tequilaOS/platform_system_bpf
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

bpfloader: stop loading networking bpf programs

Browse source 
(note: bpf.progs_loaded is set by the network bpf loader)

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie1a906f31afacd656fcaa402ff348955c5f510b0
This commit is contained in:
Maciej Żenczykowski 2023-10-08 22:37:00 -07:00
parent 3b0811b786
commit 0e3a078884
4 changed files with 4 additions and 99 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
bpfloader/BpfLoader.cpp
View file

@ -64,33 +64,6 @@ bool exists(const char* const path) {
abort(); // can only hit this if permissions (likely selinux) are screwed up
}
constexpr unsigned long long kTetheringApexDomainBitmask =
domainToBitmask(domain::tethering) |
domainToBitmask(domain::net_private) |
domainToBitmask(domain::net_shared) |
domainToBitmask(domain::netd_readonly) |
domainToBitmask(domain::netd_shared);
// Programs shipped inside the tethering apex should be limited to networking stuff,
// as KPROBE, PERF_EVENT, TRACEPOINT are dangerous to use from mainline updatable code,
// since they are less stable abi/api and may conflict with platform uses of bpf.
constexpr bpf_prog_type kTetheringApexAllowedProgTypes[] = {
BPF_PROG_TYPE_CGROUP_SKB,
BPF_PROG_TYPE_CGROUP_SOCK,
BPF_PROG_TYPE_CGROUP_SOCKOPT,
BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
BPF_PROG_TYPE_CGROUP_SYSCTL,
BPF_PROG_TYPE_LWT_IN,
BPF_PROG_TYPE_LWT_OUT,
BPF_PROG_TYPE_LWT_SEG6LOCAL,
BPF_PROG_TYPE_LWT_XMIT,
BPF_PROG_TYPE_SCHED_ACT,
BPF_PROG_TYPE_SCHED_CLS,
BPF_PROG_TYPE_SOCKET_FILTER,
BPF_PROG_TYPE_SOCK_OPS,
BPF_PROG_TYPE_XDP,
};
// Networking-related program types are limited to the Tethering Apex
// to prevent things from breaking due to conflicts on mainline updates
// (exception made for socket filters, ie. xt_bpf for potential use in iptables,
@ -113,48 +86,6 @@ constexpr bpf_prog_type kVendorAllowedProgTypes[] = {
const android::bpf::Location locations[] = {
// S+ Tethering mainline module (network_stack): tether offload
{
.dir = "/apex/com.android.tethering/etc/bpf/",
.prefix = "tethering/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper (for iptables xt_bpf) has access to programs
{
.dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
.prefix = "netd_shared/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper has no access, netd has read only access
{
.dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
.prefix = "netd_readonly/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with system server)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
.prefix = "net_shared/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (not shared, just network_stack)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_private/",
.prefix = "net_private/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// Core operating system
{
.dir = "/system/etc/bpf/",
@ -341,10 +272,5 @@ int main(int argc, char** argv) {
return 1;
}
if (android::base::SetProperty("bpf.progs_loaded", "1") == false) {
ALOGE("Failed to set bpf.progs_loaded property");
return 1;
}
return 0;
}

9
bpfloader/bpfloader.rc
View file

@ -18,13 +18,13 @@ on load_bpf_programs
exec_start bpfloader
service bpfloader /system/bin/bpfloader
capabilities CHOWN SYS_ADMIN NET_ADMIN
capabilities CHOWN SYS_ADMIN
# The following group memberships are a workaround for lack of DAC_OVERRIDE
# and allow us to open (among other things) files that we created and are
# no longer root owned (due to CHOWN) but still have group read access to
# one of the following groups. This is not perfect, but a more correct
# solution requires significantly more effort to implement.
group root graphics network_stack net_admin net_bw_acct net_bw_stats net_raw system
group root graphics system
user root
#
# Set RLIMIT_MEMLOCK to 1GiB for bpfloader
@ -36,9 +36,8 @@ service bpfloader /system/bin/bpfloader
# memlock data before bpfloader even gets a chance to run, it would fail
# if its memlock rlimit is only 8MiB - since there would be none left for it.
#
# bpfloader succeeding is critical to system health, since a failure will
# cause netd crashloop and thus system server crashloop... and the only
# recovery is a full kernel reboot.
# bpfloader succeeding is critical to system health:
# the only way to recover is a full kernel reboot.
#
# We've had issues where devices would sometimes (rarely) boot into
# a crashloop because bpfloader would occasionally lose a boot time

10
libbpf_android/Loader.cpp
View file

@ -93,11 +93,6 @@ constexpr const char* lookupSelinuxContext(const domain d, const char* const uns
switch (d) {
case domain::unspecified: return unspecified;
case domain::platform: return "fs_bpf";
case domain::tethering: return "fs_bpf_tethering";
case domain::net_private: return "fs_bpf_net_private";
case domain::net_shared: return "fs_bpf_net_shared";
case domain::netd_readonly: return "fs_bpf_netd_readonly";
case domain::netd_shared: return "fs_bpf_netd_shared";
case domain::vendor: return "fs_bpf_vendor";
case domain::loader: return "fs_bpf_loader";
default: return "(unrecognized)";
@ -125,11 +120,6 @@ constexpr const char* lookupPinSubdir(const domain d, const char* const unspecif
switch (d) {
case domain::unspecified: return unspecified;
case domain::platform: return "/";
case domain::tethering: return "tethering/";
case domain::net_private: return "net_private/";
case domain::net_shared: return "net_shared/";
case domain::netd_readonly: return "netd_readonly/";
case domain::netd_shared: return "netd_shared/";
case domain::vendor: return "vendor/";
case domain::loader: return "loader/";
default: return "(unrecognized)";

10
libbpf_android/include/libbpf_android.h
View file

@ -40,11 +40,6 @@ enum class domain : int {
unrecognized = -1, // invalid for this version of the bpfloader
unspecified = 0, // means just use the default for that specific pin location
platform, // fs_bpf /sys/fs/bpf
tethering, // (S+) fs_bpf_tethering /sys/fs/bpf/tethering
net_private, // (T+) fs_bpf_net_private /sys/fs/bpf/net_private
net_shared, // (T+) fs_bpf_net_shared /sys/fs/bpf/net_shared
netd_readonly, // (T+) fs_bpf_netd_readonly /sys/fs/bpf/netd_readonly
netd_shared, // (T+) fs_bpf_netd_shared /sys/fs/bpf/netd_shared
vendor, // (T+) fs_bpf_vendor /sys/fs/bpf/vendor
loader, // (U+) fs_bpf_loader /sys/fs/bpf/loader
};
@ -53,11 +48,6 @@ enum class domain : int {
static constexpr domain AllDomains[] = {
domain::unspecified,
domain::platform,
domain::tethering,
domain::net_private,
domain::net_shared,
domain::netd_readonly,
domain::netd_shared,
domain::vendor,
domain::loader,
};