Merge changes from topic "ipsec-sync-with-pi"
* changes: Disable the AppOp Restriction for IpSec Tunnels Rework Exception Handling for IpSecManager Update IpSecManager to use InetAddress and prefixLen Add AppOps Checks for MANAGE_IPSEC_TUNNELS Add MANAGE_IPSEC_TUNNELS Permission
This commit is contained in:
nharold
@@ -45,25 +45,31 @@ interface IIpSecService
|
|||||||
in String localAddr,
|
in String localAddr,
|
||||||
in String remoteAddr,
|
in String remoteAddr,
|
||||||
in Network underlyingNetwork,
|
in Network underlyingNetwork,
|
||||||
in IBinder binder);
|
in IBinder binder,
|
||||||
|
in String callingPackage);
|
||||||
|
|
||||||
void addAddressToTunnelInterface(
|
void addAddressToTunnelInterface(
|
||||||
int tunnelResourceId,
|
int tunnelResourceId,
|
||||||
in LinkAddress localAddr);
|
in LinkAddress localAddr,
|
||||||
|
in String callingPackage);
|
||||||
|
|
||||||
void removeAddressFromTunnelInterface(
|
void removeAddressFromTunnelInterface(
|
||||||
int tunnelResourceId,
|
int tunnelResourceId,
|
||||||
in LinkAddress localAddr);
|
in LinkAddress localAddr,
|
||||||
|
in String callingPackage);
|
||||||
|
|
||||||
void deleteTunnelInterface(int resourceId);
|
void deleteTunnelInterface(int resourceId, in String callingPackage);
|
||||||
|
|
||||||
IpSecTransformResponse createTransform(in IpSecConfig c, in IBinder binder);
|
IpSecTransformResponse createTransform(
|
||||||
|
in IpSecConfig c, in IBinder binder, in String callingPackage);
|
||||||
|
|
||||||
void deleteTransform(int transformId);
|
void deleteTransform(int transformId);
|
||||||
|
|
||||||
void applyTransportModeTransform(in ParcelFileDescriptor socket, int direction, int transformId);
|
void applyTransportModeTransform(
|
||||||
|
in ParcelFileDescriptor socket, int direction, int transformId);
|
||||||
|
|
||||||
void applyTunnelModeTransform(int tunnelResourceId, int direction, int transformResourceId);
|
void applyTunnelModeTransform(
|
||||||
|
int tunnelResourceId, int direction, int transformResourceId, in String callingPackage);
|
||||||
|
|
||||||
void removeTransportModeTransforms(in ParcelFileDescriptor socket);
|
void removeTransportModeTransforms(in ParcelFileDescriptor socket);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -27,6 +27,9 @@ import android.content.Context;
|
|||||||
import android.os.Binder;
|
import android.os.Binder;
|
||||||
import android.os.ParcelFileDescriptor;
|
import android.os.ParcelFileDescriptor;
|
||||||
import android.os.RemoteException;
|
import android.os.RemoteException;
|
||||||
|
import android.os.ServiceSpecificException;
|
||||||
|
import android.system.ErrnoException;
|
||||||
|
import android.system.OsConstants;
|
||||||
import android.util.AndroidException;
|
import android.util.AndroidException;
|
||||||
import android.util.Log;
|
import android.util.Log;
|
||||||
|
|
||||||
@@ -140,6 +143,7 @@ public final class IpSecManager {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private final Context mContext;
|
||||||
private final IIpSecService mService;
|
private final IIpSecService mService;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -172,11 +176,16 @@ public final class IpSecManager {
|
|||||||
public void close() {
|
public void close() {
|
||||||
try {
|
try {
|
||||||
mService.releaseSecurityParameterIndex(mResourceId);
|
mService.releaseSecurityParameterIndex(mResourceId);
|
||||||
mResourceId = INVALID_RESOURCE_ID;
|
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
|
} catch (Exception e) {
|
||||||
|
// On close we swallow all random exceptions since failure to close is not
|
||||||
|
// actionable by the user.
|
||||||
|
Log.e(TAG, "Failed to close " + this + ", Exception=" + e);
|
||||||
|
} finally {
|
||||||
|
mResourceId = INVALID_RESOURCE_ID;
|
||||||
|
mCloseGuard.close();
|
||||||
}
|
}
|
||||||
mCloseGuard.close();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Check that the SPI was closed properly. */
|
/** Check that the SPI was closed properly. */
|
||||||
@@ -227,7 +236,6 @@ public final class IpSecManager {
|
|||||||
throw new RuntimeException(
|
throw new RuntimeException(
|
||||||
"Invalid Resource ID returned by IpSecService: " + status);
|
"Invalid Resource ID returned by IpSecService: " + status);
|
||||||
}
|
}
|
||||||
|
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
}
|
}
|
||||||
@@ -239,6 +247,17 @@ public final class IpSecManager {
|
|||||||
public int getResourceId() {
|
public int getResourceId() {
|
||||||
return mResourceId;
|
return mResourceId;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return new StringBuilder()
|
||||||
|
.append("SecurityParameterIndex{spi=")
|
||||||
|
.append(mSpi)
|
||||||
|
.append(",resourceId=")
|
||||||
|
.append(mResourceId)
|
||||||
|
.append("}")
|
||||||
|
.toString();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -261,7 +280,11 @@ public final class IpSecManager {
|
|||||||
mService,
|
mService,
|
||||||
destinationAddress,
|
destinationAddress,
|
||||||
IpSecManager.INVALID_SECURITY_PARAMETER_INDEX);
|
IpSecManager.INVALID_SECURITY_PARAMETER_INDEX);
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowUncheckedExceptionFromServiceSpecificException(e);
|
||||||
} catch (SpiUnavailableException unlikely) {
|
} catch (SpiUnavailableException unlikely) {
|
||||||
|
// Because this function allocates a totally random SPI, it really shouldn't ever
|
||||||
|
// fail to allocate an SPI; we simply need this because the exception is checked.
|
||||||
throw new ResourceUnavailableException("No SPIs available");
|
throw new ResourceUnavailableException("No SPIs available");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -274,8 +297,8 @@ public final class IpSecManager {
|
|||||||
*
|
*
|
||||||
* @param destinationAddress the destination address for traffic bearing the requested SPI.
|
* @param destinationAddress the destination address for traffic bearing the requested SPI.
|
||||||
* For inbound traffic, the destination should be an address currently assigned on-device.
|
* For inbound traffic, the destination should be an address currently assigned on-device.
|
||||||
* @param requestedSpi the requested SPI, or '0' to allocate a random SPI. The range 1-255 is
|
* @param requestedSpi the requested SPI. The range 1-255 is reserved and may not be used. See
|
||||||
* reserved and may not be used. See RFC 4303 Section 2.1.
|
* RFC 4303 Section 2.1.
|
||||||
* @return the reserved SecurityParameterIndex
|
* @return the reserved SecurityParameterIndex
|
||||||
* @throws {@link #ResourceUnavailableException} indicating that too many SPIs are
|
* @throws {@link #ResourceUnavailableException} indicating that too many SPIs are
|
||||||
* currently allocated for this user
|
* currently allocated for this user
|
||||||
@@ -289,7 +312,11 @@ public final class IpSecManager {
|
|||||||
if (requestedSpi == IpSecManager.INVALID_SECURITY_PARAMETER_INDEX) {
|
if (requestedSpi == IpSecManager.INVALID_SECURITY_PARAMETER_INDEX) {
|
||||||
throw new IllegalArgumentException("Requested SPI must be a valid (non-zero) SPI");
|
throw new IllegalArgumentException("Requested SPI must be a valid (non-zero) SPI");
|
||||||
}
|
}
|
||||||
return new SecurityParameterIndex(mService, destinationAddress, requestedSpi);
|
try {
|
||||||
|
return new SecurityParameterIndex(mService, destinationAddress, requestedSpi);
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowUncheckedExceptionFromServiceSpecificException(e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -424,6 +451,8 @@ public final class IpSecManager {
|
|||||||
// constructor takes control and closes the user's FD when we exit the method.
|
// constructor takes control and closes the user's FD when we exit the method.
|
||||||
try (ParcelFileDescriptor pfd = ParcelFileDescriptor.dup(socket)) {
|
try (ParcelFileDescriptor pfd = ParcelFileDescriptor.dup(socket)) {
|
||||||
mService.applyTransportModeTransform(pfd, direction, transform.getResourceId());
|
mService.applyTransportModeTransform(pfd, direction, transform.getResourceId());
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowCheckedExceptionFromServiceSpecificException(e);
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
}
|
}
|
||||||
@@ -482,6 +511,8 @@ public final class IpSecManager {
|
|||||||
public void removeTransportModeTransforms(@NonNull FileDescriptor socket) throws IOException {
|
public void removeTransportModeTransforms(@NonNull FileDescriptor socket) throws IOException {
|
||||||
try (ParcelFileDescriptor pfd = ParcelFileDescriptor.dup(socket)) {
|
try (ParcelFileDescriptor pfd = ParcelFileDescriptor.dup(socket)) {
|
||||||
mService.removeTransportModeTransforms(pfd);
|
mService.removeTransportModeTransforms(pfd);
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowCheckedExceptionFromServiceSpecificException(e);
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
}
|
}
|
||||||
@@ -575,6 +606,13 @@ public final class IpSecManager {
|
|||||||
mResourceId = INVALID_RESOURCE_ID;
|
mResourceId = INVALID_RESOURCE_ID;
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
|
} catch (Exception e) {
|
||||||
|
// On close we swallow all random exceptions since failure to close is not
|
||||||
|
// actionable by the user.
|
||||||
|
Log.e(TAG, "Failed to close " + this + ", Exception=" + e);
|
||||||
|
} finally {
|
||||||
|
mResourceId = INVALID_RESOURCE_ID;
|
||||||
|
mCloseGuard.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
@@ -583,7 +621,6 @@ public final class IpSecManager {
|
|||||||
Log.e(TAG, "Failed to close UDP Encapsulation Socket with Port= " + mPort);
|
Log.e(TAG, "Failed to close UDP Encapsulation Socket with Port= " + mPort);
|
||||||
throw e;
|
throw e;
|
||||||
}
|
}
|
||||||
mCloseGuard.close();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Check that the socket was closed properly. */
|
/** Check that the socket was closed properly. */
|
||||||
@@ -600,6 +637,17 @@ public final class IpSecManager {
|
|||||||
public int getResourceId() {
|
public int getResourceId() {
|
||||||
return mResourceId;
|
return mResourceId;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return new StringBuilder()
|
||||||
|
.append("UdpEncapsulationSocket{port=")
|
||||||
|
.append(mPort)
|
||||||
|
.append(",resourceId=")
|
||||||
|
.append(mResourceId)
|
||||||
|
.append("}")
|
||||||
|
.toString();
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -627,7 +675,11 @@ public final class IpSecManager {
|
|||||||
if (port == 0) {
|
if (port == 0) {
|
||||||
throw new IllegalArgumentException("Specified port must be a valid port number!");
|
throw new IllegalArgumentException("Specified port must be a valid port number!");
|
||||||
}
|
}
|
||||||
return new UdpEncapsulationSocket(mService, port);
|
try {
|
||||||
|
return new UdpEncapsulationSocket(mService, port);
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowCheckedExceptionFromServiceSpecificException(e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -650,7 +702,11 @@ public final class IpSecManager {
|
|||||||
@NonNull
|
@NonNull
|
||||||
public UdpEncapsulationSocket openUdpEncapsulationSocket()
|
public UdpEncapsulationSocket openUdpEncapsulationSocket()
|
||||||
throws IOException, ResourceUnavailableException {
|
throws IOException, ResourceUnavailableException {
|
||||||
return new UdpEncapsulationSocket(mService, 0);
|
try {
|
||||||
|
return new UdpEncapsulationSocket(mService, 0);
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowCheckedExceptionFromServiceSpecificException(e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -667,6 +723,7 @@ public final class IpSecManager {
|
|||||||
*/
|
*/
|
||||||
@SystemApi
|
@SystemApi
|
||||||
public static final class IpSecTunnelInterface implements AutoCloseable {
|
public static final class IpSecTunnelInterface implements AutoCloseable {
|
||||||
|
private final String mOpPackageName;
|
||||||
private final IIpSecService mService;
|
private final IIpSecService mService;
|
||||||
private final InetAddress mRemoteAddress;
|
private final InetAddress mRemoteAddress;
|
||||||
private final InetAddress mLocalAddress;
|
private final InetAddress mLocalAddress;
|
||||||
@@ -688,12 +745,17 @@ public final class IpSecManager {
|
|||||||
* tunneled traffic.
|
* tunneled traffic.
|
||||||
*
|
*
|
||||||
* @param address the local address for traffic inside the tunnel
|
* @param address the local address for traffic inside the tunnel
|
||||||
|
* @param prefixLen length of the InetAddress prefix
|
||||||
* @hide
|
* @hide
|
||||||
*/
|
*/
|
||||||
@SystemApi
|
@SystemApi
|
||||||
public void addAddress(@NonNull LinkAddress address) throws IOException {
|
@RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
|
||||||
|
public void addAddress(@NonNull InetAddress address, int prefixLen) throws IOException {
|
||||||
try {
|
try {
|
||||||
mService.addAddressToTunnelInterface(mResourceId, address);
|
mService.addAddressToTunnelInterface(
|
||||||
|
mResourceId, new LinkAddress(address, prefixLen), mOpPackageName);
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowCheckedExceptionFromServiceSpecificException(e);
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
}
|
}
|
||||||
@@ -705,21 +767,27 @@ public final class IpSecManager {
|
|||||||
* <p>Remove an address which was previously added to the IpSecTunnelInterface
|
* <p>Remove an address which was previously added to the IpSecTunnelInterface
|
||||||
*
|
*
|
||||||
* @param address to be removed
|
* @param address to be removed
|
||||||
|
* @param prefixLen length of the InetAddress prefix
|
||||||
* @hide
|
* @hide
|
||||||
*/
|
*/
|
||||||
@SystemApi
|
@SystemApi
|
||||||
public void removeAddress(@NonNull LinkAddress address) throws IOException {
|
@RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
|
||||||
|
public void removeAddress(@NonNull InetAddress address, int prefixLen) throws IOException {
|
||||||
try {
|
try {
|
||||||
mService.removeAddressFromTunnelInterface(mResourceId, address);
|
mService.removeAddressFromTunnelInterface(
|
||||||
|
mResourceId, new LinkAddress(address, prefixLen), mOpPackageName);
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowCheckedExceptionFromServiceSpecificException(e);
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private IpSecTunnelInterface(@NonNull IIpSecService service,
|
private IpSecTunnelInterface(@NonNull Context ctx, @NonNull IIpSecService service,
|
||||||
@NonNull InetAddress localAddress, @NonNull InetAddress remoteAddress,
|
@NonNull InetAddress localAddress, @NonNull InetAddress remoteAddress,
|
||||||
@NonNull Network underlyingNetwork)
|
@NonNull Network underlyingNetwork)
|
||||||
throws ResourceUnavailableException, IOException {
|
throws ResourceUnavailableException, IOException {
|
||||||
|
mOpPackageName = ctx.getOpPackageName();
|
||||||
mService = service;
|
mService = service;
|
||||||
mLocalAddress = localAddress;
|
mLocalAddress = localAddress;
|
||||||
mRemoteAddress = remoteAddress;
|
mRemoteAddress = remoteAddress;
|
||||||
@@ -731,7 +799,8 @@ public final class IpSecManager {
|
|||||||
localAddress.getHostAddress(),
|
localAddress.getHostAddress(),
|
||||||
remoteAddress.getHostAddress(),
|
remoteAddress.getHostAddress(),
|
||||||
underlyingNetwork,
|
underlyingNetwork,
|
||||||
new Binder());
|
new Binder(),
|
||||||
|
mOpPackageName);
|
||||||
switch (result.status) {
|
switch (result.status) {
|
||||||
case Status.OK:
|
case Status.OK:
|
||||||
break;
|
break;
|
||||||
@@ -760,12 +829,17 @@ public final class IpSecManager {
|
|||||||
@Override
|
@Override
|
||||||
public void close() {
|
public void close() {
|
||||||
try {
|
try {
|
||||||
mService.deleteTunnelInterface(mResourceId);
|
mService.deleteTunnelInterface(mResourceId, mOpPackageName);
|
||||||
mResourceId = INVALID_RESOURCE_ID;
|
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
|
} catch (Exception e) {
|
||||||
|
// On close we swallow all random exceptions since failure to close is not
|
||||||
|
// actionable by the user.
|
||||||
|
Log.e(TAG, "Failed to close " + this + ", Exception=" + e);
|
||||||
|
} finally {
|
||||||
|
mResourceId = INVALID_RESOURCE_ID;
|
||||||
|
mCloseGuard.close();
|
||||||
}
|
}
|
||||||
mCloseGuard.close();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Check that the Interface was closed properly. */
|
/** Check that the Interface was closed properly. */
|
||||||
@@ -782,6 +856,17 @@ public final class IpSecManager {
|
|||||||
public int getResourceId() {
|
public int getResourceId() {
|
||||||
return mResourceId;
|
return mResourceId;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return new StringBuilder()
|
||||||
|
.append("IpSecTunnelInterface{ifname=")
|
||||||
|
.append(mInterfaceName)
|
||||||
|
.append(",resourceId=")
|
||||||
|
.append(mResourceId)
|
||||||
|
.append("}")
|
||||||
|
.toString();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -801,11 +886,16 @@ public final class IpSecManager {
|
|||||||
*/
|
*/
|
||||||
@SystemApi
|
@SystemApi
|
||||||
@NonNull
|
@NonNull
|
||||||
@RequiresPermission(android.Manifest.permission.NETWORK_STACK)
|
@RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
|
||||||
public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress,
|
public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress,
|
||||||
@NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork)
|
@NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork)
|
||||||
throws ResourceUnavailableException, IOException {
|
throws ResourceUnavailableException, IOException {
|
||||||
return new IpSecTunnelInterface(mService, localAddress, remoteAddress, underlyingNetwork);
|
try {
|
||||||
|
return new IpSecTunnelInterface(
|
||||||
|
mContext, mService, localAddress, remoteAddress, underlyingNetwork);
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowCheckedExceptionFromServiceSpecificException(e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -826,12 +916,15 @@ public final class IpSecManager {
|
|||||||
* @hide
|
* @hide
|
||||||
*/
|
*/
|
||||||
@SystemApi
|
@SystemApi
|
||||||
@RequiresPermission(android.Manifest.permission.NETWORK_STACK)
|
@RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
|
||||||
public void applyTunnelModeTransform(@NonNull IpSecTunnelInterface tunnel,
|
public void applyTunnelModeTransform(@NonNull IpSecTunnelInterface tunnel,
|
||||||
@PolicyDirection int direction, @NonNull IpSecTransform transform) throws IOException {
|
@PolicyDirection int direction, @NonNull IpSecTransform transform) throws IOException {
|
||||||
try {
|
try {
|
||||||
mService.applyTunnelModeTransform(
|
mService.applyTunnelModeTransform(
|
||||||
tunnel.getResourceId(), direction, transform.getResourceId());
|
tunnel.getResourceId(), direction,
|
||||||
|
transform.getResourceId(), mContext.getOpPackageName());
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw rethrowCheckedExceptionFromServiceSpecificException(e);
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
}
|
}
|
||||||
@@ -843,7 +936,48 @@ public final class IpSecManager {
|
|||||||
* @param context the application context for this manager
|
* @param context the application context for this manager
|
||||||
* @hide
|
* @hide
|
||||||
*/
|
*/
|
||||||
public IpSecManager(IIpSecService service) {
|
public IpSecManager(Context ctx, IIpSecService service) {
|
||||||
|
mContext = ctx;
|
||||||
mService = checkNotNull(service, "missing service");
|
mService = checkNotNull(service, "missing service");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static void maybeHandleServiceSpecificException(ServiceSpecificException sse) {
|
||||||
|
// OsConstants are late binding, so switch statements can't be used.
|
||||||
|
if (sse.errorCode == OsConstants.EINVAL) {
|
||||||
|
throw new IllegalArgumentException(sse);
|
||||||
|
} else if (sse.errorCode == OsConstants.EAGAIN) {
|
||||||
|
throw new IllegalStateException(sse);
|
||||||
|
} else if (sse.errorCode == OsConstants.EOPNOTSUPP) {
|
||||||
|
throw new UnsupportedOperationException(sse);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convert an Errno SSE to the correct Unchecked exception type.
|
||||||
|
*
|
||||||
|
* This method never actually returns.
|
||||||
|
*/
|
||||||
|
// package
|
||||||
|
static RuntimeException
|
||||||
|
rethrowUncheckedExceptionFromServiceSpecificException(ServiceSpecificException sse) {
|
||||||
|
maybeHandleServiceSpecificException(sse);
|
||||||
|
throw new RuntimeException(sse);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convert an Errno SSE to the correct Checked or Unchecked exception type.
|
||||||
|
*
|
||||||
|
* This method may throw IOException, or it may throw an unchecked exception; it will never
|
||||||
|
* actually return.
|
||||||
|
*/
|
||||||
|
// package
|
||||||
|
static IOException rethrowCheckedExceptionFromServiceSpecificException(
|
||||||
|
ServiceSpecificException sse) throws IOException {
|
||||||
|
// First see if this is an unchecked exception of a type we know.
|
||||||
|
// If so, then we prefer the unchecked (specific) type of exception.
|
||||||
|
maybeHandleServiceSpecificException(sse);
|
||||||
|
// If not, then all we can do is provide the SSE in the form of an IOException.
|
||||||
|
throw new ErrnoException(
|
||||||
|
"IpSec encountered errno=" + sse.errorCode, sse.errorCode).rethrowAsIOException();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -29,6 +29,7 @@ import android.os.Handler;
|
|||||||
import android.os.IBinder;
|
import android.os.IBinder;
|
||||||
import android.os.RemoteException;
|
import android.os.RemoteException;
|
||||||
import android.os.ServiceManager;
|
import android.os.ServiceManager;
|
||||||
|
import android.os.ServiceSpecificException;
|
||||||
import android.util.Log;
|
import android.util.Log;
|
||||||
|
|
||||||
import com.android.internal.annotations.VisibleForTesting;
|
import com.android.internal.annotations.VisibleForTesting;
|
||||||
@@ -130,12 +131,15 @@ public final class IpSecTransform implements AutoCloseable {
|
|||||||
synchronized (this) {
|
synchronized (this) {
|
||||||
try {
|
try {
|
||||||
IIpSecService svc = getIpSecService();
|
IIpSecService svc = getIpSecService();
|
||||||
IpSecTransformResponse result = svc.createTransform(mConfig, new Binder());
|
IpSecTransformResponse result = svc.createTransform(
|
||||||
|
mConfig, new Binder(), mContext.getOpPackageName());
|
||||||
int status = result.status;
|
int status = result.status;
|
||||||
checkResultStatus(status);
|
checkResultStatus(status);
|
||||||
mResourceId = result.resourceId;
|
mResourceId = result.resourceId;
|
||||||
Log.d(TAG, "Added Transform with Id " + mResourceId);
|
Log.d(TAG, "Added Transform with Id " + mResourceId);
|
||||||
mCloseGuard.open("build");
|
mCloseGuard.open("build");
|
||||||
|
} catch (ServiceSpecificException e) {
|
||||||
|
throw IpSecManager.rethrowUncheckedExceptionFromServiceSpecificException(e);
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowAsRuntimeException();
|
throw e.rethrowAsRuntimeException();
|
||||||
}
|
}
|
||||||
@@ -180,6 +184,10 @@ public final class IpSecTransform implements AutoCloseable {
|
|||||||
stopNattKeepalive();
|
stopNattKeepalive();
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowAsRuntimeException();
|
throw e.rethrowAsRuntimeException();
|
||||||
|
} catch (Exception e) {
|
||||||
|
// On close we swallow all random exceptions since failure to close is not
|
||||||
|
// actionable by the user.
|
||||||
|
Log.e(TAG, "Failed to close " + this + ", Exception=" + e);
|
||||||
} finally {
|
} finally {
|
||||||
mResourceId = INVALID_RESOURCE_ID;
|
mResourceId = INVALID_RESOURCE_ID;
|
||||||
mCloseGuard.close();
|
mCloseGuard.close();
|
||||||
@@ -282,7 +290,7 @@ public final class IpSecTransform implements AutoCloseable {
|
|||||||
*/
|
*/
|
||||||
@SystemApi
|
@SystemApi
|
||||||
@RequiresPermission(anyOf = {
|
@RequiresPermission(anyOf = {
|
||||||
android.Manifest.permission.NETWORK_STACK,
|
android.Manifest.permission.MANAGE_IPSEC_TUNNELS,
|
||||||
android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
|
android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
|
||||||
})
|
})
|
||||||
public void startNattKeepalive(@NonNull NattKeepaliveCallback userCallback,
|
public void startNattKeepalive(@NonNull NattKeepaliveCallback userCallback,
|
||||||
@@ -325,7 +333,7 @@ public final class IpSecTransform implements AutoCloseable {
|
|||||||
*/
|
*/
|
||||||
@SystemApi
|
@SystemApi
|
||||||
@RequiresPermission(anyOf = {
|
@RequiresPermission(anyOf = {
|
||||||
android.Manifest.permission.NETWORK_STACK,
|
android.Manifest.permission.MANAGE_IPSEC_TUNNELS,
|
||||||
android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
|
android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
|
||||||
})
|
})
|
||||||
public void stopNattKeepalive() {
|
public void stopNattKeepalive() {
|
||||||
@@ -478,7 +486,7 @@ public final class IpSecTransform implements AutoCloseable {
|
|||||||
*/
|
*/
|
||||||
@SystemApi
|
@SystemApi
|
||||||
@NonNull
|
@NonNull
|
||||||
@RequiresPermission(android.Manifest.permission.NETWORK_STACK)
|
@RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
|
||||||
public IpSecTransform buildTunnelModeTransform(
|
public IpSecTransform buildTunnelModeTransform(
|
||||||
@NonNull InetAddress sourceAddress,
|
@NonNull InetAddress sourceAddress,
|
||||||
@NonNull IpSecManager.SecurityParameterIndex spi)
|
@NonNull IpSecManager.SecurityParameterIndex spi)
|
||||||
@@ -506,4 +514,13 @@ public final class IpSecTransform implements AutoCloseable {
|
|||||||
mConfig = new IpSecConfig();
|
mConfig = new IpSecConfig();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return new StringBuilder()
|
||||||
|
.append("IpSecTransform{resourceId=")
|
||||||
|
.append(mResourceId)
|
||||||
|
.append("}")
|
||||||
|
.toString();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -24,6 +24,8 @@ import static android.system.OsConstants.IPPROTO_UDP;
|
|||||||
import static android.system.OsConstants.SOCK_DGRAM;
|
import static android.system.OsConstants.SOCK_DGRAM;
|
||||||
import static com.android.internal.util.Preconditions.checkNotNull;
|
import static com.android.internal.util.Preconditions.checkNotNull;
|
||||||
|
|
||||||
|
import android.annotation.NonNull;
|
||||||
|
import android.app.AppOpsManager;
|
||||||
import android.content.Context;
|
import android.content.Context;
|
||||||
import android.net.ConnectivityManager;
|
import android.net.ConnectivityManager;
|
||||||
import android.net.IIpSecService;
|
import android.net.IIpSecService;
|
||||||
@@ -42,6 +44,7 @@ import android.net.NetworkUtils;
|
|||||||
import android.net.TrafficStats;
|
import android.net.TrafficStats;
|
||||||
import android.net.util.NetdService;
|
import android.net.util.NetdService;
|
||||||
import android.os.Binder;
|
import android.os.Binder;
|
||||||
|
import android.os.DeadSystemException;
|
||||||
import android.os.IBinder;
|
import android.os.IBinder;
|
||||||
import android.os.ParcelFileDescriptor;
|
import android.os.ParcelFileDescriptor;
|
||||||
import android.os.RemoteException;
|
import android.os.RemoteException;
|
||||||
@@ -973,6 +976,13 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
return service;
|
return service;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@NonNull
|
||||||
|
private AppOpsManager getAppOpsManager() {
|
||||||
|
AppOpsManager appOps = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
|
||||||
|
if(appOps == null) throw new RuntimeException("System Server couldn't get AppOps");
|
||||||
|
return appOps;
|
||||||
|
}
|
||||||
|
|
||||||
/** @hide */
|
/** @hide */
|
||||||
@VisibleForTesting
|
@VisibleForTesting
|
||||||
public IpSecService(Context context, IpSecServiceConfiguration config) {
|
public IpSecService(Context context, IpSecServiceConfiguration config) {
|
||||||
@@ -1090,9 +1100,11 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
new RefcountedResource<SpiRecord>(
|
new RefcountedResource<SpiRecord>(
|
||||||
new SpiRecord(resourceId, "", destinationAddress, spi), binder));
|
new SpiRecord(resourceId, "", destinationAddress, spi), binder));
|
||||||
} catch (ServiceSpecificException e) {
|
} catch (ServiceSpecificException e) {
|
||||||
// TODO: Add appropriate checks when other ServiceSpecificException types are supported
|
if (e.errorCode == OsConstants.ENOENT) {
|
||||||
return new IpSecSpiResponse(
|
return new IpSecSpiResponse(
|
||||||
IpSecManager.Status.SPI_UNAVAILABLE, INVALID_RESOURCE_ID, spi);
|
IpSecManager.Status.SPI_UNAVAILABLE, INVALID_RESOURCE_ID, spi);
|
||||||
|
}
|
||||||
|
throw e;
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
}
|
}
|
||||||
@@ -1104,7 +1116,6 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
*/
|
*/
|
||||||
private void releaseResource(RefcountedResourceArray resArray, int resourceId)
|
private void releaseResource(RefcountedResourceArray resArray, int resourceId)
|
||||||
throws RemoteException {
|
throws RemoteException {
|
||||||
|
|
||||||
resArray.getRefcountedResourceOrThrow(resourceId).userRelease();
|
resArray.getRefcountedResourceOrThrow(resourceId).userRelease();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1239,7 +1250,9 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized IpSecTunnelInterfaceResponse createTunnelInterface(
|
public synchronized IpSecTunnelInterfaceResponse createTunnelInterface(
|
||||||
String localAddr, String remoteAddr, Network underlyingNetwork, IBinder binder) {
|
String localAddr, String remoteAddr, Network underlyingNetwork, IBinder binder,
|
||||||
|
String callingPackage) {
|
||||||
|
enforceTunnelPermissions(callingPackage);
|
||||||
checkNotNull(binder, "Null Binder passed to createTunnelInterface");
|
checkNotNull(binder, "Null Binder passed to createTunnelInterface");
|
||||||
checkNotNull(underlyingNetwork, "No underlying network was specified");
|
checkNotNull(underlyingNetwork, "No underlying network was specified");
|
||||||
checkInetAddress(localAddr);
|
checkInetAddress(localAddr);
|
||||||
@@ -1302,15 +1315,12 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
releaseNetId(ikey);
|
releaseNetId(ikey);
|
||||||
releaseNetId(okey);
|
releaseNetId(okey);
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
} catch (ServiceSpecificException e) {
|
} catch (Throwable t) {
|
||||||
// FIXME: get the error code and throw is at an IOException from Errno Exception
|
// Release keys if we got an error.
|
||||||
|
releaseNetId(ikey);
|
||||||
|
releaseNetId(okey);
|
||||||
|
throw t;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we make it to here, then something has gone wrong and we couldn't create a VTI.
|
|
||||||
// Release the keys that we reserved, and return an error status.
|
|
||||||
releaseNetId(ikey);
|
|
||||||
releaseNetId(okey);
|
|
||||||
return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -1319,8 +1329,8 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized void addAddressToTunnelInterface(
|
public synchronized void addAddressToTunnelInterface(
|
||||||
int tunnelResourceId, LinkAddress localAddr) {
|
int tunnelResourceId, LinkAddress localAddr, String callingPackage) {
|
||||||
enforceNetworkStackPermission();
|
enforceTunnelPermissions(callingPackage);
|
||||||
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
|
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
|
||||||
|
|
||||||
// Get tunnelInterface record; if no such interface is found, will throw
|
// Get tunnelInterface record; if no such interface is found, will throw
|
||||||
@@ -1339,9 +1349,6 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
localAddr.getPrefixLength());
|
localAddr.getPrefixLength());
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
} catch (ServiceSpecificException e) {
|
|
||||||
// If we get here, one of the arguments provided was invalid. Wrap the SSE, and throw.
|
|
||||||
throw new IllegalArgumentException(e);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1351,10 +1358,10 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized void removeAddressFromTunnelInterface(
|
public synchronized void removeAddressFromTunnelInterface(
|
||||||
int tunnelResourceId, LinkAddress localAddr) {
|
int tunnelResourceId, LinkAddress localAddr, String callingPackage) {
|
||||||
enforceNetworkStackPermission();
|
enforceTunnelPermissions(callingPackage);
|
||||||
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
|
|
||||||
|
|
||||||
|
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
|
||||||
// Get tunnelInterface record; if no such interface is found, will throw
|
// Get tunnelInterface record; if no such interface is found, will throw
|
||||||
// IllegalArgumentException
|
// IllegalArgumentException
|
||||||
TunnelInterfaceRecord tunnelInterfaceInfo =
|
TunnelInterfaceRecord tunnelInterfaceInfo =
|
||||||
@@ -1371,9 +1378,6 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
localAddr.getPrefixLength());
|
localAddr.getPrefixLength());
|
||||||
} catch (RemoteException e) {
|
} catch (RemoteException e) {
|
||||||
throw e.rethrowFromSystemServer();
|
throw e.rethrowFromSystemServer();
|
||||||
} catch (ServiceSpecificException e) {
|
|
||||||
// If we get here, one of the arguments provided was invalid. Wrap the SSE, and throw.
|
|
||||||
throw new IllegalArgumentException(e);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1382,7 +1386,9 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
* server
|
* server
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized void deleteTunnelInterface(int resourceId) throws RemoteException {
|
public synchronized void deleteTunnelInterface(
|
||||||
|
int resourceId, String callingPackage) throws RemoteException {
|
||||||
|
enforceTunnelPermissions(callingPackage);
|
||||||
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
|
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
|
||||||
releaseResource(userRecord.mTunnelInterfaceRecords, resourceId);
|
releaseResource(userRecord.mTunnelInterfaceRecords, resourceId);
|
||||||
}
|
}
|
||||||
@@ -1468,7 +1474,6 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
case IpSecTransform.MODE_TRANSPORT:
|
case IpSecTransform.MODE_TRANSPORT:
|
||||||
break;
|
break;
|
||||||
case IpSecTransform.MODE_TUNNEL:
|
case IpSecTransform.MODE_TUNNEL:
|
||||||
enforceNetworkStackPermission();
|
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
throw new IllegalArgumentException(
|
throw new IllegalArgumentException(
|
||||||
@@ -1476,9 +1481,24 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void enforceNetworkStackPermission() {
|
private static final String TUNNEL_OP = "STOPSHIP"; // = AppOpsManager.OP_MANAGE_IPSEC_TUNNELS;
|
||||||
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.NETWORK_STACK,
|
|
||||||
"IpSecService");
|
private void enforceTunnelPermissions(String callingPackage) {
|
||||||
|
checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels");
|
||||||
|
if (false) { // STOPSHIP if this line is present
|
||||||
|
switch (getAppOpsManager().noteOp(
|
||||||
|
TUNNEL_OP,
|
||||||
|
Binder.getCallingUid(), callingPackage)) {
|
||||||
|
case AppOpsManager.MODE_DEFAULT:
|
||||||
|
mContext.enforceCallingOrSelfPermission(
|
||||||
|
android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
|
||||||
|
break;
|
||||||
|
case AppOpsManager.MODE_ALLOWED:
|
||||||
|
return;
|
||||||
|
default:
|
||||||
|
throw new SecurityException("Request to ignore AppOps for non-legacy API");
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void createOrUpdateTransform(
|
private void createOrUpdateTransform(
|
||||||
@@ -1534,8 +1554,12 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
* result in all of those sockets becoming unable to send or receive data.
|
* result in all of those sockets becoming unable to send or receive data.
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized IpSecTransformResponse createTransform(IpSecConfig c, IBinder binder)
|
public synchronized IpSecTransformResponse createTransform(
|
||||||
throws RemoteException {
|
IpSecConfig c, IBinder binder, String callingPackage) throws RemoteException {
|
||||||
|
checkNotNull(c);
|
||||||
|
if (c.getMode() == IpSecTransform.MODE_TUNNEL) {
|
||||||
|
enforceTunnelPermissions(callingPackage);
|
||||||
|
}
|
||||||
checkIpSecConfig(c);
|
checkIpSecConfig(c);
|
||||||
checkNotNull(binder, "Null Binder passed to createTransform");
|
checkNotNull(binder, "Null Binder passed to createTransform");
|
||||||
final int resourceId = mNextResourceId++;
|
final int resourceId = mNextResourceId++;
|
||||||
@@ -1561,12 +1585,7 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
dependencies.add(refcountedSpiRecord);
|
dependencies.add(refcountedSpiRecord);
|
||||||
SpiRecord spiRecord = refcountedSpiRecord.getResource();
|
SpiRecord spiRecord = refcountedSpiRecord.getResource();
|
||||||
|
|
||||||
try {
|
createOrUpdateTransform(c, resourceId, spiRecord, socketRecord);
|
||||||
createOrUpdateTransform(c, resourceId, spiRecord, socketRecord);
|
|
||||||
} catch (ServiceSpecificException e) {
|
|
||||||
// FIXME: get the error code and throw is at an IOException from Errno Exception
|
|
||||||
return new IpSecTransformResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE);
|
|
||||||
}
|
|
||||||
|
|
||||||
// SA was created successfully, time to construct a record and lock it away
|
// SA was created successfully, time to construct a record and lock it away
|
||||||
userRecord.mTransformRecords.put(
|
userRecord.mTransformRecords.put(
|
||||||
@@ -1613,23 +1632,15 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
c.getMode() == IpSecTransform.MODE_TRANSPORT,
|
c.getMode() == IpSecTransform.MODE_TRANSPORT,
|
||||||
"Transform mode was not Transport mode; cannot be applied to a socket");
|
"Transform mode was not Transport mode; cannot be applied to a socket");
|
||||||
|
|
||||||
try {
|
mSrvConfig
|
||||||
mSrvConfig
|
.getNetdInstance()
|
||||||
.getNetdInstance()
|
.ipSecApplyTransportModeTransform(
|
||||||
.ipSecApplyTransportModeTransform(
|
socket.getFileDescriptor(),
|
||||||
socket.getFileDescriptor(),
|
resourceId,
|
||||||
resourceId,
|
direction,
|
||||||
direction,
|
c.getSourceAddress(),
|
||||||
c.getSourceAddress(),
|
c.getDestinationAddress(),
|
||||||
c.getDestinationAddress(),
|
info.getSpiRecord().getSpi());
|
||||||
info.getSpiRecord().getSpi());
|
|
||||||
} catch (ServiceSpecificException e) {
|
|
||||||
if (e.errorCode == EINVAL) {
|
|
||||||
throw new IllegalArgumentException(e.toString());
|
|
||||||
} else {
|
|
||||||
throw e;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -1641,13 +1652,9 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
@Override
|
@Override
|
||||||
public synchronized void removeTransportModeTransforms(ParcelFileDescriptor socket)
|
public synchronized void removeTransportModeTransforms(ParcelFileDescriptor socket)
|
||||||
throws RemoteException {
|
throws RemoteException {
|
||||||
try {
|
mSrvConfig
|
||||||
mSrvConfig
|
.getNetdInstance()
|
||||||
.getNetdInstance()
|
.ipSecRemoveTransportModeTransform(socket.getFileDescriptor());
|
||||||
.ipSecRemoveTransportModeTransform(socket.getFileDescriptor());
|
|
||||||
} catch (ServiceSpecificException e) {
|
|
||||||
// FIXME: get the error code and throw is at an IOException from Errno Exception
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -1656,8 +1663,9 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized void applyTunnelModeTransform(
|
public synchronized void applyTunnelModeTransform(
|
||||||
int tunnelResourceId, int direction, int transformResourceId) throws RemoteException {
|
int tunnelResourceId, int direction,
|
||||||
enforceNetworkStackPermission();
|
int transformResourceId, String callingPackage) throws RemoteException {
|
||||||
|
enforceTunnelPermissions(callingPackage);
|
||||||
checkDirection(direction);
|
checkDirection(direction);
|
||||||
|
|
||||||
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
|
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
|
||||||
|
|||||||
Reference in New Issue
Block a user