1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #ifndef LOG_TAG
18 #define LOG_TAG "bpfloader"
19 #endif
20
21 #include <arpa/inet.h>
22 #include <dirent.h>
23 #include <elf.h>
24 #include <error.h>
25 #include <fcntl.h>
26 #include <inttypes.h>
27 #include <linux/bpf.h>
28 #include <linux/unistd.h>
29 #include <net/if.h>
30 #include <stdint.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <unistd.h>
35
36 #include <sys/mman.h>
37 #include <sys/socket.h>
38 #include <sys/stat.h>
39 #include <sys/types.h>
40
41 #include <android-base/logging.h>
42 #include <android-base/macros.h>
43 #include <android-base/properties.h>
44 #include <android-base/stringprintf.h>
45 #include <android-base/strings.h>
46 #include <android-base/unique_fd.h>
47 #include <libbpf_android.h>
48 #include <log/log.h>
49 #include <netdutils/Misc.h>
50 #include <netdutils/Slice.h>
51 #include "bpf/BpfUtils.h"
52
53 using android::base::EndsWith;
54 using android::bpf::domain;
55 using std::string;
56
57 constexpr unsigned long long kTetheringApexDomainBitmask =
58 domainToBitmask(domain::tethering) |
59 domainToBitmask(domain::net_private) |
60 domainToBitmask(domain::net_shared) |
61 domainToBitmask(domain::netd_readonly) |
62 domainToBitmask(domain::netd_shared);
63
64 // see b/162057235. For arbitrary program types, the concern is that due to the lack of
65 // SELinux access controls over BPF program attachpoints, we have no way to control the
66 // attachment of programs to shared resources (or to detect when a shared resource
67 // has one BPF program replace another that is attached there)
68 constexpr bpf_prog_type kVendorAllowedProgTypes[] = {
69 BPF_PROG_TYPE_SOCKET_FILTER,
70 };
71
72 struct Location {
73 const char* const dir;
74 const char* const prefix;
75 unsigned long long allowedDomainBitmask;
76 const bpf_prog_type* allowedProgTypes = nullptr;
77 size_t allowedProgTypesLength = 0;
78 };
79
80 const Location locations[] = {
81 // S+ Tethering mainline module (network_stack): tether offload
82 {
83 .dir = "/apex/com.android.tethering/etc/bpf/",
84 .prefix = "tethering/",
85 .allowedDomainBitmask = kTetheringApexDomainBitmask,
86 },
87 // T+ Tethering mainline module (shared with netd & system server)
88 // netutils_wrapper (for iptables xt_bpf) has access to programs
89 {
90 .dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
91 .prefix = "netd_shared/",
92 .allowedDomainBitmask = kTetheringApexDomainBitmask,
93 },
94 // T+ Tethering mainline module (shared with netd & system server)
95 // netutils_wrapper has no access, netd has read only access
96 {
97 .dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
98 .prefix = "netd_readonly/",
99 .allowedDomainBitmask = kTetheringApexDomainBitmask,
100 },
101 // T+ Tethering mainline module (shared with system server)
102 {
103 .dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
104 .prefix = "net_shared/",
105 .allowedDomainBitmask = kTetheringApexDomainBitmask,
106 },
107 // T+ Tethering mainline module (not shared, just network_stack)
108 {
109 .dir = "/apex/com.android.tethering/etc/bpf/net_private/",
110 .prefix = "net_private/",
111 .allowedDomainBitmask = kTetheringApexDomainBitmask,
112 },
113 // Core operating system
114 {
115 .dir = "/system/etc/bpf/",
116 .prefix = "",
117 .allowedDomainBitmask = domainToBitmask(domain::platform),
118 },
119 // Vendor operating system
120 {
121 .dir = "/vendor/etc/bpf/",
122 .prefix = "vendor/",
123 .allowedDomainBitmask = domainToBitmask(domain::vendor),
124 .allowedProgTypes = kVendorAllowedProgTypes,
125 .allowedProgTypesLength = arraysize(kVendorAllowedProgTypes),
126 },
127 };
128
loadAllElfObjects(const Location & location)129 int loadAllElfObjects(const Location& location) {
130 int retVal = 0;
131 DIR* dir;
132 struct dirent* ent;
133
134 if ((dir = opendir(location.dir)) != NULL) {
135 while ((ent = readdir(dir)) != NULL) {
136 string s = ent->d_name;
137 if (!EndsWith(s, ".o")) continue;
138
139 string progPath(location.dir);
140 progPath += s;
141
142 bool critical;
143 int ret = android::bpf::loadProg(progPath.c_str(), &critical,
144 location.prefix,
145 location.allowedDomainBitmask,
146 location.allowedProgTypes,
147 location.allowedProgTypesLength);
148 if (ret) {
149 if (critical) retVal = ret;
150 ALOGE("Failed to load object: %s, ret: %s", progPath.c_str(), std::strerror(-ret));
151 } else {
152 ALOGI("Loaded object: %s", progPath.c_str());
153 }
154 }
155 closedir(dir);
156 }
157 return retVal;
158 }
159
createSysFsBpfSubDir(const char * const prefix)160 void createSysFsBpfSubDir(const char* const prefix) {
161 if (*prefix) {
162 mode_t prevUmask = umask(0);
163
164 string s = "/sys/fs/bpf/";
165 s += prefix;
166
167 errno = 0;
168 int ret = mkdir(s.c_str(), S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO);
169 if (ret && errno != EEXIST) {
170 ALOGW("Failed to create directory: %s, ret: %s", s.c_str(), std::strerror(errno));
171 }
172
173 umask(prevUmask);
174 }
175 }
176
main(int argc,char ** argv)177 int main(int argc, char** argv) {
178 (void)argc;
179 android::base::InitLogging(argv, &android::base::KernelLogger);
180
181 // Create all the pin subdirectories
182 // (this must be done first to allow selinux_context and pin_subdir functionality,
183 // which could otherwise fail with ENOENT during object pinning or renaming,
184 // due to ordering issues)
185 for (const auto& location : locations) {
186 createSysFsBpfSubDir(location.prefix);
187 }
188
189 // Load all ELF objects, create programs and maps, and pin them
190 for (const auto& location : locations) {
191 if (loadAllElfObjects(location) != 0) {
192 ALOGE("=== CRITICAL FAILURE LOADING BPF PROGRAMS FROM %s ===", location.dir);
193 ALOGE("If this triggers reliably, you're probably missing kernel options or patches.");
194 ALOGE("If this triggers randomly, you might be hitting some memory allocation "
195 "problems or startup script race.");
196 ALOGE("--- DO NOT EXPECT SYSTEM TO BOOT SUCCESSFULLY ---");
197 sleep(20);
198 return 2;
199 }
200 }
201
202 int key = 1;
203 int value = 123;
204 android::base::unique_fd map(
205 android::bpf::createMap(BPF_MAP_TYPE_ARRAY, sizeof(key), sizeof(value), 2, 0));
206 if (android::bpf::writeToMapEntry(map, &key, &value, BPF_ANY)) {
207 ALOGE("Critical kernel bug - failure to write into index 1 of 2 element bpf map array.");
208 return 1;
209 }
210
211 if (android::base::SetProperty("bpf.progs_loaded", "1") == false) {
212 ALOGE("Failed to set bpf.progs_loaded property");
213 return 1;
214 }
215
216 return 0;
217 }
218