1 /**
2 * Copyright (c) 2022, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "BpfHandler"
18
19 #include "BpfHandler.h"
20
21 #include <linux/bpf.h>
22
23 #include <android-base/unique_fd.h>
24 #include <bpf/WaitForProgsLoaded.h>
25 #include <log/log.h>
26 #include <netdutils/UidConstants.h>
27 #include <private/android_filesystem_config.h>
28
29 #include "BpfSyscallWrappers.h"
30
31 namespace android {
32 namespace net {
33
34 using base::unique_fd;
35 using bpf::NONEXISTENT_COOKIE;
36 using bpf::getSocketCookie;
37 using bpf::retrieveProgram;
38 using netdutils::Status;
39 using netdutils::statusFromErrno;
40
41 constexpr int PER_UID_STATS_ENTRIES_LIMIT = 500;
42 // At most 90% of the stats map may be used by tagged traffic entries. This ensures
43 // that 10% of the map is always available to count untagged traffic, one entry per UID.
44 // Otherwise, apps would be able to avoid data usage accounting entirely by filling up the
45 // map with tagged traffic entries.
46 constexpr int TOTAL_UID_STATS_ENTRIES_LIMIT = STATS_MAP_SIZE * 0.9;
47
48 static_assert(STATS_MAP_SIZE - TOTAL_UID_STATS_ENTRIES_LIMIT > 100,
49 "The limit for stats map is to high, stats data may be lost due to overflow");
50
attachProgramToCgroup(const char * programPath,const unique_fd & cgroupFd,bpf_attach_type type)51 static Status attachProgramToCgroup(const char* programPath, const unique_fd& cgroupFd,
52 bpf_attach_type type) {
53 unique_fd cgroupProg(retrieveProgram(programPath));
54 if (cgroupProg == -1) {
55 int ret = errno;
56 ALOGE("Failed to get program from %s: %s", programPath, strerror(ret));
57 return statusFromErrno(ret, "cgroup program get failed");
58 }
59 if (android::bpf::attachProgram(type, cgroupProg, cgroupFd)) {
60 int ret = errno;
61 ALOGE("Program from %s attach failed: %s", programPath, strerror(ret));
62 return statusFromErrno(ret, "program attach failed");
63 }
64 return netdutils::status::ok;
65 }
66
initPrograms(const char * cg2_path)67 static Status initPrograms(const char* cg2_path) {
68 unique_fd cg_fd(open(cg2_path, O_DIRECTORY | O_RDONLY | O_CLOEXEC));
69 if (cg_fd == -1) {
70 int ret = errno;
71 ALOGE("Failed to open the cgroup directory: %s", strerror(ret));
72 return statusFromErrno(ret, "Open the cgroup directory failed");
73 }
74 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_EGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_EGRESS));
75 RETURN_IF_NOT_OK(attachProgramToCgroup(BPF_INGRESS_PROG_PATH, cg_fd, BPF_CGROUP_INET_INGRESS));
76
77 // For the devices that support cgroup socket filter, the socket filter
78 // should be loaded successfully by bpfloader. So we attach the filter to
79 // cgroup if the program is pinned properly.
80 // TODO: delete the if statement once all devices should support cgroup
81 // socket filter (ie. the minimum kernel version required is 4.14).
82 if (!access(CGROUP_SOCKET_PROG_PATH, F_OK)) {
83 RETURN_IF_NOT_OK(
84 attachProgramToCgroup(CGROUP_SOCKET_PROG_PATH, cg_fd, BPF_CGROUP_INET_SOCK_CREATE));
85 }
86 return netdutils::status::ok;
87 }
88
BpfHandler()89 BpfHandler::BpfHandler()
90 : mPerUidStatsEntriesLimit(PER_UID_STATS_ENTRIES_LIMIT),
91 mTotalUidStatsEntriesLimit(TOTAL_UID_STATS_ENTRIES_LIMIT) {}
92
BpfHandler(uint32_t perUidLimit,uint32_t totalLimit)93 BpfHandler::BpfHandler(uint32_t perUidLimit, uint32_t totalLimit)
94 : mPerUidStatsEntriesLimit(perUidLimit), mTotalUidStatsEntriesLimit(totalLimit) {}
95
init(const char * cg2_path)96 Status BpfHandler::init(const char* cg2_path) {
97 // Make sure BPF programs are loaded before doing anything
98 android::bpf::waitForProgsLoaded();
99 ALOGI("BPF programs are loaded");
100
101 RETURN_IF_NOT_OK(initPrograms(cg2_path));
102 RETURN_IF_NOT_OK(initMaps());
103
104 return netdutils::status::ok;
105 }
106
initMaps()107 Status BpfHandler::initMaps() {
108 std::lock_guard guard(mMutex);
109 RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH));
110 RETURN_IF_NOT_OK(mStatsMapA.init(STATS_MAP_A_PATH));
111 RETURN_IF_NOT_OK(mStatsMapB.init(STATS_MAP_B_PATH));
112 RETURN_IF_NOT_OK(mConfigurationMap.init(CONFIGURATION_MAP_PATH));
113 RETURN_IF_NOT_OK(mUidPermissionMap.init(UID_PERMISSION_MAP_PATH));
114
115 return netdutils::status::ok;
116 }
117
hasUpdateDeviceStatsPermission(uid_t uid)118 bool BpfHandler::hasUpdateDeviceStatsPermission(uid_t uid) {
119 // This implementation is the same logic as method ActivityManager#checkComponentPermission.
120 // It implies that the real uid can never be the same as PER_USER_RANGE.
121 uint32_t appId = uid % PER_USER_RANGE;
122 auto permission = mUidPermissionMap.readValue(appId);
123 if (permission.ok() && (permission.value() & BPF_PERMISSION_UPDATE_DEVICE_STATS)) {
124 return true;
125 }
126 return ((appId == AID_ROOT) || (appId == AID_SYSTEM) || (appId == AID_DNS));
127 }
128
tagSocket(int sockFd,uint32_t tag,uid_t chargeUid,uid_t realUid)129 int BpfHandler::tagSocket(int sockFd, uint32_t tag, uid_t chargeUid, uid_t realUid) {
130 std::lock_guard guard(mMutex);
131 if (chargeUid != realUid && !hasUpdateDeviceStatsPermission(realUid)) {
132 return -EPERM;
133 }
134
135 // Note that tagging the socket to AID_CLAT is only implemented in JNI ClatCoordinator.
136 // The process is not allowed to tag socket to AID_CLAT via tagSocket() which would cause
137 // process data usage accounting to be bypassed. Tagging AID_CLAT is used for avoiding counting
138 // CLAT traffic data usage twice. See packages/modules/Connectivity/service/jni/
139 // com_android_server_connectivity_ClatCoordinator.cpp
140 if (chargeUid == AID_CLAT) {
141 return -EPERM;
142 }
143
144 // The socket destroy listener only monitors on the group {INET_TCP, INET_UDP, INET6_TCP,
145 // INET6_UDP}. Tagging listener unsupported socket causes that the tag can't be removed from
146 // tag map automatically. Eventually, the tag map may run out of space because of dead tag
147 // entries. Note that although tagSocket() of net client has already denied the family which
148 // is neither AF_INET nor AF_INET6, the family validation is still added here just in case.
149 // See tagSocket in system/netd/client/NetdClient.cpp and
150 // TrafficController::makeSkDestroyListener in
151 // packages/modules/Connectivity/service/native/TrafficController.cpp
152 // TODO: remove this once the socket destroy listener can detect more types of socket destroy.
153 int socketFamily;
154 socklen_t familyLen = sizeof(socketFamily);
155 if (getsockopt(sockFd, SOL_SOCKET, SO_DOMAIN, &socketFamily, &familyLen)) {
156 ALOGE("Failed to getsockopt SO_DOMAIN: %s, fd: %d", strerror(errno), sockFd);
157 return -errno;
158 }
159 if (socketFamily != AF_INET && socketFamily != AF_INET6) {
160 ALOGE("Unsupported family: %d", socketFamily);
161 return -EAFNOSUPPORT;
162 }
163
164 int socketProto;
165 socklen_t protoLen = sizeof(socketProto);
166 if (getsockopt(sockFd, SOL_SOCKET, SO_PROTOCOL, &socketProto, &protoLen)) {
167 ALOGE("Failed to getsockopt SO_PROTOCOL: %s, fd: %d", strerror(errno), sockFd);
168 return -errno;
169 }
170 if (socketProto != IPPROTO_UDP && socketProto != IPPROTO_TCP) {
171 ALOGE("Unsupported protocol: %d", socketProto);
172 return -EPROTONOSUPPORT;
173 }
174
175 uint64_t sock_cookie = getSocketCookie(sockFd);
176 if (sock_cookie == NONEXISTENT_COOKIE) return -errno;
177 UidTagValue newKey = {.uid = (uint32_t)chargeUid, .tag = tag};
178
179 uint32_t totalEntryCount = 0;
180 uint32_t perUidEntryCount = 0;
181 // Now we go through the stats map and count how many entries are associated
182 // with chargeUid. If the uid entry hit the limit for each chargeUid, we block
183 // the request to prevent the map from overflow. It is safe here to iterate
184 // over the map since when mMutex is hold, system server cannot toggle
185 // the live stats map and clean it. So nobody can delete entries from the map.
186 const auto countUidStatsEntries = [chargeUid, &totalEntryCount, &perUidEntryCount](
187 const StatsKey& key,
188 const BpfMap<StatsKey, StatsValue>&) {
189 if (key.uid == chargeUid) {
190 perUidEntryCount++;
191 }
192 totalEntryCount++;
193 return base::Result<void>();
194 };
195 auto configuration = mConfigurationMap.readValue(CURRENT_STATS_MAP_CONFIGURATION_KEY);
196 if (!configuration.ok()) {
197 ALOGE("Failed to get current configuration: %s, fd: %d",
198 strerror(configuration.error().code()), mConfigurationMap.getMap().get());
199 return -configuration.error().code();
200 }
201 if (configuration.value() != SELECT_MAP_A && configuration.value() != SELECT_MAP_B) {
202 ALOGE("unknown configuration value: %d", configuration.value());
203 return -EINVAL;
204 }
205
206 BpfMap<StatsKey, StatsValue>& currentMap =
207 (configuration.value() == SELECT_MAP_A) ? mStatsMapA : mStatsMapB;
208 // HACK: mStatsMapB becomes RW BpfMap here, but countUidStatsEntries doesn't modify so it works
209 base::Result<void> res = currentMap.iterate(countUidStatsEntries);
210 if (!res.ok()) {
211 ALOGE("Failed to count the stats entry in map %d: %s", currentMap.getMap().get(),
212 strerror(res.error().code()));
213 return -res.error().code();
214 }
215
216 if (totalEntryCount > mTotalUidStatsEntriesLimit ||
217 perUidEntryCount > mPerUidStatsEntriesLimit) {
218 ALOGE("Too many stats entries in the map, total count: %u, chargeUid(%u) count: %u,"
219 " blocking tag request to prevent map overflow",
220 totalEntryCount, chargeUid, perUidEntryCount);
221 return -EMFILE;
222 }
223 // Update the tag information of a socket to the cookieUidMap. Use BPF_ANY
224 // flag so it will insert a new entry to the map if that value doesn't exist
225 // yet. And update the tag if there is already a tag stored. Since the eBPF
226 // program in kernel only read this map, and is protected by rcu read lock. It
227 // should be fine to cocurrently update the map while eBPF program is running.
228 res = mCookieTagMap.writeValue(sock_cookie, newKey, BPF_ANY);
229 if (!res.ok()) {
230 ALOGE("Failed to tag the socket: %s, fd: %d", strerror(res.error().code()),
231 mCookieTagMap.getMap().get());
232 return -res.error().code();
233 }
234 return 0;
235 }
236
untagSocket(int sockFd)237 int BpfHandler::untagSocket(int sockFd) {
238 std::lock_guard guard(mMutex);
239 uint64_t sock_cookie = getSocketCookie(sockFd);
240
241 if (sock_cookie == NONEXISTENT_COOKIE) return -errno;
242 base::Result<void> res = mCookieTagMap.deleteValue(sock_cookie);
243 if (!res.ok()) {
244 ALOGE("Failed to untag socket: %s\n", strerror(res.error().code()));
245 return -res.error().code();
246 }
247 return 0;
248 }
249
250 } // namespace net
251 } // namespace android
252