Add bpf program to control socket creation

For new kernels that support the cgroup socket filter, use bpf programs to
control the creation of inet sockets.

Bug: 111560570
Bug: 111560739
Test: dumpsys netd trafficcontroller
Change-Id: I94efcdccfcd17f08c731caa700ea5797f2f56e7d
diff --git a/progs/netd.c b/progs/netd.c
index 5f89839..73e7d28 100644
--- a/progs/netd.c
+++ b/progs/netd.c
@@ -65,4 +65,19 @@
     .max_entries = UID_OWNER_MAP_SIZE,
 };
 
+SEC("cgroupsock/inet/creat")
+int inet_socket_create(struct bpf_sock* sk) {
+    uint64_t gid_uid = bpf_get_current_uid_gid();
+    /*
+     * A given app is guaranteed to have the same app ID in all the profiles in
+     * which it is installed, and install permission is granted to app for all
+     * user at install time so we only check the appId part of a request uid at
+     * run time. See UserHandle#isSameApp for detail.
+     */
+    uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
+    uint8_t* internetPermission = find_map_entry(&uid_permission_map, &appId);
+    if (internetPermission) return *internetPermission & ALLOW_SOCK_CREATE;
+    return NO_PERMISSION;
+}
+
 char _license[] SEC("license") = "Apache 2.0";
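Review bot: The allow path `if (internetPermission) return *internetPermission & ALLOW_SOCK_CREATE;` returns the raw masked bit rather than a 0/1 verdict, and a cgroup inet-sock-create program is allowed only when it returns exactly 1, so this is correct only if ALLOW_SOCK_CREATE is literally 1 (its definition, like uid_permission_map and find_map_entry, is outside this diff). Normalizing the result, `return !!(*internetPermission & ALLOW_SOCK_CREATE);`, keeps the verdict right if the flag is ever moved to another bit. The fall-through `return NO_PERMISSION;` appears to be the default-deny path for an appId with no map entry; a comment naming that intent, `/* No entry in uid_permission_map: deny socket creation by default. */`, would make the policy explicit. It would also help to state in the function's header comment that the low 32 bits of the helper's result are the uid (the gid is in the high half), since the `& 0xffffffff` on the following line depends on it.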
diff --git a/progs/netd.h b/progs/netd.h
index ff97753..4b8ea8a 100644
--- a/progs/netd.h
+++ b/progs/netd.h
@@ -64,6 +64,7 @@
 static uint32_t (*get_socket_uid)(struct __sk_buff* skb) = (void*)BPF_FUNC_get_socket_uid;
 static int (*bpf_skb_load_bytes)(struct __sk_buff* skb, int off, void* to,
                                  int len) = (void*)BPF_FUNC_skb_load_bytes;
+static uint64_t (*bpf_get_current_uid_gid)(void) = (void*)BPF_FUNC_get_current_uid_gid;
 
 // This is defined for cgroup bpf filter only.
 #define BPF_PASS 1