Use cgroup socket filter to control socket creation For the devices that support cgroup socket filter, use it to control the inet socket creation. Bug: 111560570 Bug: 111560739 Test: dumpsys netd trafficcontroller Change-Id: I0dda638ff610a2342afca9e99cd5a2ea38718f80

commit: a51f4fabd82fe23b2cccf919138d90d58dfbecf1 [log] [tgz]
author: Chenbo Feng <fengc@google.com> Tue Jan 15 15:03:32 2019 -0800
committer: Chenbo Feng <fengc@google.com> Tue Jan 29 19:25:04 2019 -0800
tree: 53067b49a0e6516d966c759e5dfa9910156a5575
parent: b4a4fa1be51357a8c6c58cb5a72c03421ebabf44 [diff] [blame]
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index a30f9dd..d599a82 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp

@@ -238,6 +238,16 @@
     }
     RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS));
     RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS));
+
+    // For the devices that support cgroup socket filter, the socket filter
+    // should be loaded successfully by bpfloader. So we attach the filter to
+    // cgroup if the program is pinned properly.
+    // TODO: delete the if statement once all devices should support cgroup
+    // socket filter (ie. the minimum kernel version required is 4.14).
+    if (!access(CGROUP_SOCKET_PROG_PATH, F_OK)) {
+        RETURN_IF_NOT_OK(
+                attachProgramToCgroup(CGROUP_SOCKET_PROG_PATH, cg_fd, BPF_CGROUP_INET_SOCK_CREATE));
+    }
     return netdutils::status::ok;
 }
commit	a51f4fabd82fe23b2cccf919138d90d58dfbecf1	[log] [tgz]
author	Chenbo Feng <fengc@google.com>	Tue Jan 15 15:03:32 2019 -0800
committer	Chenbo Feng <fengc@google.com>	Tue Jan 29 19:25:04 2019 -0800
tree	53067b49a0e6516d966c759e5dfa9910156a5575
parent	b4a4fa1be51357a8c6c58cb5a72c03421ebabf44 [diff] [blame]