Merge "Add 3rd deny firewall chain for OEM" am: 1259ebcb59
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2117038 Change-Id: Iae98db11c017af25313e7a29de62c1341f887b7b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
@@ -135,6 +135,7 @@ enum UidOwnerMatchType {
LOCKDOWN_VPN_MATCH = (1 << 8),
OEM_DENY_1_MATCH = (1 << 9),
OEM_DENY_2_MATCH = (1 << 10),
OEM_DENY_3_MATCH = (1 << 11),
};
enum BpfPermissionMatch {
@@ -222,6 +222,9 @@ static inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid, int direc
if ((enabledRules & OEM_DENY_2_MATCH) && (uidRules & OEM_DENY_2_MATCH)) {
return BPF_DROP;
}
if ((enabledRules & OEM_DENY_3_MATCH) && (uidRules & OEM_DENY_3_MATCH)) {
return BPF_DROP;
}
}
if (direction == BPF_INGRESS && skb->ifindex != 1) {
if (uidRules & IIF_MATCH) {
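Review bot: The OEM_DENY_3 test added just before the closing brace repeats the OEM_DENY_2 test above it verbatim apart from the bit, so every new OEM chain grows bpf_owner_match by another three-line block. Because the tests are independent and any hit drops, they collapse to one line with identical semantics: `if (enabledRules & uidRules & (OEM_DENY_1_MATCH | OEM_DENY_2_MATCH | OEM_DENY_3_MATCH)) return BPF_DROP;` (the OEM_DENY_1 test is presumably the block immediately above the hunk). Fewer instructions is also a small kindness to the BPF verifier, though readability is the main gain. bpf_owner_match starts and ends outside the hunk.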
@@ -1006,6 +1006,13 @@ public class ConnectivityManager {
*/
public static final int FIREWALL_CHAIN_OEM_DENY_2 = 8;
/**
* Firewall chain used for OEM-specific application restrictions.
* Denylist of apps that will not have network access due to OEM-specific restrictions.
* @hide
*/
public static final int FIREWALL_CHAIN_OEM_DENY_3 = 9;
/** @hide */
@Retention(RetentionPolicy.SOURCE)
@IntDef(flag = false, prefix = "FIREWALL_CHAIN_", value = {
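Review bot: The javadoc on FIREWALL_CHAIN_OEM_DENY_3 appears to repeat the generic OEM text and gives an integrator no way to tell the three OEM chains apart or to know how they combine. One sentence after the denylist line would settle that, e.g. `* Independent of FIREWALL_CHAIN_OEM_DENY_1 and FIREWALL_CHAIN_OEM_DENY_2: a UID denied in any enabled OEM chain loses network access.`, which is what the per-chain drop checks in bpf_owner_match implement. The same sentence, or a cross-reference, would fit on the OEM_DENY_1 and OEM_DENY_2 constants above the hunk.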
@@ -1016,7 +1023,8 @@ public class ConnectivityManager {
FIREWALL_CHAIN_LOW_POWER_STANDBY,
FIREWALL_CHAIN_LOCKDOWN_VPN,
FIREWALL_CHAIN_OEM_DENY_1,
FIREWALL_CHAIN_OEM_DENY_2
FIREWALL_CHAIN_OEM_DENY_2,
FIREWALL_CHAIN_OEM_DENY_3
})
public @interface FirewallChain {}
// LINT.ThenChange(packages/modules/Connectivity/service/native/include/Common.h)
@@ -76,6 +76,7 @@ const char* TrafficController::LOCAL_RESTRICTED = "fw_restricted";
const char* TrafficController::LOCAL_LOW_POWER_STANDBY = "fw_low_power_standby";
const char* TrafficController::LOCAL_OEM_DENY_1 = "fw_oem_deny_1";
const char* TrafficController::LOCAL_OEM_DENY_2 = "fw_oem_deny_2";
const char* TrafficController::LOCAL_OEM_DENY_3 = "fw_oem_deny_3";
static_assert(BPF_PERMISSION_INTERNET == INetd::PERMISSION_INTERNET,
"Mismatch between BPF and AIDL permissions: PERMISSION_INTERNET");
@@ -103,6 +104,7 @@ const std::string uidMatchTypeToString(uint32_t match) {
FLAG_MSG_TRANS(matchType, LOCKDOWN_VPN_MATCH, match);
FLAG_MSG_TRANS(matchType, OEM_DENY_1_MATCH, match);
FLAG_MSG_TRANS(matchType, OEM_DENY_2_MATCH, match);
FLAG_MSG_TRANS(matchType, OEM_DENY_3_MATCH, match);
if (match) {
return StringPrintf("Unknown match: %u", match);
}
@@ -344,6 +346,8 @@ FirewallType TrafficController::getFirewallType(ChildChain chain) {
return DENYLIST;
case OEM_DENY_2:
return DENYLIST;
case OEM_DENY_3:
return DENYLIST;
case NONE:
default:
return DENYLIST;
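Review bot: The new `case OEM_DENY_3: return DENYLIST;` is the third consecutive case in getFirewallType with the same body, and the `case NONE: default:` arm already returns DENYLIST, so the OEM chains could share one label: `case OEM_DENY_1: case OEM_DENY_2: case OEM_DENY_3: return DENYLIST;` (the OEM_DENY_1 label is presumably just above the hunk). That keeps the explicit statement that these chains are denylists by construction without adding a pair of lines per chain. getFirewallType starts outside the hunk.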
@@ -378,6 +382,9 @@ int TrafficController::changeUidOwnerRule(ChildChain chain, uid_t uid, FirewallR
case OEM_DENY_2:
res = updateOwnerMapEntry(OEM_DENY_2_MATCH, uid, rule, type);
break;
case OEM_DENY_3:
res = updateOwnerMapEntry(OEM_DENY_3_MATCH, uid, rule, type);
break;
case NONE:
default:
ALOGW("Unknown child chain: %d", chain);
@@ -459,6 +466,8 @@ int TrafficController::replaceUidOwnerMap(const std::string& name, bool isAllowl
res = replaceRulesInMap(OEM_DENY_1_MATCH, uids);
} else if (!name.compare(LOCAL_OEM_DENY_2)) {
res = replaceRulesInMap(OEM_DENY_2_MATCH, uids);
} else if (!name.compare(LOCAL_OEM_DENY_3)) {
res = replaceRulesInMap(OEM_DENY_3_MATCH, uids);
} else {
ALOGE("unknown chain name: %s", name.c_str());
return -EINVAL;
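Review bot: The added `name.compare(LOCAL_OEM_DENY_3)` branch dispatches on the chain name alone and does not consult the isAllowlist parameter, so as far as the hunk shows a caller passing isAllowlist=true for fw_oem_deny_3 is silently treated as a denylist replace; if that flag is not validated elsewhere in replaceUidOwnerMap, rejecting a mismatch with -EINVAL in this branch would catch a mis-wired caller before the map is rewritten. On style, `} else if (name == LOCAL_OEM_DENY_3) {` states the same condition without the inverted-zero `!compare` idiom, though the new line does follow the existing branches. replaceUidOwnerMap starts and ends outside the hunk.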
@@ -504,6 +513,9 @@ int TrafficController::toggleUidOwnerMap(ChildChain chain, bool enable) {
case OEM_DENY_2:
match = OEM_DENY_2_MATCH;
break;
case OEM_DENY_3:
match = OEM_DENY_3_MATCH;
break;
default:
return -EINVAL;
}
@@ -392,6 +392,7 @@ TEST_F(TrafficControllerTest, TestChangeUidOwnerRule) {
checkUidOwnerRuleForChain(LOCKDOWN, LOCKDOWN_VPN_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_1, OEM_DENY_1_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_2, OEM_DENY_2_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_3, OEM_DENY_3_MATCH);
ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(NONE, TEST_UID, ALLOW, ALLOWLIST));
ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(INVALID_CHAIN, TEST_UID, ALLOW, ALLOWLIST));
}
@@ -405,6 +406,7 @@ TEST_F(TrafficControllerTest, TestReplaceUidOwnerMap) {
checkUidMapReplace("fw_low_power_standby", uids, LOW_POWER_STANDBY_MATCH);
checkUidMapReplace("fw_oem_deny_1", uids, OEM_DENY_1_MATCH);
checkUidMapReplace("fw_oem_deny_2", uids, OEM_DENY_2_MATCH);
checkUidMapReplace("fw_oem_deny_3", uids, OEM_DENY_3_MATCH);
ASSERT_EQ(-EINVAL, mTc.replaceUidOwnerMap("unknow", true, uids));
}
@@ -38,6 +38,7 @@ enum ChildChain {
LOCKDOWN = 6,
OEM_DENY_1 = 7,
OEM_DENY_2 = 8,
OEM_DENY_3 = 9,
INVALID_CHAIN
};
// LINT.ThenChange(packages/modules/Connectivity/framework/src/android/net/ConnectivityManager.java)
@@ -90,6 +90,7 @@ class TrafficController {
static const char* LOCAL_LOW_POWER_STANDBY;
static const char* LOCAL_OEM_DENY_1;
static const char* LOCAL_OEM_DENY_2;
static const char* LOCAL_OEM_DENY_3;
private:
/*
@@ -11361,6 +11361,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
case ConnectivityManager.FIREWALL_CHAIN_STANDBY:
case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1:
case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2:
case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3:
defaultRule = FIREWALL_RULE_ALLOW;
break;
case ConnectivityManager.FIREWALL_CHAIN_DOZABLE:
@@ -11416,6 +11417,9 @@ public class ConnectivityService extends IConnectivityManager.Stub
case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2:
mBpfNetMaps.replaceUidChain("fw_oem_deny_2", false /* isAllowList */, uids);
break;
case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3:
mBpfNetMaps.replaceUidChain("fw_oem_deny_3", false /* isAllowList */, uids);
break;
default:
throw new IllegalArgumentException("replaceFirewallChain with invalid chain: "
+ chain);
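Review bot: The chain name `"fw_oem_deny_3"` on the new replaceUidChain line is a bare string literal that must match `TrafficController::LOCAL_OEM_DENY_3` in native code byte for byte; a typo on either side is invisible to the compiler and only surfaces at runtime through the native `unknown chain name` / -EINVAL path, which would leave the OEM denylist uninstalled. A single source for the names, e.g. a `private static String firewallChainName(int chain)` helper in the service or constants on BpfNetMaps that the native side is asserted against in TrafficControllerTest, would make the mapping checkable, and would also replace the copies of the literal in the tests such as `doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_3, "fw_oem_deny_3", false)`. Whether the return value of replaceUidChain is checked by the caller is outside the hunk.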
@@ -39,6 +39,7 @@ import static android.net.ConnectivityManager.EXTRA_NETWORK;
import static android.net.ConnectivityManager.EXTRA_NETWORK_REQUEST;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3;
import static android.net.ConnectivityManager.FIREWALL_RULE_ALLOW;
import static android.net.ConnectivityManager.FIREWALL_RULE_DENY;
import static android.net.ConnectivityManager.PROFILE_NETWORK_PREFERENCE_ENTERPRISE;
@@ -3385,6 +3386,7 @@ public class ConnectivityManagerTest {
// doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_STANDBY);
doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_1);
doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_2);
doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_3);
}
private void assumeTestSApis() {
@@ -56,6 +56,7 @@ import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOCKDOWN_VPN;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_POWERSAVE;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_RESTRICTED;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_STANDBY;
@@ -9577,6 +9578,7 @@ public class ConnectivityServiceTest {
doTestSetUidFirewallRule(FIREWALL_CHAIN_LOW_POWER_STANDBY, FIREWALL_RULE_DENY);
doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_1, FIREWALL_RULE_ALLOW);
doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_2, FIREWALL_RULE_ALLOW);
doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_3, FIREWALL_RULE_ALLOW);
}
@Test @IgnoreUpTo(SC_V2)
@@ -9588,7 +9590,8 @@ public class ConnectivityServiceTest {
FIREWALL_CHAIN_RESTRICTED,
FIREWALL_CHAIN_LOW_POWER_STANDBY,
FIREWALL_CHAIN_OEM_DENY_1,
FIREWALL_CHAIN_OEM_DENY_2);
FIREWALL_CHAIN_OEM_DENY_2,
FIREWALL_CHAIN_OEM_DENY_3);
for (final int chain: firewallChains) {
mCm.setFirewallChainEnabled(chain, true /* enabled */);
verify(mBpfNetMaps).setChildChain(chain, true /* enable */);
@@ -9617,6 +9620,7 @@ public class ConnectivityServiceTest {
doTestReplaceFirewallChain(FIREWALL_CHAIN_LOW_POWER_STANDBY, "fw_low_power_standby", true);
doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_1, "fw_oem_deny_1", false);
doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_2, "fw_oem_deny_2", false);
doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_3, "fw_oem_deny_3", false);
}
@Test @IgnoreUpTo(SC_V2)