1 /** 2 * Copyright (c) 2022, The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "NetdUpdatable" 18 19 #include "BpfHandler.h" 20 21 #include <linux/bpf.h> 22 #include <inttypes.h> 23 24 #include <android-base/unique_fd.h> 25 #include <android-modules-utils/sdk_level.h> 26 #include <bpf/WaitForProgsLoaded.h> 27 #include <log/log.h> 28 #include <netdutils/UidConstants.h> 29 #include <private/android_filesystem_config.h> 30 31 #include "BpfSyscallWrappers.h" 32 33 namespace android { 34 namespace net { 35 36 using base::unique_fd; 37 using base::WaitForProperty; 38 using bpf::getSocketCookie; 39 using bpf::retrieveProgram; 40 using netdutils::Status; 41 using netdutils::statusFromErrno; 42 43 constexpr int PER_UID_STATS_ENTRIES_LIMIT = 500; 44 // At most 90% of the stats map may be used by tagged traffic entries. This ensures 45 // that 10% of the map is always available to count untagged traffic, one entry per UID. 46 // Otherwise, apps would be able to avoid data usage accounting entirely by filling up the 47 // map with tagged traffic entries. 48 constexpr int TOTAL_UID_STATS_ENTRIES_LIMIT = STATS_MAP_SIZE * 0.9; 49 50 static_assert(STATS_MAP_SIZE - TOTAL_UID_STATS_ENTRIES_LIMIT > 100, 51 "The limit for stats map is to high, stats data may be lost due to overflow"); 52 attachProgramToCgroup(const char * programPath,const unique_fd & cgroupFd,bpf_attach_type type)53 static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd, 54 bpf_attach_type type) { 55 unique_fd cgroupProg(retrieveProgram(programPath)); 56 if (!cgroupProg.ok()) { 57 return statusFromErrno(errno, fmt::format("Failed to get program from {}", programPath)); 58 } 59 if (android::bpf::attachProgram(type, cgroupProg, cgroupFd)) { 60 return statusFromErrno(errno, fmt::format("Program {} attach failed", programPath)); 61 } 62 return netdutils::status::ok; 63 } 64 checkProgramAccessible(const char * programPath)65 static Status checkProgramAccessible(const char* programPath) { 66 unique_fd prog(retrieveProgram(programPath)); 67 if (!prog.ok()) { 68 return statusFromErrno(errno, fmt::format("Failed to get program from {}", programPath)); 69 } 70 return netdutils::status::ok; 71 } 72 initPrograms(const char * cg2_path)73 static Status initPrograms(const char* cg2_path) { 74 if (!cg2_path) return Status("cg2_path is NULL"); 75 76 // This code was mainlined in T, so this should be trivially satisfied. 77 if (!modules::sdklevel::IsAtLeastT()) return Status("S- platform is unsupported"); 78 79 // S requires eBPF support which was only added in 4.9, so this should be satisfied. 80 if (!bpf::isAtLeastKernelVersion(4, 9, 0)) { 81 return Status("kernel version < 4.9.0 is unsupported"); 82 } 83 84 // U bumps the kernel requirement up to 4.14 85 if (modules::sdklevel::IsAtLeastU() && !bpf::isAtLeastKernelVersion(4, 14, 0)) { 86 return Status("U+ platform with kernel version < 4.14.0 is unsupported"); 87 } 88 89 // U mandates this mount point (though it should also be the case on T) 90 if (modules::sdklevel::IsAtLeastU() && !!strcmp(cg2_path, "/sys/fs/cgroup")) { 91 return Status("U+ platform with cg2_path != /sys/fs/cgroup is unsupported"); 92 } 93 94 unique_fd cg_fd(open(cg2_path, O_DIRECTORY | O_RDONLY | O_CLOEXEC)); 95 if (!cg_fd.ok()) { 96 const int err = errno; 97 ALOGE("Failed to open the cgroup directory: %s", strerror(err)); 98 return statusFromErrno(err, "Open the cgroup directory failed"); 99 } 100 101 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_ALLOWLIST_PROG_PATH)); 102 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_DENYLIST_PROG_PATH)); 103 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_EGRESS_PROG_PATH)); 104 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_INGRESS_PROG_PATH)); 105 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS)); 106 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS)); 107 108 // For the devices that support cgroup socket filter, the socket filter 109 // should be loaded successfully by bpfloader. So we attach the filter to 110 // cgroup if the program is pinned properly. 111 // TODO: delete the if statement once all devices should support cgroup 112 // socket filter (ie. the minimum kernel version required is 4.14). 113 if (bpf::isAtLeastKernelVersion(4, 14, 0)) { 114 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_INET_CREATE_PROG_PATH, 115 cg_fd, BPF_CGROUP_INET_SOCK_CREATE)); 116 } 117 118 if (bpf::isAtLeastKernelVersion(5, 10, 0)) { 119 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_INET_RELEASE_PROG_PATH, 120 cg_fd, BPF_CGROUP_INET_SOCK_RELEASE)); 121 } 122 123 if (modules::sdklevel::IsAtLeastV()) { 124 // V requires 4.19+, so technically this 2nd 'if' is not required, but it 125 // doesn't hurt us to try to support AOSP forks that try to support older kernels. 126 if (bpf::isAtLeastKernelVersion(4, 19, 0)) { 127 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_CONNECT4_PROG_PATH, 128 cg_fd, BPF_CGROUP_INET4_CONNECT)); 129 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_CONNECT6_PROG_PATH, 130 cg_fd, BPF_CGROUP_INET6_CONNECT)); 131 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP4_RECVMSG_PROG_PATH, 132 cg_fd, BPF_CGROUP_UDP4_RECVMSG)); 133 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP6_RECVMSG_PROG_PATH, 134 cg_fd, BPF_CGROUP_UDP6_RECVMSG)); 135 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP4_SENDMSG_PROG_PATH, 136 cg_fd, BPF_CGROUP_UDP4_SENDMSG)); 137 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP6_SENDMSG_PROG_PATH, 138 cg_fd, BPF_CGROUP_UDP6_SENDMSG)); 139 } 140 141 if (bpf::isAtLeastKernelVersion(5, 4, 0)) { 142 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_GETSOCKOPT_PROG_PATH, 143 cg_fd, BPF_CGROUP_GETSOCKOPT)); 144 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_SETSOCKOPT_PROG_PATH, 145 cg_fd, BPF_CGROUP_SETSOCKOPT)); 146 } 147 } 148 149 if (bpf::isAtLeastKernelVersion(4, 19, 0)) { 150 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_BIND4_PROG_PATH, 151 cg_fd, BPF_CGROUP_INET4_BIND)); 152 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_BIND6_PROG_PATH, 153 cg_fd, BPF_CGROUP_INET6_BIND)); 154 155 // This should trivially pass, since we just attached up above, 156 // but BPF_PROG_QUERY is only implemented on 4.19+ kernels. 157 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_EGRESS) <= 0) abort(); 158 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_INGRESS) <= 0) abort(); 159 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_SOCK_CREATE) <= 0) abort(); 160 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET4_BIND) <= 0) abort(); 161 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET6_BIND) <= 0) abort(); 162 } 163 164 if (bpf::isAtLeastKernelVersion(5, 10, 0)) { 165 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_SOCK_RELEASE) <= 0) abort(); 166 } 167 168 if (modules::sdklevel::IsAtLeastV()) { 169 // V requires 4.19+, so technically this 2nd 'if' is not required, but it 170 // doesn't hurt us to try to support AOSP forks that try to support older kernels. 171 if (bpf::isAtLeastKernelVersion(4, 19, 0)) { 172 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET4_CONNECT) <= 0) abort(); 173 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET6_CONNECT) <= 0) abort(); 174 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP4_RECVMSG) <= 0) abort(); 175 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP6_RECVMSG) <= 0) abort(); 176 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP4_SENDMSG) <= 0) abort(); 177 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP6_SENDMSG) <= 0) abort(); 178 } 179 180 if (bpf::isAtLeastKernelVersion(5, 4, 0)) { 181 if (bpf::queryProgram(cg_fd, BPF_CGROUP_GETSOCKOPT) <= 0) abort(); 182 if (bpf::queryProgram(cg_fd, BPF_CGROUP_SETSOCKOPT) <= 0) abort(); 183 } 184 } 185 186 return netdutils::status::ok; 187 } 188 BpfHandler()189 BpfHandler::BpfHandler() 190 : mPerUidStatsEntriesLimit(PER_UID_STATS_ENTRIES_LIMIT), 191 mTotalUidStatsEntriesLimit(TOTAL_UID_STATS_ENTRIES_LIMIT) {} 192 BpfHandler(uint32_t perUidLimit,uint32_t totalLimit)193 BpfHandler::BpfHandler(uint32_t perUidLimit, uint32_t totalLimit) 194 : mPerUidStatsEntriesLimit(perUidLimit), mTotalUidStatsEntriesLimit(totalLimit) {} 195 mainlineNetBpfLoadDone()196 static bool mainlineNetBpfLoadDone() { 197 return !access("/sys/fs/bpf/netd_shared/mainline_done", F_OK); 198 } 199 200 // copied with minor changes from waitForProgsLoaded() 201 // p/m/C's staticlibs/native/bpf_headers/include/bpf/WaitForProgsLoaded.h waitForNetProgsLoaded()202 static inline void waitForNetProgsLoaded() { 203 // infinite loop until success with 5/10/20/40/60/60/60... delay 204 for (int delay = 5;; delay *= 2) { 205 if (delay > 60) delay = 60; 206 if (WaitForProperty("init.svc.mdnsd_netbpfload", "stopped", std::chrono::seconds(delay)) 207 && mainlineNetBpfLoadDone()) 208 return; 209 ALOGW("Waited %ds for init.svc.mdnsd_netbpfload=stopped, still waiting...", delay); 210 } 211 } 212 waitForBpf()213 static inline void waitForBpf() { 214 // Note: netd *can* be restarted, so this might get called a second time after boot is complete 215 // at which point we don't need to (and shouldn't) wait for (more importantly start) loading bpf 216 217 if (base::GetProperty("bpf.progs_loaded", "") != "1") { 218 // AOSP platform netd & mainline don't need this (at least prior to U QPR3), 219 // but there could be platform provided (xt_)bpf programs that oem/vendor 220 // modified netd (which calls us during init) depends on... 221 ALOGI("Waiting for platform BPF programs"); 222 android::bpf::waitForProgsLoaded(); 223 } 224 225 if (!mainlineNetBpfLoadDone()) { 226 // We're on < U QPR3 & it's the first time netd is starting up (unless crashlooping) 227 // 228 // On U QPR3+ netbpfload is guaranteed to run before the platform bpfloader, 229 // so waitForProgsLoaded() implies mainlineNetBpfLoadDone(). 230 if (!base::SetProperty("ctl.start", "mdnsd_netbpfload")) { 231 ALOGE("Failed to set property ctl.start=mdnsd_netbpfload, see dmesg for reason."); 232 abort(); 233 } 234 235 ALOGI("Waiting for Networking BPF programs"); 236 waitForNetProgsLoaded(); 237 ALOGI("Networking BPF programs are loaded"); 238 } 239 240 ALOGI("BPF programs are loaded"); 241 } 242 init(const char * cg2_path)243 Status BpfHandler::init(const char* cg2_path) { 244 // This wait is effectively a no-op on U QPR3+ devices (as netd starts 245 // *after* the synchronous 'exec_start bpfloader' which calls NetBpfLoad) 246 // but checking for U QPR3 is hard. 247 // 248 // Waiting should not be required on U QPR3+ devices, 249 // ... 250 // 251 // ...unless someone changed 'exec_start bpfloader' to 'start bpfloader' 252 // in the rc file. 253 // 254 // TODO: should be: if (!modules::sdklevel::IsAtLeastW()) 255 if (android_get_device_api_level() <= __ANDROID_API_V__) waitForBpf(); 256 257 RETURN_IF_NOT_OK(initPrograms(cg2_path)); 258 RETURN_IF_NOT_OK(initMaps()); 259 260 return netdutils::status::ok; 261 } 262 mapLockTest(void)263 static void mapLockTest(void) { 264 // The maps must be R/W, and as yet unopened (or more specifically not yet lock'ed). 265 const char * const m1 = BPF_NETD_PATH "map_netd_lock_array_test_map"; 266 const char * const m2 = BPF_NETD_PATH "map_netd_lock_hash_test_map"; 267 268 unique_fd fd0(bpf::mapRetrieveExclusiveRW(m1)); if (!fd0.ok()) abort(); // grabs exclusive lock 269 270 unique_fd fd1(bpf::mapRetrieveExclusiveRW(m2)); if (!fd1.ok()) abort(); // no conflict with fd0 271 unique_fd fd2(bpf::mapRetrieveExclusiveRW(m2)); if ( fd2.ok()) abort(); // busy due to fd1 272 unique_fd fd3(bpf::mapRetrieveRO(m2)); if (!fd3.ok()) abort(); // no lock taken 273 unique_fd fd4(bpf::mapRetrieveRW(m2)); if ( fd4.ok()) abort(); // busy due to fd1 274 fd1.reset(); // releases exclusive lock 275 unique_fd fd5(bpf::mapRetrieveRO(m2)); if (!fd5.ok()) abort(); // no lock taken 276 unique_fd fd6(bpf::mapRetrieveRW(m2)); if (!fd6.ok()) abort(); // now ok 277 unique_fd fd7(bpf::mapRetrieveRO(m2)); if (!fd7.ok()) abort(); // no lock taken 278 unique_fd fd8(bpf::mapRetrieveExclusiveRW(m2)); if ( fd8.ok()) abort(); // busy due to fd6 279 280 fd0.reset(); // releases exclusive lock 281 unique_fd fd9(bpf::mapRetrieveWO(m1)); if (!fd9.ok()) abort(); // grabs exclusive lock 282 } 283 initMaps()284 Status BpfHandler::initMaps() { 285 // bpfLock() requires bpfGetFdMapId which is only available on 4.14+ kernels. 286 if (bpf::isAtLeastKernelVersion(4, 14, 0)) { 287 mapLockTest(); 288 } 289 290 RETURN_IF_NOT_OK(mStatsMapA.init(STATS_MAP_A_PATH)); 291 RETURN_IF_NOT_OK(mStatsMapB.init(STATS_MAP_B_PATH)); 292 RETURN_IF_NOT_OK(mConfigurationMap.init(CONFIGURATION_MAP_PATH)); 293 RETURN_IF_NOT_OK(mUidPermissionMap.init(UID_PERMISSION_MAP_PATH)); 294 // initialized last so mCookieTagMap.isValid() implies everything else is valid too 295 RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH)); 296 ALOGI("%s successfully", __func__); 297 298 return netdutils::status::ok; 299 } 300 hasUpdateDeviceStatsPermission(uid_t uid)301 bool BpfHandler::hasUpdateDeviceStatsPermission(uid_t uid) { 302 // This implementation is the same logic as method ActivityManager#checkComponentPermission. 303 // It implies that the real uid can never be the same as PER_USER_RANGE. 304 uint32_t appId = uid % PER_USER_RANGE; 305 auto permission = mUidPermissionMap.readValue(appId); 306 if (permission.ok() && (permission.value() & BPF_PERMISSION_UPDATE_DEVICE_STATS)) { 307 return true; 308 } 309 return ((appId == AID_ROOT) || (appId == AID_SYSTEM) || (appId == AID_DNS)); 310 } 311 tagSocket(int sockFd,uint32_t tag,uid_t chargeUid,uid_t realUid)312 int BpfHandler::tagSocket(int sockFd, uint32_t tag, uid_t chargeUid, uid_t realUid) { 313 if (!mCookieTagMap.isValid()) return -EPERM; 314 315 if (chargeUid != realUid && !hasUpdateDeviceStatsPermission(realUid)) return -EPERM; 316 317 // Note that tagging the socket to AID_CLAT is only implemented in JNI ClatCoordinator. 318 // The process is not allowed to tag socket to AID_CLAT via tagSocket() which would cause 319 // process data usage accounting to be bypassed. Tagging AID_CLAT is used for avoiding counting 320 // CLAT traffic data usage twice. See packages/modules/Connectivity/service/jni/ 321 // com_android_server_connectivity_ClatCoordinator.cpp 322 if (chargeUid == AID_CLAT) return -EPERM; 323 324 // The socket destroy listener only monitors on the group {INET_TCP, INET_UDP, INET6_TCP, 325 // INET6_UDP}. Tagging listener unsupported socket causes that the tag can't be removed from 326 // tag map automatically. Eventually, the tag map may run out of space because of dead tag 327 // entries. Note that although tagSocket() of net client has already denied the family which 328 // is neither AF_INET nor AF_INET6, the family validation is still added here just in case. 329 // See tagSocket in system/netd/client/NetdClient.cpp and 330 // TrafficController::makeSkDestroyListener in 331 // packages/modules/Connectivity/service/native/TrafficController.cpp 332 // TODO: remove this once the socket destroy listener can detect more types of socket destroy. 333 int socketFamily; 334 socklen_t familyLen = sizeof(socketFamily); 335 if (getsockopt(sockFd, SOL_SOCKET, SO_DOMAIN, &socketFamily, &familyLen)) { 336 ALOGE("Failed to getsockopt SO_DOMAIN: %s, fd: %d", strerror(errno), sockFd); 337 return -errno; 338 } 339 if (socketFamily != AF_INET && socketFamily != AF_INET6) { 340 ALOGE("Unsupported family: %d", socketFamily); 341 return -EAFNOSUPPORT; 342 } 343 344 int socketProto; 345 socklen_t protoLen = sizeof(socketProto); 346 if (getsockopt(sockFd, SOL_SOCKET, SO_PROTOCOL, &socketProto, &protoLen)) { 347 ALOGE("Failed to getsockopt SO_PROTOCOL: %s, fd: %d", strerror(errno), sockFd); 348 return -errno; 349 } 350 if (socketProto != IPPROTO_UDP && socketProto != IPPROTO_TCP) { 351 ALOGE("Unsupported protocol: %d", socketProto); 352 return -EPROTONOSUPPORT; 353 } 354 355 uint64_t sock_cookie = getSocketCookie(sockFd); 356 if (!sock_cookie) return -errno; 357 358 UidTagValue newKey = {.uid = (uint32_t)chargeUid, .tag = tag}; 359 360 uint32_t totalEntryCount = 0; 361 uint32_t perUidEntryCount = 0; 362 // Now we go through the stats map and count how many entries are associated 363 // with chargeUid. If the uid entry hit the limit for each chargeUid, we block 364 // the request to prevent the map from overflow. Note though that it isn't really 365 // safe here to iterate over the map since it might be modified by the system server, 366 // which might toggle the live stats map and clean it. 367 const auto countUidStatsEntries = [chargeUid, &totalEntryCount, &perUidEntryCount]( 368 const StatsKey& key, 369 const BpfMapRO<StatsKey, StatsValue>&) { 370 if (key.uid == chargeUid) { 371 perUidEntryCount++; 372 } 373 totalEntryCount++; 374 return base::Result<void>(); 375 }; 376 auto configuration = mConfigurationMap.readValue(CURRENT_STATS_MAP_CONFIGURATION_KEY); 377 if (!configuration.ok()) { 378 ALOGE("Failed to get current configuration: %s", 379 strerror(configuration.error().code())); 380 return -configuration.error().code(); 381 } 382 if (configuration.value() != SELECT_MAP_A && configuration.value() != SELECT_MAP_B) { 383 ALOGE("unknown configuration value: %d", configuration.value()); 384 return -EINVAL; 385 } 386 387 BpfMapRO<StatsKey, StatsValue>& currentMap = 388 (configuration.value() == SELECT_MAP_A) ? mStatsMapA : mStatsMapB; 389 base::Result<void> res = currentMap.iterate(countUidStatsEntries); 390 if (!res.ok()) { 391 ALOGE("Failed to count the stats entry in map: %s", 392 strerror(res.error().code())); 393 return -res.error().code(); 394 } 395 396 if (totalEntryCount > mTotalUidStatsEntriesLimit || 397 perUidEntryCount > mPerUidStatsEntriesLimit) { 398 ALOGE("Too many stats entries in the map, total count: %u, chargeUid(%u) count: %u," 399 " blocking tag request to prevent map overflow", 400 totalEntryCount, chargeUid, perUidEntryCount); 401 return -EMFILE; 402 } 403 // Update the tag information of a socket to the cookieUidMap. Use BPF_ANY 404 // flag so it will insert a new entry to the map if that value doesn't exist 405 // yet and update the tag if there is already a tag stored. Since the eBPF 406 // program in kernel only read this map, and is protected by rcu read lock. It 407 // should be fine to concurrently update the map while eBPF program is running. 408 res = mCookieTagMap.writeValue(sock_cookie, newKey, BPF_ANY); 409 if (!res.ok()) { 410 ALOGE("Failed to tag the socket: %s", strerror(res.error().code())); 411 return -res.error().code(); 412 } 413 ALOGD("Socket with cookie %" PRIu64 " tagged successfully with tag %" PRIu32 " uid %u " 414 "and real uid %u", sock_cookie, tag, chargeUid, realUid); 415 return 0; 416 } 417 untagSocket(int sockFd)418 int BpfHandler::untagSocket(int sockFd) { 419 uint64_t sock_cookie = getSocketCookie(sockFd); 420 if (!sock_cookie) return -errno; 421 422 if (!mCookieTagMap.isValid()) return -EPERM; 423 base::Result<void> res = mCookieTagMap.deleteValue(sock_cookie); 424 if (!res.ok()) { 425 ALOGE("Failed to untag socket: %s", strerror(res.error().code())); 426 return -res.error().code(); 427 } 428 ALOGD("Socket with cookie %" PRIu64 " untagged successfully.", sock_cookie); 429 return 0; 430 } 431 432 } // namespace net 433 } // namespace android 434