Use cgroup socket filter to control socket creation

On devices that support the cgroup socket filter, use it to control
inet socket creation.

Bug: 111560570
Bug: 111560739
Test: dumpsys netd trafficcontroller
Change-Id: I0dda638ff610a2342afca9e99cd5a2ea38718f80
diff --git a/libnetdbpf/include/netdbpf/bpf_shared.h b/libnetdbpf/include/netdbpf/bpf_shared.h
index 88a20b9..4d807a2 100644
--- a/libnetdbpf/include/netdbpf/bpf_shared.h
+++ b/libnetdbpf/include/netdbpf/bpf_shared.h
@@ -62,6 +62,7 @@
 #define XT_BPF_EGRESS_PROG_PATH BPF_PATH "/prog_netd_skfilter_egress_xtbpf"
 #define XT_BPF_WHITELIST_PROG_PATH BPF_PATH "/prog_netd_skfilter_whitelist_xtbpf"
 #define XT_BPF_BLACKLIST_PROG_PATH BPF_PATH "/prog_netd_skfilter_blacklist_xtbpf"
+#define CGROUP_SOCKET_PROG_PATH BPF_PATH "/prog_netd_cgroupsock_inet_create"
 
 #define COOKIE_TAG_MAP_PATH BPF_PATH "/map_netd_cookie_tag_map"
 #define UID_COUNTERSET_MAP_PATH BPF_PATH "/map_netd_uid_counterset_map"
diff --git a/libnetdutils/include/netdutils/UidConstants.h b/libnetdutils/include/netdutils/UidConstants.h
index 65f6f3b..42c1090 100644
--- a/libnetdutils/include/netdutils/UidConstants.h
+++ b/libnetdutils/include/netdutils/UidConstants.h
@@ -22,4 +22,6 @@
 #define MIN_SYSTEM_UID 0
 #define MAX_SYSTEM_UID 9999
 
+#define PER_USER_RANGE 100000
+
 #endif  // NETDUTILS_UID_CONSTANTS_H
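Review bot: `PER_USER_RANGE` is added without a comment, and nothing in the visible hunks uses it, so a reader cannot tell what the value is for. If the socket-creation filter derives an app id from it (presumably `uid % PER_USER_RANGE`), a mismatch with the platform's per-user UID offset would change which UIDs the filter matches. I would add a one-line comment such as `// Number of UIDs reserved per Android user; app id = uid % PER_USER_RANGE.` and, if the platform header that already defines this offset is usable here, reference it instead of duplicating the literal.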
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index a30f9dd..d599a82 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp
@@ -238,6 +238,16 @@
     }
     RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS));
     RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS));
+
+    // For the devices that support cgroup socket filter, the socket filter
+    // should be loaded successfully by bpfloader. So we attach the filter to
+    // cgroup if the program is pinned properly.
+    // TODO: delete the if statement once all devices should support cgroup
+    // socket filter (ie. the minimum kernel version required is 4.14).
+    if (!access(CGROUP_SOCKET_PROG_PATH, F_OK)) {
+        RETURN_IF_NOT_OK(
+                attachProgramToCgroup(CGROUP_SOCKET_PROG_PATH, cg_fd, BPF_CGROUP_INET_SOCK_CREATE));
+    }
     return netdutils::status::ok;
 }
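Review bot: The `access()` guard in front of the `BPF_CGROUP_INET_SOCK_CREATE` attach fails open without a trace: any non-zero return, not only a missing pin, skips the socket-creation filter and the function still returns ok. On a device that is expected to have the filter, a pin that is missing or unreadable for some other reason leaves inet socket creation unfiltered with nothing in the logs. I would treat only `ENOENT` as "unsupported" and fail otherwise, e.g. `} else if (errno != ENOENT) { return statusFromErrno(errno, "cgroup socket filter pin not accessible"); }`, and log once when the program is absent so the enforcement state is visible. Writing the condition as `access(CGROUP_SOCKET_PROG_PATH, F_OK) == 0` also reads more clearly than `!access(...)`. The enclosing function starts outside this hunk, so the headers for `errno` and the status helper are assumed to be in scope.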