commit 1ec8d7df583aff4a32fc7a5aa4b938da96546f17
author Maciej Żenczykowski <maze@google.com> Wed Sep 04 16:44:04 2024 -0700
committer Maciej Żenczykowski <maze@google.com> Wed Sep 04 17:41:47 2024 -0700
tree 9e2e453ae4d39c03816fb8897b051da207d0a6b3
parent 5e7247d92236a4ef078a1469eff261e824e3edf5

dscpPolicy: lock down bpf cache map

(since this map relies on percpu access semantics,
 and we don't even have userspace helpers to access PERCPU_ maps)

This will also be used by the upcoming satellite egress limiting logic.
See aosp/3235142

With this change we see:
  $ adbz shell ls -lZ /sys/fs/bpf/net_shared/*_dscpPolicy_*
  -rw-rw---- 1 root system u:object_r:fs_bpf_net_shared:s0  0 2024-09-04 17:01 /sys/fs/bpf/net_shared/map_dscpPolicy_ipv4_dscp_policies_map
  -rw-rw---- 1 root system u:object_r:fs_bpf_net_shared:s0  0 2024-09-04 17:01 /sys/fs/bpf/net_shared/map_dscpPolicy_ipv6_dscp_policies_map
  ---------- 1 root root   u:object_r:fs_bpf_loader:s0      0 2024-09-04 17:01 /sys/fs/bpf/net_shared/map_dscpPolicy_socket_policy_cache_map
  -r--r----- 1 root system u:object_r:fs_bpf_net_shared:s0  0 2024-09-04 17:01 /sys/fs/bpf/net_shared/prog_dscpPolicy_schedcls_set_dscp_ether

Test: TreeHugger, atest CtsNetTestCases:android.net.cts.DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I50a12ca4cd5587342f8aaf9df8cb28917f555252

bpf/headers/include/bpf_helpers.h

diff --git a/bpf/headers/include/bpf_helpers.h b/bpf/headers/include/bpf_helpers.h
index 1a9fd31..d379357 100644
--- a/bpf/headers/include/bpf_helpers.h
+++ b/bpf/headers/include/bpf_helpers.h
@@ -349,11 +349,17 @@
 #error "Bpf Map UID must be left at default of AID_ROOT for BpfLoader prior to v0.28"
 #endif
 
-#define DEFINE_BPF_MAP_UGM(the_map, TYPE, KeyType, ValueType, num_entries, usr, grp, md)     \
-    DEFINE_BPF_MAP_EXT(the_map, TYPE, KeyType, ValueType, num_entries, usr, grp, md,         \
-                       DEFAULT_BPF_MAP_SELINUX_CONTEXT, DEFAULT_BPF_MAP_PIN_SUBDIR, PRIVATE, \
-                       BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, LOAD_ON_ENG,                    \
-                       LOAD_ON_USER, LOAD_ON_USERDEBUG)
+// for maps not meant to be accessed from userspace
+#define DEFINE_BPF_MAP_KERNEL_INTERNAL(the_map, TYPE, KeyType, ValueType, num_entries)           \
+    DEFINE_BPF_MAP_EXT(the_map, TYPE, KeyType, ValueType, num_entries, AID_ROOT, AID_ROOT,       \
+                       0000, "fs_bpf_loader", "", PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, \
+                       LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
+
+#define DEFINE_BPF_MAP_UGM(the_map, TYPE, KeyType, ValueType, num_entries, usr, grp, md) \
+    DEFINE_BPF_MAP_EXT(the_map, TYPE, KeyType, ValueType, num_entries, usr, grp, md,     \
+                       DEFAULT_BPF_MAP_SELINUX_CONTEXT, DEFAULT_BPF_MAP_PIN_SUBDIR,      \
+                       PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER,                    \
+                       LOAD_ON_ENG, LOAD_ON_USER, LOAD_ON_USERDEBUG)
 
 #define DEFINE_BPF_MAP(the_map, TYPE, KeyType, ValueType, num_entries) \
     DEFINE_BPF_MAP_UGM(the_map, TYPE, KeyType, ValueType, num_entries, \