| Ken Chen | 1647f60 | 2021-10-05 21:55:22 +0800 | [diff] [blame] | 1 | /** |
| 2 | * Copyright (c) 2022, The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #define LOG_TAG "BpfHandler" |
| 18 | |
| 19 | #include "BpfHandler.h" |
| 20 | |
| 21 | #include <linux/bpf.h> |
| 22 | |
| 23 | #include <android-base/unique_fd.h> |
| 24 | #include <bpf/WaitForProgsLoaded.h> |
| 25 | #include <log/log.h> |
| 26 | #include <netdutils/UidConstants.h> |
| 27 | #include <private/android_filesystem_config.h> |
| 28 | |
| 29 | #include "BpfSyscallWrappers.h" |
| 30 | |
| 31 | namespace android { |
| 32 | namespace net { |
| 33 | |
| 34 | using base::unique_fd; |
| 35 | using bpf::NONEXISTENT_COOKIE; |
| 36 | using bpf::getSocketCookie; |
| 37 | using bpf::retrieveProgram; |
| 38 | using netdutils::Status; |
| 39 | using netdutils::statusFromErrno; |
| 40 | |
| 41 | constexpr int PER_UID_STATS_ENTRIES_LIMIT = 500; |
| 42 | // At most 90% of the stats map may be used by tagged traffic entries. This ensures |
| 43 | // that 10% of the map is always available to count untagged traffic, one entry per UID. |
| 44 | // Otherwise, apps would be able to avoid data usage accounting entirely by filling up the |
| 45 | // map with tagged traffic entries. |
| 46 | constexpr int TOTAL_UID_STATS_ENTRIES_LIMIT = STATS_MAP_SIZE * 0.9; |
| 47 | |
| 48 | static_assert(STATS_MAP_SIZE - TOTAL_UID_STATS_ENTRIES_LIMIT > 100, |
| 49 | "The limit for stats map is to high, stats data may be lost due to overflow"); |
| 50 | |
| 51 | static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd, |
| 52 | bpf_attach_type type) { |
| 53 | unique_fd cgroupProg(retrieveProgram(programPath)); |
| 54 | if (cgroupProg == -1) { |
| 55 | int ret = errno; |
| 56 | ALOGE("Failed to get program from %s: %s", programPath, strerror(ret)); |
| 57 | return statusFromErrno(ret, "cgroup program get failed"); |
| 58 | } |
| 59 | if (android::bpf::attachProgram(type, cgroupProg, cgroupFd)) { |
| 60 | int ret = errno; |
| 61 | ALOGE("Program from %s attach failed: %s", programPath, strerror(ret)); |
| 62 | return statusFromErrno(ret, "program attach failed"); |
| 63 | } |
| 64 | return netdutils::status::ok; |
| 65 | } |
| 66 | |
| 67 | static Status initPrograms(const char* cg2_path) { |
| 68 | unique_fd cg_fd(open(cg2_path, O_DIRECTORY | O_RDONLY | O_CLOEXEC)); |
| 69 | if (cg_fd == -1) { |
| 70 | int ret = errno; |
| 71 | ALOGE("Failed to open the cgroup directory: %s", strerror(ret)); |
| 72 | return statusFromErrno(ret, "Open the cgroup directory failed"); |
| 73 | } |
| 74 | RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS)); |
| 75 | RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS)); |
| 76 | |
| 77 | // For the devices that support cgroup socket filter, the socket filter |
| 78 | // should be loaded successfully by bpfloader. So we attach the filter to |
| 79 | // cgroup if the program is pinned properly. |
| 80 | // TODO: delete the if statement once all devices should support cgroup |
| 81 | // socket filter (ie. the minimum kernel version required is 4.14). |
| 82 | if (!access(CGROUP_SOCKET_PROG_PATH, F_OK)) { |
| 83 | RETURN_IF_NOT_OK( |
| 84 | attachProgramToCgroup(CGROUP_SOCKET_PROG_PATH, cg_fd, BPF_CGROUP_INET_SOCK_CREATE)); |
| 85 | } |
| 86 | return netdutils::status::ok; |
| 87 | } |
| 88 | |
| 89 | BpfHandler::BpfHandler() |
| 90 | : mPerUidStatsEntriesLimit(PER_UID_STATS_ENTRIES_LIMIT), |
| 91 | mTotalUidStatsEntriesLimit(TOTAL_UID_STATS_ENTRIES_LIMIT) {} |
| 92 | |
| 93 | BpfHandler::BpfHandler(uint32_t perUidLimit, uint32_t totalLimit) |
| 94 | : mPerUidStatsEntriesLimit(perUidLimit), mTotalUidStatsEntriesLimit(totalLimit) {} |
| 95 | |
| 96 | Status BpfHandler::init(const char* cg2_path) { |
| 97 | // Make sure BPF programs are loaded before doing anything |
| 98 | android::bpf::waitForProgsLoaded(); |
| 99 | ALOGI("BPF programs are loaded"); |
| 100 | |
| 101 | RETURN_IF_NOT_OK(initPrograms(cg2_path)); |
| 102 | RETURN_IF_NOT_OK(initMaps()); |
| 103 | |
| 104 | return netdutils::status::ok; |
| 105 | } |
| 106 | |
| 107 | Status BpfHandler::initMaps() { |
| 108 | std::lock_guard guard(mMutex); |
| 109 | RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH)); |
| 110 | RETURN_IF_NOT_OK(mStatsMapA.init(STATS_MAP_A_PATH)); |
| 111 | RETURN_IF_NOT_OK(mStatsMapB.init(STATS_MAP_B_PATH)); |
| 112 | RETURN_IF_NOT_OK(mConfigurationMap.init(CONFIGURATION_MAP_PATH)); |
| 113 | RETURN_IF_NOT_OK(mConfigurationMap.writeValue(CURRENT_STATS_MAP_CONFIGURATION_KEY, SELECT_MAP_A, |
| 114 | BPF_ANY)); |
| 115 | RETURN_IF_NOT_OK(mUidPermissionMap.init(UID_PERMISSION_MAP_PATH)); |
| 116 | |
| 117 | return netdutils::status::ok; |
| 118 | } |
| 119 | |
| 120 | bool BpfHandler::hasUpdateDeviceStatsPermission(uid_t uid) { |
| 121 | // This implementation is the same logic as method ActivityManager#checkComponentPermission. |
| 122 | // It implies that the real uid can never be the same as PER_USER_RANGE. |
| 123 | uint32_t appId = uid % PER_USER_RANGE; |
| 124 | auto permission = mUidPermissionMap.readValue(appId); |
| 125 | if (permission.ok() && (permission.value() & BPF_PERMISSION_UPDATE_DEVICE_STATS)) { |
| 126 | return true; |
| 127 | } |
| 128 | return ((appId == AID_ROOT) || (appId == AID_SYSTEM) || (appId == AID_DNS)); |
| 129 | } |
| 130 | |
| 131 | int BpfHandler::tagSocket(int sockFd, uint32_t tag, uid_t chargeUid, uid_t realUid) { |
| 132 | std::lock_guard guard(mMutex); |
| 133 | if (chargeUid != realUid && !hasUpdateDeviceStatsPermission(realUid)) { |
| 134 | return -EPERM; |
| 135 | } |
| 136 | |
| Hungming Chen | 436547e | 2022-02-18 17:52:11 +0800 | [diff] [blame] | 137 | // Note that tagging the socket to AID_CLAT is only implemented in JNI ClatCoordinator. |
| 138 | // The process is not allowed to tag socket to AID_CLAT via tagSocket() which would cause |
| 139 | // process data usage accounting to be bypassed. Tagging AID_CLAT is used for avoiding counting |
| 140 | // CLAT traffic data usage twice. See packages/modules/Connectivity/service/jni/ |
| 141 | // com_android_server_connectivity_ClatCoordinator.cpp |
| 142 | if (chargeUid == AID_CLAT) { |
| 143 | return -EPERM; |
| 144 | } |
| 145 | |
| Hungming Chen | 478c0eb | 2022-03-04 21:16:59 +0800 | [diff] [blame] | 146 | // The socket destroy listener only monitors on the group {INET_TCP, INET_UDP, INET6_TCP, |
| 147 | // INET6_UDP}. Tagging listener unsupported socket causes that the tag can't be removed from |
| 148 | // tag map automatically. Eventually, the tag map may run out of space because of dead tag |
| 149 | // entries. |
| 150 | // See TrafficController::makeSkDestroyListener in |
| 151 | // packages/modules/Connectivity/service/native/TrafficController.cpp |
| 152 | // TODO: remove this once the socket destroy listener can detect more types of socket destroy. |
| 153 | int socketProto; |
| 154 | socklen_t intSize = sizeof(socketProto); |
| 155 | if (getsockopt(sockFd, SOL_SOCKET, SO_PROTOCOL, &socketProto, &intSize)) { |
| 156 | ALOGE("Failed to getsockopt: %s, fd: %d", strerror(errno), sockFd); |
| 157 | return -errno; |
| 158 | } else { |
| 159 | if (socketProto != IPPROTO_UDP && socketProto != IPPROTO_TCP) { |
| 160 | ALOGE("Unsupported protocol: %d", socketProto); |
| 161 | return -EPROTONOSUPPORT; |
| 162 | } |
| 163 | } |
| 164 | |
| Ken Chen | 1647f60 | 2021-10-05 21:55:22 +0800 | [diff] [blame] | 165 | uint64_t sock_cookie = getSocketCookie(sockFd); |
| 166 | if (sock_cookie == NONEXISTENT_COOKIE) return -errno; |
| 167 | UidTagValue newKey = {.uid = (uint32_t)chargeUid, .tag = tag}; |
| 168 | |
| 169 | uint32_t totalEntryCount = 0; |
| 170 | uint32_t perUidEntryCount = 0; |
| 171 | // Now we go through the stats map and count how many entries are associated |
| 172 | // with chargeUid. If the uid entry hit the limit for each chargeUid, we block |
| 173 | // the request to prevent the map from overflow. It is safe here to iterate |
| 174 | // over the map since when mMutex is hold, system server cannot toggle |
| 175 | // the live stats map and clean it. So nobody can delete entries from the map. |
| 176 | const auto countUidStatsEntries = [chargeUid, &totalEntryCount, &perUidEntryCount]( |
| 177 | const StatsKey& key, |
| 178 | const BpfMap<StatsKey, StatsValue>&) { |
| 179 | if (key.uid == chargeUid) { |
| 180 | perUidEntryCount++; |
| 181 | } |
| 182 | totalEntryCount++; |
| 183 | return base::Result<void>(); |
| 184 | }; |
| 185 | auto configuration = mConfigurationMap.readValue(CURRENT_STATS_MAP_CONFIGURATION_KEY); |
| 186 | if (!configuration.ok()) { |
| 187 | ALOGE("Failed to get current configuration: %s, fd: %d", |
| 188 | strerror(configuration.error().code()), mConfigurationMap.getMap().get()); |
| 189 | return -configuration.error().code(); |
| 190 | } |
| 191 | if (configuration.value() != SELECT_MAP_A && configuration.value() != SELECT_MAP_B) { |
| 192 | ALOGE("unknown configuration value: %d", configuration.value()); |
| 193 | return -EINVAL; |
| 194 | } |
| 195 | |
| 196 | BpfMap<StatsKey, StatsValue>& currentMap = |
| 197 | (configuration.value() == SELECT_MAP_A) ? mStatsMapA : mStatsMapB; |
| 198 | base::Result<void> res = currentMap.iterate(countUidStatsEntries); |
| 199 | if (!res.ok()) { |
| 200 | ALOGE("Failed to count the stats entry in map %d: %s", currentMap.getMap().get(), |
| 201 | strerror(res.error().code())); |
| 202 | return -res.error().code(); |
| 203 | } |
| 204 | |
| 205 | if (totalEntryCount > mTotalUidStatsEntriesLimit || |
| 206 | perUidEntryCount > mPerUidStatsEntriesLimit) { |
| 207 | ALOGE("Too many stats entries in the map, total count: %u, chargeUid(%u) count: %u," |
| 208 | " blocking tag request to prevent map overflow", |
| 209 | totalEntryCount, chargeUid, perUidEntryCount); |
| 210 | return -EMFILE; |
| 211 | } |
| 212 | // Update the tag information of a socket to the cookieUidMap. Use BPF_ANY |
| 213 | // flag so it will insert a new entry to the map if that value doesn't exist |
| 214 | // yet. And update the tag if there is already a tag stored. Since the eBPF |
| 215 | // program in kernel only read this map, and is protected by rcu read lock. It |
| 216 | // should be fine to cocurrently update the map while eBPF program is running. |
| 217 | res = mCookieTagMap.writeValue(sock_cookie, newKey, BPF_ANY); |
| 218 | if (!res.ok()) { |
| 219 | ALOGE("Failed to tag the socket: %s, fd: %d", strerror(res.error().code()), |
| 220 | mCookieTagMap.getMap().get()); |
| 221 | return -res.error().code(); |
| 222 | } |
| 223 | return 0; |
| 224 | } |
| 225 | |
| 226 | int BpfHandler::untagSocket(int sockFd) { |
| 227 | std::lock_guard guard(mMutex); |
| 228 | uint64_t sock_cookie = getSocketCookie(sockFd); |
| 229 | |
| 230 | if (sock_cookie == NONEXISTENT_COOKIE) return -errno; |
| 231 | base::Result<void> res = mCookieTagMap.deleteValue(sock_cookie); |
| 232 | if (!res.ok()) { |
| 233 | ALOGE("Failed to untag socket: %s\n", strerror(res.error().code())); |
| 234 | return -res.error().code(); |
| 235 | } |
| 236 | return 0; |
| 237 | } |
| 238 | |
| 239 | } // namespace net |
| 240 | } // namespace android |