From e22ac8d3d0d96a8eb764e2e22bf22578f563c4aa Mon Sep 17 00:00:00 2001
From: Ken Chen
Date: Sat, 24 Dec 2022 09:24:56 +0800
Subject: Restrict DNS by UID-based network permission
Modify evaluateDomainNameCallback to report whether the specified network for DNS query is available for the UID.
Bug: 263219497
Test: resolv_integration_tests
Change-Id: I21bc06442b91f291efd96db98340ebfba0fee99d
---
 server/NetworkController.cpp | 9 +++++++++
 server/NetworkController.h | 1 +
 server/main.cpp | 10 +++++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 0d716adf..c16c7b7d 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -825,6 +825,15 @@ int NetworkController::setNetworkAllowlist(
 return 0;
 }
+bool NetworkController::isUidAllowed(unsigned netId, uid_t uid) const {
+ const ScopedRLock lock(mRWLock);
+ Network* network = getNetworkLocked(netId);
+ if (network && network->isUidAllowed(uid)) {
+ return true;
+ }
+ return false;
+}
+
 bool NetworkController::isValidNetworkLocked(unsigned netId) const {
 return getNetworkLocked(netId);
 }
diff --git a/server/NetworkController.h b/server/NetworkController.h
index 386733ad..dd17d901 100644
--- a/server/NetworkController.h
+++ b/server/NetworkController.h
@@ -148,6 +148,7 @@ public:
 void dump(netdutils::DumpWriter& dw);
 int setNetworkAllowlist(const std::vector& settings);
+ bool isUidAllowed(unsigned netId, uid_t uid) const;
 private:
 bool isValidNetworkLocked(unsigned netId) const;
diff --git a/server/main.cpp b/server/main.cpp
index 35c53de7..3c6b0d52 100644
--- a/server/main.cpp
+++ b/server/main.cpp
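Review bot: The body of the new `NetworkController::isUidAllowed` spells a boolean out as an if / return true / return false chain; the same result reads more directly as one expression, `return network && network->isUidAllowed(uid);`. The null result from `getNetworkLocked` for an unknown netId makes the function answer false, which is the right fail-closed outcome but is easy to read as incidental; a short comment above the lookup, `// An unknown netId is denied (fail closed).`, records it as intended. The read lock is taken for the whole lookup and check, which is correct given `getNetworkLocked` is a locked helper.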
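Review bot: The new public declaration `bool isUidAllowed(unsigned netId, uid_t uid) const;` in NetworkController.h has no comment describing its contract, so a header reader cannot tell what an unknown netId yields or that it takes a lock. Suggest two lines above it: `// Returns true if netId names an existing network that uid is permitted to use.` and `// Takes mRWLock for reading; an unknown netId yields false.`. Both statements follow from the definition added in NetworkController.cpp in this same commit.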
@@ -96,7 +96,15 @@ int tagSocketCallback(int sockFd, uint32_t tag, uid_t uid, pid_t) {
 return libnetd_updatable_tagSocket(sockFd, tag, uid, AID_DNS);
 }
-bool evaluateDomainNameCallback(const android_net_context&, const char* /*name*/) {
+bool evaluateDomainNameCallback(const android_net_context& netcontext, const char* /*name*/) {
+ // OEMs should NOT modify IF statement, or DNS control provided by mainline modules may break.
+ if (!gCtls->netCtrl.isUidAllowed(netcontext.app_netid, netcontext.uid)) {
+ ALOGI("uid %d is not allowed to use netid %u", netcontext.uid, netcontext.app_netid);
+ return false;
+ }
+
+ // Add OEM customization from here
+ // ...
 return true;
 }
-- 
cgit v1.2.3
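Review bot: The `ALOGI` in `evaluateDomainNameCallback` formats `netcontext.uid` with `%d` although `uid_t` is an unsigned type, while `app_netid` on the same line already uses `%u`; make the two consistent, `ALOGI("uid %u is not allowed to use netid %u", netcontext.uid, netcontext.app_netid);`. The check is keyed on `netcontext.app_netid` only; if the context can carry a `dns_netid` that differs from `app_netid` for some queries, it is worth confirming with a test that the permission check covers the network the query is actually sent on, not only the app's nominal one. This log line fires once per denied query from an unprivileged caller, so consider whether it should be rate-limited or dropped to a verbose level so a misbehaving app cannot flood the log. The enclosing function is fully contained in the hunk.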