Fix the internet permission for native services
The native services should specify their permissions in platform.xml if they need internet permission, otherwise the eBPF program will block the socket creation request. Fixing the known services that are in group AID_INET but didn't specify their permission in the xml file. Bug: 132217906 Test: CtsJdwpTestCases dumpsys netd trafficcontroller Change-Id: I84cde7d3757953bc0bf761727d64a715bcdd68bb
This commit is contained in:
Chenbo Feng
@@ -199,15 +199,13 @@ public class PermissionMonitor {
|
|||||||
ArraySet<String> perms = systemPermission.valueAt(i);
|
ArraySet<String> perms = systemPermission.valueAt(i);
|
||||||
int uid = systemPermission.keyAt(i);
|
int uid = systemPermission.keyAt(i);
|
||||||
int netdPermission = 0;
|
int netdPermission = 0;
|
||||||
// Get the uids of native services that have UPDATE_DEVICE_STATS permission.
|
// Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.
|
||||||
if (perms != null) {
|
if (perms != null) {
|
||||||
netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
|
netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
|
||||||
? INetd.PERMISSION_UPDATE_DEVICE_STATS : 0;
|
? INetd.PERMISSION_UPDATE_DEVICE_STATS : 0;
|
||||||
|
netdPermission |= perms.contains(INTERNET)
|
||||||
|
? INetd.PERMISSION_INTERNET : 0;
|
||||||
}
|
}
|
||||||
// For internet permission, the native services have their own selinux domains and
|
|
||||||
// sepolicy will control the socket creation during run time. netd cannot block the
|
|
||||||
// socket creation based on the permission information here.
|
|
||||||
netdPermission |= INetd.PERMISSION_INTERNET;
|
|
||||||
netdPermsUids.put(uid, netdPermsUids.get(uid) | netdPermission);
|
netdPermsUids.put(uid, netdPermsUids.get(uid) | netdPermission);
|
||||||
}
|
}
|
||||||
log("Users: " + mUsers.size() + ", Apps: " + mApps.size());
|
log("Users: " + mUsers.size() + ", Apps: " + mApps.size());
|
||||||
|
|||||||
Reference in New Issue
Block a user