diff --git a/bpf_progs/bpf_shared.h b/bpf_progs/bpf_shared.h index 2afb789e6b..706dd1dbee 100644 --- a/bpf_progs/bpf_shared.h +++ b/bpf_progs/bpf_shared.h @@ -135,6 +135,7 @@ enum UidOwnerMatchType { LOCKDOWN_VPN_MATCH = (1 << 8), OEM_DENY_1_MATCH = (1 << 9), OEM_DENY_2_MATCH = (1 << 10), + OEM_DENY_3_MATCH = (1 << 11), }; enum BpfPermissionMatch { diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c index 9ae8ab2220..94d5ed8f9e 100644 --- a/bpf_progs/netd.c +++ b/bpf_progs/netd.c @@ -222,6 +222,9 @@ static inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid, int direc if ((enabledRules & OEM_DENY_2_MATCH) && (uidRules & OEM_DENY_2_MATCH)) { return BPF_DROP; } + if ((enabledRules & OEM_DENY_3_MATCH) && (uidRules & OEM_DENY_3_MATCH)) { + return BPF_DROP; + } } if (direction == BPF_INGRESS && skb->ifindex != 1) { if (uidRules & IIF_MATCH) { diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java index fdc7bf74df..5769b92642 100644 --- a/framework/src/android/net/ConnectivityManager.java +++ b/framework/src/android/net/ConnectivityManager.java @@ -1006,6 +1006,13 @@ public class ConnectivityManager { */ public static final int FIREWALL_CHAIN_OEM_DENY_2 = 8; + /** + * Firewall chain used for OEM-specific application restrictions. + * Denylist of apps that will not have network access due to OEM-specific restrictions. + * @hide + */ + public static final int FIREWALL_CHAIN_OEM_DENY_3 = 9; + /** @hide */ @Retention(RetentionPolicy.SOURCE) @IntDef(flag = false, prefix = "FIREWALL_CHAIN_", value = { @@ -1016,7 +1023,8 @@ public class ConnectivityManager { FIREWALL_CHAIN_LOW_POWER_STANDBY, FIREWALL_CHAIN_LOCKDOWN_VPN, FIREWALL_CHAIN_OEM_DENY_1, - FIREWALL_CHAIN_OEM_DENY_2 + FIREWALL_CHAIN_OEM_DENY_2, + FIREWALL_CHAIN_OEM_DENY_3 }) public @interface FirewallChain {} // LINT.ThenChange(packages/modules/Connectivity/service/native/include/Common.h) diff --git a/service/native/TrafficController.cpp b/service/native/TrafficController.cpp index 68fc9c87cd..d05e6fa21b 100644 --- a/service/native/TrafficController.cpp +++ b/service/native/TrafficController.cpp @@ -76,6 +76,7 @@ const char* TrafficController::LOCAL_RESTRICTED = "fw_restricted"; const char* TrafficController::LOCAL_LOW_POWER_STANDBY = "fw_low_power_standby"; const char* TrafficController::LOCAL_OEM_DENY_1 = "fw_oem_deny_1"; const char* TrafficController::LOCAL_OEM_DENY_2 = "fw_oem_deny_2"; +const char* TrafficController::LOCAL_OEM_DENY_3 = "fw_oem_deny_3"; static_assert(BPF_PERMISSION_INTERNET == INetd::PERMISSION_INTERNET, "Mismatch between BPF and AIDL permissions: PERMISSION_INTERNET"); @@ -103,6 +104,7 @@ const std::string uidMatchTypeToString(uint32_t match) { FLAG_MSG_TRANS(matchType, LOCKDOWN_VPN_MATCH, match); FLAG_MSG_TRANS(matchType, OEM_DENY_1_MATCH, match); FLAG_MSG_TRANS(matchType, OEM_DENY_2_MATCH, match); + FLAG_MSG_TRANS(matchType, OEM_DENY_3_MATCH, match); if (match) { return StringPrintf("Unknown match: %u", match); } @@ -344,6 +346,8 @@ FirewallType TrafficController::getFirewallType(ChildChain chain) { return DENYLIST; case OEM_DENY_2: return DENYLIST; + case OEM_DENY_3: + return DENYLIST; case NONE: default: return DENYLIST; @@ -378,6 +382,9 @@ int TrafficController::changeUidOwnerRule(ChildChain chain, uid_t uid, FirewallR case OEM_DENY_2: res = updateOwnerMapEntry(OEM_DENY_2_MATCH, uid, rule, type); break; + case OEM_DENY_3: + res = updateOwnerMapEntry(OEM_DENY_3_MATCH, uid, rule, type); + break; case NONE: default: ALOGW("Unknown child chain: %d", chain); @@ -459,6 +466,8 @@ int TrafficController::replaceUidOwnerMap(const std::string& name, bool isAllowl res = replaceRulesInMap(OEM_DENY_1_MATCH, uids); } else if (!name.compare(LOCAL_OEM_DENY_2)) { res = replaceRulesInMap(OEM_DENY_2_MATCH, uids); + } else if (!name.compare(LOCAL_OEM_DENY_3)) { + res = replaceRulesInMap(OEM_DENY_3_MATCH, uids); } else { ALOGE("unknown chain name: %s", name.c_str()); return -EINVAL; @@ -504,6 +513,9 @@ int TrafficController::toggleUidOwnerMap(ChildChain chain, bool enable) { case OEM_DENY_2: match = OEM_DENY_2_MATCH; break; + case OEM_DENY_3: + match = OEM_DENY_3_MATCH; + break; default: return -EINVAL; } diff --git a/service/native/TrafficControllerTest.cpp b/service/native/TrafficControllerTest.cpp index ff2ebad9f1..1aca633644 100644 --- a/service/native/TrafficControllerTest.cpp +++ b/service/native/TrafficControllerTest.cpp @@ -392,6 +392,7 @@ TEST_F(TrafficControllerTest, TestChangeUidOwnerRule) { checkUidOwnerRuleForChain(LOCKDOWN, LOCKDOWN_VPN_MATCH); checkUidOwnerRuleForChain(OEM_DENY_1, OEM_DENY_1_MATCH); checkUidOwnerRuleForChain(OEM_DENY_2, OEM_DENY_2_MATCH); + checkUidOwnerRuleForChain(OEM_DENY_3, OEM_DENY_3_MATCH); ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(NONE, TEST_UID, ALLOW, ALLOWLIST)); ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(INVALID_CHAIN, TEST_UID, ALLOW, ALLOWLIST)); } @@ -405,6 +406,7 @@ TEST_F(TrafficControllerTest, TestReplaceUidOwnerMap) { checkUidMapReplace("fw_low_power_standby", uids, LOW_POWER_STANDBY_MATCH); checkUidMapReplace("fw_oem_deny_1", uids, OEM_DENY_1_MATCH); checkUidMapReplace("fw_oem_deny_2", uids, OEM_DENY_2_MATCH); + checkUidMapReplace("fw_oem_deny_3", uids, OEM_DENY_3_MATCH); ASSERT_EQ(-EINVAL, mTc.replaceUidOwnerMap("unknow", true, uids)); } diff --git a/service/native/include/Common.h b/service/native/include/Common.h index 48f68ea2e5..2427aa906c 100644 --- a/service/native/include/Common.h +++ b/service/native/include/Common.h @@ -38,6 +38,7 @@ enum ChildChain { LOCKDOWN = 6, OEM_DENY_1 = 7, OEM_DENY_2 = 8, + OEM_DENY_3 = 9, INVALID_CHAIN }; // LINT.ThenChange(packages/modules/Connectivity/framework/src/android/net/ConnectivityManager.java) diff --git a/service/native/include/TrafficController.h b/service/native/include/TrafficController.h index 7a36e1e69d..c019ce78b0 100644 --- a/service/native/include/TrafficController.h +++ b/service/native/include/TrafficController.h @@ -90,6 +90,7 @@ class TrafficController { static const char* LOCAL_LOW_POWER_STANDBY; static const char* LOCAL_OEM_DENY_1; static const char* LOCAL_OEM_DENY_2; + static const char* LOCAL_OEM_DENY_3; private: /* diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java index 8d8442fd1a..848901fdec 100644 --- a/service/src/com/android/server/ConnectivityService.java +++ b/service/src/com/android/server/ConnectivityService.java @@ -11361,6 +11361,7 @@ public class ConnectivityService extends IConnectivityManager.Stub case ConnectivityManager.FIREWALL_CHAIN_STANDBY: case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1: case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2: + case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3: defaultRule = FIREWALL_RULE_ALLOW; break; case ConnectivityManager.FIREWALL_CHAIN_DOZABLE: @@ -11416,6 +11417,9 @@ public class ConnectivityService extends IConnectivityManager.Stub case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2: mBpfNetMaps.replaceUidChain("fw_oem_deny_2", false /* isAllowList */, uids); break; + case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3: + mBpfNetMaps.replaceUidChain("fw_oem_deny_3", false /* isAllowList */, uids); + break; default: throw new IllegalArgumentException("replaceFirewallChain with invalid chain: " + chain); diff --git a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java index d97ebcbc40..08cf0d7c6f 100644 --- a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java +++ b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java @@ -39,6 +39,7 @@ import static android.net.ConnectivityManager.EXTRA_NETWORK; import static android.net.ConnectivityManager.EXTRA_NETWORK_REQUEST; import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1; import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2; +import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3; import static android.net.ConnectivityManager.FIREWALL_RULE_ALLOW; import static android.net.ConnectivityManager.FIREWALL_RULE_DENY; import static android.net.ConnectivityManager.PROFILE_NETWORK_PREFERENCE_ENTERPRISE; @@ -3385,6 +3386,7 @@ public class ConnectivityManagerTest { // doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_STANDBY); doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_1); doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_2); + doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_3); } private void assumeTestSApis() { diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java index 0c5420d18e..e84df162e1 100644 --- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java +++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java @@ -56,6 +56,7 @@ import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOCKDOWN_VPN; import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY; import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1; import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2; +import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3; import static android.net.ConnectivityManager.FIREWALL_CHAIN_POWERSAVE; import static android.net.ConnectivityManager.FIREWALL_CHAIN_RESTRICTED; import static android.net.ConnectivityManager.FIREWALL_CHAIN_STANDBY; @@ -9577,6 +9578,7 @@ public class ConnectivityServiceTest { doTestSetUidFirewallRule(FIREWALL_CHAIN_LOW_POWER_STANDBY, FIREWALL_RULE_DENY); doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_1, FIREWALL_RULE_ALLOW); doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_2, FIREWALL_RULE_ALLOW); + doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_3, FIREWALL_RULE_ALLOW); } @Test @IgnoreUpTo(SC_V2) @@ -9588,7 +9590,8 @@ public class ConnectivityServiceTest { FIREWALL_CHAIN_RESTRICTED, FIREWALL_CHAIN_LOW_POWER_STANDBY, FIREWALL_CHAIN_OEM_DENY_1, - FIREWALL_CHAIN_OEM_DENY_2); + FIREWALL_CHAIN_OEM_DENY_2, + FIREWALL_CHAIN_OEM_DENY_3); for (final int chain: firewallChains) { mCm.setFirewallChainEnabled(chain, true /* enabled */); verify(mBpfNetMaps).setChildChain(chain, true /* enable */); @@ -9617,6 +9620,7 @@ public class ConnectivityServiceTest { doTestReplaceFirewallChain(FIREWALL_CHAIN_LOW_POWER_STANDBY, "fw_low_power_standby", true); doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_1, "fw_oem_deny_1", false); doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_2, "fw_oem_deny_2", false); + doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_3, "fw_oem_deny_3", false); } @Test @IgnoreUpTo(SC_V2)