diff options
author | Mike Yu <yumike@google.com> | 2018-11-02 13:30:04 +0800 |
---|---|---|
committer | Mike Yu <yumike@google.com> | 2018-11-07 13:51:36 +0800 |
commit | 2cc198a23662a3dc141c64e2c84be5badbf8abf3 (patch) | |
tree | 45545bde6feae7f37d46d400693cf826b7f34b11 | |
parent | 3e72428a0d04d006231d6282e037a1864d0d61f4 (diff) | |
download | netd-2cc198a23662a3dc141c64e2c84be5badbf8abf3.tar.gz |
Remove libnetd_resolv dependency on Fwmark
This change help reduce the libnetd_resolv dependency on non-updatable
code.
Bug: 113628807
Test: system/netd/tests/runtests.sh passed
Change-Id: I70b5336f00e5e9b506a76a3a68f5f149c78a89af
-rw-r--r-- | resolv/Android.bp | 5 | ||||
-rw-r--r-- | resolv/DnsTlsSocket.cpp | 1 | ||||
-rw-r--r-- | resolv/DnsTlsTransport.cpp | 12 | ||||
-rw-r--r-- | resolv/include/netd_resolv/DnsTlsTransport.h | 2 | ||||
-rw-r--r-- | resolv/libnetd_resolv.map.txt | 2 | ||||
-rw-r--r-- | server/ResolverController.cpp | 29 |
6 files changed, 23 insertions, 28 deletions
diff --git a/resolv/Android.bp b/resolv/Android.bp index f26d8209..252264d2 100644 --- a/resolv/Android.bp +++ b/resolv/Android.bp @@ -33,11 +33,6 @@ cc_library_shared { "libssl", "libcrypto", ], - // TODO: Remove this after we find an alternative way to substitute Fwmark - // used in DnsTls* classes. - include_dirs: [ - "system/netd/include", - ], export_include_dirs: ["include"], // TODO: pie in the sky: make this code clang-tidy clean tidy: false, diff --git a/resolv/DnsTlsSocket.cpp b/resolv/DnsTlsSocket.cpp index 425aa170..b4d00813 100644 --- a/resolv/DnsTlsSocket.cpp +++ b/resolv/DnsTlsSocket.cpp @@ -33,7 +33,6 @@ #include "log/log.h" #include "netdutils/SocketOption.h" -#include "Permission.h" namespace android { diff --git a/resolv/DnsTlsTransport.cpp b/resolv/DnsTlsTransport.cpp index b4294e23..b1e92057 100644 --- a/resolv/DnsTlsTransport.cpp +++ b/resolv/DnsTlsTransport.cpp @@ -26,8 +26,6 @@ #include "netd_resolv/IDnsTlsSocketFactory.h" #include "log/log.h" -#include "Fwmark.h" -#include "Permission.h" namespace android { namespace net { @@ -145,7 +143,7 @@ DnsTlsTransport::~DnsTlsTransport() { // static // TODO: Use this function to preheat the session cache. // That may require moving it to DnsTlsDispatcher. -bool DnsTlsTransport::validate(const DnsTlsServer& server, unsigned netid) { +bool DnsTlsTransport::validate(const DnsTlsServer& server, unsigned netid, uint32_t mark) { ALOGV("Beginning validation on %u", netid); // Generate "<random>-dnsotls-ds.metric.gstatic.com", which we will lookup through |ss| in // order to prove that it is actually a working DNS over TLS server. @@ -177,14 +175,6 @@ bool DnsTlsTransport::validate(const DnsTlsServer& server, unsigned netid) { }; const int qlen = std::size(query); - // At validation time, we only know the netId, so we have to guess/compute the - // corresponding socket mark. - Fwmark fwmark; - fwmark.permission = PERMISSION_SYSTEM; - fwmark.explicitlySelected = true; - fwmark.protectedFromVpn = true; - fwmark.netId = netid; - unsigned mark = fwmark.intValue; int replylen = 0; DnsTlsSocketFactory factory; DnsTlsTransport transport(server, mark, &factory); diff --git a/resolv/include/netd_resolv/DnsTlsTransport.h b/resolv/include/netd_resolv/DnsTlsTransport.h index 0d314ade..011be610 100644 --- a/resolv/include/netd_resolv/DnsTlsTransport.h +++ b/resolv/include/netd_resolv/DnsTlsTransport.h @@ -57,7 +57,7 @@ public: // Check that a given TLS server is fully working on the specified netid, and has the // provided SHA-256 fingerprint (if nonempty). This function is used in ResolverController // to ensure that we don't enable DNS over TLS on networks where it doesn't actually work. - static bool validate(const DnsTlsServer& server, unsigned netid); + static bool validate(const DnsTlsServer& server, unsigned netid, uint32_t mark); // Implement IDnsTlsSocketObserver void onResponse(std::vector<uint8_t> response) override; diff --git a/resolv/libnetd_resolv.map.txt b/resolv/libnetd_resolv.map.txt index db815931..bb1e4080 100644 --- a/resolv/libnetd_resolv.map.txt +++ b/resolv/libnetd_resolv.map.txt @@ -59,7 +59,7 @@ LIBNETD_RESOLV { _ZN7android3net15DnsTlsTransport11doReconnectEv; _ZN7android3net15DnsTlsTransport5queryENS_9netdutils5SliceE; _ZN7android3net15DnsTlsTransport8onClosedEv; - _ZN7android3net15DnsTlsTransport8validateERKNS0_12DnsTlsServerEj; + _ZN7android3net15DnsTlsTransport8validateERKNS0_12DnsTlsServerEjj; _ZN7android3net15DnsTlsTransport9doConnectEv; _ZN7android3net15DnsTlsTransport9sendQueryENS0_14DnsTlsQueryMap5QueryE; _ZN7android3net15DnsTlsTransportD0Ev; diff --git a/server/ResolverController.cpp b/server/ResolverController.cpp index 2562a97d..a2991205 100644 --- a/server/ResolverController.cpp +++ b/server/ResolverController.cpp @@ -40,7 +40,9 @@ #include "DumpWriter.h" #include "EventReporter.h" +#include "Fwmark.h" #include "NetdConstants.h" +#include "Permission.h" #include "ResolverController.h" #include "ResolverStats.h" #include "netd_resolv/DnsTlsServer.h" @@ -108,11 +110,11 @@ class PrivateDnsConfiguration { typedef ResolverController::Validation Validation; typedef std::map<DnsTlsServer, Validation, AddressComparator> PrivateDnsTracker; - int set(int32_t netId, const std::vector<std::string>& servers, const std::string& name, - const std::set<std::vector<uint8_t>>& fingerprints) { + int set(uint32_t netId, uint32_t mark, const std::vector<std::string>& servers, + const std::string& name, const std::set<std::vector<uint8_t>>& fingerprints) { if (DBG) { - ALOGD("PrivateDnsConfiguration::set(%u, %zu, %s, %zu)", - netId, servers.size(), name.c_str(), fingerprints.size()); + ALOGD("PrivateDnsConfiguration::set(%u, 0x%x, %zu, %s, %zu)", netId, mark, + servers.size(), name.c_str(), fingerprints.size()); } const bool explicitlyConfigured = !name.empty() || !fingerprints.empty(); @@ -166,7 +168,7 @@ class PrivateDnsConfiguration { // Add any new or changed servers to the tracker, and initiate async checks for them. for (const auto& server : tlsServers) { if (needsValidation(tracker, server)) { - validatePrivateDnsProvider(server, tracker, netId); + validatePrivateDnsProvider(server, tracker, netId, mark); } } return 0; @@ -234,7 +236,7 @@ class PrivateDnsConfiguration { private: void validatePrivateDnsProvider(const DnsTlsServer& server, PrivateDnsTracker& tracker, - unsigned netId) REQUIRES(mPrivateDnsLock) { + unsigned netId, uint32_t mark) REQUIRES(mPrivateDnsLock) { if (DBG) { ALOGD("validatePrivateDnsProvider(%s, %u)", addrToString(&(server.ss)).c_str(), netId); } @@ -245,7 +247,7 @@ class PrivateDnsConfiguration { addrToString(&(server.ss)).c_str(), tracker.size()); } // Note that capturing |server| and |netId| in this lambda create copies. - std::thread validate_thread([this, server, netId] { + std::thread validate_thread([this, server, netId, mark] { // cat /proc/sys/net/ipv4/tcp_syn_retries yields "6". // // Start with a 1 minute delay and backoff to once per hour. @@ -267,7 +269,7 @@ class PrivateDnsConfiguration { while (true) { // ::validate() is a blocking call that performs network operations. // It can take milliseconds to minutes, up to the SYN retry limit. - const bool success = DnsTlsTransport::validate(server, netId); + const bool success = DnsTlsTransport::validate(server, netId, mark); if (DBG) { ALOGD("validateDnsTlsServer returned %d for %s", success, addrToString(&(server.ss)).c_str()); @@ -510,7 +512,16 @@ int ResolverController::setResolverConfiguration(int32_t netId, return -EINVAL; } - const int err = sPrivateDnsConfiguration.set(netId, tlsServers, tlsName, tlsFingerprints); + // At private DNS validation time, we only know the netId, so we have to guess/compute the + // corresponding socket mark. + Fwmark fwmark; + fwmark.netId = netId; + fwmark.explicitlySelected = true; + fwmark.protectedFromVpn = true; + fwmark.permission = PERMISSION_SYSTEM; + + const int err = sPrivateDnsConfiguration.set(netId, fwmark.intValue, tlsServers, tlsName, + tlsFingerprints); if (err != 0) { return err; } |