authorMaciej Żenczykowski <maze@google.com>2020-07-16 07:54:37 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2020-07-16 07:54:37 +0000
commitaa64110f6709ac15db79ba2b909803a811320ea8 (patch)
tree97dcda1ebd79c607ac45deace4cd71b3468f3377
parent238ed8e246efc4513902e0e12dc2920b87d261dc (diff)
parente2ad8628b0244fc7d2b9565369923864b9e3a751 (diff)
downloadnetd-aa64110f6709ac15db79ba2b909803a811320ea8.tar.gz
do not drop ingress dns replies with non bypassable vpn am: e2ad8628b0
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/netd/+/12166582 Change-Id: I9bd3e184e79433ff4470fa8470d52f8269326e62
-rw-r--r--bpf_progs/netd.c14
-rw-r--r--server/main.cpp2
2 files changed, 15 insertions, 1 deletions
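diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 70e0ae7c..f3470280 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -30,6 +30,7 @@
 #include "netdbpf/bpf_shared.h"
 // This is defined for cgroup bpf filter only.
+#define BPF_DROP_UNLESS_DNS 2
 #define BPF_PASS 1
 #define BPF_DROP 0
@@ -206,7 +207,7 @@ static inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid, int direc
 if (direction == BPF_INGRESS && (uidRules & IIF_MATCH)) {
 // Drops packets not coming from lo nor the whitelisted interface
 if (allowed_iif && skb->ifindex != 1 && skb->ifindex != allowed_iif) {
- return BPF_DROP;
+ return BPF_DROP_UNLESS_DNS;
 }
 }
 return BPF_PASS;
@@ -247,6 +248,17 @@ static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, int
 tag = 0;
 }
+// Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
+// Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h
+// and TrafficStatsConstants.java
+#define TAG_SYSTEM_DNS 0xFFFFFF82
+ if (tag == TAG_SYSTEM_DNS && uid == AID_DNS) {
+ uid = sock_uid;
+ if (match == BPF_DROP_UNLESS_DNS) match = BPF_PASS;
+ } else {
+ if (match == BPF_DROP_UNLESS_DNS) match = BPF_DROP;
+ }
+
 StatsKey key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
 uint8_t* counterSet = bpf_uid_counterset_map_lookup_elem(&uid);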
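Review bot: The VPN-isolation exemption at `if (tag == TAG_SYSTEM_DNS && uid == AID_DNS)` rests entirely on the uid half of the condition, since the tag value is a plain constant that the comment itself says is shared with Java-side TrafficStatsConstants, yet the comment above it only cites the bug; I would add `// The uid check is load-bearing: the tag alone must never lift the drop, only sockets the resolver path tagged as AID_DNS qualify.` and confirm that no tagSocket caller can pick AID_DNS as the uid for its own socket. bpf_owner_match (hunk at -206) now returns a third verdict, so any caller other than bpf_traffic_account that tests only `== BPF_DROP` would treat BPF_DROP_UNLESS_DNS as pass (fail-open); that caller set is outside this hunk and worth checking. TAG_SYSTEM_DNS is also defined at function scope here while server/main.cpp in the same commit relies on a definition from elsewhere; since this file already includes `netdbpf/bpf_shared.h`, the constant presumably belongs there (or at least next to BPF_DROP_UNLESS_DNS at the top) so both C sides share one definition. The body of bpf_traffic_account continues outside the hunk.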
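diff --git a/server/main.cpp b/server/main.cpp
index 0a86b0a2..4949ff6f 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -83,6 +83,8 @@ void logCallback(const char* msg) {
 }
 int tagSocketCallback(int sockFd, uint32_t tag, uid_t uid, pid_t) {
+ // Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
+ if (tag == TAG_SYSTEM_DNS) uid = AID_DNS;
 return gCtls->trafficCtrl.tagSocket(sockFd, tag, uid, geteuid());
 }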
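Review bot: The override `if (tag == TAG_SYSTEM_DNS) uid = AID_DNS;` silently discards the uid the caller passed, and the bpf program in this same commit grants the VPN ingress-drop exemption on exactly that (tag, uid) pair, so this callback is effectively the only place that mints the privileged combination; the comment should say so instead of only citing the bug. I would write `// Must stay in sync with bpf_traffic_account(): sockets tagged TAG_SYSTEM_DNS are exempt from the VPN ingress drop only when their uid is AID_DNS, and this callback is what assigns it.` If anything other than the in-process resolver can reach this callback, the override would let that caller exempt arbitrary sockets, so the registration site, which is outside the hunk, is worth confirming.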