commit d6395205bb9cfa8e082d5a15f6aaf140f426a04c
author Maciej Żenczykowski <maze@google.com> Mon Oct 02 19:39:35 2023 -0700
committer Maciej Żenczykowski <maze@google.com> Mon Oct 02 22:35:24 2023 -0700
tree 6ad5d2b802b082bae657173b9684cff537111069
parent 0e4802df200e2d66fc2e7f2007600f190891163c

netbpfload: remove support for 'vendor'

Test: N/A
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If088188b4832d37b084846b5ad3db06b8858d856

netbpfload/NetBpfLoad.cpp

diff --git a/netbpfload/NetBpfLoad.cpp b/netbpfload/NetBpfLoad.cpp
index 499f833..242fcc3 100644
--- a/netbpfload/NetBpfLoad.cpp
+++ b/netbpfload/NetBpfLoad.cpp
@@ -93,14 +93,6 @@
         BPF_PROG_TYPE_XDP,
 };
 
-// see b/162057235. For arbitrary program types, the concern is that due to the lack of
-// SELinux access controls over BPF program attachpoints, we have no way to control the
-// attachment of programs to shared resources (or to detect when a shared resource
-// has one BPF program replace another that is attached there)
-constexpr bpf_prog_type kVendorAllowedProgTypes[] = {
-        BPF_PROG_TYPE_SOCKET_FILTER,
-};
-
 
 const android::bpf::Location locations[] = {
         // S+ Tethering mainline module (network_stack): tether offload
@@ -145,14 +137,6 @@
                 .allowedProgTypes = kTetheringApexAllowedProgTypes,
                 .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
         },
-        // Vendor operating system
-        {
-                .dir = "/vendor/etc/bpf/",
-                .prefix = "vendor/",
-                .allowedDomainBitmask = domainToBitmask(domain::vendor),
-                .allowedProgTypes = kVendorAllowedProgTypes,
-                .allowedProgTypesLength = arraysize(kVendorAllowedProgTypes),
-        },
 };
 
 int loadAllElfObjects(const android::bpf::Location& location) {

netbpfload/loader.cpp

diff --git a/netbpfload/loader.cpp b/netbpfload/loader.cpp
index a8944f2..64ee5bb 100644
--- a/netbpfload/loader.cpp
+++ b/netbpfload/loader.cpp
@@ -103,7 +103,6 @@
         case domain::net_shared:    return "fs_bpf_net_shared";
         case domain::netd_readonly: return "fs_bpf_netd_readonly";
         case domain::netd_shared:   return "fs_bpf_netd_shared";
-        case domain::vendor:        return "fs_bpf_vendor";
         case domain::loader:        return "fs_bpf_loader";
         default:                    return "(unrecognized)";
     }
@@ -134,7 +133,6 @@
         case domain::net_shared:    return "net_shared/";
         case domain::netd_readonly: return "netd_readonly/";
         case domain::netd_shared:   return "netd_shared/";
-        case domain::vendor:        return "vendor/";
         case domain::loader:        return "loader/";
         default:                    return "(unrecognized)";
     }

netbpfload/loader.h

diff --git a/netbpfload/loader.h b/netbpfload/loader.h
index 6791523..9e2b4df 100644
--- a/netbpfload/loader.h
+++ b/netbpfload/loader.h
@@ -44,7 +44,6 @@
     net_shared,         // (T+) fs_bpf_net_shared    /sys/fs/bpf/net_shared
     netd_readonly,      // (T+) fs_bpf_netd_readonly /sys/fs/bpf/netd_readonly
     netd_shared,        // (T+) fs_bpf_netd_shared   /sys/fs/bpf/netd_shared
-    vendor,             // (T+) fs_bpf_vendor        /sys/fs/bpf/vendor
     loader,             // (U+) fs_bpf_loader        /sys/fs/bpf/loader
 };
 
@@ -56,7 +55,6 @@
     domain::net_shared,
     domain::netd_readonly,
     domain::netd_shared,
-    domain::vendor,
     domain::loader,
 };