Clean up restrictions on network agent capabilities

This is a no-op change. Test: FrameworkNetTests Change-Id: I658e579bf49e1baf57a8aeaabc8d07d7d3293c56
2022-01-28 19:29:12 +09:00
parent 366c525b15
commit 1522857564
2 changed files with 23 additions and 15 deletions
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -3348,15 +3348,8 @@ public class ConnectivityService extends IConnectivityManager.Stub

            switch (msg.what) {
                case NetworkAgent.EVENT_NETWORK_CAPABILITIES_CHANGED: {
-                    NetworkCapabilities networkCapabilities = (NetworkCapabilities) arg.second;
-                    if (networkCapabilities.hasConnectivityManagedCapability()) {
-                        Log.wtf(TAG, "BUG: " + nai + " has CS-managed capability.");
-                    }
-                    // Make sure the original object is not mutated. NetworkAgent normally
-                    // makes a copy of the capabilities when sending the message through
-                    // the Messenger, but if this ever changes, not making a defensive copy
-                    // here will give attack vectors to clients using this code path.
-                    networkCapabilities = new NetworkCapabilities(networkCapabilities);
+                    final NetworkCapabilities networkCapabilities = new NetworkCapabilities(
+                            (NetworkCapabilities) arg.second);
                    processCapabilitiesFromAgent(nai, networkCapabilities);
                    updateCapabilities(nai.getCurrentScore(), nai, networkCapabilities);
                    break;
@@ -6451,9 +6444,10 @@ public class ConnectivityService extends IConnectivityManager.Stub
        ensureRequestableCapabilities(networkCapabilities);
        ensureSufficientPermissionsForRequest(networkCapabilities,
                Binder.getCallingPid(), callingUid, callingPackageName);
-        ensureValidNetworkSpecifier(networkCapabilities);
        restrictRequestUidsForCallerAndSetRequestorInfo(networkCapabilities,
                callingUid, callingPackageName);
+        ensureValid(networkCapabilities);
+
        NetworkRequest networkRequest = new NetworkRequest(networkCapabilities, TYPE_NONE,
                nextNetworkRequestId(), NetworkRequest.Type.REQUEST);
        NetworkRequestInfo nri = new NetworkRequestInfo(callingUid, networkRequest, operation,
@@ -7471,9 +7465,11 @@ public class ConnectivityService extends IConnectivityManager.Stub
     * Stores into |nai| any data coming from the agent that might also be written to the network's
     * NetworkCapabilities by ConnectivityService itself. This ensures that the data provided by the
     * agent is not lost when updateCapabilities is called.
-     * This method should never alter the agent's NetworkCapabilities, only store data in |nai|.
     */
    private void processCapabilitiesFromAgent(NetworkAgentInfo nai, NetworkCapabilities nc) {
+        if (nc.hasConnectivityManagedCapability()) {
+            Log.wtf(TAG, "BUG: " + nai + " has CS-managed capability.");
+        }
        // Note: resetting the owner UID before storing the agent capabilities in NAI means that if
        // the agent attempts to change the owner UID, then nai.declaredCapabilities will not
        // actually be the same as the capabilities sent by the agent. Still, it is safer to reset
@@ -7484,9 +7480,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
            nc.setOwnerUid(nai.networkCapabilities.getOwnerUid());
        }
        nai.declaredCapabilities = new NetworkCapabilities(nc);
-        if (nc.hasTransport(TRANSPORT_TEST)) {
-            nc.restrictCapabilitiesForTestNetwork(nai.creatorUid);
-        }
+        NetworkAgentInfo.restrictCapabilitiesFromNetworkAgent(nc, nai.creatorUid);
    }

    /** Modifies |newNc| based on the capabilities of |underlyingNetworks| and |agentCaps|. */
@@ -9847,7 +9841,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
                android.Manifest.permission.NETWORK_STACK);
        final NetworkCapabilities nc = getNetworkCapabilitiesInternal(network);
        if (!nc.hasTransport(TRANSPORT_TEST)) {
-            throw new SecurityException("Data Stall simluation is only possible for test networks");
+            throw new SecurityException("Data Stall simulation is only possible for test networks");
        }

        final NetworkAgentInfo nai = getNetworkAgentInfoForNetwork(network);
--- a/service/src/com/android/server/connectivity/NetworkAgentInfo.java
+++ b/service/src/com/android/server/connectivity/NetworkAgentInfo.java
@@ -18,6 +18,7 @@ package com.android.server.connectivity;

 import static android.net.ConnectivityDiagnosticsManager.ConnectivityReport;
 import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR;
+import static android.net.NetworkCapabilities.TRANSPORT_TEST;
 import static android.net.NetworkCapabilities.transportNamesOf;

 import android.annotation.NonNull;
@@ -1188,6 +1189,19 @@ public class NetworkAgentInfo implements Comparable<NetworkAgentInfo>, NetworkRa
        return mConnectivityReport;
    }

+    /**
+     * Make sure the NC from network agents don't contain stuff they shouldn't.
+     *
+     * @param nc the capabilities to sanitize
+     * @param creatorUid the UID of the process creating this network agent
+     */
+    public static void restrictCapabilitiesFromNetworkAgent(@NonNull final NetworkCapabilities nc,
+            final int creatorUid) {
+        if (nc.hasTransport(TRANSPORT_TEST)) {
+            nc.restrictCapabilitiesForTestNetwork(creatorUid);
+        }
+    }
+
    // TODO: Print shorter members first and only print the boolean variable which value is true
    // to improve readability.
    public String toString() {