Do not block system uid from creating inet socket
Some system uid such as root is not in the package list send to netd
when device start. But they should still have INTERNET permission. Add a
check in eBPF program to stop blocking them from creating sockets. Also
fix the name of program so it can be correctly identified. Also switch
the eBPF map from a whitelist to a blacklist, now only uids in the map
but not have PERMISSION_INTERNET bit set will get blocked. Otherwise the
eBPF map will not block the uid from creating inet/inet6 sockets.
Bug: 111560570
Bug: 128944261
Test: netd_integration_test
Change-Id: I0dd4e74a0f2b301ceea90829eda1564a4922e27a
diff --git a/tests/bpf_base_test.cpp b/tests/bpf_base_test.cpp
index 20b6340..f9b07e5 100644
--- a/tests/bpf_base_test.cpp
+++ b/tests/bpf_base_test.cpp
@@ -50,6 +50,15 @@
constexpr int TEST_COUNTERSET = 1;
constexpr int DEFAULT_COUNTERSET = 0;
+#define SKIP_IF_EXTENDED_BPF_NOT_SUPPORTED \
+ do { \
+ if (android::bpf::getBpfSupportLevel() != android::bpf::BpfLevel::EXTENDED) { \
+ GTEST_LOG_(INFO) << "This test is skipped since extended bpf feature" \
+ << "not supported\n"; \
+ return; \
+ } \
+ } while (0)
+
class BpfBasicTest : public testing::Test {
protected:
BpfBasicTest() {}
@@ -81,6 +90,13 @@
ASSERT_EQ(0, access(UID_OWNER_MAP_PATH, R_OK));
}
+TEST_F(BpfBasicTest, TestSocketFilterSetUp) {
+ SKIP_IF_EXTENDED_BPF_NOT_SUPPORTED;
+
+ ASSERT_EQ(0, access(CGROUP_SOCKET_PROG_PATH, R_OK));
+ ASSERT_EQ(0, access(UID_PERMISSION_MAP_PATH, R_OK));
+}
+
TEST_F(BpfBasicTest, TestTagSocket) {
SKIP_IF_BPF_NOT_SUPPORTED;