1 /**
2 * Copyright (c) 2022, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "NetdUpdatable"
18
19 #include "BpfHandler.h"
20
21 #include <linux/bpf.h>
22 #include <inttypes.h>
23
24 #include <android-base/unique_fd.h>
25 #include <android-modules-utils/sdk_level.h>
26 #include <bpf/WaitForProgsLoaded.h>
27 #include <log/log.h>
28 #include <netdutils/UidConstants.h>
29 #include <private/android_filesystem_config.h>
30
31 #include "BpfSyscallWrappers.h"
32
33 namespace android {
34 namespace net {
35
36 using base::unique_fd;
37 using base::WaitForProperty;
38 using bpf::getSocketCookie;
39 using bpf::retrieveProgram;
40 using netdutils::Status;
41 using netdutils::statusFromErrno;
42
43 constexpr int PER_UID_STATS_ENTRIES_LIMIT = 500;
44 // At most 90% of the stats map may be used by tagged traffic entries. This ensures
45 // that 10% of the map is always available to count untagged traffic, one entry per UID.
46 // Otherwise, apps would be able to avoid data usage accounting entirely by filling up the
47 // map with tagged traffic entries.
48 constexpr int TOTAL_UID_STATS_ENTRIES_LIMIT = STATS_MAP_SIZE * 0.9;
49
50 static_assert(STATS_MAP_SIZE - TOTAL_UID_STATS_ENTRIES_LIMIT > 100,
51 "The limit for stats map is to high, stats data may be lost due to overflow");
52
attachProgramToCgroup(const char * programPath,const unique_fd & cgroupFd,bpf_attach_type type)53 static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd,
54 bpf_attach_type type) {
55 unique_fd cgroupProg(retrieveProgram(programPath));
56 if (!cgroupProg.ok()) {
57 return statusFromErrno(errno, fmt::format("Failed to get program from {}", programPath));
58 }
59 if (android::bpf::attachProgram(type, cgroupProg, cgroupFd)) {
60 return statusFromErrno(errno, fmt::format("Program {} attach failed", programPath));
61 }
62 return netdutils::status::ok;
63 }
64
checkProgramAccessible(const char * programPath)65 static Status checkProgramAccessible(const char* programPath) {
66 unique_fd prog(retrieveProgram(programPath));
67 if (!prog.ok()) {
68 return statusFromErrno(errno, fmt::format("Failed to get program from {}", programPath));
69 }
70 return netdutils::status::ok;
71 }
72
initPrograms(const char * cg2_path)73 static Status initPrograms(const char* cg2_path) {
74 if (!cg2_path) return Status("cg2_path is NULL");
75
76 // This code was mainlined in T, so this should be trivially satisfied.
77 if (!modules::sdklevel::IsAtLeastT()) return Status("S- platform is unsupported");
78
79 // S requires eBPF support which was only added in 4.9, so this should be satisfied.
80 if (!bpf::isAtLeastKernelVersion(4, 9, 0)) {
81 return Status("kernel version < 4.9.0 is unsupported");
82 }
83
84 // U bumps the kernel requirement up to 4.14
85 if (modules::sdklevel::IsAtLeastU() && !bpf::isAtLeastKernelVersion(4, 14, 0)) {
86 return Status("U+ platform with kernel version < 4.14.0 is unsupported");
87 }
88
89 // U mandates this mount point (though it should also be the case on T)
90 if (modules::sdklevel::IsAtLeastU() && !!strcmp(cg2_path, "/sys/fs/cgroup")) {
91 return Status("U+ platform with cg2_path != /sys/fs/cgroup is unsupported");
92 }
93
94 unique_fd cg_fd(open(cg2_path, O_DIRECTORY | O_RDONLY | O_CLOEXEC));
95 if (!cg_fd.ok()) {
96 const int err = errno;
97 ALOGE("Failed to open the cgroup directory: %s", strerror(err));
98 return statusFromErrno(err, "Open the cgroup directory failed");
99 }
100 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_ALLOWLIST_PROG_PATH));
101 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_DENYLIST_PROG_PATH));
102 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_EGRESS_PROG_PATH));
103 RETURN_IF_NOT_OK(checkProgramAccessible(XT_BPF_INGRESS_PROG_PATH));
104 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS));
105 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS));
106
107 // For the devices that support cgroup socket filter, the socket filter
108 // should be loaded successfully by bpfloader. So we attach the filter to
109 // cgroup if the program is pinned properly.
110 // TODO: delete the if statement once all devices should support cgroup
111 // socket filter (ie. the minimum kernel version required is 4.14).
112 if (bpf::isAtLeastKernelVersion(4, 14, 0)) {
113 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_INET_CREATE_PROG_PATH,
114 cg_fd, BPF_CGROUP_INET_SOCK_CREATE));
115 }
116
117 if (modules::sdklevel::IsAtLeastV()) {
118 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_CONNECT4_PROG_PATH,
119 cg_fd, BPF_CGROUP_INET4_CONNECT));
120 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_CONNECT6_PROG_PATH,
121 cg_fd, BPF_CGROUP_INET6_CONNECT));
122 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP4_RECVMSG_PROG_PATH,
123 cg_fd, BPF_CGROUP_UDP4_RECVMSG));
124 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP6_RECVMSG_PROG_PATH,
125 cg_fd, BPF_CGROUP_UDP6_RECVMSG));
126 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP4_SENDMSG_PROG_PATH,
127 cg_fd, BPF_CGROUP_UDP4_SENDMSG));
128 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_UDP6_SENDMSG_PROG_PATH,
129 cg_fd, BPF_CGROUP_UDP6_SENDMSG));
130
131 if (bpf::isAtLeastKernelVersion(5, 4, 0)) {
132 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_GETSOCKOPT_PROG_PATH,
133 cg_fd, BPF_CGROUP_GETSOCKOPT));
134 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_SETSOCKOPT_PROG_PATH,
135 cg_fd, BPF_CGROUP_SETSOCKOPT));
136 }
137
138 if (bpf::isAtLeastKernelVersion(5, 10, 0)) {
139 RETURN_IF_NOT_OK(attachProgramToCgroup(CGROUP_INET_RELEASE_PROG_PATH,
140 cg_fd, BPF_CGROUP_INET_SOCK_RELEASE));
141 }
142 }
143
144 if (bpf::isAtLeastKernelVersion(4, 19, 0)) {
145 RETURN_IF_NOT_OK(attachProgramToCgroup(
146 "/sys/fs/bpf/netd_readonly/prog_block_bind4_block_port",
147 cg_fd, BPF_CGROUP_INET4_BIND));
148 RETURN_IF_NOT_OK(attachProgramToCgroup(
149 "/sys/fs/bpf/netd_readonly/prog_block_bind6_block_port",
150 cg_fd, BPF_CGROUP_INET6_BIND));
151
152 // This should trivially pass, since we just attached up above,
153 // but BPF_PROG_QUERY is only implemented on 4.19+ kernels.
154 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_EGRESS) <= 0) abort();
155 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_INGRESS) <= 0) abort();
156 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_SOCK_CREATE) <= 0) abort();
157 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET4_BIND) <= 0) abort();
158 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET6_BIND) <= 0) abort();
159 }
160
161 if (modules::sdklevel::IsAtLeastV()) {
162 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET4_CONNECT) <= 0) abort();
163 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET6_CONNECT) <= 0) abort();
164 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP4_RECVMSG) <= 0) abort();
165 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP6_RECVMSG) <= 0) abort();
166 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP4_SENDMSG) <= 0) abort();
167 if (bpf::queryProgram(cg_fd, BPF_CGROUP_UDP6_SENDMSG) <= 0) abort();
168
169 if (bpf::isAtLeastKernelVersion(5, 4, 0)) {
170 if (bpf::queryProgram(cg_fd, BPF_CGROUP_GETSOCKOPT) <= 0) abort();
171 if (bpf::queryProgram(cg_fd, BPF_CGROUP_SETSOCKOPT) <= 0) abort();
172 }
173
174 if (bpf::isAtLeastKernelVersion(5, 10, 0)) {
175 if (bpf::queryProgram(cg_fd, BPF_CGROUP_INET_SOCK_RELEASE) <= 0) abort();
176 }
177 }
178
179 return netdutils::status::ok;
180 }
181
BpfHandler()182 BpfHandler::BpfHandler()
183 : mPerUidStatsEntriesLimit(PER_UID_STATS_ENTRIES_LIMIT),
184 mTotalUidStatsEntriesLimit(TOTAL_UID_STATS_ENTRIES_LIMIT) {}
185
BpfHandler(uint32_t perUidLimit,uint32_t totalLimit)186 BpfHandler::BpfHandler(uint32_t perUidLimit, uint32_t totalLimit)
187 : mPerUidStatsEntriesLimit(perUidLimit), mTotalUidStatsEntriesLimit(totalLimit) {}
188
mainlineNetBpfLoadDone()189 static bool mainlineNetBpfLoadDone() {
190 return !access("/sys/fs/bpf/netd_shared/mainline_done", F_OK);
191 }
192
193 // copied with minor changes from waitForProgsLoaded()
194 // p/m/C's staticlibs/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
waitForNetProgsLoaded()195 static inline void waitForNetProgsLoaded() {
196 // infinite loop until success with 5/10/20/40/60/60/60... delay
197 for (int delay = 5;; delay *= 2) {
198 if (delay > 60) delay = 60;
199 if (WaitForProperty("init.svc.mdnsd_netbpfload", "stopped", std::chrono::seconds(delay))
200 && mainlineNetBpfLoadDone())
201 return;
202 ALOGW("Waited %ds for init.svc.mdnsd_netbpfload=stopped, still waiting...", delay);
203 }
204 }
205
init(const char * cg2_path)206 Status BpfHandler::init(const char* cg2_path) {
207 // Note: netd *can* be restarted, so this might get called a second time after boot is complete
208 // at which point we don't need to (and shouldn't) wait for (more importantly start) loading bpf
209
210 if (base::GetProperty("bpf.progs_loaded", "") != "1") {
211 // AOSP platform netd & mainline don't need this (at least prior to U QPR3),
212 // but there could be platform provided (xt_)bpf programs that oem/vendor
213 // modified netd (which calls us during init) depends on...
214 ALOGI("Waiting for platform BPF programs");
215 android::bpf::waitForProgsLoaded();
216 }
217
218 if (!mainlineNetBpfLoadDone()) {
219 const bool enforce_mainline = false; // TODO: flip to true
220
221 // We're on < U QPR3 & it's the first time netd is starting up (unless crashlooping)
222 //
223 // On U QPR3+ netbpfload is guaranteed to run before the platform bpfloader,
224 // so waitForProgsLoaded() implies mainlineNetBpfLoadDone().
225 if (!base::SetProperty("ctl.start", "mdnsd_netbpfload")) {
226 ALOGE("Failed to set property ctl.start=mdnsd_netbpfload, see dmesg for reason.");
227 if (enforce_mainline) abort();
228 }
229
230 if (enforce_mainline) {
231 ALOGI("Waiting for Networking BPF programs");
232 waitForNetProgsLoaded();
233 ALOGI("Networking BPF programs are loaded");
234 } else {
235 ALOGI("Started mdnsd_netbpfload asynchronously.");
236 }
237 }
238
239 ALOGI("BPF programs are loaded");
240
241 RETURN_IF_NOT_OK(initPrograms(cg2_path));
242 RETURN_IF_NOT_OK(initMaps());
243
244 return netdutils::status::ok;
245 }
246
mapLockTest(void)247 static void mapLockTest(void) {
248 // The maps must be R/W, and as yet unopened (or more specifically not yet lock'ed).
249 const char * const m1 = BPF_NETD_PATH "map_netd_lock_array_test_map";
250 const char * const m2 = BPF_NETD_PATH "map_netd_lock_hash_test_map";
251
252 unique_fd fd0(bpf::mapRetrieveExclusiveRW(m1)); if (!fd0.ok()) abort(); // grabs exclusive lock
253
254 unique_fd fd1(bpf::mapRetrieveExclusiveRW(m2)); if (!fd1.ok()) abort(); // no conflict with fd0
255 unique_fd fd2(bpf::mapRetrieveExclusiveRW(m2)); if ( fd2.ok()) abort(); // busy due to fd1
256 unique_fd fd3(bpf::mapRetrieveRO(m2)); if (!fd3.ok()) abort(); // no lock taken
257 unique_fd fd4(bpf::mapRetrieveRW(m2)); if ( fd4.ok()) abort(); // busy due to fd1
258 fd1.reset(); // releases exclusive lock
259 unique_fd fd5(bpf::mapRetrieveRO(m2)); if (!fd5.ok()) abort(); // no lock taken
260 unique_fd fd6(bpf::mapRetrieveRW(m2)); if (!fd6.ok()) abort(); // now ok
261 unique_fd fd7(bpf::mapRetrieveRO(m2)); if (!fd7.ok()) abort(); // no lock taken
262 unique_fd fd8(bpf::mapRetrieveExclusiveRW(m2)); if ( fd8.ok()) abort(); // busy due to fd6
263
264 fd0.reset(); // releases exclusive lock
265 unique_fd fd9(bpf::mapRetrieveWO(m1)); if (!fd9.ok()) abort(); // grabs exclusive lock
266 }
267
initMaps()268 Status BpfHandler::initMaps() {
269 // bpfLock() requires bpfGetFdMapId which is only available on 4.14+ kernels.
270 if (bpf::isAtLeastKernelVersion(4, 14, 0)) {
271 mapLockTest();
272 }
273
274 RETURN_IF_NOT_OK(mStatsMapA.init(STATS_MAP_A_PATH));
275 RETURN_IF_NOT_OK(mStatsMapB.init(STATS_MAP_B_PATH));
276 RETURN_IF_NOT_OK(mConfigurationMap.init(CONFIGURATION_MAP_PATH));
277 RETURN_IF_NOT_OK(mUidPermissionMap.init(UID_PERMISSION_MAP_PATH));
278 // initialized last so mCookieTagMap.isValid() implies everything else is valid too
279 RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH));
280 ALOGI("%s successfully", __func__);
281
282 return netdutils::status::ok;
283 }
284
hasUpdateDeviceStatsPermission(uid_t uid)285 bool BpfHandler::hasUpdateDeviceStatsPermission(uid_t uid) {
286 // This implementation is the same logic as method ActivityManager#checkComponentPermission.
287 // It implies that the real uid can never be the same as PER_USER_RANGE.
288 uint32_t appId = uid % PER_USER_RANGE;
289 auto permission = mUidPermissionMap.readValue(appId);
290 if (permission.ok() && (permission.value() & BPF_PERMISSION_UPDATE_DEVICE_STATS)) {
291 return true;
292 }
293 return ((appId == AID_ROOT) || (appId == AID_SYSTEM) || (appId == AID_DNS));
294 }
295
tagSocket(int sockFd,uint32_t tag,uid_t chargeUid,uid_t realUid)296 int BpfHandler::tagSocket(int sockFd, uint32_t tag, uid_t chargeUid, uid_t realUid) {
297 if (!mCookieTagMap.isValid()) return -EPERM;
298
299 if (chargeUid != realUid && !hasUpdateDeviceStatsPermission(realUid)) return -EPERM;
300
301 // Note that tagging the socket to AID_CLAT is only implemented in JNI ClatCoordinator.
302 // The process is not allowed to tag socket to AID_CLAT via tagSocket() which would cause
303 // process data usage accounting to be bypassed. Tagging AID_CLAT is used for avoiding counting
304 // CLAT traffic data usage twice. See packages/modules/Connectivity/service/jni/
305 // com_android_server_connectivity_ClatCoordinator.cpp
306 if (chargeUid == AID_CLAT) return -EPERM;
307
308 // The socket destroy listener only monitors on the group {INET_TCP, INET_UDP, INET6_TCP,
309 // INET6_UDP}. Tagging listener unsupported socket causes that the tag can't be removed from
310 // tag map automatically. Eventually, the tag map may run out of space because of dead tag
311 // entries. Note that although tagSocket() of net client has already denied the family which
312 // is neither AF_INET nor AF_INET6, the family validation is still added here just in case.
313 // See tagSocket in system/netd/client/NetdClient.cpp and
314 // TrafficController::makeSkDestroyListener in
315 // packages/modules/Connectivity/service/native/TrafficController.cpp
316 // TODO: remove this once the socket destroy listener can detect more types of socket destroy.
317 int socketFamily;
318 socklen_t familyLen = sizeof(socketFamily);
319 if (getsockopt(sockFd, SOL_SOCKET, SO_DOMAIN, &socketFamily, &familyLen)) {
320 ALOGE("Failed to getsockopt SO_DOMAIN: %s, fd: %d", strerror(errno), sockFd);
321 return -errno;
322 }
323 if (socketFamily != AF_INET && socketFamily != AF_INET6) {
324 ALOGE("Unsupported family: %d", socketFamily);
325 return -EAFNOSUPPORT;
326 }
327
328 int socketProto;
329 socklen_t protoLen = sizeof(socketProto);
330 if (getsockopt(sockFd, SOL_SOCKET, SO_PROTOCOL, &socketProto, &protoLen)) {
331 ALOGE("Failed to getsockopt SO_PROTOCOL: %s, fd: %d", strerror(errno), sockFd);
332 return -errno;
333 }
334 if (socketProto != IPPROTO_UDP && socketProto != IPPROTO_TCP) {
335 ALOGE("Unsupported protocol: %d", socketProto);
336 return -EPROTONOSUPPORT;
337 }
338
339 uint64_t sock_cookie = getSocketCookie(sockFd);
340 if (!sock_cookie) return -errno;
341
342 UidTagValue newKey = {.uid = (uint32_t)chargeUid, .tag = tag};
343
344 uint32_t totalEntryCount = 0;
345 uint32_t perUidEntryCount = 0;
346 // Now we go through the stats map and count how many entries are associated
347 // with chargeUid. If the uid entry hit the limit for each chargeUid, we block
348 // the request to prevent the map from overflow. Note though that it isn't really
349 // safe here to iterate over the map since it might be modified by the system server,
350 // which might toggle the live stats map and clean it.
351 const auto countUidStatsEntries = [chargeUid, &totalEntryCount, &perUidEntryCount](
352 const StatsKey& key,
353 const BpfMapRO<StatsKey, StatsValue>&) {
354 if (key.uid == chargeUid) {
355 perUidEntryCount++;
356 }
357 totalEntryCount++;
358 return base::Result<void>();
359 };
360 auto configuration = mConfigurationMap.readValue(CURRENT_STATS_MAP_CONFIGURATION_KEY);
361 if (!configuration.ok()) {
362 ALOGE("Failed to get current configuration: %s",
363 strerror(configuration.error().code()));
364 return -configuration.error().code();
365 }
366 if (configuration.value() != SELECT_MAP_A && configuration.value() != SELECT_MAP_B) {
367 ALOGE("unknown configuration value: %d", configuration.value());
368 return -EINVAL;
369 }
370
371 BpfMapRO<StatsKey, StatsValue>& currentMap =
372 (configuration.value() == SELECT_MAP_A) ? mStatsMapA : mStatsMapB;
373 base::Result<void> res = currentMap.iterate(countUidStatsEntries);
374 if (!res.ok()) {
375 ALOGE("Failed to count the stats entry in map: %s",
376 strerror(res.error().code()));
377 return -res.error().code();
378 }
379
380 if (totalEntryCount > mTotalUidStatsEntriesLimit ||
381 perUidEntryCount > mPerUidStatsEntriesLimit) {
382 ALOGE("Too many stats entries in the map, total count: %u, chargeUid(%u) count: %u,"
383 " blocking tag request to prevent map overflow",
384 totalEntryCount, chargeUid, perUidEntryCount);
385 return -EMFILE;
386 }
387 // Update the tag information of a socket to the cookieUidMap. Use BPF_ANY
388 // flag so it will insert a new entry to the map if that value doesn't exist
389 // yet and update the tag if there is already a tag stored. Since the eBPF
390 // program in kernel only read this map, and is protected by rcu read lock. It
391 // should be fine to concurrently update the map while eBPF program is running.
392 res = mCookieTagMap.writeValue(sock_cookie, newKey, BPF_ANY);
393 if (!res.ok()) {
394 ALOGE("Failed to tag the socket: %s", strerror(res.error().code()));
395 return -res.error().code();
396 }
397 ALOGD("Socket with cookie %" PRIu64 " tagged successfully with tag %" PRIu32 " uid %u "
398 "and real uid %u", sock_cookie, tag, chargeUid, realUid);
399 return 0;
400 }
401
untagSocket(int sockFd)402 int BpfHandler::untagSocket(int sockFd) {
403 uint64_t sock_cookie = getSocketCookie(sockFd);
404 if (!sock_cookie) return -errno;
405
406 if (!mCookieTagMap.isValid()) return -EPERM;
407 base::Result<void> res = mCookieTagMap.deleteValue(sock_cookie);
408 if (!res.ok()) {
409 ALOGE("Failed to untag socket: %s", strerror(res.error().code()));
410 return -res.error().code();
411 }
412 ALOGD("Socket with cookie %" PRIu64 " untagged successfully.", sock_cookie);
413 return 0;
414 }
415
416 } // namespace net
417 } // namespace android
418