LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge "Add clarifying comments on for IPsec forward policies" am: 1a88665f3c

Browse Source 
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1702525

Change-Id: I7267d331065ceadb830a14170920810f053eacb8
This commit is contained in:
Benedict Wong
2021-05-11 17:17:53 +00:00
committed by Automerger Merge Worker
parent a47a93c64d 0c8ff5c720
commit 5ef4da5dd2
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
services/core/java/com/android/server/IpSecService.java
View File

@@ -1112,7 +1112,7 @@ public class IpSecService extends IIpSecService.Stub {
case IpSecManager.DIRECTION_IN: case IpSecManager.DIRECTION_IN:
return; return;
case IpSecManager.DIRECTION_FWD: case IpSecManager.DIRECTION_FWD:
// Only NETWORK_STACK or PERMISSION_NETWORK_STACK allowed to use forward policies // Only NETWORK_STACK or MAINLINE_NETWORK_STACK allowed to use forward policies
PermissionUtils.enforceNetworkStackPermission(mContext); PermissionUtils.enforceNetworkStackPermission(mContext);
return; return;
} }
@@ -1358,6 +1358,16 @@ public class IpSecService extends IIpSecService.Stub {
ikey, ikey,
0xffffffff, 0xffffffff,
resourceId); resourceId);
// Add a forwarding policy on the tunnel interface. In order to support forwarding
// the IpSecTunnelInterface must have a forwarding policy matching the incoming SA.
//
// Unless a IpSecTransform is also applied against this interface in DIRECTION_FWD,
// forwarding will be blocked by default (as would be the case if this policy was
// absent).
//
// This is necessary only on the tunnel interface, and not any the interface to
// which traffic will be forwarded to.
netd.ipSecAddSecurityPolicy( netd.ipSecAddSecurityPolicy(
callerUid, callerUid,
selAddrFamily, selAddrFamily,