1 /**
2 * Copyright (c) 2022, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "NetdUpdatable"
18
19 #include "BpfHandler.h"
20
21 #include <linux/bpf.h>
22 #include <inttypes.h>
23
24 #include <android-base/unique_fd.h>
25 #include <android-modules-utils/sdk_level.h>
26 #include <bpf/WaitForProgsLoaded.h>
27 #include <log/log.h>
28 #include <netdutils/UidConstants.h>
29 #include <private/android_filesystem_config.h>
30
31 #include "BpfSyscallWrappers.h"
32
33 namespace android {
34 namespace net {
35
36 using base::unique_fd;
37 using base::WaitForProperty;
38 using bpf::getSocketCookie;
39 using bpf::retrieveProgram;
40 using netdutils::Status;
41 using netdutils::statusFromErrno;
42
43 constexpr int PER_UID_STATS_ENTRIES_LIMIT = 500;
44 // At most 90% of the stats map may be used by tagged traffic entries. This ensures
45 // that 10% of the map is always available to count untagged traffic, one entry per UID.
46 // Otherwise, apps would be able to avoid data usage accounting entirely by filling up the
47 // map with tagged traffic entries.
48 constexpr int TOTAL_UID_STATS_ENTRIES_LIMIT = STATS_MAP_SIZE * 0.9;
49
50 static_assert(STATS_MAP_SIZE - TOTAL_UID_STATS_ENTRIES_LIMIT > 100,
51 "The limit for stats map is to high, stats data may be lost due to overflow");
52
attachProgramToCgroup(const char * programPath,const unique_fd & cgroupFd,bpf_attach_type type)53 static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd,
54 bpf_attach_type type) {
55 unique_fd cgroupProg(retrieveProgram(programPath));
56 if (!cgroupProg.ok()) {
57 return statusFromErrno(errno, fmt::format("Failed to get program from {}", programPath));
58 }
59 if (android::bpf::attachProgram(type, cgroupProg, cgroupFd)) {
60 return statusFromErrno(errno, fmt::format("Program {} attach failed", programPath));
61 }
62 return netdutils::status::ok;
63 }
64
checkProgramAccessible(const char * programPath)65 static Status checkProgramAccessible(const char* programPath) {
66 unique_fd prog(retrieveProgram(programPath));
67 if (!prog.ok()) {
68 return statusFromErrno(errno, fmt::format("Failed to get program from {}", programPath));
69 }
70 return netdutils::status::ok;
71 }
72
initPrograms(const char * cg2_path)73 static Status initPrograms(const char* cg2_path) {
74 if (!cg2_path) return Status("cg2_path is NULL");
75
76 // This code was mainlined in T, so this should be trivially satisfied.
77 if (!modules::sdklevel::IsAtLeastT()) return Status("S- platform is unsupported");
78
79 // S requires eBPF support which was only added in 4.9, so this should be satisfied.
80 if (!bpf::isAtLeastKernelVersion(4, 9, 0)) {
81 return Status("kernel version < 4.9.0 is unsupported");
82 }
83
84 // U bumps the kernel requirement up to 4.14
85 if (modules::sdklevel::IsAtLeastU() && !bpf::isAtLeastKernelVersion(4, 14, 0)) {
86 return Status("U+ platform with kernel version < 4.14.0 is unsupported");
87 }
88
89 // U mandates this mount point (though it should also be the case on T)
90 if (modules::sdklevel::IsAtLeastU() && !!strcmp(cg2_path, "/sys/fs/cgroup")) {
91 return Status("U+ platform with cg2_path != /sys/fs/cgroup is unsupported");
92 }
93
94 unique_fd cg_fd(open(cg2_path, O_DIRECTORY | O_RDONLY | O_CLOEXEC));
95 if (!cg_fd.ok()) {
96 const int err = errno;
97 ALOGE("Failed to open the cgroup directory: %s", strerror(err));
98 return statusFromErrno(err, "Open the cgroup directory failed");
99 }
100
101 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_ALLOWLIST_PROG_PATH));
102 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_DENYLIST_PROG_PATH));
103 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_EGRESS_PROG_PATH));
104 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_INGRESS_PROG_PATH));
105 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS));
106 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS));
107
108 // For the devices that support cgroup socket filter, the socket filter
109 // should be loaded successfully by bpfloader. So we attach the filter to
110 // cgroup if the program is pinned properly.
111 // TODO: delete the if statement once all devices should support cgroup
112 // socket filter (ie. the minimum kernel version required is 4.14).
113 if (bpf::isAtLeastKernelVersion(4, 14, 0)) {
114 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_INET_CREATE_PROG_PATH,
115 cg_fd, BPF_CGROUP_INET_SOCK_CREATE));
116 }
117
118 if (bpf::isAtLeastKernelVersion(5, 10, 0)) {
119 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_INET_RELEASE_PROG_PATH,
120 cg_fd, BPF_CGROUP_INET_SOCK_RELEASE));
121 }
122
123 if (modules::sdklevel::IsAtLeastV()) {
124 // V requires 4.19+, so technically this 2nd 'if' is not required, but it
125 // doesn't hurt us to try to support AOSP forks that try to support older kernels.
126 if (bpf::isAtLeastKernelVersion(4, 19, 0)) {
127 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_CONNECT4_PROG_PATH,
128 cg_fd, BPF_CGROUP_INET4_CONNECT));
129 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_CONNECT6_PROG_PATH,
130 cg_fd, BPF_CGROUP_INET6_CONNECT));
131 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP4_RECVMSG_PROG_PATH,
132 cg_fd, BPF_CGROUP_UDP4_RECVMSG));
133 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP6_RECVMSG_PROG_PATH,
134 cg_fd, BPF_CGROUP_UDP6_RECVMSG));
135 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP4_SENDMSG_PROG_PATH,
136 cg_fd, BPF_CGROUP_UDP4_SENDMSG));
137 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP6_SENDMSG_PROG_PATH,
138 cg_fd, BPF_CGROUP_UDP6_SENDMSG));
139 }
140
141 if (bpf::isAtLeastKernelVersion(5, 4, 0)) {
142 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_GETSOCKOPT_PROG_PATH,
143 cg_fd, BPF_CGROUP_GETSOCKOPT));
144 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_SETSOCKOPT_PROG_PATH,
145 cg_fd, BPF_CGROUP_SETSOCKOPT));
146 }
147 }
148
149 if (bpf::isAtLeastKernelVersion(4, 19, 0)) {
150 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_BIND4_PROG_PATH,
151 cg_fd, BPF_CGROUP_INET4_BIND));
152 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_BIND6_PROG_PATH,
153 cg_fd, BPF_CGROUP_INET6_BIND));
154
155 // This should trivially pass, since we just attached up above,
156 // but BPF_PROG_QUERY is only implemented on 4.19+ kernels.
157 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_EGRESS) <= 0) abort();
158 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_INGRESS) <= 0) abort();
159 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_SOCK_CREATE) <= 0) abort();
160 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET4_BIND) <= 0) abort();
161 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET6_BIND) <= 0) abort();
162 }
163
164 if (bpf::isAtLeastKernelVersion(5, 10, 0)) {
165 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_SOCK_RELEASE) <= 0) abort();
166 }
167
168 if (modules::sdklevel::IsAtLeastV()) {
169 // V requires 4.19+, so technically this 2nd 'if' is not required, but it
170 // doesn't hurt us to try to support AOSP forks that try to support older kernels.
171 if (bpf::isAtLeastKernelVersion(4, 19, 0)) {
172 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET4_CONNECT) <= 0) abort();
173 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET6_CONNECT) <= 0) abort();
174 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP4_RECVMSG) <= 0) abort();
175 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP6_RECVMSG) <= 0) abort();
176 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP4_SENDMSG) <= 0) abort();
177 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP6_SENDMSG) <= 0) abort();
178 }
179
180 if (bpf::isAtLeastKernelVersion(5, 4, 0)) {
181 if (bpf::queryProgram(cg_fd, BPF_CGROUP_GETSOCKOPT) <= 0) abort();
182 if (bpf::queryProgram(cg_fd, BPF_CGROUP_SETSOCKOPT) <= 0) abort();
183 }
184 }
185
186 return netdutils::status::ok;
187 }
188
BpfHandler()189 BpfHandler::BpfHandler()
190 : mPerUidStatsEntriesLimit(PER_UID_STATS_ENTRIES_LIMIT),
191 mTotalUidStatsEntriesLimit(TOTAL_UID_STATS_ENTRIES_LIMIT) {}
192
BpfHandler(uint32_t perUidLimit,uint32_t totalLimit)193 BpfHandler::BpfHandler(uint32_t perUidLimit, uint32_t totalLimit)
194 : mPerUidStatsEntriesLimit(perUidLimit), mTotalUidStatsEntriesLimit(totalLimit) {}
195
mainlineNetBpfLoadDone()196 static bool mainlineNetBpfLoadDone() {
197 return !access("/sys/fs/bpf/netd_shared/mainline_done", F_OK);
198 }
199
200 // copied with minor changes from waitForProgsLoaded()
201 // p/m/C's staticlibs/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
waitForNetProgsLoaded()202 static inline void waitForNetProgsLoaded() {
203 // infinite loop until success with 5/10/20/40/60/60/60... delay
204 for (int delay = 5;; delay *= 2) {
205 if (delay > 60) delay = 60;
206 if (WaitForProperty("init.svc.mdnsd_netbpfload", "stopped", std::chrono::seconds(delay))
207 && mainlineNetBpfLoadDone())
208 return;
209 ALOGW("Waited %ds for init.svc.mdnsd_netbpfload=stopped, still waiting...", delay);
210 }
211 }
212
waitForBpf()213 static inline void waitForBpf() {
214 // Note: netd *can* be restarted, so this might get called a second time after boot is complete
215 // at which point we don't need to (and shouldn't) wait for (more importantly start) loading bpf
216
217 if (base::GetProperty("bpf.progs_loaded", "") != "1") {
218 // AOSP platform netd & mainline don't need this (at least prior to U QPR3),
219 // but there could be platform provided (xt_)bpf programs that oem/vendor
220 // modified netd (which calls us during init) depends on...
221 ALOGI("Waiting for platform BPF programs");
222 android::bpf::waitForProgsLoaded();
223 }
224
225 if (!mainlineNetBpfLoadDone()) {
226 // We're on < U QPR3 & it's the first time netd is starting up (unless crashlooping)
227 //
228 // On U QPR3+ netbpfload is guaranteed to run before the platform bpfloader,
229 // so waitForProgsLoaded() implies mainlineNetBpfLoadDone().
230 if (!base::SetProperty("ctl.start", "mdnsd_netbpfload")) {
231 ALOGE("Failed to set property ctl.start=mdnsd_netbpfload, see dmesg for reason.");
232 abort();
233 }
234
235 ALOGI("Waiting for Networking BPF programs");
236 waitForNetProgsLoaded();
237 ALOGI("Networking BPF programs are loaded");
238 }
239
240 ALOGI("BPF programs are loaded");
241 }
242
init(const char * cg2_path)243 Status BpfHandler::init(const char* cg2_path) {
244 // This wait is effectively a no-op on U QPR3+ devices (as netd starts
245 // *after* the synchronous 'exec_start bpfloader' which calls NetBpfLoad)
246 // but checking for U QPR3 is hard.
247 //
248 // Waiting should not be required on U QPR3+ devices,
249 // ...
250 //
251 // ...unless someone changed 'exec_start bpfloader' to 'start bpfloader'
252 // in the rc file.
253 //
254 // TODO: should be: if (!modules::sdklevel::IsAtLeastW())
255 if (android_get_device_api_level() <= __ANDROID_API_V__) waitForBpf();
256
257 RETURN_IF_NOT_OK(initPrograms(cg2_path));
258 RETURN_IF_NOT_OK(initMaps());
259
260 return netdutils::status::ok;
261 }
262
mapLockTest(void)263 static void mapLockTest(void) {
264 // The maps must be R/W, and as yet unopened (or more specifically not yet lock'ed).
265 const char * const m1 = BPF_NETD_PATH "map_netd_lock_array_test_map";
266 const char * const m2 = BPF_NETD_PATH "map_netd_lock_hash_test_map";
267
268 unique_fd fd0(bpf::mapRetrieveExclusiveRW(m1)); if (!fd0.ok()) abort(); // grabs exclusive lock
269
270 unique_fd fd1(bpf::mapRetrieveExclusiveRW(m2)); if (!fd1.ok()) abort(); // no conflict with fd0
271 unique_fd fd2(bpf::mapRetrieveExclusiveRW(m2)); if ( fd2.ok()) abort(); // busy due to fd1
272 unique_fd fd3(bpf::mapRetrieveRO(m2)); if (!fd3.ok()) abort(); // no lock taken
273 unique_fd fd4(bpf::mapRetrieveRW(m2)); if ( fd4.ok()) abort(); // busy due to fd1
274 fd1.reset(); // releases exclusive lock
275 unique_fd fd5(bpf::mapRetrieveRO(m2)); if (!fd5.ok()) abort(); // no lock taken
276 unique_fd fd6(bpf::mapRetrieveRW(m2)); if (!fd6.ok()) abort(); // now ok
277 unique_fd fd7(bpf::mapRetrieveRO(m2)); if (!fd7.ok()) abort(); // no lock taken
278 unique_fd fd8(bpf::mapRetrieveExclusiveRW(m2)); if ( fd8.ok()) abort(); // busy due to fd6
279
280 fd0.reset(); // releases exclusive lock
281 unique_fd fd9(bpf::mapRetrieveWO(m1)); if (!fd9.ok()) abort(); // grabs exclusive lock
282 }
283
initMaps()284 Status BpfHandler::initMaps() {
285 // bpfLock() requires bpfGetFdMapId which is only available on 4.14+ kernels.
286 if (bpf::isAtLeastKernelVersion(4, 14, 0)) {
287 mapLockTest();
288 }
289
290 RETURN_IF_NOT_OK(mStatsMapA.init(STATS_MAP_A_PATH));
291 RETURN_IF_NOT_OK(mStatsMapB.init(STATS_MAP_B_PATH));
292 RETURN_IF_NOT_OK(mConfigurationMap.init(CONFIGURATION_MAP_PATH));
293 RETURN_IF_NOT_OK(mUidPermissionMap.init(UID_PERMISSION_MAP_PATH));
294 // initialized last so mCookieTagMap.isValid() implies everything else is valid too
295 RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH));
296 ALOGI("%s successfully", __func__);
297
298 return netdutils::status::ok;
299 }
300
hasUpdateDeviceStatsPermission(uid_t uid)301 bool BpfHandler::hasUpdateDeviceStatsPermission(uid_t uid) {
302 // This implementation is the same logic as method ActivityManager#checkComponentPermission.
303 // It implies that the real uid can never be the same as PER_USER_RANGE.
304 uint32_t appId = uid % PER_USER_RANGE;
305 auto permission = mUidPermissionMap.readValue(appId);
306 if (permission.ok() && (permission.value() & BPF_PERMISSION_UPDATE_DEVICE_STATS)) {
307 return true;
308 }
309 return ((appId == AID_ROOT) || (appId == AID_SYSTEM) || (appId == AID_DNS));
310 }
311
tagSocket(int sockFd,uint32_t tag,uid_t chargeUid,uid_t realUid)312 int BpfHandler::tagSocket(int sockFd, uint32_t tag, uid_t chargeUid, uid_t realUid) {
313 if (!mCookieTagMap.isValid()) return -EPERM;
314
315 if (chargeUid != realUid && !hasUpdateDeviceStatsPermission(realUid)) return -EPERM;
316
317 // Note that tagging the socket to AID_CLAT is only implemented in JNI ClatCoordinator.
318 // The process is not allowed to tag socket to AID_CLAT via tagSocket() which would cause
319 // process data usage accounting to be bypassed. Tagging AID_CLAT is used for avoiding counting
320 // CLAT traffic data usage twice. See packages/modules/Connectivity/service/jni/
321 // com_android_server_connectivity_ClatCoordinator.cpp
322 if (chargeUid == AID_CLAT) return -EPERM;
323
324 // The socket destroy listener only monitors on the group {INET_TCP, INET_UDP, INET6_TCP,
325 // INET6_UDP}. Tagging listener unsupported socket causes that the tag can't be removed from
326 // tag map automatically. Eventually, the tag map may run out of space because of dead tag
327 // entries. Note that although tagSocket() of net client has already denied the family which
328 // is neither AF_INET nor AF_INET6, the family validation is still added here just in case.
329 // See tagSocket in system/netd/client/NetdClient.cpp and
330 // TrafficController::makeSkDestroyListener in
331 // packages/modules/Connectivity/service/native/TrafficController.cpp
332 // TODO: remove this once the socket destroy listener can detect more types of socket destroy.
333 int socketFamily;
334 socklen_t familyLen = sizeof(socketFamily);
335 if (getsockopt(sockFd, SOL_SOCKET, SO_DOMAIN, &socketFamily, &familyLen)) {
336 ALOGE("Failed to getsockopt SO_DOMAIN: %s, fd: %d", strerror(errno), sockFd);
337 return -errno;
338 }
339 if (socketFamily != AF_INET && socketFamily != AF_INET6) {
340 ALOGE("Unsupported family: %d", socketFamily);
341 return -EAFNOSUPPORT;
342 }
343
344 int socketProto;
345 socklen_t protoLen = sizeof(socketProto);
346 if (getsockopt(sockFd, SOL_SOCKET, SO_PROTOCOL, &socketProto, &protoLen)) {
347 ALOGE("Failed to getsockopt SO_PROTOCOL: %s, fd: %d", strerror(errno), sockFd);
348 return -errno;
349 }
350 if (socketProto != IPPROTO_UDP && socketProto != IPPROTO_TCP) {
351 ALOGE("Unsupported protocol: %d", socketProto);
352 return -EPROTONOSUPPORT;
353 }
354
355 uint64_t sock_cookie = getSocketCookie(sockFd);
356 if (!sock_cookie) return -errno;
357
358 UidTagValue newKey = {.uid = (uint32_t)chargeUid, .tag = tag};
359
360 uint32_t totalEntryCount = 0;
361 uint32_t perUidEntryCount = 0;
362 // Now we go through the stats map and count how many entries are associated
363 // with chargeUid. If the uid entry hit the limit for each chargeUid, we block
364 // the request to prevent the map from overflow. Note though that it isn't really
365 // safe here to iterate over the map since it might be modified by the system server,
366 // which might toggle the live stats map and clean it.
367 const auto countUidStatsEntries = [chargeUid, &totalEntryCount, &perUidEntryCount](
368 const StatsKey& key,
369 const BpfMapRO<StatsKey, StatsValue>&) {
370 if (key.uid == chargeUid) {
371 perUidEntryCount++;
372 }
373 totalEntryCount++;
374 return base::Result<void>();
375 };
376 auto configuration = mConfigurationMap.readValue(CURRENT_STATS_MAP_CONFIGURATION_KEY);
377 if (!configuration.ok()) {
378 ALOGE("Failed to get current configuration: %s",
379 strerror(configuration.error().code()));
380 return -configuration.error().code();
381 }
382 if (configuration.value() != SELECT_MAP_A && configuration.value() != SELECT_MAP_B) {
383 ALOGE("unknown configuration value: %d", configuration.value());
384 return -EINVAL;
385 }
386
387 BpfMapRO<StatsKey, StatsValue>& currentMap =
388 (configuration.value() == SELECT_MAP_A) ? mStatsMapA : mStatsMapB;
389 base::Result<void> res = currentMap.iterate(countUidStatsEntries);
390 if (!res.ok()) {
391 ALOGE("Failed to count the stats entry in map: %s",
392 strerror(res.error().code()));
393 return -res.error().code();
394 }
395
396 if (totalEntryCount > mTotalUidStatsEntriesLimit ||
397 perUidEntryCount > mPerUidStatsEntriesLimit) {
398 ALOGE("Too many stats entries in the map, total count: %u, chargeUid(%u) count: %u,"
399 " blocking tag request to prevent map overflow",
400 totalEntryCount, chargeUid, perUidEntryCount);
401 return -EMFILE;
402 }
403 // Update the tag information of a socket to the cookieUidMap. Use BPF_ANY
404 // flag so it will insert a new entry to the map if that value doesn't exist
405 // yet and update the tag if there is already a tag stored. Since the eBPF
406 // program in kernel only read this map, and is protected by rcu read lock. It
407 // should be fine to concurrently update the map while eBPF program is running.
408 res = mCookieTagMap.writeValue(sock_cookie, newKey, BPF_ANY);
409 if (!res.ok()) {
410 ALOGE("Failed to tag the socket: %s", strerror(res.error().code()));
411 return -res.error().code();
412 }
413 ALOGD("Socket with cookie %" PRIu64 " tagged successfully with tag %" PRIu32 " uid %u "
414 "and real uid %u", sock_cookie, tag, chargeUid, realUid);
415 return 0;
416 }
417
untagSocket(int sockFd)418 int BpfHandler::untagSocket(int sockFd) {
419 uint64_t sock_cookie = getSocketCookie(sockFd);
420 if (!sock_cookie) return -errno;
421
422 if (!mCookieTagMap.isValid()) return -EPERM;
423 base::Result<void> res = mCookieTagMap.deleteValue(sock_cookie);
424 if (!res.ok()) {
425 ALOGE("Failed to untag socket: %s", strerror(res.error().code()));
426 return -res.error().code();
427 }
428 ALOGD("Socket with cookie %" PRIu64 " untagged successfully.", sock_cookie);
429 return 0;
430 }
431
432 } // namespace net
433 } // namespace android
434