From 251b3ee12de52afc82d90eca99255e2a726a15d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
Date: Thu, 18 Jun 2020 12:30:41 +0000
Subject: stop abusing netd's DAC override on prog accesses by using R/O fetch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
and also use mapRetrieveRW(x) instead of bpfFdGet(x, 0) or mapRetrieve(x, 0)
Test: builds, treehugger, see above
Bug: 150040815
Signed-off-by: Maciej Żenczykowski
Original-Change: https://android-review.googlesource.com/1339962
Merged-In: I09206bd07eb3ecea5256422ed9b52b791079f75a
Change-Id: I09206bd07eb3ecea5256422ed9b52b791079f75a
---
 server/OffloadUtils.h | 23 +++++++++++------------
 server/TrafficController.cpp | 2 +-
 tests/netlink_listener_test.cpp | 2 +-
 3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/server/OffloadUtils.h b/server/OffloadUtils.h
index e7193e46..818fd39d 100644
--- a/server/OffloadUtils.h
+++ b/server/OffloadUtils.h
@@ -48,46 +48,45 @@ int hardwareAddressType(const std::string& interface);
 base::Result isEthernet(const std::string& interface);
 inline int getClatEgressMapFd(void) {
- const int fd = bpf::bpfFdGet(CLAT_EGRESS_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(CLAT_EGRESS_MAP_PATH);
 return (fd == -1) ? -errno : fd;
 }
 inline int getClatEgressProgFd(bool with_ethernet_header) {
- const int fd = bpf::bpfFdGet(
- with_ethernet_header ? CLAT_EGRESS_PROG_ETHER_PATH : CLAT_EGRESS_PROG_RAWIP_PATH, 0);
+ const int fd = bpf::retrieveProgram(with_ethernet_header ? CLAT_EGRESS_PROG_ETHER_PATH
+ : CLAT_EGRESS_PROG_RAWIP_PATH);
 return (fd == -1) ? -errno : fd;
 }
 inline int getClatIngressMapFd(void) {
- const int fd = bpf::bpfFdGet(CLAT_INGRESS_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(CLAT_INGRESS_MAP_PATH);
 return (fd == -1) ? -errno : fd;
 }
 inline int getClatIngressProgFd(bool with_ethernet_header) {
- const int fd = bpf::bpfFdGet(
- with_ethernet_header ? CLAT_INGRESS_PROG_ETHER_PATH : CLAT_INGRESS_PROG_RAWIP_PATH, 0);
+ const int fd = bpf::retrieveProgram(with_ethernet_header ? CLAT_INGRESS_PROG_ETHER_PATH
+ : CLAT_INGRESS_PROG_RAWIP_PATH);
 return (fd == -1) ? -errno : fd;
 }
 inline int getTetherIngressMapFd(void) {
- const int fd = bpf::bpfFdGet(TETHER_INGRESS_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(TETHER_INGRESS_MAP_PATH);
 return (fd == -1) ? -errno : fd;
 }
 inline int getTetherIngressProgFd(bool with_ethernet_header) {
- const int fd = bpf::bpfFdGet(
- with_ethernet_header ? TETHER_INGRESS_PROG_ETHER_PATH : TETHER_INGRESS_PROG_RAWIP_PATH,
- 0);
+ const int fd = bpf::retrieveProgram(with_ethernet_header ? TETHER_INGRESS_PROG_ETHER_PATH
+ : TETHER_INGRESS_PROG_RAWIP_PATH);
 return (fd == -1) ? -errno : fd;
 }
 inline int getTetherStatsMapFd(void) {
- const int fd = bpf::bpfFdGet(TETHER_STATS_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(TETHER_STATS_MAP_PATH);
 return (fd == -1) ? -errno : fd;
 }
 inline int getTetherLimitMapFd(void) {
- const int fd = bpf::bpfFdGet(TETHER_LIMIT_MAP_PATH, 0);
+ const int fd = bpf::mapRetrieveRW(TETHER_LIMIT_MAP_PATH);
 return (fd == -1) ? -errno : fd;
 }
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index 9d7d6a1d..3839962f 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp
@@ -202,7 +202,7 @@ Status TrafficController::initMaps() {
 static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd, bpf_attach_type type) {
- unique_fd cgroupProg(bpfFdGet(programPath, 0));
+ unique_fd cgroupProg(retrieveProgram(programPath));
 if (cgroupProg == -1) {
 int ret = errno;
 ALOGE("Failed to get program from %s: %s", programPath, strerror(ret));
diff --git a/tests/netlink_listener_test.cpp b/tests/netlink_listener_test.cpp
index 95c6d1af..46394cac 100644
--- a/tests/netlink_listener_test.cpp
+++ b/tests/netlink_listener_test.cpp
@@ -69,7 +69,7 @@ class NetlinkListenerTest : public testing::Test {
 void SetUp() {
 SKIP_IF_BPF_NOT_SUPPORTED;
- mCookieTagMap.reset(android::bpf::mapRetrieve(COOKIE_TAG_MAP_PATH, 0));
+ mCookieTagMap.reset(android::bpf::mapRetrieveRW(COOKIE_TAG_MAP_PATH));
 ASSERT_TRUE(mCookieTagMap.isValid());
 }
-- 
cgit v1.2.3
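Review bot: The five map getters in server/OffloadUtils.h (getClatEgressMapFd, getClatIngressMapFd, getTetherIngressMapFd, getTetherStatsMapFd, getTetherLimitMapFd) still open their pinned maps read-write, so only the three program getters get the narrower access the commit message describes. Their callers are not visible in this hunk, but wherever a caller only reads a map the least-privilege form would be `bpf::mapRetrieveRO(...)`, for example `const int fd = bpf::mapRetrieveRO(TETHER_STATS_MAP_PATH);` if the stats map is only read. The same question applies to `mapRetrieveRW(COOKIE_TAG_MAP_PATH)` in tests/netlink_listener_test.cpp. A one-line header comment on these getters such as `// Returns an open fd, or -errno on failure; the caller presumably owns and must close the fd.` would also document the raw-int return convention.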
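Review bot: The new `retrieveProgram(programPath)` call in attachProgramToCgroup has no comment explaining that a read-only program fd is intentional, so a later edit could switch it back to a read-write open without anyone noticing the privilege regression. I would add above it `// Read-only fetch: attaching does not need write access to the pinned program, so this avoids relying on DAC override.` That wording follows the commit message; the attach call itself lies outside the hunk, so confirm it uses this fd unchanged. The function body continues past the last line shown.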