From 99869f413ab762f902826c56ce51434dcfd8a0a7 Mon Sep 17 00:00:00 2001
From: Chenbo Feng
Date: Wed, 22 May 2019 15:28:49 -0700
Subject: [PATCH] Fix the internet permission for native services
The native services should specify their permissions in platform.xml if they need internet permission, otherwise the eBPF program will block the socket creation request. Fixing the known services that are in group AID_INET but didn't specify their permission in the xml file.
Bug: 132217906
Test: CtsJdwpTestCases dumpsys netd trafficcontroller
Change-Id: I84cde7d3757953bc0bf761727d64a715bcdd68bb
---
 .../android/server/connectivity/PermissionMonitor.java | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index d05369e9cf..fbe2589bea 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -199,15 +199,13 @@ public class PermissionMonitor {
 ArraySet perms = systemPermission.valueAt(i);
 int uid = systemPermission.keyAt(i);
 int netdPermission = 0;
- // Get the uids of native services that have UPDATE_DEVICE_STATS permission.
+ // Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.
 if (perms != null) {
 netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
 ? INetd.PERMISSION_UPDATE_DEVICE_STATS : 0;
+ netdPermission |= perms.contains(INTERNET)
+ ? INetd.PERMISSION_INTERNET : 0;
 }
- // For internet permission, the native services have their own selinux domains and
- // sepolicy will control the socket creation during run time. netd cannot block the
- // socket creation based on the permission information here.
- netdPermission |= INetd.PERMISSION_INTERNET;
 netdPermsUids.put(uid, netdPermsUids.get(uid) | netdPermission);
 }
 log("Users: " + mUsers.size() + ", Apps: " + mApps.size());
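Review bot: The comment above `if (perms != null)` no longer says what happens to a uid that lacks INTERNET, and the removed block was the only place that explained the old always-granted behaviour. Per the commit message, such a uid now has its socket creation blocked by the eBPF program, so the failure will surface far from this code. I would extend the comment to something like `// A uid with no INTERNET entry in platform.xml gets no PERMISSION_INTERNET bit and is denied socket creation.` The platform.xml entries for the AID_INET services named in the description are not part of this one-file patch, so confirm they land together with it. The enclosing method starts and ends outside the hunk.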