diff options
| author | Mike Yu <yumike@google.com> | 2020-05-21 14:43:20 +0000 |
|---|---|---|
| committer | Mike Yu <yumike@google.com> | 2020-05-25 13:52:57 +0800 |
| commit | d5389f155cb30ec5f8fd217cdaa607b14d4682f3 (patch) | |
| tree | 8a16b824bfcecefceb48e78169460f74574e97f5 | |
| parent | ad315c9d74d28390285ff33143ec0ad7d9f8adfb (diff) | |
| download | DnsResolver-d5389f155cb30ec5f8fd217cdaa607b14d4682f3.tar.gz | |
Drop the dependency of Fwmark
The resolver used to generate the desired network mark for
DoT sockets. Now, change to get the network mark from netd.
Bug: 151895202
Test: Private DNS works as usual (even on VPN)
Merged-In: Ibb3e3e1ce0b43cb74962dd4436a47e9b458fa19a
Change-Id: I9698b3c73e410fce79dac044919f874768fc6a04
(cherry picked from commit ab43958ef7dbdf10b5ba310bc436173a0785f58f)
| -rw-r--r-- | DnsTlsDispatcher.cpp | 4 | ||||
| -rw-r--r-- | ResolverController.cpp | 18 |
2 files changed, 13 insertions, 9 deletions
diff --git a/DnsTlsDispatcher.cpp b/DnsTlsDispatcher.cpp index 8747e462..1fa40013 100644 --- a/DnsTlsDispatcher.cpp +++ b/DnsTlsDispatcher.cpp @@ -147,6 +147,10 @@ DnsTlsTransport::Response DnsTlsDispatcher::query(const DnsTlsServer& server, un const Slice query, const Slice ans, int* resplen, bool* connectTriggered) { int connectCounter; + + // TODO: This can cause the resolver to create multiple connections to the same DoT server + // merely due to different mark, such as the bit explicitlySelected unset. + // See if we can save them and just create one connection for one DoT server. const Key key = std::make_pair(mark, server); Transport* xport; { diff --git a/ResolverController.cpp b/ResolverController.cpp index 13600b87..be0b989f 100644 --- a/ResolverController.cpp +++ b/ResolverController.cpp @@ -24,7 +24,6 @@ #include <netdb.h> -#include <Fwmark.h> #include <aidl/android/net/IDnsResolver.h> #include <android-base/logging.h> #include <android-base/strings.h> @@ -202,21 +201,22 @@ int ResolverController::flushNetworkCache(unsigned netId) { int ResolverController::setResolverConfiguration(const ResolverParamsParcel& resolverParams) { using aidl::android::net::IDnsResolver; - // At private DNS validation time, we only know the netId, so we have to guess/compute the - // corresponding socket mark. - Fwmark fwmark; - fwmark.netId = resolverParams.netId; - fwmark.explicitlySelected = true; - fwmark.protectedFromVpn = true; - fwmark.permission = PERMISSION_SYSTEM; + // Expect to get the mark with system permission. + android_net_context netcontext; + gResNetdCallbacks.get_network_context(resolverParams.netId, 0 /* uid */, &netcontext); // Allow at most MAXNS private DNS servers in a network to prevent too many broken servers. std::vector<std::string> tlsServers = resolverParams.tlsServers; if (tlsServers.size() > MAXNS) { tlsServers.resize(MAXNS); } + + // Use app_mark for DoT connection. Using dns_mark might result in reaching the DoT servers + // through a different network. For example, on a VPN with no DNS servers (Do53), if the VPN + // applies to UID 0, dns_mark is assigned for default network rathan the VPN. (note that it's + // possible that a VPN doesn't have any DNS servers but DoT servers in DNS strict mode) const int err = - gPrivateDnsConfiguration.set(resolverParams.netId, fwmark.intValue, tlsServers, + gPrivateDnsConfiguration.set(resolverParams.netId, netcontext.app_mark, tlsServers, resolverParams.tlsName, resolverParams.caCertificate); if (err != 0) { |