1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
|
/*
* Copyright (C) 2017 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef LOG_TAG
#define LOG_TAG "bpfloader"
#endif
#include <arpa/inet.h>
#include <dirent.h>
#include <elf.h>
#include <error.h>
#include <fcntl.h>
#include <inttypes.h>
#include <linux/bpf.h>
#include <linux/unistd.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <android-base/logging.h>
#include <android-base/macros.h>
#include <android-base/properties.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
#include <libbpf_android.h>
#include <log/log.h>
#include <netdutils/Misc.h>
#include <netdutils/Slice.h>
#include "bpf/BpfUtils.h"
using android::base::EndsWith;
using android::bpf::domain;
using std::string;
bool exists(const char* const path) {
int v = access(path, F_OK);
if (!v) {
ALOGI("%s exists.", path);
return true;
}
if (errno == ENOENT) return false;
ALOGE("FATAL: access(%s, F_OK) -> %d [%d:%s]", path, v, errno, strerror(errno));
abort(); // can only hit this if permissions (likely selinux) are screwed up
}
bool isInProcessTethering() {
bool in = exists("/apex/com.android.tethering/etc/flag/in-process");
bool out = exists("/apex/com.android.tethering/etc/flag/out-of-process");
if (in && out) abort(); // bad build
// Handle cases where the module explicitly tells us
if (in) return true;
if (out) return false;
ALOGE("FATAL: cannot determine if Tethering is in or out of process.");
abort();
}
constexpr unsigned long long kTetheringApexDomainBitmask =
domainToBitmask(domain::tethering) |
domainToBitmask(domain::net_private) |
domainToBitmask(domain::net_shared) |
domainToBitmask(domain::netd_readonly) |
domainToBitmask(domain::netd_shared);
// Programs shipped inside the tethering apex should be limited to networking stuff,
// as KPROBE, PERF_EVENT, TRACEPOINT are dangerous to use from mainline updatable code,
// since they are less stable abi/api and may conflict with platform uses of bpf.
constexpr bpf_prog_type kTetheringApexAllowedProgTypes[] = {
BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
BPF_PROG_TYPE_CGROUP_SKB,
BPF_PROG_TYPE_CGROUP_SOCK,
BPF_PROG_TYPE_SCHED_ACT,
BPF_PROG_TYPE_SCHED_CLS,
BPF_PROG_TYPE_SOCKET_FILTER,
BPF_PROG_TYPE_XDP,
};
// Networking-related program types are limited to the Tethering Apex
// to prevent things from breaking due to conflicts on mainline updates
// (exception made for socket filters, ie. xt_bpf for potential use in iptables,
// or for attaching to sockets directly)
constexpr bpf_prog_type kPlatformAllowedProgTypes[] = {
BPF_PROG_TYPE_KPROBE,
BPF_PROG_TYPE_PERF_EVENT,
BPF_PROG_TYPE_SOCKET_FILTER,
BPF_PROG_TYPE_TRACEPOINT,
BPF_PROG_TYPE_UNSPEC, // Will be replaced with fuse bpf program type
};
// see b/162057235. For arbitrary program types, the concern is that due to the lack of
// SELinux access controls over BPF program attachpoints, we have no way to control the
// attachment of programs to shared resources (or to detect when a shared resource
// has one BPF program replace another that is attached there)
constexpr bpf_prog_type kVendorAllowedProgTypes[] = {
BPF_PROG_TYPE_SOCKET_FILTER,
};
struct Location {
const char* const dir;
const char* const prefix;
unsigned long long allowedDomainBitmask;
const bpf_prog_type* allowedProgTypes = nullptr;
size_t allowedProgTypesLength = 0;
};
const Location locations[] = {
// S+ Tethering mainline module (network_stack): tether offload
{
.dir = "/apex/com.android.tethering/etc/bpf/",
.prefix = "tethering/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper (for iptables xt_bpf) has access to programs
{
.dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
.prefix = "netd_shared/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper has no access, netd has read only access
{
.dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
.prefix = "netd_readonly/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with system server)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
.prefix = "net_shared/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (not shared, just network_stack)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_private/",
.prefix = "net_private/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// Core operating system
{
.dir = "/system/etc/bpf/",
.prefix = "",
.allowedDomainBitmask = domainToBitmask(domain::platform),
.allowedProgTypes = kPlatformAllowedProgTypes,
.allowedProgTypesLength = arraysize(kPlatformAllowedProgTypes),
},
// Vendor operating system
{
.dir = "/vendor/etc/bpf/",
.prefix = "vendor/",
.allowedDomainBitmask = domainToBitmask(domain::vendor),
.allowedProgTypes = kVendorAllowedProgTypes,
.allowedProgTypesLength = arraysize(kVendorAllowedProgTypes),
},
};
int loadAllElfObjects(const Location& location) {
int retVal = 0;
DIR* dir;
struct dirent* ent;
if ((dir = opendir(location.dir)) != NULL) {
while ((ent = readdir(dir)) != NULL) {
string s = ent->d_name;
if (!EndsWith(s, ".o")) continue;
string progPath(location.dir);
progPath += s;
bool critical;
int ret = android::bpf::loadProg(progPath.c_str(), &critical,
location.prefix,
location.allowedDomainBitmask,
location.allowedProgTypes,
location.allowedProgTypesLength);
if (ret) {
if (critical) retVal = ret;
ALOGE("Failed to load object: %s, ret: %s", progPath.c_str(), std::strerror(-ret));
} else {
ALOGI("Loaded object: %s", progPath.c_str());
}
}
closedir(dir);
}
return retVal;
}
int createSysFsBpfSubDir(const char* const prefix) {
if (*prefix) {
mode_t prevUmask = umask(0);
string s = "/sys/fs/bpf/";
s += prefix;
errno = 0;
int ret = mkdir(s.c_str(), S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO);
if (ret && errno != EEXIST) {
const int err = errno;
ALOGE("Failed to create directory: %s, ret: %s", s.c_str(), std::strerror(err));
return -err;
}
umask(prevUmask);
}
return 0;
}
// Technically 'value' doesn't need to be newline terminated, but it's best
// to include a newline to match 'echo "value" > /proc/sys/...foo' behaviour,
// which is usually how kernel devs test the actual sysctl interfaces.
int writeProcSysFile(const char *filename, const char *value) {
android::base::unique_fd fd(open(filename, O_WRONLY | O_CLOEXEC));
if (fd < 0) {
const int err = errno;
ALOGE("open('%s', O_WRONLY | O_CLOEXEC) -> %s", filename, strerror(err));
return -err;
}
int len = strlen(value);
int v = write(fd, value, len);
if (v < 0) {
const int err = errno;
ALOGE("write('%s', '%s', %d) -> %s", filename, value, len, strerror(err));
return -err;
}
if (v != len) {
// In practice, due to us only using this for /proc/sys/... files, this can't happen.
ALOGE("write('%s', '%s', %d) -> short write [%d]", filename, value, len, v);
return -EINVAL;
}
return 0;
}
int main(int argc, char** argv) {
(void)argc;
android::base::InitLogging(argv, &android::base::KernelLogger);
// Linux 5.16-rc1 changed the default to 2 (disabled but changeable), but we need 0 (enabled)
// (this writeFile is known to fail on at least 4.19, but always defaults to 0 on pre-5.13,
// on 5.13+ it depends on CONFIG_BPF_UNPRIV_DEFAULT_OFF)
if (writeProcSysFile("/proc/sys/kernel/unprivileged_bpf_disabled", "0\n") &&
android::bpf::isAtLeastKernelVersion(5, 13, 0)) return 1;
// Enable the eBPF JIT -- but do note that on 64-bit kernels it is likely
// already force enabled by the kernel config option BPF_JIT_ALWAYS_ON
if (writeProcSysFile("/proc/sys/net/core/bpf_jit_enable", "1\n")) return 1;
// Enable JIT kallsyms export for privileged users only
if (writeProcSysFile("/proc/sys/net/core/bpf_jit_kallsyms", "1\n")) return 1;
// This is ugly... but this allows InProcessTethering which runs as system_server,
// instead of as network_stack to access /sys/fs/bpf/tethering, which would otherwise
// (due to genfscon rules) have fs_bpf_tethering selinux context, which is restricted
// to the network_stack process only (which is where out of process tethering runs)
if (isInProcessTethering() && !exists("/sys/fs/bpf/tethering")) {
if (createSysFsBpfSubDir(/* /sys/fs/bpf/ */ "net_shared")) return 1;
if (createSysFsBpfSubDir(/* /sys/fs/bpf/ */ "net_shared/tethering")) return 1;
/* /sys/fs/bpf/tethering -> net_shared/tethering */
if (symlink("net_shared/tethering", "/sys/fs/bpf/tethering")) {
ALOGE("symlink(net_shared/tethering, /sys/fs/bpf/tethering) -> %s", strerror(errno));
return 1;
}
}
// Create all the pin subdirectories
// (this must be done first to allow selinux_context and pin_subdir functionality,
// which could otherwise fail with ENOENT during object pinning or renaming,
// due to ordering issues)
for (const auto& location : locations) {
if (createSysFsBpfSubDir(location.prefix)) return 1;
}
// Note: there's no actual src dir for fs_bpf_loader .o's,
// so it is not listed in 'locations[].prefix'.
// This is because this is primarily meant for triggering genfscon rules,
// and as such this will likely always be the case.
// Thus we need to manually create the /sys/fs/bpf/loader subdirectory.
if (createSysFsBpfSubDir("loader")) return 1;
// Load all ELF objects, create programs and maps, and pin them
for (const auto& location : locations) {
if (loadAllElfObjects(location) != 0) {
ALOGE("=== CRITICAL FAILURE LOADING BPF PROGRAMS FROM %s ===", location.dir);
ALOGE("If this triggers reliably, you're probably missing kernel options or patches.");
ALOGE("If this triggers randomly, you might be hitting some memory allocation "
"problems or startup script race.");
ALOGE("--- DO NOT EXPECT SYSTEM TO BOOT SUCCESSFULLY ---");
sleep(20);
return 2;
}
}
int key = 1;
int value = 123;
android::base::unique_fd map(
android::bpf::createMap(BPF_MAP_TYPE_ARRAY, sizeof(key), sizeof(value), 2, 0));
if (android::bpf::writeToMapEntry(map, &key, &value, BPF_ANY)) {
ALOGE("Critical kernel bug - failure to write into index 1 of 2 element bpf map array.");
return 1;
}
if (android::base::SetProperty("bpf.progs_loaded", "1") == false) {
ALOGE("Failed to set bpf.progs_loaded property");
return 1;
}
return 0;
}
|
