Initial checkin for bpf project

Copied the files from system/netd into system/bpf. No modification is
made to the files.

Test: this doesn't build since the Android.bp file is missing
Bug: 112334572

Change-Id: Ia090a429dd416e07c46766784fb3dd2037201525

4 files changed, 439 insertions, 0 deletions

diff --git a/bpfloader/Android.bp b/bpfloader/Android.bp
new file mode 100644
index 0000000..fe52bcf
--- /dev/null
+++ b/bpfloader/Android.bp
@@ -0,0 +1,58 @@
+//
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+//
+// bpfLoad binary
+//
+cc_binary {
+    name: "bpfloader",
+
+    defaults: ["netd_defaults"],
+    cflags: [
+        "-Wall",
+        "-Werror",
+        "-Wthread-safety",
+    ],
+    sanitize: {
+        integer_overflow: true,
+    },
+    clang: true,
+    shared_libs: [
+        "libcutils",
+        "libbpf",
+        "libbase",
+        "liblog",
+        "libnetdutils",
+    ],
+    srcs: [
+        "BpfLoader.cpp",
+    ],
+
+    required: [
+        "bpf_kern.o",
+    ],
+
+}
+
+bpf {
+    name: "bpf_kern.o",
+    srcs: ["bpf_kern.c"],
+    cflags: [
+        "-Wall",
+        "-Werror",
+    ],
+    include_dirs: ["system/netd/libbpf/include"],
+}
diff --git a/bpfloader/BpfLoader.cpp b/bpfloader/BpfLoader.cpp
new file mode 100644
index 0000000..c7b1332
--- /dev/null
+++ b/bpfloader/BpfLoader.cpp
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef LOG_TAG
+#define LOG_TAG "bpfloader"
+#endif
+
+#include <arpa/inet.h>
+#include <elf.h>
+#include <error.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <linux/bpf.h>
+#include <linux/unistd.h>
+#include <net/if.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <android-base/stringprintf.h>
+#include <android-base/unique_fd.h>
+#include <log/log.h>
+
+#include <netdutils/Misc.h>
+#include <netdutils/Slice.h>
+#include "bpf/BpfUtils.h"
+#include "bpf/bpf_shared.h"
+
+using android::base::unique_fd;
+using android::netdutils::Slice;
+
+#define BPF_PROG_PATH "/system/etc/bpf"
+#define BPF_PROG_SRC BPF_PROG_PATH "/bpf_kern.o"
+
+#define CLEANANDEXIT(ret, mapPatterns)                 \
+    do {                                               \
+        for (int i = 0; i < mapPatterns.size(); i++) { \
+            if (mapPatterns[i].fd > -1) {              \
+                close(mapPatterns[i].fd);              \
+            }                                          \
+        }                                              \
+        return ret;                                    \
+    } while (0)
+
+using android::bpf::BpfMapInfo;
+using android::bpf::BpfProgInfo;
+
+int main() {
+    const std::vector<BpfMapInfo> mapPatterns = {
+            BpfMapInfo(COOKIE_TAG_MAP, COOKIE_TAG_MAP_PATH),
+            BpfMapInfo(UID_COUNTERSET_MAP, UID_COUNTERSET_MAP_PATH),
+            BpfMapInfo(APP_UID_STATS_MAP, APP_UID_STATS_MAP_PATH),
+            BpfMapInfo(UID_STATS_MAP, UID_STATS_MAP_PATH),
+            BpfMapInfo(TAG_STATS_MAP, TAG_STATS_MAP_PATH),
+            BpfMapInfo(IFACE_STATS_MAP, IFACE_STATS_MAP_PATH),
+            BpfMapInfo(CONFIGURATION_MAP, CONFIGURATION_MAP_PATH),
+            BpfMapInfo(UID_OWNER_MAP, UID_OWNER_MAP_PATH),
+    };
+    for (int i = 0; i < mapPatterns.size(); i++) {
+        if (mapPatterns[i].fd < 0) {
+            ALOGE("Rerieve Map from %s failed: %d", mapPatterns[i].path.c_str(), mapPatterns[i].fd);
+            CLEANANDEXIT(-1, mapPatterns);
+        }
+    }
+    BpfProgInfo programs[] = {
+            {BPF_CGROUP_INET_EGRESS, BPF_EGRESS_PROG_PATH, BPF_CGROUP_EGRESS_PROG_NAME,
+             BPF_PROG_TYPE_CGROUP_SKB, unique_fd(-1)},
+            {BPF_CGROUP_INET_INGRESS, BPF_INGRESS_PROG_PATH, BPF_CGROUP_INGRESS_PROG_NAME,
+             BPF_PROG_TYPE_CGROUP_SKB, unique_fd(-1)},
+            {MAX_BPF_ATTACH_TYPE, XT_BPF_INGRESS_PROG_PATH, XT_BPF_INGRESS_PROG_NAME,
+             BPF_PROG_TYPE_SOCKET_FILTER, unique_fd(-1)},
+            {MAX_BPF_ATTACH_TYPE, XT_BPF_EGRESS_PROG_PATH, XT_BPF_EGRESS_PROG_NAME,
+             BPF_PROG_TYPE_SOCKET_FILTER, unique_fd(-1)},
+            {MAX_BPF_ATTACH_TYPE, XT_BPF_WHITELIST_PROG_PATH, XT_BPF_WHITELIST_PROG_NAME,
+             BPF_PROG_TYPE_SOCKET_FILTER, unique_fd(-1)},
+            {MAX_BPF_ATTACH_TYPE, XT_BPF_BLACKLIST_PROG_PATH, XT_BPF_BLACKLIST_PROG_NAME,
+             BPF_PROG_TYPE_SOCKET_FILTER, unique_fd(-1)}};
+    int ret = android::bpf::parseProgramsFromFile(BPF_PROG_SRC, programs, ARRAY_SIZE(programs),
+                                                  mapPatterns);
+    CLEANANDEXIT(ret, mapPatterns);
+}
diff --git a/bpfloader/bpf_kern.c b/bpfloader/bpf_kern.c
new file mode 100644
index 0000000..4fe8140
--- /dev/null
+++ b/bpfloader/bpf_kern.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <linux/bpf.h>
+#include "bpf_kern.h"
+
+
+ELF_SEC(BPF_CGROUP_INGRESS_PROG_NAME)
+int bpf_cgroup_ingress(struct __sk_buff* skb) {
+    return bpf_traffic_account(skb, BPF_INGRESS);
+}
+
+ELF_SEC(BPF_CGROUP_EGRESS_PROG_NAME)
+int bpf_cgroup_egress(struct __sk_buff* skb) {
+    return bpf_traffic_account(skb, BPF_EGRESS);
+}
+
+ELF_SEC(XT_BPF_EGRESS_PROG_NAME)
+int xt_bpf_egress_prog(struct __sk_buff* skb) {
+    uint32_t key = skb->ifindex;
+    bpf_update_stats(skb, IFACE_STATS_MAP, BPF_EGRESS, &key);
+    return BPF_MATCH;
+}
+
+ELF_SEC(XT_BPF_INGRESS_PROG_NAME)
+int xt_bpf_ingress_prog(struct __sk_buff* skb) {
+    uint32_t key = skb->ifindex;
+    bpf_update_stats(skb, IFACE_STATS_MAP, BPF_INGRESS, &key);
+    return BPF_MATCH;
+}
+
+ELF_SEC(XT_BPF_WHITELIST_PROG_NAME)
+int xt_bpf_whitelist_prog(struct __sk_buff* skb) {
+    uint32_t sock_uid = get_socket_uid(skb);
+    if (is_system_uid(sock_uid)) return BPF_MATCH;
+    uint8_t* whitelistMatch = find_map_entry(UID_OWNER_MAP, &sock_uid);
+    if (whitelistMatch) return *whitelistMatch & HAPPY_BOX_MATCH;
+    return BPF_NOMATCH;
+}
+
+ELF_SEC(XT_BPF_BLACKLIST_PROG_NAME)
+int xt_bpf_blacklist_prog(struct __sk_buff* skb) {
+    uint32_t sock_uid = get_socket_uid(skb);
+    uint8_t* blacklistMatch = find_map_entry(UID_OWNER_MAP, &sock_uid);
+    if (blacklistMatch) return *blacklistMatch & PENALTY_BOX_MATCH;
+    return BPF_NOMATCH;
+}
diff --git a/bpfloader/bpf_kern.h b/bpfloader/bpf_kern.h
new file mode 100644
index 0000000..e56033d
--- /dev/null
+++ b/bpfloader/bpf_kern.h
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * This h file together with bpf_kern.c is used for compiling the eBPF kernel
+ * program. To generate the bpf_kern.o file manually, use the clang prebuilt in
+ * this android tree to compile the files with --target=bpf options. For
+ * example, in system/netd/ directory, execute the following command:
+ * $: ANDROID_BASE_DIRECTORY/prebuilts/clang/host/linux-x86/clang-4691093/bin/clang  \
+ *    -I ANDROID_BASE_DIRECTORY/bionic/libc/kernel/uapi/ \
+ *    -I ANDROID_BASE_DIRECTORY/system/netd/bpfloader/ \
+ *    -I ANDROID_BASE_DIRECTORY/bionic/libc/kernel/android/uapi/ \
+ *    -I ANDROID_BASE_DIRECTORY/bionic/libc/include \
+ *    -I ANDROID_BASE_DIRECTORY/system/netd/libbpf/include  \
+ *    --target=bpf -O2 -c bpfloader/bpf_kern.c -o bpfloader/bpf_kern.o
+ */
+
+#include <linux/bpf.h>
+#include <linux/if.h>
+#include <linux/if_ether.h>
+#include <linux/in.h>
+#include <linux/in6.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include "bpf/bpf_shared.h"
+
+#define ELF_SEC(NAME) __attribute__((section(NAME), used))
+
+struct uid_tag {
+    uint32_t uid;
+    uint32_t tag;
+};
+
+struct stats_key {
+    uint32_t uid;
+    uint32_t tag;
+    uint32_t counterSet;
+    uint32_t ifaceIndex;
+};
+
+struct stats_value {
+    uint64_t rxPackets;
+    uint64_t rxBytes;
+    uint64_t txPackets;
+    uint64_t txBytes;
+};
+
+/* helper functions called from eBPF programs written in C */
+static void* (*find_map_entry)(uint64_t map, void* key) = (void*)BPF_FUNC_map_lookup_elem;
+static int (*write_to_map_entry)(uint64_t map, void* key, void* value,
+                                 uint64_t flags) = (void*)BPF_FUNC_map_update_elem;
+static int (*delete_map_entry)(uint64_t map, void* key) = (void*)BPF_FUNC_map_delete_elem;
+static uint64_t (*get_socket_cookie)(struct __sk_buff* skb) = (void*)BPF_FUNC_get_socket_cookie;
+static uint32_t (*get_socket_uid)(struct __sk_buff* skb) = (void*)BPF_FUNC_get_socket_uid;
+static int (*bpf_skb_load_bytes)(struct __sk_buff* skb, int off, void* to,
+                                 int len) = (void*)BPF_FUNC_skb_load_bytes;
+
+// This is defined for cgroup bpf filter only.
+#define BPF_PASS 1
+#define BPF_DROP 0
+
+// This is used for xt_bpf program only.
+#define BPF_NOMATCH 0
+#define BPF_MATCH 1
+
+#define BPF_EGRESS 0
+#define BPF_INGRESS 1
+
+#define IP_PROTO_OFF offsetof(struct iphdr, protocol)
+#define IPV6_PROTO_OFF offsetof(struct ipv6hdr, nexthdr)
+#define IPPROTO_IHL_OFF 0
+#define TCP_FLAG_OFF 13
+#define RST_OFFSET 2
+
+static __always_inline int is_system_uid(uint32_t uid) {
+    return (uid <= MAX_SYSTEM_UID) && (uid >= MIN_SYSTEM_UID);
+}
+
+static __always_inline inline void bpf_update_stats(struct __sk_buff* skb, uint64_t map,
+                                                    int direction, void *key) {
+    struct stats_value* value;
+    value = find_map_entry(map, key);
+    if (!value) {
+        struct stats_value newValue = {};
+        write_to_map_entry(map, key, &newValue, BPF_NOEXIST);
+        value = find_map_entry(map, key);
+    }
+    if (value) {
+        if (direction == BPF_EGRESS) {
+            __sync_fetch_and_add(&value->txPackets, 1);
+            __sync_fetch_and_add(&value->txBytes, skb->len);
+        } else if (direction == BPF_INGRESS) {
+            __sync_fetch_and_add(&value->rxPackets, 1);
+            __sync_fetch_and_add(&value->rxBytes, skb->len);
+        }
+    }
+}
+
+static inline bool skip_owner_match(struct __sk_buff* skb) {
+    int offset = -1;
+    int ret = 0;
+    if (skb->protocol == ETH_P_IP) {
+        offset = IP_PROTO_OFF;
+        uint8_t proto, ihl;
+        uint16_t flag;
+        ret = bpf_skb_load_bytes(skb, offset, &proto, 1);
+        if (!ret) {
+            if (proto == IPPROTO_ESP) {
+                return true;
+            } else if (proto == IPPROTO_TCP) {
+                ret = bpf_skb_load_bytes(skb, IPPROTO_IHL_OFF, &ihl, 1);
+                ihl = ihl & 0x0F;
+                ret = bpf_skb_load_bytes(skb, ihl * 4 + TCP_FLAG_OFF, &flag, 1);
+                if (ret == 0 && (flag >> RST_OFFSET & 1)) {
+                    return true;
+                }
+            }
+        }
+    } else if (skb->protocol == ETH_P_IPV6) {
+        offset = IPV6_PROTO_OFF;
+        uint8_t proto;
+        ret = bpf_skb_load_bytes(skb, offset, &proto, 1);
+        if (!ret) {
+            if (proto == IPPROTO_ESP) {
+                return true;
+            } else if (proto == IPPROTO_TCP) {
+                uint16_t flag;
+                ret = bpf_skb_load_bytes(skb, sizeof(struct ipv6hdr) + TCP_FLAG_OFF, &flag, 1);
+                if (ret == 0 && (flag >> RST_OFFSET & 1)) {
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+}
+
+static __always_inline BpfConfig getConfig() {
+    uint32_t mapSettingKey = CONFIGURATION_KEY;
+    BpfConfig* config = find_map_entry(CONFIGURATION_MAP, &mapSettingKey);
+    if (!config) {
+        // Couldn't read configuration entry. Assume everything is disabled.
+        return DEFAULT_CONFIG;
+    }
+    return *config;
+}
+
+static inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid) {
+    if (skip_owner_match(skb)) return BPF_PASS;
+
+    if ((uid <= MAX_SYSTEM_UID) && (uid >= MIN_SYSTEM_UID)) return BPF_PASS;
+
+    BpfConfig enabledRules = getConfig();
+    if (!enabledRules) {
+        return BPF_PASS;
+    }
+
+    uint8_t* uidEntry = find_map_entry(UID_OWNER_MAP, &uid);
+    uint8_t uidRules = uidEntry ? *uidEntry : 0;
+    if ((enabledRules & DOZABLE_MATCH) && !(uidRules & DOZABLE_MATCH)) {
+        return BPF_DROP;
+    }
+    if ((enabledRules & STANDBY_MATCH) && (uidRules & STANDBY_MATCH)) {
+        return BPF_DROP;
+    }
+    if ((enabledRules & POWERSAVE_MATCH) && !(uidRules & POWERSAVE_MATCH)) {
+        return BPF_DROP;
+    }
+    return BPF_PASS;
+}
+
+static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, int direction) {
+    uint32_t sock_uid = get_socket_uid(skb);
+    int match = bpf_owner_match(skb, sock_uid);
+    if ((direction == BPF_EGRESS) && (match == BPF_DROP)) {
+        // If an outbound packet is going to be dropped, we do not count that
+        // traffic.
+        return match;
+    }
+
+    uint64_t cookie = get_socket_cookie(skb);
+    struct uid_tag* utag = find_map_entry(COOKIE_TAG_MAP, &cookie);
+    uint32_t uid, tag;
+    if (utag) {
+        uid = utag->uid;
+        tag = utag->tag;
+    } else {
+        uid = sock_uid;
+        tag = 0;
+    }
+
+    struct stats_key key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
+
+    uint8_t* counterSet = find_map_entry(UID_COUNTERSET_MAP, &uid);
+    if (counterSet) key.counterSet = (uint32_t)*counterSet;
+
+    if (tag) {
+        bpf_update_stats(skb, TAG_STATS_MAP, direction, &key);
+    }
+
+    key.tag = 0;
+    bpf_update_stats(skb, UID_STATS_MAP, direction, &key);
+    bpf_update_stats(skb, APP_UID_STATS_MAP, direction, &uid);
+    return match;
+}