LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge "Require NETWORK_STACK Permission for IpSec Tunnel Mode" am: 43699e90f3 am: e736f83caf

Browse Source 
am: 34c6697356

Change-Id: Ib33ccecfe2fc600c05a208d24df10a474addb0e5
This commit is contained in:
nharold
2018-02-10 02:11:15 +00:00
committed by android-build-merger
parent 5a89c8e36e 34c6697356
commit c40b5fb671
3 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
core/java/android/net/IpSecManager.java
View File

@@ -19,6 +19,7 @@ import static com.android.internal.util.Preconditions.checkNotNull;
import android.annotation.IntDef; import android.annotation.IntDef;
import android.annotation.NonNull; import android.annotation.NonNull;
import android.annotation.RequiresPermission;
import android.annotation.SystemApi; import android.annotation.SystemApi;
import android.annotation.SystemService; import android.annotation.SystemService;
import android.annotation.TestApi; import android.annotation.TestApi;
@@ -761,6 +762,7 @@ public final class IpSecManager {
* @hide * @hide
*/ */
@SystemApi @SystemApi
@RequiresPermission(android.Manifest.permission.NETWORK_STACK)
public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress, public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress,
@NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork) @NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork)
throws ResourceUnavailableException, IOException { throws ResourceUnavailableException, IOException {
@@ -780,6 +782,7 @@ public final class IpSecManager {
* @hide * @hide
*/ */
@SystemApi @SystemApi
@RequiresPermission(android.Manifest.permission.NETWORK_STACK)
public void applyTunnelModeTransform(IpSecTunnelInterface tunnel, int direction, public void applyTunnelModeTransform(IpSecTunnelInterface tunnel, int direction,
IpSecTransform transform) throws IOException { IpSecTransform transform) throws IOException {
try { try {

10
core/java/android/net/IpSecTransform.java
View File

@@ -21,6 +21,7 @@ import static com.android.internal.util.Preconditions.checkNotNull;
import android.annotation.IntDef; import android.annotation.IntDef;
import android.annotation.NonNull; import android.annotation.NonNull;
import android.annotation.RequiresPermission;
import android.annotation.SystemApi; import android.annotation.SystemApi;
import android.content.Context; import android.content.Context;
import android.os.Binder; import android.os.Binder;
@@ -266,6 +267,10 @@ public final class IpSecTransform implements AutoCloseable {
* @hide * @hide
*/ */
@SystemApi @SystemApi
@RequiresPermission(anyOf = {
android.Manifest.permission.NETWORK_STACK,
android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
})
public void startNattKeepalive(@NonNull NattKeepaliveCallback userCallback, public void startNattKeepalive(@NonNull NattKeepaliveCallback userCallback,
int intervalSeconds, @NonNull Handler handler) throws IOException { int intervalSeconds, @NonNull Handler handler) throws IOException {
checkNotNull(userCallback); checkNotNull(userCallback);
@@ -305,6 +310,10 @@ public final class IpSecTransform implements AutoCloseable {
* @hide * @hide
*/ */
@SystemApi @SystemApi
@RequiresPermission(anyOf = {
android.Manifest.permission.NETWORK_STACK,
android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
})
public void stopNattKeepalive() { public void stopNattKeepalive() {
synchronized (mKeepaliveCallback) { synchronized (mKeepaliveCallback) {
if (mKeepalive == null) { if (mKeepalive == null) {
@@ -449,6 +458,7 @@ public final class IpSecTransform implements AutoCloseable {
* @hide * @hide
*/ */
@SystemApi @SystemApi
@RequiresPermission(android.Manifest.permission.NETWORK_STACK)
public IpSecTransform buildTunnelModeTransform( public IpSecTransform buildTunnelModeTransform(
@NonNull InetAddress sourceAddress, @NonNull InetAddress sourceAddress,
@NonNull IpSecManager.SecurityParameterIndex spi) @NonNull IpSecManager.SecurityParameterIndex spi)

8
services/core/java/com/android/server/IpSecService.java
View File

@@ -1438,7 +1438,9 @@ public class IpSecService extends IIpSecService.Stub {
switch (config.getMode()) { switch (config.getMode()) {
case IpSecTransform.MODE_TRANSPORT: case IpSecTransform.MODE_TRANSPORT:
break;
case IpSecTransform.MODE_TUNNEL: case IpSecTransform.MODE_TUNNEL:
enforceNetworkStackPermission();
break; break;
default: default:
throw new IllegalArgumentException( throw new IllegalArgumentException(
@@ -1446,6 +1448,11 @@ public class IpSecService extends IIpSecService.Stub {
} }
} }
private void enforceNetworkStackPermission() {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.NETWORK_STACK,
"IpSecService");
}
private void createOrUpdateTransform( private void createOrUpdateTransform(
IpSecConfig c, int resourceId, SpiRecord spiRecord, EncapSocketRecord socketRecord) IpSecConfig c, int resourceId, SpiRecord spiRecord, EncapSocketRecord socketRecord)
throws RemoteException { throws RemoteException {
@@ -1615,6 +1622,7 @@ public class IpSecService extends IIpSecService.Stub {
@Override @Override
public synchronized void applyTunnelModeTransform( public synchronized void applyTunnelModeTransform(
int tunnelResourceId, int direction, int transformResourceId) throws RemoteException { int tunnelResourceId, int direction, int transformResourceId) throws RemoteException {
enforceNetworkStackPermission();
checkDirection(direction); checkDirection(direction);
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());