bpf: move BPF_(DIS)ALLOW from block.c to bpf_net_helpers.h
And use the new constants in netd.c.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Icebaaf78298f0a6e00a28e79a8e0779fc9dc3f1c
diff --git a/bpf_progs/block.c b/bpf_progs/block.c
index 127ec4e..d1d7091 100644
--- a/bpf_progs/block.c
+++ b/bpf_progs/block.c
@@ -14,18 +14,13 @@
* limitations under the License.
*/
-#include <linux/types.h>
-#include <linux/bpf.h>
-#include <netinet/in.h>
-#include <stdint.h>
+#include <linux/in.h>
// The resulting .o needs to load on Android T+
#define BPFLOADER_MIN_VER BPFLOADER_MAINLINE_T_VERSION
#include "bpf_helpers.h"
-
-static const int BPF_ALLOW = 1;
-static const int BPF_DISALLOW = 0;
+#include "bpf_net_helpers.h"
DEFINE_BPF_MAP_GRW(blocked_ports_map, ARRAY, int, uint64_t,
1024 /* 64K ports -> 1024 u64s */, AID_SYSTEM)
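Review bot: Dropping `#include <stdint.h>` leaves the `uint64_t` value type in `DEFINE_BPF_MAP_GRW(blocked_ports_map, ARRAY, int, uint64_t, ...)` depending on whatever bpf_helpers.h or bpf_net_helpers.h happen to include transitively, so block.c no longer includes what it uses; the same applies to `<linux/bpf.h>` if code outside this hunk still names kernel BPF types. Presumably the helper headers do provide them today, since the change was tested, but a later cleanup of those headers would break this file for no visible reason. Keeping `#include <stdint.h>` next to the new `#include <linux/in.h>` is cheap and makes the dependency explicit.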
diff --git a/bpf_progs/bpf_net_helpers.h b/bpf_progs/bpf_net_helpers.h
index 0acc812..5c6febc 100644
--- a/bpf_progs/bpf_net_helpers.h
+++ b/bpf_progs/bpf_net_helpers.h
@@ -107,3 +107,6 @@
// Return value for xt_bpf (netfilter match extension) programs
static const int XTBPF_NOMATCH = 0;
static const int XTBPF_MATCH = 1;
+
+static const int BPF_DISALLOW = 0;
+static const int BPF_ALLOW = 1;
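Review bot: The moved constants arrive in bpf_net_helpers.h with no comment, while the XTBPF_* pair just above says which program type consumes it, and the only explanation of the 1/0 verdict (`// A return value of 1 means allow, everything else means deny.`) is deleted from netd.c by the hunk at line 42 rather than carried here. A reader of block.c or netd.c now has to already know the kernel convention to see why BPF_ALLOW is 1 and not a bitmask or errno. Add above the two new lines something like `// Return value for cgroup socket hook programs (inet_create, connect, get/setsockopt, ...): 1 allows the operation, everything else denies it.`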
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index f5898bf..da46bd4 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -653,8 +653,7 @@
DEFINE_NETD_BPF_PROG_KVER("cgroupsock/inet_create", AID_ROOT, AID_ROOT, inet_socket_create,
KVER_4_14)
(__unused struct bpf_sock* sk) {
- // A return value of 1 means allow, everything else means deny.
- return (get_app_permissions() & BPF_PERMISSION_INTERNET) ? 1 : 0;
+ return (get_app_permissions() & BPF_PERMISSION_INTERNET) ? BPF_ALLOW : BPF_DISALLOW;
}
DEFINE_NETD_V_BPF_PROG_KVER("cgroupsockrelease/inet_release", AID_ROOT, AID_ROOT,
@@ -681,7 +680,7 @@
// __u32 msg_src_ip6[4]; // BE, R: 1,2,4,8-byte, W: 4,8-byte
// __bpf_md_ptr(struct bpf_sock *, sk);
// };
- return 1;
+ return BPF_ALLOW;
}
DEFINE_NETD_V_BPF_PROG_KVER("connect4/inet4_connect", AID_ROOT, AID_ROOT, inet4_connect, KVER_4_14)
@@ -719,7 +718,7 @@
// Tell kernel to return 'original' kernel reply (instead of the bpf modified buffer)
// This is important if the answer is larger than PAGE_SIZE (max size this bpf hook can provide)
ctx->optlen = 0;
- return 1; // ALLOW
+ return BPF_ALLOW;
}
DEFINE_NETD_V_BPF_PROG_KVER("setsockopt/prog", AID_ROOT, AID_ROOT, setsockopt_prog, KVER_5_4)
@@ -727,7 +726,7 @@
// Tell kernel to use/process original buffer provided by userspace.
// This is important if it is larger than PAGE_SIZE (max size this bpf hook can handle).
ctx->optlen = 0;
- return 1; // ALLOW
+ return BPF_ALLOW;
}
LICENSE("Apache 2.0");