limit types of bpf programs that platform and tethering apex can load am: ae58e7e4a7 am: eb6c2ece0b

Original change: https://android-review.googlesource.com/c/platform/system/bpf/+/2143735

Change-Id: I96728b8f9fce51bb1021b8f1b772b7e0f3fe21b5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Maciej Żenczykowski 2022-07-01 22:58:02 +00:00 committed by Automerger Merge Worker
commit d00ef559b2
2 changed files with 38 additions and 2 deletions

View file

@ -61,6 +61,30 @@ constexpr unsigned long long kTetheringApexDomainBitmask =
domainToBitmask(domain::netd_readonly) |
domainToBitmask(domain::netd_shared);
// Programs shipped inside the tethering apex should be limited to networking stuff,
// as KPROBE, PERF_EVENT, TRACEPOINT are dangerous to use from mainline updatable code,
// since they are less stable abi/api and may conflict with platform uses of bpf.
constexpr bpf_prog_type kTetheringApexAllowedProgTypes[] = {
BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
BPF_PROG_TYPE_CGROUP_SKB,
BPF_PROG_TYPE_CGROUP_SOCK,
BPF_PROG_TYPE_SCHED_ACT,
BPF_PROG_TYPE_SCHED_CLS,
BPF_PROG_TYPE_SOCKET_FILTER,
BPF_PROG_TYPE_XDP,
};
// Networking-related program types are limited to the Tethering Apex
// to prevent things from breaking due to conflicts on mainline updates
// (exception made for socket filters, ie. xt_bpf for potential use in iptables,
// or for attaching to sockets directly)
constexpr bpf_prog_type kPlatformAllowedProgTypes[] = {
BPF_PROG_TYPE_KPROBE,
BPF_PROG_TYPE_PERF_EVENT,
BPF_PROG_TYPE_SOCKET_FILTER,
BPF_PROG_TYPE_TRACEPOINT,
};
// see b/162057235. For arbitrary program types, the concern is that due to the lack of
// SELinux access controls over BPF program attachpoints, we have no way to control the
// attachment of programs to shared resources (or to detect when a shared resource
@ -83,6 +107,8 @@ const Location locations[] = {
.dir = "/apex/com.android.tethering/etc/bpf/",
.prefix = "tethering/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper (for iptables xt_bpf) has access to programs
@ -90,6 +116,8 @@ const Location locations[] = {
.dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
.prefix = "netd_shared/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with netd & system server)
// netutils_wrapper has no access, netd has read only access
@ -97,24 +125,32 @@ const Location locations[] = {
.dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
.prefix = "netd_readonly/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (shared with system server)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
.prefix = "net_shared/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// T+ Tethering mainline module (not shared, just network_stack)
{
.dir = "/apex/com.android.tethering/etc/bpf/net_private/",
.prefix = "net_private/",
.allowedDomainBitmask = kTetheringApexDomainBitmask,
.allowedProgTypes = kTetheringApexAllowedProgTypes,
.allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
},
// Core operating system
{
.dir = "/system/etc/bpf/",
.prefix = "",
.allowedDomainBitmask = domainToBitmask(domain::platform),
.allowedProgTypes = kPlatformAllowedProgTypes,
.allowedProgTypesLength = arraysize(kPlatformAllowedProgTypes),
},
// Vendor operating system
{

View file

@ -30,9 +30,9 @@
#include <sys/wait.h>
#include <unistd.h>
// This is BpfLoader v0.21
// This is BpfLoader v0.22
#define BPFLOADER_VERSION_MAJOR 0u
#define BPFLOADER_VERSION_MINOR 21u
#define BPFLOADER_VERSION_MINOR 22u
#define BPFLOADER_VERSION ((BPFLOADER_VERSION_MAJOR << 16) | BPFLOADER_VERSION_MINOR)
#include "bpf/BpfUtils.h"