add support for 'netd_readonly'

For use by:
- maps netd should have read but not write access to
  (needed due to netd being root with DAC_OVERRIDE,
   and thus not obeying standard unix permissions)
- programs that netd should have access to but
  not netutils_wrappers (which due to being able to
  run iptables, needs access to xt_bpf programs)

Bug: 218408035
Test: booted on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I72b106692a25077ff54252fd93db81f46b52125d
This commit is contained in:
Maciej Żenczykowski 2022-06-16 18:58:22 -07:00
parent e626a95e2f
commit 32c0b8f46e
2 changed files with 13 additions and 6 deletions


@ -69,22 +69,29 @@ struct Location {
}; };
const Location locations[] = { const Location locations[] = {
// Tethering mainline module: tether offload // S+ Tethering mainline module (network_stack): tether offload
{ {
.dir = "/apex/com.android.tethering/etc/bpf/", .dir = "/apex/com.android.tethering/etc/bpf/",
.prefix = "tethering/", .prefix = "tethering/",
}, },
// Tethering mainline module (shared with netd & system server) // T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper (for iptables xt_bpf) has access to programs
{ {
.dir = "/apex/com.android.tethering/etc/bpf/netd_shared/", .dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
.prefix = "netd_shared/", .prefix = "netd_shared/",
}, },
// Tethering mainline module (shared with system server) // T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper has no access, netd has read only access
{
.dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
.prefix = "netd_readonly/",
},
// T+ Tethering mainline module (shared with system server)
{ {
.dir = "/apex/com.android.tethering/etc/bpf/net_shared/", .dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
.prefix = "net_shared/", .prefix = "net_shared/",
}, },
// Tethering mainline module (not shared) // T+ Tethering mainline module (not shared, just network_stack)
{ {
.dir = "/apex/com.android.tethering/etc/bpf/net_private/", .dir = "/apex/com.android.tethering/etc/bpf/net_private/",
.prefix = "net_private/", .prefix = "net_private/",
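Review bot: Nothing in this hunk enforces the "read only" property the new `netd_readonly` entry is named for: the added Location carries only `.dir` and `.prefix`, exactly like its neighbours, so netd's read-but-not-write access must come from somewhere outside this loader (presumably SELinux labeling of the pinned objects, given the commit message's point that DAC_OVERRIDE defeats unix permissions). The comment on the entry should say so, otherwise a later reader may drop a map into netd_readonly/ believing the loader itself restricts it, e.g. `// NOTE: read-only for netd is enforced by sepolicy on the pinned maps/programs, not by this loader.` It would also help to state which side is expected to pin and label these objects, since this hunk does not show it. The `locations[]` array continues past the end of the hunk.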


@ -30,9 +30,9 @@
#include <sys/wait.h> #include <sys/wait.h>
#include <unistd.h> #include <unistd.h>
// This is BpfLoader v0.15 // This is BpfLoader v0.16
#define BPFLOADER_VERSION_MAJOR 0u #define BPFLOADER_VERSION_MAJOR 0u
#define BPFLOADER_VERSION_MINOR 15u #define BPFLOADER_VERSION_MINOR 16u
#define BPFLOADER_VERSION ((BPFLOADER_VERSION_MAJOR << 16) | BPFLOADER_VERSION_MINOR) #define BPFLOADER_VERSION ((BPFLOADER_VERSION_MAJOR << 16) | BPFLOADER_VERSION_MINOR)
#include "bpf/BpfUtils.h" #include "bpf/BpfUtils.h"