author | android-build-team Robot <android-build-team-robot@google.com> | 2019-11-11 21:25:07 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2019-11-11 21:25:07 +0000 |
commit | 3f258b6361c65883e828b35b9090fa80ee68c62c (patch) | |
tree | de5383c4e0d5351b54c3623142e408f941655717 | |
parent | 73254a1d10dde0b7ea16d3f62816b14891fed090 (diff) | |
parent | 624b332a987413c143cdcb2bce734a0ca72ad351 (diff) | |
download | netd-3f258b6361c65883e828b35b9090fa80ee68c62c.tar.gz |
Snap for 6001391 from 624b332a987413c143cdcb2bce734a0ca72ad351 to qt-aml-tzdata-release
Change-Id: Id9c3e27ef8ed08872ecf50f155e7a437205592d9
-rw-r--r-- | Android.bp | 2 | ||||
-rw-r--r-- | PREUPLOAD.cfg | 1 | ||||
-rw-r--r-- | bpf_progs/Android.bp | 5 | ||||
-rw-r--r-- | bpf_progs/bpf_net_helpers.h | 51 | ||||
-rw-r--r-- | bpf_progs/clatd.c | 12 | ||||
-rw-r--r-- | bpf_progs/netd.c | 4 | ||||
-rw-r--r-- | bpf_progs/netd.h | 1 | ||||
-rw-r--r-- | server/Android.bp | 14 | ||||
-rw-r--r-- | server/ClatdController.cpp | 2 | ||||
-rw-r--r-- | server/ResolvStub.cpp | 4 | ||||
-rw-r--r-- | server/main.cpp | 5 | ||||
-rw-r--r-- | tests/Android.bp | 2 | ||||
-rw-r--r-- | tests/binder_test.cpp | 24 |
13 files changed, 93 insertions, 34 deletions
@@ -10,6 +10,8 @@ cc_defaults {
         "-Werror",
         // Override -Wno-error=implicit-fallthrough from soong
         "-Werror=implicit-fallthrough",
+        "-Werror=sometimes-uninitialized",
+        "-Werror=conditional-uninitialized",
         "-Wnullable-to-nonnull-conversion",
         "-Wsign-compare",
         "-Wthread-safety",
diff --git a/PREUPLOAD.cfg b/PREUPLOAD.cfg
index c8dbf77f..27eac943 100644
--- a/PREUPLOAD.cfg
+++ b/PREUPLOAD.cfg
@@ -1,5 +1,6 @@
 [Builtin Hooks]
 clang_format = true
+commit_msg_test_field = false
 
 [Builtin Hooks Options]
 clang_format = --commit ${PREUPLOAD_COMMIT} --style file --extensions c,h,cc,cpp
diff --git a/bpf_progs/Android.bp b/bpf_progs/Android.bp
index a393035b..7b1f015a 100644
--- a/bpf_progs/Android.bp
+++ b/bpf_progs/Android.bp
@@ -14,6 +14,11 @@
 // limitations under the License.
 //
 
+cc_library_headers {
+    name: "netd_bpf_progs_headers",
+    export_include_dirs: ["."],
+}
+
 //
 // bpf kernel programs
 //
diff --git a/bpf_progs/bpf_net_helpers.h b/bpf_progs/bpf_net_helpers.h
new file mode 100644
index 00000000..714b7e6e
--- /dev/null
+++ b/bpf_progs/bpf_net_helpers.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef NETDBPF_BPF_NET_HELPERS_H
+#define NETDBPF_BPF_NET_HELPERS_H
+
+#include <linux/bpf.h>
+#include <linux/if_packet.h>
+#include <stdbool.h>
+#include <stdint.h>
+
+// this returns 0 iff skb->sk is NULL
+static uint64_t (*bpf_get_socket_cookie)(struct __sk_buff* skb) = (void*)BPF_FUNC_get_socket_cookie;
+
+static uint32_t (*bpf_get_socket_uid)(struct __sk_buff* skb) = (void*)BPF_FUNC_get_socket_uid;
+static int (*bpf_skb_load_bytes)(struct __sk_buff* skb, int off, void* to,
+                                 int len) = (void*)BPF_FUNC_skb_load_bytes;
+
+static int (*bpf_skb_change_proto)(struct __sk_buff* skb, __be16 proto,
+                                   __u64 flags) = (void*)BPF_FUNC_skb_change_proto;
+static int (*bpf_l3_csum_replace)(struct __sk_buff* skb, __u32 offset, __u64 from, __u64 to,
+                                  __u64 flags) = (void*)BPF_FUNC_l3_csum_replace;
+static int (*bpf_l4_csum_replace)(struct __sk_buff* skb, __u32 offset, __u64 from, __u64 to,
+                                  __u64 flags) = (void*)BPF_FUNC_l4_csum_replace;
+static int (*bpf_redirect)(__u32 ifindex, __u64 flags) = (void*)BPF_FUNC_redirect;
+
+// Android only supports little endian architectures
+#define htons(x) (__builtin_constant_p(x) ? ___constant_swab16(x) : __builtin_bswap16(x))
+#define htonl(x) (__builtin_constant_p(x) ? ___constant_swab32(x) : __builtin_bswap32(x))
+#define ntohs(x) htons(x)
+#define ntohl(x) htonl(x)
+
+static inline __always_inline __unused bool is_received_skb(struct __sk_buff* skb) {
+    return skb->pkt_type == PACKET_HOST || skb->pkt_type == PACKET_BROADCAST ||
+           skb->pkt_type == PACKET_MULTICAST;
+}
+
+#endif  // NETDBPF_BPF_NET_HELPERS_H
diff --git a/bpf_progs/clatd.c b/bpf_progs/clatd.c
index c2cd9502..fb7acfab 100644
--- a/bpf_progs/clatd.c
+++ b/bpf_progs/clatd.c
@@ -27,17 +27,12 @@
 #include <stdint.h>
 
 #include "bpf_helpers.h"
+#include "bpf_net_helpers.h"
 #include "netdbpf/bpf_shared.h"
 
 // From kernel:include/net/ip.h
 #define IP_DF 0x4000  // Flag: "Don't Fragment"
 
-// Android only supports little endian architectures
-#define htons(x) (__builtin_constant_p(x) ? ___constant_swab16(x) : __builtin_bswap16(x))
-#define htonl(x) (__builtin_constant_p(x) ? ___constant_swab32(x) : __builtin_bswap32(x))
-#define ntohs(x) htons(x)
-#define ntohl(x) htonl(x)
-
 DEFINE_BPF_MAP(clat_ingress_map, HASH, ClatIngressKey, ClatIngressValue, 16)
 
 static inline __always_inline int nat64(struct __sk_buff* skb, bool is_ethernet) {
@@ -121,8 +116,9 @@ static inline __always_inline int nat64(struct __sk_buff* skb, bool is_ethernet)
     // Note that there is no L4 checksum update: we are relying on the checksum neutrality
     // of the ipv6 address chosen by netd's ClatdController.
 
-    // Packet mutations begin - point of no return.
-    if (bpf_skb_change_proto(skb, htons(ETH_P_IP), 0)) return TC_ACT_SHOT;
+    // Packet mutations begin - point of no return, but if this first modification fails
+    // the packet is probably still pristine, so let clatd handle it.
+    if (bpf_skb_change_proto(skb, htons(ETH_P_IP), 0)) return TC_ACT_OK;
 
     // bpf_skb_change_proto() invalidates all pointers - reload them.
     data = (void*)(long)skb->data;
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 1362be25..32123148 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
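Review bot: The object-like macros `htons`/`htonl`/`ntohs`/`ntohl` now live in a header that `bpf_progs/Android.bp` exports to other modules as `netd_bpf_progs_headers`, so a userspace translation unit that includes it next to `<arpa/inet.h>` or `<netinet/in.h>` will have libc's declarations of those functions rewritten or mangled by the macro. Since everything else in the file is BPF-only (`BPF_FUNC_*` helper pointers), say so at the top, e.g. `// For BPF programs only; not safe to include from userspace code (htons & co. are macros here).`, and wrap the four defines in `#ifndef htons` / `#endif` so an accidental userspace include fails loudly rather than silently. `is_received_skb` also deserves a one-line comment that it accepts only packets delivered to this host (PACKET_HOST/BROADCAST/MULTICAST) and rejects every other `pkt_type`, e.g. PACKET_OUTGOING, which is the property the whitelist check in `netd.c` depends on.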
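Review bot: The fallback to `TC_ACT_OK` rests on the claim that a failed `bpf_skb_change_proto()` leaves the packet untouched, and the new comment only says "probably". If userspace clatd is now expected to translate the packet in that case, the comment should state why the assumption holds (as far as I can tell the helper's error paths return before any header bytes are rewritten, but that should be confirmed against the kernel in use) rather than hedge, e.g. `// bpf_skb_change_proto() fails before modifying the skb, so the IPv6 packet is intact and userspace clatd will translate it.`; if it cannot be confirmed, `TC_ACT_SHOT` is the safer failure mode because a half-rewritten packet must never reach the stack. `nat64()` starts and ends outside this hunk.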
@@ -51,9 +51,7 @@ int xt_bpf_whitelist_prog(struct __sk_buff* skb) {
     // that skb->sk is NULL during RX (early decap socket lookup failure),
     // which commonly happens for incoming packets to an unconnected udp socket.
     // Additionally bpf_get_socket_cookie() returns 0 if skb->sk is NULL
-    if ((sock_uid == 65534) && !bpf_get_socket_cookie(skb) &&
-        (skb->pkt_type == PACKET_HOST || skb->pkt_type == PACKET_BROADCAST ||
-         skb->pkt_type == PACKET_MULTICAST))
+    if ((sock_uid == 65534) && !bpf_get_socket_cookie(skb) && is_received_skb(skb))
         return BPF_MATCH;
 
     UidOwnerValue* whitelistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
diff --git a/bpf_progs/netd.h b/bpf_progs/netd.h
index 8be21be1..be9aaeee 100644
--- a/bpf_progs/netd.h
+++ b/bpf_progs/netd.h
@@ -29,6 +29,7 @@
 #include <linux/ipv6.h>
 #include <stdbool.h>
 #include <stdint.h>
+#include "bpf_net_helpers.h"
 #include "netdbpf/bpf_shared.h"
 
 typedef struct {
diff --git a/server/Android.bp b/server/Android.bp
index ae5d204e..eba80bce 100644
--- a/server/Android.bp
+++ b/server/Android.bp
@@ -102,7 +102,7 @@ cc_library_static {
         "libqtaguid",
         "libssl",
         "netd_aidl_interface-cpp",
-        "netd_event_listener_interface-V1-cpp",
+        "netd_event_listener_interface-cpp",
     ],
     header_libs: [
         "libnetd_resolv_headers",
@@ -142,8 +142,8 @@ cc_binary {
         "libselinux",
         "libsysutils",
         "libutils",
-        "netd_aidl_interface-cpp",
-        "netd_event_listener_interface-V1-cpp",
+        "netd_aidl_interface-unstable-cpp",
+        "netd_event_listener_interface-cpp",
         "oemnetd_aidl_interface-cpp",
     ],
     static_libs: [
@@ -192,8 +192,8 @@ cc_binary {
         "liblog",
         "libutils",
         "libbinder",
-        "dnsresolver_aidl_interface-V2-cpp",
-        "netd_aidl_interface-V2-cpp",
+        "dnsresolver_aidl_interface-cpp",
+        "netd_aidl_interface-cpp",
     ],
     srcs: [
         "ndc.cpp",
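Review bot: The `cc_binary` at the `-142,8` hunk now links `netd_aidl_interface-unstable-cpp`, while the `cc_library_static` at the `-102,7` hunk in the same file keeps `netd_aidl_interface-cpp`. If that static library is among this binary's `static_libs` (the list opens on the hunk's last line, its contents are outside the hunk), the process ends up with two differently generated definitions of the same `android::net::INetd`/`BnNetd` classes, an ODR hazard the linker will not diagnose and that can surface as vtable or Parcel layout mismatches at runtime. Either move both modules to the same variant or add a one-line comment on the changed line explaining why the split is intended.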
@@ -236,8 +236,8 @@ cc_test {
         "libnetd_server",
         "libnetd_test_tun_interface",
         "libqtaguid",
-        "netd_aidl_interface-V2-cpp",
-        "netd_event_listener_interface-V1-cpp",
+        "netd_aidl_interface-cpp",
+        "netd_event_listener_interface-cpp",
     ],
     shared_libs: [
         "libbase",
diff --git a/server/ClatdController.cpp b/server/ClatdController.cpp
index bf29693f..cf0ab966 100644
--- a/server/ClatdController.cpp
+++ b/server/ClatdController.cpp
@@ -142,7 +142,7 @@ bool ClatdController::isIpv4AddressFree(in_addr_t addr) {
     // same then the address is already assigned to the system and we can't use it.
     struct sockaddr_in sin = {
             .sin_family = AF_INET,
-            .sin_port = 53,
+            .sin_port = htons(53),
             .sin_addr = {addr},
     };
     socklen_t len = sizeof(sin);
diff --git a/server/ResolvStub.cpp b/server/ResolvStub.cpp
index 5199e6e2..2fb66254 100644
--- a/server/ResolvStub.cpp
+++ b/server/ResolvStub.cpp
@@ -55,7 +55,7 @@ static void resolvStubInitFunction(void* handle, const char* symbol, FunctionTyp
 }
 
 int resolv_stub_init() {
-    void* netdResolvHandle;
+    void* netdResolvHandle = nullptr;
 
     for (const auto& dir : {APEX_LIB64_DIR, APEX_LIB_DIR}) {
         std::string path = std::string(dir) + "/" + LIBNAME;
@@ -76,7 +76,7 @@ int resolv_stub_init() {
 #define RESOLV_STUB_LOAD_SYMBOL(x) resolvStubInitFunction(netdResolvHandle, STR(x), &RESOLV_STUB.x)
     RESOLV_STUB_LOAD_SYMBOL(resolv_has_nameservers);
     RESOLV_STUB_LOAD_SYMBOL(resolv_init);
-    RESOLV_STUB_LOAD_SYMBOL(resolv_gethostbyaddr_from_local_cache);
+    RESOLV_STUB_LOAD_SYMBOL(resolv_gethostbyaddr_from_cache);
 
 #undef RESOLV_STUB_LOAD_SYMBOL
 #undef STR
diff --git a/server/main.cpp b/server/main.cpp
index ed50c14c..d8ed96fc 100644
--- a/server/main.cpp
+++ b/server/main.cpp
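Review bot: `void* netdResolvHandle = nullptr;` satisfies the `-Werror=sometimes-uninitialized` flag this same commit turns on, but it also means that if neither `APEX_LIB64_DIR` nor `APEX_LIB_DIR` yields the library the loop falls through with a null handle and every `RESOLV_STUB_LOAD_SYMBOL(...)` in the second hunk is run against it; what `resolvStubInitFunction` does with a null handle, and whether the lines between the two hunks already bail out, is outside the hunk. Unless that check exists, fail closed before the symbol loads with `if (netdResolvHandle == nullptr) return -1;  // libnetd_resolv not found in either APEX dir` (using whatever error return the callers of `resolv_stub_init()` expect), and if it does exist, a comment on the initializer saying the null is checked below would stop the next reader from asking the same question. The `resolv_gethostbyaddr_from_cache` rename also assumes the installed APEX exports the new symbol, so this is the path a version skew between netd and the resolver APEX would hit.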
@@ -86,12 +86,17 @@ int tagSocketCallback(int sockFd, uint32_t tag, uid_t uid, pid_t) {
     return gCtls->trafficCtrl.tagSocket(sockFd, tag, uid, geteuid());
 }
 
+bool evaluateDomainNameCallback(const android_net_context&, const char* /*name*/) {
+    return true;
+}
+
 bool initDnsResolver() {
     ResolverNetdCallbacks callbacks = {
             .check_calling_permission = &checkCallingPermissionCallback,
             .get_network_context = &getNetworkContextCallback,
             .log = &logCallback,
             .tagSocket = &tagSocketCallback,
+            .evaluate_domain_name = &evaluateDomainNameCallback,
     };
     return RESOLV_STUB.resolv_init(callbacks);
 }
diff --git a/tests/Android.bp b/tests/Android.bp
index 535cae37..1ac413ff 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -93,7 +93,7 @@ cc_test {
         "libnetdbpf",
         "libnetdutils",
         "libqtaguid",
-        "netd_aidl_interface-cpp",
+        "netd_aidl_interface-unstable-cpp",
         "netd_event_listener_interface-cpp",
         "oemnetd_aidl_interface-cpp",
     ],
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 8fad188f..7be8e55e 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -87,6 +87,7 @@ using android::base::ReadFileToString;
 using android::base::StartsWith;
 using android::base::StringPrintf;
 using android::base::Trim;
+using android::base::unique_fd;
 using android::net::INetd;
 using android::net::InterfaceConfigurationParcel;
 using android::net::InterfaceController;
@@ -150,7 +151,8 @@ class BinderTest : public ::testing::Test {
         sTun2.destroy();
     }
 
-    static void fakeRemoteSocketPair(int *clientSocket, int *serverSocket, int *acceptedSocket);
+    static void fakeRemoteSocketPair(unique_fd* clientSocket, unique_fd* serverSocket,
+                                     unique_fd* acceptedSocket);
 
     void createVpnNetworkWithUid(bool secure, uid_t uid, int vpnNetId = TEST_NETID2,
                                 int fallthroughNetId = TEST_NETID1);
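Review bot: `evaluateDomainNameCallback` answers `true` for every name and network context, ignores the name entirely (the parameter is commented out), and is wired into the resolver through `.evaluate_domain_name`, so whatever decision the resolver delegates to netd here is an unconditional, unlogged allow. If that is the intended default it should be documented at the definition so nobody mistakes it for a forgotten stub, e.g. `// Allow-all default: netd implements no per-name DNS policy yet; the resolver proceeds with a normal lookup when this returns true.` (hedged: the callback's contract lives in the resolver header, not in this hunk). If the resolver treats `false` as "block", this function is also where a future allow/deny list belongs, and a `TODO` to that effect is cheap.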
@@ -291,7 +293,7 @@ TEST_F(BinderTest, IpSecTunnelInterface) {
 }
 
 TEST_F(BinderTest, IpSecSetEncapSocketOwner) {
-    android::base::unique_fd uniqueFd(socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0));
+    unique_fd uniqueFd(socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0));
     android::os::ParcelFileDescriptor sockFd(std::move(uniqueFd));
 
     int sockOptVal = UDP_ENCAP_ESPINUDP;
@@ -601,8 +603,9 @@ TEST_F(BinderTest, NetworkRejectNonSecureVpn) {
 }
 
 // Create a socket pair that isLoopbackSocket won't think is local.
-void BinderTest::fakeRemoteSocketPair(int *clientSocket, int *serverSocket, int *acceptedSocket) {
-    *serverSocket = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
+void BinderTest::fakeRemoteSocketPair(unique_fd* clientSocket, unique_fd* serverSocket,
+                                      unique_fd* acceptedSocket) {
+    serverSocket->reset(socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0));
     struct sockaddr_in6 server6 = { .sin6_family = AF_INET6, .sin6_addr = sTun.dstAddr() };
     ASSERT_EQ(0, bind(*serverSocket, (struct sockaddr *) &server6, sizeof(server6)));
 
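Review bot: `serverSocket->reset(socket(...))` is not checked, so a failed `socket()` surfaces only when the following `bind()` assertion fails on fd -1 with a misleading EBADF; the accept path in the next hunk does check its result with `ASSERT_NE(-1, *acceptedSocket)`. For consistency add `ASSERT_NE(-1, *serverSocket);` right after the `reset`, and the same for `clientSocket` where it is created. The switch to `unique_fd` is the real win here: on any `ASSERT_*` failure the descriptors are now released instead of leaked for the rest of the test binary. `fakeRemoteSocketPair` continues past the end of this hunk.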
@@ -610,13 +613,14 @@ void BinderTest::fakeRemoteSocketPair(int *clientSocket, int *serverSocket, int
     ASSERT_EQ(0, getsockname(*serverSocket, (struct sockaddr *) &server6, &addrlen));
     ASSERT_EQ(0, listen(*serverSocket, 10));
 
-    *clientSocket = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
+    clientSocket->reset(socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0));
     struct sockaddr_in6 client6 = { .sin6_family = AF_INET6, .sin6_addr = sTun.srcAddr() };
     ASSERT_EQ(0, bind(*clientSocket, (struct sockaddr *) &client6, sizeof(client6)));
     ASSERT_EQ(0, connect(*clientSocket, (struct sockaddr *) &server6, sizeof(server6)));
     ASSERT_EQ(0, getsockname(*clientSocket, (struct sockaddr *) &client6, &addrlen));
 
-    *acceptedSocket = accept4(*serverSocket, (struct sockaddr *) &server6, &addrlen, SOCK_CLOEXEC);
+    acceptedSocket->reset(
+            accept4(*serverSocket, (struct sockaddr*)&server6, &addrlen, SOCK_CLOEXEC));
     ASSERT_NE(-1, *acceptedSocket);
 
     ASSERT_EQ(0, memcmp(&client6, &server6, sizeof(client6)));
@@ -644,7 +648,7 @@ void checkSocketpairClosed(int clientSocket, int acceptedSocket) {
 }
 
 TEST_F(BinderTest, SocketDestroy) {
-    int clientSocket, serverSocket, acceptedSocket;
+    unique_fd clientSocket, serverSocket, acceptedSocket;
     ASSERT_NO_FATAL_FAILURE(fakeRemoteSocketPair(&clientSocket, &serverSocket, &acceptedSocket));
 
     // Pick a random UID in the system UID range.
@@ -684,10 +688,6 @@ TEST_F(BinderTest, SocketDestroy) {
     skipUids.resize(skipUids.size() - 1);
     EXPECT_TRUE(mNetd->socketDestroy(uidRanges, skipUids).isOk());
     checkSocketpairClosed(clientSocket, acceptedSocket);
-
-    close(clientSocket);
-    close(serverSocket);
-    close(acceptedSocket);
 }
 
 namespace {
@@ -3108,7 +3108,7 @@ void checkDataReceived(int udpSocket, int tunFd) {
 bool sendIPv6PacketFromUid(uid_t uid, const in6_addr& dstAddr, Fwmark* fwmark, int tunFd) {
     ScopedUidChange scopedUidChange(uid);
 
-    android::base::unique_fd testSocket(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
+    unique_fd testSocket(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
     if (testSocket < 0) return false;
 
     const sockaddr_in6 dst6 = {