authorXiaohui Chen <xiaohuic@google.com>2015-06-25 21:19:38 -0700
committerXiaohui Chen <xiaohuic@google.com>2015-06-25 21:19:38 -0700
commitfeb2b61d3010d52e530357116c3b22c6d77da3cf (patch)
tree55103e34abfce893bc2c219a74644af3616087bd
parent1cdfa9adfa584029cb6d9ac13a2896786001b3a1 (diff)
netd: add default fw white list for system uids
In the uid firewall white list, we white-list the system uid range by default to make sure system processes always have network access. BUG:22094135 Change-Id: I8f472a98a9fd93591a2887982cec1458d7683613
-rw-r--r--server/FirewallController.cpp6
1 files changed, 6 insertions, 0 deletions
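diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 4847c85d..bcf7524c 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -23,6 +23,7 @@
 #define LOG_NDEBUG 0
 #include <cutils/log.h>
+#include <private/android_filesystem_config.h>
 #include "NetdConstants.h"
 #include "FirewallController.h"
@@ -263,6 +264,11 @@ int FirewallController::createChain(const char* childChain,
 int res = 0;
 res |= execIptables(V4V6, "-t", TABLE, "-N", childChain, NULL);
 if (type == WHITELIST) {
+ // create default white list for system uid range
+ char uidStr[16];
+ sprintf(uidStr, "0-%d", AID_APP - 1);
+ res |= execIptables(V4V6, "-A", childChain, "-m", "owner", "--uid-owner",
+ uidStr, "-j", "RETURN", NULL);
 // create default rule to drop all traffic
 res |= execIptables(V4V6, "-A", childChain, "-j", "DROP", NULL);
 }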
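Review bot: `sprintf(uidStr, "0-%d", AID_APP - 1)` writes into a fixed 16-byte stack buffer with no length bound; the value fits today, but the bounded idiom `snprintf(uidStr, sizeof(uidStr), "0-%d", AID_APP - 1);` keeps the line safe if the constant or the format ever changes. The comment "create default white list for system uid range" understates what the rule does: it exempts every uid from 0 up to AID_APP - 1 (all pre-app AIDs, not only root/system) from the chain's DROP, and that breadth should be stated explicitly, e.g. `// Exempt all pre-app uids (0..AID_APP-1) from the default DROP so system daemons keep network access in whitelist mode`. Note also that `res` only accumulates a non-zero status, so if the RETURN rule fails to install while the DROP rule below succeeds the chain silently blocks system uids; presumably callers treat a non-zero return as a failed chain creation, but that handling is outside this hunk. createChain begins before and ends after the hunk shown.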