authorMaciej Żenczykowski <maze@google.com>2020-06-19 04:52:43 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2020-06-19 04:52:43 +0000
commit6f8117d218bdfdfe150001ea37645ae97ca92185 (patch)
treeb38b94f4ad793eaefd4ab1a338a030e32e18b5ed
parent10673993449b54d593bf1df91d008d99e05f007f (diff)
parent251b3ee12de52afc82d90eca99255e2a726a15d1 (diff)
downloadnetd-6f8117d218bdfdfe150001ea37645ae97ca92185.tar.gz
stop abusing netd's DAC override on prog accesses by using R/O fetch am: 251b3ee12d
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/netd/+/11920239 Change-Id: I067ce221740d1efc117525cc20abdcc38970c335
-rw-r--r--server/OffloadUtils.h23
-rw-r--r--server/TrafficController.cpp2
-rw-r--r--tests/netlink_listener_test.cpp2
3 files changed, 13 insertions, 14 deletions
diff --git a/server/OffloadUtils.h b/server/OffloadUtils.h
index e7193e46..818fd39d 100644
--- a/server/OffloadUtils.h
+++ b/server/OffloadUtils.h
@@ -48,46 +48,45 @@ int hardwareAddressType(const std::string& interface);
base::Result<bool> isEthernet(const std::string& interface);
inline int getClatEgressMapFd(void) {
- const int fd = bpf::bpfFdGet(CLAT_EGRESS_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(CLAT_EGRESS_MAP_PATH);
return (fd == -1) ? -errno : fd;
}
inline int getClatEgressProgFd(bool with_ethernet_header) {
- const int fd = bpf::bpfFdGet(
- with_ethernet_header ? CLAT_EGRESS_PROG_ETHER_PATH : CLAT_EGRESS_PROG_RAWIP_PATH, 0);
+ const int fd = bpf::retrieveProgram(with_ethernet_header ? CLAT_EGRESS_PROG_ETHER_PATH
+ : CLAT_EGRESS_PROG_RAWIP_PATH);
return (fd == -1) ? -errno : fd;
}
inline int getClatIngressMapFd(void) {
- const int fd = bpf::bpfFdGet(CLAT_INGRESS_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(CLAT_INGRESS_MAP_PATH);
return (fd == -1) ? -errno : fd;
}
inline int getClatIngressProgFd(bool with_ethernet_header) {
- const int fd = bpf::bpfFdGet(
- with_ethernet_header ? CLAT_INGRESS_PROG_ETHER_PATH : CLAT_INGRESS_PROG_RAWIP_PATH, 0);
+ const int fd = bpf::retrieveProgram(with_ethernet_header ? CLAT_INGRESS_PROG_ETHER_PATH
+ : CLAT_INGRESS_PROG_RAWIP_PATH);
return (fd == -1) ? -errno : fd;
}
inline int getTetherIngressMapFd(void) {
- const int fd = bpf::bpfFdGet(TETHER_INGRESS_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(TETHER_INGRESS_MAP_PATH);
return (fd == -1) ? -errno : fd;
}
inline int getTetherIngressProgFd(bool with_ethernet_header) {
- const int fd = bpf::bpfFdGet(
- with_ethernet_header ? TETHER_INGRESS_PROG_ETHER_PATH : TETHER_INGRESS_PROG_RAWIP_PATH,
- 0);
+ const int fd = bpf::retrieveProgram(with_ethernet_header ? TETHER_INGRESS_PROG_ETHER_PATH
+ : TETHER_INGRESS_PROG_RAWIP_PATH);
return (fd == -1) ? -errno : fd;
}
inline int getTetherStatsMapFd(void) {
- const int fd = bpf::bpfFdGet(TETHER_STATS_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(TETHER_STATS_MAP_PATH);
return (fd == -1) ? -errno : fd;
}
inline int getTetherLimitMapFd(void) {
- const int fd = bpf::bpfFdGet(TETHER_LIMIT_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(TETHER_LIMIT_MAP_PATH);
return (fd == -1) ? -errno : fd;
}
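Review bot: All five map getters in this hunk (getClatEgressMapFd, getClatIngressMapFd, getTetherIngressMapFd, getTetherStatsMapFd, getTetherLimitMapFd) call `bpf::mapRetrieveRW`, so every caller gets a writable map fd even though the commit title is about narrowing access. If some callers only read (the stats map looks like a candidate, though its callers are outside this hunk), a read-only getter built on `bpf::mapRetrieveRO` would keep write access with the code that actually updates the map. These getters also return a raw int rather than a `unique_fd`, so a header comment such as `// Returns a new fd the caller must close, or -errno on failure.` would make the ownership and error convention explicit.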
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index 9d7d6a1d..3839962f 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp
@@ -202,7 +202,7 @@ Status TrafficController::initMaps() {
static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd,
bpf_attach_type type) {
- unique_fd cgroupProg(bpfFdGet(programPath, 0));
+ unique_fd cgroupProg(retrieveProgram(programPath));
if (cgroupProg == -1) {
int ret = errno;
ALOGE("Failed to get program from %s: %s", programPath, strerror(ret));
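Review bot: Nothing at the `retrieveProgram(programPath)` call records why a read-only fetch is enough, so a later edit could switch it back to a read-write open and bring back the dependence on DAC override named in the commit title. Assuming the attach that follows needs only a read-only program fd, a one-line comment above the call would do, for example `// Read-only fetch: attaching does not need write access to the pinned program.` The body of attachProgramToCgroup continues past the end of this hunk, so the attach call itself is not visible here.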
diff --git a/tests/netlink_listener_test.cpp b/tests/netlink_listener_test.cpp
index 95c6d1af..46394cac 100644
--- a/tests/netlink_listener_test.cpp
+++ b/tests/netlink_listener_test.cpp
@@ -69,7 +69,7 @@ class NetlinkListenerTest : public testing::Test {
void SetUp() {
SKIP_IF_BPF_NOT_SUPPORTED;
- mCookieTagMap.reset(android::bpf::mapRetrieve(COOKIE_TAG_MAP_PATH, 0));
+ mCookieTagMap.reset(android::bpf::mapRetrieveRW(COOKIE_TAG_MAP_PATH));
ASSERT_TRUE(mCookieTagMap.isValid());
}