netd.c - only check clat uid on egress
On ingress:
(a) the socket is not a normal socket (it's AF_PACKET)
and thus (likely) doesn't hit this code path
[if it did... we'd have double or more accounting
of any traffic captured by AF_PACKET sockets,
I haven't checked - but I assume that doesn't happen]
(b) is created by the system server (so not AID_CLAT)
(c) is not tagged by the system server (so not AID_CLAT)
So this is a no-op, but it simplifies the bpf program,
since 'egress' is a compile time evaluated constant.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iec693548789eb2752f9f30038e72e35c876f986c
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 74b09e7..9f5c743 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -413,7 +413,8 @@
// Always allow and never count clat traffic. Only the IPv4 traffic on the stacked
// interface is accounted for and subject to usage restrictions.
// CLAT IPv6 TX sockets are *always* tagged with CLAT uid, see tagSocketAsClat()
- if (uid == AID_CLAT) return PASS;
+ // CLAT daemon receives via an untagged AF_PACKET socket.
+ if (egress && uid == AID_CLAT) return PASS;
int match = bpf_owner_match(skb, sock_uid, egress, kver);
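Review bot: the header comment directly above the changed line still reads "Always allow and never count clat traffic", which no longer matches the code once the allow is restricted to `egress`; update it to say that only CLAT *egress* is unconditionally passed (e.g. "Always allow and never count clat egress traffic."), so the comment and the new `// CLAT daemon receives via an untagged AF_PACKET socket.` line tell one consistent story. Since the commit message itself says the ingress case has not been verified ("I haven't checked - but I assume that doesn't happen"), it would also be worth adding a regression test that asserts no ingress stats are ever attributed to AID_CLAT, because after this change any ingress skb that did carry `uid == AID_CLAT` would silently fall through to `bpf_owner_match()` and be counted rather than passed.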