bpf: switch map/prog selinux_context field from storing 'fs_bpf_foo' to 'foo/'
This will eliminate the need for domain stuff.
After this:
git grep fs_bpf_
finds nothing but comments.
Test: TreeHugger
Flag: EXEMPT no-op
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie834e9b2b120ee772690b28457c1ff080cb914dd
diff --git a/bpf/loader/NetBpfLoad.cpp b/bpf/loader/NetBpfLoad.cpp
index 6ccd748..79583bd 100644
--- a/bpf/loader/NetBpfLoad.cpp
+++ b/bpf/loader/NetBpfLoad.cpp
@@ -151,12 +151,12 @@
constexpr const char* lookupSelinuxContext(const domain d) {
switch (d) {
case domain::unspecified: return "";
- case domain::tethering: return "fs_bpf_tethering";
- case domain::net_private: return "fs_bpf_net_private";
- case domain::net_shared: return "fs_bpf_net_shared";
- case domain::netd_readonly: return "fs_bpf_netd_readonly";
- case domain::netd_shared: return "fs_bpf_netd_shared";
- case domain::loader: return "fs_bpf_loader";
+ case domain::tethering: return "tethering/";
+ case domain::net_private: return "net_private/";
+ case domain::net_shared: return "net_shared/";
+ case domain::netd_readonly: return "netd_readonly/";
+ case domain::netd_shared: return "netd_shared/";
+ case domain::loader: return "loader/";
}
}
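Review bot: After this hunk `lookupSelinuxContext()` no longer returns an SELinux type name but a bpffs subdirectory prefix, so the function name and the `selinux_context` field it feeds now mislead the reader; a one-line comment such as `// Returns the pin-directory prefix ("foo/") that selects the map/prog label; the name is historical.` would save the next maintainer from grepping sepolicy for these strings. The switch still has no `default:` and nothing follows it, so a `domain` value not covered by the listed enumerators falls off the end of a non-void function, which is undefined behaviour; this predates the commit, but since every string is being rewritten anyway `default: return "";` (or an explicit unreachable marker) is cheap to add here. Whether the consumer of this string needs the trailing slash (concatenation with the object name versus comparison against a table) is not visible in this hunk, so the caller side should be checked in the same change.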
diff --git a/bpf/progs/include/bpf_helpers.h b/bpf/progs/include/bpf_helpers.h
index 76ef5a2..689545d 100644
--- a/bpf/progs/include/bpf_helpers.h
+++ b/bpf/progs/include/bpf_helpers.h
@@ -315,9 +315,9 @@
return bpf_sk_storage_delete_unsafe(&the_map, sk); \
};
-#define DEFINE_BPF_SK_STORAGE(the_map, TypeOfValue) \
- DEFINE_BPF_SK_STORAGE_EXT(the_map, TypeOfValue, \
- AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", \
+#define DEFINE_BPF_SK_STORAGE(the_map, TypeOfValue) \
+ DEFINE_BPF_SK_STORAGE_EXT(the_map, TypeOfValue, \
+ AID_ROOT, AID_NET_BW_ACCT, 0060, "net_shared/", "", \
PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, 0)
/* There exist buggy kernels with pre-T OS, that due to
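Review bot: The literal `"net_shared/"` is now spelled out by hand here and again in the netd.c hunks at -40, -85 and -134, with `"loader/"` and `"netd_readonly/"` likewise repeated in the -380, -40, -120 and -134 hunks; since these are path components that decide which bpffs directory (and, per the commit message, which label) an object is pinned under, a misspelling would still compile and silently place a map under a different, possibly more permissive, directory. Defining each prefix once in bpf_helpers.h, e.g. `#define BPF_PIN_DIR_NET_SHARED "net_shared/"` next to the DEFINE_BPF_*_EXT macros, and using that name in every macro and map definition would make such drift a compile error. Whether NetBpfLoad validates the prefix against an allowlist before pinning is not visible in this diff; if it does not, that check is the other half of the same protection.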
@@ -380,7 +380,7 @@
// for maps not meant to be accessed from userspace
#define DEFINE_BPF_MAP_KERNEL_INTERNAL(the_map, TYPE, KeyType, ValueType, num_entries) \
DEFINE_BPF_MAP_EXT(the_map, TYPE, KeyType, ValueType, num_entries, AID_ROOT, AID_ROOT, 0000, \
- "fs_bpf_loader", "", PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, 0)
+ "loader/", "", PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, 0)
#define DEFINE_BPF_MAP_UGM(the_map, TYPE, KeyType, ValueType, num_entries, usr, grp, md) \
DEFINE_BPF_MAP_EXT(the_map, TYPE, KeyType, ValueType, num_entries, usr, grp, md, \
diff --git a/bpf/progs/netd.c b/bpf/progs/netd.c
index ce22890..3eaa095 100644
--- a/bpf/progs/netd.c
+++ b/bpf/progs/netd.c
@@ -40,13 +40,13 @@
// For maps netd does not need to access
#define DEFINE_BPF_MAP_NO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
- AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", \
+ AID_ROOT, AID_NET_BW_ACCT, 0060, "net_shared/", "", \
PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, 0)
// For maps netd only needs read only access to
#define DEFINE_BPF_MAP_RO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
- AID_ROOT, AID_NET_BW_ACCT, 0460, "fs_bpf_netd_readonly", "", \
+ AID_ROOT, AID_NET_BW_ACCT, 0460, "netd_readonly/", "", \
PRIVATE, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, 0)
// For maps netd needs to be able to read and write
@@ -85,23 +85,23 @@
// A single-element configuration array, packet tracing is enabled when 'true'.
DEFINE_BPF_MAP_EXT(packet_trace_enabled_map, ARRAY, uint32_t, bool, 1,
- AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", PRIVATE,
+ AID_ROOT, AID_SYSTEM, 0060, "net_shared/", "", PRIVATE,
BPFLOADER_MAINLINE_U_VERSION, BPFLOADER_MAX_VER, 0)
// A ring buffer on which packet information is pushed.
DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, 32 * 1024,
- AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", PRIVATE,
+ AID_ROOT, AID_SYSTEM, 0060, "net_shared/", "", PRIVATE,
BPFLOADER_MAINLINE_U_VERSION, BPFLOADER_MAX_VER);
DEFINE_BPF_MAP_RO_NETD(data_saver_enabled_map, ARRAY, uint32_t, bool, 1)
DEFINE_BPF_MAP_EXT(local_net_access_map, LPM_TRIE, LocalNetAccessKey, bool, 1000,
- AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", PRIVATE,
+ AID_ROOT, AID_NET_BW_ACCT, 0060, "net_shared/", "", PRIVATE,
BPFLOADER_MAINLINE_25Q2_VERSION, BPFLOADER_MAX_VER, 0)
// not preallocated
DEFINE_BPF_MAP_EXT(local_net_blocked_uid_map, HASH, uint32_t, bool, -1000,
- AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", PRIVATE,
+ AID_ROOT, AID_NET_BW_ACCT, 0060, "net_shared/", "", PRIVATE,
BPFLOADER_MAINLINE_25Q2_VERSION, BPFLOADER_MAX_VER, 0)
// iptables xt_bpf programs need to be usable by both netd and netutils_wrappers
@@ -120,7 +120,7 @@
#define DEFINE_NETD_BPF_PROG_RANGES(SECTION_NAME, the_prog, minKV, maxKV, min_loader, max_loader) \
DEFINE_BPF_PROG_EXT(SECTION_NAME, AID_ROOT, AID_ROOT, the_prog, \
minKV, maxKV, min_loader, max_loader, MANDATORY, \
- "fs_bpf_netd_readonly", "")
+ "netd_readonly/", "")
#define DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, the_prog, minKV, maxKV) \
DEFINE_NETD_BPF_PROG_RANGES(SECTION_NAME, the_prog, minKV, maxKV, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER)
@@ -134,13 +134,13 @@
#define DEFINE_NETD_V_BPF_PROG_KVER(SECTION_NAME, the_prog, minKV) \
DEFINE_BPF_PROG_EXT(SECTION_NAME, AID_ROOT, AID_ROOT, the_prog, minKV, \
KVER_INF, BPFLOADER_MAINLINE_V_VERSION, BPFLOADER_MAX_VER, MANDATORY, \
- "fs_bpf_netd_readonly", "")
+ "netd_readonly/", "")
// programs that only need to be usable by the system server
#define DEFINE_SYS_BPF_PROG(SECTION_NAME, the_prog) \
DEFINE_BPF_PROG_EXT(SECTION_NAME, AID_ROOT, AID_NET_ADMIN, the_prog, KVER_NONE, KVER_INF, \
BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, MANDATORY, \
- "fs_bpf_net_shared", "")
+ "net_shared/", "")
/*
* Note: this blindly assumes an MTU of 1500, and that packets > MTU are always TCP,