BpfHandler: add 25Q2+ netd map create and write test
Adding this to make sure we have 'unprivileged_bpf_disabled = 0'
This is currently set by NetBpfLoad, but if we remove that things currently work.
However with this change the device then fails to boot:
$ adbz logcat -s -d *:* | egrep -i -C10 bpf
I NetdUpdatable: libnetd_updatable_init: Initializing
I NetdUpdatable: BPF programs are loaded
I NetdUpdatable: initMaps successfully
E NetdUpdatable: libnetd_updatable_init: Failed: (1) [Operation not permitted] : map create failed
This is because even though system/netd/server/netd.rc has:
service netd /system/bin/netd
class main
capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER IPC_LOCK KILL NET_ADMIN NET_BIND_SERVICE NET_RAW SETUID SETGID
user root
group root net_admin
and we thus run as root/root with CAP_NET_ADMIN, but we do *NOT* have CAP_BPF nor CAP_SYS_ADMIN.
This means netd is considered 'unprivileged' from the point of view of that sysctl.
Creating maps from outside the bpfloader (ie. netd/system server/network stack)
is required for map-in-map.
While the sepolicy for netd.te map_create is in V, there is no real
need for this test on V atm, doing this to prevent *future* regressions.
A rollout purely to the not yet existing 25Q2+ is safer.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia39c74cfb1707e88b0aa534ddf42139b1698d5d6
1 file changed