Merge changes I6c0d0f92,I21bc0644 am: 6d9f3eee8d

Original change: https://android-review.googlesource.com/c/platform/system/netd/+/2370410

Change-Id: Ic1b9d322bd6fe17a880026f5fcb659adff1cf2c4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

8 files changed, 57 insertions, 22 deletions

diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp
index dcfc6c2e..c0a98945 100644
--- a/server/NetdNativeService.cpp
+++ b/server/NetdNativeService.cpp
@@ -1248,9 +1248,9 @@ binder::Status NetdNativeService::tetherOffloadGetAndClearStats(
 }
 
 binder::Status NetdNativeService::setNetworkAllowlist(
-        const std::vector<NativeUidRangeConfig>& settings) {
+        const std::vector<NativeUidRangeConfig>& rangeConfigs) {
     ENFORCE_NETWORK_STACK_PERMISSIONS();
-    return statusFromErrcode(gCtls->netCtrl.setNetworkAllowlist(settings));
+    return statusFromErrcode(gCtls->netCtrl.setNetworkAllowlist(rangeConfigs));
 }
 
 }  // namespace net
diff --git a/server/NetdNativeService.h b/server/NetdNativeService.h
index 532acc3c..d5932b01 100644
--- a/server/NetdNativeService.h
+++ b/server/NetdNativeService.h
@@ -267,7 +267,7 @@ class NetdNativeService : public BinderService<NetdNativeService>, public BnNetd
     binder::Status getOemNetd(android::sp<android::IBinder>* listener) override;
     binder::Status getFwmarkForNetwork(int32_t netId, MarkMaskParcel* markmask);
     binder::Status setNetworkAllowlist(
-            const std::vector<netd::aidl::NativeUidRangeConfig>& settings) override;
+            const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs) override;
 
   private:
     std::vector<uid_t> intsToUids(const std::vector<int32_t>& intUids);
diff --git a/server/Network.cpp b/server/Network.cpp
index a3956419..b13970c3 100644
--- a/server/Network.cpp
+++ b/server/Network.cpp
@@ -84,10 +84,10 @@ std::string Network::uidRangesToString() const {
 }
 
 std::string Network::allowedUidsToString() const {
-    if (!mUidsAbleToSelectThisNetwork) {
+    if (!mAllowedUids) {
         return "unrestricted";
     }
-    return mUidsAbleToSelectThisNetwork->toString();
+    return mAllowedUids->toString();
 }
 
 // Check if the user has been added to this network. If yes, the highest priority of matching
@@ -125,15 +125,15 @@ void Network::removeFromUidRangeMap(const UidRanges& uidRanges, int32_t subPrior
 }
 
 void Network::clearAllowedUids() {
-    mUidsAbleToSelectThisNetwork.reset();
+    mAllowedUids.reset();
 }
 
 void Network::setAllowedUids(const UidRanges& uidRanges) {
-    mUidsAbleToSelectThisNetwork = uidRanges;
+    mAllowedUids = uidRanges;
 }
 
 bool Network::isUidAllowed(uid_t uid) {
-    return !mUidsAbleToSelectThisNetwork || mUidsAbleToSelectThisNetwork->hasUid(uid);
+    return !mAllowedUids || mAllowedUids->hasUid(uid);
 }
 
 bool Network::canAddUidRanges(const UidRanges& uidRanges) const {
diff --git a/server/Network.h b/server/Network.h
index bafa1948..6b68defc 100644
--- a/server/Network.h
+++ b/server/Network.h
@@ -80,7 +80,7 @@ public:
     const bool mSecure;
     // UIDs that can explicitly select this network. It means no restriction for all UIDs if the
     // optional variable has no value.
-    std::optional<UidRanges> mUidsAbleToSelectThisNetwork;
+    std::optional<UidRanges> mAllowedUids;
 
   private:
     enum Action {
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 0d716adf..082eaf84 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -801,30 +801,36 @@ void NetworkController::dump(DumpWriter& dw) {
 
 void NetworkController::clearAllowedUidsForAllNetworksLocked() {
     for (const auto& [_, network] : mNetworks) {
-        if (!network->isPhysical()) continue;
-
         network->clearAllowedUids();
     }
 }
 
 int NetworkController::setNetworkAllowlist(
-        const std::vector<netd::aidl::NativeUidRangeConfig>& settings) {
+        const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs) {
     const ScopedWLock lock(mRWLock);
 
-    clearAllowedUidsForAllNetworksLocked();
-    for (const auto& setting : settings) {
-        Network* network = getNetworkLocked(setting.netId);
+    for (const auto& config : rangeConfigs) {
+        Network* network = getNetworkLocked(config.netId);
         if (!network) return -ENONET;
-        if (!network->isPhysical()) return -EINVAL;
     }
 
-    for (const auto& setting : settings) {
-        Network* network = getNetworkLocked(setting.netId);
-        network->setAllowedUids(UidRanges(setting.uidRanges));
+    clearAllowedUidsForAllNetworksLocked();
+    for (const auto& config : rangeConfigs) {
+        Network* network = getNetworkLocked(config.netId);
+        network->setAllowedUids(UidRanges(config.uidRanges));
     }
     return 0;
 }
 
+bool NetworkController::isUidAllowed(unsigned netId, uid_t uid) const {
+    const ScopedRLock lock(mRWLock);
+    Network* network = getNetworkLocked(netId);
+    if (network && network->isUidAllowed(uid)) {
+        return true;
+    }
+    return false;
+}
+
 bool NetworkController::isValidNetworkLocked(unsigned netId) const {
     return getNetworkLocked(netId);
 }
diff --git a/server/NetworkController.h b/server/NetworkController.h
index 386733ad..e7c47da4 100644
--- a/server/NetworkController.h
+++ b/server/NetworkController.h
@@ -147,7 +147,8 @@ public:
     void denyProtect(const std::vector<uid_t>& uids);
 
     void dump(netdutils::DumpWriter& dw);
-    int setNetworkAllowlist(const std::vector<netd::aidl::NativeUidRangeConfig>& settings);
+    int setNetworkAllowlist(const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs);
+    bool isUidAllowed(unsigned netId, uid_t uid) const;
 
   private:
     bool isValidNetworkLocked(unsigned netId) const;
diff --git a/server/main.cpp b/server/main.cpp
index 35c53de7..3c6b0d52 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -96,7 +96,15 @@ int tagSocketCallback(int sockFd, uint32_t tag, uid_t uid, pid_t) {
     return libnetd_updatable_tagSocket(sockFd, tag, uid, AID_DNS);
 }
 
-bool evaluateDomainNameCallback(const android_net_context&, const char* /*name*/) {
+bool evaluateDomainNameCallback(const android_net_context& netcontext, const char* /*name*/) {
+    // OEMs should NOT modify IF statement, or DNS control provided by mainline modules may break.
+    if (!gCtls->netCtrl.isUidAllowed(netcontext.app_netid, netcontext.uid)) {
+        ALOGI("uid %d is not allowed to use netid %u", netcontext.uid, netcontext.app_netid);
+        return false;
+    }
+
+    // Add OEM customization from here
+    // ...
     return true;
 }
 
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 677018ee..c0a89215 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -5451,6 +5451,9 @@ TEST_F(NetdBinderTest, PerProfileNetworkPermission) {
     EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_3, sTun4.name(), "::/0", "").isOk());
 
     // profile#1
+    // UidRanges::SUB_PRIORITY_HIGHEST + 20 = PREFERENCE_ORDER_PROFILE, which is defined in
+    // ConnectivityService.java. The value here doesn't really matter because user allowed network
+    // does not depends on specific sub-priority.
     NativeUidRangeConfig cfg1 =
             makeNativeUidRangeConfig(ENTERPRISE_NETID_1, {makeUidRangeParcel(TEST_UID1, TEST_UID1)},
                                      UidRanges::SUB_PRIORITY_HIGHEST + 20);
@@ -5555,4 +5558,21 @@ TEST_F(NetdBinderTest, PerProfileNetworkPermission) {
         EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
         EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
     }
-}
+
+    // Update setting: remove ENTERPRISE_NETID_1 from profile#1's allowed network list
+    // +-----------+-----------------------+----------------------------------------+
+    // |    UID    | UID's default network | UID can select networks                |
+    // +-----------+-----------------------+----------------------------------------+
+    // | TEST_UID2 | ENTERPRISE_NETID_3    | ENTERPRISE_NETID_2, ENTERPRISE_NETID_3 |
+    // +-----------+-----------------------+----------------------------------------+
+    EXPECT_TRUE(
+            mNetd->setNetworkAllowlist({nw2UserConfig, nw3UserConfig, nwDefaultUserConfig}).isOk());
+
+    // All UIDs should be able to use ENTERPRISE_NETID_1.
+    for (const int uid : {TEST_UID1, TEST_UID2, TEST_UID3}) {
+        {
+            ScopedUidChange scopedUidChange(uid);
+            EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
+        }
+    }
+}
\ No newline at end of file