1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd. All rights reserved.
3
4 * The netsys.c is dual licensed: you can use it either under the terms of
5 * the GPL V2, or the 3-Clause BSD license, at your option.
6 * See the LICENSE file in the root of this repository for complete details.
7 */
8
9 #include <linux/bpf.h>
10 #include <linux/if_packet.h>
11 #include <linux/if.h>
12 #include <linux/if_ether.h>
13 #include <linux/string.h>
14 #include <stddef.h>
15 #include <stdint.h>
16
17 #include "bpf/bpf_helpers.h"
18 #include "bpf_def.h"
19
20 #ifdef FEATURE_NET_FIREWALL_ENABLE
21 #include "netfirewall/netfirewall.h"
22 #endif //FEATURE_NET_FIREWALL_ENABLE
23
24 #define SEC(NAME) __attribute__((section(NAME), used))
25
26 // network stats begin
27 bpf_map_def SEC("maps") iface_stats_map = {
28 .type = BPF_MAP_TYPE_HASH,
29 .key_size = sizeof(uint64_t),
30 .value_size = sizeof(iface_stats_value),
31 .max_entries = IFACE_STATS_MAP_SIZE,
32 .map_flags = 0,
33 .inner_map_idx = 0,
34 .numa_node = 0,
35 };
36
37 bpf_map_def SEC("maps") app_uid_stats_map = {
38 .type = BPF_MAP_TYPE_HASH,
39 .key_size = sizeof(uint64_t),
40 .value_size = sizeof(app_uid_stats_value),
41 .max_entries = APP_STATS_MAP_SIZE,
42 .map_flags = 0,
43 .inner_map_idx = 0,
44 .numa_node = 0,
45 };
46
47 bpf_map_def SEC("maps") sock_netns_map = {
48 .type = BPF_MAP_TYPE_HASH,
49 .key_size = sizeof(sock_netns_key),
50 .value_size = sizeof(sock_netns_value),
51 .max_entries = NET_NS_MAP_SIZE,
52 .map_flags = 0,
53 .inner_map_idx = 0,
54 .numa_node = 0,
55 };
56
57 bpf_map_def SEC("maps") app_uid_sim_stats_map = {
58 .type = BPF_MAP_TYPE_HASH,
59 .key_size = sizeof(app_uid_sim_stats_key),
60 .value_size = sizeof(app_uid_sim_stats_value),
61 .max_entries = APP_STATS_MAP_SIZE,
62 .map_flags = 0,
63 .inner_map_idx = 0,
64 .numa_node = 0,
65 };
66
67 bpf_map_def SEC("maps") app_uid_if_stats_map = {
68 .type = BPF_MAP_TYPE_HASH,
69 .key_size = sizeof(app_uid_if_stats_key),
70 .value_size = sizeof(app_uid_if_stats_value),
71 .max_entries = IFACE_NAME_MAP_SIZE,
72 .map_flags = 0,
73 .inner_map_idx = 0,
74 .numa_node = 0,
75 };
76
77 bpf_map_def SEC("maps") app_cookie_stats_map = {
78 .type = BPF_MAP_TYPE_HASH,
79 .key_size = sizeof(socket_cookie_stats_key),
80 .value_size = sizeof(app_cookie_stats_value),
81 .max_entries = IFACE_NAME_MAP_SIZE,
82 .map_flags = 0,
83 .inner_map_idx = 0,
84 .numa_node = 0,
85 };
86
get_data_len(struct __sk_buff * skb)87 static inline __u32 get_data_len(struct __sk_buff *skb)
88 {
89 __u32 length = skb->len;
90 if (skb->vlan_present == 1) {
91 length += VLAN_HEADER_LENGTH;
92 }
93 if (skb->family == AF_INET) {
94 length += IPV4_HEADERS_LENGTH;
95 }
96 if (skb->family == AF_INET6) {
97 length += IPV6_HEADERS_LENGTH;
98 }
99 return length;
100 }
101
102 SEC("socket/iface/stats")
socket_iface_stats(struct __sk_buff * skb)103 int socket_iface_stats(struct __sk_buff *skb)
104 {
105 if (skb == NULL) {
106 return 1;
107 }
108
109 if (skb->pkt_type == PACKET_LOOPBACK) {
110 return 1;
111 }
112
113 uint64_t ifindex = skb->ifindex;
114 iface_stats_value *value_if = bpf_map_lookup_elem(&iface_stats_map, &ifindex);
115 if (value_if == NULL) {
116 iface_stats_value newValue = {};
117 bpf_map_update_elem(&iface_stats_map, &ifindex, &newValue, BPF_NOEXIST);
118 value_if = bpf_map_lookup_elem(&iface_stats_map, &ifindex);
119 }
120
121 if (skb->pkt_type == PACKET_OUTGOING) {
122 if (value_if != NULL) {
123 __sync_fetch_and_add(&value_if->txPackets, 1);
124 __sync_fetch_and_add(&value_if->txBytes, skb->len);
125 }
126 } else {
127 if (value_if != NULL) {
128 __sync_fetch_and_add(&value_if->rxPackets, 1);
129 __sync_fetch_and_add(&value_if->rxBytes, skb->len);
130 }
131 }
132 return 1;
133 }
134
135 bpf_map_def SEC("maps") app_uid_access_policy_map = {
136 .type = BPF_MAP_TYPE_HASH,
137 .key_size = sizeof(app_uid_key),
138 .value_size = sizeof(uid_access_policy_value),
139 .max_entries = UID_ACCESS_POLICY_ARRAY_SIZE,
140 .map_flags = BPF_F_NO_PREALLOC,
141 .inner_map_idx = 0,
142 .numa_node = 0,
143 };
144
145 bpf_map_def SEC("maps") broker_uid_access_policy_map = {
146 .type = BPF_MAP_TYPE_HASH,
147 .key_size = sizeof(app_uid_key),
148 .value_size = sizeof(app_uid_key),
149 .max_entries = 1,
150 .map_flags = BPF_F_NO_PREALLOC,
151 .inner_map_idx = 0,
152 .numa_node = 0,
153 };
154
155 bpf_map_def SEC("maps") net_index_and_iface_map = {
156 .type = BPF_MAP_TYPE_HASH,
157 .key_size = sizeof(net_index),
158 .value_size = sizeof(net_interface_name_id),
159 .max_entries = 5,
160 .map_flags = 0,
161 .inner_map_idx = 0,
162 .numa_node = 0,
163 };
164
check_socket_fwmark(__u32 mark)165 static inline net_bear_type_map_value check_socket_fwmark(__u32 mark)
166 {
167 __u8 explicitlySelected = (mark >> 16) & (0x1);
168 net_bear_type_map_value net_bear_mark_type = NETWORK_BEARER_TYPE_INITIAL;
169 // explicitlySelected == 1 means the socket fwmark is set
170 if (explicitlySelected == 1) {
171 void *ifaceC_map_ptr = &net_index_and_iface_map;
172 __u16 TmpnetId = mark & (0x0000FFFF);
173 net_interface_name_id *ifaceC = bpf_map_lookup_elem(ifaceC_map_ptr, &TmpnetId);
174 // ifaceC == NULL, default bear type (*net_bear_type) is used.
175 if (ifaceC != NULL) {
176 net_bear_mark_type = *ifaceC;
177 }
178 }
179 return net_bear_mark_type;
180 }
181
182 bpf_map_def SEC("maps") net_bear_type_map = {
183 .type = BPF_MAP_TYPE_HASH,
184 .key_size = sizeof(net_bear_id_key),
185 .value_size = sizeof(net_bear_type_map_value),
186 .max_entries = IFACE_NAME_MAP_SIZE,
187 .map_flags = 0,
188 .inner_map_idx = 0,
189 .numa_node = 0,
190 };
191
check_network_policy(net_bear_type_map_value net_bear_mark_type,uid_access_policy_value * netAccessPolicyValue)192 static inline __u8 check_network_policy(net_bear_type_map_value net_bear_mark_type,
193 uid_access_policy_value *netAccessPolicyValue)
194 {
195 if (((net_bear_mark_type == NETWORK_BEARER_TYPE_CELLULAR) ||
196 (netAccessPolicyValue->netIfIndex == NETWORK_BEARER_TYPE_CELLULAR)) &&
197 (!netAccessPolicyValue->cellularPolicy)) {
198 return 0;
199 }
200 if (((net_bear_mark_type == NETWORK_BEARER_TYPE_WIFI) ||
201 (netAccessPolicyValue->netIfIndex == NETWORK_BEARER_TYPE_WIFI)) &&
202 (!netAccessPolicyValue->wifiPolicy)) {
203 return 0;
204 }
205 if (netAccessPolicyValue->netIfIndex == NETWORK_BEARER_TYPE_INITIAL) {
206 void *net_bear_map_ptr = &net_bear_type_map;
207 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
208 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
209 if (net_bear_type == NULL) {
210 return 1;
211 }
212
213 if (((*net_bear_type == NETWORK_BEARER_TYPE_CELLULAR)) && (!netAccessPolicyValue->cellularPolicy)) {
214 return 0;
215 }
216 if (((*net_bear_type == NETWORK_BEARER_TYPE_WIFI)) && (!netAccessPolicyValue->wifiPolicy)) {
217 return 0;
218 }
219 }
220 return 1;
221 }
222
check_broker_policy(uint64_t uid)223 static inline __u64 check_broker_policy(uint64_t uid)
224 {
225 uint64_t network_access_uid = uid;
226 void* broker_map_ptr = &broker_uid_access_policy_map;
227 __u32 broker_default_uid = DEFAULT_BROKER_UID_KEY;
228 app_uid_key *broker_uid_value = bpf_map_lookup_elem(broker_map_ptr, &broker_default_uid);
229 if (broker_uid_value != NULL) {
230 network_access_uid = *broker_uid_value;
231 }
232 return network_access_uid;
233 }
234
filter_sim_stats(__u32 ipv4)235 static inline __u32 filter_sim_stats(__u32 ipv4)
236 {
237 if (IS_MATCHED_IP(ipv4, WLAN_IPv4) || IS_MATCHED_IP(ipv4, CELLULAR_IPv4) || IS_MATCHED_IP(ipv4, CELLULAR_IPv42)) {
238 return 1;
239 }
240 return 0;
241 }
242
get_iface_type(__u32 ipv4)243 static inline __u32 get_iface_type(__u32 ipv4)
244 {
245 if (IS_MATCHED_IP(ipv4, WLAN_IPv4)) {
246 return IFACE_TYPE_WIFI;
247 }
248 if (IS_MATCHED_IP(ipv4, CELLULAR_IPv4) || IS_MATCHED_IP(ipv4, CELLULAR_IPv42)) {
249 return IFACE_TYPE_CELLULAR;
250 }
251 return 0;
252 }
253
254 SEC("cgroup_skb/uid/ingress")
bpf_cgroup_skb_uid_ingress(struct __sk_buff * skb)255 int bpf_cgroup_skb_uid_ingress(struct __sk_buff *skb)
256 {
257 #ifdef FEATURE_NET_FIREWALL_ENABLE
258 if (skb == NULL) {
259 return 1;
260 }
261 if (netfirewall_policy_ingress(skb) != SK_PASS) {
262 return SK_DROP;
263 }
264 if (skb->pkt_type == PACKET_LOOPBACK) {
265 return 1;
266 }
267 #else
268 if (skb == NULL || skb->pkt_type == PACKET_LOOPBACK) {
269 return 1;
270 }
271 #endif
272
273 sock_netns_key key_sock_netns1 = bpf_get_socket_cookie(skb);
274 sock_netns_value *value_sock_netns1 = bpf_map_lookup_elem(&sock_netns_map, &key_sock_netns1);
275 sock_netns_key key_sock_netns2 = SOCK_COOKIE_ID_NULL;
276 sock_netns_value *value_sock_netns2 = bpf_map_lookup_elem(&sock_netns_map, &key_sock_netns2);
277 uint64_t sock_uid = bpf_get_socket_uid(skb);
278 uint64_t network_access_uid = sock_uid;
279 if (value_sock_netns1 != NULL && value_sock_netns2 != NULL && *value_sock_netns1 != *value_sock_netns2) {
280 network_access_uid = check_broker_policy(sock_uid);
281 }
282
283 uid_access_policy_value *netAccessPolicyValue =
284 bpf_map_lookup_elem(&app_uid_access_policy_map, &network_access_uid);
285 if (netAccessPolicyValue != NULL) {
286 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(skb->mark);
287 if (check_network_policy(net_bear_mark_type, netAccessPolicyValue) == 0) {
288 return 0;
289 }
290 }
291 app_uid_stats_value *value = bpf_map_lookup_elem(&app_uid_stats_map, &sock_uid);
292 if (value == NULL) {
293 app_uid_stats_value newValue = {};
294 bpf_map_update_elem(&app_uid_stats_map, &sock_uid, &newValue, BPF_NOEXIST);
295 value = bpf_map_lookup_elem(&app_uid_stats_map, &sock_uid);
296 }
297 if (value != NULL) {
298 __sync_fetch_and_add(&value->rxPackets, 1);
299 __sync_fetch_and_add(&value->rxBytes, skb->len);
300 }
301 socket_cookie_stats_key sock_cookie = bpf_get_socket_cookie(skb);
302 app_cookie_stats_value *value_cookie = bpf_map_lookup_elem(&app_cookie_stats_map, &sock_cookie);
303 if (value_cookie == NULL) {
304 app_cookie_stats_value newValue = {};
305 bpf_map_update_elem(&app_cookie_stats_map, &sock_cookie, &newValue, BPF_NOEXIST);
306 value_cookie = bpf_map_lookup_elem(&app_cookie_stats_map, &sock_cookie);
307 }
308 if (value_cookie != NULL) {
309 __sync_fetch_and_add(&value_cookie->rxPackets, 1);
310 __sync_fetch_and_add(&value_cookie->rxBytes, skb->len);
311 }
312
313 if ((sock_uid >= SIM_UID_MIN && sock_uid < SIM_UID_MAX) ||
314 (value_sock_netns1 != NULL && value_sock_netns2 != NULL && *value_sock_netns1 != *value_sock_netns2)) {
315 if (filter_sim_stats(skb->local_ip4) == 1) {
316 app_uid_sim_stats_key key_sim = {.uId = sock_uid, .ifIndex = skb->ifindex,
317 .ifType = get_iface_type(skb->local_ip4)};
318 app_uid_sim_stats_value *value_uid_sim = bpf_map_lookup_elem(&app_uid_sim_stats_map, &key_sim);
319 if (value_uid_sim == NULL) {
320 app_uid_sim_stats_value newValue = {};
321 bpf_map_update_elem(&app_uid_sim_stats_map, &key_sim, &newValue, BPF_NOEXIST);
322 value_uid_sim = bpf_map_lookup_elem(&app_uid_sim_stats_map, &key_sim);
323 }
324 if (value_uid_sim != NULL) {
325 __sync_fetch_and_add(&value_uid_sim->rxPackets, 1);
326 __sync_fetch_and_add(&value_uid_sim->rxBytes, get_data_len(skb));
327 }
328 }
329 } else {
330 app_uid_if_stats_key key = {.uId = sock_uid, .ifIndex = skb->ifindex};
331 app_uid_if_stats_value *value_uid_if = bpf_map_lookup_elem(&app_uid_if_stats_map, &key);
332 if (value_uid_if == NULL) {
333 app_uid_if_stats_value newValue = {};
334 bpf_map_update_elem(&app_uid_if_stats_map, &key, &newValue, BPF_NOEXIST);
335 value_uid_if = bpf_map_lookup_elem(&app_uid_if_stats_map, &key);
336 }
337 if (value_uid_if != NULL) {
338 __sync_fetch_and_add(&value_uid_if->rxPackets, 1);
339 __sync_fetch_and_add(&value_uid_if->rxBytes, get_data_len(skb));
340 }
341 }
342 return 1;
343 }
344
345 SEC("cgroup_skb/uid/egress")
bpf_cgroup_skb_uid_egress(struct __sk_buff * skb)346 int bpf_cgroup_skb_uid_egress(struct __sk_buff *skb)
347 {
348 #ifdef FEATURE_NET_FIREWALL_ENABLE
349 if (skb == NULL) {
350 return 1;
351 }
352 if (netfirewall_policy_egress(skb) != SK_PASS) {
353 return SK_DROP;
354 }
355 if (skb->pkt_type == PACKET_LOOPBACK) {
356 return 1;
357 }
358 #else
359 if (skb == NULL || skb->pkt_type == PACKET_LOOPBACK) {
360 return 1;
361 }
362 #endif
363
364 sock_netns_key key_sock_netns1 = bpf_get_socket_cookie(skb);
365 sock_netns_value *value_sock_netns1 = bpf_map_lookup_elem(&sock_netns_map, &key_sock_netns1);
366 sock_netns_key key_sock_netns2 = SOCK_COOKIE_ID_NULL;
367 sock_netns_value *value_sock_netns2 = bpf_map_lookup_elem(&sock_netns_map, &key_sock_netns2);
368 uint64_t sock_uid = bpf_get_socket_uid(skb);
369 uint64_t network_access_uid = sock_uid;
370 if (value_sock_netns1 != NULL && value_sock_netns2 != NULL && *value_sock_netns1 != *value_sock_netns2) {
371 network_access_uid = check_broker_policy(sock_uid);
372 }
373 uid_access_policy_value *netAccessPolicyValue =
374 bpf_map_lookup_elem(&app_uid_access_policy_map, &network_access_uid);
375 if (netAccessPolicyValue != NULL) {
376 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(skb->mark);
377 if (check_network_policy(net_bear_mark_type, netAccessPolicyValue) == 0) {
378 return 0;
379 }
380 }
381
382 app_uid_stats_value *value = bpf_map_lookup_elem(&app_uid_stats_map, &sock_uid);
383 if (value == NULL) {
384 app_uid_stats_value newValue = {};
385 bpf_map_update_elem(&app_uid_stats_map, &sock_uid, &newValue, BPF_NOEXIST);
386 value = bpf_map_lookup_elem(&app_uid_stats_map, &sock_uid);
387 }
388 if (value != NULL) {
389 __sync_fetch_and_add(&value->txPackets, 1);
390 __sync_fetch_and_add(&value->txBytes, skb->len);
391 }
392 socket_cookie_stats_key sock_cookie = bpf_get_socket_cookie(skb);
393 app_cookie_stats_value *value_cookie = bpf_map_lookup_elem(&app_cookie_stats_map, &sock_cookie);
394 if (value_cookie == NULL) {
395 app_cookie_stats_value newValue = {};
396 bpf_map_update_elem(&app_cookie_stats_map, &sock_cookie, &newValue, BPF_NOEXIST);
397 value_cookie = bpf_map_lookup_elem(&app_cookie_stats_map, &sock_cookie);
398 }
399 if (value_cookie != NULL) {
400 __sync_fetch_and_add(&value_cookie->txPackets, 1);
401 __sync_fetch_and_add(&value_cookie->txBytes, skb->len);
402 }
403
404 if ((sock_uid >= SIM_UID_MIN && sock_uid < SIM_UID_MAX) ||
405 (value_sock_netns1 != NULL && value_sock_netns2 != NULL && *value_sock_netns1 != *value_sock_netns2)) {
406 if (filter_sim_stats(skb->local_ip4) == 1) {
407 app_uid_sim_stats_key key_sim = {.uId = sock_uid, .ifIndex = skb->ifindex,
408 .ifType = get_iface_type(skb->local_ip4)};
409 app_uid_sim_stats_value *value_uid_sim = bpf_map_lookup_elem(&app_uid_sim_stats_map, &key_sim);
410 if (value_uid_sim == NULL) {
411 app_uid_sim_stats_value newValue = {};
412 bpf_map_update_elem(&app_uid_sim_stats_map, &key_sim, &newValue, BPF_NOEXIST);
413 value_uid_sim = bpf_map_lookup_elem(&app_uid_sim_stats_map, &key_sim);
414 }
415 if (value_uid_sim != NULL) {
416 __sync_fetch_and_add(&value_uid_sim->txPackets, 1);
417 __sync_fetch_and_add(&value_uid_sim->txBytes, get_data_len(skb));
418 }
419 }
420 } else {
421 app_uid_if_stats_key key = {.uId = sock_uid, .ifIndex = skb->ifindex};
422 app_uid_if_stats_value *value_uid_if = bpf_map_lookup_elem(&app_uid_if_stats_map, &key);
423 if (value_uid_if == NULL) {
424 app_uid_if_stats_value newValue = {};
425 bpf_map_update_elem(&app_uid_if_stats_map, &key, &newValue, BPF_NOEXIST);
426 value_uid_if = bpf_map_lookup_elem(&app_uid_if_stats_map, &key);
427 }
428 if (value_uid_if != NULL) {
429 __sync_fetch_and_add(&value_uid_if->txPackets, 1);
430 __sync_fetch_and_add(&value_uid_if->txBytes, get_data_len(skb));
431 }
432 }
433 return 1;
434 }
435 // network stats end
436
437 // internet permission begin
438 bpf_map_def SEC("maps") oh_sock_permission_map = {
439 .type = BPF_MAP_TYPE_HASH,
440 .key_size = sizeof(sock_permission_key),
441 .value_size = sizeof(sock_permission_value),
442 .max_entries = OH_SOCK_PERMISSION_MAP_SIZE,
443 };
444
445 bpf_map_def SEC("maps") broker_sock_permission_map = {
446 .type = BPF_MAP_TYPE_HASH,
447 .key_size = sizeof(sock_permission_key),
448 .value_size = sizeof(sock_permission_value),
449 .max_entries = BROKER_SOCK_PERMISSION_MAP_SIZE,
450 };
451
452 SEC("cgroup_sock/inet_create_socket")
inet_create_socket(struct bpf_sock * sk)453 int inet_create_socket(struct bpf_sock *sk)
454 {
455 sock_netns_key key_sock_netns1 = bpf_get_socket_cookie(sk);
456 sock_netns_value value_sock_netns1 = bpf_get_netns_cookie(sk);
457 bpf_map_update_elem(&sock_netns_map, &key_sock_netns1, &value_sock_netns1, BPF_NOEXIST);
458 sock_netns_key key_sock_netns2 = SOCK_COOKIE_ID_NULL;
459 sock_netns_value value_sock_netns2 = bpf_get_netns_cookie(NULL);
460 bpf_map_update_elem(&sock_netns_map, &key_sock_netns2, &value_sock_netns2, BPF_NOEXIST);
461
462 void *map_ptr = &oh_sock_permission_map;
463 if (bpf_get_netns_cookie(sk) != bpf_get_netns_cookie(NULL)) {
464 map_ptr = &broker_sock_permission_map;
465 }
466
467 __u64 uid_gid = bpf_get_current_uid_gid();
468 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
469 sock_permission_value *value = bpf_map_lookup_elem(map_ptr, &uid);
470 // value == NULL means that the process attached to this uid is not a hap process which started by appspawn
471 // it is a native process, native process should have this permission
472 if (value == NULL) {
473 return 1;
474 }
475 // *value == 0 means no permission
476 if (*value == 0) {
477 return 0;
478 }
479 return 1;
480 }
481
482 SEC("cgroup_sock/inet_release_socket")
inet_release_socket(struct bpf_sock * sk)483 int inet_release_socket(struct bpf_sock *sk)
484 {
485 sock_netns_key key_sock_netns = bpf_get_socket_cookie(sk);
486 bpf_map_delete_elem(&sock_netns_map, &key_sock_netns);
487
488 socket_cookie_stats_key key_sock_cookie = bpf_get_socket_cookie(sk);
489 bpf_map_delete_elem(&app_cookie_stats_map, &key_sock_cookie);
490 return 1;
491 }
492 // internet permission end
493
494 bpf_map_def SEC("maps") ringbuf_map = {
495 .type = BPF_MAP_TYPE_RINGBUF,
496 .max_entries = 256 * 1024 /* 256 KB */,
497 };
498
socket_check_network_policy(net_bear_type_map_value net_bear_mark_type,net_bear_type_map_value * net_bear_type,uid_access_policy_value * value)499 static inline __u8 socket_check_network_policy(net_bear_type_map_value net_bear_mark_type,
500 net_bear_type_map_value *net_bear_type, uid_access_policy_value *value)
501 {
502 if ((((net_bear_mark_type == NETWORK_BEARER_TYPE_WIFI) || (*net_bear_type == NETWORK_BEARER_TYPE_WIFI)) &&
503 (!value->wifiPolicy)) ||
504 (((net_bear_mark_type == NETWORK_BEARER_TYPE_CELLULAR) || (*net_bear_type == NETWORK_BEARER_TYPE_CELLULAR)) &&
505 (!value->cellularPolicy))) {
506 return 0;
507 }
508 return 1;
509 }
510
socket_ringbuf_event_submit(__u32 uid)511 static inline __u8 socket_ringbuf_event_submit(__u32 uid)
512 {
513 uint32_t *e;
514 e = bpf_ringbuf_reserve(&ringbuf_map, sizeof(*e), 0);
515 if (e) {
516 *e = uid;
517 bpf_ringbuf_submit(e, 0);
518 return 1;
519 }
520 return 0;
521 }
522
523 SEC("cgroup_addr/bind4")
inet_check_bind4(struct bpf_sock_addr * ctx)524 static int inet_check_bind4(struct bpf_sock_addr *ctx)
525 {
526 void *map_ptr = &app_uid_access_policy_map;
527 __u64 uid_gid = bpf_get_current_uid_gid();
528 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
529 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
530 uid = check_broker_policy(uid);
531 }
532
533 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
534 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
535 if (value == NULL) {
536 return 1;
537 }
538
539 void *net_bear_map_ptr = &net_bear_type_map;
540 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
541 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
542 if (net_bear_type == NULL) {
543 return 1;
544 }
545
546 struct bpf_sock *sk = ctx->sk;
547 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(sk->mark);
548 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
549 if (value->diagAckFlag) {
550 return 0;
551 }
552
553 // the policy configuration needs to be reconfirmed or the network bearer changes
554 if (value->configSetFromFlag) {
555 if (socket_ringbuf_event_submit(uid) != 0) {
556 value->diagAckFlag = 1;
557 }
558 }
559 value->netIfIndex = *net_bear_type;
560 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
561 return 0;
562 }
563
564 value->netIfIndex = *net_bear_type;
565 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
566 return 1;
567 }
568
569 SEC("cgroup_addr/bind6")
inet_check_bind6(struct bpf_sock_addr * ctx)570 static int inet_check_bind6(struct bpf_sock_addr *ctx)
571 {
572 void *map_ptr = &app_uid_access_policy_map;
573 __u64 uid_gid = bpf_get_current_uid_gid();
574 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
575 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
576 uid = check_broker_policy(uid);
577 }
578
579 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
580 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
581 if (value == NULL) {
582 return 1;
583 }
584
585 void *net_bear_map_ptr = &net_bear_type_map;
586 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
587 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
588 if (net_bear_type == NULL) {
589 return 1;
590 }
591
592 struct bpf_sock *sk = ctx->sk;
593 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(sk->mark);
594 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
595 if (value->diagAckFlag) {
596 return 0;
597 }
598
599 // the policy configuration needs to be reconfirmed or the network bearer changes
600 if (value->configSetFromFlag) {
601 if (socket_ringbuf_event_submit(uid) != 0) {
602 value->diagAckFlag = 1;
603 }
604 }
605 value->netIfIndex = *net_bear_type;
606 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
607 return 0;
608 }
609
610 value->netIfIndex = *net_bear_type;
611 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
612 return 1;
613 }
614
615 SEC("cgroup_addr/connect4")
inet_check_connect4(struct bpf_sock_addr * ctx)616 static int inet_check_connect4(struct bpf_sock_addr *ctx)
617 {
618 void *map_ptr = &app_uid_access_policy_map;
619 __u64 uid_gid = bpf_get_current_uid_gid();
620 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
621 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
622 uid = check_broker_policy(uid);
623 }
624
625 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
626 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
627 if (value == NULL) {
628 return 1;
629 }
630
631 void *net_bear_map_ptr = &net_bear_type_map;
632 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
633 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
634 if (net_bear_type == NULL) {
635 return 1;
636 }
637
638 struct bpf_sock *sk = ctx->sk;
639 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(sk->mark);
640 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
641 if (value->diagAckFlag) {
642 return 0;
643 }
644
645 // the policy configuration needs to be reconfirmed or the network bearer changes
646 if (value->configSetFromFlag) {
647 if (socket_ringbuf_event_submit(uid) != 0) {
648 value->diagAckFlag = 1;
649 }
650 }
651 value->netIfIndex = *net_bear_type;
652 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
653 return 0;
654 }
655
656 value->netIfIndex = *net_bear_type;
657 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
658 return 1;
659 }
660
661
662 SEC("cgroup_addr/connect6")
inet_check_connect6(struct bpf_sock_addr * ctx)663 static int inet_check_connect6(struct bpf_sock_addr *ctx)
664 {
665 void *map_ptr = &app_uid_access_policy_map;
666 __u64 uid_gid = bpf_get_current_uid_gid();
667 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
668 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
669 uid = check_broker_policy(uid);
670 }
671
672 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
673 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
674 if (value == NULL) {
675 return 1;
676 }
677
678 void *net_bear_map_ptr = &net_bear_type_map;
679 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
680 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
681 if (net_bear_type == NULL) {
682 return 1;
683 }
684
685 struct bpf_sock *sk = ctx->sk;
686 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(sk->mark);
687 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
688 if (value->diagAckFlag) {
689 return 0;
690 }
691
692 // the policy configuration needs to be reconfirmed or the network bearer changes
693 if (value->configSetFromFlag) {
694 if (socket_ringbuf_event_submit(uid) != 0) {
695 value->diagAckFlag = 1;
696 }
697 }
698 value->netIfIndex = *net_bear_type;
699 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
700 return 0;
701 }
702
703 value->netIfIndex = *net_bear_type;
704 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
705 return 1;
706 }
707
708 SEC("cgroup_addr/sendmsg4")
inet_check_sendmsg4(struct bpf_sock_addr * ctx)709 static int inet_check_sendmsg4(struct bpf_sock_addr *ctx)
710 {
711 void *map_ptr = &app_uid_access_policy_map;
712 __u64 uid_gid = bpf_get_current_uid_gid();
713 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
714 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
715 uid = check_broker_policy(uid);
716 }
717
718 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
719 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
720 if (value == NULL) {
721 return 1;
722 }
723
724 void *net_bear_map_ptr = &net_bear_type_map;
725 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
726 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
727 if (net_bear_type == NULL) {
728 return 1;
729 }
730
731 struct bpf_sock *sk = ctx->sk;
732 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(sk->mark);
733 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
734 if (value->diagAckFlag) {
735 return 0;
736 }
737
738 // the policy configuration needs to be reconfirmed or the network bearer changes
739 if (value->configSetFromFlag) {
740 if (socket_ringbuf_event_submit(uid) != 0) {
741 value->diagAckFlag = 1;
742 }
743 }
744 value->netIfIndex = *net_bear_type;
745 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
746 return 0;
747 }
748
749 value->netIfIndex = *net_bear_type;
750 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
751 return 1;
752 }
753
754 SEC("cgroup_addr/sendmsg6")
inet_check_sendmsg6(struct bpf_sock_addr * ctx)755 static int inet_check_sendmsg6(struct bpf_sock_addr *ctx)
756 {
757 void *map_ptr = &app_uid_access_policy_map;
758 __u64 uid_gid = bpf_get_current_uid_gid();
759 __u32 uid = (__u32)(uid_gid & 0x00000000FFFFFFFF);
760 if (bpf_get_netns_cookie(ctx) != bpf_get_netns_cookie(NULL)) {
761 uid = check_broker_policy(uid);
762 }
763
764 uid_access_policy_value *value = bpf_map_lookup_elem(map_ptr, &uid);
765 // value == NULL means that the process attached to this uid is not a hap process which has a default configuration
766 if (value == NULL) {
767 return 1;
768 }
769
770 void *net_bear_map_ptr = &net_bear_type_map;
771 net_bear_id_key net_bear_id = DEFAULT_NETWORK_BEARER_MAP_KEY;
772 net_bear_type_map_value *net_bear_type = bpf_map_lookup_elem(net_bear_map_ptr, &net_bear_id);
773 if (net_bear_type == NULL) {
774 return 1;
775 }
776
777 struct bpf_sock *sk = ctx->sk;
778 net_bear_type_map_value net_bear_mark_type = check_socket_fwmark(sk->mark);
779 if (socket_check_network_policy(net_bear_mark_type, net_bear_type, value) == 0) {
780 if (value->diagAckFlag) {
781 return 0;
782 }
783
784 // the policy configuration needs to be reconfirmed or the network bearer changes
785 if (value->configSetFromFlag) {
786 if (socket_ringbuf_event_submit(uid) != 0) {
787 value->diagAckFlag = 1;
788 }
789 }
790 value->netIfIndex = *net_bear_type;
791 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
792 return 0;
793 }
794
795 value->netIfIndex = *net_bear_type;
796 bpf_map_update_elem(map_ptr, &uid, value, BPF_NOEXIST);
797 return 1;
798 }
799
800 char g_license[] SEC("license") = "GPL";
801