1 /**
2  * Copyright (c) 2022, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <netdutils/Status.h>
20 #include "bpf/BpfMap.h"
21 #include "netd.h"
22 
23 using android::bpf::BpfMap;
24 using android::bpf::BpfMapRO;
25 
26 namespace android {
27 namespace net {
28 
29 class BpfHandler {
30   public:
31     BpfHandler();
32     BpfHandler(const BpfHandler&) = delete;
33     BpfHandler& operator=(const BpfHandler&) = delete;
34     netdutils::Status init(const char* cg2_path);
35     /*
36      * Tag the socket with the specified tag and uid. In the qtaguid module, the
37      * first tag request that grab the spinlock of rb_tree can update the tag
38      * information first and other request need to wait until it finish. All the
39      * tag request will be addressed in the order of they obtaining the spinlock.
40      * In the eBPF implementation, the kernel will try to update the eBPF map
41      * entry with the tag request. And the hashmap update process is protected by
42      * the spinlock initialized with the map. So the behavior of two modules
43      * should be the same. No additional lock needed.
44      */
45     int tagSocket(int sockFd, uint32_t tag, uid_t chargeUid, uid_t realUid);
46 
47     /*
48      * The untag process is similar to tag socket and both old qtaguid module and
49      * new eBPF module have spinlock inside the kernel for concurrent update. No
50      * external lock is required.
51      */
52     int untagSocket(int sockFd);
53 
54   private:
55     // For testing
56     BpfHandler(uint32_t perUidLimit, uint32_t totalLimit);
57 
58     netdutils::Status initMaps();
59     bool hasUpdateDeviceStatsPermission(uid_t uid);
60 
61     BpfMap<uint64_t, UidTagValue> mCookieTagMap;
62     BpfMapRO<StatsKey, StatsValue> mStatsMapA;
63     BpfMapRO<StatsKey, StatsValue> mStatsMapB;
64     BpfMapRO<uint32_t, uint32_t> mConfigurationMap;
65     BpfMapRO<uint32_t, uint8_t> mUidPermissionMap;
66 
67     // The limit on the number of stats entries a uid can have in the per uid stats map. BpfHandler
68     // will block that specific uid from tagging new sockets after the limit is reached.
69     const uint32_t mPerUidStatsEntriesLimit;
70 
71     // The limit on the total number of stats entries in the per uid stats map. BpfHandler will
72     // block all tagging requests after the limit is reached.
73     const uint32_t mTotalUidStatsEntriesLimit;
74 
75     // For testing
76     friend class BpfHandlerTest;
77 };
78 
79 }  // namespace net
80 }  // namespace android