Use cgroup socket filter to control socket creation

2019-01-30T03:25:04+00:00

For the devices that support cgroup socket filter, use it to control the
inet socket creation.

Bug: 111560570
Bug: 111560739
Test: dumpsys netd trafficcontroller
Change-Id: I0dda638ff610a2342afca9e99cd5a2ea38718f80

Use bpf maps to store permission information

2019-01-30T03:24:36+00:00

In newer kernels, we can use cgroup socket filter to control inet socket
creation at run time instead of paranoid network kernel check. To
achieve that, we need to get the permission information from system
server when device boots or new packages are installed. This patch
provides a binder interface to do that and stores the information in a
bpf map. It also records the uids that have permission
UPDATE_DEVICE_STATS so netd no longer needs to query that from the
system server.

Bug: 111560570
Bug: 111560739
Test: netd_unit_test, netd_integration_test

Change-Id: I0c5919d85136feec44c4406ee0bd0028b131b942

platform_system_netd/libnetdutils/include/netdutils/UidConstants.h, branch master

Use cgroup socket filter to control socket creation

Use bpf maps to store permission information