Delete dead codes within TrafficController in mainline module
Delete tagSocket(), privilegedTagSocket() and untagSocket() since
they are moved out of TrafficController in aosp/1849156.
Test: m
Change-Id: I6162c758446f597eb79734e00348dc8b1fe2d422
diff --git a/service/native/TrafficController.cpp b/service/native/TrafficController.cpp
index 2b4ecb6..c24a41b 100644
--- a/service/native/TrafficController.cpp
+++ b/service/native/TrafficController.cpp
@@ -16,7 +16,6 @@
#define LOG_TAG "TrafficController"
#include <inttypes.h>
-#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/in.h>
#include <linux/inet_diag.h>
@@ -40,11 +39,8 @@
#include <android-base/unique_fd.h>
#include <netdutils/StatusOr.h>
-#include <netdutils/Misc.h>
-#include <netdutils/NetlinkListener.h>
#include <netdutils/Syscalls.h>
#include <netdutils/Utils.h>
-#include <processgroup/processgroup.h>
#include "TrafficController.h"
#include "bpf/BpfMap.h"
@@ -56,13 +52,9 @@
using base::StringPrintf;
using base::unique_fd;
using bpf::BpfMap;
-using bpf::getSocketCookie;
-using bpf::NONEXISTENT_COOKIE;
using bpf::OVERFLOW_COUNTERSET;
-using bpf::retrieveProgram;
using bpf::synchronizeKernelRCU;
using netdutils::DumpWriter;
-using netdutils::extract;
using netdutils::getIfaceList;
using netdutils::NetlinkListener;
using netdutils::NetlinkListenerInterface;
@@ -76,12 +68,6 @@
constexpr int kSockDiagMsgType = SOCK_DIAG_BY_FAMILY;
constexpr int kSockDiagDoneMsgType = NLMSG_DONE;
-constexpr int PER_UID_STATS_ENTRIES_LIMIT = 500;
-// At most 90% of the stats map may be used by tagged traffic entries. This ensures
-// that 10% of the map is always available to count untagged traffic, one entry per UID.
-// Otherwise, apps would be able to avoid data usage accounting entirely by filling up the
-// map with tagged traffic entries.
-constexpr int TOTAL_UID_STATS_ENTRIES_LIMIT = STATS_MAP_SIZE * 0.9;
const char* TrafficController::LOCAL_DOZABLE = "fw_dozable";
const char* TrafficController::LOCAL_STANDBY = "fw_standby";
@@ -92,8 +78,6 @@
"Mismatch between BPF and AIDL permissions: PERMISSION_INTERNET");
static_assert(BPF_PERMISSION_UPDATE_DEVICE_STATS == INetd::PERMISSION_UPDATE_DEVICE_STATS,
"Mismatch between BPF and AIDL permissions: PERMISSION_UPDATE_DEVICE_STATS");
-static_assert(STATS_MAP_SIZE - TOTAL_UID_STATS_ENTRIES_LIMIT > 100,
- "The limit for stats map is to high, stats data may be lost due to overflow");
#define FLAG_MSG_TRANS(result, flag, value) \
do { \
@@ -177,13 +161,6 @@
return listener;
}
-TrafficController::TrafficController()
- : mPerUidStatsEntriesLimit(PER_UID_STATS_ENTRIES_LIMIT),
- mTotalUidStatsEntriesLimit(TOTAL_UID_STATS_ENTRIES_LIMIT) {}
-
-TrafficController::TrafficController(uint32_t perUidLimit, uint32_t totalLimit)
- : mPerUidStatsEntriesLimit(perUidLimit), mTotalUidStatsEntriesLimit(totalLimit) {}
-
Status TrafficController::initMaps() {
std::lock_guard guard(mMutex);
@@ -208,52 +185,6 @@
return netdutils::status::ok;
}
-static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd,
- bpf_attach_type type) {
- unique_fd cgroupProg(retrieveProgram(programPath));
- if (cgroupProg == -1) {
- int ret = errno;
- ALOGE("Failed to get program from %s: %s", programPath, strerror(ret));
- return statusFromErrno(ret, "cgroup program get failed");
- }
- if (android::bpf::attachProgram(type, cgroupProg, cgroupFd)) {
- int ret = errno;
- ALOGE("Program from %s attach failed: %s", programPath, strerror(ret));
- return statusFromErrno(ret, "program attach failed");
- }
- return netdutils::status::ok;
-}
-
-static Status initPrograms() {
- std::string cg2_path;
-
- if (!CgroupGetControllerPath(CGROUPV2_CONTROLLER_NAME, &cg2_path)) {
- int ret = errno;
- ALOGE("Failed to find cgroup v2 root");
- return statusFromErrno(ret, "Failed to find cgroup v2 root");
- }
-
- unique_fd cg_fd(open(cg2_path.c_str(), O_DIRECTORY | O_RDONLY | O_CLOEXEC));
- if (cg_fd == -1) {
- int ret = errno;
- ALOGE("Failed to open the cgroup directory: %s", strerror(ret));
- return statusFromErrno(ret, "Open the cgroup directory failed");
- }
- RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS));
- RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS));
-
- // For the devices that support cgroup socket filter, the socket filter
- // should be loaded successfully by bpfloader. So we attach the filter to
- // cgroup if the program is pinned properly.
- // TODO: delete the if statement once all devices should support cgroup
- // socket filter (ie. the minimum kernel version required is 4.14).
- if (!access(CGROUP_SOCKET_PROG_PATH, F_OK)) {
- RETURN_IF_NOT_OK(
- attachProgramToCgroup(CGROUP_SOCKET_PROG_PATH, cg_fd, BPF_CGROUP_INET_SOCK_CREATE));
- }
- return netdutils::status::ok;
-}
-
Status TrafficController::start() {
/* When netd restarts from a crash without total system reboot, the program
* is still attached to the cgroup, detach it so the program can be freed
@@ -265,8 +196,6 @@
RETURN_IF_NOT_OK(initMaps());
- RETURN_IF_NOT_OK(initPrograms());
-
// Fetch the list of currently-existing interfaces. At this point NetlinkHandler is
// already running, so it will call addInterface() when any new interface appears.
std::map<std::string, uint32_t> ifacePairs;
@@ -312,94 +241,6 @@
return netdutils::status::ok;
}
-int TrafficController::tagSocket(int sockFd, uint32_t tag, uid_t uid, uid_t callingUid) {
- std::lock_guard guard(mMutex);
- if (uid != callingUid && !hasUpdateDeviceStatsPermission(callingUid)) {
- return -EPERM;
- }
- return privilegedTagSocketLocked(sockFd, tag, uid);
-}
-
-int TrafficController::privilegedTagSocket(int sockFd, uint32_t tag, uid_t uid) {
- std::lock_guard guard(mMutex);
- return privilegedTagSocketLocked(sockFd, tag, uid);
-}
-
-int TrafficController::privilegedTagSocketLocked(int sockFd, uint32_t tag, uid_t uid) {
- uint64_t sock_cookie = getSocketCookie(sockFd);
- if (sock_cookie == NONEXISTENT_COOKIE) return -errno;
- UidTagValue newKey = {.uid = (uint32_t)uid, .tag = tag};
-
- uint32_t totalEntryCount = 0;
- uint32_t perUidEntryCount = 0;
- // Now we go through the stats map and count how many entries are associated
- // with target uid. If the uid entry hit the limit for each uid, we block
- // the request to prevent the map from overflow. It is safe here to iterate
- // over the map since when mMutex is hold, system server cannot toggle
- // the live stats map and clean it. So nobody can delete entries from the map.
- const auto countUidStatsEntries = [uid, &totalEntryCount, &perUidEntryCount](
- const StatsKey& key,
- const BpfMap<StatsKey, StatsValue>&) {
- if (key.uid == uid) {
- perUidEntryCount++;
- }
- totalEntryCount++;
- return base::Result<void>();
- };
- auto configuration = mConfigurationMap.readValue(CURRENT_STATS_MAP_CONFIGURATION_KEY);
- if (!configuration.ok()) {
- ALOGE("Failed to get current configuration: %s, fd: %d",
- strerror(configuration.error().code()), mConfigurationMap.getMap().get());
- return -configuration.error().code();
- }
- if (configuration.value() != SELECT_MAP_A && configuration.value() != SELECT_MAP_B) {
- ALOGE("unknown configuration value: %d", configuration.value());
- return -EINVAL;
- }
-
- BpfMap<StatsKey, StatsValue>& currentMap =
- (configuration.value() == SELECT_MAP_A) ? mStatsMapA : mStatsMapB;
- base::Result<void> res = currentMap.iterate(countUidStatsEntries);
- if (!res.ok()) {
- ALOGE("Failed to count the stats entry in map %d: %s", currentMap.getMap().get(),
- strerror(res.error().code()));
- return -res.error().code();
- }
-
- if (totalEntryCount > mTotalUidStatsEntriesLimit ||
- perUidEntryCount > mPerUidStatsEntriesLimit) {
- ALOGE("Too many stats entries in the map, total count: %u, uid(%u) count: %u, blocking tag"
- " request to prevent map overflow",
- totalEntryCount, uid, perUidEntryCount);
- return -EMFILE;
- }
- // Update the tag information of a socket to the cookieUidMap. Use BPF_ANY
- // flag so it will insert a new entry to the map if that value doesn't exist
- // yet. And update the tag if there is already a tag stored. Since the eBPF
- // program in kernel only read this map, and is protected by rcu read lock. It
- // should be fine to cocurrently update the map while eBPF program is running.
- res = mCookieTagMap.writeValue(sock_cookie, newKey, BPF_ANY);
- if (!res.ok()) {
- ALOGE("Failed to tag the socket: %s, fd: %d", strerror(res.error().code()),
- mCookieTagMap.getMap().get());
- return -res.error().code();
- }
- return 0;
-}
-
-int TrafficController::untagSocket(int sockFd) {
- std::lock_guard guard(mMutex);
- uint64_t sock_cookie = getSocketCookie(sockFd);
-
- if (sock_cookie == NONEXISTENT_COOKIE) return -errno;
- base::Result<void> res = mCookieTagMap.deleteValue(sock_cookie);
- if (!res.ok()) {
- ALOGE("Failed to untag socket: %s\n", strerror(res.error().code()));
- return -res.error().code();
- }
- return 0;
-}
-
int TrafficController::setCounterSet(int counterSetNum, uid_t uid, uid_t callingUid) {
if (counterSetNum < 0 || counterSetNum >= OVERFLOW_COUNTERSET) return -EINVAL;
diff --git a/service/native/TrafficControllerTest.cpp b/service/native/TrafficControllerTest.cpp
index 29ce250..f5d5911 100644
--- a/service/native/TrafficControllerTest.cpp
+++ b/service/native/TrafficControllerTest.cpp
@@ -47,22 +47,18 @@
using netdutils::isOk;
constexpr int TEST_MAP_SIZE = 10;
-constexpr int TEST_COOKIE = 1;
constexpr uid_t TEST_UID = 10086;
constexpr uid_t TEST_UID2 = 54321;
constexpr uid_t TEST_UID3 = 98765;
constexpr uint32_t TEST_TAG = 42;
constexpr uint32_t TEST_COUNTERSET = 1;
constexpr uint32_t DEFAULT_COUNTERSET = 0;
-constexpr uint32_t TEST_PER_UID_STATS_ENTRIES_LIMIT = 3;
-constexpr uint32_t TEST_TOTAL_UID_STATS_ENTRIES_LIMIT = 7;
#define ASSERT_VALID(x) ASSERT_TRUE((x).isValid())
class TrafficControllerTest : public ::testing::Test {
protected:
- TrafficControllerTest()
- : mTc(TEST_PER_UID_STATS_ENTRIES_LIMIT, TEST_TOTAL_UID_STATS_ENTRIES_LIMIT) {}
+ TrafficControllerTest() {}
TrafficController mTc;
BpfMap<uint64_t, UidTagValue> mFakeCookieTagMap;
BpfMap<uint32_t, uint8_t> mFakeUidCounterSetMap;
@@ -128,25 +124,6 @@
return fcntl(mapFd.get(), F_DUPFD_CLOEXEC, 0);
}
- int setUpSocketAndTag(int protocol, uint64_t* cookie, uint32_t tag, uid_t uid,
- uid_t callingUid) {
- int sock = socket(protocol, SOCK_STREAM | SOCK_CLOEXEC, 0);
- EXPECT_LE(0, sock);
- *cookie = getSocketCookie(sock);
- EXPECT_NE(NONEXISTENT_COOKIE, *cookie);
- EXPECT_EQ(0, mTc.tagSocket(sock, tag, uid, callingUid));
- return sock;
- }
-
- void expectUidTag(uint64_t cookie, uid_t uid, uint32_t tag) {
- Result<UidTagValue> tagResult = mFakeCookieTagMap.readValue(cookie);
- ASSERT_RESULT_OK(tagResult);
- EXPECT_EQ(uid, tagResult.value().uid);
- EXPECT_EQ(tag, tagResult.value().tag);
- }
-
- void expectNoTag(uint64_t cookie) { EXPECT_FALSE(mFakeCookieTagMap.readValue(cookie).ok()); }
-
void populateFakeStats(uint64_t cookie, uint32_t uid, uint32_t tag, StatsKey* key) {
UidTagValue cookieMapkey = {.uid = (uint32_t)uid, .tag = tag};
EXPECT_RESULT_OK(mFakeCookieTagMap.writeValue(cookie, cookieMapkey, BPF_ANY));
@@ -296,123 +273,8 @@
EXPECT_EQ((uint64_t)1, appStatsResult.value().rxPackets);
EXPECT_EQ((uint64_t)100, appStatsResult.value().rxBytes);
}
-
- void expectTagSocketReachLimit(uint32_t tag, uint32_t uid) {
- int sock = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
- EXPECT_LE(0, sock);
- if (sock < 0) return;
- uint64_t sockCookie = getSocketCookie(sock);
- EXPECT_NE(NONEXISTENT_COOKIE, sockCookie);
- EXPECT_EQ(-EMFILE, mTc.tagSocket(sock, tag, uid, uid));
- expectNoTag(sockCookie);
-
- // Delete stats entries then tag socket success
- EXPECT_EQ(0, mTc.deleteTagData(0, uid, 0));
- EXPECT_EQ(0, mTc.tagSocket(sock, tag, uid, uid));
- expectUidTag(sockCookie, uid, tag);
- }
};
-TEST_F(TrafficControllerTest, TestTagSocketV4) {
- uint64_t sockCookie;
- int v4socket = setUpSocketAndTag(AF_INET, &sockCookie, TEST_TAG, TEST_UID, TEST_UID);
- expectUidTag(sockCookie, TEST_UID, TEST_TAG);
- ASSERT_EQ(0, mTc.untagSocket(v4socket));
- expectNoTag(sockCookie);
- expectMapEmpty(mFakeCookieTagMap);
-}
-
-TEST_F(TrafficControllerTest, TestReTagSocket) {
- uint64_t sockCookie;
- int v4socket = setUpSocketAndTag(AF_INET, &sockCookie, TEST_TAG, TEST_UID, TEST_UID);
- expectUidTag(sockCookie, TEST_UID, TEST_TAG);
- ASSERT_EQ(0, mTc.tagSocket(v4socket, TEST_TAG + 1, TEST_UID + 1, TEST_UID + 1));
- expectUidTag(sockCookie, TEST_UID + 1, TEST_TAG + 1);
-}
-
-TEST_F(TrafficControllerTest, TestTagTwoSockets) {
- uint64_t sockCookie1;
- uint64_t sockCookie2;
- int v4socket1 = setUpSocketAndTag(AF_INET, &sockCookie1, TEST_TAG, TEST_UID, TEST_UID);
- setUpSocketAndTag(AF_INET, &sockCookie2, TEST_TAG, TEST_UID, TEST_UID);
- expectUidTag(sockCookie1, TEST_UID, TEST_TAG);
- expectUidTag(sockCookie2, TEST_UID, TEST_TAG);
- ASSERT_EQ(0, mTc.untagSocket(v4socket1));
- expectNoTag(sockCookie1);
- expectUidTag(sockCookie2, TEST_UID, TEST_TAG);
- ASSERT_FALSE(mFakeCookieTagMap.getNextKey(sockCookie2).ok());
-}
-
-TEST_F(TrafficControllerTest, TestTagSocketV6) {
- uint64_t sockCookie;
- int v6socket = setUpSocketAndTag(AF_INET6, &sockCookie, TEST_TAG, TEST_UID, TEST_UID);
- expectUidTag(sockCookie, TEST_UID, TEST_TAG);
- ASSERT_EQ(0, mTc.untagSocket(v6socket));
- expectNoTag(sockCookie);
- expectMapEmpty(mFakeCookieTagMap);
-}
-
-TEST_F(TrafficControllerTest, TestTagInvalidSocket) {
- int invalidSocket = -1;
- ASSERT_GT(0, mTc.tagSocket(invalidSocket, TEST_TAG, TEST_UID, TEST_UID));
- expectMapEmpty(mFakeCookieTagMap);
-}
-
-TEST_F(TrafficControllerTest, TestTagSocketWithoutPermission) {
- int sock = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
- ASSERT_NE(-1, sock);
- ASSERT_EQ(-EPERM, mTc.tagSocket(sock, TEST_TAG, TEST_UID, TEST_UID2));
- expectMapEmpty(mFakeCookieTagMap);
-}
-
-TEST_F(TrafficControllerTest, TestTagSocketWithPermission) {
- // Grant permission to calling uid.
- std::vector<uid_t> callingUid = {TEST_UID2};
- mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, callingUid);
-
- // Tag a socket to a different uid other then callingUid.
- uint64_t sockCookie;
- int v6socket = setUpSocketAndTag(AF_INET6, &sockCookie, TEST_TAG, TEST_UID, TEST_UID2);
- expectUidTag(sockCookie, TEST_UID, TEST_TAG);
- EXPECT_EQ(0, mTc.untagSocket(v6socket));
- expectNoTag(sockCookie);
- expectMapEmpty(mFakeCookieTagMap);
-
- // Clean up the permission
- mTc.setPermissionForUids(INetd::PERMISSION_NONE, callingUid);
- expectPrivilegedUserSetEmpty();
-}
-
-TEST_F(TrafficControllerTest, TestUntagInvalidSocket) {
- int invalidSocket = -1;
- ASSERT_GT(0, mTc.untagSocket(invalidSocket));
- int v4socket = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
- ASSERT_GT(0, mTc.untagSocket(v4socket));
- expectMapEmpty(mFakeCookieTagMap);
-}
-
-TEST_F(TrafficControllerTest, TestTagSocketReachLimitFail) {
- uid_t uid = TEST_UID;
- StatsKey tagStatsMapKey[4];
- for (int i = 0; i < 3; i++) {
- uint64_t cookie = TEST_COOKIE + i;
- uint32_t tag = TEST_TAG + i;
- populateFakeStats(cookie, uid, tag, &tagStatsMapKey[i]);
- }
- expectTagSocketReachLimit(TEST_TAG, TEST_UID);
-}
-
-TEST_F(TrafficControllerTest, TestTagSocketReachTotalLimitFail) {
- StatsKey tagStatsMapKey[4];
- for (int i = 0; i < 4; i++) {
- uint64_t cookie = TEST_COOKIE + i;
- uint32_t tag = TEST_TAG + i;
- uid_t uid = TEST_UID + i;
- populateFakeStats(cookie, uid, tag, &tagStatsMapKey[i]);
- }
- expectTagSocketReachLimit(TEST_TAG, TEST_UID);
-}
-
TEST_F(TrafficControllerTest, TestSetCounterSet) {
uid_t callingUid = TEST_UID2;
addPrivilegedUid(callingUid);
diff --git a/service/native/include/TrafficController.h b/service/native/include/TrafficController.h
index 2f38f6c..3e98b68 100644
--- a/service/native/include/TrafficController.h
+++ b/service/native/include/TrafficController.h
@@ -19,9 +19,8 @@
#include <linux/bpf.h>
-#include "Network.h"
+#include "NetlinkListener.h"
#include "android-base/thread_annotations.h"
-#include "android-base/unique_fd.h"
#include "bpf/BpfMap.h"
#include "bpf_shared.h"
#include "netdutils/DumpWriter.h"
@@ -34,34 +33,10 @@
class TrafficController {
public:
- TrafficController();
/*
* Initialize the whole controller
*/
netdutils::Status start();
- /*
- * Tag the socket with the specified tag and uid. In the qtaguid module, the
- * first tag request that grab the spinlock of rb_tree can update the tag
- * information first and other request need to wait until it finish. All the
- * tag request will be addressed in the order of they obtaining the spinlock.
- * In the eBPF implementation, the kernel will try to update the eBPF map
- * entry with the tag request. And the hashmap update process is protected by
- * the spinlock initialized with the map. So the behavior of two modules
- * should be the same. No additional lock needed.
- */
- int tagSocket(int sockFd, uint32_t tag, uid_t uid, uid_t callingUid) EXCLUDES(mMutex);
-
- /*
- * Similar as tagSocket, but skip UPDATE_DEVICE_STATS permission check.
- */
- int privilegedTagSocket(int sockFd, uint32_t tag, uid_t uid) EXCLUDES(mMutex);
-
- /*
- * The untag process is similiar to tag socket and both old qtaguid module and
- * new eBPF module have spinlock inside the kernel for concurrent update. No
- * external lock is required.
- */
- int untagSocket(int sockFd);
/*
* Similiar as above, no external lock required.
@@ -229,18 +204,6 @@
// read the map that system_server is cleaning up.
std::mutex mMutex;
- // The limit on the number of stats entries a uid can have in the per uid stats map.
- // TrafficController will block that specific uid from tagging new sockets after the limit is
- // reached.
- const uint32_t mPerUidStatsEntriesLimit;
-
- // The limit on the total number of stats entries in the per uid stats map. TrafficController
- // will block all tagging requests after the limit is reached.
- const uint32_t mTotalUidStatsEntriesLimit;
-
- netdutils::Status loadAndAttachProgram(bpf_attach_type type, const char* path, const char* name,
- base::unique_fd& cg_fd);
-
netdutils::Status initMaps() EXCLUDES(mMutex);
// Keep track of uids that have permission UPDATE_DEVICE_STATS so we don't
@@ -249,11 +212,6 @@
bool hasUpdateDeviceStatsPermission(uid_t uid) REQUIRES(mMutex);
- int privilegedTagSocketLocked(int sockFd, uint32_t tag, uid_t uid) REQUIRES(mMutex);
-
- // For testing
- TrafficController(uint32_t perUidLimit, uint32_t totalLimit);
-
// For testing
friend class TrafficControllerTest;
};