diff options
author | Steven Moreland <smoreland@google.com> | 2019-12-12 14:22:34 -0800 |
---|---|---|
committer | Steven Moreland <smoreland@google.com> | 2022-02-09 00:59:37 +0000 |
commit | 0f10f3fd9f961abf78030922ac5638150b8c2694 (patch) | |
tree | bbe47c668eaa33b1dd8841bdc961c75791d25a84 /libbpf_android | |
parent | 7429fcb8421ce0cd134bca8cc9141f5b64417ad1 (diff) | |
download | bpf-0f10f3fd9f961abf78030922ac5638150b8c2694.tar.gz |
bpfloader: also load from /vendor/etc/bpf/android-t-preview-2android-t-preview-1android-t-beta-3android-s-v2-beta-3android-s-qpr3-beta-1android-t-preview-1android-s-v2-beta-3android-s-qpr3-beta-1
Allow vendors to use bpf programs, but limit to tracepoints
for now (other types of programs, for instance skfilter, aren't
safe to expose, because the kernel gives us limited ways to
control which resources can have BPF programs attached, and
some shared resources only support a single BPF program at an
attach point).
Bug: 140330870
Bug: 162057235
Test: install bpf program to /vendor/etc/bpf/ and use it.
Test: atest libbpf_load_test
Change-Id: I6c876fe52739c38db73689ffd784167e7d35d58a
Diffstat (limited to 'libbpf_android')
-rw-r--r-- | libbpf_android/BpfLoadTest.cpp | 8 | ||||
-rw-r--r-- | libbpf_android/Loader.cpp | 28 | ||||
-rw-r--r-- | libbpf_android/include/libbpf_android.h | 3 |
3 files changed, 32 insertions, 7 deletions
diff --git a/libbpf_android/BpfLoadTest.cpp b/libbpf_android/BpfLoadTest.cpp index d14c7fc..db45da1 100644 --- a/libbpf_android/BpfLoadTest.cpp +++ b/libbpf_android/BpfLoadTest.cpp @@ -49,6 +49,14 @@ class BpfLoadTest : public TestWithParam<std::string> { auto progPath = android::base::GetExecutableDirectory() + "/" + GetParam() + ".o"; bool critical = true; + + bpf_prog_type kAllowed[] = { + BPF_PROG_TYPE_UNSPEC, + }; + EXPECT_EQ(android::bpf::loadProg(progPath.c_str(), &critical, "", kAllowed, + arraysize(kAllowed)), + -1); + EXPECT_EQ(android::bpf::loadProg(progPath.c_str(), &critical), 0); EXPECT_EQ(false, critical); diff --git a/libbpf_android/Loader.cpp b/libbpf_android/Loader.cpp index fd223a2..eab8e96 100644 --- a/libbpf_android/Loader.cpp +++ b/libbpf_android/Loader.cpp @@ -312,16 +312,14 @@ static enum bpf_attach_type getExpectedAttachType(string& name) { return BPF_ATTACH_TYPE_UNSPEC; } -/* If ever needed static string getSectionName(enum bpf_prog_type type) { for (auto& snt : sectionNameTypes) if (snt.type == type) return string(snt.name); - return NULL; + return "UNKNOWN SECTION NAME " + std::to_string(type); } -*/ static int readProgDefs(ifstream& elfFile, vector<struct bpf_prog_def>& pd, size_t sizeOfBpfProgDef) { @@ -401,8 +399,19 @@ static int getSectionSymNames(ifstream& elfFile, const string& sectionName, vect return 0; } +static bool IsAllowed(bpf_prog_type type, const bpf_prog_type* allowed, size_t numAllowed) { + if (allowed == nullptr) return true; + + for (size_t i = 0; i < numAllowed; i++) { + if (type == allowed[i]) return true; + } + + return false; +} + /* Read a section by its index - for ex to get sec hdr strtab blob */ -static int readCodeSections(ifstream& elfFile, vector<codeSection>& cs, size_t sizeOfBpfProgDef) { +static int readCodeSections(ifstream& elfFile, vector<codeSection>& cs, size_t sizeOfBpfProgDef, + const bpf_prog_type* allowed, size_t numAllowed) { vector<Elf64_Shdr> shTable; int entries, ret = 0; @@ -426,8 +435,14 @@ static int readCodeSections(ifstream& elfFile, vector<codeSection>& cs, size_t s if (ret) return ret; enum bpf_prog_type ptype = getSectionType(name); + if (ptype == BPF_PROG_TYPE_UNSPEC) continue; + if (!IsAllowed(ptype, allowed, numAllowed)) { + ALOGE("Program type %s not permitted here", getSectionName(ptype).c_str()); + return -1; + } + // This must be done before '/' is replaced with '_'. cs_temp.expected_attach_type = getExpectedAttachType(name); @@ -881,7 +896,8 @@ static int loadCodeSections(const char* elfPath, vector<codeSection>& cs, const return 0; } -int loadProg(const char* elfPath, bool* isCritical, const char* prefix) { +int loadProg(const char* elfPath, bool* isCritical, const char* prefix, + const bpf_prog_type* allowed, size_t numAllowed) { vector<char> license; vector<char> critical; vector<codeSection> cs; @@ -946,7 +962,7 @@ int loadProg(const char* elfPath, bool* isCritical, const char* prefix) { return -1; } - ret = readCodeSections(elfFile, cs, sizeOfBpfProgDef); + ret = readCodeSections(elfFile, cs, sizeOfBpfProgDef, allowed, numAllowed); if (ret) { ALOGE("Couldn't read all code sections in %s\n", elfPath); return ret; diff --git a/libbpf_android/include/libbpf_android.h b/libbpf_android/include/libbpf_android.h index a3d5f03..3fb777b 100644 --- a/libbpf_android/include/libbpf_android.h +++ b/libbpf_android/include/libbpf_android.h @@ -24,7 +24,8 @@ namespace android { namespace bpf { // BPF loader implementation. Loads an eBPF ELF object -int loadProg(const char* elfPath, bool* isCritical, const char* prefix = ""); +int loadProg(const char* elfPath, bool* isCritical, const char* prefix = "", + const bpf_prog_type* allowed = nullptr, size_t numAllowed = 0); // Exposed for testing unsigned int readSectionUint(const char* name, std::ifstream& elfFile, unsigned int defVal); |