clatd: drop AID_INET and AID_VPN supplementary groups
I can't see a reason for these still existing.
AID_VPN was needed in order to open tap/tun devices,
but this logic has long been moved out of clatd and into netd.
AID_INET is something left over from the
Paranoid Android kernel patch days.
Paranoid Android was definitely removed from the beginning of the
Android Common Kernel 4.14-r branch, but we later removed it
from 4.14-q as well (at least as far as AID_INET is concerned,
it looks like AID_NET_RAW/AID_NET_ADMIN support stayed around).
Anyway, the last branches in which AID_INET has special meaning
are ACK 4.9-Q and 4.14-P.
We effectively already require 4.9+ Q+ in Android S due to
Android Q clat bpf requirements. Besides, the upgrade path
for any 4.14-P kernels is trivial enough: 4.14-Q or 4.14-R.
Nowadays '/sys/fs/bpf/prog_netd_cgroupsock_inet_create'
*must* load on *all* 4.14 devices or bpfloader panics.
This should enforce the internet permission via bpf
as opposed to requiring Paranoid Android kernel patch.
As such we should have all the privs necessary for correct
functionality without this - at least on any 4.14+ devices.
We dropped support for <4.9 || <Q devices in Android S,
this patch bumps the minimum kernel version to 4.14
for Android T. Alternatively it requires 4.9 kernels
to have Paranoid Android patchset reverted (trivial),
which in turn probably requires backporting support for
cgroupsock programs. However devices running 4.9
were launched on Android Q or earlier -- likely on P.
There is a very low probability anyone will want to
go to the effort of porting Android T to low tier
Android Q or mid tier Android P devices.
launch P devices: 4.4 4.9 4.14 - upgradable to Q, R, to S via 4.9/14-q kernel
launch Q devices: 4.9 4.14 4.19 - upgradable to R, S, to T via 4.14/19-r kernel
launch R devices: 4.14 4.19 5.4 - upgradable to S, T
launch S devices: 4.19 5.4 5.10 - upgradable to T
launch T devices: 5.4 5.10 5.~15
Either way, the next patch will actually move socket creation
ahead of priv dropping which means everything should once
again work even on 4.9 devices.
While longer term the plan is to move all socket creation out of clatd
and into its caller (and pass them in via inherited fds).
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8fe2e2c0232b6cf0d4b7b2585f840a574080afa9
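The ordering the commit message relies on (create the socket first, drop privileges second, and the already-open fd keeps working because Linux checks credentials at socket creation rather than per use) can be shown in a small stand-alone program. This is an added illustration, not clatd's or netd's code: it runs on plain Linux rather than Android, uses an unprivileged UDP socket in place of clatd's real sockets, and the AID_INET/AID_VPN numeric values are taken from Android's android_filesystem_config.h, which the commit message names but does not quote.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Android group ids (assumed from android_filesystem_config.h; the commit
 * message names the groups but not their numbers). On a desktop Linux box
 * these gids will normally not be present in the process's group list. */
#define AID_INET 3003
#define AID_VPN  1016

/* Number of supplementary groups the calling process currently holds,
 * or -1 on error. */
int count_supplementary_groups(void) {
    return getgroups(0, NULL);
}

/* Returns 1 if gid is among the process's supplementary groups, else 0. */
int has_supplementary_gid(gid_t gid) {
    int n = getgroups(0, NULL);
    if (n <= 0) return 0;
    gid_t *groups = malloc(sizeof(gid_t) * (size_t)n);
    if (!groups) return 0;
    int found = 0;
    if (getgroups(n, groups) == n) {
        for (int i = 0; i < n; i++) {
            if (groups[i] == gid) { found = 1; break; }
        }
    }
    free(groups);
    return found;
}

/* Drop every supplementary group (the equivalent of no longer listing
 * AID_INET/AID_VPN). Returns 0 on success, 1 if the process lacks
 * CAP_SETGID (an unprivileged process has no privileged groups to shed),
 * -1 on any other error. */
int drop_supplementary_groups(void) {
    if (setgroups(0, NULL) == 0) return 0;
    if (errno == EPERM) return 1;
    return -1;
}

/* The sequence the commit describes for the follow-up patch: open the
 * socket, then drop privileges, then confirm the socket still answers.
 * Returns 1 if the pre-opened socket survives the drop, 0 otherwise. */
int socket_survives_priv_drop(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* stand-in for clatd's sockets */
    if (fd < 0) return 0;

    if (drop_supplementary_groups() < 0) {     /* EPERM is fine, real failure is not */
        close(fd);
        return 0;
    }

    /* Credentials were checked when the socket was created; the fd itself
     * is unaffected by the later setgroups(), so SO_TYPE must still read back. */
    int type = 0;
    socklen_t len = sizeof(type);
    int ok = getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == 0 && type == SOCK_DGRAM;
    close(fd);
    return ok;
}

int main(void) {
    printf("supplementary groups before drop: %d\n", count_supplementary_groups());
    printf("holds AID_INET: %d, holds AID_VPN: %d\n",
           has_supplementary_gid(AID_INET), has_supplementary_gid(AID_VPN));
    int rc = drop_supplementary_groups();
    printf("setgroups(0, NULL): %s\n",
           rc == 0 ? "dropped" : rc == 1 ? "EPERM (not privileged)" : "error");
    printf("socket opened before drop still usable: %d\n", socket_survives_priv_drop());
    return 0;
}
```

Run as root (or with CAP_SETGID) the group list is emptied and the socket keeps working; run unprivileged, setgroups() reports EPERM and the socket still works, which is the point: once the fd exists, the supplementary groups that may have been needed to create it no longer matter, so the daemon can hold the minimum set for the rest of its life.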
1 file changed