Close sockets from ConnectivityService#setFirewallChainEnabled

And replace netd.socketDestroy by Java implementation Bug: 270298713 Test: atest FrameworksNetTests CtsNetTestCases Change-Id: I0e200247ca010f9649254eeaac02740bd2bfdb21
2023-03-28 18:08:12 +09:00
parent 3ff765537e
commit d44a33adb9
4 changed files with 173 additions and 1 deletions
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -1501,6 +1501,16 @@ public class ConnectivityService extends IConnectivityManager.Stub
                throws SocketException, InterruptedIOException, ErrnoException {
            InetDiagMessage.destroyLiveTcpSockets(ranges, exemptUids);
        }
+
+        /**
+         * Call {@link InetDiagMessage#destroyLiveTcpSocketsByOwnerUids(Set)}
+         *
+         * @param ownerUids target uids to close sockets
+         */
+        public void destroyLiveTcpSocketsByOwnerUids(final Set<Integer> ownerUids)
+                throws SocketException, InterruptedIOException, ErrnoException {
+            InetDiagMessage.destroyLiveTcpSocketsByOwnerUids(ownerUids);
+        }
    }

    public ConnectivityService(Context context) {
@@ -11931,6 +11941,23 @@ public class ConnectivityService extends IConnectivityManager.Stub
        return rule;
    }

+    private void closeSocketsForFirewallChainLocked(final int chain)
+            throws ErrnoException, SocketException, InterruptedIOException {
+        if (mBpfNetMaps.isFirewallAllowList(chain)) {
+            // Allowlist means the firewall denies all by default, uids must be explicitly allowed
+            // So, close all non-system socket owned by uids that are not explicitly allowed
+            Set<Range<Integer>> ranges = new ArraySet<>();
+            ranges.add(new Range<>(Process.FIRST_APPLICATION_UID, Integer.MAX_VALUE));
+            final Set<Integer> exemptUids = mBpfNetMaps.getUidsWithAllowRuleOnAllowListChain(chain);
+            mDeps.destroyLiveTcpSockets(ranges, exemptUids);
+        } else {
+            // Denylist means the firewall allows all by default, uids must be explicitly denied
+            // So, close socket owned by uids that are explicitly denied
+            final Set<Integer> ownerUids = mBpfNetMaps.getUidsWithDenyRuleOnDenyListChain(chain);
+            mDeps.destroyLiveTcpSocketsByOwnerUids(ownerUids);
+        }
+    }
+
    @Override
    public void setFirewallChainEnabled(final int chain, final boolean enable) {
        enforceNetworkStackOrSettingsPermission();
@@ -11940,6 +11967,14 @@ public class ConnectivityService extends IConnectivityManager.Stub
        } catch (ServiceSpecificException e) {
            throw new IllegalStateException(e);
        }
+
+        if (SdkLevel.isAtLeastU() && enable) {
+            try {
+                closeSocketsForFirewallChainLocked(chain);
+            } catch (ErrnoException | SocketException | InterruptedIOException e) {
+                Log.e(TAG, "Failed to close sockets after enabling chain (" + chain + "): " + e);
+            }
+        }
    }

    @Override