author | Ken Chen <cken@google.com> | 2022-12-24 09:24:56 +0800 |
---|---|---|
committer | Ken Chen <cken@google.com> | 2023-01-13 10:17:44 +0000 |
commit | e22ac8d3d0d96a8eb764e2e22bf22578f563c4aa (patch) | |
tree | 210d0182d1dac53cba26eb067d303debb9b44fad | |
parent | 38bc0844b02212c0dd04e3e4c36a6bfdd54c5acd (diff) | |
download | netd-e22ac8d3d0d96a8eb764e2e22bf22578f563c4aa.tar.gz |
Restrict DNS by UID-based network permission
Modify evaluateDomainNameCallback to report whether the network specified
for a DNS query is available to the UID.
Bug: 263219497
Test: resolv_integration_tests
Change-Id: I21bc06442b91f291efd96db98340ebfba0fee99d
-rw-r--r-- | server/NetworkController.cpp | 9 | ||||
-rw-r--r-- | server/NetworkController.h | 1 | ||||
-rw-r--r-- | server/main.cpp | 10 |
3 files changed, 19 insertions, 1 deletions
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 0d716adf..c16c7b7d 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -825,6 +825,15 @@ int NetworkController::setNetworkAllowlist(
     return 0;
 }
 
+bool NetworkController::isUidAllowed(unsigned netId, uid_t uid) const {
+    const ScopedRLock lock(mRWLock);
+    Network* network = getNetworkLocked(netId);
+    if (network && network->isUidAllowed(uid)) {
+        return true;
+    }
+    return false;
+}
+
 bool NetworkController::isValidNetworkLocked(unsigned netId) const {
     return getNetworkLocked(netId);
 }
diff --git a/server/NetworkController.h b/server/NetworkController.h
index 386733ad..dd17d901 100644
--- a/server/NetworkController.h
+++ b/server/NetworkController.h
@@ -148,6 +148,7 @@ public:
 
     void dump(netdutils::DumpWriter& dw);
     int setNetworkAllowlist(const std::vector<netd::aidl::NativeUidRangeConfig>& settings);
+    bool isUidAllowed(unsigned netId, uid_t uid) const;
 
 private:
     bool isValidNetworkLocked(unsigned netId) const;
diff --git a/server/main.cpp b/server/main.cpp
index 35c53de7..3c6b0d52 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -96,7 +96,15 @@ int tagSocketCallback(int sockFd, uint32_t tag, uid_t uid, pid_t) {
     return libnetd_updatable_tagSocket(sockFd, tag, uid, AID_DNS);
 }
 
-bool evaluateDomainNameCallback(const android_net_context&, const char* /*name*/) {
+bool evaluateDomainNameCallback(const android_net_context& netcontext, const char* /*name*/) {
+    // OEMs should NOT modify IF statement, or DNS control provided by mainline modules may break.
+    if (!gCtls->netCtrl.isUidAllowed(netcontext.app_netid, netcontext.uid)) {
+        ALOGI("uid %d is not allowed to use netid %u", netcontext.uid, netcontext.app_netid);
+        return false;
+    }
+
+    // Add OEM customization from here
+    // ...
     return true;
 }
 
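Review bot: The body of the new NetworkController::isUidAllowed spells a boolean out as an if/return-true/return-false, where the neighbouring isValidNetworkLocked in the same hunk returns the lookup result directly; the same behaviour reads more plainly as one expression under the lock, `return network && network->isUidAllowed(uid);`. If getNetworkLocked has a const-returning overload, declaring the local as `const Network* network` would also record that the lookup does not mutate the network from this const member.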
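Review bot: The added declaration `bool isUidAllowed(unsigned netId, uid_t uid) const;` in NetworkController.h has no comment, and its false result is ambiguous: per the NetworkController.cpp hunk it is false both when the UID is outside the network's allowlist and when netId names no network at all, so a caller cannot tell a denied UID from a stale or unknown netId. A one-line comment on the declaration would make the contract visible to callers such as the DNS callback in main.cpp: `// Returns true if |uid| may use network |netId|; false if the UID is not allowed or no such network exists.`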
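Review bot: The ALOGI inside the new guard in evaluateDomainNameCallback is emitted on every rejected evaluation, and because the rejection is keyed only on the caller's uid and app_netid, an app that is not allowed on that network appears able to fill the log at whatever rate it issues DNS queries; ALOGD, or a rate-limited log, keeps the denial visible for debugging without turning it into a log-flood vector. On the same line `%d` is used for netcontext.uid while uid_t is an unsigned int on Linux/bionic, so the specifier should match the one already used for app_netid: `ALOGI("uid %u is not allowed to use netid %u", netcontext.uid, netcontext.app_netid);`. The "OEMs should NOT modify IF statement" comment would read more clearly as a sentence, e.g. `// OEMs must not modify this if-statement; the DNS access control provided by mainline modules depends on it.`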