From c62368fd7ae1004acd60bc1de06118d8f5d879c9 Mon Sep 17 00:00:00 2001 From: Lorenzo Colitti Date: Mon, 22 Mar 2021 02:12:04 +0900 Subject: [PATCH] Fix privileged apps calling registerDefaultNetworkCallback. When registerDefaultNetworkCallback is called by an app that has NETWORK_SETTINGS, the UID of the app is forgotten and the request that is filed has an empty UID set. This results in that request matching networks that have UID ranges that do not include it, e.g., VPNs. Fix this by ensuring that the UID ranges are properly set. Bug: 165835257 Test: updated specific tests for this bug Change-Id: I90bf79573342c144d1cfbc2f61a3155fdd5b1fa7 --- .../core/java/com/android/server/ConnectivityService.java | 7 ++++++- .../java/com/android/server/ConnectivityServiceTest.java | 5 ++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java index 3923063096..6fcb3f74c7 100644 --- a/services/core/java/com/android/server/ConnectivityService.java +++ b/services/core/java/com/android/server/ConnectivityService.java @@ -6116,10 +6116,15 @@ public class ConnectivityService extends IConnectivityManager.Stub private NetworkCapabilities copyDefaultNetworkCapabilitiesForUid( @NonNull final NetworkCapabilities netCapToCopy, @NonNull final int requestorUid, @NonNull final String requestorPackageName) { + // These capabilities are for a TRACK_DEFAULT callback, so: + // 1. Remove NET_CAPABILITY_VPN, because it's (currently!) the only difference between + // mDefaultRequest and a per-UID default request. + // TODO: stop depending on the fact that these two unrelated things happen to be the same + // 2. Always set the UIDs to mAsUid. restrictRequestUidsForCallerAndSetRequestorInfo will + // not do this in the case of a privileged application. final NetworkCapabilities netCap = new NetworkCapabilities(netCapToCopy); netCap.removeCapability(NET_CAPABILITY_NOT_VPN); netCap.setSingleUid(requestorUid); - netCap.setUids(new ArraySet<>()); restrictRequestUidsForCallerAndSetRequestorInfo( netCap, requestorUid, requestorPackageName); return netCap; diff --git a/tests/net/java/com/android/server/ConnectivityServiceTest.java b/tests/net/java/com/android/server/ConnectivityServiceTest.java index 2ec8707000..ed9a44b614 100644 --- a/tests/net/java/com/android/server/ConnectivityServiceTest.java +++ b/tests/net/java/com/android/server/ConnectivityServiceTest.java @@ -7641,8 +7641,7 @@ public class ConnectivityServiceTest { assertUidRangesUpdatedForMyUid(true); defaultCallback.expectAvailableThenValidatedCallbacks(mMockVpn); vpnUidCallback.assertNoCallback(); // vpnUidCallback has NOT_VPN capability. - // TODO: this is a bug. The VPN does not apply to VPN_UID. - vpnUidDefaultCallback.expectAvailableThenValidatedCallbacks(mMockVpn); + vpnUidDefaultCallback.assertNoCallback(); // VPN does not apply to VPN_UID assertEquals(mMockVpn.getNetwork(), mCm.getActiveNetwork()); assertEquals(mWiFiNetworkAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID)); assertActiveNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED); @@ -7654,7 +7653,7 @@ public class ConnectivityServiceTest { defaultCallback.expectCallback(CallbackEntry.LOST, mMockVpn); defaultCallback.expectAvailableCallbacksUnvalidatedAndBlocked(mWiFiNetworkAgent); vpnUidCallback.assertNoCallback(); - vpnUidDefaultCallback.expectCallback(CallbackEntry.LOST, mMockVpn); // BUG! + vpnUidDefaultCallback.assertNoCallback(); assertNull(mCm.getActiveNetwork()); mCm.unregisterNetworkCallback(callback);