[automerger skipped] bpfRingbufProg: use named values not raw true/false values. am: a8e1252c3f -s ours
am skip reason: Merged-In Idd8055d823d98d8d0e2b3fe26246edc0c457e16b with SHA-1 4038b8f63e is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bpf/+/25167020
Change-Id: I1b3a324914f51c19b6fb84b159e6fd0fd331852e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/OWNERS b/OWNERS
index e58fb39..f37daeb 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,2 +1,2 @@
set noparent
-file:platform/system/bpf:master:/OWNERS_bpf
+file:platform/system/bpf:main:/OWNERS_bpf
diff --git a/OWNERS_bpf b/OWNERS_bpf
index f787768..7ba5ef1 100644
--- a/OWNERS_bpf
+++ b/OWNERS_bpf
@@ -2,3 +2,4 @@
maze@google.com
smoreland@google.com
sspatil@google.com
+nkapron@google.com
\ No newline at end of file
diff --git a/bpfloader/Android.bp b/bpfloader/Android.bp
index 09a5d3d..981c207 100644
--- a/bpfloader/Android.bp
+++ b/bpfloader/Android.bp
@@ -36,16 +36,13 @@
],
sanitize: {
integer_overflow: true,
- memtag_heap: true,
},
header_libs: ["bpf_headers"],
shared_libs: [
- "libcutils",
- "libbpf_android",
"libbase",
+ "libbpf_android",
"liblog",
- "libnetdutils",
],
srcs: [
"BpfLoader.cpp",
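Review bot: Dropping `memtag_heap: true` from the sanitize block removes heap memory tagging from a binary that bpfloader.rc runs with CHOWN, SYS_ADMIN and NET_ADMIN, and neither this hunk nor the commit message says why; the remaining `integer_overflow: true` sanitizer only catches arithmetic overflow, not the heap overflow and use-after-free classes MTE detects. If the option was removed deliberately (for example because it conflicts with the new netbpfload exec chain), record that next to `integer_overflow: true` as `// memtag_heap intentionally disabled: <reason>`; otherwise keep it. The shared_libs reorder and the removal of libcutils and libnetdutils match the include removals in BpfLoader.cpp, so those parts look fine.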
@@ -54,7 +51,8 @@
init_rc: ["bpfloader.rc"],
required: [
- "timeInState.o"
+ "netbpfload",
+ "timeInState.o",
],
product_variables: {
diff --git a/bpfloader/BpfLoader.cpp b/bpfloader/BpfLoader.cpp
index e53669a..f153b40 100644
--- a/bpfloader/BpfLoader.cpp
+++ b/bpfloader/BpfLoader.cpp
@@ -46,8 +46,6 @@
#include <android-base/unique_fd.h>
#include <libbpf_android.h>
#include <log/log.h>
-#include <netdutils/Misc.h>
-#include <netdutils/Slice.h>
#include "BpfSyscallWrappers.h"
#include "bpf/BpfUtils.h"
@@ -66,33 +64,6 @@
abort(); // can only hit this if permissions (likely selinux) are screwed up
}
-constexpr unsigned long long kTetheringApexDomainBitmask =
- domainToBitmask(domain::tethering) |
- domainToBitmask(domain::net_private) |
- domainToBitmask(domain::net_shared) |
- domainToBitmask(domain::netd_readonly) |
- domainToBitmask(domain::netd_shared);
-
-// Programs shipped inside the tethering apex should be limited to networking stuff,
-// as KPROBE, PERF_EVENT, TRACEPOINT are dangerous to use from mainline updatable code,
-// since they are less stable abi/api and may conflict with platform uses of bpf.
-constexpr bpf_prog_type kTetheringApexAllowedProgTypes[] = {
- BPF_PROG_TYPE_CGROUP_SKB,
- BPF_PROG_TYPE_CGROUP_SOCK,
- BPF_PROG_TYPE_CGROUP_SOCKOPT,
- BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
- BPF_PROG_TYPE_CGROUP_SYSCTL,
- BPF_PROG_TYPE_LWT_IN,
- BPF_PROG_TYPE_LWT_OUT,
- BPF_PROG_TYPE_LWT_SEG6LOCAL,
- BPF_PROG_TYPE_LWT_XMIT,
- BPF_PROG_TYPE_SCHED_ACT,
- BPF_PROG_TYPE_SCHED_CLS,
- BPF_PROG_TYPE_SOCKET_FILTER,
- BPF_PROG_TYPE_SOCK_OPS,
- BPF_PROG_TYPE_XDP,
-};
-
// Networking-related program types are limited to the Tethering Apex
// to prevent things from breaking due to conflicts on mainline updates
// (exception made for socket filters, ie. xt_bpf for potential use in iptables,
@@ -115,48 +86,6 @@
const android::bpf::Location locations[] = {
- // S+ Tethering mainline module (network_stack): tether offload
- {
- .dir = "/apex/com.android.tethering/etc/bpf/",
- .prefix = "tethering/",
- .allowedDomainBitmask = kTetheringApexDomainBitmask,
- .allowedProgTypes = kTetheringApexAllowedProgTypes,
- .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
- },
- // T+ Tethering mainline module (shared with netd & system server)
- // netutils_wrapper (for iptables xt_bpf) has access to programs
- {
- .dir = "/apex/com.android.tethering/etc/bpf/netd_shared/",
- .prefix = "netd_shared/",
- .allowedDomainBitmask = kTetheringApexDomainBitmask,
- .allowedProgTypes = kTetheringApexAllowedProgTypes,
- .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
- },
- // T+ Tethering mainline module (shared with netd & system server)
- // netutils_wrapper has no access, netd has read only access
- {
- .dir = "/apex/com.android.tethering/etc/bpf/netd_readonly/",
- .prefix = "netd_readonly/",
- .allowedDomainBitmask = kTetheringApexDomainBitmask,
- .allowedProgTypes = kTetheringApexAllowedProgTypes,
- .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
- },
- // T+ Tethering mainline module (shared with system server)
- {
- .dir = "/apex/com.android.tethering/etc/bpf/net_shared/",
- .prefix = "net_shared/",
- .allowedDomainBitmask = kTetheringApexDomainBitmask,
- .allowedProgTypes = kTetheringApexAllowedProgTypes,
- .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
- },
- // T+ Tethering mainline module (not shared, just network_stack)
- {
- .dir = "/apex/com.android.tethering/etc/bpf/net_private/",
- .prefix = "net_private/",
- .allowedDomainBitmask = kTetheringApexDomainBitmask,
- .allowedProgTypes = kTetheringApexAllowedProgTypes,
- .allowedProgTypesLength = arraysize(kTetheringApexAllowedProgTypes),
- },
// Core operating system
{
.dir = "/system/etc/bpf/",
@@ -251,13 +180,6 @@
(void)argc;
android::base::InitLogging(argv, &android::base::KernelLogger);
- // Ensure we can determine the Android build type.
- if (!android::bpf::isEng() && !android::bpf::isUser() && !android::bpf::isUserdebug()) {
- ALOGE("Failed to determine the build type: got %s, want 'eng', 'user', or 'userdebug'",
- android::bpf::getBuildType().c_str());
- return 1;
- }
-
// Linux 5.16-rc1 changed the default to 2 (disabled but changeable), but we need 0 (enabled)
// (this writeFile is known to fail on at least 4.19, but always defaults to 0 on pre-5.13,
// on 5.13+ it depends on CONFIG_BPF_UNPRIV_DEFAULT_OFF)
@@ -270,14 +192,12 @@
// kernel does not have CONFIG_BPF_JIT=y)
// BPF_JIT is required by R VINTF (which means 4.14/4.19/5.4 kernels),
// but 4.14/4.19 were released with P & Q, and only 5.4 is new in R+.
- if (writeProcSysFile("/proc/sys/net/core/bpf_jit_enable", "1\n") &&
- android::bpf::isAtLeastKernelVersion(5, 4, 0)) return 1;
+ if (writeProcSysFile("/proc/sys/net/core/bpf_jit_enable", "1\n")) return 1;
// Enable JIT kallsyms export for privileged users only
// (Note: this (open) will fail with ENOENT 'No such file or directory' if
// kernel does not have CONFIG_HAVE_EBPF_JIT=y)
- if (writeProcSysFile("/proc/sys/net/core/bpf_jit_kallsyms", "1\n") &&
- android::bpf::isAtLeastKernelVersion(5, 4, 0)) return 1;
+ if (writeProcSysFile("/proc/sys/net/core/bpf_jit_kallsyms", "1\n")) return 1;
// Create all the pin subdirectories
// (this must be done first to allow selinux_context and pin_subdir functionality,
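Review bot: The comment block at the top of this hunk still justifies a kernel-version gate ("BPF_JIT is required by R VINTF ... 4.14/4.19 were released with P & Q, and only 5.4 is new in R+"), but the new lines return 1 on any failed write to bpf_jit_enable or bpf_jit_kallsyms regardless of `isAtLeastKernelVersion`, so the comment now contradicts the code. Either rewrite that comment to state the new assumption, e.g. `// Writing these sysctls is mandatory on every kernel this loader supports; a failure aborts the loader.`, or keep the 5.4 gate if pre-5.4 kernels can still reach this code. The "privileged users only" wording for bpf_jit_kallsyms should stay, since that sysctl is what exposes JIT'd program addresses through kallsyms. The enclosing main() starts and ends outside this hunk.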
@@ -307,15 +227,6 @@
}
}
- int key = 1;
- int value = 123;
- android::base::unique_fd map(
- android::bpf::createMap(BPF_MAP_TYPE_ARRAY, sizeof(key), sizeof(value), 2, 0));
- if (android::bpf::writeToMapEntry(map, &key, &value, BPF_ANY)) {
- ALOGE("Critical kernel bug - failure to write into index 1 of 2 element bpf map array.");
- return 1;
- }
-
if (android::base::SetProperty("bpf.progs_loaded", "1") == false) {
ALOGE("Failed to set bpf.progs_loaded property");
return 1;
diff --git a/bpfloader/bpfloader.rc b/bpfloader/bpfloader.rc
index fd6eaea..14181dc 100644
--- a/bpfloader/bpfloader.rc
+++ b/bpfloader/bpfloader.rc
@@ -17,7 +17,8 @@
on load_bpf_programs
exec_start bpfloader
-service bpfloader /system/bin/bpfloader
+service bpfloader /system/bin/netbpfload
+ # netbpfload will do network bpf loading, then execute /system/bin/bpfloader
capabilities CHOWN SYS_ADMIN NET_ADMIN
# The following group memberships are a workaround for lack of DAC_OVERRIDE
# and allow us to open (among other things) files that we created and are
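Review bot: The service now starts /system/bin/netbpfload under the unchanged `capabilities CHOWN SYS_ADMIN NET_ADMIN` line while keeping the service name `bpfloader`, and the added comment does not say whether those capabilities are needed by netbpfload itself, by the bpfloader it later runs, or both. The word "execute" is also ambiguous between an exec() that replaces the process and spawning a child, which matters for how `reboot_on_failure` (referenced further down in this file) applies to the second stage. Suggest making the comment precise, e.g. `# netbpfload loads the network bpf programs, then exec()s /system/bin/bpfloader; the capabilities below are the union needed by both stages.` (adjust if the second stage is a child process rather than an exec).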
@@ -67,10 +68,10 @@
# 2. comment out 'reboot_on_failure reboot,bpfloader-failed' below
# 3. rebuild/reflash/reboot
# 4. as the device is booting up capture bpfloader logs via:
- # adb logcat -s 'bpfloader:*' 'LibBpfLoader:*'
+ # adb logcat -s 'bpfloader:*' 'LibBpfLoader:*' 'NetBpfLoad:*' 'NetBpfLoader:*'
#
# something like:
- # $ adb reboot; sleep 1; adb wait-for-device; adb root; sleep 1; adb wait-for-device; adb logcat -s 'bpfloader:*' 'LibBpfLoader:*'
+ # $ adb reboot; sleep 1; adb wait-for-device; adb root; sleep 1; adb wait-for-device; adb logcat -s 'bpfloader:*' 'LibBpfLoader:*' 'NetBpfLoad:*' 'NetBpfLoader:*'
# will take care of capturing logs as early as possible
#
# 5. look through the logs from the kernel's bpf verifier that bpfloader dumps out,
diff --git a/libbpf_android/Android.bp b/libbpf_android/Android.bp
index d8272cc..52fb043 100644
--- a/libbpf_android/Android.bp
+++ b/libbpf_android/Android.bp
@@ -39,7 +39,6 @@
shared_libs: [
"libbase",
- "libcutils",
"libutils",
"liblog",
],
diff --git a/libbpf_android/Loader.cpp b/libbpf_android/Loader.cpp
index d817614..229dd93 100644
--- a/libbpf_android/Loader.cpp
+++ b/libbpf_android/Loader.cpp
@@ -59,9 +59,9 @@
#include <android-base/cmsg.h>
#include <android-base/file.h>
+#include <android-base/properties.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
-#include <cutils/properties.h>
#define BPF_FS_PATH "/sys/fs/bpf/"
@@ -79,17 +79,11 @@
using std::string;
using std::vector;
-static std::string getBuildTypeInternal() {
- char value[PROPERTY_VALUE_MAX] = {};
- (void)property_get("ro.build.type", value, "unknown"); // ignore length
- return value;
-}
-
namespace android {
namespace bpf {
const std::string& getBuildType() {
- static std::string t = getBuildTypeInternal();
+ static std::string t = android::base::GetProperty("ro.build.type", "unknown");
return t;
}
@@ -99,11 +93,6 @@
switch (d) {
case domain::unspecified: return unspecified;
case domain::platform: return "fs_bpf";
- case domain::tethering: return "fs_bpf_tethering";
- case domain::net_private: return "fs_bpf_net_private";
- case domain::net_shared: return "fs_bpf_net_shared";
- case domain::netd_readonly: return "fs_bpf_netd_readonly";
- case domain::netd_shared: return "fs_bpf_netd_shared";
case domain::vendor: return "fs_bpf_vendor";
case domain::loader: return "fs_bpf_loader";
default: return "(unrecognized)";
@@ -131,11 +120,6 @@
switch (d) {
case domain::unspecified: return unspecified;
case domain::platform: return "/";
- case domain::tethering: return "tethering/";
- case domain::net_private: return "net_private/";
- case domain::net_shared: return "net_shared/";
- case domain::netd_readonly: return "netd_readonly/";
- case domain::netd_shared: return "netd_shared/";
case domain::vendor: return "vendor/";
case domain::loader: return "loader/";
default: return "(unrecognized)";
@@ -186,38 +170,13 @@
* Instead use the DEFINE_(BPF|XDP)_(PROG|MAP)... & LICENSE/CRITICAL macros.
*/
sectionType sectionNameTypes[] = {
- {"bind4/", BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_CGROUP_INET4_BIND},
- {"bind6/", BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_CGROUP_INET6_BIND},
- {"cgroupskb/", BPF_PROG_TYPE_CGROUP_SKB, BPF_ATTACH_TYPE_UNSPEC},
- {"cgroupsock/", BPF_PROG_TYPE_CGROUP_SOCK, BPF_ATTACH_TYPE_UNSPEC},
- {"connect4/", BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_CGROUP_INET4_CONNECT},
- {"connect6/", BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_CGROUP_INET6_CONNECT},
- {"egress/", BPF_PROG_TYPE_CGROUP_SKB, BPF_CGROUP_INET_EGRESS},
- {"getsockopt/", BPF_PROG_TYPE_CGROUP_SOCKOPT, BPF_CGROUP_GETSOCKOPT},
- {"ingress/", BPF_PROG_TYPE_CGROUP_SKB, BPF_CGROUP_INET_INGRESS},
{"kprobe/", BPF_PROG_TYPE_KPROBE, BPF_ATTACH_TYPE_UNSPEC},
{"kretprobe/", BPF_PROG_TYPE_KPROBE, BPF_ATTACH_TYPE_UNSPEC},
- {"lwt_in/", BPF_PROG_TYPE_LWT_IN, BPF_ATTACH_TYPE_UNSPEC},
- {"lwt_out/", BPF_PROG_TYPE_LWT_OUT, BPF_ATTACH_TYPE_UNSPEC},
- {"lwt_seg6local/", BPF_PROG_TYPE_LWT_SEG6LOCAL, BPF_ATTACH_TYPE_UNSPEC},
- {"lwt_xmit/", BPF_PROG_TYPE_LWT_XMIT, BPF_ATTACH_TYPE_UNSPEC},
{"perf_event/", BPF_PROG_TYPE_PERF_EVENT, BPF_ATTACH_TYPE_UNSPEC},
- {"postbind4/", BPF_PROG_TYPE_CGROUP_SOCK, BPF_CGROUP_INET4_POST_BIND},
- {"postbind6/", BPF_PROG_TYPE_CGROUP_SOCK, BPF_CGROUP_INET6_POST_BIND},
- {"recvmsg4/", BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_CGROUP_UDP4_RECVMSG},
- {"recvmsg6/", BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_CGROUP_UDP6_RECVMSG},
- {"schedact/", BPF_PROG_TYPE_SCHED_ACT, BPF_ATTACH_TYPE_UNSPEC},
- {"schedcls/", BPF_PROG_TYPE_SCHED_CLS, BPF_ATTACH_TYPE_UNSPEC},
- {"sendmsg4/", BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_CGROUP_UDP4_SENDMSG},
- {"sendmsg6/", BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_CGROUP_UDP6_SENDMSG},
- {"setsockopt/", BPF_PROG_TYPE_CGROUP_SOCKOPT, BPF_CGROUP_SETSOCKOPT},
{"skfilter/", BPF_PROG_TYPE_SOCKET_FILTER, BPF_ATTACH_TYPE_UNSPEC},
- {"sockops/", BPF_PROG_TYPE_SOCK_OPS, BPF_CGROUP_SOCK_OPS},
- {"sysctl", BPF_PROG_TYPE_CGROUP_SYSCTL, BPF_CGROUP_SYSCTL},
{"tracepoint/", BPF_PROG_TYPE_TRACEPOINT, BPF_ATTACH_TYPE_UNSPEC},
{"uprobe/", BPF_PROG_TYPE_KPROBE, BPF_ATTACH_TYPE_UNSPEC},
{"uretprobe/", BPF_PROG_TYPE_KPROBE, BPF_ATTACH_TYPE_UNSPEC},
- {"xdp/", BPF_PROG_TYPE_XDP, BPF_ATTACH_TYPE_UNSPEC},
};
typedef struct {
diff --git a/libbpf_android/include/libbpf_android.h b/libbpf_android/include/libbpf_android.h
index cc8a942..46c7970 100644
--- a/libbpf_android/include/libbpf_android.h
+++ b/libbpf_android/include/libbpf_android.h
@@ -40,11 +40,6 @@
unrecognized = -1, // invalid for this version of the bpfloader
unspecified = 0, // means just use the default for that specific pin location
platform, // fs_bpf /sys/fs/bpf
- tethering, // (S+) fs_bpf_tethering /sys/fs/bpf/tethering
- net_private, // (T+) fs_bpf_net_private /sys/fs/bpf/net_private
- net_shared, // (T+) fs_bpf_net_shared /sys/fs/bpf/net_shared
- netd_readonly, // (T+) fs_bpf_netd_readonly /sys/fs/bpf/netd_readonly
- netd_shared, // (T+) fs_bpf_netd_shared /sys/fs/bpf/netd_shared
vendor, // (T+) fs_bpf_vendor /sys/fs/bpf/vendor
loader, // (U+) fs_bpf_loader /sys/fs/bpf/loader
};
@@ -53,11 +48,6 @@
static constexpr domain AllDomains[] = {
domain::unspecified,
domain::platform,
- domain::tethering,
- domain::net_private,
- domain::net_shared,
- domain::netd_readonly,
- domain::netd_shared,
domain::vendor,
domain::loader,
};