Use an isolated process to load bpf program

For the security reason of the bpf program loading process, the
program loading and running operation is moved to a separate process out
of netd traffic controller. This can help us isolate the program loading
process into a separate sandbox and apply more strict selinux and
seccomp security policy on it. This action can help provide an additional
security fence on CVE-2017-5753.

Test: bpf program pinned at sys/fs/bpf after device boot.
Bug: 30950746
Change-Id: Id194017692343d1f55ec7f44254ff4918e95e2d3
diff --git a/server/TrafficController.h b/server/TrafficController.h
index 71df78f..7761974 100644
--- a/server/TrafficController.h
+++ b/server/TrafficController.h
@@ -24,23 +24,11 @@
 #include "Network.h"
 #include "android-base/unique_fd.h"
 
-#define LOG_BUF_SIZE 65536
-
-#define BPF_PATH "/sys/fs/bpf"
-
-constexpr const char* BPF_EGRESS_PROG_PATH = BPF_PATH "/egress_prog";
-constexpr const char* BPF_INGRESS_PROG_PATH = BPF_PATH "/ingress_prog";
-
-constexpr const char* CGROUP_ROOT_PATH = "/dev/cg2_bpf";
-
-constexpr const int IPV6_TRANSPORT_PROTOCOL_OFFSET = 6;
-constexpr const int IPV4_TRANSPORT_PROTOCOL_OFFSET = 9;
-
 // TODO: change it to a reasonable size.
-constexpr const int COOKIE_UID_MAP_SIZE = 100;
-constexpr const int UID_COUNTERSET_MAP_SIZE = 100;
-constexpr const int UID_STATS_MAP_SIZE = 100;
-constexpr const int TAG_STATS_MAP_SIZE = 100;
+constexpr const int COOKIE_UID_MAP_SIZE = 1000;
+constexpr const int UID_COUNTERSET_MAP_SIZE = 1000;
+constexpr const int UID_STATS_MAP_SIZE = 1000;
+constexpr const int TAG_STATS_MAP_SIZE = 1000;
 
 constexpr const int COUNTERSETS_LIMIT = 2;
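Review bot: The four map size constants (COOKIE_UID_MAP_SIZE through TAG_STATS_MAP_SIZE) go from 100 to 1000 here, but the commit message only describes moving program loading into a separate process, and the "TODO: change it to a reasonable size" comment above them is left unchanged. Please either split the size bump into its own change or state the reason for 1000 in the commit message, and update or drop the TODO so it says whether 1000 is the intended value. Separately, BPF_PATH, BPF_EGRESS_PROG_PATH, BPF_INGRESS_PROG_PATH and CGROUP_ROOT_PATH are removed from this header; if netd still needs the pinned program paths after the loader is split out, they should come from one header shared with the loader process rather than being defined in two places, so the pin location the loader writes and the one netd opens cannot drift apart.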