We'd like to switch more of these, but this is the only one
where tests don't get in our way.

We'll fix the rest later.  This gives us an *example* for
further testing.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b280c7ba2d19644fc3cdd0c132de85f45df69b4

Per request of Lorenzo on:
  https://googleplex-android-review.git.corp.google.com/c/platform/frameworks/libs/net/+/18694820
  https://googleplex-android-review.git.corp.google.com/c/platform/packages/modules/Connectivity/+/18695355



Although he'd suggested 'BPF_MAP_TEST_ONLY',
but I think this is even clearer.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I796c939cba8866aca15f3dfff5a27ba986f74df6

Per request from Lorenzo on:
  https://googleplex-android-review.git.corp.google.com/c/platform/packages/modules/Connectivity/+/18695355


during cherrypick to tm-dev.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id9e856f1b1c042993e6429e55999bffd9dfb9b12

BpfMap.reset(createMap()) is equivalent to newly added BpfMap.resetMap(),
except that the latter makes it impossible to screw up the Key/Value sizes.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I290986e9ae8660f3fc6f73b086d33f4ab93d6095

We notice that:
  BpfMap.reset(dupFd_with_cloexec(BpfMap.getMap())
is equivalent to
  BpfMap = BpfMap
due to the current implementation of the BpfMap assignment operator.

Except the latter also verifies BpfMap<K,V> template types match.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I99fcf77bc6aa360b6a19e22c2cd58d67a1e62976

In the BPF code, per-UID network access (e.g., for doze mode,
standby, etc.) is stored in UidOwnerValue structures. Each of
these stores that UID's rules in a 32-bit bitmask of
UidOwnerMatchType values, so the code can support ~31 match
types.

However, which match types are enabled is stored in
configuration_map at index UID_RULES_CONFIGURATION_KEY, and
configuration_map only stores 8-bit values. So it's not
possible to define more than 7 match types.

Widen configuration_map to from 8 to 32 bits to match the width
of UidOwnerValue.rule. This doesn't impact memory because
configuration_map only has 2 entries.

Bug: 208371987
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7

In order to get counted by mts code coverage, these native tests need to
be run as part of mts.

Bug: 233904825
Test: m mts && mts-tradefed run mts-tethering-coverage
Change-Id: I79313197b146c7043ffb5e164faa46c2e16dd1d2

(for consistency with rest of code base)

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5660615f24daf4285e2b6cbacecb7cd99061c5f5

Configuration map index 1(CURRENT_STATS_MAP_CONFIGURATION_KEY) can only
have value 0(SELECT_MAP_A) or 1(SELECT_MAP_B). Return error if it is any
other values. Otherwise, read out of array boundary can cause memory
corruption or security issues.

Bug: 231420457
Test: TH
Change-Id: Ia800ad78781f72b8118469c0230cc550796d334e

S had a minimum kernel requirement of 4.9,
T bumps this up to 4.14, which adds net cgroup bpf support.

It's important to ship T with this otherwise we'll be forced
into trying to somehow support 4.9 kernels with T mainline
module updates for years and years, when we no longer have
any tests of the old code paths...

Test: TreeHugger
Bug: 232017472
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6e873f0815f176f5618278087132156c9974d6ea

This is a follow up commit for the family validation {INET, INET6}.
The protocol validation {TCP, UDP} has been added in previous
commit.

The TrafficController socket destroy listener only monitors
on the group {INET_TCP, INET_UDP, INET6_TCP, INET6_UDP}.
Tagging listener unsupported socket causes that the tag can't
be removed from tag map automatically. Eventually, the tag map
run out of space because of dead tag entries.

See TrafficController::makeSkDestroyListener in
packages/modules/Connectivity/service/native/TrafficController.cpp

Also address the comments from previous commit.
- Remove the useless else-statment in tagSocket protocol validation.
- Make the socket cookie query and test into one line in
  BpfHandlerTest#TestTagSocketWithUnsupportedProtocol

Bug: 223094609
Test: atest BpfHandlerTest
Change-Id: I0f571fc00caa01c86399f0dbb593e8a40ad94bbd

The TrafficController socket destroy listener only monitors
on the group {INET_TCP, INET_UDP, INET6_TCP, INET6_UDP}.
Tagging listener unsupported socket causes that the tag can't
be removed from tag map automatically. Eventually, the tag map
run out of space because of dead tag entries.

See TrafficController::makeSkDestroyListener in
packages/modules/Connectivity/service/native/TrafficController.cpp

Bug: 223094609
Test: atest BpfHandlerTest
Change-Id: Icc19b7c9f37fef498b89f43e44767f6b9e931a5a

The process is not allowed to tag socket to AID_CLAT via tagSocket()
which would cause process data usage accounting to be bypassed.

Bug: 218407445
Test: atest BpfHandlerTest
Change-Id: Ia7b071e1065733da25e9f02f34ccd17f63653217

Added SPDX-license-identifier-Apache-2.0 to:
  netd/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all
Change-Id: Ib1377fbb050fe52ee195eec58fea67ef769a487a

Before:
  $ adbz root && adbz wait-for-device && adbz shell ls -l /apex/com.android.tethering/{bin/for-system,lib,liv64}
  /apex/com.android.tethering/bin/for-system:
= -rwsr-sr-x 1 clat clat 18412 1969-12-31 16:00 clatd

  /apex/com.android.tethering/lib:
= -rw-r--r-- 1 system system  64560 1969-12-31 16:00 libandroid_net_connectivity_com_android_net_module_util_jni.so
= -rw-r--r-- 1 system system 713636 1969-12-31 16:00 libc++.so
= -rw-r--r-- 1 system system  13596 1969-12-31 16:00 libframework-connectivity-jni.so
d -rw-r--r-- 1 system system 212624 1969-12-31 16:00 libnetd_updatable.so
d -rw-r--r-- 1 system system 948044 1969-12-31 16:00 libservice-connectivity.so

After:
  $ adbz root && adbz wait-for-device && adbz shell ls -l /apex/com.android.
  /apex/com.android.tethering/bin/for-system:
= -rwsr-sr-x 1 clat clat 18412 1969-12-31 16:00 clatd

  /apex/com.android.tethering/lib:
= -rw-r--r-- 1 system system  64560 1969-12-31 16:00 libandroid_net_connectivity_com_android_net_module_util_jni.so
+ -rw-r--r-- 1 system system 251404 1969-12-31 16:00 libbase.so
= -rw-r--r-- 1 system system 713636 1969-12-31 16:00 libc++.so
= -rw-r--r-- 1 system system  13596 1969-12-31 16:00 libframework-connectivity-jni.so
d -rw-r--r-- 1 system system  45584 1969-12-31 16:00 libnetd_updatable.so
+ -rw-r--r-- 1 system system  95872 1969-12-31 16:00 libnetdutils.so
d -rw-r--r-- 1 system system 749980 1969-12-31 16:00 libservice-connectivity.so

Delta: -212624-948044+251404+45584+95872+749980 == -17828

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id88468442c4f3f24d5bca96b75effb69f20038bf

Before (aosp_cf_x86_phone-userdebug):
  $ adbz shell ls -l /apex/com.android.tethering/lib
  -rw-r--r-- 1 system system 251404 1969-12-31 16:00 libbase.so
  -rw-r--r-- 1 system system 713636 1969-12-31 16:00 libc++.so
  -rw-r--r-- 1 system system  64560 1969-12-31 16:00 libcom_android_connectivity_com_android_net_module_util_jni.so
  -rw-r--r-- 1 system system  13596 1969-12-31 16:00 libframework-connectivity-jni.so
  -rw-r--r-- 1 system system  45776 1969-12-31 16:00 libnetd_updatable.so
  -rw-r--r-- 1 system system 948032 1969-12-31 16:00 libservice-connectivity.so

After (aosp_cf_x86_phone-userdebug):
  $ adbz shell ls -l /apex/com.android.tethering/lib
  -rw-r--r-- 1 system system 713636 1969-12-31 16:00 libc++.so
  -rw-r--r-- 1 system system  64560 1969-12-31 16:00 libcom_android_connectivity_com_android_net_module_util_jni.so
  -rw-r--r-- 1 system system  13596 1969-12-31 16:00 libframework-connectivity-jni.so
  -rw-r--r-- 1 system system 212624 1969-12-31 16:00 libnetd_updatable.so
  -rw-r--r-- 1 system system 948032 1969-12-31 16:00 libservice-connectivity.so

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I19c9d73ba3555bbc1987fbdc0be19af1f0511948

1. Add libnetd_updatable.so in com.android.tethering. The library is
loaded by netd. Currently, it mainly targets on a few functions which
access BPF maps. The functionality may extend in the future.

2. Attach gcroup progs from libnetd_updatable.so.

3. Move (privileged)TagSocket and untagSocket implementation to mainline
module. Combine privilegedTagSocket and untagSocket into a single
function.

4. Split related unit tests from netd_unit_test to
libnetd_updatable_unit_test as well.

Bug: 202086915
Test: cd system/netd; atest
Test: atest TrafficStatsTest NetworkUsageStatsTest

Change-Id: Ib556458103a4cbb643c1342d9b689ac692160de0