diff options
author | Treehugger Robot <treehugger-gerrit@google.com> | 2023-01-14 06:41:47 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-01-14 06:41:47 +0000 |
commit | 1a5ca397c4306ec5a90ffc80dbb8060be07cf856 (patch) | |
tree | 9b0f4693d45db5d9044a3e7fe2a3684d2ab2597e | |
parent | cc5311c28931824509261655ff2e8536e892fa83 (diff) | |
parent | f5877d2b47a92a9e71f89f388a29a5e4b2906f8e (diff) | |
download | netd-1a5ca397c4306ec5a90ffc80dbb8060be07cf856.tar.gz |
Merge changes I6c0d0f92,I21bc0644 am: 6d9f3eee8d am: 8442a0b0e3 am: f5877d2b47
Original change: https://android-review.googlesource.com/c/platform/system/netd/+/2370410
Change-Id: Iccf6e4b30cd41ed9ef6ec9164dbca756bfe99f48
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | server/NetdNativeService.cpp | 4 | ||||
-rw-r--r-- | server/NetdNativeService.h | 2 | ||||
-rw-r--r-- | server/Network.cpp | 10 | ||||
-rw-r--r-- | server/Network.h | 2 | ||||
-rw-r--r-- | server/NetworkController.cpp | 26 | ||||
-rw-r--r-- | server/NetworkController.h | 3 | ||||
-rw-r--r-- | server/main.cpp | 10 | ||||
-rw-r--r-- | tests/binder_test.cpp | 22 |
8 files changed, 57 insertions, 22 deletions
diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp index dcfc6c2e..c0a98945 100644 --- a/server/NetdNativeService.cpp +++ b/server/NetdNativeService.cpp @@ -1248,9 +1248,9 @@ binder::Status NetdNativeService::tetherOffloadGetAndClearStats( } binder::Status NetdNativeService::setNetworkAllowlist( - const std::vector<NativeUidRangeConfig>& settings) { + const std::vector<NativeUidRangeConfig>& rangeConfigs) { ENFORCE_NETWORK_STACK_PERMISSIONS(); - return statusFromErrcode(gCtls->netCtrl.setNetworkAllowlist(settings)); + return statusFromErrcode(gCtls->netCtrl.setNetworkAllowlist(rangeConfigs)); } } // namespace net diff --git a/server/NetdNativeService.h b/server/NetdNativeService.h index 532acc3c..d5932b01 100644 --- a/server/NetdNativeService.h +++ b/server/NetdNativeService.h @@ -267,7 +267,7 @@ class NetdNativeService : public BinderService<NetdNativeService>, public BnNetd binder::Status getOemNetd(android::sp<android::IBinder>* listener) override; binder::Status getFwmarkForNetwork(int32_t netId, MarkMaskParcel* markmask); binder::Status setNetworkAllowlist( - const std::vector<netd::aidl::NativeUidRangeConfig>& settings) override; + const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs) override; private: std::vector<uid_t> intsToUids(const std::vector<int32_t>& intUids); diff --git a/server/Network.cpp b/server/Network.cpp index a3956419..b13970c3 100644 --- a/server/Network.cpp +++ b/server/Network.cpp @@ -84,10 +84,10 @@ std::string Network::uidRangesToString() const { } std::string Network::allowedUidsToString() const { - if (!mUidsAbleToSelectThisNetwork) { + if (!mAllowedUids) { return "unrestricted"; } - return mUidsAbleToSelectThisNetwork->toString(); + return mAllowedUids->toString(); } // Check if the user has been added to this network. If yes, the highest priority of matching @@ -125,15 +125,15 @@ void Network::removeFromUidRangeMap(const UidRanges& uidRanges, int32_t subPrior } void Network::clearAllowedUids() { - mUidsAbleToSelectThisNetwork.reset(); + mAllowedUids.reset(); } void Network::setAllowedUids(const UidRanges& uidRanges) { - mUidsAbleToSelectThisNetwork = uidRanges; + mAllowedUids = uidRanges; } bool Network::isUidAllowed(uid_t uid) { - return !mUidsAbleToSelectThisNetwork || mUidsAbleToSelectThisNetwork->hasUid(uid); + return !mAllowedUids || mAllowedUids->hasUid(uid); } bool Network::canAddUidRanges(const UidRanges& uidRanges) const { diff --git a/server/Network.h b/server/Network.h index bafa1948..6b68defc 100644 --- a/server/Network.h +++ b/server/Network.h @@ -80,7 +80,7 @@ public: const bool mSecure; // UIDs that can explicitly select this network. It means no restriction for all UIDs if the // optional variable has no value. - std::optional<UidRanges> mUidsAbleToSelectThisNetwork; + std::optional<UidRanges> mAllowedUids; private: enum Action { diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp index 0d716adf..082eaf84 100644 --- a/server/NetworkController.cpp +++ b/server/NetworkController.cpp @@ -801,30 +801,36 @@ void NetworkController::dump(DumpWriter& dw) { void NetworkController::clearAllowedUidsForAllNetworksLocked() { for (const auto& [_, network] : mNetworks) { - if (!network->isPhysical()) continue; - network->clearAllowedUids(); } } int NetworkController::setNetworkAllowlist( - const std::vector<netd::aidl::NativeUidRangeConfig>& settings) { + const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs) { const ScopedWLock lock(mRWLock); - clearAllowedUidsForAllNetworksLocked(); - for (const auto& setting : settings) { - Network* network = getNetworkLocked(setting.netId); + for (const auto& config : rangeConfigs) { + Network* network = getNetworkLocked(config.netId); if (!network) return -ENONET; - if (!network->isPhysical()) return -EINVAL; } - for (const auto& setting : settings) { - Network* network = getNetworkLocked(setting.netId); - network->setAllowedUids(UidRanges(setting.uidRanges)); + clearAllowedUidsForAllNetworksLocked(); + for (const auto& config : rangeConfigs) { + Network* network = getNetworkLocked(config.netId); + network->setAllowedUids(UidRanges(config.uidRanges)); } return 0; } +bool NetworkController::isUidAllowed(unsigned netId, uid_t uid) const { + const ScopedRLock lock(mRWLock); + Network* network = getNetworkLocked(netId); + if (network && network->isUidAllowed(uid)) { + return true; + } + return false; +} + bool NetworkController::isValidNetworkLocked(unsigned netId) const { return getNetworkLocked(netId); } diff --git a/server/NetworkController.h b/server/NetworkController.h index 386733ad..e7c47da4 100644 --- a/server/NetworkController.h +++ b/server/NetworkController.h @@ -147,7 +147,8 @@ public: void denyProtect(const std::vector<uid_t>& uids); void dump(netdutils::DumpWriter& dw); - int setNetworkAllowlist(const std::vector<netd::aidl::NativeUidRangeConfig>& settings); + int setNetworkAllowlist(const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs); + bool isUidAllowed(unsigned netId, uid_t uid) const; private: bool isValidNetworkLocked(unsigned netId) const; diff --git a/server/main.cpp b/server/main.cpp index 35c53de7..3c6b0d52 100644 --- a/server/main.cpp +++ b/server/main.cpp @@ -96,7 +96,15 @@ int tagSocketCallback(int sockFd, uint32_t tag, uid_t uid, pid_t) { return libnetd_updatable_tagSocket(sockFd, tag, uid, AID_DNS); } -bool evaluateDomainNameCallback(const android_net_context&, const char* /*name*/) { +bool evaluateDomainNameCallback(const android_net_context& netcontext, const char* /*name*/) { + // OEMs should NOT modify IF statement, or DNS control provided by mainline modules may break. + if (!gCtls->netCtrl.isUidAllowed(netcontext.app_netid, netcontext.uid)) { + ALOGI("uid %d is not allowed to use netid %u", netcontext.uid, netcontext.app_netid); + return false; + } + + // Add OEM customization from here + // ... return true; } diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp index 677018ee..c0a89215 100644 --- a/tests/binder_test.cpp +++ b/tests/binder_test.cpp @@ -5451,6 +5451,9 @@ TEST_F(NetdBinderTest, PerProfileNetworkPermission) { EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_3, sTun4.name(), "::/0", "").isOk()); // profile#1 + // UidRanges::SUB_PRIORITY_HIGHEST + 20 = PREFERENCE_ORDER_PROFILE, which is defined in + // ConnectivityService.java. The value here doesn't really matter because user allowed network + // does not depends on specific sub-priority. NativeUidRangeConfig cfg1 = makeNativeUidRangeConfig(ENTERPRISE_NETID_1, {makeUidRangeParcel(TEST_UID1, TEST_UID1)}, UidRanges::SUB_PRIORITY_HIGHEST + 20); @@ -5555,4 +5558,21 @@ TEST_F(NetdBinderTest, PerProfileNetworkPermission) { EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2)); EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3)); } -} + + // Update setting: remove ENTERPRISE_NETID_1 from profile#1's allowed network list + // +-----------+-----------------------+----------------------------------------+ + // | UID | UID's default network | UID can select networks | + // +-----------+-----------------------+----------------------------------------+ + // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_2, ENTERPRISE_NETID_3 | + // +-----------+-----------------------+----------------------------------------+ + EXPECT_TRUE( + mNetd->setNetworkAllowlist({nw2UserConfig, nw3UserConfig, nwDefaultUserConfig}).isOk()); + + // All UIDs should be able to use ENTERPRISE_NETID_1. + for (const int uid : {TEST_UID1, TEST_UID2, TEST_UID3}) { + { + ScopedUidChange scopedUidChange(uid); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1)); + } + } +}
\ No newline at end of file |