Add bpf map and lock for UidOwnerMap
This commit is a preparation for replacing JNI codes that modify
UidOwnerMap by Java.
Bug: 217624062
Test: atest BpfNetMapsTest HostsideRestrictBackgroundNetworkTests
android.net.cts.ConnectivityManagerTest#testFirewallBlocking
Change-Id: Ie595cf1f77a3ed86addbcdaea1a1be972e0265b3
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index 5650e31..3a5fc06 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -35,6 +35,7 @@
import android.util.Log;
import android.util.SparseLongArray;
+import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.modules.utils.build.SdkLevel;
import com.android.net.module.util.BpfMap;
@@ -68,8 +69,12 @@
private static final String CONFIGURATION_MAP_PATH =
"/sys/fs/bpf/netd_shared/map_netd_configuration_map";
+ private static final String UID_OWNER_MAP_PATH =
+ "/sys/fs/bpf/netd_shared/map_netd_uid_owner_map";
private static final U32 UID_RULES_CONFIGURATION_KEY = new U32(0);
private static BpfMap<U32, U32> sConfigurationMap = null;
+ // BpfMap for UID_OWNER_MAP_PATH. This map is not accessed by others.
+ private static BpfMap<U32, UidOwnerValue> sUidOwnerMap = null;
// LINT.IfChange(match_type)
private static final long NO_MATCH = 0;
@@ -111,6 +116,14 @@
sConfigurationMap = configurationMap;
}
+ /**
+ * Set uidOwnerMap for test.
+ */
+ @VisibleForTesting
+ public static void setUidOwnerMapForTest(BpfMap<U32, UidOwnerValue> uidOwnerMap) {
+ sUidOwnerMap = uidOwnerMap;
+ }
+
private static BpfMap<U32, U32> getConfigurationMap() {
try {
return new BpfMap<>(
@@ -120,10 +133,22 @@
}
}
+ private static BpfMap<U32, UidOwnerValue> getUidOwnerMap() {
+ try {
+ return new BpfMap<>(
+ UID_OWNER_MAP_PATH, BpfMap.BPF_F_RDWR, U32.class, UidOwnerValue.class);
+ } catch (ErrnoException e) {
+ throw new IllegalStateException("Cannot open uid owner map", e);
+ }
+ }
+
private static void setBpfMaps() {
if (sConfigurationMap == null) {
sConfigurationMap = getConfigurationMap();
}
+ if (sUidOwnerMap == null) {
+ sUidOwnerMap = getUidOwnerMap();
+ }
}
/**
@@ -183,8 +208,10 @@
* cause of the failure.
*/
public void addNaughtyApp(final int uid) {
- final int err = native_addNaughtyApp(uid);
- maybeThrow(err, "Unable to add naughty app");
+ synchronized (sUidOwnerMap) {
+ final int err = native_addNaughtyApp(uid);
+ maybeThrow(err, "Unable to add naughty app");
+ }
}
/**
@@ -195,8 +222,10 @@
* cause of the failure.
*/
public void removeNaughtyApp(final int uid) {
- final int err = native_removeNaughtyApp(uid);
- maybeThrow(err, "Unable to remove naughty app");
+ synchronized (sUidOwnerMap) {
+ final int err = native_removeNaughtyApp(uid);
+ maybeThrow(err, "Unable to remove naughty app");
+ }
}
/**
@@ -207,8 +236,10 @@
* cause of the failure.
*/
public void addNiceApp(final int uid) {
- final int err = native_addNiceApp(uid);
- maybeThrow(err, "Unable to add nice app");
+ synchronized (sUidOwnerMap) {
+ final int err = native_addNiceApp(uid);
+ maybeThrow(err, "Unable to add nice app");
+ }
}
/**
@@ -219,8 +250,10 @@
* cause of the failure.
*/
public void removeNiceApp(final int uid) {
- final int err = native_removeNiceApp(uid);
- maybeThrow(err, "Unable to remove nice app");
+ synchronized (sUidOwnerMap) {
+ final int err = native_removeNiceApp(uid);
+ maybeThrow(err, "Unable to remove nice app");
+ }
}
/**
@@ -285,11 +318,13 @@
*/
public int replaceUidChain(final String chainName, final boolean isAllowlist,
final int[] uids) {
- final int err = native_replaceUidChain(chainName, isAllowlist, uids);
- if (err != 0) {
- Log.e(TAG, "replaceUidChain failed: " + Os.strerror(-err));
+ synchronized (sUidOwnerMap) {
+ final int err = native_replaceUidChain(chainName, isAllowlist, uids);
+ if (err != 0) {
+ Log.e(TAG, "replaceUidChain failed: " + Os.strerror(-err));
+ }
+ return -err;
}
- return -err;
}
/**
@@ -302,8 +337,10 @@
* cause of the failure.
*/
public void setUidRule(final int childChain, final int uid, final int firewallRule) {
- final int err = native_setUidRule(childChain, uid, firewallRule);
- maybeThrow(err, "Unable to set uid rule");
+ synchronized (sUidOwnerMap) {
+ final int err = native_setUidRule(childChain, uid, firewallRule);
+ maybeThrow(err, "Unable to set uid rule");
+ }
}
/**
@@ -328,8 +365,10 @@
mNetd.firewallAddUidInterfaceRules(ifName, uids);
return;
}
- final int err = native_addUidInterfaceRules(ifName, uids);
- maybeThrow(err, "Unable to add uid interface rules");
+ synchronized (sUidOwnerMap) {
+ final int err = native_addUidInterfaceRules(ifName, uids);
+ maybeThrow(err, "Unable to add uid interface rules");
+ }
}
/**
@@ -348,8 +387,10 @@
mNetd.firewallRemoveUidInterfaceRules(uids);
return;
}
- final int err = native_removeUidInterfaceRules(uids);
- maybeThrow(err, "Unable to remove uid interface rules");
+ synchronized (sUidOwnerMap) {
+ final int err = native_removeUidInterfaceRules(uids);
+ maybeThrow(err, "Unable to remove uid interface rules");
+ }
}
/**
@@ -361,8 +402,10 @@
* cause of the failure.
*/
public void updateUidLockdownRule(final int uid, final boolean add) {
- final int err = native_updateUidLockdownRule(uid, add);
- maybeThrow(err, "Unable to update lockdown rule");
+ synchronized (sUidOwnerMap) {
+ final int err = native_updateUidLockdownRule(uid, add);
+ maybeThrow(err, "Unable to update lockdown rule");
+ }
}
/**
@@ -412,14 +455,23 @@
}
private static native void native_init();
+ @GuardedBy("sUidOwnerMap")
private native int native_addNaughtyApp(int uid);
+ @GuardedBy("sUidOwnerMap")
private native int native_removeNaughtyApp(int uid);
+ @GuardedBy("sUidOwnerMap")
private native int native_addNiceApp(int uid);
+ @GuardedBy("sUidOwnerMap")
private native int native_removeNiceApp(int uid);
+ @GuardedBy("sUidOwnerMap")
private native int native_replaceUidChain(String name, boolean isAllowlist, int[] uids);
+ @GuardedBy("sUidOwnerMap")
private native int native_setUidRule(int childChain, int uid, int firewallRule);
+ @GuardedBy("sUidOwnerMap")
private native int native_addUidInterfaceRules(String ifName, int[] uids);
+ @GuardedBy("sUidOwnerMap")
private native int native_removeUidInterfaceRules(int[] uids);
+ @GuardedBy("sUidOwnerMap")
private native int native_updateUidLockdownRule(int uid, boolean add);
private native int native_swapActiveStatsMap();
private native void native_setPermissionForUids(int permissions, int[] uids);