author | Xiaohui Chen <xiaohuic@google.com> | 2015-06-25 21:19:38 -0700 |
---|---|---|
committer | Xiaohui Chen <xiaohuic@google.com> | 2015-06-25 21:19:38 -0700 |
commit | feb2b61d3010d52e530357116c3b22c6d77da3cf (patch) | |
tree | 55103e34abfce893bc2c219a74644af3616087bd | |
parent | 1cdfa9adfa584029cb6d9ac13a2896786001b3a1 (diff) | |
download | netd-feb2b61d3010d52e530357116c3b22c6d77da3cf.tar.gz |
netd: add default fw white list for system uids
In the uid firewall whitelist, we whitelist the system uid range
by default to make sure system processes always have network
access.
BUG:22094135
Change-Id: I8f472a98a9fd93591a2887982cec1458d7683613
-rw-r--r-- | server/FirewallController.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 4847c85d..bcf7524c 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -23,6 +23,7 @@
 #define LOG_NDEBUG 0
 #include <cutils/log.h>
+#include <private/android_filesystem_config.h>
 #include "NetdConstants.h"
 #include "FirewallController.h"
@@ -263,6 +264,11 @@ int FirewallController::createChain(const char* childChain,
     int res = 0;
     res |= execIptables(V4V6, "-t", TABLE, "-N", childChain, NULL);
     if (type == WHITELIST) {
+        // create default white list for system uid range
+        char uidStr[16];
+        sprintf(uidStr, "0-%d", AID_APP - 1);
+        res |= execIptables(V4V6, "-A", childChain, "-m", "owner", "--uid-owner",
+                uidStr, "-j", "RETURN", NULL);
         // create default rule to drop all traffic
         res |= execIptables(V4V6, "-A", childChain, "-j", "DROP", NULL);
     }
|
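Review bot: The new `sprintf` into the fixed `char uidStr[16]` in the second hunk should be the bounded form, `snprintf(uidStr, sizeof(uidStr), "0-%d", AID_APP - 1);` — a 16-byte buffer does hold any `int` formatted this way, so this is a style and future-proofing point rather than an overflow today, but an unbounded formatter into a stack buffer is exactly what reviewers and static checkers flag. The added RETURN rule exempts every uid below AID_APP (root and all system daemons, not only "system processes") from the whitelist before the DROP is appended, and that scope is worth stating in the comment, e.g. `// uids 0..AID_APP-1 (root and all system daemons) bypass the whitelist unconditionally`, so the security consequence is visible to whoever edits the chain later. The `--uid-owner` argument relies on the owner match accepting a `low-high` range, which is presumably true for the iptables shipped with this tree but is not checked here; if `execIptables` fails on it the chain is left with only the DROP rule and `res` is the only signal. `createChain` begins before this hunk and its error handling of `res` is not visible here.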