From c6fcedd7790fd703f3b49de5bd54abe50812c99d Mon Sep 17 00:00:00 2001
From: Benedict Wong
Date: Wed, 21 Nov 2018 21:24:55 -0800
Subject: [PATCH] Cleanup and update comments SA mark disabling comments

This commit cleans up and upates comments with regard to changes in aosp/721999, clarifying the restrictions and potential pitfalls we would see with regards to IPsec tunnel mode without updatable SAs.

Bug: 111854872
Test: Compiles, comment-only change
Change-Id: I07b0063987463c1a3cf42e112839a31739947c80
---
 services/core/java/com/android/server/IpSecService.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 71a7a2b5ab..7ee3d3b3bd 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1770,6 +1770,11 @@ public class IpSecService extends IIpSecService.Stub {
 // and SPs have matching marks (as VTI are meant to be built).
 // Currently update does nothing with marks. Leave empty (defaulting to 0) to ensure the
 // config matches the actual allocated resources in the kernel.
+ // All SAs will have zero marks (from creation time), and any policy that matches the
+ // same src/dst could match these SAs. Non-IpSecService governed processes that
+ // establish floating policies with the same src/dst may result in undefined
+ // behavior. This is generally limited to vendor code due to the permissions
+ // (CAP_NET_ADMIN) required.
 //
 // c.setMarkValue(mark);
 // c.setMarkMask(0xffffffff);
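Review bot: The paragraph added after the `config matches the actual allocated resources in the kernel.` line records a real hazard (zero-mark SAs can be selected by any same-src/dst policy, including ones installed by other CAP_NET_ADMIN holders) but leaves no pointer to the work that would close it, so the commented-out `c.setMarkValue(mark);` / `c.setMarkMask(0xffffffff);` lines beneath it read as dead code rather than a deliberate deferral. I would end the new paragraph with `// TODO: re-enable mark handling once SAs become updatable; tracked in Bug 111854872.` so the bug from the patch trailer travels with the code. The sentence `Non-IpSecService governed processes that establish floating policies with the same src/dst may result in undefined behavior` also has a subject/verb mismatch; `Floating policies with the same src/dst installed outside IpSecService can produce undefined behavior` reads more clearly. The enclosing method starts and ends outside the hunk.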