1 /*
2  * Copyright (C) 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 /* This file is separate because it's included both by eBPF programs (via include
20  * in bpf_helpers.h) and directly by the boot time bpfloader (Loader.cpp).
21  */
22 
23 #include <linux/bpf.h>
24 
25 // Pull in AID_* constants from //system/core/libcutils/include/private/android_filesystem_config.h
26 #include <cutils/android_filesystem_config.h>
27 
28 /******************************************************************************
29  *                                                                            *
30  *                          ! ! ! W A R N I N G ! ! !                         *
31  *                                                                            *
32  * CHANGES TO THESE STRUCTURE DEFINITIONS OUTSIDE OF AOSP/MASTER *WILL* BREAK *
33  * MAINLINE MODULE COMPATIBILITY                                              *
34  *                                                                            *
35  * AND THUS MAY RESULT IN YOUR DEVICE BRICKING AT SOME ARBITRARY POINT IN     *
36  * THE FUTURE                                                                 *
37  *                                                                            *
38  * (and even in aosp/master you may only append new fields at the very end,   *
39  *  you may *never* delete fields, change their types, ordering, insert in    *
40  *  the middle, etc.  If a mainline module using the old definition has       *
41  *  already shipped (which happens roughly monthly), then it's set in stone)  *
42  *                                                                            *
43  ******************************************************************************/
44 
45 // These are the values used if these fields are missing
46 #define DEFAULT_BPFLOADER_MIN_VER 0u        // v0.0 (this is inclusive ie. >= v0.0)
47 #define DEFAULT_BPFLOADER_MAX_VER 0x10000u  // v1.0 (this is exclusive ie. < v1.0)
48 #define DEFAULT_SIZEOF_BPF_MAP_DEF 32       // v0.0 struct: enum (uint sized) + 7 uint
49 #define DEFAULT_SIZEOF_BPF_PROG_DEF 20      // v0.0 struct: 4 uint + bool + 3 byte alignment pad
50 
51 /*
52  * The bpf_{map,prog}_def structures are compiled for different architectures.
53  * Once by the BPF compiler for the BPF architecture, and once by a C++
54  * compiler for the native Android architecture for the bpfloader.
55  *
56  * For things to work, their layout must be the same between the two.
57  * The BPF architecture is platform independent ('64-bit LSB bpf').
58  * So this effectively means these structures must be the same layout
59  * on 5 architectures, all of them little endian:
60  *   64-bit BPF, x86_64, arm  and  32-bit x86 and arm
61  *
62  * As such for any types we use inside of these structs we must make sure that
63  * the size and alignment are the same, so the same amount of padding is used.
64  *
65  * Currently we only use: bool, enum bpf_map_type and unsigned int.
66  * Additionally we use char for padding.
67  *
68  * !!! WARNING: HERE BE DRAGONS !!!
69  *
70  * Be particularly careful with 64-bit integers.
71  * You will need to manually override their alignment to 8 bytes.
72  *
73  * To quote some parts of https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69560
74  *
75  * Some types have weaker alignment requirements when they are structure members.
76  *
77  * unsigned long long on x86 is such a type.
78  *
79  * C distinguishes C11 _Alignof (the minimum alignment the type is guaranteed
80  * to have in all contexts, so 4, see min_align_of_type) from GNU C __alignof
81  * (the normal alignment of the type, so 8).
82  *
83  * alignof / _Alignof == minimum alignment required by target ABI
84  * __alignof / __alignof__ == preferred alignment
85  *
86  * When in a struct, apparently the minimum alignment is used.
87  */
88 
89 _Static_assert(sizeof(bool) == 1, "sizeof bool != 1");
90 _Static_assert(__alignof__(bool) == 1, "__alignof__ bool != 1");
91 _Static_assert(_Alignof(bool) == 1, "_Alignof bool != 1");
92 
93 _Static_assert(sizeof(char) == 1, "sizeof char != 1");
94 _Static_assert(__alignof__(char) == 1, "__alignof__ char != 1");
95 _Static_assert(_Alignof(char) == 1, "_Alignof char != 1");
96 
97 // This basically verifies that an enum is 'just' a 32-bit int
98 _Static_assert(sizeof(enum bpf_map_type) == 4, "sizeof enum bpf_map_type != 4");
99 _Static_assert(__alignof__(enum bpf_map_type) == 4, "__alignof__ enum bpf_map_type != 4");
100 _Static_assert(_Alignof(enum bpf_map_type) == 4, "_Alignof enum bpf_map_type != 4");
101 
102 // Linux kernel requires sizeof(int) == 4, sizeof(void*) == sizeof(long), sizeof(long long) == 8
103 _Static_assert(sizeof(unsigned int) == 4, "sizeof unsigned int != 4");
104 _Static_assert(__alignof__(unsigned int) == 4, "__alignof__ unsigned int != 4");
105 _Static_assert(_Alignof(unsigned int) == 4, "_Alignof unsigned int != 4");
106 
107 // We don't currently use any 64-bit types in these structs, so this is purely to document issue.
108 // Here sizeof & __alignof__ are consistent, but _Alignof is not: compile for 'aosp_cf_x86_phone'
109 _Static_assert(sizeof(unsigned long long) == 8, "sizeof unsigned long long != 8");
110 _Static_assert(__alignof__(unsigned long long) == 8, "__alignof__ unsigned long long != 8");
111 // BPF wants 8, but 32-bit x86 wants 4
112 //_Static_assert(_Alignof(unsigned long long) == 8, "_Alignof unsigned long long != 8");
113 
114 
115 // for maps:
116 struct shared_bool { bool shared; };
117 #define PRIVATE ((struct shared_bool){ .shared = false })
118 #define SHARED ((struct shared_bool){ .shared = true })
119 
120 // for programs:
121 struct optional_bool { bool optional; };
122 #define MANDATORY ((struct optional_bool){ .optional = false })
123 #define OPTIONAL ((struct optional_bool){ .optional = true })
124 
125 // for both maps and programs:
126 struct ignore_on_eng_bool { bool ignore_on_eng; };
127 #define LOAD_ON_ENG ((struct ignore_on_eng_bool){ .ignore_on_eng = false })
128 #define IGNORE_ON_ENG ((struct ignore_on_eng_bool){ .ignore_on_eng = true })
129 
130 struct ignore_on_user_bool { bool ignore_on_user; };
131 #define LOAD_ON_USER ((struct ignore_on_user_bool){ .ignore_on_user = false })
132 #define IGNORE_ON_USER ((struct ignore_on_user_bool){ .ignore_on_user = true })
133 
134 struct ignore_on_userdebug_bool { bool ignore_on_userdebug; };
135 #define LOAD_ON_USERDEBUG ((struct ignore_on_userdebug_bool){ .ignore_on_userdebug = false })
136 #define IGNORE_ON_USERDEBUG ((struct ignore_on_userdebug_bool){ .ignore_on_userdebug = true })
137 
138 
139 // Length of strings (incl. selinux_context and pin_subdir)
140 // in the bpf_map_def and bpf_prog_def structs.
141 //
142 // WARNING: YOU CANNOT *EVER* CHANGE THESE
143 // as this would affect the structure size in backwards incompatible ways
144 // and break mainline module loading on older Android T devices
145 #define BPF_SELINUX_CONTEXT_CHAR_ARRAY_SIZE 32
146 #define BPF_PIN_SUBDIR_CHAR_ARRAY_SIZE 32
147 
148 /*
149  * Map structure to be used by Android eBPF C programs. The Android eBPF loader
150  * uses this structure from eBPF object to create maps at boot time.
151  *
152  * The eBPF C program should define structure in the maps section using
153  * SECTION("maps") otherwise it will be ignored by the eBPF loader.
154  *
155  * For example:
156  *   const struct bpf_map_def SECTION("maps") mymap { .type=... , .key_size=... }
157  *
158  * See 'bpf_helpers.h' for helpful macros for eBPF program use.
159  */
160 struct bpf_map_def {
161     enum bpf_map_type type;
162     unsigned int key_size;
163     unsigned int value_size;
164     unsigned int max_entries;
165     unsigned int map_flags;
166 
167     // The following are not supported by the Android bpfloader:
168     //   unsigned int inner_map_idx;
169     //   unsigned int numa_node;
170 
171     unsigned int zero;  // uid_t, for compat with old (buggy) bpfloader must be AID_ROOT == 0
172     unsigned int gid;   // gid_t
173     unsigned int mode;  // mode_t
174 
175     // The following fields were added in version 0.1
176     unsigned int bpfloader_min_ver;  // if missing, defaults to 0, ie. v0.0
177     unsigned int bpfloader_max_ver;  // if missing, defaults to 0x10000, ie. v1.0
178 
179     // The following fields were added in version 0.2 (S)
180     // kernelVersion() must be >= min_kver and < max_kver
181     unsigned int min_kver;
182     unsigned int max_kver;
183 
184     // The following fields were added in version 0.18 (T)
185     //
186     // These are fixed length strings, padded with null bytes
187     //
188     // Warning: supported values depend on .o location
189     // (additionally a newer Android OS and/or bpfloader may support more values)
190     //
191     // overrides default selinux context (which is based on pin subdir)
192     char selinux_context[BPF_SELINUX_CONTEXT_CHAR_ARRAY_SIZE];
193     //
194     // overrides default prefix (which is based on .o location)
195     char pin_subdir[BPF_PIN_SUBDIR_CHAR_ARRAY_SIZE];
196 
197     bool shared;  // use empty string as 'file' component of pin path - allows cross .o map sharing
198 
199     // The following 3 ignore_on_* fields were added in version 0.32 (U). These are ignored in
200     // older bpfloader versions, and zero in programs compiled before 0.32.
201     bool ignore_on_eng:1;
202     bool ignore_on_user:1;
203     bool ignore_on_userdebug:1;
204     // The following 5 ignore_on_* fields were added in version 0.38 (U). These are ignored in
205     // older bpfloader versions, and zero in programs compiled before 0.38.
206     // These are tests on the kernel architecture, ie. they ignore userspace bit-ness.
207     bool ignore_on_arm32:1;
208     bool ignore_on_aarch64:1;
209     bool ignore_on_x86_32:1;
210     bool ignore_on_x86_64:1;
211     bool ignore_on_riscv64:1;
212 
213     char pad0[2];  // manually pad up to 4 byte alignment, may be used for extensions in the future
214 
215     unsigned int uid;   // uid_t
216 };
217 
218 _Static_assert(sizeof(((struct bpf_map_def *)0)->selinux_context) == 32, "must be 32 bytes");
219 _Static_assert(sizeof(((struct bpf_map_def *)0)->pin_subdir) == 32, "must be 32 bytes");
220 
221 // This needs to be updated whenever the above structure definition is expanded.
222 _Static_assert(sizeof(struct bpf_map_def) == 120, "sizeof struct bpf_map_def != 120");
223 _Static_assert(__alignof__(struct bpf_map_def) == 4, "__alignof__ struct bpf_map_def != 4");
224 _Static_assert(_Alignof(struct bpf_map_def) == 4, "_Alignof struct bpf_map_def != 4");
225 
226 struct bpf_prog_def {
227     unsigned int uid;
228     unsigned int gid;
229 
230     // kernelVersion() must be >= min_kver and < max_kver
231     unsigned int min_kver;
232     unsigned int max_kver;
233 
234     bool optional;  // program section (ie. function) may fail to load, continue onto next func.
235 
236     // The following 3 ignore_on_* fields were added in version 0.33 (U). These are ignored in
237     // older bpfloader versions, and zero in programs compiled before 0.33.
238     bool ignore_on_eng:1;
239     bool ignore_on_user:1;
240     bool ignore_on_userdebug:1;
241     // The following 5 ignore_on_* fields were added in version 0.38 (U). These are ignored in
242     // older bpfloader versions, and zero in programs compiled before 0.38.
243     // These are tests on the kernel architecture, ie. they ignore userspace bit-ness.
244     bool ignore_on_arm32:1;
245     bool ignore_on_aarch64:1;
246     bool ignore_on_x86_32:1;
247     bool ignore_on_x86_64:1;
248     bool ignore_on_riscv64:1;
249 
250     char pad0[2];  // manually pad up to 4 byte alignment, may be used for extensions in the future
251 
252     // The following fields were added in version 0.1
253     unsigned int bpfloader_min_ver;  // if missing, defaults to 0, ie. v0.0
254     unsigned int bpfloader_max_ver;  // if missing, defaults to 0x10000, ie. v1.0
255 
256     // The following fields were added in version 0.18, see description up above in bpf_map_def
257     char selinux_context[BPF_SELINUX_CONTEXT_CHAR_ARRAY_SIZE];
258     char pin_subdir[BPF_PIN_SUBDIR_CHAR_ARRAY_SIZE];
259 };
260 
261 _Static_assert(sizeof(((struct bpf_prog_def *)0)->selinux_context) == 32, "must be 32 bytes");
262 _Static_assert(sizeof(((struct bpf_prog_def *)0)->pin_subdir) == 32, "must be 32 bytes");
263 
264 // This needs to be updated whenever the above structure definition is expanded.
265 _Static_assert(sizeof(struct bpf_prog_def) == 92, "sizeof struct bpf_prog_def != 92");
266 _Static_assert(__alignof__(struct bpf_prog_def) == 4, "__alignof__ struct bpf_prog_def != 4");
267 _Static_assert(_Alignof(struct bpf_prog_def) == 4, "_Alignof struct bpf_prog_def != 4");
268