authorMaciej Żenczykowski <maze@google.com>2022-07-01 10:01:44 -0700
committerMaciej Żenczykowski <maze@google.com>2022-07-01 20:18:38 +0000
commitae58e7e4a7ddbedd8e6254da686c97d81c93b3ee (patch)
tree6ae12c81bde9cc5027984febb39ba7a6a168bbe0 /bpfloader/BpfLoader.cpp
parente867b84dae30378b7f260ee41745cb3c518c70b1 (diff)
downloadbpf-ae58e7e4a7ddbedd8e6254da686c97d81c93b3ee.tar.gz
limit types of bpf programs that platform and tethering apex can load
This is to prevent platform and tethering mainline module updatable code from stepping on each other. Bug: 218408035 Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I8f4ffafb72efb17d07aaf993892c5d395bd6876d
Diffstat (limited to 'bpfloader/BpfLoader.cpp')
-rw-r--r--bpfloader/BpfLoader.cpp36
1 files changed, 36 insertions, 0 deletions
diff --git a/bpfloader/BpfLoader.cpp b/bpfloader/BpfLoader.cpp
index bc72811..64e4de3 100644
--- a/bpfloader/BpfLoader.cpp
+++ b/bpfloader/BpfLoader.cpp
@@ -61,6 +61,30 @@ constexpr unsigned long long kTetheringApexDomainBitmask =
domainToBitmask(domain::netd_readonly) |
domainToBitmask(domain::netd_shared);
+// Programs shipped inside the tethering apex should be limited to networking stuff,
+// as KPROBE, PERF_EVENT, TRACEPOINT are dangerous to use from mainline updatable code,
+// since they are less stable abi/api and may conflict with platform uses of bpf.
+constexpr bpf_prog_type kTetheringApexAllowedProgTypes[] = {
+ BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
+ BPF_PROG_TYPE_CGROUP_SKB,
+ BPF_PROG_TYPE_CGROUP_SOCK,
+ BPF_PROG_TYPE_SCHED_ACT,
+ BPF_PROG_TYPE_SCHED_CLS,
+ BPF_PROG_TYPE_SOCKET_FILTER,
+ BPF_PROG_TYPE_XDP,
+};
+
+// Networking-related program types are limited to the Tethering Apex
+// to prevent things from breaking due to conflicts on mainline updates
+// (exception made for socket filters, ie. xt_bpf for potential use in iptables,
+// or for attaching to sockets directly)
+constexpr bpf_prog_type kPlatformAllowedProgTypes[] = {
+ BPF_PROG_TYPE_KPROBE,
+ BPF_PROG_TYPE_PERF_EVENT,
+ BPF_PROG_TYPE_SOCKET_FILTER,
+ BPF_PROG_TYPE_TRACEPOINT,
+};
+
// see b/162057235. For arbitrary program types, the concern is that due to the lack of
// SELinux access controls over BPF program attachpoints, we have no way to control the
// attachment of programs to shared resources (or to detect when a shared resource
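Review bot: The two tables `kTetheringApexAllowedProgTypes` and `kPlatformAllowedProgTypes` are the policy, but the code that consults them is not in this hunk, so it cannot be seen here whether a program whose type is absent from its Location's list is refused (fail-closed) or merely logged, nor what an empty or null list means. Since the point of the change is to keep mainline code away from KPROBE/PERF_EVENT/TRACEPOINT, that contract belongs next to the tables, e.g. `// A program whose type is not in its Location's list must be rejected at load time (fail closed); an empty list allows nothing.` — adjusted to whatever the loader actually does. It is also worth confirming that every program currently shipped under /system/etc/bpf uses one of the four platform types, since anything else would presumably now be refused at boot.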
@@ -83,6 +107,8 @@ const Location locations[] = {
.dir = "/apex/com.android.tethering/etc/bpf/",
.prefix = "tethering/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
+ .allowedProgTypes = kTetheringApexAllowedProgTypes,
+ .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper (for iptables xt_bpf) has access to programs
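Review bot: The `.allowedProgTypes` / `.allowedProgTypesLength` pair added here is repeated by hand for every Location, and nothing ties the two fields together: pairing one array with `arraysize()` of the other compiles cleanly and would make the consumer read past the shorter table or silently ignore the tail of the longer one. A one-line helper keeps the pair in lockstep, `#define ALLOWED_PROG_TYPES(a) .allowedProgTypes = (a), .allowedProgTypesLength = arraysize(a)`, used as `ALLOWED_PROG_TYPES(kTetheringApexAllowedProgTypes),`; a `std::array`-typed member with a template constructor would achieve the same without a macro if the Location struct can change. The Location struct definition is outside this hunk, so which of the two is feasible cannot be judged from here.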
@@ -90,6 +116,8 @@ const Location locations[] = {
.dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
.prefix = "netd_shared/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
+ .allowedProgTypes = kTetheringApexAllowedProgTypes,
+ .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper has no access, netd has read only access
@@ -97,24 +125,32 @@ const Location locations[] = {
.dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
.prefix = "netd_readonly/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
+ .allowedProgTypes = kTetheringApexAllowedProgTypes,
+ .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with system server)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
.prefix = "net_shared/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
+ .allowedProgTypes = kTetheringApexAllowedProgTypes,
+ .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (not shared, just network_stack)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_private/",
.prefix = "net_private/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
+ .allowedProgTypes = kTetheringApexAllowedProgTypes,
+ .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// Core operating system
{
.dir = "/system/etc/bpf/",
.prefix = "",
.allowedDomainBitmask = domainToBitmask(domain::platform),
+ .allowedProgTypes = kPlatformAllowedProgTypes,
+ .allowedProgTypesLength = arraysize(kPlatformAllowedProgTypes),
},
// Vendor operating system
{
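Review bot: The vendor Location that opens on the last line of the hunk is not given an `allowedProgTypes` entry by this change (its remaining initializers lie outside the hunk), so whether /vendor programs are restricted at all now rests on what the loader does with the field's default — presumably a null pointer with length 0 — and the hunk does not show whether that is treated as "allow nothing" or "allow everything". Given the commit's goal, a fail-open default would leave vendor-supplied tracing programs unconstrained while the platform's own are limited; either give the vendor entry an explicit list or document the default next to it, e.g. `// No allowedProgTypes here: vendor programs are <rejected|unrestricted> — confirm loader semantics`. If allow-all is the intended default for vendor, saying so explicitly stops a later reader from assuming the opposite.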