eliminate changeOwnerAndMode()
This is possible now that we have native chown/chgrp/chmod support in the bpfloader.
Now:
$ adb shell ls -lZ /sys/fs/bpf
total 0
-rw------- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_clatd_clat_egress_map
-rw------- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_clatd_clat_ingress_map
-rw-r----- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_app_uid_stats_map
-rw-r----- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_configuration_map
-rw-r----- 1 root net_bw_acct u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_cookie_tag_map
-rw-r----- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_iface_index_name_map
-rw-r----- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_iface_stats_map
-rw-rw---- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_stats_map_A
-rw-rw---- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_stats_map_B
-rw-r----- 1 root net_bw_acct u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_uid_counterset_map
-rw------- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_uid_owner_map
-rw------- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_uid_permission_map
-rw-rw---- 1 root network_stack u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_offload_tether_ingress_map
-rw-rw---- 1 root network_stack u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_offload_tether_stats_map
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_clatd_schedcls_egress_clat_ether
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_clatd_schedcls_egress_clat_rawip
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_clatd_schedcls_ingress_clat_ether
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_clatd_schedcls_ingress_clat_rawip
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_cgroupskb_egress_stats
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_cgroupskb_ingress_stats
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_cgroupsock_inet_create
-r--r----- 1 root net_admin u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_skfilter_blacklist_xtbpf
-r--r----- 1 root net_admin u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_skfilter_egress_xtbpf
-r--r----- 1 root net_admin u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_skfilter_ingress_xtbpf
-r--r----- 1 root net_admin u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_skfilter_whitelist_xtbpf
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_offload_schedcls_ingress_tether_ether
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_offload_schedcls_ingress_tether_rawip
Test: builds, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie7b79e85a6e5c0be88fdc4d78c82f1a7d3228167
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 03cffbd..40725ca 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -46,17 +46,23 @@
#define TCP_FLAG_OFF 13
#define RST_OFFSET 2
-DEFINE_BPF_MAP(cookie_tag_map, HASH, uint64_t, UidTagValue, COOKIE_UID_MAP_SIZE)
-DEFINE_BPF_MAP(uid_counterset_map, HASH, uint32_t, uint8_t, UID_COUNTERSET_MAP_SIZE)
-DEFINE_BPF_MAP(app_uid_stats_map, HASH, uint32_t, StatsValue, APP_STATS_MAP_SIZE)
-DEFINE_BPF_MAP(stats_map_A, HASH, StatsKey, StatsValue, STATS_MAP_SIZE)
-DEFINE_BPF_MAP(stats_map_B, HASH, StatsKey, StatsValue, STATS_MAP_SIZE)
-DEFINE_BPF_MAP(iface_stats_map, HASH, uint32_t, StatsValue, IFACE_STATS_MAP_SIZE)
-DEFINE_BPF_MAP(configuration_map, HASH, uint32_t, uint8_t, CONFIGURATION_MAP_SIZE)
+DEFINE_BPF_MAP_GRO(cookie_tag_map, HASH, uint64_t, UidTagValue, COOKIE_UID_MAP_SIZE,
+ AID_NET_BW_ACCT)
+DEFINE_BPF_MAP_GRO(uid_counterset_map, HASH, uint32_t, uint8_t, UID_COUNTERSET_MAP_SIZE,
+ AID_NET_BW_ACCT)
+DEFINE_BPF_MAP_GRO(app_uid_stats_map, HASH, uint32_t, StatsValue, APP_STATS_MAP_SIZE,
+ AID_NET_BW_STATS)
+DEFINE_BPF_MAP_GRW(stats_map_A, HASH, StatsKey, StatsValue, STATS_MAP_SIZE, AID_NET_BW_STATS)
+DEFINE_BPF_MAP_GRW(stats_map_B, HASH, StatsKey, StatsValue, STATS_MAP_SIZE, AID_NET_BW_STATS)
+DEFINE_BPF_MAP_GRO(iface_stats_map, HASH, uint32_t, StatsValue, IFACE_STATS_MAP_SIZE,
+ AID_NET_BW_STATS)
+DEFINE_BPF_MAP_GRO(configuration_map, HASH, uint32_t, uint8_t, CONFIGURATION_MAP_SIZE,
+ AID_NET_BW_STATS)
DEFINE_BPF_MAP(uid_owner_map, HASH, uint32_t, UidOwnerValue, UID_OWNER_MAP_SIZE)
/* never actually used from ebpf */
-DEFINE_BPF_MAP(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_INDEX_NAME_MAP_SIZE)
+DEFINE_BPF_MAP_GRO(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_INDEX_NAME_MAP_SIZE,
+ AID_NET_BW_STATS)
static __always_inline int is_system_uid(uint32_t uid) {
return (uid <= MAX_SYSTEM_UID) && (uid >= MIN_SYSTEM_UID);
@@ -266,22 +272,22 @@
return bpf_traffic_account(skb, BPF_EGRESS);
}
-SEC("skfilter/egress/xtbpf")
-int xt_bpf_egress_prog(struct __sk_buff* skb) {
+DEFINE_BPF_PROG("skfilter/egress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_egress_prog)
+(struct __sk_buff* skb) {
uint32_t key = skb->ifindex;
update_iface_stats_map(skb, BPF_EGRESS, &key);
return BPF_MATCH;
}
-SEC("skfilter/ingress/xtbpf")
-int xt_bpf_ingress_prog(struct __sk_buff* skb) {
+DEFINE_BPF_PROG("skfilter/ingress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_ingress_prog)
+(struct __sk_buff* skb) {
uint32_t key = skb->ifindex;
update_iface_stats_map(skb, BPF_INGRESS, &key);
return BPF_MATCH;
}
-SEC("skfilter/whitelist/xtbpf")
-int xt_bpf_whitelist_prog(struct __sk_buff* skb) {
+DEFINE_BPF_PROG("skfilter/whitelist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_whitelist_prog)
+(struct __sk_buff* skb) {
uint32_t sock_uid = bpf_get_socket_uid(skb);
if (is_system_uid(sock_uid)) return BPF_MATCH;
@@ -297,8 +303,8 @@
return BPF_NOMATCH;
}
-SEC("skfilter/blacklist/xtbpf")
-int xt_bpf_blacklist_prog(struct __sk_buff* skb) {
+DEFINE_BPF_PROG("skfilter/blacklist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_blacklist_prog)
+(struct __sk_buff* skb) {
uint32_t sock_uid = bpf_get_socket_uid(skb);
UidOwnerValue* blacklistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
if (blacklistMatch) return blacklistMatch->rule & PENALTY_BOX_MATCH ? BPF_MATCH : BPF_NOMATCH;