LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disable attempted updating of SA marks

Browse Source 
SA marks are never updated during the UPDSA call. This change disables
the attempts to update the specified SAs, ensuring that the config
stored in IpSecService matches that of the allocated kernel resources.

Bug: 111854872
Test: Unit, CTS tests passing
Change-Id: Ic1fb862c8021ffa260c3e262ec698d8af0a826d9
This commit is contained in:
Benedict Wong
2018-07-25 18:46:19 -07:00
parent 6d49d8da7e
commit 683441d87a
2 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
core/java/android/net/IpSecConfig.java
View File

@@ -65,7 +65,7 @@ public final class IpSecConfig implements Parcelable {
// An interval, in seconds between the NattKeepalive packets
private int mNattKeepaliveInterval;
// XFRM mark and mask
// XFRM mark and mask; defaults to 0 (no mark/mask)
private int mMarkValue;
private int mMarkMask;
@@ -125,10 +125,22 @@ public final class IpSecConfig implements Parcelable {
mNattKeepaliveInterval = interval;
}
/**
* Sets the mark value
*
* <p>Internal (System server) use only. Marks passed in by users will be overwritten or
* ignored.
*/
public void setMarkValue(int mark) {
mMarkValue = mark;
}
/**
* Sets the mark mask
*
* <p>Internal (System server) use only. Marks passed in by users will be overwritten or
* ignored.
*/
public void setMarkMask(int mask) {
mMarkMask = mask;
}

20
services/core/java/com/android/server/IpSecService.java
View File

@@ -24,6 +24,7 @@ import static android.system.OsConstants.AF_UNSPEC;
import static android.system.OsConstants.EINVAL;
import static android.system.OsConstants.IPPROTO_UDP;
import static android.system.OsConstants.SOCK_DGRAM;
import static com.android.internal.util.Preconditions.checkNotNull;
import android.annotation.NonNull;
@@ -62,6 +63,8 @@ import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.Preconditions;
import libcore.io.IoUtils;
import java.io.FileDescriptor;
import java.io.IOException;
import java.io.PrintWriter;
@@ -73,8 +76,6 @@ import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import libcore.io.IoUtils;
/**
* A service to manage multiple clients that want to access the IpSec API. The service is
* responsible for maintaining a list of clients and managing the resources (and related quotas)
@@ -1523,6 +1524,9 @@ public class IpSecService extends IIpSecService.Stub {
throw new IllegalArgumentException(
"Invalid IpSecTransform.mode: " + config.getMode());
}
config.setMarkValue(0);
config.setMarkMask(0);
}
private static final String TUNNEL_OP = AppOpsManager.OPSTR_MANAGE_IPSEC_TUNNELS;
@@ -1740,8 +1744,14 @@ public class IpSecService extends IIpSecService.Stub {
: tunnelInterfaceInfo.getIkey();
try {
c.setMarkValue(mark);
c.setMarkMask(0xffffffff);
// TODO: enable this when UPDSA supports updating marks. Adding kernel support upstream
// (and backporting) would allow us to narrow the mark space, and ensure that the SA
// and SPs have matching marks (as VTI are meant to be built).
// Currently update does nothing with marks. Leave empty (defaulting to 0) to ensure the
// config matches the actual allocated resources in the kernel.
//
// c.setMarkValue(mark);
// c.setMarkMask(0xffffffff);
if (direction == IpSecManager.DIRECTION_OUT) {
// Set output mark via underlying network (output only)
@@ -1758,7 +1768,7 @@ public class IpSecService extends IIpSecService.Stub {
tunnelInterfaceInfo.getLocalAddress(),
tunnelInterfaceInfo.getRemoteAddress(),
transformInfo.getSpiRecord().getSpi(),
mark,
mark, // Must always set policy mark; ikey/okey for VTIs
0xffffffff);
}
}