diff options
| author | Maciej Żenczykowski <maze@google.com> | 2020-01-27 01:58:40 -0800 |
|---|---|---|
| committer | Maciej Żenczykowski <maze@google.com> | 2020-02-18 16:13:52 -0800 |
| commit | 565b6fbc4ff9ae35d33a0453fffda0bab54cb8b8 (patch) | |
| tree | 48c7359d5d503e48519b54b41424f4d80e3b372a /server/TrafficController.cpp | |
| parent | c49e8f4e991641087d14aa966b5f058b7f93fcc7 (diff) | |
| download | platform_system_netd-565b6fbc4ff9ae35d33a0453fffda0bab54cb8b8.tar.gz platform_system_netd-565b6fbc4ff9ae35d33a0453fffda0bab54cb8b8.tar.bz2 platform_system_netd-565b6fbc4ff9ae35d33a0453fffda0bab54cb8b8.zip | |
eliminate changeOwnerAndMode()
This is possible now that we have native chown/chgrp/chmod support in the bpfloader.
Now:
$ adb shell ls -lZ /sys/fs/bpf
total 0
-rw------- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_clatd_clat_egress_map
-rw------- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_clatd_clat_ingress_map
-rw-r----- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_app_uid_stats_map
-rw-r----- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_configuration_map
-rw-r----- 1 root net_bw_acct u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_cookie_tag_map
-rw-r----- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_iface_index_name_map
-rw-r----- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_iface_stats_map
-rw-rw---- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_stats_map_A
-rw-rw---- 1 root net_bw_stats u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_stats_map_B
-rw-r----- 1 root net_bw_acct u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_uid_counterset_map
-rw------- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_uid_owner_map
-rw------- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_netd_uid_permission_map
-rw-rw---- 1 root network_stack u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_offload_tether_ingress_map
-rw-rw---- 1 root network_stack u:object_r:fs_bpf:s0 0 2020-02-15 16:04 map_offload_tether_stats_map
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_clatd_schedcls_egress_clat_ether
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_clatd_schedcls_egress_clat_rawip
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_clatd_schedcls_ingress_clat_ether
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_clatd_schedcls_ingress_clat_rawip
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_cgroupskb_egress_stats
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_cgroupskb_ingress_stats
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_cgroupsock_inet_create
-r--r----- 1 root net_admin u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_skfilter_blacklist_xtbpf
-r--r----- 1 root net_admin u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_skfilter_egress_xtbpf
-r--r----- 1 root net_admin u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_skfilter_ingress_xtbpf
-r--r----- 1 root net_admin u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_netd_skfilter_whitelist_xtbpf
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_offload_schedcls_ingress_tether_ether
-r--r----- 1 root root u:object_r:fs_bpf:s0 0 2020-02-15 16:04 prog_offload_schedcls_ingress_tether_rawip
Test: builds, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie7b79e85a6e5c0be88fdc4d78c82f1a7d3228167
Diffstat (limited to 'server/TrafficController.cpp')
| -rw-r--r-- | server/TrafficController.cpp | 54 |
1 files changed, 1 insertions, 53 deletions
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp index d91407ffd..36ccf5389 100644 --- a/server/TrafficController.cpp +++ b/server/TrafficController.cpp @@ -77,7 +77,6 @@ constexpr int PER_UID_STATS_ENTRIES_LIMIT = 500; // Otherwise, apps would be able to avoid data usage accounting entirely by filling up the // map with tagged traffic entries. constexpr int TOTAL_UID_STATS_ENTRIES_LIMIT = STATS_MAP_SIZE * 0.9; -constexpr mode_t S_NONE = 0; static_assert(BPF_PERMISSION_INTERNET == INetd::PERMISSION_INTERNET, "Mismatch between BPF and AIDL permissions: PERMISSION_INTERNET"); @@ -167,20 +166,6 @@ StatusOr<std::unique_ptr<NetlinkListenerInterface>> TrafficController::makeSkDes return listener; } -Status changeOwnerAndMode(const char* path, gid_t group, const char* debugName, mode_t groupMode) { - int ret = chown(path, AID_ROOT, group); - if (ret != 0) return statusFromErrno(errno, StringPrintf("change %s group failed", debugName)); - - // Ensure groupMode only contains group bits. - groupMode &= S_IRGRP | S_IWGRP; - - // chmod doesn't by itself grant permission to all processes in that group to - // read/write the bpf map. They still need correct sepolicy. - ret = chmod(path, S_IRUSR | S_IWUSR | groupMode); - if (ret != 0) return statusFromErrno(errno, StringPrintf("change %s mode failed", debugName)); - return netdutils::status::ok; -} - TrafficController::TrafficController() : mBpfEnabled(isBpfSupported()), mPerUidStatsEntriesLimit(PER_UID_STATS_ENTRIES_LIMIT), @@ -193,62 +178,25 @@ TrafficController::TrafficController(uint32_t perUidLimit, uint32_t totalLimit) Status TrafficController::initMaps() { std::lock_guard guard(mMutex); - RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH)); - RETURN_IF_NOT_OK( - changeOwnerAndMode(COOKIE_TAG_MAP_PATH, AID_NET_BW_ACCT, "CookieTagMap", S_IRGRP)); + RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH)); RETURN_IF_NOT_OK(mUidCounterSetMap.init(UID_COUNTERSET_MAP_PATH)); - RETURN_IF_NOT_OK(changeOwnerAndMode(UID_COUNTERSET_MAP_PATH, AID_NET_BW_ACCT, - "UidCounterSetMap", S_IRGRP)); - RETURN_IF_NOT_OK(mAppUidStatsMap.init(APP_UID_STATS_MAP_PATH)); - RETURN_IF_NOT_OK(changeOwnerAndMode(APP_UID_STATS_MAP_PATH, AID_NET_BW_STATS, "AppUidStatsMap", - S_IRGRP)); - RETURN_IF_NOT_OK(mStatsMapA.init(STATS_MAP_A_PATH)); - RETURN_IF_NOT_OK( - changeOwnerAndMode(STATS_MAP_A_PATH, AID_NET_BW_STATS, "StatsMapA", S_IRGRP | S_IWGRP)); - RETURN_IF_NOT_OK(mStatsMapB.init(STATS_MAP_B_PATH)); - RETURN_IF_NOT_OK( - changeOwnerAndMode(STATS_MAP_B_PATH, AID_NET_BW_STATS, "StatsMapB", S_IRGRP | S_IWGRP)); - RETURN_IF_NOT_OK(mIfaceIndexNameMap.init(IFACE_INDEX_NAME_MAP_PATH)); - RETURN_IF_NOT_OK(changeOwnerAndMode(IFACE_INDEX_NAME_MAP_PATH, AID_NET_BW_STATS, - "IfaceIndexNameMap", S_IRGRP)); - RETURN_IF_NOT_OK(mIfaceStatsMap.init(IFACE_STATS_MAP_PATH)); - RETURN_IF_NOT_OK( - changeOwnerAndMode(IFACE_STATS_MAP_PATH, AID_NET_BW_STATS, "IfaceStatsMap", S_IRGRP)); RETURN_IF_NOT_OK(mConfigurationMap.init(CONFIGURATION_MAP_PATH)); - RETURN_IF_NOT_OK(changeOwnerAndMode(CONFIGURATION_MAP_PATH, AID_NET_BW_STATS, - "ConfigurationMap", S_IRGRP)); RETURN_IF_NOT_OK( mConfigurationMap.writeValue(UID_RULES_CONFIGURATION_KEY, DEFAULT_CONFIG, BPF_ANY)); RETURN_IF_NOT_OK(mConfigurationMap.writeValue(CURRENT_STATS_MAP_CONFIGURATION_KEY, SELECT_MAP_A, BPF_ANY)); RETURN_IF_NOT_OK(mUidOwnerMap.init(UID_OWNER_MAP_PATH)); - RETURN_IF_NOT_OK(changeOwnerAndMode(UID_OWNER_MAP_PATH, AID_ROOT, "UidOwnerMap", S_NONE)); RETURN_IF_NOT_OK(mUidOwnerMap.clear()); RETURN_IF_NOT_OK(mUidPermissionMap.init(UID_PERMISSION_MAP_PATH)); - RETURN_IF_NOT_OK(changeOwnerAndMode(TETHER_INGRESS_MAP_PATH, AID_NETWORK_STACK, - "TetherIngressMap", S_IRGRP | S_IWGRP)); - RETURN_IF_NOT_OK(changeOwnerAndMode(TETHER_STATS_MAP_PATH, AID_NETWORK_STACK, "TetherStatsMap", - S_IRGRP | S_IWGRP)); - - // The programs must be readable to process that modify iptables rules - RETURN_IF_NOT_OK(changeOwnerAndMode(XT_BPF_EGRESS_PROG_PATH, AID_NET_ADMIN, - "XtFilterEgressProgram", S_IRGRP)); - RETURN_IF_NOT_OK(changeOwnerAndMode(XT_BPF_INGRESS_PROG_PATH, AID_NET_ADMIN, - "XtFilterIngressProgram", S_IRGRP)); - RETURN_IF_NOT_OK(changeOwnerAndMode(XT_BPF_WHITELIST_PROG_PATH, AID_NET_ADMIN, - "XtWhitelistProgram", S_IRGRP)); - RETURN_IF_NOT_OK(changeOwnerAndMode(XT_BPF_BLACKLIST_PROG_PATH, AID_NET_ADMIN, - "XtBlacklistProgram", S_IRGRP)); - return netdutils::status::ok; } |