Merge "Unfinalize additional methods in NetworkAgent"
diff --git a/bpf_progs/Android.bp b/bpf_progs/Android.bp
index ef2a6e7..b1144b4 100644
--- a/bpf_progs/Android.bp
+++ b/bpf_progs/Android.bp
@@ -25,8 +25,14 @@
name: "bpf_connectivity_headers",
vendor_available: false,
host_supported: false,
- header_libs: ["bpf_headers"],
- export_header_lib_headers: ["bpf_headers"],
+ header_libs: [
+ "bpf_headers",
+ "libnetdbinder_utils_headers", // for XtBpfProgLocations.h
+ ],
+ export_header_lib_headers: [
+ "bpf_headers",
+ "libnetdbinder_utils_headers", // for XtBpfProgLocations.h
+ ],
export_include_dirs: ["."],
cflags: [
"-Wall",
@@ -37,7 +43,7 @@
apex_available: [
"//apex_available:platform",
"com.android.tethering",
- ],
+ ],
visibility: [
"//packages/modules/Connectivity/netd",
"//packages/modules/Connectivity/service",
@@ -47,7 +53,6 @@
"//packages/modules/Connectivity/tests/native",
"//packages/modules/Connectivity/service-t/native/libs/libnetworkstats",
"//packages/modules/Connectivity/tests/unit/jni",
- "//system/netd/server",
"//system/netd/tests",
],
}
@@ -103,13 +108,11 @@
"-Wall",
"-Werror",
],
- include_dirs: [
- "frameworks/libs/net/common/netd/libnetdutils/include",
- ],
sub_dir: "net_shared",
}
bpf {
+ // WARNING: Android T's non-updatable netd depends on 'netd' string for xt_bpf programs it loads
name: "netd.o",
srcs: ["netd.c"],
btf: true,
@@ -117,8 +120,6 @@
"-Wall",
"-Werror",
],
- include_dirs: [
- "frameworks/libs/net/common/netd/libnetdutils/include",
- ],
+ // WARNING: Android T's non-updatable netd depends on 'netd_shared' string for xt_bpf programs
sub_dir: "netd_shared",
}
diff --git a/bpf_progs/bpf_shared.h b/bpf_progs/bpf_shared.h
index 706dd1d..0556253 100644
--- a/bpf_progs/bpf_shared.h
+++ b/bpf_progs/bpf_shared.h
@@ -21,6 +21,11 @@
#include <linux/in.h>
#include <linux/in6.h>
+#ifdef __cplusplus
+#include <string_view>
+#include "XtBpfProgLocations.h"
+#endif
+
// This header file is shared by eBPF kernel programs (C) and netd (C++) and
// some of the maps are also accessed directly from Java mainline module code.
//
@@ -98,14 +103,33 @@
static const int CONFIGURATION_MAP_SIZE = 2;
static const int UID_OWNER_MAP_SIZE = 2000;
+#ifdef __cplusplus
+
#define BPF_NETD_PATH "/sys/fs/bpf/netd_shared/"
#define BPF_EGRESS_PROG_PATH BPF_NETD_PATH "prog_netd_cgroupskb_egress_stats"
#define BPF_INGRESS_PROG_PATH BPF_NETD_PATH "prog_netd_cgroupskb_ingress_stats"
-#define XT_BPF_INGRESS_PROG_PATH BPF_NETD_PATH "prog_netd_skfilter_ingress_xtbpf"
-#define XT_BPF_EGRESS_PROG_PATH BPF_NETD_PATH "prog_netd_skfilter_egress_xtbpf"
-#define XT_BPF_ALLOWLIST_PROG_PATH BPF_NETD_PATH "prog_netd_skfilter_allowlist_xtbpf"
-#define XT_BPF_DENYLIST_PROG_PATH BPF_NETD_PATH "prog_netd_skfilter_denylist_xtbpf"
+
+#define ASSERT_STRING_EQUAL(s1, s2) \
+ static_assert(std::string_view(s1) == std::string_view(s2), "mismatch vs Android T netd")
+
+/* -=-=-=-=- WARNING -=-=-=-=-
+ *
+ * These 4 xt_bpf program paths are actually defined by:
+ * //system/netd/include/binder_utils/XtBpfProgLocations.h
+ * which is intentionally a non-automerged location.
+ *
+ * They are *UNCHANGEABLE* due to being hard coded in Android T's netd binary
+ * as such we have compile time asserts that things match.
+ * (which will be validated during build on mainline-prod branch against old system/netd)
+ *
+ * If you break this, netd on T will fail to start with your tethering mainline module.
+ */
+ASSERT_STRING_EQUAL(XT_BPF_INGRESS_PROG_PATH, BPF_NETD_PATH "prog_netd_skfilter_ingress_xtbpf");
+ASSERT_STRING_EQUAL(XT_BPF_EGRESS_PROG_PATH, BPF_NETD_PATH "prog_netd_skfilter_egress_xtbpf");
+ASSERT_STRING_EQUAL(XT_BPF_ALLOWLIST_PROG_PATH, BPF_NETD_PATH "prog_netd_skfilter_allowlist_xtbpf");
+ASSERT_STRING_EQUAL(XT_BPF_DENYLIST_PROG_PATH, BPF_NETD_PATH "prog_netd_skfilter_denylist_xtbpf");
+
#define CGROUP_SOCKET_PROG_PATH BPF_NETD_PATH "prog_netd_cgroupsock_inet_create"
#define TC_BPF_INGRESS_ACCOUNT_PROG_NAME "prog_netd_schedact_ingress_account"
@@ -122,6 +146,8 @@
#define UID_OWNER_MAP_PATH BPF_NETD_PATH "map_netd_uid_owner_map"
#define UID_PERMISSION_MAP_PATH BPF_NETD_PATH "map_netd_uid_permission_map"
+#endif // __cplusplus
+
enum UidOwnerMatchType {
NO_MATCH = 0,
HAPPY_BOX_MATCH = (1 << 0),
@@ -168,16 +194,6 @@
// Entry in the configuration map that stores which stats map is currently in use.
#define CURRENT_STATS_MAP_CONFIGURATION_KEY 2
-#define BPF_CLATD_PATH "/sys/fs/bpf/net_shared/"
-
-#define CLAT_INGRESS6_PROG_RAWIP_NAME "prog_clatd_schedcls_ingress6_clat_rawip"
-#define CLAT_INGRESS6_PROG_ETHER_NAME "prog_clatd_schedcls_ingress6_clat_ether"
-
-#define CLAT_INGRESS6_PROG_RAWIP_PATH BPF_CLATD_PATH CLAT_INGRESS6_PROG_RAWIP_NAME
-#define CLAT_INGRESS6_PROG_ETHER_PATH BPF_CLATD_PATH CLAT_INGRESS6_PROG_ETHER_NAME
-
-#define CLAT_INGRESS6_MAP_PATH BPF_CLATD_PATH "map_clatd_clat_ingress6_map"
-
typedef struct {
uint32_t iif; // The input interface index
struct in6_addr pfx96; // The source /96 nat64 prefix, bottom 32 bits must be 0
@@ -191,14 +207,6 @@
} ClatIngress6Value;
STRUCT_SIZE(ClatIngress6Value, 4 + 4); // 8
-#define CLAT_EGRESS4_PROG_RAWIP_NAME "prog_clatd_schedcls_egress4_clat_rawip"
-#define CLAT_EGRESS4_PROG_ETHER_NAME "prog_clatd_schedcls_egress4_clat_ether"
-
-#define CLAT_EGRESS4_PROG_RAWIP_PATH BPF_CLATD_PATH CLAT_EGRESS4_PROG_RAWIP_NAME
-#define CLAT_EGRESS4_PROG_ETHER_PATH BPF_CLATD_PATH CLAT_EGRESS4_PROG_ETHER_NAME
-
-#define CLAT_EGRESS4_MAP_PATH BPF_CLATD_PATH "map_clatd_clat_egress4_map"
-
typedef struct {
uint32_t iif; // The input interface index
struct in_addr local4; // The source IPv4 address
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 2711bef..8f72f7c 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -28,7 +28,6 @@
#include <linux/ipv6.h>
#include <linux/pkt_cls.h>
#include <linux/tcp.h>
-#include <netdutils/UidConstants.h>
#include <stdbool.h>
#include <stdint.h>
#include "bpf_net_helpers.h"
@@ -78,7 +77,9 @@
DEFINE_BPF_MAP_NO_NETD(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_INDEX_NAME_MAP_SIZE)
static __always_inline int is_system_uid(uint32_t uid) {
- return (uid <= MAX_SYSTEM_UID) && (uid >= MIN_SYSTEM_UID);
+ // MIN_SYSTEM_UID is AID_ROOT == 0, so uint32_t is *always* >= 0
+ // MAX_SYSTEM_UID is AID_NOBODY == 9999, while AID_APP_START == 10000
+ return (uid < AID_APP_START);
}
/*
@@ -317,6 +318,7 @@
return bpf_traffic_account(skb, BPF_EGRESS);
}
+// WARNING: Android T's non-updatable netd depends on the name of this program.
DEFINE_BPF_PROG("skfilter/egress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_egress_prog)
(struct __sk_buff* skb) {
// Clat daemon does not generate new traffic, all its traffic is accounted for already
@@ -336,6 +338,7 @@
return BPF_MATCH;
}
+// WARNING: Android T's non-updatable netd depends on the name of this program.
DEFINE_BPF_PROG("skfilter/ingress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_ingress_prog)
(struct __sk_buff* skb) {
// Clat daemon traffic is not accounted by virtue of iptables raw prerouting drop rule
@@ -358,6 +361,7 @@
return TC_ACT_UNSPEC;
}
+// WARNING: Android T's non-updatable netd depends on the name of this program.
DEFINE_BPF_PROG("skfilter/allowlist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_allowlist_prog)
(struct __sk_buff* skb) {
uint32_t sock_uid = bpf_get_socket_uid(skb);
@@ -375,6 +379,7 @@
return BPF_NOMATCH;
}
+// WARNING: Android T's non-updatable netd depends on the name of this program.
DEFINE_BPF_PROG("skfilter/denylist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_denylist_prog)
(struct __sk_buff* skb) {
uint32_t sock_uid = bpf_get_socket_uid(skb);
@@ -392,7 +397,7 @@
* user at install time so we only check the appId part of a request uid at
* run time. See UserHandle#isSameApp for detail.
*/
- uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
+ uint32_t appId = (gid_uid & 0xffffffff) % AID_USER_OFFSET; // == PER_USER_RANGE == 100000
uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
if (!permissions) {
// UID not in map. Default to just INTERNET permission.
diff --git a/tests/cts/hostside/src/com/android/cts/net/HostsideLinkPropertiesGatingTests.java b/tests/cts/hostside/src/com/android/cts/net/HostsideLinkPropertiesGatingTests.java
index b65fb6b..9a1fa42 100644
--- a/tests/cts/hostside/src/com/android/cts/net/HostsideLinkPropertiesGatingTests.java
+++ b/tests/cts/hostside/src/com/android/cts/net/HostsideLinkPropertiesGatingTests.java
@@ -22,6 +22,9 @@
/**
* Tests for the {@link android.net.LinkProperties#EXCLUDED_ROUTES} compatibility change.
+ *
+ * TODO: see if we can delete this cumbersome host test by moving the coverage to CtsNetTestCases
+ * and CtsNetTestCasesMaxTargetSdk31.
*/
public class HostsideLinkPropertiesGatingTests extends CompatChangeGatingTestCase {
private static final String TEST_APK = "CtsHostsideNetworkTestsApp3.apk";
@@ -45,8 +48,19 @@
runDeviceCompatTest("testExcludedRoutesChangeDisabled");
}
- public void testExcludedRoutesChangeDisabledByOverride() throws Exception {
+ public void testExcludedRoutesChangeDisabledByOverrideOnDebugBuild() throws Exception {
+ // Must install APK even when skipping test, because tearDown expects uninstall to succeed.
installPackage(TEST_APK, true);
+
+ // This test uses an app with a target SDK where the compat change is on by default.
+ // Because user builds do not allow overriding compat changes, only run this test on debug
+ // builds. This seems better than deleting this test and not running it anywhere because we
+ // could in the future run this test on userdebug builds in presubmit.
+ //
+ // We cannot use assumeXyz here because CompatChangeGatingTestCase ultimately inherits from
+ // junit.framework.TestCase, which does not understand assumption failures.
+ if ("user".equals(getDevice().getProperty("ro.build.type"))) return;
+
runDeviceCompatTestWithChangeDisabled("testExcludedRoutesChangeDisabled");
}
diff --git a/tests/cts/net/src/android/net/cts/RateLimitTest.java b/tests/cts/net/src/android/net/cts/RateLimitTest.java
index 423f213..28cec1a 100644
--- a/tests/cts/net/src/android/net/cts/RateLimitTest.java
+++ b/tests/cts/net/src/android/net/cts/RateLimitTest.java
@@ -304,7 +304,7 @@
// If this value is too low, this test might become flaky because of the burst value that
// allows to send at a higher data rate for a short period of time. The faster the data rate
// and the longer the test, the less this test will be affected.
- final long dataLimitInBytesPerSecond = 1_000_000; // 1MB/s
+ final long dataLimitInBytesPerSecond = 2_000_000; // 2MB/s
long resultInBytesPerSecond = runIngressDataRateMeasurement(Duration.ofSeconds(1));
assertGreaterThan("Failed initial test with rate limit disabled", resultInBytesPerSecond,
dataLimitInBytesPerSecond);
@@ -315,9 +315,9 @@
waitForTcPoliceFilterInstalled(Duration.ofSeconds(1));
resultInBytesPerSecond = runIngressDataRateMeasurement(Duration.ofSeconds(10));
- // Add 1% tolerance to reduce test flakiness. Burst size is constant at 128KiB.
+ // Add 10% tolerance to reduce test flakiness. Burst size is constant at 128KiB.
assertLessThan("Failed test with rate limit enabled", resultInBytesPerSecond,
- (long) (dataLimitInBytesPerSecond * 1.01));
+ (long) (dataLimitInBytesPerSecond * 1.1));
ConnectivitySettingsManager.setIngressRateLimitInBytesPerSecond(mContext, -1);