Use an isolated process to load bpf program

For the security of the bpf program loading process, the
program loading and running operation is moved to a separate process
outside of the netd traffic controller. This can help us isolate the
program loading process into a separate sandbox and apply more strict
selinux and seccomp security policy on it. This action can help provide
an additional security fence on CVE-2017-5753.

Test: bpf program pinned at sys/fs/bpf after device boot.
Bug: 30950746
Change-Id: Id194017692343d1f55ec7f44254ff4918e95e2d3
8 files changed