Diffstat (limited to 'bpfloader')
-rw-r--r-- | bpfloader/BpfLoader.cpp | 44 |
1 files changed, 38 insertions, 6 deletions
diff --git a/bpfloader/BpfLoader.cpp b/bpfloader/BpfLoader.cpp
index 739932d..bc72811 100644
--- a/bpfloader/BpfLoader.cpp
+++ b/bpfloader/BpfLoader.cpp
@@ -51,8 +51,16 @@
#include "bpf/BpfUtils.h"
using android::base::EndsWith;
+using android::bpf::domain;
using std::string;
+constexpr unsigned long long kTetheringApexDomainBitmask =
+ domainToBitmask(domain::tethering) |
+ domainToBitmask(domain::net_private) |
+ domainToBitmask(domain::net_shared) |
+ domainToBitmask(domain::netd_readonly) |
+ domainToBitmask(domain::netd_shared);
+
// see b/162057235. For arbitrary program types, the concern is that due to the lack of
// SELinux access controls over BPF program attachpoints, we have no way to control the
// attachment of programs to shared resources (or to detect when a shared resource
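Review bot: `kTetheringApexDomainBitmask` is introduced without a comment saying what the union of these five domains represents or why `netd_readonly` and `netd_shared` belong in a mask that also gates objects shipped under the net_private/ directory; a reader of this file cannot tell whether that breadth is intended or an over-approximation. Suggest a comment above the constant along the lines of `// Domains an object shipped in the tethering APEX may request via pin_subdir / selinux_context; the subdirectory it is loaded from does not narrow this set further.`, adjusted to whatever loadProg actually enforces, since that check is not visible here. Separately, `domainToBitmask` is called unqualified inside a constant initializer and presumably resolves through ADL on the `domain` argument; writing `android::bpf::domainToBitmask(...)` would make the dependency explicit next to the new `using android::bpf::domain;` declaration.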
@@ -64,40 +72,55 @@ constexpr bpf_prog_type kVendorAllowedProgTypes[] = {
struct Location {
const char* const dir;
const char* const prefix;
+ unsigned long long allowedDomainBitmask;
const bpf_prog_type* allowedProgTypes = nullptr;
size_t allowedProgTypesLength = 0;
};
const Location locations[] = {
- // Tethering mainline module: tether offload
+ // S+ Tethering mainline module (network_stack): tether offload
{
.dir = "/apex/com.android.tethering/etc/bpf/",
.prefix = "tethering/",
+ .allowedDomainBitmask = kTetheringApexDomainBitmask,
},
- // Tethering mainline module (shared with netd & system server)
+ // T+ Tethering mainline module (shared with netd & system server)
+ // netutils_wrapper (for iptables xt_bpf) has access to programs
{
.dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
.prefix = "netd_shared/",
+ .allowedDomainBitmask = kTetheringApexDomainBitmask,
+ },
+ // T+ Tethering mainline module (shared with netd & system server)
+ // netutils_wrapper has no access, netd has read only access
+ {
+ .dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
+ .prefix = "netd_readonly/",
+ .allowedDomainBitmask = kTetheringApexDomainBitmask,
},
- // Tethering mainline module (shared with system server)
+ // T+ Tethering mainline module (shared with system server)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
.prefix = "net_shared/",
+ .allowedDomainBitmask = kTetheringApexDomainBitmask,
},
- // Tethering mainline module (not shared)
+ // T+ Tethering mainline module (not shared, just network_stack)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_private/",
.prefix = "net_private/",
+ .allowedDomainBitmask = kTetheringApexDomainBitmask,
},
// Core operating system
{
.dir = "/system/etc/bpf/",
.prefix = "",
+ .allowedDomainBitmask = domainToBitmask(domain::platform),
},
// Vendor operating system
{
.dir = "/vendor/etc/bpf/",
.prefix = "vendor/",
+ .allowedDomainBitmask = domainToBitmask(domain::vendor),
.allowedProgTypes = kVendorAllowedProgTypes,
.allowedProgTypesLength = arraysize(kVendorAllowedProgTypes),
},
@@ -117,7 +140,9 @@ int loadAllElfObjects(const Location& location) {
progPath += s;
bool critical;
- int ret = android::bpf::loadProg(progPath.c_str(), &critical, location.prefix,
+ int ret = android::bpf::loadProg(progPath.c_str(), &critical,
+ location.prefix,
+ location.allowedDomainBitmask,
location.allowedProgTypes, location.allowedProgTypesLength);
if (ret) {
@@ -153,9 +178,16 @@ int main(int argc, char** argv) {
(void)argc;
android::base::InitLogging(argv, &android::base::KernelLogger);
- // Load all ELF objects, create programs and maps, and pin them
+ // Create all the pin subdirectories
+ // (this must be done first to allow selinux_context and pin_subdir functionality,
+ // which could otherwise fail with ENOENT during object pinning or renaming,
+ // due to ordering issues)
for (const auto& location : locations) {
createSysFsBpfSubDir(location.prefix);
+ }
+
+ // Load all ELF objects, create programs and maps, and pin them
+ for (const auto& location : locations) {
if (loadAllElfObjects(location) != 0) {
ALOGE("=== CRITICAL FAILURE LOADING BPF PROGRAMS FROM %s ===", location.dir);
ALOGE("If this triggers reliably, you're probably missing kernel options or patches.");
|
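Review bot: All five tethering APEX entries in `locations[]` receive the identical `kTetheringApexDomainBitmask`, while their comments describe distinct access levels (netutils_wrapper access, netd read-only, not shared); as written, an object placed under netd_readonly/ is permitted to request the netd_shared or net_shared domain, so the directory split documents intent but the new mask does not enforce it. If the per-directory comments are meant to be guarantees, consider a narrower mask per entry (e.g. `.allowedDomainBitmask = domainToBitmask(domain::net_private),` for the net_private/ location) if loadProg's default-domain handling permits that; if the breadth is deliberate, a one-line comment above the first tethering entry saying so would stop the next reader from tightening it. Also, the new `allowedDomainBitmask` field is the only `Location` member without a default initializer; aggregate initialization zero-fills it when an entry omits it, which reads as fail-closed only if the loader treats the mask as an allow-list, so `unsigned long long allowedDomainBitmask = 0; // no domain permitted unless set` would make that contract visible. The `Location` struct and the array both start and end inside this hunk, but the enclosing `kVendorAllowedProgTypes` definition referenced in the header is outside it.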
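Review bot: The new first loop in `main` discards whatever `createSysFsBpfSubDir` returns, so if it can fail (its declaration is outside this hunk) the only symptom will be the later, less specific ENOENT that the added comment itself warns about. If the function reports a status, logging it here with `location.prefix` would point straight at the failed mkdir; if it is `void`, the comment could say so, e.g. `// createSysFsBpfSubDir has no failure path; errors surface as ENOENT during pinning below.` The rest of `main` continues outside the hunk.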