1 /*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 // The resulting .o needs to load on the Android T Beta 3 bpfloader
18 #define BPFLOADER_MIN_VER BPFLOADER_T_BETA3_VERSION
19
20 #include <bpf_helpers.h>
21 #include <linux/bpf.h>
22 #include <linux/if.h>
23 #include <linux/if_ether.h>
24 #include <linux/if_packet.h>
25 #include <linux/in.h>
26 #include <linux/in6.h>
27 #include <linux/ip.h>
28 #include <linux/ipv6.h>
29 #include <linux/pkt_cls.h>
30 #include <linux/tcp.h>
31 #include <stdbool.h>
32 #include <stdint.h>
33 #include "bpf_net_helpers.h"
34 #include "netd.h"
35
36 // This is defined for cgroup bpf filter only.
37 static const int DROP = 0;
38 static const int PASS = 1;
39 static const int DROP_UNLESS_DNS = 2; // internal to our program
40
41 // This is used for xt_bpf program only.
42 static const int BPF_NOMATCH = 0;
43 static const int BPF_MATCH = 1;
44
45 // Used for 'bool enable_tracing'
46 static const bool TRACE_ON = true;
47 static const bool TRACE_OFF = false;
48
49 // offsetof(struct iphdr, ihl) -- but that's a bitfield
50 #define IPPROTO_IHL_OFF 0
51
52 // This is offsetof(struct tcphdr, "32 bit tcp flag field")
53 // The tcp flags are after be16 source, dest & be32 seq, ack_seq, hence 12 bytes in.
54 //
55 // Note that TCP_FLAG_{ACK,PSH,RST,SYN,FIN} are htonl(0x00{10,08,04,02,01}0000)
56 // see include/uapi/linux/tcp.h
57 #define TCP_FLAG32_OFF 12
58
59 // For maps netd does not need to access
60 #define DEFINE_BPF_MAP_NO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
61 DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
62 AID_ROOT, AID_NET_BW_ACCT, 0060, "fs_bpf_net_shared", "", false, \
63 BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, LOAD_ON_ENG, \
64 LOAD_ON_USER, LOAD_ON_USERDEBUG)
65
66 // For maps netd only needs read only access to
67 #define DEFINE_BPF_MAP_RO_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
68 DEFINE_BPF_MAP_EXT(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
69 AID_ROOT, AID_NET_BW_ACCT, 0460, "fs_bpf_netd_readonly", "", false, \
70 BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, LOAD_ON_ENG, \
71 LOAD_ON_USER, LOAD_ON_USERDEBUG)
72
73 // For maps netd needs to be able to read and write
74 #define DEFINE_BPF_MAP_RW_NETD(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries) \
75 DEFINE_BPF_MAP_UGM(the_map, TYPE, TypeOfKey, TypeOfValue, num_entries, \
76 AID_ROOT, AID_NET_BW_ACCT, 0660)
77
78 // Bpf map arrays on creation are preinitialized to 0 and do not support deletion of a key,
79 // see: kernel/bpf/arraymap.c array_map_delete_elem() returns -EINVAL (from both syscall and ebpf)
80 // Additionally on newer kernels the bpf jit can optimize out the lookups.
81 // only valid indexes are [0..CONFIGURATION_MAP_SIZE-1]
82 DEFINE_BPF_MAP_RO_NETD(configuration_map, ARRAY, uint32_t, uint32_t, CONFIGURATION_MAP_SIZE)
83
84 // TODO: consider whether we can merge some of these maps
85 // for example it might be possible to merge 2 or 3 of:
86 // uid_counterset_map + uid_owner_map + uid_permission_map
87 DEFINE_BPF_MAP_RW_NETD(cookie_tag_map, HASH, uint64_t, UidTagValue, COOKIE_UID_MAP_SIZE)
88 DEFINE_BPF_MAP_NO_NETD(uid_counterset_map, HASH, uint32_t, uint8_t, UID_COUNTERSET_MAP_SIZE)
89 DEFINE_BPF_MAP_NO_NETD(app_uid_stats_map, HASH, uint32_t, StatsValue, APP_STATS_MAP_SIZE)
90 DEFINE_BPF_MAP_RW_NETD(stats_map_A, HASH, StatsKey, StatsValue, STATS_MAP_SIZE)
91 DEFINE_BPF_MAP_RO_NETD(stats_map_B, HASH, StatsKey, StatsValue, STATS_MAP_SIZE)
92 DEFINE_BPF_MAP_NO_NETD(iface_stats_map, HASH, uint32_t, StatsValue, IFACE_STATS_MAP_SIZE)
93 DEFINE_BPF_MAP_NO_NETD(uid_owner_map, HASH, uint32_t, UidOwnerValue, UID_OWNER_MAP_SIZE)
94 DEFINE_BPF_MAP_RW_NETD(uid_permission_map, HASH, uint32_t, uint8_t, UID_OWNER_MAP_SIZE)
95
96 /* never actually used from ebpf */
97 DEFINE_BPF_MAP_NO_NETD(iface_index_name_map, HASH, uint32_t, IfaceValue, IFACE_INDEX_NAME_MAP_SIZE)
98
99 // A single-element configuration array, packet tracing is enabled when 'true'.
100 DEFINE_BPF_MAP_EXT(packet_trace_enabled_map, ARRAY, uint32_t, bool, 1,
101 AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", false,
102 BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, LOAD_ON_ENG,
103 IGNORE_ON_USER, LOAD_ON_USERDEBUG)
104
105 // A ring buffer on which packet information is pushed. This map will only be loaded
106 // on eng and userdebug devices. User devices won't load this to save memory.
107 DEFINE_BPF_RINGBUF_EXT(packet_trace_ringbuf, PacketTrace, PACKET_TRACE_BUF_SIZE,
108 AID_ROOT, AID_SYSTEM, 0060, "fs_bpf_net_shared", "", false,
109 BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, LOAD_ON_ENG,
110 IGNORE_ON_USER, LOAD_ON_USERDEBUG);
111
112 // iptables xt_bpf programs need to be usable by both netd and netutils_wrappers
113 // selinux contexts, because even non-xt_bpf iptables mutations are implemented as
114 // a full table dump, followed by an update in userspace, and then a reload into the kernel,
115 // where any already in-use xt_bpf matchers are serialized as the path to the pinned
116 // program (see XT_BPF_MODE_PATH_PINNED) and then the iptables binary (or rather
117 // the kernel acting on behalf of it) must be able to retrieve the pinned program
118 // for the reload to succeed
119 #define DEFINE_XTBPF_PROG(SECTION_NAME, prog_uid, prog_gid, the_prog) \
120 DEFINE_BPF_PROG(SECTION_NAME, prog_uid, prog_gid, the_prog)
121
122 // programs that need to be usable by netd, but not by netutils_wrappers
123 // (this is because these are currently attached by the mainline provided libnetd_updatable .so
124 // which is loaded into netd and thus runs as netd uid/gid/selinux context)
125 #define DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, prog_uid, prog_gid, the_prog, minKV, maxKV) \
126 DEFINE_BPF_PROG_EXT(SECTION_NAME, prog_uid, prog_gid, the_prog, \
127 minKV, maxKV, BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, false, \
128 "fs_bpf_netd_readonly", "", false, false, false)
129
130 #define DEFINE_NETD_BPF_PROG_KVER(SECTION_NAME, prog_uid, prog_gid, the_prog, min_kv) \
131 DEFINE_NETD_BPF_PROG_KVER_RANGE(SECTION_NAME, prog_uid, prog_gid, the_prog, min_kv, KVER_INF)
132
133 #define DEFINE_NETD_BPF_PROG(SECTION_NAME, prog_uid, prog_gid, the_prog) \
134 DEFINE_NETD_BPF_PROG_KVER(SECTION_NAME, prog_uid, prog_gid, the_prog, KVER_NONE)
135
136 // programs that only need to be usable by the system server
137 #define DEFINE_SYS_BPF_PROG(SECTION_NAME, prog_uid, prog_gid, the_prog) \
138 DEFINE_BPF_PROG_EXT(SECTION_NAME, prog_uid, prog_gid, the_prog, KVER_NONE, KVER_INF, \
139 BPFLOADER_MIN_VER, BPFLOADER_MAX_VER, false, "fs_bpf_net_shared", \
140 "", false, false, false)
141
is_system_uid(uint32_t uid)142 static __always_inline int is_system_uid(uint32_t uid) {
143 // MIN_SYSTEM_UID is AID_ROOT == 0, so uint32_t is *always* >= 0
144 // MAX_SYSTEM_UID is AID_NOBODY == 9999, while AID_APP_START == 10000
145 return (uid < AID_APP_START);
146 }
147
148 /*
149 * Note: this blindly assumes an MTU of 1500, and that packets > MTU are always TCP,
150 * and that TCP is using the Linux default settings with TCP timestamp option enabled
151 * which uses 12 TCP option bytes per frame.
152 *
153 * These are not unreasonable assumptions:
154 *
155 * The internet does not really support MTUs greater than 1500, so most TCP traffic will
156 * be at that MTU, or slightly below it (worst case our upwards adjustment is too small).
157 *
158 * The chance our traffic isn't IP at all is basically zero, so the IP overhead correction
159 * is bound to be needed.
160 *
161 * Furthermore, the likelyhood that we're having to deal with GSO (ie. > MTU) packets that
162 * are not IP/TCP is pretty small (few other things are supported by Linux) and worse case
163 * our extra overhead will be slightly off, but probably still better than assuming none.
164 *
165 * Most servers are also Linux and thus support/default to using TCP timestamp option
166 * (and indeed TCP timestamp option comes from RFC 1323 titled "TCP Extensions for High
167 * Performance" which also defined TCP window scaling and are thus absolutely ancient...).
168 *
169 * All together this should be more correct than if we simply ignored GSO frames
170 * (ie. counted them as single packets with no extra overhead)
171 *
172 * Especially since the number of packets is important for any future clat offload correction.
173 * (which adjusts upward by 20 bytes per packet to account for ipv4 -> ipv6 header conversion)
174 */
175 #define DEFINE_UPDATE_STATS(the_stats_map, TypeOfKey) \
176 static __always_inline inline void update_##the_stats_map(const struct __sk_buff* const skb, \
177 const TypeOfKey* const key, \
178 const bool egress, \
179 const unsigned kver) { \
180 StatsValue* value = bpf_##the_stats_map##_lookup_elem(key); \
181 if (!value) { \
182 StatsValue newValue = {}; \
183 bpf_##the_stats_map##_update_elem(key, &newValue, BPF_NOEXIST); \
184 value = bpf_##the_stats_map##_lookup_elem(key); \
185 } \
186 if (value) { \
187 const int mtu = 1500; \
188 uint64_t packets = 1; \
189 uint64_t bytes = skb->len; \
190 if (bytes > mtu) { \
191 bool is_ipv6 = (skb->protocol == htons(ETH_P_IPV6)); \
192 int ip_overhead = (is_ipv6 ? sizeof(struct ipv6hdr) : sizeof(struct iphdr)); \
193 int tcp_overhead = ip_overhead + sizeof(struct tcphdr) + 12; \
194 int mss = mtu - tcp_overhead; \
195 uint64_t payload = bytes - tcp_overhead; \
196 packets = (payload + mss - 1) / mss; \
197 bytes = tcp_overhead * packets + payload; \
198 } \
199 if (egress) { \
200 __sync_fetch_and_add(&value->txPackets, packets); \
201 __sync_fetch_and_add(&value->txBytes, bytes); \
202 } else { \
203 __sync_fetch_and_add(&value->rxPackets, packets); \
204 __sync_fetch_and_add(&value->rxBytes, bytes); \
205 } \
206 } \
207 }
208
DEFINE_UPDATE_STATS(app_uid_stats_map,uint32_t)209 DEFINE_UPDATE_STATS(app_uid_stats_map, uint32_t)
210 DEFINE_UPDATE_STATS(iface_stats_map, uint32_t)
211 DEFINE_UPDATE_STATS(stats_map_A, StatsKey)
212 DEFINE_UPDATE_STATS(stats_map_B, StatsKey)
213
214 // both of these return 0 on success or -EFAULT on failure (and zero out the buffer)
215 static __always_inline inline int bpf_skb_load_bytes_net(const struct __sk_buff* const skb,
216 const int L3_off,
217 void* const to,
218 const int len,
219 const unsigned kver) {
220 // 'kver' (here and throughout) is the compile time guaranteed minimum kernel version,
221 // ie. we're building (a version of) the bpf program for kver (or newer!) kernels.
222 //
223 // 4.19+ kernels support the 'bpf_skb_load_bytes_relative()' bpf helper function,
224 // so we can use it. On pre-4.19 kernels we cannot use the relative load helper,
225 // and thus will simply get things wrong if there's any L2 (ethernet) header in the skb.
226 //
227 // Luckily, for cellular traffic, there likely isn't any, as cell is usually 'rawip'.
228 //
229 // However, this does mean that wifi (and ethernet) on 4.14 is basically a lost cause:
230 // we'll be making decisions based on the *wrong* bytes (fetched from the wrong offset),
231 // because the 'L3_off' passed to bpf_skb_load_bytes() should be increased by l2_header_size,
232 // which for ethernet is 14 and not 0 like it is for rawip.
233 //
234 // For similar reasons this will fail with non-offloaded VLAN tags on < 4.19 kernels,
235 // since those extend the ethernet header from 14 to 18 bytes.
236 return kver >= KVER(4, 19, 0)
237 ? bpf_skb_load_bytes_relative(skb, L3_off, to, len, BPF_HDR_START_NET)
238 : bpf_skb_load_bytes(skb, L3_off, to, len);
239 }
240
do_packet_tracing(const struct __sk_buff * const skb,const bool egress,const uint32_t uid,const uint32_t tag,const bool enable_tracing,const unsigned kver)241 static __always_inline inline void do_packet_tracing(
242 const struct __sk_buff* const skb, const bool egress, const uint32_t uid,
243 const uint32_t tag, const bool enable_tracing, const unsigned kver) {
244 if (!enable_tracing) return;
245 if (kver < KVER(5, 8, 0)) return;
246
247 uint32_t mapKey = 0;
248 bool* traceConfig = bpf_packet_trace_enabled_map_lookup_elem(&mapKey);
249 if (traceConfig == NULL) return;
250 if (*traceConfig == false) return;
251
252 PacketTrace* pkt = bpf_packet_trace_ringbuf_reserve();
253 if (pkt == NULL) return;
254
255 // Errors from bpf_skb_load_bytes_net are ignored to favor returning something
256 // over returning nothing. In the event of an error, the kernel will fill in
257 // zero for the destination memory. Do not change the default '= 0' below.
258
259 uint8_t proto = 0;
260 uint8_t L4_off = 0;
261 uint8_t ipVersion = 0;
262 if (skb->protocol == htons(ETH_P_IP)) {
263 (void)bpf_skb_load_bytes_net(skb, IP4_OFFSET(protocol), &proto, sizeof(proto), kver);
264 (void)bpf_skb_load_bytes_net(skb, IPPROTO_IHL_OFF, &L4_off, sizeof(L4_off), kver);
265 L4_off = (L4_off & 0x0F) * 4; // IHL calculation.
266 ipVersion = 4;
267 } else if (skb->protocol == htons(ETH_P_IPV6)) {
268 (void)bpf_skb_load_bytes_net(skb, IP6_OFFSET(nexthdr), &proto, sizeof(proto), kver);
269 L4_off = sizeof(struct ipv6hdr);
270 ipVersion = 6;
271 }
272
273 uint8_t flags = 0;
274 __be16 sport = 0, dport = 0;
275 if (proto == IPPROTO_TCP && L4_off >= 20) {
276 (void)bpf_skb_load_bytes_net(skb, L4_off + TCP_FLAG32_OFF + 1, &flags, sizeof(flags), kver);
277 (void)bpf_skb_load_bytes_net(skb, L4_off + TCP_OFFSET(source), &sport, sizeof(sport), kver);
278 (void)bpf_skb_load_bytes_net(skb, L4_off + TCP_OFFSET(dest), &dport, sizeof(dport), kver);
279 } else if (proto == IPPROTO_UDP && L4_off >= 20) {
280 (void)bpf_skb_load_bytes_net(skb, L4_off + UDP_OFFSET(source), &sport, sizeof(sport), kver);
281 (void)bpf_skb_load_bytes_net(skb, L4_off + UDP_OFFSET(dest), &dport, sizeof(dport), kver);
282 }
283
284 pkt->timestampNs = bpf_ktime_get_boot_ns();
285 pkt->ifindex = skb->ifindex;
286 pkt->length = skb->len;
287
288 pkt->uid = uid;
289 pkt->tag = tag;
290 pkt->sport = sport;
291 pkt->dport = dport;
292
293 pkt->egress = egress;
294 pkt->ipProto = proto;
295 pkt->tcpFlags = flags;
296 pkt->ipVersion = ipVersion;
297
298 bpf_packet_trace_ringbuf_submit(pkt);
299 }
300
skip_owner_match(struct __sk_buff * skb,bool egress,const unsigned kver)301 static __always_inline inline bool skip_owner_match(struct __sk_buff* skb, bool egress,
302 const unsigned kver) {
303 uint32_t flag = 0;
304 if (skb->protocol == htons(ETH_P_IP)) {
305 uint8_t proto;
306 // no need to check for success, proto will be zeroed if bpf_skb_load_bytes_net() fails
307 (void)bpf_skb_load_bytes_net(skb, IP4_OFFSET(protocol), &proto, sizeof(proto), kver);
308 if (proto == IPPROTO_ESP) return true;
309 if (proto != IPPROTO_TCP) return false; // handles read failure above
310 uint8_t ihl;
311 // we don't check for success, as this cannot fail, as it is earlier in the packet than
312 // proto, the reading of which must have succeeded, additionally the next read
313 // (a little bit deeper in the packet in spite of ihl being zeroed) of the tcp flags
314 // field will also fail, and that failure we already handle correctly
315 // (we also don't check that ihl in [0x45,0x4F] nor that ipv4 header checksum is correct)
316 (void)bpf_skb_load_bytes_net(skb, IPPROTO_IHL_OFF, &ihl, sizeof(ihl), kver);
317 // if the read below fails, we'll just assume no TCP flags are set, which is fine.
318 (void)bpf_skb_load_bytes_net(skb, (ihl & 0xF) * 4 + TCP_FLAG32_OFF,
319 &flag, sizeof(flag), kver);
320 } else if (skb->protocol == htons(ETH_P_IPV6)) {
321 uint8_t proto;
322 // no need to check for success, proto will be zeroed if bpf_skb_load_bytes_net() fails
323 (void)bpf_skb_load_bytes_net(skb, IP6_OFFSET(nexthdr), &proto, sizeof(proto), kver);
324 if (proto == IPPROTO_ESP) return true;
325 if (proto != IPPROTO_TCP) return false; // handles read failure above
326 // if the read below fails, we'll just assume no TCP flags are set, which is fine.
327 (void)bpf_skb_load_bytes_net(skb, sizeof(struct ipv6hdr) + TCP_FLAG32_OFF,
328 &flag, sizeof(flag), kver);
329 } else {
330 return false;
331 }
332 // Always allow RST's, and additionally allow ingress FINs
333 return flag & (TCP_FLAG_RST | (egress ? 0 : TCP_FLAG_FIN)); // false on read failure
334 }
335
getConfig(uint32_t configKey)336 static __always_inline inline BpfConfig getConfig(uint32_t configKey) {
337 uint32_t mapSettingKey = configKey;
338 BpfConfig* config = bpf_configuration_map_lookup_elem(&mapSettingKey);
339 if (!config) {
340 // Couldn't read configuration entry. Assume everything is disabled.
341 return DEFAULT_CONFIG;
342 }
343 return *config;
344 }
345
346 // DROP_IF_SET is set of rules that DROP if rule is globally enabled, and per-uid bit is set
347 #define DROP_IF_SET (STANDBY_MATCH | OEM_DENY_1_MATCH | OEM_DENY_2_MATCH | OEM_DENY_3_MATCH)
348 // DROP_IF_UNSET is set of rules that should DROP if globally enabled, and per-uid bit is NOT set
349 #define DROP_IF_UNSET (DOZABLE_MATCH | POWERSAVE_MATCH | RESTRICTED_MATCH | LOW_POWER_STANDBY_MATCH)
350
bpf_owner_match(struct __sk_buff * skb,uint32_t uid,bool egress,const unsigned kver)351 static __always_inline inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid,
352 bool egress, const unsigned kver) {
353 if (is_system_uid(uid)) return PASS;
354
355 if (skip_owner_match(skb, egress, kver)) return PASS;
356
357 BpfConfig enabledRules = getConfig(UID_RULES_CONFIGURATION_KEY);
358
359 UidOwnerValue* uidEntry = bpf_uid_owner_map_lookup_elem(&uid);
360 uint32_t uidRules = uidEntry ? uidEntry->rule : 0;
361 uint32_t allowed_iif = uidEntry ? uidEntry->iif : 0;
362
363 // Warning: funky bit-wise arithmetic: in parallel, for all DROP_IF_SET/UNSET rules
364 // check whether the rules are globally enabled, and if so whether the rules are
365 // set/unset for the specific uid. DROP if that is the case for ANY of the rules.
366 // We achieve this by masking out only the bits/rules we're interested in checking,
367 // and negating (via bit-wise xor) the bits/rules that should drop if unset.
368 if (enabledRules & (DROP_IF_SET | DROP_IF_UNSET) & (uidRules ^ DROP_IF_UNSET)) return DROP;
369
370 if (!egress && skb->ifindex != 1) {
371 if (uidRules & IIF_MATCH) {
372 if (allowed_iif && skb->ifindex != allowed_iif) {
373 // Drops packets not coming from lo nor the allowed interface
374 // allowed interface=0 is a wildcard and does not drop packets
375 return DROP_UNLESS_DNS;
376 }
377 } else if (uidRules & LOCKDOWN_VPN_MATCH) {
378 // Drops packets not coming from lo and rule does not have IIF_MATCH but has
379 // LOCKDOWN_VPN_MATCH
380 return DROP_UNLESS_DNS;
381 }
382 }
383 return PASS;
384 }
385
update_stats_with_config(const uint32_t selectedMap,const struct __sk_buff * const skb,const StatsKey * const key,const bool egress,const unsigned kver)386 static __always_inline inline void update_stats_with_config(const uint32_t selectedMap,
387 const struct __sk_buff* const skb,
388 const StatsKey* const key,
389 const bool egress,
390 const unsigned kver) {
391 if (selectedMap == SELECT_MAP_A) {
392 update_stats_map_A(skb, key, egress, kver);
393 } else {
394 update_stats_map_B(skb, key, egress, kver);
395 }
396 }
397
bpf_traffic_account(struct __sk_buff * skb,bool egress,const bool enable_tracing,const unsigned kver)398 static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, bool egress,
399 const bool enable_tracing,
400 const unsigned kver) {
401 uint32_t sock_uid = bpf_get_socket_uid(skb);
402 uint64_t cookie = bpf_get_socket_cookie(skb);
403 UidTagValue* utag = bpf_cookie_tag_map_lookup_elem(&cookie);
404 uint32_t uid, tag;
405 if (utag) {
406 uid = utag->uid;
407 tag = utag->tag;
408 } else {
409 uid = sock_uid;
410 tag = 0;
411 }
412
413 // Always allow and never count clat traffic. Only the IPv4 traffic on the stacked
414 // interface is accounted for and subject to usage restrictions.
415 // TODO: remove sock_uid check once Nat464Xlat javaland adds the socket tag AID_CLAT for clat.
416 if (sock_uid == AID_CLAT || uid == AID_CLAT) {
417 return PASS;
418 }
419
420 int match = bpf_owner_match(skb, sock_uid, egress, kver);
421
422 // Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
423 // Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h
424 // and TrafficStatsConstants.java
425 #define TAG_SYSTEM_DNS 0xFFFFFF82
426 if (tag == TAG_SYSTEM_DNS && uid == AID_DNS) {
427 uid = sock_uid;
428 if (match == DROP_UNLESS_DNS) match = PASS;
429 } else {
430 if (match == DROP_UNLESS_DNS) match = DROP;
431 }
432
433 // If an outbound packet is going to be dropped, we do not count that traffic.
434 if (egress && (match == DROP)) return DROP;
435
436 StatsKey key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
437
438 uint8_t* counterSet = bpf_uid_counterset_map_lookup_elem(&uid);
439 if (counterSet) key.counterSet = (uint32_t)*counterSet;
440
441 uint32_t mapSettingKey = CURRENT_STATS_MAP_CONFIGURATION_KEY;
442 uint32_t* selectedMap = bpf_configuration_map_lookup_elem(&mapSettingKey);
443
444 // Use asm("%0 &= 1" : "+r"(match)) before return match,
445 // to help kernel's bpf verifier, so that it can be 100% certain
446 // that the returned value is always BPF_NOMATCH(0) or BPF_MATCH(1).
447 if (!selectedMap) {
448 asm("%0 &= 1" : "+r"(match));
449 return match;
450 }
451
452 do_packet_tracing(skb, egress, uid, tag, enable_tracing, kver);
453 update_stats_with_config(*selectedMap, skb, &key, egress, kver);
454 update_app_uid_stats_map(skb, &uid, egress, kver);
455 asm("%0 &= 1" : "+r"(match));
456 return match;
457 }
458
459 DEFINE_BPF_PROG_EXT("cgroupskb/ingress/stats$trace", AID_ROOT, AID_SYSTEM,
460 bpf_cgroup_ingress_trace, KVER(5, 8, 0), KVER_INF,
461 BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, false,
462 "fs_bpf_netd_readonly", "", false, true, false)
463 (struct __sk_buff* skb) {
464 return bpf_traffic_account(skb, INGRESS, TRACE_ON, KVER(5, 8, 0));
465 }
466
467 DEFINE_NETD_BPF_PROG_KVER_RANGE("cgroupskb/ingress/stats$4_19", AID_ROOT, AID_SYSTEM,
468 bpf_cgroup_ingress_4_19, KVER(4, 19, 0), KVER_INF)
469 (struct __sk_buff* skb) {
470 return bpf_traffic_account(skb, INGRESS, TRACE_OFF, KVER(4, 19, 0));
471 }
472
473 DEFINE_NETD_BPF_PROG_KVER_RANGE("cgroupskb/ingress/stats$4_14", AID_ROOT, AID_SYSTEM,
474 bpf_cgroup_ingress_4_14, KVER_NONE, KVER(4, 19, 0))
475 (struct __sk_buff* skb) {
476 return bpf_traffic_account(skb, INGRESS, TRACE_OFF, KVER_NONE);
477 }
478
479 DEFINE_BPF_PROG_EXT("cgroupskb/egress/stats$trace", AID_ROOT, AID_SYSTEM,
480 bpf_cgroup_egress_trace, KVER(5, 8, 0), KVER_INF,
481 BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, false,
482 "fs_bpf_netd_readonly", "", false, true, false)
483 (struct __sk_buff* skb) {
484 return bpf_traffic_account(skb, EGRESS, TRACE_ON, KVER(5, 8, 0));
485 }
486
487 DEFINE_NETD_BPF_PROG_KVER_RANGE("cgroupskb/egress/stats$4_19", AID_ROOT, AID_SYSTEM,
488 bpf_cgroup_egress_4_19, KVER(4, 19, 0), KVER_INF)
489 (struct __sk_buff* skb) {
490 return bpf_traffic_account(skb, EGRESS, TRACE_OFF, KVER(4, 19, 0));
491 }
492
493 DEFINE_NETD_BPF_PROG_KVER_RANGE("cgroupskb/egress/stats$4_14", AID_ROOT, AID_SYSTEM,
494 bpf_cgroup_egress_4_14, KVER_NONE, KVER(4, 19, 0))
495 (struct __sk_buff* skb) {
496 return bpf_traffic_account(skb, EGRESS, TRACE_OFF, KVER_NONE);
497 }
498
499 // WARNING: Android T's non-updatable netd depends on the name of this program.
500 DEFINE_XTBPF_PROG("skfilter/egress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_egress_prog)
501 (struct __sk_buff* skb) {
502 // Clat daemon does not generate new traffic, all its traffic is accounted for already
503 // on the v4-* interfaces (except for the 20 (or 28) extra bytes of IPv6 vs IPv4 overhead,
504 // but that can be corrected for later when merging v4-foo stats into interface foo's).
505 // TODO: remove sock_uid check once Nat464Xlat javaland adds the socket tag AID_CLAT for clat.
506 uint32_t sock_uid = bpf_get_socket_uid(skb);
507 if (sock_uid == AID_CLAT) return BPF_NOMATCH;
508 if (sock_uid == AID_SYSTEM) {
509 uint64_t cookie = bpf_get_socket_cookie(skb);
510 UidTagValue* utag = bpf_cookie_tag_map_lookup_elem(&cookie);
511 if (utag && utag->uid == AID_CLAT) return BPF_NOMATCH;
512 }
513
514 uint32_t key = skb->ifindex;
515 update_iface_stats_map(skb, &key, EGRESS, KVER_NONE);
516 return BPF_MATCH;
517 }
518
519 // WARNING: Android T's non-updatable netd depends on the name of this program.
520 DEFINE_XTBPF_PROG("skfilter/ingress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_ingress_prog)
521 (struct __sk_buff* skb) {
522 // Clat daemon traffic is not accounted by virtue of iptables raw prerouting drop rule
523 // (in clat_raw_PREROUTING chain), which triggers before this (in bw_raw_PREROUTING chain).
524 // It will be accounted for on the v4-* clat interface instead.
525 // Keep that in mind when moving this out of iptables xt_bpf and into tc ingress (or xdp).
526
527 uint32_t key = skb->ifindex;
528 update_iface_stats_map(skb, &key, INGRESS, KVER_NONE);
529 return BPF_MATCH;
530 }
531
532 DEFINE_SYS_BPF_PROG("schedact/ingress/account", AID_ROOT, AID_NET_ADMIN,
533 tc_bpf_ingress_account_prog)
534 (struct __sk_buff* skb) {
535 if (is_received_skb(skb)) {
536 // Account for ingress traffic before tc drops it.
537 uint32_t key = skb->ifindex;
538 update_iface_stats_map(skb, &key, INGRESS, KVER_NONE);
539 }
540 return TC_ACT_UNSPEC;
541 }
542
543 // WARNING: Android T's non-updatable netd depends on the name of this program.
544 DEFINE_XTBPF_PROG("skfilter/allowlist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_allowlist_prog)
545 (struct __sk_buff* skb) {
546 uint32_t sock_uid = bpf_get_socket_uid(skb);
547 if (is_system_uid(sock_uid)) return BPF_MATCH;
548
549 // 65534 is the overflow 'nobody' uid, usually this being returned means
550 // that skb->sk is NULL during RX (early decap socket lookup failure),
551 // which commonly happens for incoming packets to an unconnected udp socket.
552 // Additionally bpf_get_socket_cookie() returns 0 if skb->sk is NULL
553 if ((sock_uid == 65534) && !bpf_get_socket_cookie(skb) && is_received_skb(skb))
554 return BPF_MATCH;
555
556 UidOwnerValue* allowlistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
557 if (allowlistMatch) return allowlistMatch->rule & HAPPY_BOX_MATCH ? BPF_MATCH : BPF_NOMATCH;
558 return BPF_NOMATCH;
559 }
560
561 // WARNING: Android T's non-updatable netd depends on the name of this program.
562 DEFINE_XTBPF_PROG("skfilter/denylist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_denylist_prog)
563 (struct __sk_buff* skb) {
564 uint32_t sock_uid = bpf_get_socket_uid(skb);
565 UidOwnerValue* denylistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
566 if (denylistMatch) return denylistMatch->rule & PENALTY_BOX_MATCH ? BPF_MATCH : BPF_NOMATCH;
567 return BPF_NOMATCH;
568 }
569
570 DEFINE_NETD_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_create,
571 KVER(4, 14, 0))
572 (struct bpf_sock* sk) {
573 uint64_t gid_uid = bpf_get_current_uid_gid();
574 /*
575 * A given app is guaranteed to have the same app ID in all the profiles in
576 * which it is installed, and install permission is granted to app for all
577 * user at install time so we only check the appId part of a request uid at
578 * run time. See UserHandle#isSameApp for detail.
579 */
580 uint32_t appId = (gid_uid & 0xffffffff) % AID_USER_OFFSET; // == PER_USER_RANGE == 100000
581 uint8_t* permissions = bpf_uid_permission_map_lookup_elem(&appId);
582 if (!permissions) {
583 // UID not in map. Default to just INTERNET permission.
584 return 1;
585 }
586
587 // A return value of 1 means allow, everything else means deny.
588 return (*permissions & BPF_PERMISSION_INTERNET) == BPF_PERMISSION_INTERNET;
589 }
590
591 LICENSE("Apache 2.0");
592 CRITICAL("Connectivity and netd");
593