Add xt_owner module support in trafficController
Add bpf maps for recording rules about socket owner uid filtering.
Modified the bpf program so that packets with a uid listed in
the uidOwnerMap will get handled according to userspace settings
Test: bpf program can be loaded and attached when boot
Bug: 72381727 30950746
Change-Id: I39497334fcb5e200dbf07a0046b85c227d59e2d7
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 26c2126..2c59817 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -29,12 +29,18 @@
#include <android-base/stringprintf.h>
#include <cutils/log.h>
-#include "NetdConstants.h"
+#include "Controllers.h"
#include "FirewallController.h"
+#include "NetdConstants.h"
+#include "bpf/BpfUtils.h"
using android::base::Join;
using android::base::StringAppendF;
using android::base::StringPrintf;
+using android::bpf::DOZABLE_UID_MAP_PATH;
+using android::bpf::POWERSAVE_UID_MAP_PATH;
+using android::bpf::STANDBY_UID_MAP_PATH;
+using android::net::gCtls;
auto FirewallController::execIptablesRestore = ::execIptablesRestore;
@@ -60,6 +66,10 @@
"redirect",
};
+bool getBpfOwnerStatus() {
+ return gCtls->trafficCtrl.checkBpfStatsEnable();
+}
+
FirewallController::FirewallController(void) {
// If no rules are set, it's in BLACKLIST mode
mFirewallType = BLACKLIST;
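Review bot: `getBpfOwnerStatus()` is defined at namespace scope with external linkage and no header declaration is visible in this change, so it leaks a symbol that is only used in this file; it should be `static bool getBpfOwnerStatus()` or placed in an anonymous namespace. The name also says "owner" while the body queries `checkBpfStatsEnable()`, which reads as a different feature; a one-line comment would stop the next reader from assuming a separate owner-match flag exists, e.g. `// UID owner matching in BPF is gated on the same flag that enables the BPF stats modules.` if that is indeed the intent — confirm against trafficCtrl. The constructor that follows continues outside the hunk.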
@@ -68,6 +78,10 @@
int FirewallController::setupIptablesHooks(void) {
int res = 0;
+ mUseBpfOwnerMatch = getBpfOwnerStatus();
+ if (mUseBpfOwnerMatch) {
+ return res;
+ }
res |= createChain(LOCAL_DOZABLE, getFirewallType(DOZABLE));
res |= createChain(LOCAL_STANDBY, getFirewallType(STANDBY));
res |= createChain(LOCAL_POWERSAVE, getFirewallType(POWERSAVE));
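Review bot: `mUseBpfOwnerMatch` is assigned only here in `setupIptablesHooks`, but it is read by the new early-return branches in `enableChildChains`, `setUidRule` and `replaceUidChain` (the hunks at the `if (mUseBpfOwnerMatch)` lines further down), and nothing in this change shows it being initialized before `setupIptablesHooks` runs. The constructor shown in the previous hunk sets only `mFirewallType`; unless the header gives the member an in-class initializer, a call to any of those methods before setup reads an indeterminate bool and could silently route firewall rule changes to neither iptables nor BPF. Initialize it explicitly, `bool mUseBpfOwnerMatch = false;` in the header or `mUseBpfOwnerMatch = false;` in the constructor. Note also that when the BPF path is taken no iptables chains are created at all, so every later rule operation must stay on the BPF branch; the same check in each caller covers that, but a comment at the early return such as `// In BPF owner-match mode the iptables chains are never created; all callers must honour mUseBpfOwnerMatch.` would make the invariant explicit. `setupIptablesHooks` continues outside the hunk.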
@@ -129,6 +143,10 @@
return res;
}
+ if (mUseBpfOwnerMatch) {
+ return gCtls->trafficCtrl.toggleUidOwnerMap(chain, enable);
+ }
+
std::string command = "*filter\n";
for (const char *parent : { LOCAL_INPUT, LOCAL_OUTPUT }) {
StringAppendF(&command, "%s %s -j %s\n", (enable ? "-A" : "-D"), parent, name);
@@ -224,6 +242,9 @@
ALOGW("Unknown child chain: %d", chain);
return -1;
}
+ if (mUseBpfOwnerMatch) {
+ return gCtls->trafficCtrl.changeUidOwnerRule(chain, uid, rule, firewallType);
+ }
std::string command = "*filter\n";
for (std::string chainName : chainNames) {
@@ -309,6 +330,9 @@
int FirewallController::replaceUidChain(
const std::string &name, bool isWhitelist, const std::vector<int32_t>& uids) {
+ if (mUseBpfOwnerMatch) {
+ return gCtls->trafficCtrl.replaceUidOwnerMap(name, isWhitelist, uids);
+ }
std::string commands4 = makeUidRules(V4, name.c_str(), isWhitelist, uids);
std::string commands6 = makeUidRules(V6, name.c_str(), isWhitelist, uids);
return execIptablesRestore(V4, commands4.c_str()) | execIptablesRestore(V6, commands6.c_str());