Gitiles
Code Review Sign In
review.blissroms.org / platform_packages_modules_Connectivity-old / d8965edd3d49ff266004a42b4c4265ca4962d567 / . / bpf_progs / netd.c
blob: c1a74e735c3a9f94c82adaa2a25a8564684795e3 [file] [log] [blame]
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]1/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <bpf_helpers.h>
18#include <linux/bpf.h>
19#include <linux/if.h>
20#include <linux/if_ether.h>
21#include <linux/if_packet.h>
22#include <linux/in.h>
23#include <linux/in6.h>
24#include <linux/ip.h>
25#include <linux/ipv6.h>
26#include <linux/pkt_cls.h>
27#include <linux/tcp.h>
Ken Chenf426b2b2022-01-23 15:39:13 +0800[diff] [blame]28#include <netdutils/UidConstants.h>
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]29#include <stdbool.h>
30#include <stdint.h>
31#include "bpf_net_helpers.h"
32#include "bpf_shared.h"
33
34// This is defined for cgroup bpf filter only.
35#define BPF_DROP_UNLESS_DNS 2
36#define BPF_PASS 1
37#define BPF_DROP 0
38
39// This is used for xt_bpf program only.
40#define BPF_NOMATCH 0
41#define BPF_MATCH 1
42
43#define BPF_EGRESS 0
44#define BPF_INGRESS 1
45
46#define IP_PROTO_OFF offsetof(struct iphdr, protocol)
47#define IPV6_PROTO_OFF offsetof(struct ipv6hdr, nexthdr)
48#define IPPROTO_IHL_OFF 0
49#define TCP_FLAG_OFF 13
50#define RST_OFFSET 2
51
52DEFINE_BPF_MAP_GRW(cookie_tag_map, HASH, uint64_t, UidTagValue, COOKIE_UID_MAP_SIZE,
53 AID_NET_BW_ACCT)
54DEFINE_BPF_MAP_GRW(uid_counterset_map, HASH, uint32_t, uint8_t, UID_COUNTERSET_MAP_SIZE,
55 AID_NET_BW_ACCT)
56DEFINE_BPF_MAP_GRW(app_uid_stats_map, HASH, uint32_t, StatsValue, APP_STATS_MAP_SIZE,
57 AID_NET_BW_ACCT)
58DEFINE_BPF_MAP_GRW(stats_map_A, HASH, StatsKey, StatsValue, STATS_MAP_SIZE, AID_NET_BW_ACCT)
59DEFINE_BPF_MAP_GRW(stats_map_B, HASH, StatsKey, StatsValue, STATS_MAP_SIZE, AID_NET_BW_ACCT)
60DEFINE_BPF_MAP_GRW(iface_stats_map, HASH, uint32_t, StatsValue, IFACE_STATS_MAP_SIZE,
61 AID_NET_BW_ACCT)
62DEFINE_BPF_MAP_GRW(configuration_map, HASH, uint32_t, uint8_t, CONFIGURATION_MAP_SIZE,
63 AID_NET_BW_ACCT)
64DEFINE_BPF_MAP_GRW(uid_owner_map, HASH, uint32_t, UidOwnerValue, UID_OWNER_MAP_SIZE,
65 AID_NET_BW_ACCT)
66DEFINE_BPF_MAP_GRW(uid_permission_map, HASH, uint32_t, uint8_t, UID_OWNER_MAP_SIZE, AID_NET_BW_ACCT)
67
68/* never actually used from ebpf */
69DEFINE_BPF_MAP_GRW(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_INDEX_NAME_MAP_SIZE,
70 AID_NET_BW_ACCT)
71
72static __always_inline int is_system_uid(uint32_t uid) {
73 return (uid <= MAX_SYSTEM_UID) && (uid >= MIN_SYSTEM_UID);
74}
75
76/*
77 * Note: this blindly assumes an MTU of 1500, and that packets > MTU are always TCP,
78 * and that TCP is using the Linux default settings with TCP timestamp option enabled
79 * which uses 12 TCP option bytes per frame.
80 *
81 * These are not unreasonable assumptions:
82 *
83 * The internet does not really support MTUs greater than 1500, so most TCP traffic will
84 * be at that MTU, or slightly below it (worst case our upwards adjustment is too small).
85 *
86 * The chance our traffic isn't IP at all is basically zero, so the IP overhead correction
87 * is bound to be needed.
88 *
89 * Furthermore, the likelyhood that we're having to deal with GSO (ie. > MTU) packets that
90 * are not IP/TCP is pretty small (few other things are supported by Linux) and worse case
91 * our extra overhead will be slightly off, but probably still better than assuming none.
92 *
93 * Most servers are also Linux and thus support/default to using TCP timestamp option
94 * (and indeed TCP timestamp option comes from RFC 1323 titled "TCP Extensions for High
95 * Performance" which also defined TCP window scaling and are thus absolutely ancient...).
96 *
97 * All together this should be more correct than if we simply ignored GSO frames
98 * (ie. counted them as single packets with no extra overhead)
99 *
100 * Especially since the number of packets is important for any future clat offload correction.
101 * (which adjusts upward by 20 bytes per packet to account for ipv4 -> ipv6 header conversion)
102 */
103#define DEFINE_UPDATE_STATS(the_stats_map, TypeOfKey) \
104 static __always_inline inline void update_##the_stats_map(struct __sk_buff* skb, \
105 int direction, TypeOfKey* key) { \
106 StatsValue* value = bpf_##the_stats_map##_lookup_elem(key); \
107 if (!value) { \
108 StatsValue newValue = {}; \
109 bpf_##the_stats_map##_update_elem(key, &newValue, BPF_NOEXIST); \
110 value = bpf_##the_stats_map##_lookup_elem(key); \
111 } \
112 if (value) { \
113 const int mtu = 1500; \
114 uint64_t packets = 1; \
115 uint64_t bytes = skb->len; \
116 if (bytes > mtu) { \
117 bool is_ipv6 = (skb->protocol == htons(ETH_P_IPV6)); \
118 int ip_overhead = (is_ipv6 ? sizeof(struct ipv6hdr) : sizeof(struct iphdr)); \
119 int tcp_overhead = ip_overhead + sizeof(struct tcphdr) + 12; \
120 int mss = mtu - tcp_overhead; \
121 uint64_t payload = bytes - tcp_overhead; \
122 packets = (payload + mss - 1) / mss; \
123 bytes = tcp_overhead * packets + payload; \
124 } \
125 if (direction == BPF_EGRESS) { \
126 __sync_fetch_and_add(&value->txPackets, packets); \
127 __sync_fetch_and_add(&value->txBytes, bytes); \
128 } else if (direction == BPF_INGRESS) { \
129 __sync_fetch_and_add(&value->rxPackets, packets); \
130 __sync_fetch_and_add(&value->rxBytes, bytes); \
131 } \
132 } \
133 }
134
135DEFINE_UPDATE_STATS(app_uid_stats_map, uint32_t)
136DEFINE_UPDATE_STATS(iface_stats_map, uint32_t)
137DEFINE_UPDATE_STATS(stats_map_A, StatsKey)
138DEFINE_UPDATE_STATS(stats_map_B, StatsKey)
139
140static inline bool skip_owner_match(struct __sk_buff* skb) {
141 int offset = -1;
142 int ret = 0;
143 if (skb->protocol == htons(ETH_P_IP)) {
144 offset = IP_PROTO_OFF;
145 uint8_t proto, ihl;
146 uint8_t flag;
147 ret = bpf_skb_load_bytes(skb, offset, &proto, 1);
148 if (!ret) {
149 if (proto == IPPROTO_ESP) {
150 return true;
151 } else if (proto == IPPROTO_TCP) {
152 ret = bpf_skb_load_bytes(skb, IPPROTO_IHL_OFF, &ihl, 1);
153 ihl = ihl & 0x0F;
154 ret = bpf_skb_load_bytes(skb, ihl * 4 + TCP_FLAG_OFF, &flag, 1);
155 if (ret == 0 && (flag >> RST_OFFSET & 1)) {
156 return true;
157 }
158 }
159 }
160 } else if (skb->protocol == htons(ETH_P_IPV6)) {
161 offset = IPV6_PROTO_OFF;
162 uint8_t proto;
163 ret = bpf_skb_load_bytes(skb, offset, &proto, 1);
164 if (!ret) {
165 if (proto == IPPROTO_ESP) {
166 return true;
167 } else if (proto == IPPROTO_TCP) {
168 uint8_t flag;
169 ret = bpf_skb_load_bytes(skb, sizeof(struct ipv6hdr) + TCP_FLAG_OFF, &flag, 1);
170 if (ret == 0 && (flag >> RST_OFFSET & 1)) {
171 return true;
172 }
173 }
174 }
175 }
176 return false;
177}
178
179static __always_inline BpfConfig getConfig(uint32_t configKey) {
180 uint32_t mapSettingKey = configKey;
181 BpfConfig* config = bpf_configuration_map_lookup_elem(&mapSettingKey);
182 if (!config) {
183 // Couldn't read configuration entry. Assume everything is disabled.
184 return DEFAULT_CONFIG;
185 }
186 return *config;
187}
188
189static inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid, int direction) {
190 if (skip_owner_match(skb)) return BPF_PASS;
191
192 if (is_system_uid(uid)) return BPF_PASS;
193
194 BpfConfig enabledRules = getConfig(UID_RULES_CONFIGURATION_KEY);
195
196 UidOwnerValue* uidEntry = bpf_uid_owner_map_lookup_elem(&uid);
197 uint8_t uidRules = uidEntry ? uidEntry->rule : 0;
198 uint32_t allowed_iif = uidEntry ? uidEntry->iif : 0;
199
200 if (enabledRules) {
201 if ((enabledRules & DOZABLE_MATCH) && !(uidRules & DOZABLE_MATCH)) {
202 return BPF_DROP;
203 }
204 if ((enabledRules & STANDBY_MATCH) && (uidRules & STANDBY_MATCH)) {
205 return BPF_DROP;
206 }
207 if ((enabledRules & POWERSAVE_MATCH) && !(uidRules & POWERSAVE_MATCH)) {
208 return BPF_DROP;
209 }
210 if ((enabledRules & RESTRICTED_MATCH) && !(uidRules & RESTRICTED_MATCH)) {
211 return BPF_DROP;
212 }
Robert Horvath54423022022-01-27 19:53:27 +0100[diff] [blame]213 if ((enabledRules & LOW_POWER_STANDBY_MATCH) && !(uidRules & LOW_POWER_STANDBY_MATCH)) {
214 return BPF_DROP;
215 }
Ken Chen587d4232022-01-17 17:18:43 +0800[diff] [blame]216 }
217 if (direction == BPF_INGRESS && (uidRules & IIF_MATCH)) {
218 // Drops packets not coming from lo nor the allowlisted interface
219 if (allowed_iif && skb->ifindex != 1 && skb->ifindex != allowed_iif) {
220 return BPF_DROP_UNLESS_DNS;
221 }
222 }
223 return BPF_PASS;
224}
225
226static __always_inline inline void update_stats_with_config(struct __sk_buff* skb, int direction,
227 StatsKey* key, uint8_t selectedMap) {
228 if (selectedMap == SELECT_MAP_A) {
229 update_stats_map_A(skb, direction, key);
230 } else if (selectedMap == SELECT_MAP_B) {
231 update_stats_map_B(skb, direction, key);
232 }
233}
234
235static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, int direction) {
236 uint32_t sock_uid = bpf_get_socket_uid(skb);
237 uint64_t cookie = bpf_get_socket_cookie(skb);
238 UidTagValue* utag = bpf_cookie_tag_map_lookup_elem(&cookie);
239 uint32_t uid, tag;
240 if (utag) {
241 uid = utag->uid;
242 tag = utag->tag;
243 } else {
244 uid = sock_uid;
245 tag = 0;
246 }
247
248 // Always allow and never count clat traffic. Only the IPv4 traffic on the stacked
249 // interface is accounted for and subject to usage restrictions.
250 // TODO: remove sock_uid check once Nat464Xlat javaland adds the socket tag AID_CLAT for clat.
251 if (sock_uid == AID_CLAT || uid == AID_CLAT) {
252 return BPF_PASS;
253 }
254
255 int match = bpf_owner_match(skb, sock_uid, direction);
256 if ((direction == BPF_EGRESS) && (match == BPF_DROP)) {
257 // If an outbound packet is going to be dropped, we do not count that
258 // traffic.
259 return match;
260 }
261
262// Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
263// Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h
264// and TrafficStatsConstants.java
265#define TAG_SYSTEM_DNS 0xFFFFFF82
266 if (tag == TAG_SYSTEM_DNS && uid == AID_DNS) {
267 uid = sock_uid;
268 if (match == BPF_DROP_UNLESS_DNS) match = BPF_PASS;
269 } else {
270 if (match == BPF_DROP_UNLESS_DNS) match = BPF_DROP;
271 }
272
273 StatsKey key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
274
275 uint8_t* counterSet = bpf_uid_counterset_map_lookup_elem(&uid);
276 if (counterSet) key.counterSet = (uint32_t)*counterSet;
277
278 uint32_t mapSettingKey = CURRENT_STATS_MAP_CONFIGURATION_KEY;
279 uint8_t* selectedMap = bpf_configuration_map_lookup_elem(&mapSettingKey);
280
281 // Use asm("%0 &= 1" : "+r"(match)) before return match,
282 // to help kernel's bpf verifier, so that it can be 100% certain
283 // that the returned value is always BPF_NOMATCH(0) or BPF_MATCH(1).
284 if (!selectedMap) {
285 asm("%0 &= 1" : "+r"(match));
286 return match;
287 }
288
289 if (key.tag) {
290 update_stats_with_config(skb, direction, &key, *selectedMap);
291 key.tag = 0;
292 }
293
294 update_stats_with_config(skb, direction, &key, *selectedMap);
295 update_app_uid_stats_map(skb, direction, &uid);
296 asm("%0 &= 1" : "+r"(match));
297 return match;
298}
299
300DEFINE_BPF_PROG("cgroupskb/ingress/stats", AID_ROOT, AID_ROOT, bpf_cgroup_ingress)
301(struct __sk_buff* skb) {
302 return bpf_traffic_account(skb, BPF_INGRESS);
303}
304
305DEFINE_BPF_PROG("cgroupskb/egress/stats", AID_ROOT, AID_ROOT, bpf_cgroup_egress)
306(struct __sk_buff* skb) {
307 return bpf_traffic_account(skb, BPF_EGRESS);
308}
309
310DEFINE_BPF_PROG("skfilter/egress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_egress_prog)
311(struct __sk_buff* skb) {
312 // Clat daemon does not generate new traffic, all its traffic is accounted for already
313 // on the v4-* interfaces (except for the 20 (or 28) extra bytes of IPv6 vs IPv4 overhead,
314 // but that can be corrected for later when merging v4-foo stats into interface foo's).
315 // TODO: remove sock_uid check once Nat464Xlat javaland adds the socket tag AID_CLAT for clat.
316 uint32_t sock_uid = bpf_get_socket_uid(skb);
317 if (sock_uid == AID_CLAT) return BPF_NOMATCH;
318 if (sock_uid == AID_SYSTEM) {
319 uint64_t cookie = bpf_get_socket_cookie(skb);
320 UidTagValue* utag = bpf_cookie_tag_map_lookup_elem(&cookie);
321 if (utag && utag->uid == AID_CLAT) return BPF_NOMATCH;
322 }
323
324 uint32_t key = skb->ifindex;
325 update_iface_stats_map(skb, BPF_EGRESS, &key);
326 return BPF_MATCH;
327}
328
329DEFINE_BPF_PROG("skfilter/ingress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_ingress_prog)
330(struct __sk_buff* skb) {
331 // Clat daemon traffic is not accounted by virtue of iptables raw prerouting drop rule
332 // (in clat_raw_PREROUTING chain), which triggers before this (in bw_raw_PREROUTING chain).
333 // It will be accounted for on the v4-* clat interface instead.
334 // Keep that in mind when moving this out of iptables xt_bpf and into tc ingress (or xdp).
335
336 uint32_t key = skb->ifindex;
337 update_iface_stats_map(skb, BPF_INGRESS, &key);
338 return BPF_MATCH;
339}
340
341DEFINE_BPF_PROG("schedact/ingress/account", AID_ROOT, AID_NET_ADMIN, tc_bpf_ingress_account_prog)
342(struct __sk_buff* skb) {
343 // Account for ingress traffic before tc drops it.
344 uint32_t key = skb->ifindex;
345 update_iface_stats_map(skb, BPF_INGRESS, &key);
346 return TC_ACT_UNSPEC;
347}
348
349DEFINE_BPF_PROG("skfilter/allowlist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_allowlist_prog)
350(struct __sk_buff* skb) {
351 uint32_t sock_uid = bpf_get_socket_uid(skb);
352 if (is_system_uid(sock_uid)) return BPF_MATCH;
353
354 // 65534 is the overflow 'nobody' uid, usually this being returned means
355 // that skb->sk is NULL during RX (early decap socket lookup failure),
356 // which commonly happens for incoming packets to an unconnected udp socket.
357 // Additionally bpf_get_socket_cookie() returns 0 if skb->sk is NULL
358 if ((sock_uid == 65534) && !bpf_get_socket_cookie(skb) && is_received_skb(skb))
359 return BPF_MATCH;
360
361 UidOwnerValue* allowlistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
362 if (allowlistMatch) return allowlistMatch->rule & HAPPY_BOX_MATCH ? BPF_MATCH : BPF_NOMATCH;
363 return BPF_NOMATCH;
364}
365
366DEFINE_BPF_PROG("skfilter/denylist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_denylist_prog)
367(struct __sk_buff* skb) {
368 uint32_t sock_uid = bpf_get_socket_uid(skb);
369 UidOwnerValue* denylistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
370 if (denylistMatch) return denylistMatch->rule & PENALTY_BOX_MATCH ? BPF_MATCH : BPF_NOMATCH;
371 return BPF_NOMATCH;
372}
373
374DEFINE_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_create,
375 KVER(4, 14, 0))
376(struct bpf_sock* sk) {
377 uint64_t gid_uid = bpf_get_current_uid_gid();
378 /*
379 * A given app is guaranteed to have the same app ID in all the profiles in
380 * which it is installed, and install permission is granted to app for all
381 * user at install time so we only check the appId part of a request uid at
382 * run time. See UserHandle#isSameApp for detail.
383 */
384 uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
385 uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
386 if (!permissions) {
387 // UID not in map. Default to just INTERNET permission.
388 return 1;
389 }
390
391 // A return value of 1 means allow, everything else means deny.
392 return (*permissions & BPF_PERMISSION_INTERNET) == BPF_PERMISSION_INTERNET;
393}
394
395LICENSE("Apache 2.0");
396CRITICAL("netd");