1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "TrafficController"
18 #include <inttypes.h>
19 #include <linux/bpf.h>
20 #include <linux/if_ether.h>
21 #include <linux/in.h>
22 #include <linux/inet_diag.h>
23 #include <linux/netlink.h>
24 #include <linux/sock_diag.h>
25 #include <linux/unistd.h>
26 #include <net/if.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <sys/socket.h>
30 #include <sys/stat.h>
31 #include <sys/types.h>
32 #include <sys/utsname.h>
33 #include <sys/wait.h>
34 #include <mutex>
35 #include <unordered_set>
36 #include <vector>
37
38 #include <android-base/stringprintf.h>
39 #include <android-base/strings.h>
40 #include <android-base/unique_fd.h>
41 #include <netdutils/StatusOr.h>
42
43 #include <netdutils/Misc.h>
44 #include <netdutils/Syscalls.h>
45 #include <processgroup/processgroup.h>
46 #include "TrafficController.h"
47 #include "bpf/BpfMap.h"
48
49 #include "FirewallController.h"
50 #include "InterfaceController.h"
51 #include "NetlinkListener.h"
52 #include "netdutils/DumpWriter.h"
53 #include "qtaguid/qtaguid.h"
54
55 namespace android {
56 namespace net {
57
58 using base::StringPrintf;
59 using base::unique_fd;
60 using bpf::getSocketCookie;
61 using bpf::NONEXISTENT_COOKIE;
62 using bpf::OVERFLOW_COUNTERSET;
63 using bpf::retrieveProgram;
64 using bpf::synchronizeKernelRCU;
65 using netdutils::DumpWriter;
66 using netdutils::extract;
67 using netdutils::ScopedIndent;
68 using netdutils::Slice;
69 using netdutils::sSyscalls;
70 using netdutils::Status;
71 using netdutils::statusFromErrno;
72 using netdutils::StatusOr;
73 using netdutils::status::ok;
74
75 constexpr int kSockDiagMsgType = SOCK_DIAG_BY_FAMILY;
76 constexpr int kSockDiagDoneMsgType = NLMSG_DONE;
77 constexpr int PER_UID_STATS_ENTRIES_LIMIT = 500;
78 // At most 90% of the stats map may be used by tagged traffic entries. This ensures
79 // that 10% of the map is always available to count untagged traffic, one entry per UID.
80 // Otherwise, apps would be able to avoid data usage accounting entirely by filling up the
81 // map with tagged traffic entries.
82 constexpr int TOTAL_UID_STATS_ENTRIES_LIMIT = STATS_MAP_SIZE * 0.9;
83
84 static_assert(BPF_PERMISSION_INTERNET == INetd::PERMISSION_INTERNET,
85 "Mismatch between BPF and AIDL permissions: PERMISSION_INTERNET");
86 static_assert(BPF_PERMISSION_UPDATE_DEVICE_STATS == INetd::PERMISSION_UPDATE_DEVICE_STATS,
87 "Mismatch between BPF and AIDL permissions: PERMISSION_UPDATE_DEVICE_STATS");
88 static_assert(STATS_MAP_SIZE - TOTAL_UID_STATS_ENTRIES_LIMIT > 100,
89 "The limit for stats map is to high, stats data may be lost due to overflow");
90
91 #define FLAG_MSG_TRANS(result, flag, value) \
92 do { \
93 if ((value) & (flag)) { \
94 (result).append(" " #flag); \
95 (value) &= ~(flag); \
96 } \
97 } while (0)
98
uidMatchTypeToString(uint8_t match)99 const std::string uidMatchTypeToString(uint8_t match) {
100 std::string matchType;
101 FLAG_MSG_TRANS(matchType, HAPPY_BOX_MATCH, match);
102 FLAG_MSG_TRANS(matchType, PENALTY_BOX_MATCH, match);
103 FLAG_MSG_TRANS(matchType, DOZABLE_MATCH, match);
104 FLAG_MSG_TRANS(matchType, STANDBY_MATCH, match);
105 FLAG_MSG_TRANS(matchType, POWERSAVE_MATCH, match);
106 FLAG_MSG_TRANS(matchType, RESTRICTED_MATCH, match);
107 FLAG_MSG_TRANS(matchType, IIF_MATCH, match);
108 if (match) {
109 return StringPrintf("Unknown match: %u", match);
110 }
111 return matchType;
112 }
113
hasUpdateDeviceStatsPermission(uid_t uid)114 bool TrafficController::hasUpdateDeviceStatsPermission(uid_t uid) {
115 // This implementation is the same logic as method ActivityManager#checkComponentPermission.
116 // It implies that the calling uid can never be the same as PER_USER_RANGE.
117 uint32_t appId = uid % PER_USER_RANGE;
118 return ((appId == AID_ROOT) || (appId == AID_SYSTEM) ||
119 mPrivilegedUser.find(appId) != mPrivilegedUser.end());
120 }
121
UidPermissionTypeToString(int permission)122 const std::string UidPermissionTypeToString(int permission) {
123 if (permission == INetd::PERMISSION_NONE) {
124 return "PERMISSION_NONE";
125 }
126 if (permission == INetd::PERMISSION_UNINSTALLED) {
127 // This should never appear in the map, complain loudly if it does.
128 return "PERMISSION_UNINSTALLED error!";
129 }
130 std::string permissionType;
131 FLAG_MSG_TRANS(permissionType, BPF_PERMISSION_INTERNET, permission);
132 FLAG_MSG_TRANS(permissionType, BPF_PERMISSION_UPDATE_DEVICE_STATS, permission);
133 if (permission) {
134 return StringPrintf("Unknown permission: %u", permission);
135 }
136 return permissionType;
137 }
138
makeSkDestroyListener()139 StatusOr<std::unique_ptr<NetlinkListenerInterface>> TrafficController::makeSkDestroyListener() {
140 const auto& sys = sSyscalls.get();
141 ASSIGN_OR_RETURN(auto event, sys.eventfd(0, EFD_CLOEXEC));
142 const int domain = AF_NETLINK;
143 const int type = SOCK_DGRAM | SOCK_CLOEXEC | SOCK_NONBLOCK;
144 const int protocol = NETLINK_INET_DIAG;
145 ASSIGN_OR_RETURN(auto sock, sys.socket(domain, type, protocol));
146
147 // TODO: if too many sockets are closed too quickly, we can overflow the socket buffer, and
148 // some entries in mCookieTagMap will not be freed. In order to fix this we would need to
149 // periodically dump all sockets and remove the tag entries for sockets that have been closed.
150 // For now, set a large-enough buffer that we can close hundreds of sockets without getting
151 // ENOBUFS and leaking mCookieTagMap entries.
152 int rcvbuf = 512 * 1024;
153 auto ret = sys.setsockopt(sock, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof(rcvbuf));
154 if (!ret.ok()) {
155 ALOGW("Failed to set SkDestroyListener buffer size to %d: %s", rcvbuf, ret.msg().c_str());
156 }
157
158 sockaddr_nl addr = {
159 .nl_family = AF_NETLINK,
160 .nl_groups = 1 << (SKNLGRP_INET_TCP_DESTROY - 1) | 1 << (SKNLGRP_INET_UDP_DESTROY - 1) |
161 1 << (SKNLGRP_INET6_TCP_DESTROY - 1) | 1 << (SKNLGRP_INET6_UDP_DESTROY - 1)};
162 RETURN_IF_NOT_OK(sys.bind(sock, addr));
163
164 const sockaddr_nl kernel = {.nl_family = AF_NETLINK};
165 RETURN_IF_NOT_OK(sys.connect(sock, kernel));
166
167 std::unique_ptr<NetlinkListenerInterface> listener =
168 std::make_unique<NetlinkListener>(std::move(event), std::move(sock), "SkDestroyListen");
169
170 return listener;
171 }
172
TrafficController()173 TrafficController::TrafficController()
174 : mPerUidStatsEntriesLimit(PER_UID_STATS_ENTRIES_LIMIT),
175 mTotalUidStatsEntriesLimit(TOTAL_UID_STATS_ENTRIES_LIMIT) {}
176
TrafficController(uint32_t perUidLimit,uint32_t totalLimit)177 TrafficController::TrafficController(uint32_t perUidLimit, uint32_t totalLimit)
178 : mPerUidStatsEntriesLimit(perUidLimit), mTotalUidStatsEntriesLimit(totalLimit) {}
179
initMaps()180 Status TrafficController::initMaps() {
181 std::lock_guard guard(mMutex);
182
183 RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH));
184 RETURN_IF_NOT_OK(mUidCounterSetMap.init(UID_COUNTERSET_MAP_PATH));
185 RETURN_IF_NOT_OK(mAppUidStatsMap.init(APP_UID_STATS_MAP_PATH));
186 RETURN_IF_NOT_OK(mStatsMapA.init(STATS_MAP_A_PATH));
187 RETURN_IF_NOT_OK(mStatsMapB.init(STATS_MAP_B_PATH));
188 RETURN_IF_NOT_OK(mIfaceIndexNameMap.init(IFACE_INDEX_NAME_MAP_PATH));
189 RETURN_IF_NOT_OK(mIfaceStatsMap.init(IFACE_STATS_MAP_PATH));
190
191 RETURN_IF_NOT_OK(mConfigurationMap.init(CONFIGURATION_MAP_PATH));
192 RETURN_IF_NOT_OK(
193 mConfigurationMap.writeValue(UID_RULES_CONFIGURATION_KEY, DEFAULT_CONFIG, BPF_ANY));
194 RETURN_IF_NOT_OK(mConfigurationMap.writeValue(CURRENT_STATS_MAP_CONFIGURATION_KEY, SELECT_MAP_A,
195 BPF_ANY));
196
197 RETURN_IF_NOT_OK(mUidOwnerMap.init(UID_OWNER_MAP_PATH));
198 RETURN_IF_NOT_OK(mUidOwnerMap.clear());
199 RETURN_IF_NOT_OK(mUidPermissionMap.init(UID_PERMISSION_MAP_PATH));
200
201 return netdutils::status::ok;
202 }
203
attachProgramToCgroup(const char * programPath,const unique_fd & cgroupFd,bpf_attach_type type)204 static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd,
205 bpf_attach_type type) {
206 unique_fd cgroupProg(retrieveProgram(programPath));
207 if (cgroupProg == -1) {
208 int ret = errno;
209 ALOGE("Failed to get program from %s: %s", programPath, strerror(ret));
210 return statusFromErrno(ret, "cgroup program get failed");
211 }
212 if (android::bpf::attachProgram(type, cgroupProg, cgroupFd)) {
213 int ret = errno;
214 ALOGE("Program from %s attach failed: %s", programPath, strerror(ret));
215 return statusFromErrno(ret, "program attach failed");
216 }
217 return netdutils::status::ok;
218 }
219
initPrograms()220 static Status initPrograms() {
221 std::string cg2_path;
222
223 if (!CgroupGetControllerPath(CGROUPV2_CONTROLLER_NAME, &cg2_path)) {
224 int ret = errno;
225 ALOGE("Failed to find cgroup v2 root");
226 return statusFromErrno(ret, "Failed to find cgroup v2 root");
227 }
228
229 unique_fd cg_fd(open(cg2_path.c_str(), O_DIRECTORY | O_RDONLY | O_CLOEXEC));
230 if (cg_fd == -1) {
231 int ret = errno;
232 ALOGE("Failed to open the cgroup directory: %s", strerror(ret));
233 return statusFromErrno(ret, "Open the cgroup directory failed");
234 }
235 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS));
236 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS));
237
238 // For the devices that support cgroup socket filter, the socket filter
239 // should be loaded successfully by bpfloader. So we attach the filter to
240 // cgroup if the program is pinned properly.
241 // TODO: delete the if statement once all devices should support cgroup
242 // socket filter (ie. the minimum kernel version required is 4.14).
243 if (!access(CGROUP_SOCKET_PROG_PATH, F_OK)) {
244 RETURN_IF_NOT_OK(
245 attachProgramToCgroup(CGROUP_SOCKET_PROG_PATH, cg_fd, BPF_CGROUP_INET_SOCK_CREATE));
246 }
247 return netdutils::status::ok;
248 }
249
start()250 Status TrafficController::start() {
251 /* When netd restarts from a crash without total system reboot, the program
252 * is still attached to the cgroup, detach it so the program can be freed
253 * and we can load and attach new program into the target cgroup.
254 *
255 * TODO: Scrape existing socket when run-time restart and clean up the map
256 * if the socket no longer exist
257 */
258
259 RETURN_IF_NOT_OK(initMaps());
260
261 RETURN_IF_NOT_OK(initPrograms());
262
263 // Fetch the list of currently-existing interfaces. At this point NetlinkHandler is
264 // already running, so it will call addInterface() when any new interface appears.
265 std::map<std::string, uint32_t> ifacePairs;
266 ASSIGN_OR_RETURN(ifacePairs, InterfaceController::getIfaceList());
267 for (const auto& ifacePair:ifacePairs) {
268 addInterface(ifacePair.first.c_str(), ifacePair.second);
269 }
270
271 auto result = makeSkDestroyListener();
272 if (!isOk(result)) {
273 ALOGE("Unable to create SkDestroyListener: %s", toString(result).c_str());
274 } else {
275 mSkDestroyListener = std::move(result.value());
276 }
277 // Rx handler extracts nfgenmsg looks up and invokes registered dispatch function.
278 const auto rxHandler = [this](const nlmsghdr&, const Slice msg) {
279 std::lock_guard guard(mMutex);
280 inet_diag_msg diagmsg = {};
281 if (extract(msg, diagmsg) < sizeof(inet_diag_msg)) {
282 ALOGE("Unrecognized netlink message: %s", toString(msg).c_str());
283 return;
284 }
285 uint64_t sock_cookie = static_cast<uint64_t>(diagmsg.id.idiag_cookie[0]) |
286 (static_cast<uint64_t>(diagmsg.id.idiag_cookie[1]) << 32);
287
288 Status s = mCookieTagMap.deleteValue(sock_cookie);
289 if (!isOk(s) && s.code() != ENOENT) {
290 ALOGE("Failed to delete cookie %" PRIx64 ": %s", sock_cookie, toString(s).c_str());
291 return;
292 }
293 };
294 expectOk(mSkDestroyListener->subscribe(kSockDiagMsgType, rxHandler));
295
296 // In case multiple netlink message comes in as a stream, we need to handle the rxDone message
297 // properly.
298 const auto rxDoneHandler = [](const nlmsghdr&, const Slice msg) {
299 // Ignore NLMSG_DONE messages
300 inet_diag_msg diagmsg = {};
301 extract(msg, diagmsg);
302 };
303 expectOk(mSkDestroyListener->subscribe(kSockDiagDoneMsgType, rxDoneHandler));
304
305 return netdutils::status::ok;
306 }
307
tagSocket(int sockFd,uint32_t tag,uid_t uid,uid_t callingUid)308 int TrafficController::tagSocket(int sockFd, uint32_t tag, uid_t uid, uid_t callingUid) {
309 std::lock_guard guard(mMutex);
310 if (uid != callingUid && !hasUpdateDeviceStatsPermission(callingUid)) {
311 return -EPERM;
312 }
313
314 uint64_t sock_cookie = getSocketCookie(sockFd);
315 if (sock_cookie == NONEXISTENT_COOKIE) return -errno;
316 UidTagValue newKey = {.uid = (uint32_t)uid, .tag = tag};
317
318 uint32_t totalEntryCount = 0;
319 uint32_t perUidEntryCount = 0;
320 // Now we go through the stats map and count how many entries are associated
321 // with target uid. If the uid entry hit the limit for each uid, we block
322 // the request to prevent the map from overflow. It is safe here to iterate
323 // over the map since when mMutex is hold, system server cannot toggle
324 // the live stats map and clean it. So nobody can delete entries from the map.
325 const auto countUidStatsEntries = [uid, &totalEntryCount, &perUidEntryCount](
326 const StatsKey& key,
327 const BpfMap<StatsKey, StatsValue>&) {
328 if (key.uid == uid) {
329 perUidEntryCount++;
330 }
331 totalEntryCount++;
332 return base::Result<void>();
333 };
334 auto configuration = mConfigurationMap.readValue(CURRENT_STATS_MAP_CONFIGURATION_KEY);
335 if (!configuration.ok()) {
336 ALOGE("Failed to get current configuration: %s, fd: %d",
337 strerror(configuration.error().code()), mConfigurationMap.getMap().get());
338 return -configuration.error().code();
339 }
340 if (configuration.value() != SELECT_MAP_A && configuration.value() != SELECT_MAP_B) {
341 ALOGE("unknown configuration value: %d", configuration.value());
342 return -EINVAL;
343 }
344
345 BpfMap<StatsKey, StatsValue>& currentMap =
346 (configuration.value() == SELECT_MAP_A) ? mStatsMapA : mStatsMapB;
347 base::Result<void> res = currentMap.iterate(countUidStatsEntries);
348 if (!res.ok()) {
349 ALOGE("Failed to count the stats entry in map %d: %s", currentMap.getMap().get(),
350 strerror(res.error().code()));
351 return -res.error().code();
352 }
353
354 if (totalEntryCount > mTotalUidStatsEntriesLimit ||
355 perUidEntryCount > mPerUidStatsEntriesLimit) {
356 ALOGE("Too many stats entries in the map, total count: %u, uid(%u) count: %u, blocking tag"
357 " request to prevent map overflow",
358 totalEntryCount, uid, perUidEntryCount);
359 return -EMFILE;
360 }
361 // Update the tag information of a socket to the cookieUidMap. Use BPF_ANY
362 // flag so it will insert a new entry to the map if that value doesn't exist
363 // yet. And update the tag if there is already a tag stored. Since the eBPF
364 // program in kernel only read this map, and is protected by rcu read lock. It
365 // should be fine to cocurrently update the map while eBPF program is running.
366 res = mCookieTagMap.writeValue(sock_cookie, newKey, BPF_ANY);
367 if (!res.ok()) {
368 ALOGE("Failed to tag the socket: %s, fd: %d", strerror(res.error().code()),
369 mCookieTagMap.getMap().get());
370 return -res.error().code();
371 }
372 return 0;
373 }
374
untagSocket(int sockFd)375 int TrafficController::untagSocket(int sockFd) {
376 std::lock_guard guard(mMutex);
377 uint64_t sock_cookie = getSocketCookie(sockFd);
378
379 if (sock_cookie == NONEXISTENT_COOKIE) return -errno;
380 base::Result<void> res = mCookieTagMap.deleteValue(sock_cookie);
381 if (!res.ok()) {
382 ALOGE("Failed to untag socket: %s\n", strerror(res.error().code()));
383 return -res.error().code();
384 }
385 return 0;
386 }
387
setCounterSet(int counterSetNum,uid_t uid,uid_t callingUid)388 int TrafficController::setCounterSet(int counterSetNum, uid_t uid, uid_t callingUid) {
389 if (counterSetNum < 0 || counterSetNum >= OVERFLOW_COUNTERSET) return -EINVAL;
390
391 std::lock_guard guard(mMutex);
392 if (!hasUpdateDeviceStatsPermission(callingUid)) return -EPERM;
393
394 // The default counter set for all uid is 0, so deleting the current counterset for that uid
395 // will automatically set it to 0.
396 if (counterSetNum == 0) {
397 Status res = mUidCounterSetMap.deleteValue(uid);
398 if (isOk(res) || (!isOk(res) && res.code() == ENOENT)) {
399 return 0;
400 } else {
401 ALOGE("Failed to delete the counterSet: %s\n", strerror(res.code()));
402 return -res.code();
403 }
404 }
405 uint8_t tmpCounterSetNum = (uint8_t)counterSetNum;
406 Status res = mUidCounterSetMap.writeValue(uid, tmpCounterSetNum, BPF_ANY);
407 if (!isOk(res)) {
408 ALOGE("Failed to set the counterSet: %s, fd: %d", strerror(res.code()),
409 mUidCounterSetMap.getMap().get());
410 return -res.code();
411 }
412 return 0;
413 }
414
415 // This method only get called by system_server when an app get uinstalled, it
416 // is called inside removeUidsLocked() while holding mStatsLock. So it is safe
417 // to iterate and modify the stats maps.
deleteTagData(uint32_t tag,uid_t uid,uid_t callingUid)418 int TrafficController::deleteTagData(uint32_t tag, uid_t uid, uid_t callingUid) {
419 std::lock_guard guard(mMutex);
420 if (!hasUpdateDeviceStatsPermission(callingUid)) return -EPERM;
421
422 // First we go through the cookieTagMap to delete the target uid tag combination. Or delete all
423 // the tags related to the uid if the tag is 0.
424 const auto deleteMatchedCookieEntries = [uid, tag](const uint64_t& key,
425 const UidTagValue& value,
426 BpfMap<uint64_t, UidTagValue>& map) {
427 if (value.uid == uid && (value.tag == tag || tag == 0)) {
428 auto res = map.deleteValue(key);
429 if (res.ok() || (res.error().code() == ENOENT)) {
430 return base::Result<void>();
431 }
432 ALOGE("Failed to delete data(cookie = %" PRIu64 "): %s\n", key,
433 strerror(res.error().code()));
434 }
435 // Move forward to next cookie in the map.
436 return base::Result<void>();
437 };
438 mCookieTagMap.iterateWithValue(deleteMatchedCookieEntries);
439 // Now we go through the Tag stats map and delete the data entry with correct uid and tag
440 // combination. Or all tag stats under that uid if the target tag is 0.
441 const auto deleteMatchedUidTagEntries = [uid, tag](const StatsKey& key,
442 BpfMap<StatsKey, StatsValue>& map) {
443 if (key.uid == uid && (key.tag == tag || tag == 0)) {
444 auto res = map.deleteValue(key);
445 if (res.ok() || (res.error().code() == ENOENT)) {
446 //Entry is deleted, use the current key to get a new nextKey;
447 return base::Result<void>();
448 }
449 ALOGE("Failed to delete data(uid=%u, tag=%u): %s\n", key.uid, key.tag,
450 strerror(res.error().code()));
451 }
452 return base::Result<void>();
453 };
454 mStatsMapB.iterate(deleteMatchedUidTagEntries);
455 mStatsMapA.iterate(deleteMatchedUidTagEntries);
456 // If the tag is not zero, we already deleted all the data entry required. If tag is 0, we also
457 // need to delete the stats stored in uidStatsMap and counterSet map.
458 if (tag != 0) return 0;
459
460 auto res = mUidCounterSetMap.deleteValue(uid);
461 if (!res.ok() && res.error().code() != ENOENT) {
462 ALOGE("Failed to delete counterSet data(uid=%u, tag=%u): %s\n", uid, tag,
463 strerror(res.error().code()));
464 }
465
466 auto deleteAppUidStatsEntry = [uid](const uint32_t& key,
467 BpfMap<uint32_t, StatsValue>& map) -> base::Result<void> {
468 if (key == uid) {
469 auto res = map.deleteValue(key);
470 if (res.ok() || (res.error().code() == ENOENT)) {
471 return {};
472 }
473 ALOGE("Failed to delete data(uid=%u): %s", key, strerror(res.error().code()));
474 }
475 return {};
476 };
477 mAppUidStatsMap.iterate(deleteAppUidStatsEntry);
478 return 0;
479 }
480
addInterface(const char * name,uint32_t ifaceIndex)481 int TrafficController::addInterface(const char* name, uint32_t ifaceIndex) {
482 IfaceValue iface;
483 if (ifaceIndex == 0) {
484 ALOGE("Unknown interface %s(%d)", name, ifaceIndex);
485 return -1;
486 }
487
488 strlcpy(iface.name, name, sizeof(IfaceValue));
489 Status res = mIfaceIndexNameMap.writeValue(ifaceIndex, iface, BPF_ANY);
490 if (!isOk(res)) {
491 ALOGE("Failed to add iface %s(%d): %s", name, ifaceIndex, strerror(res.code()));
492 return -res.code();
493 }
494 return 0;
495 }
496
updateOwnerMapEntry(UidOwnerMatchType match,uid_t uid,FirewallRule rule,FirewallType type)497 Status TrafficController::updateOwnerMapEntry(UidOwnerMatchType match, uid_t uid, FirewallRule rule,
498 FirewallType type) {
499 std::lock_guard guard(mMutex);
500 if ((rule == ALLOW && type == ALLOWLIST) || (rule == DENY && type == DENYLIST)) {
501 RETURN_IF_NOT_OK(addRule(uid, match));
502 } else if ((rule == ALLOW && type == DENYLIST) || (rule == DENY && type == ALLOWLIST)) {
503 RETURN_IF_NOT_OK(removeRule(uid, match));
504 } else {
505 //Cannot happen.
506 return statusFromErrno(EINVAL, "");
507 }
508 return netdutils::status::ok;
509 }
510
removeRule(uint32_t uid,UidOwnerMatchType match)511 Status TrafficController::removeRule(uint32_t uid, UidOwnerMatchType match) {
512 auto oldMatch = mUidOwnerMap.readValue(uid);
513 if (oldMatch.ok()) {
514 UidOwnerValue newMatch = {
515 .iif = (match == IIF_MATCH) ? 0 : oldMatch.value().iif,
516 .rule = static_cast<uint8_t>(oldMatch.value().rule & ~match),
517 };
518 if (newMatch.rule == 0) {
519 RETURN_IF_NOT_OK(mUidOwnerMap.deleteValue(uid));
520 } else {
521 RETURN_IF_NOT_OK(mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY));
522 }
523 } else {
524 return statusFromErrno(ENOENT, StringPrintf("uid: %u does not exist in map", uid));
525 }
526 return netdutils::status::ok;
527 }
528
addRule(uint32_t uid,UidOwnerMatchType match,uint32_t iif)529 Status TrafficController::addRule(uint32_t uid, UidOwnerMatchType match, uint32_t iif) {
530 // iif should be non-zero if and only if match == MATCH_IIF
531 if (match == IIF_MATCH && iif == 0) {
532 return statusFromErrno(EINVAL, "Interface match must have nonzero interface index");
533 } else if (match != IIF_MATCH && iif != 0) {
534 return statusFromErrno(EINVAL, "Non-interface match must have zero interface index");
535 }
536 auto oldMatch = mUidOwnerMap.readValue(uid);
537 if (oldMatch.ok()) {
538 UidOwnerValue newMatch = {
539 .iif = iif ? iif : oldMatch.value().iif,
540 .rule = static_cast<uint8_t>(oldMatch.value().rule | match),
541 };
542 RETURN_IF_NOT_OK(mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY));
543 } else {
544 UidOwnerValue newMatch = {
545 .iif = iif,
546 .rule = static_cast<uint8_t>(match),
547 };
548 RETURN_IF_NOT_OK(mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY));
549 }
550 return netdutils::status::ok;
551 }
552
updateUidOwnerMap(const std::vector<uint32_t> & appUids,UidOwnerMatchType matchType,BandwidthController::IptOp op)553 Status TrafficController::updateUidOwnerMap(const std::vector<uint32_t>& appUids,
554 UidOwnerMatchType matchType,
555 BandwidthController::IptOp op) {
556 std::lock_guard guard(mMutex);
557 for (uint32_t uid : appUids) {
558 if (op == BandwidthController::IptOpDelete) {
559 RETURN_IF_NOT_OK(removeRule(uid, matchType));
560 } else if (op == BandwidthController::IptOpInsert) {
561 RETURN_IF_NOT_OK(addRule(uid, matchType));
562 } else {
563 // Cannot happen.
564 return statusFromErrno(EINVAL, StringPrintf("invalid IptOp: %d, %d", op, matchType));
565 }
566 }
567 return netdutils::status::ok;
568 }
569
changeUidOwnerRule(ChildChain chain,uid_t uid,FirewallRule rule,FirewallType type)570 int TrafficController::changeUidOwnerRule(ChildChain chain, uid_t uid, FirewallRule rule,
571 FirewallType type) {
572 Status res;
573 switch (chain) {
574 case DOZABLE:
575 res = updateOwnerMapEntry(DOZABLE_MATCH, uid, rule, type);
576 break;
577 case STANDBY:
578 res = updateOwnerMapEntry(STANDBY_MATCH, uid, rule, type);
579 break;
580 case POWERSAVE:
581 res = updateOwnerMapEntry(POWERSAVE_MATCH, uid, rule, type);
582 break;
583 case RESTRICTED:
584 res = updateOwnerMapEntry(RESTRICTED_MATCH, uid, rule, type);
585 break;
586 case NONE:
587 default:
588 return -EINVAL;
589 }
590 if (!isOk(res)) {
591 ALOGE("change uid(%u) rule of %d failed: %s, rule: %d, type: %d", uid, chain,
592 res.msg().c_str(), rule, type);
593 return -res.code();
594 }
595 return 0;
596 }
597
replaceRulesInMap(const UidOwnerMatchType match,const std::vector<int32_t> & uids)598 Status TrafficController::replaceRulesInMap(const UidOwnerMatchType match,
599 const std::vector<int32_t>& uids) {
600 std::lock_guard guard(mMutex);
601 std::set<int32_t> uidSet(uids.begin(), uids.end());
602 std::vector<uint32_t> uidsToDelete;
603 auto getUidsToDelete = [&uidsToDelete, &uidSet](const uint32_t& key,
604 const BpfMap<uint32_t, UidOwnerValue>&) {
605 if (uidSet.find((int32_t) key) == uidSet.end()) {
606 uidsToDelete.push_back(key);
607 }
608 return base::Result<void>();
609 };
610 RETURN_IF_NOT_OK(mUidOwnerMap.iterate(getUidsToDelete));
611
612 for(auto uid : uidsToDelete) {
613 RETURN_IF_NOT_OK(removeRule(uid, match));
614 }
615
616 for (auto uid : uids) {
617 RETURN_IF_NOT_OK(addRule(uid, match));
618 }
619 return netdutils::status::ok;
620 }
621
addUidInterfaceRules(const int iif,const std::vector<int32_t> & uidsToAdd)622 Status TrafficController::addUidInterfaceRules(const int iif,
623 const std::vector<int32_t>& uidsToAdd) {
624 if (!iif) {
625 return statusFromErrno(EINVAL, "Interface rule must specify interface");
626 }
627 std::lock_guard guard(mMutex);
628
629 for (auto uid : uidsToAdd) {
630 netdutils::Status result = addRule(uid, IIF_MATCH, iif);
631 if (!isOk(result)) {
632 ALOGW("addRule failed(%d): uid=%d iif=%d", result.code(), uid, iif);
633 }
634 }
635 return netdutils::status::ok;
636 }
637
removeUidInterfaceRules(const std::vector<int32_t> & uidsToDelete)638 Status TrafficController::removeUidInterfaceRules(const std::vector<int32_t>& uidsToDelete) {
639 std::lock_guard guard(mMutex);
640
641 for (auto uid : uidsToDelete) {
642 netdutils::Status result = removeRule(uid, IIF_MATCH);
643 if (!isOk(result)) {
644 ALOGW("removeRule failed(%d): uid=%d", result.code(), uid);
645 }
646 }
647 return netdutils::status::ok;
648 }
649
replaceUidOwnerMap(const std::string & name,bool isAllowlist __unused,const std::vector<int32_t> & uids)650 int TrafficController::replaceUidOwnerMap(const std::string& name, bool isAllowlist __unused,
651 const std::vector<int32_t>& uids) {
652 // FirewallRule rule = isAllowlist ? ALLOW : DENY;
653 // FirewallType type = isAllowlist ? ALLOWLIST : DENYLIST;
654 Status res;
655 if (!name.compare(FirewallController::LOCAL_DOZABLE)) {
656 res = replaceRulesInMap(DOZABLE_MATCH, uids);
657 } else if (!name.compare(FirewallController::LOCAL_STANDBY)) {
658 res = replaceRulesInMap(STANDBY_MATCH, uids);
659 } else if (!name.compare(FirewallController::LOCAL_POWERSAVE)) {
660 res = replaceRulesInMap(POWERSAVE_MATCH, uids);
661 } else if (!name.compare(FirewallController::LOCAL_RESTRICTED)) {
662 res = replaceRulesInMap(RESTRICTED_MATCH, uids);
663 } else {
664 ALOGE("unknown chain name: %s", name.c_str());
665 return -EINVAL;
666 }
667 if (!isOk(res)) {
668 ALOGE("Failed to clean up chain: %s: %s", name.c_str(), res.msg().c_str());
669 return -res.code();
670 }
671 return 0;
672 }
673
toggleUidOwnerMap(ChildChain chain,bool enable)674 int TrafficController::toggleUidOwnerMap(ChildChain chain, bool enable) {
675 std::lock_guard guard(mMutex);
676 uint32_t key = UID_RULES_CONFIGURATION_KEY;
677 auto oldConfiguration = mConfigurationMap.readValue(key);
678 if (!oldConfiguration.ok()) {
679 ALOGE("Cannot read the old configuration from map: %s",
680 oldConfiguration.error().message().c_str());
681 return -oldConfiguration.error().code();
682 }
683 Status res;
684 BpfConfig newConfiguration;
685 uint8_t match;
686 switch (chain) {
687 case DOZABLE:
688 match = DOZABLE_MATCH;
689 break;
690 case STANDBY:
691 match = STANDBY_MATCH;
692 break;
693 case POWERSAVE:
694 match = POWERSAVE_MATCH;
695 break;
696 case RESTRICTED:
697 match = RESTRICTED_MATCH;
698 break;
699 default:
700 return -EINVAL;
701 }
702 newConfiguration =
703 enable ? (oldConfiguration.value() | match) : (oldConfiguration.value() & (~match));
704 res = mConfigurationMap.writeValue(key, newConfiguration, BPF_EXIST);
705 if (!isOk(res)) {
706 ALOGE("Failed to toggleUidOwnerMap(%d): %s", chain, res.msg().c_str());
707 }
708 return -res.code();
709 }
710
swapActiveStatsMap()711 Status TrafficController::swapActiveStatsMap() {
712 std::lock_guard guard(mMutex);
713
714 uint32_t key = CURRENT_STATS_MAP_CONFIGURATION_KEY;
715 auto oldConfiguration = mConfigurationMap.readValue(key);
716 if (!oldConfiguration.ok()) {
717 ALOGE("Cannot read the old configuration from map: %s",
718 oldConfiguration.error().message().c_str());
719 return Status(oldConfiguration.error().code(), oldConfiguration.error().message());
720 }
721
722 // Write to the configuration map to inform the kernel eBPF program to switch
723 // from using one map to the other. Use flag BPF_EXIST here since the map should
724 // be already populated in initMaps.
725 uint8_t newConfigure = (oldConfiguration.value() == SELECT_MAP_A) ? SELECT_MAP_B : SELECT_MAP_A;
726 auto res = mConfigurationMap.writeValue(CURRENT_STATS_MAP_CONFIGURATION_KEY, newConfigure,
727 BPF_EXIST);
728 if (!res.ok()) {
729 ALOGE("Failed to toggle the stats map: %s", strerror(res.error().code()));
730 return res;
731 }
732 // After changing the config, we need to make sure all the current running
733 // eBPF programs are finished and all the CPUs are aware of this config change
734 // before we modify the old map. So we do a special hack here to wait for
735 // the kernel to do a synchronize_rcu(). Once the kernel called
736 // synchronize_rcu(), the config we just updated will be available to all cores
737 // and the next eBPF programs triggered inside the kernel will use the new
738 // map configuration. So once this function returns we can safely modify the
739 // old stats map without concerning about race between the kernel and
740 // userspace.
741 int ret = synchronizeKernelRCU();
742 if (ret) {
743 ALOGE("map swap synchronize_rcu() ended with failure: %s", strerror(-ret));
744 return statusFromErrno(-ret, "map swap synchronize_rcu() failed");
745 }
746 return netdutils::status::ok;
747 }
748
setPermissionForUids(int permission,const std::vector<uid_t> & uids)749 void TrafficController::setPermissionForUids(int permission, const std::vector<uid_t>& uids) {
750 std::lock_guard guard(mMutex);
751 if (permission == INetd::PERMISSION_UNINSTALLED) {
752 for (uid_t uid : uids) {
753 // Clean up all permission information for the related uid if all the
754 // packages related to it are uninstalled.
755 mPrivilegedUser.erase(uid);
756 Status ret = mUidPermissionMap.deleteValue(uid);
757 if (!isOk(ret) && ret.code() != ENOENT) {
758 ALOGE("Failed to clean up the permission for %u: %s", uid, strerror(ret.code()));
759 }
760 }
761 return;
762 }
763
764 bool privileged = (permission & INetd::PERMISSION_UPDATE_DEVICE_STATS);
765
766 for (uid_t uid : uids) {
767 if (privileged) {
768 mPrivilegedUser.insert(uid);
769 } else {
770 mPrivilegedUser.erase(uid);
771 }
772
773 // The map stores all the permissions that the UID has, except if the only permission
774 // the UID has is the INTERNET permission, then the UID should not appear in the map.
775 if (permission != INetd::PERMISSION_INTERNET) {
776 Status ret = mUidPermissionMap.writeValue(uid, permission, BPF_ANY);
777 if (!isOk(ret)) {
778 ALOGE("Failed to set permission: %s of uid(%u) to permission map: %s",
779 UidPermissionTypeToString(permission).c_str(), uid, strerror(ret.code()));
780 }
781 } else {
782 Status ret = mUidPermissionMap.deleteValue(uid);
783 if (!isOk(ret) && ret.code() != ENOENT) {
784 ALOGE("Failed to remove uid %u from permission map: %s", uid, strerror(ret.code()));
785 }
786 }
787 }
788 }
789
getProgramStatus(const char * path)790 std::string getProgramStatus(const char *path) {
791 int ret = access(path, R_OK);
792 if (ret == 0) {
793 return StringPrintf("OK");
794 }
795 if (ret != 0 && errno == ENOENT) {
796 return StringPrintf("program is missing at: %s", path);
797 }
798 return StringPrintf("check Program %s error: %s", path, strerror(errno));
799 }
800
getMapStatus(const base::unique_fd & map_fd,const char * path)801 std::string getMapStatus(const base::unique_fd& map_fd, const char* path) {
802 if (map_fd.get() < 0) {
803 return StringPrintf("map fd lost");
804 }
805 if (access(path, F_OK) != 0) {
806 return StringPrintf("map not pinned to location: %s", path);
807 }
808 return StringPrintf("OK");
809 }
810
811 // NOLINTNEXTLINE(google-runtime-references): grandfathered pass by non-const reference
dumpBpfMap(const std::string & mapName,DumpWriter & dw,const std::string & header)812 void dumpBpfMap(const std::string& mapName, DumpWriter& dw, const std::string& header) {
813 dw.blankline();
814 dw.println("%s:", mapName.c_str());
815 if (!header.empty()) {
816 dw.println(header);
817 }
818 }
819
820 const String16 TrafficController::DUMP_KEYWORD = String16("trafficcontroller");
821
dump(DumpWriter & dw,bool verbose)822 void TrafficController::dump(DumpWriter& dw, bool verbose) {
823 std::lock_guard guard(mMutex);
824 ScopedIndent indentTop(dw);
825 dw.println("TrafficController");
826
827 ScopedIndent indentPreBpfModule(dw);
828
829 dw.blankline();
830 dw.println("mCookieTagMap status: %s",
831 getMapStatus(mCookieTagMap.getMap(), COOKIE_TAG_MAP_PATH).c_str());
832 dw.println("mUidCounterSetMap status: %s",
833 getMapStatus(mUidCounterSetMap.getMap(), UID_COUNTERSET_MAP_PATH).c_str());
834 dw.println("mAppUidStatsMap status: %s",
835 getMapStatus(mAppUidStatsMap.getMap(), APP_UID_STATS_MAP_PATH).c_str());
836 dw.println("mStatsMapA status: %s",
837 getMapStatus(mStatsMapA.getMap(), STATS_MAP_A_PATH).c_str());
838 dw.println("mStatsMapB status: %s",
839 getMapStatus(mStatsMapB.getMap(), STATS_MAP_B_PATH).c_str());
840 dw.println("mIfaceIndexNameMap status: %s",
841 getMapStatus(mIfaceIndexNameMap.getMap(), IFACE_INDEX_NAME_MAP_PATH).c_str());
842 dw.println("mIfaceStatsMap status: %s",
843 getMapStatus(mIfaceStatsMap.getMap(), IFACE_STATS_MAP_PATH).c_str());
844 dw.println("mConfigurationMap status: %s",
845 getMapStatus(mConfigurationMap.getMap(), CONFIGURATION_MAP_PATH).c_str());
846 dw.println("mUidOwnerMap status: %s",
847 getMapStatus(mUidOwnerMap.getMap(), UID_OWNER_MAP_PATH).c_str());
848
849 dw.blankline();
850 dw.println("Cgroup ingress program status: %s",
851 getProgramStatus(BPF_INGRESS_PROG_PATH).c_str());
852 dw.println("Cgroup egress program status: %s", getProgramStatus(BPF_EGRESS_PROG_PATH).c_str());
853 dw.println("xt_bpf ingress program status: %s",
854 getProgramStatus(XT_BPF_INGRESS_PROG_PATH).c_str());
855 dw.println("xt_bpf egress program status: %s",
856 getProgramStatus(XT_BPF_EGRESS_PROG_PATH).c_str());
857 dw.println("xt_bpf bandwidth allowlist program status: %s",
858 getProgramStatus(XT_BPF_ALLOWLIST_PROG_PATH).c_str());
859 dw.println("xt_bpf bandwidth denylist program status: %s",
860 getProgramStatus(XT_BPF_DENYLIST_PROG_PATH).c_str());
861
862 if (!verbose) {
863 return;
864 }
865
866 dw.blankline();
867 dw.println("BPF map content:");
868
869 ScopedIndent indentForMapContent(dw);
870
871 // Print CookieTagMap content.
872 dumpBpfMap("mCookieTagMap", dw, "");
873 const auto printCookieTagInfo = [&dw](const uint64_t& key, const UidTagValue& value,
874 const BpfMap<uint64_t, UidTagValue>&) {
875 dw.println("cookie=%" PRIu64 " tag=0x%x uid=%u", key, value.tag, value.uid);
876 return base::Result<void>();
877 };
878 base::Result<void> res = mCookieTagMap.iterateWithValue(printCookieTagInfo);
879 if (!res.ok()) {
880 dw.println("mCookieTagMap print end with error: %s", res.error().message().c_str());
881 }
882
883 // Print UidCounterSetMap Content
884 dumpBpfMap("mUidCounterSetMap", dw, "");
885 const auto printUidInfo = [&dw](const uint32_t& key, const uint8_t& value,
886 const BpfMap<uint32_t, uint8_t>&) {
887 dw.println("%u %u", key, value);
888 return base::Result<void>();
889 };
890 res = mUidCounterSetMap.iterateWithValue(printUidInfo);
891 if (!res.ok()) {
892 dw.println("mUidCounterSetMap print end with error: %s", res.error().message().c_str());
893 }
894
895 // Print AppUidStatsMap content
896 std::string appUidStatsHeader = StringPrintf("uid rxBytes rxPackets txBytes txPackets");
897 dumpBpfMap("mAppUidStatsMap:", dw, appUidStatsHeader);
898 auto printAppUidStatsInfo = [&dw](const uint32_t& key, const StatsValue& value,
899 const BpfMap<uint32_t, StatsValue>&) {
900 dw.println("%u %" PRIu64 " %" PRIu64 " %" PRIu64 " %" PRIu64, key, value.rxBytes,
901 value.rxPackets, value.txBytes, value.txPackets);
902 return base::Result<void>();
903 };
904 res = mAppUidStatsMap.iterateWithValue(printAppUidStatsInfo);
905 if (!res.ok()) {
906 dw.println("mAppUidStatsMap print end with error: %s", res.error().message().c_str());
907 }
908
909 // Print uidStatsMap content
910 std::string statsHeader = StringPrintf("ifaceIndex ifaceName tag_hex uid_int cnt_set rxBytes"
911 " rxPackets txBytes txPackets");
912 dumpBpfMap("mStatsMapA", dw, statsHeader);
913 const auto printStatsInfo = [&dw, this](const StatsKey& key, const StatsValue& value,
914 const BpfMap<StatsKey, StatsValue>&) {
915 uint32_t ifIndex = key.ifaceIndex;
916 auto ifname = mIfaceIndexNameMap.readValue(ifIndex);
917 if (!ifname.ok()) {
918 ifname = IfaceValue{"unknown"};
919 }
920 dw.println("%u %s 0x%x %u %u %" PRIu64 " %" PRIu64 " %" PRIu64 " %" PRIu64, ifIndex,
921 ifname.value().name, key.tag, key.uid, key.counterSet, value.rxBytes,
922 value.rxPackets, value.txBytes, value.txPackets);
923 return base::Result<void>();
924 };
925 res = mStatsMapA.iterateWithValue(printStatsInfo);
926 if (!res.ok()) {
927 dw.println("mStatsMapA print end with error: %s", res.error().message().c_str());
928 }
929
930 // Print TagStatsMap content.
931 dumpBpfMap("mStatsMapB", dw, statsHeader);
932 res = mStatsMapB.iterateWithValue(printStatsInfo);
933 if (!res.ok()) {
934 dw.println("mStatsMapB print end with error: %s", res.error().message().c_str());
935 }
936
937 // Print ifaceIndexToNameMap content.
938 dumpBpfMap("mIfaceIndexNameMap", dw, "");
939 const auto printIfaceNameInfo = [&dw](const uint32_t& key, const IfaceValue& value,
940 const BpfMap<uint32_t, IfaceValue>&) {
941 const char* ifname = value.name;
942 dw.println("ifaceIndex=%u ifaceName=%s", key, ifname);
943 return base::Result<void>();
944 };
945 res = mIfaceIndexNameMap.iterateWithValue(printIfaceNameInfo);
946 if (!res.ok()) {
947 dw.println("mIfaceIndexNameMap print end with error: %s", res.error().message().c_str());
948 }
949
950 // Print ifaceStatsMap content
951 std::string ifaceStatsHeader = StringPrintf("ifaceIndex ifaceName rxBytes rxPackets txBytes"
952 " txPackets");
953 dumpBpfMap("mIfaceStatsMap:", dw, ifaceStatsHeader);
954 const auto printIfaceStatsInfo = [&dw, this](const uint32_t& key, const StatsValue& value,
955 const BpfMap<uint32_t, StatsValue>&) {
956 auto ifname = mIfaceIndexNameMap.readValue(key);
957 if (!ifname.ok()) {
958 ifname = IfaceValue{"unknown"};
959 }
960 dw.println("%u %s %" PRIu64 " %" PRIu64 " %" PRIu64 " %" PRIu64, key, ifname.value().name,
961 value.rxBytes, value.rxPackets, value.txBytes, value.txPackets);
962 return base::Result<void>();
963 };
964 res = mIfaceStatsMap.iterateWithValue(printIfaceStatsInfo);
965 if (!res.ok()) {
966 dw.println("mIfaceStatsMap print end with error: %s", res.error().message().c_str());
967 }
968
969 dw.blankline();
970
971 uint32_t key = UID_RULES_CONFIGURATION_KEY;
972 auto configuration = mConfigurationMap.readValue(key);
973 if (configuration.ok()) {
974 dw.println("current ownerMatch configuration: %d%s", configuration.value(),
975 uidMatchTypeToString(configuration.value()).c_str());
976 } else {
977 dw.println("mConfigurationMap read ownerMatch configure failed with error: %s",
978 configuration.error().message().c_str());
979 }
980
981 key = CURRENT_STATS_MAP_CONFIGURATION_KEY;
982 configuration = mConfigurationMap.readValue(key);
983 if (configuration.ok()) {
984 const char* statsMapDescription = "???";
985 switch (configuration.value()) {
986 case SELECT_MAP_A:
987 statsMapDescription = "SELECT_MAP_A";
988 break;
989 case SELECT_MAP_B:
990 statsMapDescription = "SELECT_MAP_B";
991 break;
992 // No default clause, so if we ever add a third map, this code will fail to build.
993 }
994 dw.println("current statsMap configuration: %d %s", configuration.value(),
995 statsMapDescription);
996 } else {
997 dw.println("mConfigurationMap read stats map configure failed with error: %s",
998 configuration.error().message().c_str());
999 }
1000 dumpBpfMap("mUidOwnerMap", dw, "");
1001 const auto printUidMatchInfo = [&dw, this](const uint32_t& key, const UidOwnerValue& value,
1002 const BpfMap<uint32_t, UidOwnerValue>&) {
1003 if (value.rule & IIF_MATCH) {
1004 auto ifname = mIfaceIndexNameMap.readValue(value.iif);
1005 if (ifname.ok()) {
1006 dw.println("%u %s %s", key, uidMatchTypeToString(value.rule).c_str(),
1007 ifname.value().name);
1008 } else {
1009 dw.println("%u %s %u", key, uidMatchTypeToString(value.rule).c_str(), value.iif);
1010 }
1011 } else {
1012 dw.println("%u %s", key, uidMatchTypeToString(value.rule).c_str());
1013 }
1014 return base::Result<void>();
1015 };
1016 res = mUidOwnerMap.iterateWithValue(printUidMatchInfo);
1017 if (!res.ok()) {
1018 dw.println("mUidOwnerMap print end with error: %s", res.error().message().c_str());
1019 }
1020 dumpBpfMap("mUidPermissionMap", dw, "");
1021 const auto printUidPermissionInfo = [&dw](const uint32_t& key, const int& value,
1022 const BpfMap<uint32_t, uint8_t>&) {
1023 dw.println("%u %s", key, UidPermissionTypeToString(value).c_str());
1024 return base::Result<void>();
1025 };
1026 res = mUidPermissionMap.iterateWithValue(printUidPermissionInfo);
1027 if (!res.ok()) {
1028 dw.println("mUidPermissionMap print end with error: %s", res.error().message().c_str());
1029 }
1030
1031 dumpBpfMap("mPrivilegedUser", dw, "");
1032 for (uid_t uid : mPrivilegedUser) {
1033 dw.println("%u ALLOW_UPDATE_DEVICE_STATS", (uint32_t)uid);
1034 }
1035 }
1036
1037 } // namespace net
1038 } // namespace android
1039