LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge "Merge "Use tunnel local/remote addresses in security policies" am: 8424a78b75 am: 6b66877f18" into pi-dev-plus-aosp

Browse Source 
am: 74fc889c8c

Change-Id: I1c5c03777f1ae8dc3bc08096a06824d99a982738
This commit is contained in:
Benedict Wong
2018-08-31 11:45:09 -07:00
committed by android-build-merger
parent 33ca705a18 9cdc11d5ef
commit 0e2450fddb
1 changed files with 46 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
services/core/java/com/android/server/IpSecService.java
View File

@@ -27,7 +27,6 @@ import static com.android.internal.util.Preconditions.checkNotNull;
import android.annotation.NonNull; import android.annotation.NonNull;
import android.app.AppOpsManager; import android.app.AppOpsManager;
import android.content.Context; import android.content.Context;
import android.net.ConnectivityManager;
import android.net.IIpSecService; import android.net.IIpSecService;
import android.net.INetd; import android.net.INetd;
import android.net.IpSecAlgorithm; import android.net.IpSecAlgorithm;
@@ -44,7 +43,6 @@ import android.net.NetworkUtils;
import android.net.TrafficStats; import android.net.TrafficStats;
import android.net.util.NetdService; import android.net.util.NetdService;
import android.os.Binder; import android.os.Binder;
import android.os.DeadSystemException;
import android.os.IBinder; import android.os.IBinder;
import android.os.ParcelFileDescriptor; import android.os.ParcelFileDescriptor;
import android.os.RemoteException; import android.os.RemoteException;
@@ -89,9 +87,8 @@ public class IpSecService extends IIpSecService.Stub {
private static final boolean DBG = Log.isLoggable(TAG, Log.DEBUG); private static final boolean DBG = Log.isLoggable(TAG, Log.DEBUG);
private static final String NETD_SERVICE_NAME = "netd"; private static final String NETD_SERVICE_NAME = "netd";
private static final int[] DIRECTIONS = private static final int[] ADDRESS_FAMILIES =
new int[] {IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_IN}; new int[] {OsConstants.AF_INET, OsConstants.AF_INET6};
private static final String[] WILDCARD_ADDRESSES = new String[]{"0.0.0.0", "::"};
private static final int NETD_FETCH_TIMEOUT_MS = 5000; // ms private static final int NETD_FETCH_TIMEOUT_MS = 5000; // ms
private static final int MAX_PORT_BIND_ATTEMPTS = 10; private static final int MAX_PORT_BIND_ATTEMPTS = 10;
@@ -819,16 +816,22 @@ public class IpSecService extends IIpSecService.Stub {
// Teardown VTI // Teardown VTI
// Delete global policies // Delete global policies
try { try {
mSrvConfig.getNetdInstance().removeVirtualTunnelInterface(mInterfaceName); final INetd netd = mSrvConfig.getNetdInstance();
netd.removeVirtualTunnelInterface(mInterfaceName);
for(String wildcardAddr : WILDCARD_ADDRESSES) { for (int selAddrFamily : ADDRESS_FAMILIES) {
for (int direction : DIRECTIONS) { netd.ipSecDeleteSecurityPolicy(
int mark = (direction == IpSecManager.DIRECTION_IN) ? mIkey : mOkey; 0,
mSrvConfig selAddrFamily,
.getNetdInstance() IpSecManager.DIRECTION_OUT,
.ipSecDeleteSecurityPolicy( mOkey,
0, direction, wildcardAddr, wildcardAddr, mark, 0xffffffff); 0xffffffff);
} netd.ipSecDeleteSecurityPolicy(
0,
selAddrFamily,
IpSecManager.DIRECTION_IN,
mIkey,
0xffffffff);
} }
} catch (ServiceSpecificException | RemoteException e) { } catch (ServiceSpecificException | RemoteException e) {
Log.e( Log.e(
@@ -1276,25 +1279,29 @@ public class IpSecService extends IIpSecService.Stub {
// Create VTI // Create VTI
// Add inbound/outbound global policies // Add inbound/outbound global policies
// (use reqid = 0) // (use reqid = 0)
mSrvConfig final INetd netd = mSrvConfig.getNetdInstance();
.getNetdInstance() netd.addVirtualTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey);
.addVirtualTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey);
for(String wildcardAddr : WILDCARD_ADDRESSES) { for (int selAddrFamily : ADDRESS_FAMILIES) {
for (int direction : DIRECTIONS) { // Always send down correct local/remote addresses for template.
int mark = (direction == IpSecManager.DIRECTION_OUT) ? okey : ikey; netd.ipSecAddSecurityPolicy(
0, // Use 0 for reqId
mSrvConfig selAddrFamily,
.getNetdInstance() IpSecManager.DIRECTION_OUT,
.ipSecAddSecurityPolicy( localAddr,
0, // Use 0 for reqId remoteAddr,
direction, 0,
wildcardAddr, okey,
wildcardAddr, 0xffffffff);
0, netd.ipSecAddSecurityPolicy(
mark, 0, // Use 0 for reqId
0xffffffff); selAddrFamily,
} IpSecManager.DIRECTION_IN,
remoteAddr,
localAddr,
0,
ikey,
0xffffffff);
} }
userRecord.mTunnelInterfaceRecords.put( userRecord.mTunnelInterfaceRecords.put(
@@ -1693,9 +1700,9 @@ public class IpSecService extends IIpSecService.Stub {
SpiRecord spiRecord = userRecord.mSpiRecords.getResourceOrThrow(c.getSpiResourceId()); SpiRecord spiRecord = userRecord.mSpiRecords.getResourceOrThrow(c.getSpiResourceId());
int mark = int mark =
(direction == IpSecManager.DIRECTION_IN) (direction == IpSecManager.DIRECTION_OUT)
? tunnelInterfaceInfo.getIkey() ? tunnelInterfaceInfo.getOkey()
: tunnelInterfaceInfo.getOkey(); : tunnelInterfaceInfo.getIkey();
try { try {
c.setMarkValue(mark); c.setMarkValue(mark);
@@ -1706,14 +1713,15 @@ public class IpSecService extends IIpSecService.Stub {
c.setNetwork(tunnelInterfaceInfo.getUnderlyingNetwork()); c.setNetwork(tunnelInterfaceInfo.getUnderlyingNetwork());
// If outbound, also add SPI to the policy. // If outbound, also add SPI to the policy.
for(String wildcardAddr : WILDCARD_ADDRESSES) { for (int selAddrFamily : ADDRESS_FAMILIES) {
mSrvConfig mSrvConfig
.getNetdInstance() .getNetdInstance()
.ipSecUpdateSecurityPolicy( .ipSecUpdateSecurityPolicy(
0, // Use 0 for reqId 0, // Use 0 for reqId
selAddrFamily,
direction, direction,
wildcardAddr, tunnelInterfaceInfo.getLocalAddress(),
wildcardAddr, tunnelInterfaceInfo.getRemoteAddress(),
transformInfo.getSpiRecord().getSpi(), transformInfo.getSpiRecord().getSpi(),
mark, mark,
0xffffffff); 0xffffffff);