1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd. All rights reserved.
3
4 * The netsys.c is dual licensed: you can use it either under the terms of
5 * the GPL V2, or the 3-Clause BSD license, at your option.
6 * See the LICENSE file in the root of this repository for complete details.
7 */
8
9 #include <linux/bpf.h>
10 #include <linux/if_packet.h>
11 #include <linux/if.h>
12 #include <linux/if_ether.h>
13 #include <linux/string.h>
14 #include <string.h>
15 #include <stddef.h>
16 #include <stdint.h>
17
18 #include "bpf_helpers.h"
19 #include "bpf_def.h"
20
21 #ifdef FEATURE_NET_FIREWALL_ENABLE
22 #include "netfirewall/netfirewall.h"
23 #endif //FEATURE_NET_FIREWALL_ENABLE
24
25 #define SEC(NAME) __attribute__((section(NAME), used))
26
27 #ifdef SUPPORT_EBPF_MEM_MIN
28 static const int32_t APP_STATS_MAP_SIZE = 200;
29 static const int32_t APP_STATS_MAP_SIZE_MIN = 1;
30 static const int32_t IFACE_STATS_MAP_SIZE = 64;
31 static const int32_t IFACE_NAME_MAP_SIZE = 200;
32 static const int32_t IFACE_NAME_MAP_SIZE_MIN = 1;
33 static const int32_t OH_SOCK_PERMISSION_MAP_SIZE = 200;
34 static const int32_t BROKER_SOCK_PERMISSION_MAP_SIZE = 1;
35 static const int32_t UID_ACCESS_POLICY_ARRAY_SIZE = 1000;
36 static const int32_t NET_NS_MAP_SIZE = 2000;
37 #else
38 static const int32_t APP_STATS_MAP_SIZE = 5000;
39 static const int32_t APP_STATS_MAP_SIZE_MIN = 5000;
40 static const int32_t IFACE_STATS_MAP_SIZE = 1000;
41 static const int32_t IFACE_NAME_MAP_SIZE = 1000;
42 static const int32_t IFACE_NAME_MAP_SIZE_MIN = 1000;
43 static const int32_t OH_SOCK_PERMISSION_MAP_SIZE = 1000;
44 static const int32_t BROKER_SOCK_PERMISSION_MAP_SIZE = 1000;
45 static const int32_t UID_ACCESS_POLICY_ARRAY_SIZE = 65535;
46 static const int32_t NET_NS_MAP_SIZE = 5000;
47 #endif
48 static const int32_t TRAFFIC_INCREASE_MAP_SIZE = 9;
49 static const uint32_t TRAFFIC_NOTIFY_TYPE = 3;
50
51 // network stats begin
52 bpf_map_def SEC("maps") iface_stats_map = {
53 .type = BPF_MAP_TYPE_HASH,
54 .key_size = sizeof(uint64_t),
55 .value_size = sizeof(iface_stats_value),
56 .max_entries = IFACE_STATS_MAP_SIZE,
57 .map_flags = 0,
58 .inner_map_idx = 0,
59 .numa_node = 0,
60 };
61
62 bpf_map_def SEC("maps") app_uid_stats_map = {
63 .type = BPF_MAP_TYPE_HASH,
64 .key_size = sizeof(uint64_t),
65 .value_size = sizeof(app_uid_stats_value),
66 .max_entries = APP_STATS_MAP_SIZE,
67 .map_flags = 0,
68 .inner_map_idx = 0,
69 .numa_node = 0,
70 };
71
72 bpf_map_def SEC("maps") sock_netns_map = {
73 .type = BPF_MAP_TYPE_HASH,
74 .key_size = sizeof(sock_netns_key),
75 .value_size = sizeof(sock_netns_value),
76 .max_entries = NET_NS_MAP_SIZE,
77 .map_flags = 0,
78 .inner_map_idx = 0,
79 .numa_node = 0,
80 };
81
82 bpf_map_def SEC("maps") app_uid_sim_stats_map = {
83 .type = BPF_MAP_TYPE_HASH,
84 .key_size = sizeof(app_uid_sim_stats_key),
85 .value_size = sizeof(app_uid_sim_stats_value),
86 .max_entries = APP_STATS_MAP_SIZE,
87 .map_flags = 0,
88 .inner_map_idx = 0,
89 .numa_node = 0,
90 };
91
92 bpf_map_def SEC("maps") app_uid_if_stats_map = {
93 .type = BPF_MAP_TYPE_HASH,
94 .key_size = sizeof(app_uid_if_stats_key),
95 .value_size = sizeof(app_uid_if_stats_value),
96 .max_entries = IFACE_NAME_MAP_SIZE,
97 .map_flags = 0,
98 .inner_map_idx = 0,
99 .numa_node = 0,
100 };
101
102 bpf_map_def SEC("maps") app_cookie_stats_map = {
103 .type = BPF_MAP_TYPE_HASH,
104 .key_size = sizeof(socket_cookie_stats_key),
105 .value_size = sizeof(app_cookie_stats_value),
106 .max_entries = IFACE_NAME_MAP_SIZE_MIN,
107 .map_flags = 0,
108 .inner_map_idx = 0,
109 .numa_node = 0,
110 };
111
112 // 1. 建立一个可用限额map
113 bpf_map_def SEC("maps") limits_stats_map = {
114 .type = BPF_MAP_TYPE_HASH,
115 .key_size = sizeof(traffic_notify_flag),
116 .value_size = sizeof(traffic_value),
117 .max_entries = TRAFFIC_INCREASE_MAP_SIZE, // slot0:0-monthly limit 1-monthly mark 2-daily mark;slot1: 3 4 5
118 .map_flags = 0,
119 .inner_map_idx = 0,
120 .numa_node = 0,
121 };
122
123 // 2. 建立一个增量map
124 bpf_map_def SEC("maps") increment_stats_map = {
125 .type = BPF_MAP_TYPE_HASH,
126 .key_size = sizeof(uint64_t),
127 .value_size = sizeof(traffic_value),
128 .max_entries = TRAFFIC_INCREASE_MAP_SIZE,
129 .map_flags = 0,
130 .inner_map_idx = 0,
131 .numa_node = 0,
132 };
133
134 // 3. 网卡index
135 bpf_map_def SEC("maps") ifindex_map = {
136 .type = BPF_MAP_TYPE_HASH,
137 .key_size = sizeof(uint8_t),
138 .value_size = sizeof(uint64_t),
139 .max_entries = 20,
140 .map_flags = 0,
141 .inner_map_idx = 0,
142 .numa_node = 0,
143 };
144
145 bpf_map_def SEC("maps") net_stats_ringbuf_map = {
146 .type = BPF_MAP_TYPE_RINGBUF,
147 .max_entries = 256 * 1024 /* 256 KB */,
148 };
149
150 bpf_map_def SEC("maps") net_status_map = {
151 .type =BPF_MAP_TYPE_HASH,
152 .key_size = sizeof(uint8_t),
153 .value_size = sizeof(uint8_t),
154 .max_entries = 3,
155 .map_flags = 0,
156 .inner_map_idx = 0,
157 .numa_node = 0,
158 };
159
160 bpf_map_def SEC("maps") net_wlan1_map = {
161 .type =BPF_MAP_TYPE_HASH,
162 .key_size = sizeof(uint8_t),
163 .value_size = sizeof(uint64_t),
164 .max_entries = 1,
165 .map_flags = 0,
166 .inner_map_idx = 0,
167 .numa_node = 0,
168 };
169
socket_ringbuf_net_stats_event_submit(__u8 flag)170 static inline __u8 socket_ringbuf_net_stats_event_submit(__u8 flag)
171 {
172 uint8_t *e;
173 e = bpf_ringbuf_reserve(&net_stats_ringbuf_map, sizeof(uint8_t), 0);
174 if (e) {
175 *e = flag;
176 bpf_ringbuf_submit(e, 0);
177 return 1;
178 }
179 return 0;
180 }
181
get_data_len(struct __sk_buff * skb)182 static inline __u32 get_data_len(struct __sk_buff *skb)
183 {
184 __u32 length = skb->len;
185 __u32 packages = skb->gso_segs;
186 if (packages < 1) {
187 packages = 1;
188 }
189
190 if (skb->vlan_present == 1) {
191 length += VLAN_HEADER_LENGTH;
192 }
193 if (skb->family == AF_INET) {
194 length += (IPV4_HEADER_LENGTH + TRANSFER_HEADER_LENGTH) * (packages - 1);
195 }
196 if (skb->family == AF_INET6) {
197 length += (IPV6_HEADER_LENGTH + TRANSFER_HEADER_LENGTH) * (packages - 1);
198 }
199 return length;
200 }
201
update_new_incre_value(uint64_t ifindex,__u32 len)202 static traffic_value update_new_incre_value(uint64_t ifindex, __u32 len)
203 {
204 traffic_value *old_value = bpf_map_lookup_elem(&increment_stats_map, &ifindex);
205 if (old_value == NULL) {
206 traffic_value newValue = 0;
207 bpf_map_update_elem(&increment_stats_map, &ifindex, &newValue, BPF_NOEXIST);
208 old_value = bpf_map_lookup_elem(&increment_stats_map, &ifindex);
209 }
210
211 if (old_value != NULL) {
212 *old_value = (*old_value) + len;
213 bpf_map_update_elem(&increment_stats_map, &ifindex, old_value, BPF_ANY);
214 return *old_value;
215 }
216 return 0;
217 }
218
is_exceed_daily_mark(uint32_t slotId,traffic_value used_value)219 static traffic_notify_flag is_exceed_daily_mark(uint32_t slotId, traffic_value used_value)
220 {
221 traffic_notify_flag daily_mark = slotId * TRAFFIC_NOTIFY_TYPE + 2; // 2: DAILY_MARK
222 traffic_value *day_mark_avai = bpf_map_lookup_elem(&limits_stats_map, &daily_mark);
223
224 traffic_value max_value = UINT64_MAX;
225 if (day_mark_avai == NULL) {
226 bpf_map_update_elem(&limits_stats_map, &daily_mark, &max_value, BPF_NOEXIST);
227 day_mark_avai = bpf_map_lookup_elem(&limits_stats_map, &daily_mark);
228 }
229 if (day_mark_avai != NULL && used_value > *day_mark_avai) {
230 bpf_map_update_elem(&limits_stats_map, &daily_mark, &max_value, BPF_ANY);
231 return daily_mark;
232 }
233 return UINT8_MAX;
234 }
235
is_exceed_mothly_mark(uint32_t slotId,traffic_value used_value)236 static traffic_notify_flag is_exceed_mothly_mark(uint32_t slotId, traffic_value used_value)
237 {
238 traffic_notify_flag monthly_mark = slotId * TRAFFIC_NOTIFY_TYPE + 1; // 1: MONTHLY_MARK
239 traffic_value *monthly_mark_avai = bpf_map_lookup_elem(&limits_stats_map, &monthly_mark);
240
241 traffic_value max_value = UINT64_MAX;
242 if (monthly_mark_avai == NULL) {
243 bpf_map_update_elem(&limits_stats_map, &monthly_mark, &max_value, BPF_NOEXIST);
244 monthly_mark_avai = bpf_map_lookup_elem(&limits_stats_map, &monthly_mark);
245 }
246 if (monthly_mark_avai != NULL && used_value > *monthly_mark_avai) {
247 bpf_map_update_elem(&limits_stats_map, &monthly_mark, &max_value, BPF_ANY);
248 return monthly_mark;
249 }
250 return UINT8_MAX;
251 }
252
is_exceed_mothly_limit(uint32_t slotId,traffic_value used_value)253 static traffic_notify_flag is_exceed_mothly_limit(uint32_t slotId, traffic_value used_value)
254 {
255 traffic_notify_flag monthly_limit = slotId * TRAFFIC_NOTIFY_TYPE + 0; // 0: MONTHLY_LIMIT
256 traffic_value *monthly_limit_avai = bpf_map_lookup_elem(&limits_stats_map, &monthly_limit);
257
258 traffic_value max_value = UINT64_MAX;
259 if (monthly_limit_avai == NULL) {
260 bpf_map_update_elem(&limits_stats_map, &monthly_limit, &max_value, BPF_NOEXIST);
261 monthly_limit_avai = bpf_map_lookup_elem(&limits_stats_map, &monthly_limit);
262 }
263 if (monthly_limit_avai != NULL && used_value > *monthly_limit_avai) {
264 bpf_map_update_elem(&limits_stats_map, &monthly_limit, &max_value, BPF_ANY);
265 return monthly_limit;
266 }
267 return UINT8_MAX;
268 }
269
process_traffic_notify(struct __sk_buff * skb,uint64_t ifindex)270 static void process_traffic_notify(struct __sk_buff *skb, uint64_t ifindex)
271 {
272 uint8_t slot0 = 0;
273 uint8_t slot1 = 1;
274 uint8_t curSlotId = UINT8_MAX;
275 uint64_t *cur_rmnet_ifindex = bpf_map_lookup_elem(&ifindex_map, &slot0);
276 if (cur_rmnet_ifindex == NULL || *cur_rmnet_ifindex != ifindex) {
277 cur_rmnet_ifindex = bpf_map_lookup_elem(&ifindex_map, &slot1);
278 if (cur_rmnet_ifindex == NULL || *cur_rmnet_ifindex != ifindex) {
279 return;
280 } else {
281 curSlotId = slot1;
282 }
283 } else {
284 curSlotId = slot0;
285 }
286
287 traffic_value used_value = update_new_incre_value(ifindex, skb->len);
288 if (used_value == 0) {
289 return;
290 }
291 traffic_notify_flag flag = is_exceed_mothly_limit(curSlotId, used_value);
292 if (flag == UINT8_MAX) {
293 flag = is_exceed_mothly_mark(curSlotId, used_value);
294 if (flag == UINT8_MAX) {
295 flag = is_exceed_daily_mark(curSlotId, used_value);
296 }
297 }
298 if (flag != UINT8_MAX) {
299 socket_ringbuf_net_stats_event_submit(flag);
300 }
301 }
302
is_need_discard(void)303 static uint8_t is_need_discard(void)
304 {
305 uint8_t wifi_type = 0;
306 uint8_t cellular_type = 1;
307 uint8_t *wifi_status = bpf_map_lookup_elem(&net_status_map, &wifi_type);
308 uint8_t *cellular_status = bpf_map_lookup_elem(&net_status_map, &cellular_type);
309
310 if (wifi_status != NULL && *wifi_status == 0 &&
311 cellular_status != NULL && *cellular_status == 0) {
312 return 1;
313 }
314 return 0;
315 }
316
317 SEC("socket/iface/stats")
socket_iface_stats(struct __sk_buff * skb)318 int socket_iface_stats(struct __sk_buff *skb)
319 {
320 if (skb == NULL) {
321 return 1;
322 }
323
324 if (skb->pkt_type == PACKET_LOOPBACK) {
325 return 1;
326 }
327
328 if (is_need_discard() == 1) {
329 return 1;
330 }
331
332 uint64_t ifindex = skb->ifindex;
333 iface_stats_value *value_if = bpf_map_lookup_elem(&iface_stats_map, &ifindex);
334 if (value_if == NULL) {
335 iface_stats_value newValue = {};
336 bpf_map_update_elem(&iface_stats_map, &ifindex, &newValue, BPF_NOEXIST);
337 value_if = bpf_map_lookup_elem(&iface_stats_map, &ifindex);
338 }
339
340 if (skb->pkt_type == PACKET_OUTGOING) {
341 if (value_if != NULL) {
342 __sync_fetch_and_add(&value_if->txPackets, 1);
343 __sync_fetch_and_add(&value_if->txBytes, skb->len);
344 }
345 } else {
346 if (value_if != NULL) {
347 __sync_fetch_and_add(&value_if->rxPackets, 1);
348 __sync_fetch_and_add(&value_if->rxBytes, skb->len);
349 }
350 }
351
352 process_traffic_notify(skb, ifindex);
353 return 1;
354 }
355
356 bpf_map_def SEC("maps") app_uid_access_policy_map = {
357 .type = BPF_MAP_TYPE_HASH,
358 .key_size = sizeof(app_uid_key),
359 .value_size = sizeof(uid_access_policy_value),
360 .max_entries = UID_ACCESS_POLICY_ARRAY_SIZE,
361 .map_flags = BPF_F_NO_PREALLOC,
362 .inner_map_idx = 0,
363 .numa_node = 0,
364 };
365
366 bpf_map_def SEC("maps") broker_uid_access_policy_map = {
367 .type = BPF_MAP_TYPE_HASH,
368 .key_size = sizeof(app_uid_key),
369 .value_size = sizeof(app_uid_key),
370 .max_entries = APP_STATS_MAP_SIZE_MIN,
371 .map_flags = BPF_F_NO_PREALLOC,
372 .inner_map_idx = 0,
373 .numa_node = 0,
374 };
375
376 bpf_map_def SEC("maps") net_index_and_iface_map = {
377 .type = BPF_MAP_TYPE_HASH,
378 .key_size = sizeof(net_index),
379 .value_size = sizeof(net_interface_name_id),
380 .max_entries = 5,
381 .map_flags = 0,
382 .inner_map_idx = 0,
383 .numa_node = 0,
384 };
385
386 bpf_map_def SEC("maps") ifindex_and_net_type_map = {
387 .type = BPF_MAP_TYPE_HASH,
388 .key_size = sizeof(if_index),
389 .value_size = sizeof(net_interface_name_id),
390 .max_entries = 5,
391 .map_flags = 0,
392 .inner_map_idx = 0,
393 .numa_node = 0,
394 };
395
check_socket_fwmark(__u32 mark)396 static inline net_bear_type_map_value check_socket_fwmark(__u32 mark)
397 {
398 __u8 explicitlySelected = (mark >> 16) & (0x1);
399 net_bear_type_map_value net_bear_mark_type = NETWORK_BEARER_TYPE_INITIAL;
400 // explicitlySelected == 1 means the socket fwmark is set
401 if (explicitlySelected == 1) {
402 void *ifaceC_map_ptr = &net_index_and_iface_map;
403 __u16 TmpnetId = mark & (0x0000FFFF);
404 net_interface_name_id *ifaceC = bpf_map_lookup_elem(ifaceC_map_ptr, &TmpnetId);
405 // ifaceC == NULL, default bear type (*net_bear_type) is used.
406 if (ifaceC != NULL) {
407 net_bear_mark_type = *ifaceC;
408 }
409 }
410 return net_bear_mark_type;
411 }
412
check_socket_bound_dev_if(__u32 ifIndex)413 static inline net_bear_type_map_value check_socket_bound_dev_if(__u32 ifIndex)
414 {
415 net_bear_type_map_value net_bear_mark_type = NETWORK_BEARER_TYPE_INITIAL;
416 void *ifnet_map_ptr = &ifindex_and_net_type_map;
417 net_interface_name_id *ifaceC = bpf_map_lookup_elem(ifnet_map_ptr, &ifIndex);
418 if (ifaceC != NULL) {
419 net_bear_mark_type = *ifaceC;
420 }
421 return net_bear_mark_type;
422 }
423
check_socket_select_net(struct bpf_sock * sk)424 static inline net_bear_type_map_value check_socket_select_net(struct bpf_sock *sk)
425 {
426 net_bear_type_map_value net_bear_mark_type = NETWORK_BEARER_TYPE_INITIAL;
427 if (sk == NULL) {
428 return net_bear_mark_type;
429 }
430 net_bear_mark_type = check_socket_fwmark(sk->mark);
431 net_bear_type_map_value net_bear_bound_type = check_socket_bound_dev_if(sk->bound_dev_if);
432 if (net_bear_bound_type != NETWORK_BEARER_TYPE_INITIAL) {
433 net_bear_mark_type = net_bear_bound_type;
434 }
435 return net_bear_mark_type;
436 }
437
438 bpf_map_def SEC("maps") net_bear_type_map = {
439 .type = BPF_MAP_TYPE_HASH,
440 .key_size = sizeof(net_bear_id_key),
441 .value_size = sizeof(net_bear_type_map_value),
442 .max_entries = IFACE_NAME_MAP_SIZE,
443 .map_flags = 0,
444 .inner_map_idx = 0,
445 .numa_node = 0,
446 };
447
check_network_policy(net_bear_type_map_value net_bear_mark_type,uid_access_policy_value * netAccessPolicyValue)448 static inline __u8 check_network_policy(net_bear_type_map_value net_bear_mark_type,
449 uid_access_policy_value *netAccessPolicyValue)
450 {
451 if (((net_bear_mark_type == NETWORK_BEARER_TYPE_WIFI) && (!netAccessPolicyValue->wifiPolicy)) ||
452 ((net_bear_mark_type == NETWORK_BEARER_TYPE_CELLULAR) && (!netAccessPolicyValue->cellularPolicy))) {
453 return 0;
454 } else if (net_bear_mark_type != NETWORK_BEARER_TYPE_INITIAL) {
455 return 1;
456 }
457 if (((netAccessPolicyValue->netIfIndex == NETWORK_BEARER_TYPE_WIFI) && (!netAccessPolicyValue->wifiPolicy)) ||
458 ((netAccessPolicyValue->netIfIndex == NETWORK_BEARER_TYPE_CELLULAR) &&
459 (!netAccessPolicyValue->cellularPolicy))) {
460 return 0;
461 }
462 if (netAccessPolicyValue->netIfIndex == NETWORK_BEARER_TYPE_INITIAL) {
463 void *net_bear_map_ptr = &net_bear_type_map;
464 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
465 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
466 if (net_bear_type == NULL) {
467 return 1;
468 }
469
470 if (((*net_bear_type == NETWORK_BEARER_TYPE_CELLULAR)) && (!netAccessPolicyValue->cellularPolicy)) {
471 return 0;
472 }
473 if (((*net_bear_type == NETWORK_BEARER_TYPE_WIFI)) && (!netAccessPolicyValue->wifiPolicy)) {
474 return 0;
475 }
476 }
477 return 1;
478 }
479
check_broker_policy(uint64_t uid)480 static inline __u64 check_broker_policy(uint64_t uid)
481 {
482 uint64_t network_access_uid = uid;
483 void *broker_map_ptr = &broker_uid_access_policy_map;
484 app_uid_key *broker_uid_key = (app_uid_key *)&uid;
485 app_uid_key *broker_uid_value = bpf_map_lookup_elem(broker_map_ptr, broker_uid_key);
486 if (broker_uid_value != NULL) {
487 network_access_uid = *broker_uid_value;
488 return network_access_uid;
489 } else {
490 __u32 broker_default_uid = DEFAULT_BROKER_UID_KEY;
491 app_uid_key *broker_default_value = bpf_map_lookup_elem(broker_map_ptr, &broker_default_uid);
492 if (broker_default_value != NULL && uid > SIM_UID_MIN && uid < SIM_UID_MAX) {
493 network_access_uid = *broker_default_value;
494 bpf_map_update_elem(broker_map_ptr, broker_uid_key, broker_default_value, BPF_NOEXIST);
495 }
496 }
497 return network_access_uid;
498 }
499
filter_sim_stats(__u32 ipv4)500 static inline __u32 filter_sim_stats(__u32 ipv4)
501 {
502 if (IS_MATCHED_IP(ipv4, WLAN_IPv4) || IS_MATCHED_IP(ipv4, CELLULAR_IPv4) || IS_MATCHED_IP(ipv4, CELLULAR_IPv42)) {
503 return 1;
504 }
505 return 0;
506 }
507
get_iface_type(__u32 ipv4)508 static inline __u32 get_iface_type(__u32 ipv4)
509 {
510 if (IS_MATCHED_IP(ipv4, WLAN_IPv4)) {
511 return IFACE_TYPE_WIFI;
512 }
513 if (IS_MATCHED_IP(ipv4, CELLULAR_IPv4) || IS_MATCHED_IP(ipv4, CELLULAR_IPv42)) {
514 return IFACE_TYPE_CELLULAR;
515 }
516 return 0;
517 }
518
519 SEC("cgroup_skb/uid/ingress")
bpf_cgroup_skb_uid_ingress(struct __sk_buff * skb)520 int bpf_cgroup_skb_uid_ingress(struct __sk_buff *skb)
521 {
522 #ifdef FEATURE_NET_FIREWALL_ENABLE
523 if (skb == NULL) {
524 return 1;
525 }
526 if (netfirewall_policy_ingress(skb) != SK_PASS) {
527 return SK_DROP;
528 }
529 if (skb->pkt_type == PACKET_LOOPBACK) {
530 return 1;
531 }
532 #else
533 if (skb == NULL || skb->pkt_type == PACKET_LOOPBACK) {
534 return 1;
535 }
536 #endif
537
538 uint64_t sock_uid = bpf_get_socket_uid(skb);
539 sock_netns_key key_sock_netns1 = sock_uid;
540 sock_netns_value *value_sock_netns1 = bpf_map_lookup_elem(&sock_netns_map, &key_sock_netns1);
541 sock_netns_key key_sock_netns2 = SOCK_COOKIE_ID_NULL;
542 sock_netns_value *value_sock_netns2 = bpf_map_lookup_elem(&sock_netns_map, &key_sock_netns2);
543 uint64_t network_access_uid = sock_uid;
544 if (value_sock_netns1 != NULL && value_sock_netns2 != NULL && *value_sock_netns1 != *value_sock_netns2) {
545 network_access_uid = check_broker_policy(sock_uid);
546 }
547
548 uid_access_policy_value *netAccessPolicyValue =
549 bpf_map_lookup_elem(&app_uid_access_policy_map, &network_access_uid);
550 if (netAccessPolicyValue != NULL) {
551 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(skb->mark);
552 net_bear_type_map_value net_bear_bound_type = check_socket_bound_dev_if(skb->ifindex);
553 if (net_bear_bound_type != NETWORK_BEARER_TYPE_INITIAL) {
554 net_bear_mark_type = net_bear_bound_type;
555 }
556 if (check_network_policy(net_bear_mark_type, netAccessPolicyValue) == 0) {
557 return 0;
558 }
559 }
560 app_uid_stats_value *value = bpf_map_lookup_elem(&app_uid_stats_map, &sock_uid);
561 if (value == NULL) {
562 app_uid_stats_value newValue = {};
563 bpf_map_update_elem(&app_uid_stats_map, &sock_uid, &newValue, BPF_NOEXIST);
564 value = bpf_map_lookup_elem(&app_uid_stats_map, &sock_uid);
565 }
566 if (value != NULL) {
567 __sync_fetch_and_add(&value->rxPackets, 1);
568 __sync_fetch_and_add(&value->rxBytes, skb->len);
569 }
570 socket_cookie_stats_key sock_cookie = bpf_get_socket_cookie(skb);
571 app_cookie_stats_value *value_cookie = bpf_map_lookup_elem(&app_cookie_stats_map, &sock_cookie);
572 if (value_cookie == NULL) {
573 app_cookie_stats_value newValue = {};
574 bpf_map_update_elem(&app_cookie_stats_map, &sock_cookie, &newValue, BPF_NOEXIST);
575 value_cookie = bpf_map_lookup_elem(&app_cookie_stats_map, &sock_cookie);
576 }
577 if (value_cookie != NULL) {
578 __sync_fetch_and_add(&value_cookie->rxPackets, 1);
579 __sync_fetch_and_add(&value_cookie->rxBytes, skb->len);
580 }
581
582 if (value_sock_netns1 != NULL && value_sock_netns2 != NULL && *value_sock_netns1 == *value_sock_netns2) {
583 app_uid_if_stats_key key = {.uId = sock_uid, .ifIndex = skb->ifindex};
584 app_uid_if_stats_value *value_uid_if = bpf_map_lookup_elem(&app_uid_if_stats_map, &key);
585 if (value_uid_if == NULL) {
586 app_uid_if_stats_value newValue = {};
587 bpf_map_update_elem(&app_uid_if_stats_map, &key, &newValue, BPF_NOEXIST);
588 value_uid_if = bpf_map_lookup_elem(&app_uid_if_stats_map, &key);
589 }
590 if (value_uid_if != NULL) {
591 __sync_fetch_and_add(&value_uid_if->rxPackets, 1);
592 __sync_fetch_and_add(&value_uid_if->rxBytes, get_data_len(skb));
593 }
594 } else {
595 if (filter_sim_stats(skb->local_ip4) == 1) {
596 app_uid_sim_stats_key key_sim = {.uId = sock_uid, .ifIndex = skb->ifindex,
597 .ifType = get_iface_type(skb->local_ip4)};
598 app_uid_sim_stats_value *value_uid_sim = bpf_map_lookup_elem(&app_uid_sim_stats_map, &key_sim);
599 if (value_uid_sim == NULL) {
600 app_uid_sim_stats_value newValue = {};
601 bpf_map_update_elem(&app_uid_sim_stats_map, &key_sim, &newValue, BPF_NOEXIST);
602 value_uid_sim = bpf_map_lookup_elem(&app_uid_sim_stats_map, &key_sim);
603 }
604 if (value_uid_sim != NULL) {
605 __sync_fetch_and_add(&value_uid_sim->rxPackets, 1);
606 __sync_fetch_and_add(&value_uid_sim->rxBytes, get_data_len(skb));
607 }
608 }
609 }
610 return 1;
611 }
612
613 SEC("cgroup_skb/uid/egress")
bpf_cgroup_skb_uid_egress(struct __sk_buff * skb)614 int bpf_cgroup_skb_uid_egress(struct __sk_buff *skb)
615 {
616 #ifdef FEATURE_NET_FIREWALL_ENABLE
617 if (skb == NULL) {
618 return 1;
619 }
620 if (netfirewall_policy_egress(skb) != SK_PASS) {
621 return SK_DROP;
622 }
623 if (skb->pkt_type == PACKET_LOOPBACK) {
624 return 1;
625 }
626 #else
627 if (skb == NULL || skb->pkt_type == PACKET_LOOPBACK) {
628 return 1;
629 }
630 #endif
631
632 uint64_t sock_uid = bpf_get_socket_uid(skb);
633 sock_netns_key key_sock_netns1 = sock_uid;
634 sock_netns_value *value_sock_netns1 = bpf_map_lookup_elem(&sock_netns_map, &key_sock_netns1);
635 sock_netns_key key_sock_netns2 = SOCK_COOKIE_ID_NULL;
636 sock_netns_value *value_sock_netns2 = bpf_map_lookup_elem(&sock_netns_map, &key_sock_netns2);
637 uint64_t network_access_uid = sock_uid;
638 if (value_sock_netns1 != NULL && value_sock_netns2 != NULL && *value_sock_netns1 != *value_sock_netns2) {
639 network_access_uid = check_broker_policy(sock_uid);
640 }
641 uid_access_policy_value *netAccessPolicyValue =
642 bpf_map_lookup_elem(&app_uid_access_policy_map, &network_access_uid);
643 if (netAccessPolicyValue != NULL) {
644 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(skb->mark);
645 net_bear_type_map_value net_bear_bound_type = check_socket_bound_dev_if(skb->ifindex);
646 if (net_bear_bound_type != NETWORK_BEARER_TYPE_INITIAL) {
647 net_bear_mark_type = net_bear_bound_type;
648 }
649 if (check_network_policy(net_bear_mark_type, netAccessPolicyValue) == 0) {
650 return 0;
651 }
652 }
653
654 app_uid_stats_value *value = bpf_map_lookup_elem(&app_uid_stats_map, &sock_uid);
655 if (value == NULL) {
656 app_uid_stats_value newValue = {};
657 bpf_map_update_elem(&app_uid_stats_map, &sock_uid, &newValue, BPF_NOEXIST);
658 value = bpf_map_lookup_elem(&app_uid_stats_map, &sock_uid);
659 }
660 if (value != NULL) {
661 __sync_fetch_and_add(&value->txPackets, 1);
662 __sync_fetch_and_add(&value->txBytes, skb->len);
663 }
664 socket_cookie_stats_key sock_cookie = bpf_get_socket_cookie(skb);
665 app_cookie_stats_value *value_cookie = bpf_map_lookup_elem(&app_cookie_stats_map, &sock_cookie);
666 if (value_cookie == NULL) {
667 app_cookie_stats_value newValue = {};
668 bpf_map_update_elem(&app_cookie_stats_map, &sock_cookie, &newValue, BPF_NOEXIST);
669 value_cookie = bpf_map_lookup_elem(&app_cookie_stats_map, &sock_cookie);
670 }
671 if (value_cookie != NULL) {
672 __sync_fetch_and_add(&value_cookie->txPackets, 1);
673 __sync_fetch_and_add(&value_cookie->txBytes, skb->len);
674 }
675
676 if (value_sock_netns1 != NULL && value_sock_netns2 != NULL && *value_sock_netns1 == *value_sock_netns2) {
677 app_uid_if_stats_key key = {.uId = sock_uid, .ifIndex = skb->ifindex};
678 app_uid_if_stats_value *value_uid_if = bpf_map_lookup_elem(&app_uid_if_stats_map, &key);
679 if (value_uid_if == NULL) {
680 app_uid_if_stats_value newValue = {};
681 bpf_map_update_elem(&app_uid_if_stats_map, &key, &newValue, BPF_NOEXIST);
682 value_uid_if = bpf_map_lookup_elem(&app_uid_if_stats_map, &key);
683 }
684 if (value_uid_if != NULL) {
685 __sync_fetch_and_add(&value_uid_if->txPackets, 1);
686 __sync_fetch_and_add(&value_uid_if->txBytes, get_data_len(skb));
687 }
688 } else {
689 if (filter_sim_stats(skb->local_ip4) == 1) {
690 app_uid_sim_stats_key key_sim = {.uId = sock_uid, .ifIndex = skb->ifindex,
691 .ifType = get_iface_type(skb->local_ip4)};
692 app_uid_sim_stats_value *value_uid_sim = bpf_map_lookup_elem(&app_uid_sim_stats_map, &key_sim);
693 if (value_uid_sim == NULL) {
694 app_uid_sim_stats_value newValue = {};
695 bpf_map_update_elem(&app_uid_sim_stats_map, &key_sim, &newValue, BPF_NOEXIST);
696 value_uid_sim = bpf_map_lookup_elem(&app_uid_sim_stats_map, &key_sim);
697 }
698 if (value_uid_sim != NULL) {
699 __sync_fetch_and_add(&value_uid_sim->txPackets, 1);
700 __sync_fetch_and_add(&value_uid_sim->txBytes, get_data_len(skb));
701 }
702 }
703 }
704 return 1;
705 }
706 // network stats end
707
708 // internet permission begin
709 bpf_map_def SEC("maps") oh_sock_permission_map = {
710 .type = BPF_MAP_TYPE_HASH,
711 .key_size = sizeof(sock_permission_key),
712 .value_size = sizeof(sock_permission_value),
713 .max_entries = OH_SOCK_PERMISSION_MAP_SIZE,
714 };
715
716 bpf_map_def SEC("maps") broker_sock_permission_map = {
717 .type = BPF_MAP_TYPE_HASH,
718 .key_size = sizeof(sock_permission_key),
719 .value_size = sizeof(sock_permission_value),
720 .max_entries = BROKER_SOCK_PERMISSION_MAP_SIZE,
721 };
722
723 SEC("cgroup_sock/inet_create_socket")
inet_create_socket(struct bpf_sock * sk)724 int inet_create_socket(struct bpf_sock *sk)
725 {
726 __u64 uid_gid = bpf_get_current_uid_gid();
727 sock_netns_key key_sock_netns1 = uid_gid & 0x00000000FFFFFFFF;
728 sock_netns_value value_sock_netns1 = bpf_get_netns_cookie(sk);
729 bpf_map_update_elem(&sock_netns_map, &key_sock_netns1, &value_sock_netns1, BPF_NOEXIST);
730 sock_netns_key key_sock_netns2 = SOCK_COOKIE_ID_NULL;
731 sock_netns_value value_sock_netns2 = bpf_get_netns_cookie(NULL);
732 bpf_map_update_elem(&sock_netns_map, &key_sock_netns2, &value_sock_netns2, BPF_NOEXIST);
733
734 void *map_ptr = &oh_sock_permission_map;
735 if (bpf_get_netns_cookie(sk) != bpf_get_netns_cookie(NULL)) {
736 map_ptr = &broker_sock_permission_map;
737 }
738
739 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
740 sock_permission_value *value = bpf_map_lookup_elem(map_ptr, &uid);
741 // value == NULL means that the process attached to this uid is not a hap process which started by appspawn
742 // it is a native process, native process should have this permission
743 if (value == NULL) {
744 return 1;
745 }
746 // *value == 0 means no permission
747 if (*value == 0) {
748 return 0;
749 }
750 return 1;
751 }
752
753 SEC("cgroup_sock/inet_release_socket")
inet_release_socket(struct bpf_sock * sk)754 int inet_release_socket(struct bpf_sock *sk)
755 {
756 sock_netns_key key_sock_netns = bpf_get_socket_cookie(sk);
757 bpf_map_delete_elem(&sock_netns_map, &key_sock_netns);
758
759 socket_cookie_stats_key key_sock_cookie = bpf_get_socket_cookie(sk);
760 bpf_map_delete_elem(&app_cookie_stats_map, &key_sock_cookie);
761 return 1;
762 }
763 // internet permission end
764
765 bpf_map_def SEC("maps") ringbuf_map = {
766 .type = BPF_MAP_TYPE_RINGBUF,
767 .max_entries = 256 * 1024 /* 256 KB */,
768 };
769
socket_check_network_policy(net_bear_type_map_value net_bear_mark_type,net_bear_type_map_value * net_bear_type,uid_access_policy_value * value)770 static inline __u8 socket_check_network_policy(net_bear_type_map_value net_bear_mark_type,
771 net_bear_type_map_value *net_bear_type, uid_access_policy_value *value)
772 {
773 if (((net_bear_mark_type == NETWORK_BEARER_TYPE_WIFI) && (!value->wifiPolicy)) ||
774 ((net_bear_mark_type == NETWORK_BEARER_TYPE_CELLULAR) && (!value->cellularPolicy))) {
775 return 0;
776 } else if (net_bear_mark_type != NETWORK_BEARER_TYPE_INITIAL) {
777 return 1;
778 }
779 if (((*net_bear_type == NETWORK_BEARER_TYPE_WIFI) && (!value->wifiPolicy)) ||
780 ((*net_bear_type == NETWORK_BEARER_TYPE_CELLULAR) && (!value->cellularPolicy))) {
781 return 0;
782 }
783 return 1;
784 }
785
socket_ringbuf_event_submit(__u32 uid)786 static inline __u8 socket_ringbuf_event_submit(__u32 uid)
787 {
788 uint32_t *e;
789 e = bpf_ringbuf_reserve(&ringbuf_map, sizeof(*e), 0);
790 if (e) {
791 *e = uid;
792 bpf_ringbuf_submit(e, 0);
793 return 1;
794 }
795 return 0;
796 }
797
798 SEC("cgroup_addr/bind4")
inet_check_bind4(struct bpf_sock_addr * ctx)799 static int inet_check_bind4(struct bpf_sock_addr *ctx)
800 {
801 void *map_ptr = &app_uid_access_policy_map;
802 __u64 uid_gid = bpf_get_current_uid_gid();
803 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
804 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
805 uid = check_broker_policy(uid);
806 }
807
808 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
809 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
810 if (value == NULL) {
811 return 1;
812 }
813
814 void *net_bear_map_ptr = &net_bear_type_map;
815 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
816 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
817 if (net_bear_type == NULL) {
818 return 1;
819 }
820
821 struct bpf_sock *sk = ctx->sk;
822 net_bear_type_map_value net_bear_mark_type = check_socket_select_net(sk);
823 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
824 if (value->diagAckFlag) {
825 return 0;
826 }
827
828 // the policy configuration needs to be reconfirmed or the network bearer changes
829 if (value->configSetFromFlag) {
830 if (socket_ringbuf_event_submit(uid) != 0) {
831 value->diagAckFlag = 1;
832 }
833 }
834 value->netIfIndex = *net_bear_type;
835 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
836 return 0;
837 }
838
839 value->netIfIndex = *net_bear_type;
840 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
841 return 1;
842 }
843
844 SEC("cgroup_addr/bind6")
inet_check_bind6(struct bpf_sock_addr * ctx)845 static int inet_check_bind6(struct bpf_sock_addr *ctx)
846 {
847 void *map_ptr = &app_uid_access_policy_map;
848 __u64 uid_gid = bpf_get_current_uid_gid();
849 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
850 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
851 uid = check_broker_policy(uid);
852 }
853
854 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
855 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
856 if (value == NULL) {
857 return 1;
858 }
859
860 void *net_bear_map_ptr = &net_bear_type_map;
861 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
862 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
863 if (net_bear_type == NULL) {
864 return 1;
865 }
866
867 struct bpf_sock *sk = ctx->sk;
868 net_bear_type_map_value net_bear_mark_type = check_socket_select_net(sk);
869 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
870 if (value->diagAckFlag) {
871 return 0;
872 }
873
874 // the policy configuration needs to be reconfirmed or the network bearer changes
875 if (value->configSetFromFlag) {
876 if (socket_ringbuf_event_submit(uid) != 0) {
877 value->diagAckFlag = 1;
878 }
879 }
880 value->netIfIndex = *net_bear_type;
881 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
882 return 0;
883 }
884
885 value->netIfIndex = *net_bear_type;
886 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
887 return 1;
888 }
889
890 SEC("cgroup_addr/connect4")
inet_check_connect4(struct bpf_sock_addr * ctx)891 static int inet_check_connect4(struct bpf_sock_addr *ctx)
892 {
893 void *map_ptr = &app_uid_access_policy_map;
894 __u64 uid_gid = bpf_get_current_uid_gid();
895 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
896 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
897 uid = check_broker_policy(uid);
898 }
899
900 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
901 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
902 if (value == NULL) {
903 return 1;
904 }
905
906 void *net_bear_map_ptr = &net_bear_type_map;
907 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
908 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
909 if (net_bear_type == NULL) {
910 return 1;
911 }
912
913 struct bpf_sock *sk = ctx->sk;
914 net_bear_type_map_value net_bear_mark_type = check_socket_select_net(sk);
915 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
916 if (value->diagAckFlag) {
917 return 0;
918 }
919
920 // the policy configuration needs to be reconfirmed or the network bearer changes
921 if (value->configSetFromFlag) {
922 if (socket_ringbuf_event_submit(uid) != 0) {
923 value->diagAckFlag = 1;
924 }
925 }
926 value->netIfIndex = *net_bear_type;
927 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
928 return 0;
929 }
930
931 value->netIfIndex = *net_bear_type;
932 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
933 return 1;
934 }
935
936
937 SEC("cgroup_addr/connect6")
inet_check_connect6(struct bpf_sock_addr * ctx)938 static int inet_check_connect6(struct bpf_sock_addr *ctx)
939 {
940 void *map_ptr = &app_uid_access_policy_map;
941 __u64 uid_gid = bpf_get_current_uid_gid();
942 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
943 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
944 uid = check_broker_policy(uid);
945 }
946
947 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
948 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
949 if (value == NULL) {
950 return 1;
951 }
952
953 void *net_bear_map_ptr = &net_bear_type_map;
954 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
955 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
956 if (net_bear_type == NULL) {
957 return 1;
958 }
959
960 struct bpf_sock *sk = ctx->sk;
961 net_bear_type_map_value net_bear_mark_type = check_socket_select_net(sk);
962 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
963 if (value->diagAckFlag) {
964 return 0;
965 }
966
967 // the policy configuration needs to be reconfirmed or the network bearer changes
968 if (value->configSetFromFlag) {
969 if (socket_ringbuf_event_submit(uid) != 0) {
970 value->diagAckFlag = 1;
971 }
972 }
973 value->netIfIndex = *net_bear_type;
974 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
975 return 0;
976 }
977
978 value->netIfIndex = *net_bear_type;
979 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
980 return 1;
981 }
982
983 SEC("cgroup_addr/sendmsg4")
inet_check_sendmsg4(struct bpf_sock_addr * ctx)984 static int inet_check_sendmsg4(struct bpf_sock_addr *ctx)
985 {
986 void *map_ptr = &app_uid_access_policy_map;
987 __u64 uid_gid = bpf_get_current_uid_gid();
988 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
989 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
990 uid = check_broker_policy(uid);
991 }
992
993 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
994 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
995 if (value == NULL) {
996 return 1;
997 }
998
999 void *net_bear_map_ptr = &net_bear_type_map;
1000 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
1001 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
1002 if (net_bear_type == NULL) {
1003 return 1;
1004 }
1005
1006 struct bpf_sock *sk = ctx->sk;
1007 net_bear_type_map_value net_bear_mark_type = check_socket_select_net(sk);
1008 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
1009 if (value->diagAckFlag) {
1010 return 0;
1011 }
1012
1013 // the policy configuration needs to be reconfirmed or the network bearer changes
1014 if (value->configSetFromFlag) {
1015 if (socket_ringbuf_event_submit(uid) != 0) {
1016 value->diagAckFlag = 1;
1017 }
1018 }
1019 value->netIfIndex = *net_bear_type;
1020 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
1021 return 0;
1022 }
1023
1024 value->netIfIndex = *net_bear_type;
1025 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
1026 return 1;
1027 }
1028
1029 SEC("cgroup_addr/sendmsg6")
inet_check_sendmsg6(struct bpf_sock_addr * ctx)1030 static int inet_check_sendmsg6(struct bpf_sock_addr *ctx)
1031 {
1032 void *map_ptr = &app_uid_access_policy_map;
1033 __u64 uid_gid = bpf_get_current_uid_gid();
1034 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
1035 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
1036 uid = check_broker_policy(uid);
1037 }
1038
1039 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
1040 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
1041 if (value == NULL) {
1042 return 1;
1043 }
1044
1045 void *net_bear_map_ptr = &net_bear_type_map;
1046 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
1047 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
1048 if (net_bear_type == NULL) {
1049 return 1;
1050 }
1051
1052 struct bpf_sock *sk = ctx->sk;
1053 net_bear_type_map_value net_bear_mark_type = check_socket_select_net(sk);
1054 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
1055 if (value->diagAckFlag) {
1056 return 0;
1057 }
1058
1059 // the policy configuration needs to be reconfirmed or the network bearer changes
1060 if (value->configSetFromFlag) {
1061 if (socket_ringbuf_event_submit(uid) != 0) {
1062 value->diagAckFlag = 1;
1063 }
1064 }
1065 value->netIfIndex = *net_bear_type;
1066 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
1067 return 0;
1068 }
1069
1070 value->netIfIndex = *net_bear_type;
1071 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
1072 return 1;
1073 }
1074
1075 char g_license[] SEC("license") = "GPL";
1076