stop abusing netd's DAC override on prog accesses by using R/O fetch

and also use mapRetrieveRW(x) instead of bpfFdGet(x, 0) or mapRetrieve(x, 0)

Test: builds, treehugger, see above
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Original-Change: https://android-review.googlesource.com/1339962
Merged-In: I09206bd07eb3ecea5256422ed9b52b791079f75a
Change-Id: I09206bd07eb3ecea5256422ed9b52b791079f75a
diff --git a/server/OffloadUtils.h b/server/OffloadUtils.h
index e7193e4..818fd39 100644
--- a/server/OffloadUtils.h
+++ b/server/OffloadUtils.h
@@ -48,46 +48,45 @@
 base::Result<bool> isEthernet(const std::string& interface);
 
 inline int getClatEgressMapFd(void) {
-    const int fd = bpf::bpfFdGet(CLAT_EGRESS_MAP_PATH, 0);
+    const int fd = bpf::mapRetrieveRW(CLAT_EGRESS_MAP_PATH);
     return (fd == -1) ? -errno : fd;
 }
 
 inline int getClatEgressProgFd(bool with_ethernet_header) {
-    const int fd = bpf::bpfFdGet(
-            with_ethernet_header ? CLAT_EGRESS_PROG_ETHER_PATH : CLAT_EGRESS_PROG_RAWIP_PATH, 0);
+    const int fd = bpf::retrieveProgram(with_ethernet_header ? CLAT_EGRESS_PROG_ETHER_PATH
+                                                             : CLAT_EGRESS_PROG_RAWIP_PATH);
     return (fd == -1) ? -errno : fd;
 }
 
 inline int getClatIngressMapFd(void) {
-    const int fd = bpf::bpfFdGet(CLAT_INGRESS_MAP_PATH, 0);
+    const int fd = bpf::mapRetrieveRW(CLAT_INGRESS_MAP_PATH);
     return (fd == -1) ? -errno : fd;
 }
 
 inline int getClatIngressProgFd(bool with_ethernet_header) {
-    const int fd = bpf::bpfFdGet(
-            with_ethernet_header ? CLAT_INGRESS_PROG_ETHER_PATH : CLAT_INGRESS_PROG_RAWIP_PATH, 0);
+    const int fd = bpf::retrieveProgram(with_ethernet_header ? CLAT_INGRESS_PROG_ETHER_PATH
+                                                             : CLAT_INGRESS_PROG_RAWIP_PATH);
     return (fd == -1) ? -errno : fd;
 }
 
 inline int getTetherIngressMapFd(void) {
-    const int fd = bpf::bpfFdGet(TETHER_INGRESS_MAP_PATH, 0);
+    const int fd = bpf::mapRetrieveRW(TETHER_INGRESS_MAP_PATH);
     return (fd == -1) ? -errno : fd;
 }
 
 inline int getTetherIngressProgFd(bool with_ethernet_header) {
-    const int fd = bpf::bpfFdGet(
-            with_ethernet_header ? TETHER_INGRESS_PROG_ETHER_PATH : TETHER_INGRESS_PROG_RAWIP_PATH,
-            0);
+    const int fd = bpf::retrieveProgram(with_ethernet_header ? TETHER_INGRESS_PROG_ETHER_PATH
+                                                             : TETHER_INGRESS_PROG_RAWIP_PATH);
     return (fd == -1) ? -errno : fd;
 }
 
 inline int getTetherStatsMapFd(void) {
-    const int fd = bpf::bpfFdGet(TETHER_STATS_MAP_PATH, 0);
+    const int fd = bpf::mapRetrieveRW(TETHER_STATS_MAP_PATH);
     return (fd == -1) ? -errno : fd;
 }
 
 inline int getTetherLimitMapFd(void) {
-    const int fd = bpf::bpfFdGet(TETHER_LIMIT_MAP_PATH, 0);
+    const int fd = bpf::mapRetrieveRW(TETHER_LIMIT_MAP_PATH);
     return (fd == -1) ? -errno : fd;
 }
 
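Review bot: All six map getters in this hunk (`getClatEgressMapFd` through `getTetherLimitMapFd`) now request read-write access via `mapRetrieveRW`, while the commit's stated aim is to narrow netd's access to what it actually needs. The callers are not visible here, so it is worth confirming that each map is really written through the returned fd. Any map that is only read (the stats map is the first one I would check) could be opened read-only instead. The same question applies to `mCookieTagMap` in `tests/netlink_listener_test.cpp`. I would also document the contract above the getters, assuming the raw `int` return means the caller owns the descriptor: `// Returns a new fd owned by the caller, or -errno on failure. Program fds are read-only; map fds are read-write.`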
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index 9d7d6a1..3839962 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp
@@ -202,7 +202,7 @@
 
 static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd,
                                     bpf_attach_type type) {
-    unique_fd cgroupProg(bpfFdGet(programPath, 0));
+    unique_fd cgroupProg(retrieveProgram(programPath));
     if (cgroupProg == -1) {
         int ret = errno;
         ALOGE("Failed to get program from %s: %s", programPath, strerror(ret));
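Review bot: The switch to `retrieveProgram(programPath)` carries no comment explaining why a read-only program fd is sufficient, which is the security-relevant part of this change. A one-line comment above it, for example `// Read-only fd is enough to attach; avoids relying on DAC override for the pinned program.`, would discourage a later edit from going back to a read-write open. The rest of `attachProgramToCgroup`, including the attach call itself, lies outside this hunk, so the claim that attach accepts a read-only fd is inferred from the commit message rather than seen here.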
diff --git a/tests/netlink_listener_test.cpp b/tests/netlink_listener_test.cpp
index 95c6d1a..46394ca 100644
--- a/tests/netlink_listener_test.cpp
+++ b/tests/netlink_listener_test.cpp
@@ -69,7 +69,7 @@
     void SetUp() {
         SKIP_IF_BPF_NOT_SUPPORTED;
 
-        mCookieTagMap.reset(android::bpf::mapRetrieve(COOKIE_TAG_MAP_PATH, 0));
+        mCookieTagMap.reset(android::bpf::mapRetrieveRW(COOKIE_TAG_MAP_PATH));
         ASSERT_TRUE(mCookieTagMap.isValid());
     }