diff options
author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 05:33:28 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-07 05:33:28 +0000 |
commit | c04d91b2d2cce41b9cbc513b984baa357ceb81a4 (patch) | |
tree | 962b147bd5768cc5a96f4e92e601aa0223355f79 | |
parent | a2d92cc2f6147d3e61b70d9509a8c1831bf45c64 (diff) | |
parent | a3b51a6ffefae6a58cd9315721407566125ae65e (diff) | |
download | netd-aml_rkp_341015010.tar.gz |
Snap for 10453563 from a3b51a6ffefae6a58cd9315721407566125ae65e to mainline-rkpd-releaseaml_rkp_341015010aml_rkp_341012000
Change-Id: I45f78f397d39d36d902d307a90673a21be7b2ed2
-rw-r--r-- | include/Fwmark.h | 2 | ||||
-rw-r--r-- | server/XfrmController.cpp | 56 | ||||
-rw-r--r-- | server/XfrmController.h | 10 | ||||
-rw-r--r-- | server/XfrmControllerTest.cpp | 12 | ||||
-rw-r--r-- | tests/Android.bp | 1 | ||||
-rw-r--r-- | tests/binder_test.cpp | 2 | ||||
-rw-r--r-- | tests/kernel_test.cpp | 19 | ||||
-rw-r--r-- | tests/netd_test.cpp | 17 |
8 files changed, 82 insertions, 37 deletions
diff --git a/include/Fwmark.h b/include/Fwmark.h index 8630710d..49aef4b4 100644 --- a/include/Fwmark.h +++ b/include/Fwmark.h @@ -29,6 +29,8 @@ union Fwmark { bool protectedFromVpn : 1; Permission permission : 2; bool uidBillingDone : 1; + unsigned reserved : 10; + bool ingress_cpu_wakeup : 1; // reserved for config_networkWakeupPacketMark/Mask }; constexpr Fwmark() : intValue(0) {} diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp index ed34f736..51c4197a 100644 --- a/server/XfrmController.cpp +++ b/server/XfrmController.cpp @@ -87,7 +87,9 @@ constexpr uint32_t ALGO_MASK_CRYPT_ALL = ~0; // Exposed for testing constexpr uint32_t ALGO_MASK_AEAD_ALL = ~0; // Exposed for testing -constexpr uint8_t REPLAY_WINDOW_SIZE = 32; +constexpr uint8_t REPLAY_WINDOW_SIZE = 0; +// Exposed for testing +constexpr uint32_t REPLAY_WINDOW_SIZE_ESN = 4096; namespace { @@ -946,6 +948,7 @@ netdutils::Status XfrmController::updateSecurityAssociation(const XfrmSaInfo& re nlattr_xfrm_output_mark xfrmoutputmark{}; nlattr_encap_tmpl encap{}; nlattr_xfrm_interface_id xfrm_if_id{}; + nlattr_xfrm_replay_esn xfrm_replay_esn{}; enum { NLMSG_HDR, @@ -965,26 +968,30 @@ netdutils::Status XfrmController::updateSecurityAssociation(const XfrmSaInfo& re ENCAP_PAD, INTF_ID, INTF_ID_PAD, + REPLAY_ESN, // Used to enable BMP (extended replay window) mode + REPLAY_ESN_PAD, }; std::vector<iovec> iov = { - {nullptr, 0}, // reserved for the eventual addition of a NLMSG_HDR - {&usersa, 0}, // main usersa_info struct - {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding - {&crypt, 0}, // adjust size if crypt algo is present - {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes - {&auth, 0}, // adjust size if auth algo is present - {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes - {&aead, 0}, // adjust size if aead algo is present - {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes - {&xfrmmark, 0}, // adjust size if xfrm mark is present - {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes - {&xfrmoutputmark, 0}, // adjust size if xfrm output mark is present - {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes - {&encap, 0}, // adjust size if encapsulating - {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes - {&xfrm_if_id, 0}, // adjust size if interface ID is present - {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes + {nullptr, 0}, // reserved for the eventual addition of a NLMSG_HDR + {&usersa, 0}, // main usersa_info struct + {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding + {&crypt, 0}, // adjust size if crypt algo is present + {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes + {&auth, 0}, // adjust size if auth algo is present + {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes + {&aead, 0}, // adjust size if aead algo is present + {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes + {&xfrmmark, 0}, // adjust size if xfrm mark is present + {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes + {&xfrmoutputmark, 0}, // adjust size if xfrm output mark is present + {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes + {&encap, 0}, // adjust size if encapsulating + {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes + {&xfrm_if_id, 0}, // adjust size if interface ID is present + {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes + {&xfrm_replay_esn, 0}, // Always use BMP mode with a large replay window + {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes }; if (!record.aead.name.empty() && (!record.auth.name.empty() || !record.crypt.name.empty())) { @@ -1032,6 +1039,9 @@ netdutils::Status XfrmController::updateSecurityAssociation(const XfrmSaInfo& re len = iov[INTF_ID].iov_len = fillNlAttrXfrmIntfId(record.xfrm_if_id, &xfrm_if_id); iov[INTF_ID_PAD].iov_len = NLA_ALIGN(len) - len; + len = iov[REPLAY_ESN].iov_len = fillNlAttrXfrmReplayEsn(&xfrm_replay_esn); + iov[REPLAY_ESN_PAD].iov_len = NLA_ALIGN(len) - len; + return sock.sendMessage(XFRM_MSG_UPDSA, NETLINK_REQUEST_FLAGS, 0, &iov); } @@ -1423,6 +1433,16 @@ int XfrmController::fillNlAttrXfrmIntfId(const uint32_t intfIdValue, return len; } +int XfrmController::fillNlAttrXfrmReplayEsn(nlattr_xfrm_replay_esn* replay_esn) { + replay_esn->replay_state.replay_window = REPLAY_WINDOW_SIZE_ESN; + replay_esn->replay_state.bmp_len = (REPLAY_WINDOW_SIZE_ESN + 31) / 32; + + // bmp array allocated in kernel, this does NOT account for that. + const int len = NLA_HDRLEN + sizeof(xfrm_replay_state_esn); + fillXfrmNlaHdr(&replay_esn->hdr, XFRMA_REPLAY_ESN_VAL, len); + return len; +} + int XfrmController::fillNlAttrXfrmMigrate(const XfrmMigrateInfo& record, nlattr_xfrm_user_migrate* migrate) { migrate->migrate.old_daddr = record.dstAddr; diff --git a/server/XfrmController.h b/server/XfrmController.h index 781bc5e5..798284c9 100644 --- a/server/XfrmController.h +++ b/server/XfrmController.h @@ -48,6 +48,8 @@ extern const uint32_t ALGO_MASK_CRYPT_ALL; extern const uint32_t ALGO_MASK_AEAD_ALL; // Exposed for testing extern const uint8_t REPLAY_WINDOW_SIZE; +// Exposed for testing +extern const uint32_t REPLAY_WINDOW_SIZE_ESN; // Suggest we avoid the smallest and largest ints class XfrmMessage; @@ -316,6 +318,13 @@ public: uint8_t key[MAX_KEY_LENGTH]; }; + // Container for the content of an XFRMA_REPLAY_ESN_VAL netlink attribute. + // Exposed for testing + struct nlattr_xfrm_replay_esn { + nlattr hdr; + xfrm_replay_state_esn replay_state; + }; + #pragma clang diagnostic pop // Exposed for testing @@ -413,6 +422,7 @@ public: static int fillNlAttrXfrmOutputMark(const XfrmSaInfo& record, nlattr_xfrm_output_mark* output_mark); static int fillNlAttrXfrmIntfId(const __u32 intf_id_value, nlattr_xfrm_interface_id* intf_id); + static int fillNlAttrXfrmReplayEsn(nlattr_xfrm_replay_esn* replay_esn); static int fillNlAttrXfrmMigrate(const XfrmMigrateInfo& record, nlattr_xfrm_user_migrate* migrate); diff --git a/server/XfrmControllerTest.cpp b/server/XfrmControllerTest.cpp index ca53839b..c65e1f91 100644 --- a/server/XfrmControllerTest.cpp +++ b/server/XfrmControllerTest.cpp @@ -329,7 +329,8 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls& size_t expectedMsgLength = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(xfrm_usersa_info)) + NLA_ALIGN(offsetof(XfrmController::nlattr_algo_crypt, key) + KEY_LENGTH) + - NLA_ALIGN(offsetof(XfrmController::nlattr_algo_auth, key) + KEY_LENGTH); + NLA_ALIGN(offsetof(XfrmController::nlattr_algo_auth, key) + KEY_LENGTH) + + NLA_ALIGN(sizeof(XfrmController::nlattr_xfrm_replay_esn)); uint32_t testIfId = 0; uint32_t testMark = 0; @@ -392,6 +393,7 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls& // Extract and check the encryption/authentication algorithm XfrmController::nlattr_algo_crypt _encryptAlgo{}; XfrmController::nlattr_algo_auth _authAlgo{}; + XfrmController::nlattr_xfrm_replay_esn _replayEsn{}; // Need to use a pointer since you can't pass a structure with a variable // sized array in a lambda. XfrmController::nlattr_algo_crypt* const encryptAlgo = &_encryptAlgo; @@ -399,7 +401,8 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls& XfrmController::nlattr_xfrm_mark mark{}; XfrmController::nlattr_xfrm_output_mark outputmark{}; XfrmController::nlattr_xfrm_interface_id xfrm_if_id{}; - auto attrHandler = [&encryptAlgo, &authAlgo, &mark, &outputmark, &xfrm_if_id]( + XfrmController::nlattr_xfrm_replay_esn* const replay_esn = &_replayEsn; + auto attrHandler = [&encryptAlgo, &authAlgo, &mark, &outputmark, &xfrm_if_id, &replay_esn]( const nlattr& attr, const Slice& attr_payload) { Slice buf = attr_payload; if (attr.nla_type == XFRMA_ALG_CRYPT) { @@ -421,6 +424,9 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls& } else if (attr.nla_type == XFRMA_IF_ID) { xfrm_if_id.hdr = attr; netdutils::extract(buf, xfrm_if_id.if_id); + } else if (attr.nla_type == XFRMA_REPLAY_ESN_VAL) { + replay_esn->hdr = attr; + netdutils::extract(buf, replay_esn->replay_state); } else { FAIL() << "Unexpected nlattr type: " << attr.nla_type; } @@ -432,6 +438,8 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls& reinterpret_cast<void*>(&encryptAlgo->key), KEY_LENGTH)); EXPECT_EQ(0, memcmp(reinterpret_cast<void*>(authKey.data()), reinterpret_cast<void*>(&authAlgo->key), KEY_LENGTH)); + EXPECT_EQ(REPLAY_WINDOW_SIZE_ESN, replay_esn->replay_state.replay_window); + EXPECT_EQ((REPLAY_WINDOW_SIZE_ESN + 31) / 32, replay_esn->replay_state.bmp_len); if (mode == XfrmMode::TUNNEL) { if (params.xfrmInterfacesEnabled) { diff --git a/tests/Android.bp b/tests/Android.bp index b046b198..b1393470 100644 --- a/tests/Android.bp +++ b/tests/Android.bp @@ -94,6 +94,7 @@ cc_test { shared_libs: [ "libbase", "libbinder", + "libbinder_ndk", "libcrypto", "libcutils", "liblog", diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp index c85de3ae..7d3bbc87 100644 --- a/tests/binder_test.cpp +++ b/tests/binder_test.cpp @@ -54,7 +54,7 @@ #include <android-base/test_utils.h> #include <android/multinetwork.h> #include <binder/IPCThreadState.h> -#include <bpf/KernelVersion.h> +#include <bpf/KernelUtils.h> #include <com/android/internal/net/BnOemNetdUnsolicitedEventListener.h> #include <com/android/internal/net/IOemNetd.h> #include <cutils/multiuser.h> diff --git a/tests/kernel_test.cpp b/tests/kernel_test.cpp index b9e1875e..517b165c 100644 --- a/tests/kernel_test.cpp +++ b/tests/kernel_test.cpp @@ -21,6 +21,8 @@ #include <fstream> #include <string> +#include "bpf/KernelUtils.h" + namespace android { namespace net { @@ -72,5 +74,22 @@ TEST(KernelTest, TestRateLimitingSupport) { ASSERT_TRUE(configVerifier.hasOption("CONFIG_BPF_JIT")); } +TEST(KernelTest, TestBpfJitAlwaysOn) { + // 32-bit arm & x86 kernels aren't capable of JIT-ing all of our BPF code, + if (bpf::isKernel32Bit()) GTEST_SKIP() << "Exempt on 32-bit kernel."; + KernelConfigVerifier configVerifier; + ASSERT_TRUE(configVerifier.hasOption("CONFIG_BPF_JIT_ALWAYS_ON")); +} + +/* Android 14/U should only launch on 64-bit kernels + * T launches on 5.10/5.15 + * U launches on 5.15/6.1 + * So >=5.16 implies isKernel64Bit() + */ +TEST(KernelTest, TestKernel64Bit) { + if (!bpf::isAtLeastKernelVersion(5, 16, 0)) GTEST_SKIP() << "Exempt on < 5.16 kernel."; + ASSERT_TRUE(bpf::isKernel64Bit()); +} + } // namespace net } // namespace android diff --git a/tests/netd_test.cpp b/tests/netd_test.cpp index a04a6a76..a1f222b9 100644 --- a/tests/netd_test.cpp +++ b/tests/netd_test.cpp @@ -92,26 +92,11 @@ TEST(NetdSELinuxTest, CheckProperBpfLabels) { assertBpfContext("/sys/fs/bpf/net_shared", "fs_bpf_net_shared"); assertBpfContext("/sys/fs/bpf/netd_readonly", "fs_bpf_netd_readonly"); assertBpfContext("/sys/fs/bpf/netd_shared", "fs_bpf_netd_shared"); + assertBpfContext("/sys/fs/bpf/tethering", "fs_bpf_tethering"); assertBpfContext("/sys/fs/bpf/vendor", "fs_bpf_vendor"); assertBpfContext("/sys/fs/bpf/loader", "fs_bpf_loader"); } -bool isTetheringInProcess() { - int v = access("/apex/com.android.tethering/etc/flag/in-process", F_OK); - if (!v) return true; - EXPECT_EQ(v, -1) << "expected return of found(0) or notfound(-1/ENOENT)"; - EXPECT_EQ(errno, ENOENT) << "expected return of found(0) or notfound(-1/ENOENT)"; - return false; -} - -TEST(NetdSELinuxTest, CheckProperBpfTetheringLabels) { - if (isTetheringInProcess()) { - assertBpfContext("/sys/fs/bpf/net_shared/tethering", "fs_bpf_net_shared"); - } else { - assertBpfContext("/sys/fs/bpf/tethering", "fs_bpf_tethering"); - } -} - // Trivial thread function that simply immediately terminates successfully. static int thread(void*) { return 0; |