bpf netd: 25q2 specific bpf_owner_match()
(makes room for 25q2+ sdksandbox localhost restrictions,
without increasing program complexity and thus bpf verifier
run time on older devices)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia2bbd089467459754c4f6eabd90a3ea51cec6b98
diff --git a/bpf/progs/netd.c b/bpf/progs/netd.c
index 330a9fb..8897627 100644
--- a/bpf/progs/netd.c
+++ b/bpf/progs/netd.c
@@ -391,7 +391,8 @@
static __always_inline inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid,
const struct egress_bool egress,
- const struct kver_uint kver) {
+ const struct kver_uint kver,
+ const struct sdk_level_uint lvl) {
if (is_system_uid(uid)) return PASS;
if (skip_owner_match(skb, egress, kver)) return PASS;
@@ -421,6 +422,11 @@
return DROP_UNLESS_DNS;
}
}
+
+ if (SDK_LEVEL_IS_AT_LEAST(lvl, 25Q2) && skb->ifindex == 1) {
+ // TODO: sdksandbox localhost restrictions
+ }
+
return PASS;
}
@@ -468,7 +474,7 @@
// CLAT daemon receives via an untagged AF_PACKET socket.
if (egress.egress && uid == AID_CLAT) return PASS;
- int match = bpf_owner_match(skb, sock_uid, egress, kver);
+ int match = bpf_owner_match(skb, sock_uid, egress, kver, lvl);
// Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
// Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h