.
Also, update bpf_existence_test so it does not check for the
existence of the program on pre-4.14 devices.
Bug: 254001921
Test: atest bpf_existence_test
Change-Id: I14f26cee5feeaae93b4d9710a7b9a2f835ff405f
(these only affect boot time logging)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3f315c5eabe73d3378e6ca0059f05221df7bab5e
Make use of new BpfLoader functionality: per-map/program selinux context
to further restrict access to mainline module shipped bpf maps and programs.
Bug: 218408035
Test: booted on cuttlefish, TreeHugger
Change-Id: Iaa33754aaca8bfafef6539abfbdd30b4cdfc4727
This reverts the previous commit.
This is no longer required as v0.18 is now the default.
Test: Treehugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9331f27cf20e7932f6ef0e3829c27b6684dece59
This is a temporary thing for testing with framework/libs/net patch
that adds checks for V18 define.
This is very short term and will be reverted in the next topic,
that will make v0.18 the default.
Bug: 218408035
Test: booted on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I22c414ebc64201db60eb872e0da0fea6c65eaede
This eliminates the need for netd_updatable BpfHandler.cpp
to initialize the hash map with a zero.
On startup the map will be freshly initialized and thus zero.
On restart it might not be empty, but it doesn't matter to netd.
Furthermore the mainline component of the system server will
re-initialize it again anyway:
see service/native/TrafficController.cpp initMaps()
This does remove the ability to call deleteValue on a key,
since that would always return -EINVAL, but since we don't
currently do that, that's really a feature.
(It does suggest though that we should have a BpfMapNonNullable
class which is writeable, but without a deleteValue() function)
Additionally BpfMap arrays are more efficient for the kernel bpf jit
compiler, as - on newer kernels - it can optimize the read/write
into a simple memory access (as opposed to a bpf helper call).
Before:
$ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
-rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:20 /sys/fs/bpf/netd_shared/ map_netd_configuration_map
After:
$ adbz shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
-r--rw---- 1 root net_bw_acct 0 2022-06-16 15:03 /sys/fs/bpf/netd_shared/map_netd_configuration_map
Bug: 235590615
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
In the BPF code, per-UID network access (e.g., for doze mode,
standby, etc.) is stored in UidOwnerValue structures. Each of
these stores that UID's rules in a 32-bit bitmask of
UidOwnerMatchType values, so the code can support ~31 match
types.
However, which match types are enabled is stored in
configuration_map at index UID_RULES_CONFIGURATION_KEY, and
configuration_map only stores 8-bit values. So it's not
possible to define more than 7 match types.
Widen configuration_map to from 8 to 32 bits to match the width
of UidOwnerValue.rule. This doesn't impact memory because
configuration_map only has 2 entries.
Bug: 208371987
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7
(per request from Lorenzo)
We do bump block/clatd/dscp_policy requirements from 0.12 to 0.13,
but this effectively doesn't matter:
- Beta2 is too old either way (pre-0.12)
- Beta3 is new enough (0.13)
- versions in between are simply obsolete / unused / not important
- bpfloader 0.12 won't boot right anyway due to lack of netd maps/programs
(which cause a netd startup failure)
This allows us to have one less #define in the header files,
with a hard to write explanation about what exactly v0.12 is (or was).
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ecf15f9d7abbb82ec6bd49848255fab6a41aed4
In practice this doesn't actually really matter, since older versions
of the bpfloader won't even look in the relevant directories:
BpfLoader v0.9 is the first one that looks into
'/apex/com.android.tethering/etc/bpf/net_shared',
but it is only v0.12 that pins the resulting programs and maps
correctly into
/sys/fs/bpf/net_shared/
hence the annotations for block/clatd/dscp_policy.
BpfLoader v0.13 is the first one that looks into
'/apex/com.android.tethering/etc/bpf/netd_shared'
subdirectory and pins into
/sys/fs/bpf/netd_shared/
hence the annotation for netd.
But it's best to explicitly document the intent.
Note that in practice the mainline module will fail spectacularly
on a T OS if it can't find the programs and maps
(presumably due to the bpfloader being too old)
but will work on S even though the bpfloader there is much older,
because these programs/maps are not required on pre-T OS.
This change is thus really only documentation.
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5ffa2faf83ca337b84e34b01df84436629989c58
S had a minimum kernel requirement of 4.9,
T bumps this up to 4.14, which adds net cgroup bpf support.
It's important to ship T with this otherwise we'll be forced
into trying to somehow support 4.9 kernels with T mainline
module updates for years and years, when we no longer have
any tests of the old code paths...
Test: TreeHugger
Bug: 232017472
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6e873f0815f176f5618278087132156c9974d6ea
Currently, even when VPN Lockdown mode is enabled, incoming packets are
not dropped if VPN is not connected.
This commit fixed this issue.
After this commit, If VPN Lockdown mode is enabled, incoming packets
are dropped regardless of the VPN connectivity.
Bug: 206482423
Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest
Change-Id: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
Match type is also used in configuration_map at index
UID_RULES_CONFIGURATION_KEY.
However, this commit does not extend configuration_map and we can
not still use more than 8 match type in configuration_map.
Test: m
Change-Id: I0f20cc8034551806b5cb3da322a0ea7861983095
Change gid BPF programs from AID_ROOT to AID_SYSTEM because
system_server needs to access them.
Bug: 202086915
Test: test in Ib0e935ee2b714ac61daceba6d13fa7a20f97f68f
Change-Id: I8c0019f141414994aad2986cc5dfdb7dd027a36a
Two reason for renaming:
1. Avoid module name collision in sc-mainline-prod branch.
2. The libnetdbpf was misnamed before.
Bug: 202086915
Test: atest libnetworkstats_test FrameworksNetTests
ConnectivityCoverageTests FrameworksNetSmokeTests
CtsAppOpsTestCases
Change-Id: I87fcf4b1a9d58780a45743a9aa91b9b936e54266
This is a clean move. The content of netd.c is not changed. The object
name is still netd.o. But the module name is renamed to netd.o_mainline
to avoid name collision in sc-mainline-prod branch.
Modified Android.bp according to the file location. The sub_dir is
newly specified. The object file will be compiled to:
- apex/com.android.tethering/etc/bpf/net_shared/netd.o
The extracted programs and maps will be in:
- sys/fs/bpf/net_shared/
The netd.o will not be loaded in pre-T because the bpfloader before T
does not load objects from paths other than:
- apex/com.android.tethering/etc/bpf/
- /system/etc/bpf/
Bug: 202086915
Test: cd system/netd; atest
Test: atest TrafficStatsTest NetworkUsageStatsTest
Change-Id: I5281c851341f9258a37d8aad6da4196c06342940
