LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use UID as requestID

Browse Source 
This change makes all requestIDs use the UID of the creator, ensuring
that rekeys always use the same requestID. This also has the nice
property of separating app's resources from each other, and allowing for
identification of which app/UID allocated the resources from
command-line dumps (eg ip xfrm state show)

Bug: 111841561
Test: Updated tests & passing taimen
Change-Id: I4f1eadcdb795766ae4682b15e41727359c52fa38
This commit is contained in:
Benedict Wong
2018-07-25 13:06:29 -07:00
parent 38e52973d2
commit 6d0cd0b7b6
1 changed files with 19 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
services/core/java/com/android/server/IpSecService.java
View File

@@ -612,7 +612,7 @@ public class IpSecService extends IIpSecService.Stub {
mSrvConfig mSrvConfig
.getNetdInstance() .getNetdInstance()
.ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation(
mResourceId, uid,
mConfig.getSourceAddress(), mConfig.getSourceAddress(),
mConfig.getDestinationAddress(), mConfig.getDestinationAddress(),
spi, spi,
@@ -679,7 +679,7 @@ public class IpSecService extends IIpSecService.Stub {
mSrvConfig mSrvConfig
.getNetdInstance() .getNetdInstance()
.ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation(
mResourceId, mSourceAddress, mDestinationAddress, mSpi, 0, 0); uid, mSourceAddress, mDestinationAddress, mSpi, 0, 0);
} }
} catch (ServiceSpecificException | RemoteException e) { } catch (ServiceSpecificException | RemoteException e) {
Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId, e); Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId, e);
@@ -821,13 +821,13 @@ public class IpSecService extends IIpSecService.Stub {
for (int selAddrFamily : ADDRESS_FAMILIES) { for (int selAddrFamily : ADDRESS_FAMILIES) {
netd.ipSecDeleteSecurityPolicy( netd.ipSecDeleteSecurityPolicy(
0, uid,
selAddrFamily, selAddrFamily,
IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_OUT,
mOkey, mOkey,
0xffffffff); 0xffffffff);
netd.ipSecDeleteSecurityPolicy( netd.ipSecDeleteSecurityPolicy(
0, uid,
selAddrFamily, selAddrFamily,
IpSecManager.DIRECTION_IN, IpSecManager.DIRECTION_IN,
mIkey, mIkey,
@@ -1083,7 +1083,8 @@ public class IpSecService extends IIpSecService.Stub {
} }
checkNotNull(binder, "Null Binder passed to allocateSecurityParameterIndex"); checkNotNull(binder, "Null Binder passed to allocateSecurityParameterIndex");
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid();
UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid);
final int resourceId = mNextResourceId++; final int resourceId = mNextResourceId++;
int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX; int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX;
@@ -1096,7 +1097,7 @@ public class IpSecService extends IIpSecService.Stub {
spi = spi =
mSrvConfig mSrvConfig
.getNetdInstance() .getNetdInstance()
.ipSecAllocateSpi(resourceId, "", destinationAddress, requestedSpi); .ipSecAllocateSpi(callingUid, "", destinationAddress, requestedSpi);
Log.d(TAG, "Allocated SPI " + spi); Log.d(TAG, "Allocated SPI " + spi);
userRecord.mSpiRecords.put( userRecord.mSpiRecords.put(
resourceId, resourceId,
@@ -1264,7 +1265,8 @@ public class IpSecService extends IIpSecService.Stub {
// TODO: Check that underlying network exists, and IP addresses not assigned to a different // TODO: Check that underlying network exists, and IP addresses not assigned to a different
// network (b/72316676). // network (b/72316676).
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callerUid = Binder.getCallingUid();
UserRecord userRecord = mUserResourceTracker.getUserRecord(callerUid);
if (!userRecord.mTunnelQuotaTracker.isAvailable()) { if (!userRecord.mTunnelQuotaTracker.isAvailable()) {
return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE);
} }
@@ -1285,7 +1287,7 @@ public class IpSecService extends IIpSecService.Stub {
for (int selAddrFamily : ADDRESS_FAMILIES) { for (int selAddrFamily : ADDRESS_FAMILIES) {
// Always send down correct local/remote addresses for template. // Always send down correct local/remote addresses for template.
netd.ipSecAddSecurityPolicy( netd.ipSecAddSecurityPolicy(
0, // Use 0 for reqId callerUid,
selAddrFamily, selAddrFamily,
IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_OUT,
localAddr, localAddr,
@@ -1294,7 +1296,7 @@ public class IpSecService extends IIpSecService.Stub {
okey, okey,
0xffffffff); 0xffffffff);
netd.ipSecAddSecurityPolicy( netd.ipSecAddSecurityPolicy(
0, // Use 0 for reqId callerUid,
selAddrFamily, selAddrFamily,
IpSecManager.DIRECTION_IN, IpSecManager.DIRECTION_IN,
remoteAddr, remoteAddr,
@@ -1532,7 +1534,7 @@ public class IpSecService extends IIpSecService.Stub {
mSrvConfig mSrvConfig
.getNetdInstance() .getNetdInstance()
.ipSecAddSecurityAssociation( .ipSecAddSecurityAssociation(
resourceId, Binder.getCallingUid(),
c.getMode(), c.getMode(),
c.getSourceAddress(), c.getSourceAddress(),
c.getDestinationAddress(), c.getDestinationAddress(),
@@ -1623,13 +1625,14 @@ public class IpSecService extends IIpSecService.Stub {
@Override @Override
public synchronized void applyTransportModeTransform( public synchronized void applyTransportModeTransform(
ParcelFileDescriptor socket, int direction, int resourceId) throws RemoteException { ParcelFileDescriptor socket, int direction, int resourceId) throws RemoteException {
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid();
UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid);
checkDirection(direction); checkDirection(direction);
// Get transform record; if no transform is found, will throw IllegalArgumentException // Get transform record; if no transform is found, will throw IllegalArgumentException
TransformRecord info = userRecord.mTransformRecords.getResourceOrThrow(resourceId); TransformRecord info = userRecord.mTransformRecords.getResourceOrThrow(resourceId);
// TODO: make this a function. // TODO: make this a function.
if (info.pid != getCallingPid() || info.uid != getCallingUid()) { if (info.pid != getCallingPid() || info.uid != callingUid) {
throw new SecurityException("Only the owner of an IpSec Transform may apply it!"); throw new SecurityException("Only the owner of an IpSec Transform may apply it!");
} }
@@ -1643,7 +1646,7 @@ public class IpSecService extends IIpSecService.Stub {
.getNetdInstance() .getNetdInstance()
.ipSecApplyTransportModeTransform( .ipSecApplyTransportModeTransform(
socket.getFileDescriptor(), socket.getFileDescriptor(),
resourceId, callingUid,
direction, direction,
c.getSourceAddress(), c.getSourceAddress(),
c.getDestinationAddress(), c.getDestinationAddress(),
@@ -1675,7 +1678,8 @@ public class IpSecService extends IIpSecService.Stub {
enforceTunnelPermissions(callingPackage); enforceTunnelPermissions(callingPackage);
checkDirection(direction); checkDirection(direction);
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid();
UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid);
// Get transform record; if no transform is found, will throw IllegalArgumentException // Get transform record; if no transform is found, will throw IllegalArgumentException
TransformRecord transformInfo = TransformRecord transformInfo =
@@ -1717,7 +1721,7 @@ public class IpSecService extends IIpSecService.Stub {
mSrvConfig mSrvConfig
.getNetdInstance() .getNetdInstance()
.ipSecUpdateSecurityPolicy( .ipSecUpdateSecurityPolicy(
0, // Use 0 for reqId callingUid,
selAddrFamily, selAddrFamily,
direction, direction,
tunnelInterfaceInfo.getLocalAddress(), tunnelInterfaceInfo.getLocalAddress(),