Use bpf maps to store permission information In newer kernels, we can use cgroup socket filter to control inet socket creation at run time instead of paranoid network kernel check. To achieve that, we need to get the permission information from system server when device boots or new packages are installed. This patch provides a binder interface to do that and stores the information in a bpf map. It also records the uids that have permission UPDATE_DEVICE_STATS so netd no longer needs to query that from the system server. Bug: 111560570 Bug: 111560739 Test: netd_unit_test, netd_integration_test Change-Id: I0c5919d85136feec44c4406ee0bd0028b131b942

commit: 48eaed3745017204667641bd71782674e032d682 [log] [tgz]
author: Chenbo Feng <fengc@google.com> Wed Dec 26 17:40:21 2018 -0800
committer: Chenbo Feng <fengc@google.com> Tue Jan 29 19:24:36 2019 -0800
tree: 0d19e5c387e5c73320055ef4eef2b687a86f5e50
parent: 9a312dbe690c30591d4ca70dcf901934f289a997 [diff] [blame]
diff --git a/server/NetdNativeService.h b/server/NetdNativeService.h
index ba96bcc..26100e8 100644
--- a/server/NetdNativeService.h
+++ b/server/NetdNativeService.h

@@ -96,6 +96,9 @@
     binder::Status networkGetDefault(int32_t* netId) override;
     binder::Status networkCanProtect(int32_t uid, bool* ret) override;
 
+    binder::Status trafficSetNetPermForUids(int32_t permission,
+                                            const std::vector<int32_t>& uids) override;
+
     // SOCK_DIAG commands.
     binder::Status socketDestroy(const std::vector<UidRangeParcel>& uids,
                                  const std::vector<int32_t>& skipUids) override;
commit	48eaed3745017204667641bd71782674e032d682	[log] [tgz]
author	Chenbo Feng <fengc@google.com>	Wed Dec 26 17:40:21 2018 -0800
committer	Chenbo Feng <fengc@google.com>	Tue Jan 29 19:24:36 2019 -0800
tree	0d19e5c387e5c73320055ef4eef2b687a86f5e50
parent	9a312dbe690c30591d4ca70dcf901934f289a997 [diff] [blame]