Commit graph

24 commits

Author SHA1 Message Date
Maciej Żenczykowski
52c8a2ebd5 netd/netutils_wrapper/network_stack/system_server - allow getattr on bpf progs/maps
This is so that we can potentially verify that things
are setup right.

Test: TreeHugger
Bug: 275209284
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I59a49cbece2710345fff0b2fb98e32f4e5f3af44
2023-03-28 03:11:42 +00:00
Maciej Żenczykowski
60f4a34544 refactor: get_prop(bpfdomain, bpf_progs_loaded_prop)
Based on:
  cs/p:aosp-master -file:prebuilts/ get_prop.*bpf_progs_loaded_prop

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If07026b1ea5753a82401a62349c494b4cbf699b6
2023-01-06 10:09:33 +00:00
Maciej Żenczykowski
b13921c3f0 much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.

BPFFS (ie. /sys/fs/bpf) labelling is as follows:
  subdirectory   selinux context      mainline  usecase / usable by
  /              fs_bpf               no (*)    core operating system (ie. platform)
  /net_private   fs_bpf_net_private   yes, T+   network_stack
  /net_shared    fs_bpf_net_shared    yes, T+   network_stack & system_server
  /netd_readonly fs_bpf_netd_readonly yes, T+   network_stack & system_server & r/o to netd
  /netd_shared   fs_bpf_netd_shared   yes, T+   network_stack & system_server & netd [**]
  /tethering     fs_bpf_tethering     yes, S+   network_stack
  /vendor        fs_bpf_vendor        no, T+    vendor

* initial support for bpf was added back in P,
  but things worked differently back then with no bpfloader,
  and instead netd doing stuff by hand,
  bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
  (and was definitely there in R)

** additionally bpf programs are accesible to netutils_wrapper
   for use by iptables xt_bpf extensions

'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).

The reason for splitting net_private vs tethering is that:
  S+ must support 4.9+ kernels and S era bpfloader v0.2+
  T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+

The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions.  Older kernels have
a tendency to reject programs that newer kernels allow.

/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.

Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
2022-06-22 16:07:42 -07:00
Maciej Żenczykowski
1ebfb867a8 Merge "Grants clatd privs since forked by system server" 2022-04-21 14:00:23 +00:00
Steven Moreland
6598175e06 bpfdomain: attribute for domain which can use BPF
Require all domains which can be used for BPF to be marked as
bpfdomain, and add a restriction for these domains to not
be able to use net_raw or net_admin. We want to make sure the
network stack has exclusive access to certain BPF attach
points.

Bug: 140330870
Bug: 162057235
Test: build (compile-time neverallows)
Change-Id: I29100e48a757fdcf600931d5eb42988101275325
2022-02-10 00:34:50 +00:00
Ken Chen
1aed006a77 Move pf_key socket creation permission to system_server
Allow system_server to trigger the kernel synchronize rcu with open and
close pf_key socket. This action was previously done by netd but now
it need to be done by system_server instead because the handling code in
netd are moved to mainline module which will be loaded by system_server
in JNI mode.

Note: the permission will be removed from netd once all bpf interactions
have moved out of netd.

Bug: 202086915
Test: android.app.usage.cts.NetworkUsageStatsTest
      android.net.cts.TrafficStatsTest
Change-Id: I440e0c87193775115a9b9ffb19270c47b01b082e
2022-01-28 17:12:51 +01:00
Hungming Chen
fc6556a5b5 Grants clatd privs since forked by system server
System server forks clatd now. Need to add rules to
fork clatd. netd doesn't fork clatd anymore.

Bug: 212345928
Test: ping 8.8.8.8 under ipv6-only network
check bpf maps are added.
$ adb shell dumpsys netd --short | grep Clat -A10
  ClatdController
    Trackers: iif[iface] nat64Prefix v6Addr -> v4Addr v4iif[v4iface] [fwmark]
    BPF ingress map: iif(iface) nat64Prefix v6Addr -> v4Addr oif(iface)
      47(wlan0) 64:ff9b::/96 2a00:79e1:abc:6f02:b7aa:ff3c:9220:595c -> 192.0.0.4 52(v4-wlan0)
    BPF egress map: iif(iface) v4Addr -> v6Addr nat64Prefix oif(iface)
      52(v4-wlan0) 192.0.0.4 -> 2a00:79e1:abc:6f02:b7aa:ff3c:9220:595c 64:ff9b::/96 47(wlan0) ether

Change-Id: I70be6132ab7bfdd96b5f537a96722312cd93bbb8
2022-01-21 18:17:45 +00:00
Hungming Chen
ffa08bbd21 [NC#1] netd: allow netd to setup packet socket for clatd
Needed because the packet socket setup has been moved from clatd
to netd.

Test: manual test
    1. Connect to ipv6-only wifi.
    2. Try IPv4 traffic.
       $ ping 8.8.8.8
Change-Id: If6c3ba70cd7b3a44a31b8deab088303c22838da8
2021-11-26 20:28:29 +08:00
steven_fann
d3e8f6fc84 Fix sepolicy to netd.
Allow netd to get adb port from property service.adb.tcp.port

Bug: b/161861298
Test: atest android.net.cts.Ikev2VpnTest#testStartStopVpnProfileV4

Change-Id: I05ce21683b01cf05a16b9fb30030cf4fc879fb20
2021-01-27 17:34:01 +08:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Maciej Żenczykowski
44328c061d sepolicy - move public clatd to private
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary.  Netd is it's only launcher (via fork/exec) and
killer.

Generated via:
  { echo; cat public/clatd.te; echo; } >> private/clatd.te
  rm -f public/clatd.te

  plus a minor edit to put coredomain after clatd type declaration
  and required changes to move netd's clatd use out of public into private.

Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
2019-05-11 17:47:25 -07:00
Chenbo Feng
8a5539b5f0 Move pf_key socket creation permission to netd
Allow netd to trigger the kernel synchronize rcu with open and close
pf_key socket. This action was previously done by system_server but now
it need to be done by netd instead because there might be race issue
when netd is operating on a map that is cleaned up by system server.

Bug: 126620214
Test: android.app.usage.cts.NetworkUsageStatsTest
      android.net.cts.TrafficStatsTest

Change-Id: Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf
2019-04-12 02:24:46 +00:00
Chalard Jean
a4c9f7b2c6 Let dumpstate get netd stack traces.
Test: manual
Bug: 128804277
Change-Id: Ibb3c0063f96f835edb13868b3e7a9fb9f6f94195
2019-04-05 17:33:56 +09:00
Remi NGUYEN VAN
780fbadf08 Add NetworkStack policies for netd and netlink
Allow netd to send network events to the NetworkStack, and allow the
NetworkStack to interact with netlink_route_socket for neighbor
monitoring.

Test: built, booted, WiFi works, no more violations
Bug: 112869080
Change-Id: If212b2897e37e9d249f81ba8139461bce461528e
2019-01-28 14:40:52 +09:00
lifr
980c08c999 Allow netd to write to statsd
config sepolicy to allow netd to write to statsd.

Test: run runtests.sh, make sure no missing test and get all pass
      run /out/host/linux-x86/bin/statsd_testdrive 82
      Got following metric data dump:pass for local test
Bug: 119862317

Change-Id: Ieff5ca55de46715d54ef57c4a6d144fd7d03e4b7
2019-01-16 13:33:18 +00:00
Joel Fernandes
b76a639956 Add permissions for bpf.progs_loaded property
Change-Id: If4e550e4186415c5a1088bb53b0755b69f92560a
Signed-off-by: Joel Fernandes <joelaf@google.com>
2019-01-14 10:59:10 -05:00
Joel Fernandes
147cf6482e Allow executing bpfloader from init and modify rules
init needs to execute bpfloader as a one-shot service. Add sepolicy for
the same. Also update old rules allowing init to fork/exec bpfloader and
remove rules allowing netd to do so.

Bug: 112334572
Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37
Signed-off-by: Joel Fernandes <joelaf@google.com>
2019-01-14 10:59:10 -05:00
Chenbo Feng
7b57104013 Use bpfloader to create bpf maps instead of netd
Recent change in netd and bpfloader switched the creater of bpf maps
from netd to bpfloader. Change the rules related to it to make sure it
doesn't fail.

Test: dumpsys netd trafficcontroller
Bug: 112334572
Change-Id: I016ff68b58ef7b12bdfdebc2fd178be1d0206a62
2019-01-08 10:30:22 -08:00
Chenbo Feng
5c95c16841 Allow netd to setup xt_bpf iptable rules
To better record the network traffic stats for each network interface.
We use xt_bpf netfilter module to do the iface stats accounting instead
of the cgroup bpf filter we currently use for per uid stats accounting.
The xt_bpf module will take pinned eBPF program as iptables rule and run
the program when packet pass through the netfilter hook. To setup the
iptables rules. netd need to be able to access bpf filesystem and run the
bpf program at boot time. The program used will still be created and
pinned by the bpfloader process.

Test: With selinux enforced, run "iptables -L -t raw" should show the
xt_bpf related rule present in bw_raw_PREROUTING chain.
Bug: 72111305

Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
2018-03-21 11:06:03 -07:00
Chenbo Feng
566411edf2 Add sepolicy to lock down bpf access
Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
2018-01-17 23:19:30 +00:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00