  1. Oct 06, 2023
    • move BPF_CGROUP_INET*_BIND registration into BpfHandler · 3cb494fd
      Maciej Żenczykowski authored
      
      (in preparation for moving it into netbpfload)
      
      The programs themselves (in bpf_progs/block.c) required a 5.4+ kernel.
      
      We relax this restriction to 4.19+ as we don't have any 5.4 device coverage
      (while the pixel 4a 5G / 5 / 5a are all 4.19 devices).
      
      I believe we could relax it further to 4.14+ but Pixel 4/4xl/4a that
      would exercise those code paths are EOL and probably have poor to
      non existent test coverage, and we cannot do anything for 4.9 T devices
      anyway.
      
      Note: on <4.19 kernels (ie. T devices running 4.9/4.14, U running 4.14)
      this results in ConnectivityNativeService going from null to initialized
      (as the bpf map will exist).
      
      This doesn't hurt as the set/clear port interfaces are only ever
      called by vendor code on devices where the kernel doesn't support
      the older mechanism.  And even if you call them it will just set/clear
      the bits in the bpf bitmap, they just won't actually affect anything.
      
      We could flag the map itself as being 4.19+ as well, but I think
      I prefer the no-op map to exist...
      
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I1085addd22f4f3b709e1875049633832c5dac836
      3cb494fd
  2. Oct 04, 2023
  3. Sep 29, 2023
    • disallow 32-bit *system* userspace on 6.2+ · e061385b
      Maciej Żenczykowski authored

      https://android-developers.googleblog.com/2022/09/optimize-for-android-go-lessons-from-google-apps-part-1.html

      Year   Android   MinRAM
      2017   8/O       512 MB
      2018   9/P       512 MB
      2019   10/Q      512 MB
      2020   11/R      1 GB
      2021   12/S      1 GB
      2022   13/T      2 GB
      
      More than 4GB (and really even ~3..3.5 GB) of ram basically
      requires a 64-bit kernel, as no one wants to deal with
      debugging PAE kernel complexities.
      
      Devices newly launching on 2023's Android 14/U must use
      a 64-bit kernel.  5.15 LTS is highest supported by T.
      Hence 5.16+ must be a 64-bit kernel.
      (see vts_kernel_isa_test.cpp)
      
      Note:
      
      This change doesn't take effect until 2024's Android 15/V,
      and only then on the latest 6.~6 LTS, which will only be used
      with the latest SoCs, and will thus only affect the latest
      and thus premium devices (which likely have 10+ GB).
      By the time these 6.6 using SoCs reach lower end devices,
      it'll be 2026 or later, at which point I expect even
      low end devices will have 4+GB.
      
      Additionally note that technically this only affects
      mainline using devices.  Non mainline usecases can
      be customized (ie. for example this change reverted)
      by oems/vendors however they wish.  Although we
      won't be providing support (but considering the
      existing state of 32-bit testing, that's already
      pretty much the case).
      
      Test: TreeHugger
      Bug: 163141236
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I64f5db5a440465f0b48368815fea3029619a9681
      e061385b
    • reverse BpfMap & BpfMapRO inheritence to make sense · 7e2f53e7
      Maciej Żenczykowski authored
      
      Bug: 235590615
      Bug: 235907076
      Bug: 286003437
      Test: TreeHugger, m droid gpuservice_unittest libtimeinstate_test bpf_benchmark bpf_module_test libbpf_load_test && mma
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I020a898fe8b257040a100f146654d4a04b19f843
      7e2f53e7
  4. Sep 01, 2023
  5. Aug 20, 2023
  6. Jun 14, 2023
  7. Jun 05, 2023
  8. Jun 02, 2023
  9. May 15, 2023
  10. Apr 19, 2023
  11. Feb 22, 2023
  12. Dec 20, 2022
    • wire bpf_base_test into netd_updatable_unit_test · 70d30ec4
      Maciej Żenczykowski authored
      
      The 3 pre-existing //system/netd tests are:
        TEST_F(BpfBasicTest, TestCgroupMounted)
        TEST_F(BpfBasicTest, TestTagSocket)
        TEST_F(BpfBasicTest, TestCloseSocketWithoutUntag)
      which are directly related to BpfHandler.cpp implementation,
      as it implements:
        Status BpfHandler::init(const char* cg2_path)
        BpfHandler::tagSocket()
        BpfHandler::untagSocket()
      
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I1c01ae90904faaea54b427495c7a5deab8b1b900
      70d30ec4
  13. Dec 18, 2022
  14. Oct 27, 2022
    • Un-drop support for pre-4.14 kernels. · 3505b584
      Lorenzo Colitti authored
      This effectively reverts commit 6ed2ab9b,
      while ensuring that the program has the right permissions as
      defined in r.android.com/2130014 :
      
      oriole:/ # ls -lZ /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
      -r--r----- 1 root root u:object_r:fs_bpf_netd_readonly:s0  0 2022-10-27 20:05 /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
      
      Reason for revert: need to support 4.9 devices upgrading to T.
      
      The only thing that cannot currently be supported on those
      devices is the inet_create program which implements the
      INTERNET permission.
      
      Also, update bpf_existence_test so it does not check for the
      existence of the program on pre-4.14 devices.
      
      Bug: 254001921
      Test: atest bpf_existence_test
      Change-Id: I14f26cee5feeaae93b4d9710a7b9a2f835ff405f
      3505b584
  15. Sep 01, 2022
  16. Aug 15, 2022
  17. Aug 07, 2022
  18. Jun 21, 2022
    • switch netd_configuration_map from hash map to array · 9017a070
      Maciej Żenczykowski authored
      
      This eliminates the need for netd_updatable BpfHandler.cpp
      to initialize the hash map with a zero.
      
      On startup the map will be freshly initialized and thus zero.
      
      On restart it might not be empty, but it doesn't matter to netd.
      Furthermore the mainline component of the system server will
      re-initialize it again anyway:
      see service/native/TrafficController.cpp initMaps()
      
      This does remove the ability to call deleteValue on a key,
      since that would always return -EINVAL, but since we don't
      currently do that, that's really a feature.
      
      (It does suggest though that we should have a BpfMapNonNullable
       class which is writeable, but without a deleteValue() function)
      
      Additionally BpfMap arrays are more efficient for the kernel bpf jit
      compiler, as - on newer kernels - it can optimize the read/write
      into a simple memory access (as opposed to a bpf helper call).
      
      Before:
        $ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
        -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:20 /sys/fs/bpf/netd_shared/ map_netd_configuration_map
      
      After:
        $ adbz shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
        -r--rw---- 1 root net_bw_acct 0 2022-06-16 15:03 /sys/fs/bpf/netd_shared/map_netd_configuration_map
      
      Bug: 218408035
      Bug: 235590615
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
      (cherry picked from commit b10e055f)
      Merged-In: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
      9017a070
    • BpfHandler.h - switch mStatsMapB from BpfMap to BpfMapRO · eb9b6fad
      Maciej Żenczykowski authored
      
      We'd like to switch more of these (as netd should only be
      writing into the cookie map), but this is the only one
      where tests (and the BpfMap vs BpfMapRO inheritance inversion)
      don't get in our way.
      
      We'll fix the rest later.  This gives us an *example* for
      further testing.
      
      Bug: 218408035
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I9b280c7ba2d19644fc3cdd0c132de85f45df69b4
      (cherry picked from commit 21ce721b)
      Merged-In: I9b280c7ba2d19644fc3cdd0c132de85f45df69b4
      eb9b6fad
  19. Jun 16, 2022
    • switch netd_configuration_map from hash map to array · b10e055f
      Maciej Żenczykowski authored
      
      This eliminates the need for netd_updatable BpfHandler.cpp
      to initialize the hash map with a zero.
      
      On startup the map will be freshly initialized and thus zero.
      
      On restart it might not be empty, but it doesn't matter to netd.
      Furthermore the mainline component of the system server will
      re-initialize it again anyway:
      see service/native/TrafficController.cpp initMaps()
      
      This does remove the ability to call deleteValue on a key,
      since that would always return -EINVAL, but since we don't
      currently do that, that's really a feature.
      
      (It does suggest though that we should have a BpfMapNonNullable
       class which is writeable, but without a deleteValue() function)
      
      Additionally BpfMap arrays are more efficient for the kernel bpf jit
      compiler, as - on newer kernels - it can optimize the read/write
      into a simple memory access (as opposed to a bpf helper call).
      
      Before:
        $ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
        -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:20 /sys/fs/bpf/netd_shared/ map_netd_configuration_map
      
      After:
        $ adbz shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
        -r--rw---- 1 root net_bw_acct 0 2022-06-16 15:03 /sys/fs/bpf/netd_shared/map_netd_configuration_map
      
      Bug: 235590615
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
      b10e055f
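The message above (and its cherry-pick 9017a070 earlier on this page) relies on three properties of BPF array maps that are easy to state and worth seeing from userspace: every slot exists and reads as zero right after creation, BPF_MAP_DELETE_ELEM is refused with EINVAL, and a hash map behaves differently on both counts (no entry until written, ENOENT on lookup and delete). The following C program is an added example, not code from packages/modules/Connectivity or its authors; it calls bpf(2) directly and mirrors only the union bpf_attr fields these three commands use instead of including linux/bpf.h, so it builds without kernel headers. It needs Linux and permission to create BPF maps (CAP_BPF, or unprivileged BPF enabled); when map creation is refused, probe_map() reports that in created/create_errno instead of failing.

```c
// Added example (not from the Connectivity module): probe the userspace-visible
// semantics of BPF_MAP_TYPE_ARRAY vs BPF_MAP_TYPE_HASH through the raw bpf(2) syscall.
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

// Command and map-type numbers from uapi/linux/bpf.h, reproduced here so the
// example compiles without the kernel UAPI headers installed.
#define BPF_MAP_CREATE      0
#define BPF_MAP_LOOKUP_ELEM 1
#define BPF_MAP_DELETE_ELEM 3
#define BPF_MAP_TYPE_HASH   1
#define BPF_MAP_TYPE_ARRAY  2

// Minimal mirror of union bpf_attr: only the fields these commands use. The
// kernel accepts an attr shorter than its own as long as the covered prefix has
// the real layout and everything it does not cover is zero.
union bpf_attr_min {
    struct {                    // BPF_MAP_CREATE
        uint32_t map_type;
        uint32_t key_size;
        uint32_t value_size;
        uint32_t max_entries;
        uint32_t map_flags;
    } create;
    struct {                    // BPF_MAP_{LOOKUP,DELETE}_ELEM
        uint32_t map_fd;        // 4 bytes of padding follow, as in the kernel layout
        uint64_t key;           // userspace pointer to the key
        uint64_t value;         // userspace pointer to the value buffer (lookup only)
        uint64_t flags;
    } elem;
} __attribute__((aligned(8)));

struct map_probe {
    int created;            // 1 if the map was created; otherwise create_errno says why not
    int create_errno;
    int lookup_ok;          // 1 if looking up key 0 on the untouched map succeeded
    uint32_t value0;        // the value that lookup returned for key 0
    int delete_ret;         // return value of BPF_MAP_DELETE_ELEM on key 0
    int delete_errno;       // EINVAL for an array, ENOENT for an empty hash map
};

static long sys_bpf(int cmd, union bpf_attr_min *attr) {
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

// Create a 2-entry map with 4-byte keys and values; returns the fd or -1 (errno set).
static int create_map(uint32_t type) {
    union bpf_attr_min attr;
    memset(&attr, 0, sizeof(attr));
    attr.create.map_type = type;
    attr.create.key_size = sizeof(uint32_t);
    attr.create.value_size = sizeof(uint32_t);
    attr.create.max_entries = 2;
    return (int)sys_bpf(BPF_MAP_CREATE, &attr);
}

struct map_probe probe_map(uint32_t type) {
    struct map_probe p;
    memset(&p, 0, sizeof(p));
    int fd = create_map(type);
    if (fd < 0) {
        p.create_errno = errno;
        return p;
    }
    p.created = 1;

    uint32_t key = 0;
    uint32_t value = 0xdeadbeef;    // sentinel: overwritten only if the lookup succeeds
    union bpf_attr_min attr;
    memset(&attr, 0, sizeof(attr));
    attr.elem.map_fd = (uint32_t)fd;
    attr.elem.key = (uint64_t)(uintptr_t)&key;
    attr.elem.value = (uint64_t)(uintptr_t)&value;
    if (sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr) == 0) {
        p.lookup_ok = 1;
        p.value0 = value;           // 0 for a fresh array: the slot exists and is zeroed
    }

    memset(&attr, 0, sizeof(attr));
    attr.elem.map_fd = (uint32_t)fd;
    attr.elem.key = (uint64_t)(uintptr_t)&key;
    p.delete_ret = (int)sys_bpf(BPF_MAP_DELETE_ELEM, &attr);
    p.delete_errno = p.delete_ret == 0 ? 0 : errno;

    close(fd);
    return p;
}

int main(void) {
    const char *names[] = { "hash", "array" };
    const uint32_t types[] = { BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_ARRAY };
    for (int i = 0; i < 2; i++) {
        struct map_probe p = probe_map(types[i]);
        if (!p.created) {
            printf("%s: bpf(BPF_MAP_CREATE) failed: %s\n", names[i], strerror(p.create_errno));
            continue;
        }
        printf("%s: lookup(0) %s value=0x%x; delete(0) ret=%d errno=%s\n", names[i],
               p.lookup_ok ? "ok" : "failed", p.value0, p.delete_ret,
               p.delete_ret ? strerror(p.delete_errno) : "-");
    }
    return 0;
}
```

The practical consequence for a daemon like netd is the one the message draws: with an array there is no "key absent" state to initialise, so a writer that previously had to seed a zero entry can simply start using the slot, and a caller that tries deleteValue() gets EINVAL rather than silently returning the map to an uninitialised state.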
  20. Jun 14, 2022
  21. Jun 08, 2022
  22. Jun 01, 2022
    • Support more than 8 firewall chains / match types. · 90c0c3fd
      Lorenzo Colitti authored
      
      In the BPF code, per-UID network access (e.g., for doze mode,
      standby, etc.) is stored in UidOwnerValue structures. Each of
      these stores that UID's rules in a 32-bit bitmask of
      UidOwnerMatchType values, so the code can support ~31 match
      types.
      
      However, which match types are enabled is stored in
      configuration_map at index UID_RULES_CONFIGURATION_KEY, and
      configuration_map only stores 8-bit values. So it's not
      possible to define more than 7 match types.
      
      Widen configuration_map from 8 to 32 bits to match the width
      of UidOwnerValue.rule. This doesn't impact memory because
      configuration_map only has 2 entries.
      
      Bug: 208371987
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7
      (cherry picked from commit 60cbed38)
      Merged-In: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7
      90c0c3fd
  23. May 31, 2022
    • tests: simplify BpfMap.reset(createMap()) -> BpfMap.resetMap() · 439bac2e
      Maciej Żenczykowski authored
      
      BpfMap.reset(createMap()) is equivalent to newly added BpfMap.resetMap(),
      except that the latter makes it impossible to screw up the Key/Value sizes.
      
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I290986e9ae8660f3fc6f73b086d33f4ab93d6095
      439bac2e
    • simplify bpf tests and check type correctness · 55ab87aa
      Maciej Żenczykowski authored
      
      We notice that:
        BpfMap.reset(dupFd_with_cloexec(BpfMap.getMap()))
      is equivalent to
        BpfMap = BpfMap
      due to the current implementation of the BpfMap assignment operator.
      
      Except the latter also verifies BpfMap<K,V> template types match.
      
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I99fcf77bc6aa360b6a19e22c2cd58d67a1e62976
      55ab87aa
    • Support more than 8 firewall chains / match types. · 60cbed38
      Lorenzo Colitti authored
      
      In the BPF code, per-UID network access (e.g., for doze mode,
      standby, etc.) is stored in UidOwnerValue structures. Each of
      these stores that UID's rules in a 32-bit bitmask of
      UidOwnerMatchType values, so the code can support ~31 match
      types.
      
      However, which match types are enabled is stored in
      configuration_map at index UID_RULES_CONFIGURATION_KEY, and
      configuration_map only stores 8-bit values. So it's not
      possible to define more than 7 match types.
      
      Widen configuration_map from 8 to 32 bits to match the width
      of UidOwnerValue.rule. This doesn't impact memory because
      configuration_map only has 2 entries.
      
      Bug: 208371987
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7
      60cbed38
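The failure mode behind the message above (and its cherry-pick 90c0c3fd earlier on this page) is a fail-open one: the per-UID rule word is 32 bits wide, but the "which chains are enabled" word lived in an 8-bit map value, so enabling a ninth match type truncated to nothing and the chain was never enforced. The C program below is an added example, not code from the Connectivity module; the chain names, bit positions, the DENYLIST/ALLOWLIST split and the uid_allowed() decision are a simplified model invented for illustration, not the module's real UidOwnerMatchType values or its actual BPF program logic. It shows the same enabled set read back through an 8-bit and a 32-bit configuration value and what each does to the enforcement decision.

```c
// Added example (not from the Connectivity module): how an 8-bit configuration
// value silently disables firewall chains once more than 7 match types exist.
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

// Hypothetical match types, one bit each in a 32-bit mask. Names and bit
// positions are invented for this example, not the real UidOwnerMatchType enum.
enum match_type {
    CHAIN_PENALTY_BOX = 1u << 1,   // denylist: listed UIDs are dropped
    CHAIN_DOZABLE     = 1u << 2,   // allowlist: only listed UIDs pass
    CHAIN_STANDBY     = 1u << 3,   // allowlist
    CHAIN_POWERSAVE   = 1u << 4,   // allowlist
    CHAIN_OEM_DENY_7  = 1u << 7,   // denylist, 8th bit: still fits an 8-bit value
    CHAIN_OEM_DENY_8  = 1u << 8,   // denylist, 9th bit: the first one an 8-bit value loses
    CHAIN_BG_RESTRICT = 1u << 9,   // allowlist, 10th bit
};
#define DENYLIST_CHAINS  (CHAIN_PENALTY_BOX | CHAIN_OEM_DENY_7 | CHAIN_OEM_DENY_8)
#define ALLOWLIST_CHAINS (CHAIN_DOZABLE | CHAIN_STANDBY | CHAIN_POWERSAVE | CHAIN_BG_RESTRICT)

// The configuration map value type before and after the change: only the width differs.
typedef uint8_t  config_value_v1;   // pre-change: 8-bit value
typedef uint32_t config_value_v2;   // post-change: 32-bit, same width as the rule mask

// Writing the enabled-chain set into the narrow slot truncates silently: the map
// write succeeds and nothing reports the bits that were dropped.
uint32_t read_back_v1(uint32_t enabled) { config_value_v1 slot = (config_value_v1)enabled; return slot; }
uint32_t read_back_v2(uint32_t enabled) { config_value_v2 slot = enabled;                  return slot; }

// Simplified model of the per-packet decision (not the module's real logic): a UID
// is dropped if it is listed in any enabled denylist chain, or missing from any
// enabled allowlist chain. A chain whose enable bit was truncated away is never consulted.
bool uid_allowed(uint32_t enabled_chains, uint32_t uid_rules) {
    if (uid_rules & (enabled_chains & DENYLIST_CHAINS)) return false;
    if ((enabled_chains & ALLOWLIST_CHAINS) & ~uid_rules) return false;
    return true;
}

// The same decision as seen through each map layout.
bool allowed_v1(uint32_t enabled, uint32_t uid_rules) { return uid_allowed(read_back_v1(enabled), uid_rules); }
bool allowed_v2(uint32_t enabled, uint32_t uid_rules) { return uid_allowed(read_back_v2(enabled), uid_rules); }

int main(void) {
    // Constructed cases: (chains the policy enables, chains the UID is listed in).
    struct { const char *what; uint32_t enabled, rules; } cases[] = {
        { "penalty-boxed app, chain enabled",       CHAIN_PENALTY_BOX, CHAIN_PENALTY_BOX },
        { "OEM deny chain at bit 8, app listed",    CHAIN_OEM_DENY_8,  CHAIN_OEM_DENY_8 },
        { "bg-restrict allowlist on, app unlisted", CHAIN_BG_RESTRICT, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s 8-bit:%-5s 32-bit:%s\n", cases[i].what,
               allowed_v1(cases[i].enabled, cases[i].rules) ? "allow" : "drop",
               allowed_v2(cases[i].enabled, cases[i].rules) ? "allow" : "drop");
    return 0;
}
```

The first case behaves identically under both widths because bit 1 fits in a byte; the other two are enforced only with the 32-bit value. Nothing in the 8-bit path errors out, which is why a width mismatch between a rule mask and the word that gates it deserves a static_assert or a unit test rather than trust.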
  24. May 27, 2022
  25. May 23, 2022
  26. May 16, 2022
    • drop support for pre-4.14 kernels · 6ed2ab9b
      Maciej Żenczykowski authored
      
      S had a minimum kernel requirement of 4.9,
      T bumps this up to 4.14, which adds net cgroup bpf support.
      
      It's important to ship T with this otherwise we'll be forced
      into trying to somehow support 4.9 kernels with T mainline
      module updates for years and years, when we no longer have
      any tests of the old code paths...
      
      Test: TreeHugger
      Bug: 232017472
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: I6e873f0815f176f5618278087132156c9974d6ea
      6ed2ab9b
  27. Mar 07, 2022
    • BpfHandler: only allow to tag INET/INET6 socket · bcc0f5b1
      Hungming Chen authored

      This is a follow-up commit for the family validation {INET, INET6}.
      The protocol validation {TCP, UDP} was added in the previous
      commit.
      
      The TrafficController socket destroy listener only monitors
      on the group {INET_TCP, INET_UDP, INET6_TCP, INET6_UDP}.
      Tagging a socket the listener doesn't support means the tag can't
      be removed from the tag map automatically. Eventually, the tag map
      runs out of space because of dead tag entries.
      
      See TrafficController::makeSkDestroyListener in
      packages/modules/Connectivity/service/native/TrafficController.cpp
      
      Also address the comments from previous commit.
      - Remove the useless else-statement in tagSocket protocol validation.
      - Make the socket cookie query and test into one line in
        BpfHandlerTest#TestTagSocketWithUnsupportedProtocol
      
      Bug: 223094609
      Test: atest BpfHandlerTest
      Change-Id: I0f571fc00caa01c86399f0dbb593e8a40ad94bbd
      bcc0f5b1
    • BpfHandler: only allow to tag udp/tcp socket · 478c0eb2
      Hungming Chen authored
      The TrafficController socket destroy listener only monitors
      on the group {INET_TCP, INET_UDP, INET6_TCP, INET6_UDP}.
      Tagging a socket the listener doesn't support means the tag can't
      be removed from the tag map automatically. Eventually, the tag map
      runs out of space because of dead tag entries.
      
      See TrafficController::makeSkDestroyListener in
      packages/modules/Connectivity/service/native/TrafficController.cpp
      
      Bug: 223094609
      Test: atest BpfHandlerTest
      Change-Id: Icc19b7c9f37fef498b89f43e44767f6b9e931a5a
      478c0eb2
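Both messages above describe the same precondition for tagSocket(): only AF_INET/AF_INET6 sockets using TCP or UDP may be tagged, because those are the only groups the SkDestroyListener watches, and a tag on anything else is never cleaned up and slowly exhausts the tag map. The C program below is an added example, not the module's BpfHandler code; it shows one way to enforce that precondition from userspace, by asking the kernel for the socket's family and protocol with getsockopt(SO_DOMAIN) and getsockopt(SO_PROTOCOL) (Linux-specific options), and classifying the fd before any tag is written. classify_new_socket() and the verdict names are helpers invented for this example; it assumes Linux, and socket kinds the environment refuses to create (for instance AF_INET6 with IPv6 disabled, or raw sockets without CAP_NET_RAW) are reported rather than treated as errors.

```c
// Added example (not from the Connectivity module): the tagSocket() precondition
// checked from userspace, rejecting anything the socket-destroy listener would
// never report and that would therefore leave a dead entry in the tag map.
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

// asm-generic values, used only if the libc headers do not provide them.
#ifndef SO_PROTOCOL
#define SO_PROTOCOL 38
#endif
#ifndef SO_DOMAIN
#define SO_DOMAIN 39
#endif

// Classification of a socket fd for tagging purposes (names invented here).
enum tag_verdict {
    TAG_OK = 0,         // AF_INET/AF_INET6 with TCP or UDP: the destroy listener covers it
    TAG_BAD_FAMILY,     // e.g. AF_UNIX, AF_NETLINK, AF_PACKET
    TAG_BAD_PROTOCOL,   // e.g. ICMP, raw, SCTP: no SkDestroy event will ever arrive
    TAG_QUERY_FAILED,   // getsockopt() failed (EBADF, ENOTSOCK, ...)
};

static int query_int(int fd, int optname, int *out) {
    socklen_t len = sizeof(*out);
    return getsockopt(fd, SOL_SOCKET, optname, out, &len);
}

// Decide whether a tag on this fd could later be removed automatically.
enum tag_verdict classify_for_tagging(int fd) {
    int domain, protocol;
    if (query_int(fd, SO_DOMAIN, &domain) < 0 || query_int(fd, SO_PROTOCOL, &protocol) < 0)
        return TAG_QUERY_FAILED;
    if (domain != AF_INET && domain != AF_INET6) return TAG_BAD_FAMILY;
    if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP) return TAG_BAD_PROTOCOL;
    return TAG_OK;
}

// Create a socket of the given kind, classify it and close it. Returns the
// verdict, or -1 with errno set if this environment refuses to create it.
int classify_new_socket(int domain, int type, int protocol) {
    int fd = socket(domain, type, protocol);
    if (fd < 0) return -1;
    int v = classify_for_tagging(fd);
    close(fd);
    return v;
}

int main(void) {
    // Constructed socket kinds covering accepted and rejected cases.
    struct { const char *name; int domain, type, protocol; } kinds[] = {
        { "AF_INET/TCP",                      AF_INET,  SOCK_STREAM, IPPROTO_TCP },
        { "AF_INET6/UDP",                     AF_INET6, SOCK_DGRAM,  IPPROTO_UDP },
        { "AF_UNIX/STREAM",                   AF_UNIX,  SOCK_STREAM, 0 },
        { "AF_INET/ICMP (ping socket)",       AF_INET,  SOCK_DGRAM,  IPPROTO_ICMP },
        { "AF_INET/RAW (needs CAP_NET_RAW)",  AF_INET,  SOCK_RAW,    IPPROTO_RAW },
    };
    static const char *verdicts[] = { "taggable", "bad family", "bad protocol", "query failed" };
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
        int v = classify_new_socket(kinds[i].domain, kinds[i].type, kinds[i].protocol);
        if (v < 0) printf("%-36s socket() failed: %s\n", kinds[i].name, strerror(errno));
        else       printf("%-36s %s\n", kinds[i].name, verdicts[v]);
    }
    // A descriptor that is not a socket at all is rejected too, never tagged blindly.
    printf("%-36s %s\n", "stdin", verdicts[classify_for_tagging(0)]);
    return 0;
}
```

Checking the fd's own properties, rather than trusting whatever the caller claims about it, is the point: a caller with a valid fd but the wrong socket type should be turned away at the tagging interface, since nothing downstream will ever reclaim the entry.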
  28. Mar 04, 2022
  29. Feb 10, 2022
  30. Feb 03, 2022
    • link libbase & libnetdutils dynamically - save ~17.5 kiB · dcae3516
      Maciej Żenczykowski authored
      
      Before:
        $ adbz root && adbz wait-for-device && adbz shell ls -l /apex/com.android.tethering/{bin/for-system,lib,liv64}
        /apex/com.android.tethering/bin/for-system:
      = -rwsr-sr-x 1 clat clat 18412 1969-12-31 16:00 clatd
      
        /apex/com.android.tethering/lib:
      = -rw-r--r-- 1 system system  64560 1969-12-31 16:00 libandroid_net_connectivity_com_android_net_module_util_jni.so
      = -rw-r--r-- 1 system system 713636 1969-12-31 16:00 libc++.so
      = -rw-r--r-- 1 system system  13596 1969-12-31 16:00 libframework-connectivity-jni.so
      d -rw-r--r-- 1 system system 212624 1969-12-31 16:00 libnetd_updatable.so
      d -rw-r--r-- 1 system system 948044 1969-12-31 16:00 libservice-connectivity.so
      
      After:
        $ adbz root && adbz wait-for-device && adbz shell ls -l /apex/com.android.
        /apex/com.android.tethering/bin/for-system:
      = -rwsr-sr-x 1 clat clat 18412 1969-12-31 16:00 clatd
      
        /apex/com.android.tethering/lib:
      = -rw-r--r-- 1 system system  64560 1969-12-31 16:00 libandroid_net_connectivity_com_android_net_module_util_jni.so
      + -rw-r--r-- 1 system system 251404 1969-12-31 16:00 libbase.so
      = -rw-r--r-- 1 system system 713636 1969-12-31 16:00 libc++.so
      = -rw-r--r-- 1 system system  13596 1969-12-31 16:00 libframework-connectivity-jni.so
      d -rw-r--r-- 1 system system  45584 1969-12-31 16:00 libnetd_updatable.so
      + -rw-r--r-- 1 system system  95872 1969-12-31 16:00 libnetdutils.so
      d -rw-r--r-- 1 system system 749980 1969-12-31 16:00 libservice-connectivity.so
      
      Delta: -212624-948044+251404+45584+95872+749980 == -17828
      
      Test: TreeHugger
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Change-Id: Id88468442c4f3f24d5bca96b75effb69f20038bf
      dcae3516