netbpfload: remove support for limiting selinux contexts
No need for this, as we simply only support those selinux contexts (and directories) which are available to networking. Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I35b134c57411f82514b9f7148411f83d3aee1927
This commit is contained in:
Maciej Żenczykowski
parent
857399114e
commit
af07d6db1f
3 changed files with 4 additions and 48 deletions
|
|
@ -65,46 +65,34 @@ bool exists(const char* const path) {
|
|||
abort(); // can only hit this if permissions (likely selinux) are screwed up
|
||||
}
|
||||
|
||||
constexpr unsigned long long kTetheringApexDomainBitmask =
|
||||
domainToBitmask(domain::tethering) |
|
||||
domainToBitmask(domain::net_private) |
|
||||
domainToBitmask(domain::net_shared) |
|
||||
domainToBitmask(domain::netd_readonly) |
|
||||
domainToBitmask(domain::netd_shared);
|
||||
|
||||
|
||||
const android::bpf::Location locations[] = {
|
||||
// S+ Tethering mainline module (network_stack): tether offload
|
||||
{
|
||||
.dir = "/apex/com.android.tethering/etc/bpf/",
|
||||
.prefix = "tethering/",
|
||||
.allowedDomainBitmask = kTetheringApexDomainBitmask,
|
||||
},
|
||||
// T+ Tethering mainline module (shared with netd & system server)
|
||||
// netutils_wrapper (for iptables xt_bpf) has access to programs
|
||||
{
|
||||
.dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
|
||||
.prefix = "netd_shared/",
|
||||
.allowedDomainBitmask = kTetheringApexDomainBitmask,
|
||||
},
|
||||
// T+ Tethering mainline module (shared with netd & system server)
|
||||
// netutils_wrapper has no access, netd has read only access
|
||||
{
|
||||
.dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
|
||||
.prefix = "netd_readonly/",
|
||||
.allowedDomainBitmask = kTetheringApexDomainBitmask,
|
||||
},
|
||||
// T+ Tethering mainline module (shared with system server)
|
||||
{
|
||||
.dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
|
||||
.prefix = "net_shared/",
|
||||
.allowedDomainBitmask = kTetheringApexDomainBitmask,
|
||||
},
|
||||
// T+ Tethering mainline module (not shared, just network_stack)
|
||||
{
|
||||
.dir = "/apex/com.android.tethering/etc/bpf/net_private/",
|
||||
.prefix = "net_private/",
|
||||
.allowedDomainBitmask = kTetheringApexDomainBitmask,
|
||||
},
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -621,8 +621,7 @@ static bool mapMatchesExpectations(const unique_fd& fd, const string& mapName,
|
|||
}
|
||||
|
||||
static int createMaps(const char* elfPath, ifstream& elfFile, vector<unique_fd>& mapFds,
|
||||
const char* prefix, const unsigned long long allowedDomainBitmask,
|
||||
const size_t sizeOfBpfMapDef) {
|
||||
const char* prefix, const size_t sizeOfBpfMapDef) {
|
||||
int ret;
|
||||
vector<char> mdData;
|
||||
vector<struct bpf_map_def> md;
|
||||
|
|
@ -733,11 +732,6 @@ static int createMaps(const char* elfPath, ifstream& elfFile, vector<unique_fd>&
|
|||
|
||||
domain selinux_context = getDomainFromSelinuxContext(md[i].selinux_context);
|
||||
if (specified(selinux_context)) {
|
||||
if (!inDomainBitmask(selinux_context, allowedDomainBitmask)) {
|
||||
ALOGE("map %s has invalid selinux_context of %d (allowed bitmask 0x%llx)",
|
||||
mapNames[i].c_str(), selinux_context, allowedDomainBitmask);
|
||||
return -EINVAL;
|
||||
}
|
||||
ALOGI("map %s selinux_context [%-32s] -> %d -> '%s' (%s)", mapNames[i].c_str(),
|
||||
md[i].selinux_context, selinux_context, lookupSelinuxContext(selinux_context),
|
||||
lookupPinSubdir(selinux_context));
|
||||
|
|
@ -746,11 +740,6 @@ static int createMaps(const char* elfPath, ifstream& elfFile, vector<unique_fd>&
|
|||
domain pin_subdir = getDomainFromPinSubdir(md[i].pin_subdir);
|
||||
if (unrecognized(pin_subdir)) return -ENOTDIR;
|
||||
if (specified(pin_subdir)) {
|
||||
if (!inDomainBitmask(pin_subdir, allowedDomainBitmask)) {
|
||||
ALOGE("map %s has invalid pin_subdir of %d (allowed bitmask 0x%llx)",
|
||||
mapNames[i].c_str(), pin_subdir, allowedDomainBitmask);
|
||||
return -EINVAL;
|
||||
}
|
||||
ALOGI("map %s pin_subdir [%-32s] -> %d -> '%s'", mapNames[i].c_str(), md[i].pin_subdir,
|
||||
pin_subdir, lookupPinSubdir(pin_subdir));
|
||||
}
|
||||
|
|
@ -921,7 +910,7 @@ static void applyMapRelo(ifstream& elfFile, vector<unique_fd> &mapFds, vector<co
|
|||
}
|
||||
|
||||
static int loadCodeSections(const char* elfPath, vector<codeSection>& cs, const string& license,
|
||||
const char* prefix, const unsigned long long allowedDomainBitmask) {
|
||||
const char* prefix) {
|
||||
unsigned kvers = kernelVersion();
|
||||
|
||||
if (!kvers) {
|
||||
|
|
@ -980,22 +969,12 @@ static int loadCodeSections(const char* elfPath, vector<codeSection>& cs, const
|
|||
if (unrecognized(pin_subdir)) return -ENOTDIR;
|
||||
|
||||
if (specified(selinux_context)) {
|
||||
if (!inDomainBitmask(selinux_context, allowedDomainBitmask)) {
|
||||
ALOGE("prog %s has invalid selinux_context of %d (allowed bitmask 0x%llx)",
|
||||
name.c_str(), selinux_context, allowedDomainBitmask);
|
||||
return -EINVAL;
|
||||
}
|
||||
ALOGI("prog %s selinux_context [%-32s] -> %d -> '%s' (%s)", name.c_str(),
|
||||
cs[i].prog_def->selinux_context, selinux_context,
|
||||
lookupSelinuxContext(selinux_context), lookupPinSubdir(selinux_context));
|
||||
}
|
||||
|
||||
if (specified(pin_subdir)) {
|
||||
if (!inDomainBitmask(pin_subdir, allowedDomainBitmask)) {
|
||||
ALOGE("prog %s has invalid pin_subdir of %d (allowed bitmask 0x%llx)", name.c_str(),
|
||||
pin_subdir, allowedDomainBitmask);
|
||||
return -EINVAL;
|
||||
}
|
||||
ALOGI("prog %s pin_subdir [%-32s] -> %d -> '%s'", name.c_str(),
|
||||
cs[i].prog_def->pin_subdir, pin_subdir, lookupPinSubdir(pin_subdir));
|
||||
}
|
||||
|
|
@ -1185,8 +1164,7 @@ int loadProg(const char* elfPath, bool* isCritical, const Location& location) {
|
|||
/* Just for future debugging */
|
||||
if (0) dumpAllCs(cs);
|
||||
|
||||
ret = createMaps(elfPath, elfFile, mapFds, location.prefix, location.allowedDomainBitmask,
|
||||
sizeOfBpfMapDef);
|
||||
ret = createMaps(elfPath, elfFile, mapFds, location.prefix, sizeOfBpfMapDef);
|
||||
if (ret) {
|
||||
ALOGE("Failed to create maps: (ret=%d) in %s", ret, elfPath);
|
||||
return ret;
|
||||
|
|
@ -1197,8 +1175,7 @@ int loadProg(const char* elfPath, bool* isCritical, const Location& location) {
|
|||
|
||||
applyMapRelo(elfFile, mapFds, cs);
|
||||
|
||||
ret = loadCodeSections(elfPath, cs, string(license.data()), location.prefix,
|
||||
location.allowedDomainBitmask);
|
||||
ret = loadCodeSections(elfPath, cs, string(license.data()), location.prefix);
|
||||
if (ret) ALOGE("Failed to load programs, loadCodeSections ret=%d", ret);
|
||||
|
||||
return ret;
|
||||
|
|
|
|||
|
|
@ -64,18 +64,9 @@ static constexpr bool specified(domain d) {
|
|||
return d != domain::unspecified;
|
||||
}
|
||||
|
||||
static constexpr unsigned long long domainToBitmask(domain d) {
|
||||
return specified(d) ? 1uLL << (static_cast<int>(d) - 1) : 0;
|
||||
}
|
||||
|
||||
static constexpr bool inDomainBitmask(domain d, unsigned long long v) {
|
||||
return domainToBitmask(d) & v;
|
||||
}
|
||||
|
||||
struct Location {
|
||||
const char* const dir = "";
|
||||
const char* const prefix = "";
|
||||
unsigned long long allowedDomainBitmask = 0;
|
||||
};
|
||||
|
||||
// BPF loader implementation. Loads an eBPF ELF object
|
||||
|
|
|
|||
Loading…
Reference in a new issue