Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Connectivity / 3cb494fd285cf8ecd451db0a0d92c1790508bc3a^! / . / netd / BpfHandler.cpp
commit3cb494fd285cf8ecd451db0a0d92c1790508bc3a[log] [tgz]
authorMaciej Żenczykowski <maze@google.com>Wed Oct 04 21:35:41 2023 +0000
committerMaciej Żenczykowski <maze@google.com>Fri Oct 06 14:31:20 2023 -0700
tree6dc480ea85c1e70a2cd146b3d74e44116b20cdd4
parent10da6d4e61ecbd7cb3746e0a71248569f07a9f76 [diff] [blame]
move BPF_CGROUP_INET*_BIND registration into BpfHandler

(in preparation for moving it into netbpfload)

The programs themselves (in bpf_progs/block.c) required a 5.4+ kernel.

We relax this restriction to 4.19+ as we don't have any 5.4 device coverage
(while the pixel 4a 5G / 5 / 5a are all 4.19 devices).

I believe we could relax it further to 4.14+ but Pixel 4/4xl/4a that
would exercise those code paths are EOL and probably have poor to
non existent test coverage, and we cannot do anything for 4.9 T devices
anyway.

Note: on <4.19 kernels (ie. T devices running 4.9/4.14, U running 4.14)
this results in ConnectivityNativeService going from null to initialized
(as the bpf map will exist).

This doesn't hurt as the set/clear port interfaces are only ever
called by vendor code on devices where the kernel doesn't support
the older mechanism.  And even if you call them it will just set/clear
the bits in the bpf bitmap, they just won't actually affect anything.

We could flag the map itself as being 4.19+ as well, but I think
I prefer the no-op map to exist...

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1085addd22f4f3b709e1875049633832c5dac836

diff --git a/netd/BpfHandler.cpp b/netd/BpfHandler.cpp
index fa92f10..a7a4059 100644
--- a/netd/BpfHandler.cpp
+++ b/netd/BpfHandler.cpp

@@ -130,12 +130,21 @@
                 attachProgramToCgroup(CGROUP_SOCKET_PROG_PATH, cg_fd, BPF_CGROUP_INET_SOCK_CREATE));
     }
 
-    // This should trivially pass, since we just attached up above,
-    // but BPF_PROG_QUERY is only implemented on 4.19+ kernels.
     if (bpf::isAtLeastKernelVersion(4, 19, 0)) {
+        RETURN_IF_NOT_OK(attachProgramToCgroup(
+                "/sys/fs/bpf/netd_readonly/prog_block_bind4_block_port",
+                cg_fd, BPF_CGROUP_INET4_BIND));
+        RETURN_IF_NOT_OK(attachProgramToCgroup(
+                "/sys/fs/bpf/netd_readonly/prog_block_bind6_block_port",
+                cg_fd, BPF_CGROUP_INET6_BIND));
+
+        // This should trivially pass, since we just attached up above,
+        // but BPF_PROG_QUERY is only implemented on 4.19+ kernels.
         if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_EGRESS) <= 0) abort();
         if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_INGRESS) <= 0) abort();
         if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_SOCK_CREATE) <= 0) abort();
+        if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET4_BIND) <= 0) abort();
+        if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET6_BIND) <= 0) abort();
     }
 
     return netdutils::status::ok;