LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge "Merge "Use tunnel local/remote addresses in security policies" am: 8424a78b75 am: 6b66877f18" into pi-dev-plus-aosp

Browse Source 
am: 74fc889c8c

Change-Id: I1c5c03777f1ae8dc3bc08096a06824d99a982738
This commit is contained in:
Benedict Wong
2018-08-31 11:45:09 -07:00
committed by android-build-merger
parent 33ca705a18 9cdc11d5ef
commit 0e2450fddb
1 changed files with 46 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
services/core/java/com/android/server/IpSecService.java
View File

@@ -27,7 +27,6 @@ import static com.android.internal.util.Preconditions.checkNotNull;
import android.annotation.NonNull;
import android.app.AppOpsManager;
import android.content.Context;
import android.net.ConnectivityManager;
import android.net.IIpSecService;
import android.net.INetd;
import android.net.IpSecAlgorithm;
@@ -44,7 +43,6 @@ import android.net.NetworkUtils;
import android.net.TrafficStats;
import android.net.util.NetdService;
import android.os.Binder;
import android.os.DeadSystemException;
import android.os.IBinder;
import android.os.ParcelFileDescriptor;
import android.os.RemoteException;
@@ -89,9 +87,8 @@ public class IpSecService extends IIpSecService.Stub {
private static final boolean DBG = Log.isLoggable(TAG, Log.DEBUG);
private static final String NETD_SERVICE_NAME = "netd";
private static final int[] DIRECTIONS =
new int[] {IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_IN};
private static final String[] WILDCARD_ADDRESSES = new String[]{"0.0.0.0", "::"};
private static final int[] ADDRESS_FAMILIES =
new int[] {OsConstants.AF_INET, OsConstants.AF_INET6};
private static final int NETD_FETCH_TIMEOUT_MS = 5000; // ms
private static final int MAX_PORT_BIND_ATTEMPTS = 10;
@@ -819,16 +816,22 @@ public class IpSecService extends IIpSecService.Stub {
// Teardown VTI
// Delete global policies
try {
mSrvConfig.getNetdInstance().removeVirtualTunnelInterface(mInterfaceName);
final INetd netd = mSrvConfig.getNetdInstance();
netd.removeVirtualTunnelInterface(mInterfaceName);
for(String wildcardAddr : WILDCARD_ADDRESSES) {
for (int direction : DIRECTIONS) {
int mark = (direction == IpSecManager.DIRECTION_IN) ? mIkey : mOkey;
mSrvConfig
.getNetdInstance()
.ipSecDeleteSecurityPolicy(
0, direction, wildcardAddr, wildcardAddr, mark, 0xffffffff);
}
for (int selAddrFamily : ADDRESS_FAMILIES) {
netd.ipSecDeleteSecurityPolicy(
0,
selAddrFamily,
IpSecManager.DIRECTION_OUT,
mOkey,
0xffffffff);
netd.ipSecDeleteSecurityPolicy(
0,
selAddrFamily,
IpSecManager.DIRECTION_IN,
mIkey,
0xffffffff);
}
} catch (ServiceSpecificException | RemoteException e) {
Log.e(
@@ -1276,25 +1279,29 @@ public class IpSecService extends IIpSecService.Stub {
// Create VTI
// Add inbound/outbound global policies
// (use reqid = 0)
mSrvConfig
.getNetdInstance()
.addVirtualTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey);
final INetd netd = mSrvConfig.getNetdInstance();
netd.addVirtualTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey);
for(String wildcardAddr : WILDCARD_ADDRESSES) {
for (int direction : DIRECTIONS) {
int mark = (direction == IpSecManager.DIRECTION_OUT) ? okey : ikey;
mSrvConfig
.getNetdInstance()
.ipSecAddSecurityPolicy(
for (int selAddrFamily : ADDRESS_FAMILIES) {
// Always send down correct local/remote addresses for template.
netd.ipSecAddSecurityPolicy(
0, // Use 0 for reqId
direction,
wildcardAddr,
wildcardAddr,
selAddrFamily,
IpSecManager.DIRECTION_OUT,
localAddr,
remoteAddr,
0,
mark,
okey,
0xffffffff);
netd.ipSecAddSecurityPolicy(
0, // Use 0 for reqId
selAddrFamily,
IpSecManager.DIRECTION_IN,
remoteAddr,
localAddr,
0,
ikey,
0xffffffff);
}
}
userRecord.mTunnelInterfaceRecords.put(
@@ -1693,9 +1700,9 @@ public class IpSecService extends IIpSecService.Stub {
SpiRecord spiRecord = userRecord.mSpiRecords.getResourceOrThrow(c.getSpiResourceId());
int mark =
(direction == IpSecManager.DIRECTION_IN)
? tunnelInterfaceInfo.getIkey()
: tunnelInterfaceInfo.getOkey();
(direction == IpSecManager.DIRECTION_OUT)
? tunnelInterfaceInfo.getOkey()
: tunnelInterfaceInfo.getIkey();
try {
c.setMarkValue(mark);
@@ -1706,14 +1713,15 @@ public class IpSecService extends IIpSecService.Stub {
c.setNetwork(tunnelInterfaceInfo.getUnderlyingNetwork());
// If outbound, also add SPI to the policy.
for(String wildcardAddr : WILDCARD_ADDRESSES) {
for (int selAddrFamily : ADDRESS_FAMILIES) {
mSrvConfig
.getNetdInstance()
.ipSecUpdateSecurityPolicy(
0, // Use 0 for reqId
selAddrFamily,
direction,
wildcardAddr,
wildcardAddr,
tunnelInterfaceInfo.getLocalAddress(),
tunnelInterfaceInfo.getRemoteAddress(),
transformInfo.getSpiRecord().getSpi(),
mark,
0xffffffff);