Gitiles
Code Review Sign In
review.blissroms.org / platform_packages_modules_Connectivity-old / d1b3b02c27e3fb88dfa5f92c7a06fbe4ff3ff7cd / . / bpf_progs / netd.c
blob: acb2f9c3d3eaa64bcc5328853809d0e6092ef704 [file] [log] [blame]
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]1/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Maciej Żenczykowskib6efc7f2022-05-24 15:56:03 -0700[diff] [blame]17// The resulting .o needs to load on the Android T Beta 3 bpfloader
18#define BPFLOADER_MIN_VER BPFLOADER_T_BETA3_VERSION
Maciej Żenczykowskifa61d492022-05-16 16:05:15 -0700[diff] [blame]19
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]20#include <bpf_helpers.h>
21#include <linux/bpf.h>
22#include <linux/if.h>
23#include <linux/if_ether.h>
24#include <linux/if_packet.h>
25#include <linux/in.h>
26#include <linux/in6.h>
27#include <linux/ip.h>
28#include <linux/ipv6.h>
29#include <linux/pkt_cls.h>
30#include <linux/tcp.h>
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]31#include <stdbool.h>
32#include <stdint.h>
33#include "bpf_net_helpers.h"
34#include "bpf_shared.h"
35
36// This is defined for cgroup bpf filter only.
37#define BPF_DROP_UNLESS_DNS 2
38#define BPF_PASS 1
39#define BPF_DROP 0
40
41// This is used for xt_bpf program only.
42#define BPF_NOMATCH 0
43#define BPF_MATCH 1
44
45#define BPF_EGRESS 0
46#define BPF_INGRESS 1
47
48#define IP_PROTO_OFF offsetof(struct iphdr, protocol)
49#define IPV6_PROTO_OFF offsetof(struct ipv6hdr, nexthdr)
50#define IPPROTO_IHL_OFF 0
51#define TCP_FLAG_OFF 13
52#define RST_OFFSET 2
53
Maciej Żenczykowski30e54762022-06-13 17:56:06 -0700[diff] [blame]54// For maps netd does not need to access
55#define DEFINE_BPF_MAP_NO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
56 DEFINE_BPF_MAP_UGM(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, AID_ROOT, AID_NET_BW_ACCT, 0060)
57
58// For maps netd only needs read only access to
59#define DEFINE_BPF_MAP_RO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
60 DEFINE_BPF_MAP_UGM(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, AID_ROOT, AID_NET_BW_ACCT, 0460)
61
62// For maps netd needs to be able to read and write
63#define DEFINE_BPF_MAP_RW_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
64 DEFINE_BPF_MAP_UGM(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, AID_ROOT, AID_NET_BW_ACCT, 0660)
65
66DEFINE_BPF_MAP_RW_NETD(cookie_tag_map, HASH, uint64_t, UidTagValue, COOKIE_UID_MAP_SIZE)
67DEFINE_BPF_MAP_NO_NETD(uid_counterset_map, HASH, uint32_t, uint8_t, UID_COUNTERSET_MAP_SIZE)
68DEFINE_BPF_MAP_NO_NETD(app_uid_stats_map, HASH, uint32_t, StatsValue, APP_STATS_MAP_SIZE)
69DEFINE_BPF_MAP_RW_NETD(stats_map_A, HASH, StatsKey, StatsValue, STATS_MAP_SIZE)
70DEFINE_BPF_MAP_RO_NETD(stats_map_B, HASH, StatsKey, StatsValue, STATS_MAP_SIZE)
71DEFINE_BPF_MAP_NO_NETD(iface_stats_map, HASH, uint32_t, StatsValue, IFACE_STATS_MAP_SIZE)
72DEFINE_BPF_MAP_RW_NETD(configuration_map, HASH, uint32_t, uint32_t, CONFIGURATION_MAP_SIZE)
73DEFINE_BPF_MAP_NO_NETD(uid_owner_map, HASH, uint32_t, UidOwnerValue, UID_OWNER_MAP_SIZE)
74DEFINE_BPF_MAP_RW_NETD(uid_permission_map, HASH, uint32_t, uint8_t, UID_OWNER_MAP_SIZE)
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]75
76/* never actually used from ebpf */
Maciej Żenczykowski30e54762022-06-13 17:56:06 -0700[diff] [blame]77DEFINE_BPF_MAP_NO_NETD(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_INDEX_NAME_MAP_SIZE)
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]78
79static __always_inline int is_system_uid(uint32_t uid) {
Maciej Żenczykowskid1b3b022022-06-15 00:40:43 -0700[diff] [blame^]80 // MIN_SYSTEM_UID is AID_ROOT == 0, so uint32_t is *always* >= 0
81 // MAX_SYSTEM_UID is AID_NOBODY == 9999, while AID_APP_START == 10000
82 return (uid < AID_APP_START);
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]83}
84
85/*
86 * Note: this blindly assumes an MTU of 1500, and that packets > MTU are always TCP,
87 * and that TCP is using the Linux default settings with TCP timestamp option enabled
88 * which uses 12 TCP option bytes per frame.
89 *
90 * These are not unreasonable assumptions:
91 *
92 * The internet does not really support MTUs greater than 1500, so most TCP traffic will
93 * be at that MTU, or slightly below it (worst case our upwards adjustment is too small).
94 *
95 * The chance our traffic isn't IP at all is basically zero, so the IP overhead correction
96 * is bound to be needed.
97 *
98 * Furthermore, the likelyhood that we're having to deal with GSO (ie. > MTU) packets that
99 * are not IP/TCP is pretty small (few other things are supported by Linux) and worse case
100 * our extra overhead will be slightly off, but probably still better than assuming none.
101 *
102 * Most servers are also Linux and thus support/default to using TCP timestamp option
103 * (and indeed TCP timestamp option comes from RFC 1323 titled "TCP Extensions for High
104 * Performance" which also defined TCP window scaling and are thus absolutely ancient...).
105 *
106 * All together this should be more correct than if we simply ignored GSO frames
107 * (ie. counted them as single packets with no extra overhead)
108 *
109 * Especially since the number of packets is important for any future clat offload correction.
110 * (which adjusts upward by 20 bytes per packet to account for ipv4 -> ipv6 header conversion)
111 */
112#define DEFINE_UPDATE_STATS(the_stats_map, TypeOfKey) \
113 static __always_inline inline void update_##the_stats_map(struct __sk_buff* skb, \
114 int direction, TypeOfKey* key) { \
115 StatsValue* value = bpf_##the_stats_map##_lookup_elem(key); \
116 if (!value) { \
117 StatsValue newValue = {}; \
118 bpf_##the_stats_map##_update_elem(key, &newValue, BPF_NOEXIST); \
119 value = bpf_##the_stats_map##_lookup_elem(key); \
120 } \
121 if (value) { \
122 const int mtu = 1500; \
123 uint64_t packets = 1; \
124 uint64_t bytes = skb->len; \
125 if (bytes > mtu) { \
126 bool is_ipv6 = (skb->protocol == htons(ETH_P_IPV6)); \
127 int ip_overhead = (is_ipv6 ? sizeof(struct ipv6hdr) : sizeof(struct iphdr)); \
128 int tcp_overhead = ip_overhead + sizeof(struct tcphdr) + 12; \
129 int mss = mtu - tcp_overhead; \
130 uint64_t payload = bytes - tcp_overhead; \
131 packets = (payload + mss - 1) / mss; \
132 bytes = tcp_overhead * packets + payload; \
133 } \
134 if (direction == BPF_EGRESS) { \
135 __sync_fetch_and_add(&value->txPackets, packets); \
136 __sync_fetch_and_add(&value->txBytes, bytes); \
137 } else if (direction == BPF_INGRESS) { \
138 __sync_fetch_and_add(&value->rxPackets, packets); \
139 __sync_fetch_and_add(&value->rxBytes, bytes); \
140 } \
141 } \
142 }
143
144DEFINE_UPDATE_STATS(app_uid_stats_map, uint32_t)
145DEFINE_UPDATE_STATS(iface_stats_map, uint32_t)
146DEFINE_UPDATE_STATS(stats_map_A, StatsKey)
147DEFINE_UPDATE_STATS(stats_map_B, StatsKey)
148
149static inline bool skip_owner_match(struct __sk_buff* skb) {
150 int offset = -1;
151 int ret = 0;
152 if (skb->protocol == htons(ETH_P_IP)) {
153 offset = IP_PROTO_OFF;
154 uint8_t proto, ihl;
155 uint8_t flag;
156 ret = bpf_skb_load_bytes(skb, offset, &proto, 1);
157 if (!ret) {
158 if (proto == IPPROTO_ESP) {
159 return true;
160 } else if (proto == IPPROTO_TCP) {
161 ret = bpf_skb_load_bytes(skb, IPPROTO_IHL_OFF, &ihl, 1);
162 ihl = ihl & 0x0F;
163 ret = bpf_skb_load_bytes(skb, ihl * 4 + TCP_FLAG_OFF, &flag, 1);
164 if (ret == 0 && (flag >> RST_OFFSET & 1)) {
165 return true;
166 }
167 }
168 }
169 } else if (skb->protocol == htons(ETH_P_IPV6)) {
170 offset = IPV6_PROTO_OFF;
171 uint8_t proto;
172 ret = bpf_skb_load_bytes(skb, offset, &proto, 1);
173 if (!ret) {
174 if (proto == IPPROTO_ESP) {
175 return true;
176 } else if (proto == IPPROTO_TCP) {
177 uint8_t flag;
178 ret = bpf_skb_load_bytes(skb, sizeof(struct ipv6hdr) + TCP_FLAG_OFF, &flag, 1);
179 if (ret == 0 && (flag >> RST_OFFSET & 1)) {
180 return true;
181 }
182 }
183 }
184 }
185 return false;
186}
187
188static __always_inline BpfConfig getConfig(uint32_t configKey) {
189 uint32_t mapSettingKey = configKey;
190 BpfConfig* config = bpf_configuration_map_lookup_elem(&mapSettingKey);
191 if (!config) {
192 // Couldn't read configuration entry. Assume everything is disabled.
193 return DEFAULT_CONFIG;
194 }
195 return *config;
196}
197
198static inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid, int direction) {
199 if (skip_owner_match(skb)) return BPF_PASS;
200
201 if (is_system_uid(uid)) return BPF_PASS;
202
203 BpfConfig enabledRules = getConfig(UID_RULES_CONFIGURATION_KEY);
204
205 UidOwnerValue* uidEntry = bpf_uid_owner_map_lookup_elem(&uid);
Motomu Utsumi7f9c79b2022-05-12 13:57:42 +0000[diff] [blame]206 uint32_t uidRules = uidEntry ? uidEntry->rule : 0;
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]207 uint32_t allowed_iif = uidEntry ? uidEntry->iif : 0;
208
209 if (enabledRules) {
210 if ((enabledRules & DOZABLE_MATCH) && !(uidRules & DOZABLE_MATCH)) {
211 return BPF_DROP;
212 }
213 if ((enabledRules & STANDBY_MATCH) && (uidRules & STANDBY_MATCH)) {
214 return BPF_DROP;
215 }
216 if ((enabledRules & POWERSAVE_MATCH) && !(uidRules & POWERSAVE_MATCH)) {
217 return BPF_DROP;
218 }
219 if ((enabledRules & RESTRICTED_MATCH) && !(uidRules & RESTRICTED_MATCH)) {
220 return BPF_DROP;
221 }
Robert Horvath54423022022-01-27 19:53:27 +0100[diff] [blame]222 if ((enabledRules & LOW_POWER_STANDBY_MATCH) && !(uidRules & LOW_POWER_STANDBY_MATCH)) {
223 return BPF_DROP;
224 }
Motomu Utsumi9cd47262022-06-01 13:57:27 +0000[diff] [blame]225 if ((enabledRules & OEM_DENY_1_MATCH) && (uidRules & OEM_DENY_1_MATCH)) {
226 return BPF_DROP;
227 }
228 if ((enabledRules & OEM_DENY_2_MATCH) && (uidRules & OEM_DENY_2_MATCH)) {
229 return BPF_DROP;
230 }
Motomu Utsumi608015f2022-06-06 07:44:05 +0000[diff] [blame]231 if ((enabledRules & OEM_DENY_3_MATCH) && (uidRules & OEM_DENY_3_MATCH)) {
232 return BPF_DROP;
233 }
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]234 }
Motomu Utsumi966ff7f2022-05-11 05:56:26 +0000[diff] [blame]235 if (direction == BPF_INGRESS && skb->ifindex != 1) {
236 if (uidRules & IIF_MATCH) {
237 if (allowed_iif && skb->ifindex != allowed_iif) {
238 // Drops packets not coming from lo nor the allowed interface
239 // allowed interface=0 is a wildcard and does not drop packets
240 return BPF_DROP_UNLESS_DNS;
241 }
242 } else if (uidRules & LOCKDOWN_VPN_MATCH) {
243 // Drops packets not coming from lo and rule does not have IIF_MATCH but has
244 // LOCKDOWN_VPN_MATCH
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]245 return BPF_DROP_UNLESS_DNS;
246 }
247 }
248 return BPF_PASS;
249}
250
251static __always_inline inline void update_stats_with_config(struct __sk_buff* skb, int direction,
Lorenzo Colitti90c0c3f2022-03-03 17:49:01 +0900[diff] [blame]252 StatsKey* key, uint32_t selectedMap) {
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]253 if (selectedMap == SELECT_MAP_A) {
254 update_stats_map_A(skb, direction, key);
255 } else if (selectedMap == SELECT_MAP_B) {
256 update_stats_map_B(skb, direction, key);
257 }
258}
259
260static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, int direction) {
261 uint32_t sock_uid = bpf_get_socket_uid(skb);
262 uint64_t cookie = bpf_get_socket_cookie(skb);
263 UidTagValue* utag = bpf_cookie_tag_map_lookup_elem(&cookie);
264 uint32_t uid, tag;
265 if (utag) {
266 uid = utag->uid;
267 tag = utag->tag;
268 } else {
269 uid = sock_uid;
270 tag = 0;
271 }
272
273 // Always allow and never count clat traffic. Only the IPv4 traffic on the stacked
274 // interface is accounted for and subject to usage restrictions.
275 // TODO: remove sock_uid check once Nat464Xlat javaland adds the socket tag AID_CLAT for clat.
276 if (sock_uid == AID_CLAT || uid == AID_CLAT) {
277 return BPF_PASS;
278 }
279
280 int match = bpf_owner_match(skb, sock_uid, direction);
281 if ((direction == BPF_EGRESS) && (match == BPF_DROP)) {
282 // If an outbound packet is going to be dropped, we do not count that
283 // traffic.
284 return match;
285 }
286
287// Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
288// Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h
289// and TrafficStatsConstants.java
290#define TAG_SYSTEM_DNS 0xFFFFFF82
291 if (tag == TAG_SYSTEM_DNS && uid == AID_DNS) {
292 uid = sock_uid;
293 if (match == BPF_DROP_UNLESS_DNS) match = BPF_PASS;
294 } else {
295 if (match == BPF_DROP_UNLESS_DNS) match = BPF_DROP;
296 }
297
298 StatsKey key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
299
300 uint8_t* counterSet = bpf_uid_counterset_map_lookup_elem(&uid);
301 if (counterSet) key.counterSet = (uint32_t)*counterSet;
302
303 uint32_t mapSettingKey = CURRENT_STATS_MAP_CONFIGURATION_KEY;
Lorenzo Colitti90c0c3f2022-03-03 17:49:01 +0900[diff] [blame]304 uint32_t* selectedMap = bpf_configuration_map_lookup_elem(&mapSettingKey);
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]305
306 // Use asm("%0 &= 1" : "+r"(match)) before return match,
307 // to help kernel's bpf verifier, so that it can be 100% certain
308 // that the returned value is always BPF_NOMATCH(0) or BPF_MATCH(1).
309 if (!selectedMap) {
310 asm("%0 &= 1" : "+r"(match));
311 return match;
312 }
313
314 if (key.tag) {
315 update_stats_with_config(skb, direction, &key, *selectedMap);
316 key.tag = 0;
317 }
318
319 update_stats_with_config(skb, direction, &key, *selectedMap);
320 update_app_uid_stats_map(skb, direction, &uid);
321 asm("%0 &= 1" : "+r"(match));
322 return match;
323}
324
Ken Chene541aa42022-02-09 10:00:30 +0800[diff] [blame]325DEFINE_BPF_PROG("cgroupskb/ingress/stats", AID_ROOT, AID_SYSTEM, bpf_cgroup_ingress)
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]326(struct __sk_buff* skb) {
327 return bpf_traffic_account(skb, BPF_INGRESS);
328}
329
Ken Chene541aa42022-02-09 10:00:30 +0800[diff] [blame]330DEFINE_BPF_PROG("cgroupskb/egress/stats", AID_ROOT, AID_SYSTEM, bpf_cgroup_egress)
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]331(struct __sk_buff* skb) {
332 return bpf_traffic_account(skb, BPF_EGRESS);
333}
334
Maciej Żenczykowski801154a2022-06-14 14:36:34 -0700[diff] [blame]335// WARNING: Android T's non-updatable netd depends on the name of this program.
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]336DEFINE_BPF_PROG("skfilter/egress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_egress_prog)
337(struct __sk_buff* skb) {
338 // Clat daemon does not generate new traffic, all its traffic is accounted for already
339 // on the v4-* interfaces (except for the 20 (or 28) extra bytes of IPv6 vs IPv4 overhead,
340 // but that can be corrected for later when merging v4-foo stats into interface foo's).
341 // TODO: remove sock_uid check once Nat464Xlat javaland adds the socket tag AID_CLAT for clat.
342 uint32_t sock_uid = bpf_get_socket_uid(skb);
343 if (sock_uid == AID_CLAT) return BPF_NOMATCH;
344 if (sock_uid == AID_SYSTEM) {
345 uint64_t cookie = bpf_get_socket_cookie(skb);
346 UidTagValue* utag = bpf_cookie_tag_map_lookup_elem(&cookie);
347 if (utag && utag->uid == AID_CLAT) return BPF_NOMATCH;
348 }
349
350 uint32_t key = skb->ifindex;
351 update_iface_stats_map(skb, BPF_EGRESS, &key);
352 return BPF_MATCH;
353}
354
Maciej Żenczykowski801154a2022-06-14 14:36:34 -0700[diff] [blame]355// WARNING: Android T's non-updatable netd depends on the name of this program.
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]356DEFINE_BPF_PROG("skfilter/ingress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_ingress_prog)
357(struct __sk_buff* skb) {
358 // Clat daemon traffic is not accounted by virtue of iptables raw prerouting drop rule
359 // (in clat_raw_PREROUTING chain), which triggers before this (in bw_raw_PREROUTING chain).
360 // It will be accounted for on the v4-* clat interface instead.
361 // Keep that in mind when moving this out of iptables xt_bpf and into tc ingress (or xdp).
362
363 uint32_t key = skb->ifindex;
364 update_iface_stats_map(skb, BPF_INGRESS, &key);
365 return BPF_MATCH;
366}
367
368DEFINE_BPF_PROG("schedact/ingress/account", AID_ROOT, AID_NET_ADMIN, tc_bpf_ingress_account_prog)
369(struct __sk_buff* skb) {
Patrick Rohr148aea82022-02-24 14:12:32 +0100[diff] [blame]370 if (is_received_skb(skb)) {
371 // Account for ingress traffic before tc drops it.
372 uint32_t key = skb->ifindex;
373 update_iface_stats_map(skb, BPF_INGRESS, &key);
374 }
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]375 return TC_ACT_UNSPEC;
376}
377
Maciej Żenczykowski801154a2022-06-14 14:36:34 -0700[diff] [blame]378// WARNING: Android T's non-updatable netd depends on the name of this program.
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]379DEFINE_BPF_PROG("skfilter/allowlist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_allowlist_prog)
380(struct __sk_buff* skb) {
381 uint32_t sock_uid = bpf_get_socket_uid(skb);
382 if (is_system_uid(sock_uid)) return BPF_MATCH;
383
384 // 65534 is the overflow 'nobody' uid, usually this being returned means
385 // that skb->sk is NULL during RX (early decap socket lookup failure),
386 // which commonly happens for incoming packets to an unconnected udp socket.
387 // Additionally bpf_get_socket_cookie() returns 0 if skb->sk is NULL
388 if ((sock_uid == 65534) && !bpf_get_socket_cookie(skb) && is_received_skb(skb))
389 return BPF_MATCH;
390
391 UidOwnerValue* allowlistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
392 if (allowlistMatch) return allowlistMatch->rule & HAPPY_BOX_MATCH ? BPF_MATCH : BPF_NOMATCH;
393 return BPF_NOMATCH;
394}
395
Maciej Żenczykowski801154a2022-06-14 14:36:34 -0700[diff] [blame]396// WARNING: Android T's non-updatable netd depends on the name of this program.
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]397DEFINE_BPF_PROG("skfilter/denylist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_denylist_prog)
398(struct __sk_buff* skb) {
399 uint32_t sock_uid = bpf_get_socket_uid(skb);
400 UidOwnerValue* denylistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
401 if (denylistMatch) return denylistMatch->rule & PENALTY_BOX_MATCH ? BPF_MATCH : BPF_NOMATCH;
402 return BPF_NOMATCH;
403}
404
405DEFINE_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_create,
406 KVER(4, 14, 0))
407(struct bpf_sock* sk) {
408 uint64_t gid_uid = bpf_get_current_uid_gid();
409 /*
410 * A given app is guaranteed to have the same app ID in all the profiles in
411 * which it is installed, and install permission is granted to app for all
412 * user at install time so we only check the appId part of a request uid at
413 * run time. See UserHandle#isSameApp for detail.
414 */
Maciej Żenczykowskid1b3b022022-06-15 00:40:43 -0700[diff] [blame^]415 uint32_t appId = (gid_uid & 0xffffffff) % AID_USER_OFFSET; // == PER_USER_RANGE == 100000
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]416 uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
417 if (!permissions) {
418 // UID not in map. Default to just INTERNET permission.
419 return 1;
420 }
421
422 // A return value of 1 means allow, everything else means deny.
423 return (*permissions & BPF_PERMISSION_INTERNET) == BPF_PERMISSION_INTERNET;
424}
425
426LICENSE("Apache 2.0");
427CRITICAL("netd");