From e1561fa800dd287221d91edd453f524fa59eddba Mon Sep 17 00:00:00 2001
From: markchien
Date: Thu, 9 Dec 2021 22:00:56 +0800
Subject: [PATCH] Add updateFirewallRule API

To deprecated firewallSetUidRule netd binder and move the functionality to tethering (connectivity) mainline module, expose updateFirewallRule to support the caller outside the module. Currently the API are still call to netd. Will replace with the implementation inside tethering (connectivity) module.

Bug: 209935649
Test: atest CtsHostsideNetworkTests
Change-Id: I0b53c999e06c2378afec0eb491815ec398c91b0b
---
 framework/api/module-lib-current.txt          |  5 ++
 .../src/android/net/ConnectivityManager.java  | 78 +++++++++++++++++--
 .../src/android/net/IConnectivityManager.aidl |  2 +
 .../android/server/ConnectivityService.java   | 12 +++
 4 files changed, 91 insertions(+), 6 deletions(-)

diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt
index fea880aed6..119878e072 100644
--- a/framework/api/module-lib-current.txt
+++ b/framework/api/module-lib-current.txt
@@ -25,6 +25,7 @@ package android.net {
     method @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_TEST_NETWORKS, android.Manifest.permission.NETWORK_STACK}) public void simulateDataStall(int, long, @NonNull android.net.Network, @NonNull android.os.PersistableBundle);
     method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void startCaptivePortalApp(@NonNull android.net.Network);
     method public void systemReady();
+    method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void updateFirewallRule(int, int, boolean);
     method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void updateMeteredNetworkAllowList(int, boolean);
     method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void updateMeteredNetworkDenyList(int, boolean);
     field public static final String ACTION_CLEAR_DNS_CACHE = "android.net.action.CLEAR_DNS_CACHE";
@@ -41,6 +42,10 @@ package android.net {
     field public static final int BLOCKED_REASON_LOCKDOWN_VPN = 16; // 0x10
     field public static final int BLOCKED_REASON_NONE = 0; // 0x0
     field public static final int BLOCKED_REASON_RESTRICTED_MODE = 8; // 0x8
+    field public static final int FIREWALL_CHAIN_DOZABLE = 1; // 0x1
+    field public static final int FIREWALL_CHAIN_POWERSAVE = 3; // 0x3
+    field public static final int FIREWALL_CHAIN_RESTRICTED = 4; // 0x4
+    field public static final int FIREWALL_CHAIN_STANDBY = 2; // 0x2
     field public static final int PROFILE_NETWORK_PREFERENCE_DEFAULT = 0; // 0x0
     field public static final int PROFILE_NETWORK_PREFERENCE_ENTERPRISE = 1; // 0x1
   }
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 465595fbc3..b0bb25c0ce 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -930,6 +930,48 @@ public class ConnectivityManager {
     @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.P, trackingBug = 130143562)
     private final IConnectivityManager mService;
 
+    /**
+     * Firewall chain for device idle (doze mode).
+     * Allowlist of apps that have network access in device idle.
+     * @hide
+     */
+    @SystemApi(client = MODULE_LIBRARIES)
+    public static final int FIREWALL_CHAIN_DOZABLE = 1;
+
+    /**
+     * Firewall chain used for app standby.
+     * Denylist of apps that do not have network access.
+     * @hide
+     */
+    @SystemApi(client = MODULE_LIBRARIES)
+    public static final int FIREWALL_CHAIN_STANDBY = 2;
+
+    /**
+     * Firewall chain used for battery saver.
+     * Allowlist of apps that have network access when battery saver is on.
+     * @hide
+     */
+    @SystemApi(client = MODULE_LIBRARIES)
+    public static final int FIREWALL_CHAIN_POWERSAVE = 3;
+
+    /**
+     * Firewall chain used for restricted networking mode.
+     * Allowlist of apps that have access in restricted networking mode.
+     * @hide
+     */
+    @SystemApi(client = MODULE_LIBRARIES)
+    public static final int FIREWALL_CHAIN_RESTRICTED = 4;
+
+    /** @hide */
+    @Retention(RetentionPolicy.SOURCE)
+    @IntDef(flag = false, prefix = "FIREWALL_CHAIN_", value = {
+        FIREWALL_CHAIN_DOZABLE,
+        FIREWALL_CHAIN_STANDBY,
+        FIREWALL_CHAIN_POWERSAVE,
+        FIREWALL_CHAIN_RESTRICTED
+    })
+    public @interface FirewallChain {}
+
     /**
      * A kludge to facilitate static access where a Context pointer isn't available, like in the
      * case of the static set/getProcessDefaultNetwork methods and from the Network class.
@@ -5552,9 +5594,11 @@ public class ConnectivityManager {
     }
 
     /**
-     * Allow target application using metered network.
+     * Sets whether the specified UID is allowed to use data on metered networks even when
+     * background data is restricted.
      *
      * @param uid uid of target app
+     * @throws IllegalStateException if update allow list failed.
      * @hide
      */
     @SystemApi(client = MODULE_LIBRARIES)
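Review bot: The four FIREWALL_CHAIN_* values introduced in this hunk are forwarded to netd unchanged by ConnectivityService.updateFirewallRule (the last hunk of this patch passes `chain` straight into `mNetd.firewallSetUidRule`), so their numeric values must equal the corresponding INetd.FIREWALL_CHAIN_* constants, and nothing here records or enforces that coupling. I would add above the first constant `// These values are passed to netd as-is and must match INetd.FIREWALL_CHAIN_*.` and, if the service has a natural place for it, a one-time check that each pair is equal, so that a later renumbering on either side fails loudly instead of silently programming the wrong chain. Note also that `@FirewallChain` is `@Retention(RetentionPolicy.SOURCE)`, so it constrains only compile-time callers of this class and nothing on the binder path; any range check has to live in the service. `flag = false` is the @IntDef default and can be dropped.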
@@ -5568,15 +5612,15 @@ public class ConnectivityManager {
             mService.updateMeteredNetworkAllowList(uid, add);
         } catch (RemoteException e) {
             throw e.rethrowFromSystemServer();
-        } catch (IllegalStateException ie) {
-            throw ie;
         }
     }
 
     /**
-     * Disallow target application using metered network.
+     * Sets whether the specified UID is prevented from using background data on metered networks.
+     * Takes precedence over {@link #updateMeteredNetworkAllowList}.
      *
      * @param uid uid of target app
+     * @throws IllegalStateException if update deny list failed.
      * @hide
      */
     @SystemApi(client = MODULE_LIBRARIES)
@@ -5590,8 +5634,30 @@ public class ConnectivityManager {
             mService.updateMeteredNetworkDenyList(uid, add);
         } catch (RemoteException e) {
             throw e.rethrowFromSystemServer();
-        } catch (IllegalStateException ie) {
-            throw ie;
+        }
+    }
+
+    /**
+     * Sets a firewall rule for the specified UID on the specified chain.
+     *
+     * @param chain target chain.
+     * @param uid uid to allow/deny.
+     * @param allow either add or remove rule.
+     * @throws IllegalStateException if update firewall rule failed.
+     * @hide
+     */
+    @SystemApi(client = MODULE_LIBRARIES)
+    @RequiresPermission(anyOf = {
+            android.Manifest.permission.NETWORK_SETTINGS,
+            android.Manifest.permission.NETWORK_STACK,
+            NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK
+    })
+    public void updateFirewallRule(@FirewallChain final int chain, final int uid,
+            final boolean allow) {
+        try {
+            mService.updateFirewallRule(chain, uid, allow);
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
         }
     }
 }
diff --git a/framework/src/android/net/IConnectivityManager.aidl b/framework/src/android/net/IConnectivityManager.aidl
index 5740d853d6..6f60a685c8 100644
--- a/framework/src/android/net/IConnectivityManager.aidl
+++ b/framework/src/android/net/IConnectivityManager.aidl
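Review bot: The Javadoc `@param allow either add or remove rule.` on the new updateFirewallRule does not say what the rule does, and per the chain constants declared earlier in this file the chains are not uniform: DOZABLE, POWERSAVE and RESTRICTED are described as allowlists while STANDBY is a denylist, so "add a rule" would mean opposite things on different chains. The service side (last hunk of this patch) maps the flag to INetd.FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY, so the contract is about traffic, not list membership, and should be documented that way: `@param allow {@code true} to allow the UID network access on {@code chain}, {@code false} to deny it.` I would also make the `@param chain` line reference the accepted values, `@param chain one of the {@code FIREWALL_CHAIN_*} constants.`, since `@FirewallChain` is a SOURCE-retention IntDef and callers outside the module get no other hint. The `@throws IllegalStateException` line is consistent with the sibling methods now that their redundant catch-and-rethrow of IllegalStateException is removed.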
@@ -234,4 +234,6 @@ interface IConnectivityManager
 
     void updateMeteredNetworkAllowList(int uid, boolean add);
     void updateMeteredNetworkDenyList(int uid, boolean add);
+
+    void updateFirewallRule(int chain, int uid, boolean allow);
 }
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 578fabea58..41257f460b 100644
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -10610,4 +10610,16 @@ public class ConnectivityService extends IConnectivityManager.Stub
             throw new IllegalStateException(e);
         }
     }
+
+    @Override
+    public void updateFirewallRule(final int chain, final int uid, final boolean allow) {
+        enforceNetworkStackOrSettingsPermission();
+
+        try {
+            mNetd.firewallSetUidRule(chain, uid,
+                    allow ? INetd.FIREWALL_RULE_ALLOW : INetd.FIREWALL_RULE_DENY);
+        } catch (RemoteException | ServiceSpecificException e) {
+            throw new IllegalStateException(e);
+        }
+    }
 }
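Review bot: ConnectivityService.updateFirewallRule forwards `chain` to `mNetd.firewallSetUidRule` with no validation, and because `@FirewallChain` is a SOURCE-retention IntDef that does not appear on the AIDL method, any caller holding one of the accepted permissions can pass a chain id the API does not expose; the only backstop is whatever netd itself rejects, which surfaces to the caller as an opaque IllegalStateException. Since this is now a module-lib API meant for callers outside the module, check the argument at the binder boundary right after the permission check: `if (chain < ConnectivityManager.FIREWALL_CHAIN_DOZABLE || chain > ConnectivityManager.FIREWALL_CHAIN_RESTRICTED) {` / `    throw new IllegalArgumentException("Unsupported firewall chain: " + chain);` / `}` (a switch over the four constants is equivalent and also survives a later non-contiguous addition). This relies on the ConnectivityManager constants being numerically identical to INetd's FIREWALL_CHAIN_* values, which the patch depends on but never asserts; a comment or a one-time equality check next to this call would make that explicit. Whether `enforceNetworkStackOrSettingsPermission()` accepts exactly the three permissions listed in the API's `@RequiresPermission` cannot be confirmed from this hunk and is worth verifying against the neighbouring updateMeteredNetwork* implementations.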