LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use UID as requestID

Browse Source 
This change makes all requestIDs use the UID of the creator, ensuring
that rekeys always use the same requestID. This also has the nice
property of separating app's resources from each other, and allowing for
identification of which app/UID allocated the resources from
command-line dumps (eg ip xfrm state show)

Bug: 111841561
Test: Updated tests & passing taimen
Change-Id: I4f1eadcdb795766ae4682b15e41727359c52fa38
This commit is contained in:
Benedict Wong
2018-07-25 13:06:29 -07:00
parent 38e52973d2
commit 6d0cd0b7b6
1 changed files with 19 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
services/core/java/com/android/server/IpSecService.java
View File

@@ -612,7 +612,7 @@ public class IpSecService extends IIpSecService.Stub {
mSrvConfig
.getNetdInstance()
.ipSecDeleteSecurityAssociation(
mResourceId,
uid,
mConfig.getSourceAddress(),
mConfig.getDestinationAddress(),
spi,
@@ -679,7 +679,7 @@ public class IpSecService extends IIpSecService.Stub {
mSrvConfig
.getNetdInstance()
.ipSecDeleteSecurityAssociation(
mResourceId, mSourceAddress, mDestinationAddress, mSpi, 0, 0);
uid, mSourceAddress, mDestinationAddress, mSpi, 0, 0);
}
} catch (ServiceSpecificException | RemoteException e) {
Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId, e);
@@ -821,13 +821,13 @@ public class IpSecService extends IIpSecService.Stub {
for (int selAddrFamily : ADDRESS_FAMILIES) {
netd.ipSecDeleteSecurityPolicy(
0,
uid,
selAddrFamily,
IpSecManager.DIRECTION_OUT,
mOkey,
0xffffffff);
netd.ipSecDeleteSecurityPolicy(
0,
uid,
selAddrFamily,
IpSecManager.DIRECTION_IN,
mIkey,
@@ -1083,7 +1083,8 @@ public class IpSecService extends IIpSecService.Stub {
}
checkNotNull(binder, "Null Binder passed to allocateSecurityParameterIndex");
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
int callingUid = Binder.getCallingUid();
UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid);
final int resourceId = mNextResourceId++;
int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX;
@@ -1096,7 +1097,7 @@ public class IpSecService extends IIpSecService.Stub {
spi =
mSrvConfig
.getNetdInstance()
.ipSecAllocateSpi(resourceId, "", destinationAddress, requestedSpi);
.ipSecAllocateSpi(callingUid, "", destinationAddress, requestedSpi);
Log.d(TAG, "Allocated SPI " + spi);
userRecord.mSpiRecords.put(
resourceId,
@@ -1264,7 +1265,8 @@ public class IpSecService extends IIpSecService.Stub {
// TODO: Check that underlying network exists, and IP addresses not assigned to a different
// network (b/72316676).
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
int callerUid = Binder.getCallingUid();
UserRecord userRecord = mUserResourceTracker.getUserRecord(callerUid);
if (!userRecord.mTunnelQuotaTracker.isAvailable()) {
return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE);
}
@@ -1285,7 +1287,7 @@ public class IpSecService extends IIpSecService.Stub {
for (int selAddrFamily : ADDRESS_FAMILIES) {
// Always send down correct local/remote addresses for template.
netd.ipSecAddSecurityPolicy(
0, // Use 0 for reqId
callerUid,
selAddrFamily,
IpSecManager.DIRECTION_OUT,
localAddr,
@@ -1294,7 +1296,7 @@ public class IpSecService extends IIpSecService.Stub {
okey,
0xffffffff);
netd.ipSecAddSecurityPolicy(
0, // Use 0 for reqId
callerUid,
selAddrFamily,
IpSecManager.DIRECTION_IN,
remoteAddr,
@@ -1532,7 +1534,7 @@ public class IpSecService extends IIpSecService.Stub {
mSrvConfig
.getNetdInstance()
.ipSecAddSecurityAssociation(
resourceId,
Binder.getCallingUid(),
c.getMode(),
c.getSourceAddress(),
c.getDestinationAddress(),
@@ -1623,13 +1625,14 @@ public class IpSecService extends IIpSecService.Stub {
@Override
public synchronized void applyTransportModeTransform(
ParcelFileDescriptor socket, int direction, int resourceId) throws RemoteException {
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
int callingUid = Binder.getCallingUid();
UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid);
checkDirection(direction);
// Get transform record; if no transform is found, will throw IllegalArgumentException
TransformRecord info = userRecord.mTransformRecords.getResourceOrThrow(resourceId);
// TODO: make this a function.
if (info.pid != getCallingPid() || info.uid != getCallingUid()) {
if (info.pid != getCallingPid() || info.uid != callingUid) {
throw new SecurityException("Only the owner of an IpSec Transform may apply it!");
}
@@ -1643,7 +1646,7 @@ public class IpSecService extends IIpSecService.Stub {
.getNetdInstance()
.ipSecApplyTransportModeTransform(
socket.getFileDescriptor(),
resourceId,
callingUid,
direction,
c.getSourceAddress(),
c.getDestinationAddress(),
@@ -1675,7 +1678,8 @@ public class IpSecService extends IIpSecService.Stub {
enforceTunnelPermissions(callingPackage);
checkDirection(direction);
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
int callingUid = Binder.getCallingUid();
UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid);
// Get transform record; if no transform is found, will throw IllegalArgumentException
TransformRecord transformInfo =
@@ -1717,7 +1721,7 @@ public class IpSecService extends IIpSecService.Stub {
mSrvConfig
.getNetdInstance()
.ipSecUpdateSecurityPolicy(
0, // Use 0 for reqId
callingUid,
selAddrFamily,
direction,
tunnelInterfaceInfo.getLocalAddress(),