Snap for 10453563 from a3b51a6ffefae6a58cd9315721407566125ae65e to mainline-rkpd-releaseaml_rkp_341015010aml_rkp_341012000

Change-Id: I45f78f397d39d36d902d307a90673a21be7b2ed2

8 files changed, 82 insertions, 37 deletions

diff --git a/include/Fwmark.h b/include/Fwmark.h
index 8630710d..49aef4b4 100644
--- a/include/Fwmark.h
+++ b/include/Fwmark.h
@@ -29,6 +29,8 @@ union Fwmark {
         bool protectedFromVpn   :  1;
         Permission permission   :  2;
         bool uidBillingDone     :  1;
+        unsigned reserved       : 10;
+        bool ingress_cpu_wakeup :  1;  // reserved for config_networkWakeupPacketMark/Mask
     };
     constexpr Fwmark() : intValue(0) {}
 
diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp
index ed34f736..51c4197a 100644
--- a/server/XfrmController.cpp
+++ b/server/XfrmController.cpp
@@ -87,7 +87,9 @@ constexpr uint32_t ALGO_MASK_CRYPT_ALL = ~0;
 // Exposed for testing
 constexpr uint32_t ALGO_MASK_AEAD_ALL = ~0;
 // Exposed for testing
-constexpr uint8_t REPLAY_WINDOW_SIZE = 32;
+constexpr uint8_t REPLAY_WINDOW_SIZE = 0;
+// Exposed for testing
+constexpr uint32_t REPLAY_WINDOW_SIZE_ESN = 4096;
 
 namespace {
 
@@ -946,6 +948,7 @@ netdutils::Status XfrmController::updateSecurityAssociation(const XfrmSaInfo& re
     nlattr_xfrm_output_mark xfrmoutputmark{};
     nlattr_encap_tmpl encap{};
     nlattr_xfrm_interface_id xfrm_if_id{};
+    nlattr_xfrm_replay_esn xfrm_replay_esn{};
 
     enum {
         NLMSG_HDR,
@@ -965,26 +968,30 @@ netdutils::Status XfrmController::updateSecurityAssociation(const XfrmSaInfo& re
         ENCAP_PAD,
         INTF_ID,
         INTF_ID_PAD,
+        REPLAY_ESN,  // Used to enable BMP (extended replay window) mode
+        REPLAY_ESN_PAD,
     };
 
     std::vector<iovec> iov = {
-            {nullptr, 0},          // reserved for the eventual addition of a NLMSG_HDR
-            {&usersa, 0},          // main usersa_info struct
-            {kPadBytes, 0},        // up to NLMSG_ALIGNTO pad bytes of padding
-            {&crypt, 0},           // adjust size if crypt algo is present
-            {kPadBytes, 0},        // up to NLATTR_ALIGNTO pad bytes
-            {&auth, 0},            // adjust size if auth algo is present
-            {kPadBytes, 0},        // up to NLATTR_ALIGNTO pad bytes
-            {&aead, 0},            // adjust size if aead algo is present
-            {kPadBytes, 0},        // up to NLATTR_ALIGNTO pad bytes
-            {&xfrmmark, 0},        // adjust size if xfrm mark is present
-            {kPadBytes, 0},        // up to NLATTR_ALIGNTO pad bytes
-            {&xfrmoutputmark, 0},  // adjust size if xfrm output mark is present
-            {kPadBytes, 0},        // up to NLATTR_ALIGNTO pad bytes
-            {&encap, 0},           // adjust size if encapsulating
-            {kPadBytes, 0},        // up to NLATTR_ALIGNTO pad bytes
-            {&xfrm_if_id, 0},      // adjust size if interface ID is present
-            {kPadBytes, 0},        // up to NLATTR_ALIGNTO pad bytes
+            {nullptr, 0},           // reserved for the eventual addition of a NLMSG_HDR
+            {&usersa, 0},           // main usersa_info struct
+            {kPadBytes, 0},         // up to NLMSG_ALIGNTO pad bytes of padding
+            {&crypt, 0},            // adjust size if crypt algo is present
+            {kPadBytes, 0},         // up to NLATTR_ALIGNTO pad bytes
+            {&auth, 0},             // adjust size if auth algo is present
+            {kPadBytes, 0},         // up to NLATTR_ALIGNTO pad bytes
+            {&aead, 0},             // adjust size if aead algo is present
+            {kPadBytes, 0},         // up to NLATTR_ALIGNTO pad bytes
+            {&xfrmmark, 0},         // adjust size if xfrm mark is present
+            {kPadBytes, 0},         // up to NLATTR_ALIGNTO pad bytes
+            {&xfrmoutputmark, 0},   // adjust size if xfrm output mark is present
+            {kPadBytes, 0},         // up to NLATTR_ALIGNTO pad bytes
+            {&encap, 0},            // adjust size if encapsulating
+            {kPadBytes, 0},         // up to NLATTR_ALIGNTO pad bytes
+            {&xfrm_if_id, 0},       // adjust size if interface ID is present
+            {kPadBytes, 0},         // up to NLATTR_ALIGNTO pad bytes
+            {&xfrm_replay_esn, 0},  // Always use BMP mode with a large replay window
+            {kPadBytes, 0},         // up to NLATTR_ALIGNTO pad bytes
     };
 
     if (!record.aead.name.empty() && (!record.auth.name.empty() || !record.crypt.name.empty())) {
@@ -1032,6 +1039,9 @@ netdutils::Status XfrmController::updateSecurityAssociation(const XfrmSaInfo& re
     len = iov[INTF_ID].iov_len = fillNlAttrXfrmIntfId(record.xfrm_if_id, &xfrm_if_id);
     iov[INTF_ID_PAD].iov_len = NLA_ALIGN(len) - len;
 
+    len = iov[REPLAY_ESN].iov_len = fillNlAttrXfrmReplayEsn(&xfrm_replay_esn);
+    iov[REPLAY_ESN_PAD].iov_len = NLA_ALIGN(len) - len;
+
     return sock.sendMessage(XFRM_MSG_UPDSA, NETLINK_REQUEST_FLAGS, 0, &iov);
 }
 
@@ -1423,6 +1433,16 @@ int XfrmController::fillNlAttrXfrmIntfId(const uint32_t intfIdValue,
     return len;
 }
 
+int XfrmController::fillNlAttrXfrmReplayEsn(nlattr_xfrm_replay_esn* replay_esn) {
+    replay_esn->replay_state.replay_window = REPLAY_WINDOW_SIZE_ESN;
+    replay_esn->replay_state.bmp_len = (REPLAY_WINDOW_SIZE_ESN + 31) / 32;
+
+    // bmp array allocated in kernel, this does NOT account for that.
+    const int len = NLA_HDRLEN + sizeof(xfrm_replay_state_esn);
+    fillXfrmNlaHdr(&replay_esn->hdr, XFRMA_REPLAY_ESN_VAL, len);
+    return len;
+}
+
 int XfrmController::fillNlAttrXfrmMigrate(const XfrmMigrateInfo& record,
                                           nlattr_xfrm_user_migrate* migrate) {
     migrate->migrate.old_daddr = record.dstAddr;
diff --git a/server/XfrmController.h b/server/XfrmController.h
index 781bc5e5..798284c9 100644
--- a/server/XfrmController.h
+++ b/server/XfrmController.h
@@ -48,6 +48,8 @@ extern const uint32_t ALGO_MASK_CRYPT_ALL;
 extern const uint32_t ALGO_MASK_AEAD_ALL;
 // Exposed for testing
 extern const uint8_t REPLAY_WINDOW_SIZE;
+// Exposed for testing
+extern const uint32_t REPLAY_WINDOW_SIZE_ESN;
 
 // Suggest we avoid the smallest and largest ints
 class XfrmMessage;
@@ -316,6 +318,13 @@ public:
         uint8_t key[MAX_KEY_LENGTH];
     };
 
+    // Container for the content of an XFRMA_REPLAY_ESN_VAL netlink attribute.
+    // Exposed for testing
+    struct nlattr_xfrm_replay_esn {
+        nlattr hdr;
+        xfrm_replay_state_esn replay_state;
+    };
+
 #pragma clang diagnostic pop
 
     // Exposed for testing
@@ -413,6 +422,7 @@ public:
     static int fillNlAttrXfrmOutputMark(const XfrmSaInfo& record,
                                         nlattr_xfrm_output_mark* output_mark);
     static int fillNlAttrXfrmIntfId(const __u32 intf_id_value, nlattr_xfrm_interface_id* intf_id);
+    static int fillNlAttrXfrmReplayEsn(nlattr_xfrm_replay_esn* replay_esn);
     static int fillNlAttrXfrmMigrate(const XfrmMigrateInfo& record,
                                      nlattr_xfrm_user_migrate* migrate);
 
diff --git a/server/XfrmControllerTest.cpp b/server/XfrmControllerTest.cpp
index ca53839b..c65e1f91 100644
--- a/server/XfrmControllerTest.cpp
+++ b/server/XfrmControllerTest.cpp
@@ -329,7 +329,8 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls&
     size_t expectedMsgLength =
             NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(xfrm_usersa_info)) +
             NLA_ALIGN(offsetof(XfrmController::nlattr_algo_crypt, key) + KEY_LENGTH) +
-            NLA_ALIGN(offsetof(XfrmController::nlattr_algo_auth, key) + KEY_LENGTH);
+            NLA_ALIGN(offsetof(XfrmController::nlattr_algo_auth, key) + KEY_LENGTH) +
+            NLA_ALIGN(sizeof(XfrmController::nlattr_xfrm_replay_esn));
 
     uint32_t testIfId = 0;
     uint32_t testMark = 0;
@@ -392,6 +393,7 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls&
     // Extract and check the encryption/authentication algorithm
     XfrmController::nlattr_algo_crypt _encryptAlgo{};
     XfrmController::nlattr_algo_auth _authAlgo{};
+    XfrmController::nlattr_xfrm_replay_esn _replayEsn{};
     // Need to use a pointer since you can't pass a structure with a variable
     // sized array in a lambda.
     XfrmController::nlattr_algo_crypt* const encryptAlgo = &_encryptAlgo;
@@ -399,7 +401,8 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls&
     XfrmController::nlattr_xfrm_mark mark{};
     XfrmController::nlattr_xfrm_output_mark outputmark{};
     XfrmController::nlattr_xfrm_interface_id xfrm_if_id{};
-    auto attrHandler = [&encryptAlgo, &authAlgo, &mark, &outputmark, &xfrm_if_id](
+    XfrmController::nlattr_xfrm_replay_esn* const replay_esn = &_replayEsn;
+    auto attrHandler = [&encryptAlgo, &authAlgo, &mark, &outputmark, &xfrm_if_id, &replay_esn](
                                const nlattr& attr, const Slice& attr_payload) {
         Slice buf = attr_payload;
         if (attr.nla_type == XFRMA_ALG_CRYPT) {
@@ -421,6 +424,9 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls&
         } else if (attr.nla_type == XFRMA_IF_ID) {
             xfrm_if_id.hdr = attr;
             netdutils::extract(buf, xfrm_if_id.if_id);
+        } else if (attr.nla_type == XFRMA_REPLAY_ESN_VAL) {
+            replay_esn->hdr = attr;
+            netdutils::extract(buf, replay_esn->replay_state);
         } else {
             FAIL() << "Unexpected nlattr type: " << attr.nla_type;
         }
@@ -432,6 +438,8 @@ void testIpSecAddSecurityAssociation(testCaseParams params, const MockSyscalls&
                         reinterpret_cast<void*>(&encryptAlgo->key), KEY_LENGTH));
     EXPECT_EQ(0, memcmp(reinterpret_cast<void*>(authKey.data()),
                         reinterpret_cast<void*>(&authAlgo->key), KEY_LENGTH));
+    EXPECT_EQ(REPLAY_WINDOW_SIZE_ESN, replay_esn->replay_state.replay_window);
+    EXPECT_EQ((REPLAY_WINDOW_SIZE_ESN + 31) / 32, replay_esn->replay_state.bmp_len);
 
     if (mode == XfrmMode::TUNNEL) {
         if (params.xfrmInterfacesEnabled) {
diff --git a/tests/Android.bp b/tests/Android.bp
index b046b198..b1393470 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -94,6 +94,7 @@ cc_test {
     shared_libs: [
         "libbase",
         "libbinder",
+        "libbinder_ndk",
         "libcrypto",
         "libcutils",
         "liblog",
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index c85de3ae..7d3bbc87 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -54,7 +54,7 @@
 #include <android-base/test_utils.h>
 #include <android/multinetwork.h>
 #include <binder/IPCThreadState.h>
-#include <bpf/KernelVersion.h>
+#include <bpf/KernelUtils.h>
 #include <com/android/internal/net/BnOemNetdUnsolicitedEventListener.h>
 #include <com/android/internal/net/IOemNetd.h>
 #include <cutils/multiuser.h>
diff --git a/tests/kernel_test.cpp b/tests/kernel_test.cpp
index b9e1875e..517b165c 100644
--- a/tests/kernel_test.cpp
+++ b/tests/kernel_test.cpp
@@ -21,6 +21,8 @@
 #include <fstream>
 #include <string>
 
+#include "bpf/KernelUtils.h"
+
 namespace android {
 namespace net {
 
@@ -72,5 +74,22 @@ TEST(KernelTest, TestRateLimitingSupport) {
     ASSERT_TRUE(configVerifier.hasOption("CONFIG_BPF_JIT"));
 }
 
+TEST(KernelTest, TestBpfJitAlwaysOn) {
+    // 32-bit arm & x86 kernels aren't capable of JIT-ing all of our BPF code,
+    if (bpf::isKernel32Bit()) GTEST_SKIP() << "Exempt on 32-bit kernel.";
+    KernelConfigVerifier configVerifier;
+    ASSERT_TRUE(configVerifier.hasOption("CONFIG_BPF_JIT_ALWAYS_ON"));
+}
+
+/* Android 14/U should only launch on 64-bit kernels
+ *   T launches on 5.10/5.15
+ *   U launches on 5.15/6.1
+ * So >=5.16 implies isKernel64Bit()
+ */
+TEST(KernelTest, TestKernel64Bit) {
+    if (!bpf::isAtLeastKernelVersion(5, 16, 0)) GTEST_SKIP() << "Exempt on < 5.16 kernel.";
+    ASSERT_TRUE(bpf::isKernel64Bit());
+}
+
 }  // namespace net
 }  // namespace android
diff --git a/tests/netd_test.cpp b/tests/netd_test.cpp
index a04a6a76..a1f222b9 100644
--- a/tests/netd_test.cpp
+++ b/tests/netd_test.cpp
@@ -92,26 +92,11 @@ TEST(NetdSELinuxTest, CheckProperBpfLabels) {
     assertBpfContext("/sys/fs/bpf/net_shared", "fs_bpf_net_shared");
     assertBpfContext("/sys/fs/bpf/netd_readonly", "fs_bpf_netd_readonly");
     assertBpfContext("/sys/fs/bpf/netd_shared", "fs_bpf_netd_shared");
+    assertBpfContext("/sys/fs/bpf/tethering", "fs_bpf_tethering");
     assertBpfContext("/sys/fs/bpf/vendor", "fs_bpf_vendor");
     assertBpfContext("/sys/fs/bpf/loader", "fs_bpf_loader");
 }
 
-bool isTetheringInProcess() {
-    int v = access("/apex/com.android.tethering/etc/flag/in-process", F_OK);
-    if (!v) return true;
-    EXPECT_EQ(v, -1) << "expected return of found(0) or notfound(-1/ENOENT)";
-    EXPECT_EQ(errno, ENOENT) << "expected return of found(0) or notfound(-1/ENOENT)";
-    return false;
-}
-
-TEST(NetdSELinuxTest, CheckProperBpfTetheringLabels) {
-    if (isTetheringInProcess()) {
-        assertBpfContext("/sys/fs/bpf/net_shared/tethering", "fs_bpf_net_shared");
-    } else {
-        assertBpfContext("/sys/fs/bpf/tethering", "fs_bpf_tethering");
-    }
-}
-
 // Trivial thread function that simply immediately terminates successfully.
 static int thread(void*) {
     return 0;