Add bpf program to control socket creation am: ef6d45e7cf

am: 01806ba3e1 Change-Id: I1ce8457fd261bc0bd21eedc2bf0da1e9daa6d053
2019-01-30 13:06:30 -08:00 · 2019-01-30 13:06:30 -08:00 · 1b479ffa8f
commit 1b479ffa8f
parent 2e7698a559 01806ba3e1
2 changed files with 16 additions and 0 deletions
--- a/progs/netd.c
+++ b/progs/netd.c
@ -65,4 +65,19 @@ struct bpf_map_def SEC("maps") uid_permission_map = {
    .max_entries = UID_OWNER_MAP_SIZE,
 };

+SEC("cgroupsock/inet/creat")
+int inet_socket_create(struct bpf_sock* sk) {
+    uint64_t gid_uid = bpf_get_current_uid_gid();
+    /*
+     * A given app is guaranteed to have the same app ID in all the profiles in
+     * which it is installed, and install permission is granted to app for all
+     * user at install time so we only check the appId part of a request uid at
+     * run time. See UserHandle#isSameApp for detail.
+     */
+    uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
+    uint8_t* internetPermission = find_map_entry(&uid_permission_map, &appId);
+    if (internetPermission) return *internetPermission & ALLOW_SOCK_CREATE;
+    return NO_PERMISSION;
+}
+
 char _license[] SEC("license") = "Apache 2.0";
--- a/progs/netd.h
+++ b/progs/netd.h
@ -64,6 +64,7 @@ static uint64_t (*get_socket_cookie)(struct __sk_buff* skb) = (void*)BPF_FUNC_ge
 static uint32_t (*get_socket_uid)(struct __sk_buff* skb) = (void*)BPF_FUNC_get_socket_uid;
 static int (*bpf_skb_load_bytes)(struct __sk_buff* skb, int off, void* to,
                                 int len) = (void*)BPF_FUNC_skb_load_bytes;
+static uint64_t (*bpf_get_current_uid_gid)(void) = (void*)BPF_FUNC_get_current_uid_gid;

 // This is defined for cgroup bpf filter only.
 #define BPF_PASS 1