Fix NOT_RESTRICTED network capability and enforce it.
With this change:
1. NOT_RESTRICTED should be removed from NetworkRequests that bring up
special restricted carrier networks (e.g. IMS, FOTA).
2. NetworkRequests without NOT_RESTRICTED require CONNECTIVITY_INTERNAL
permission to register
3. Binding sockets to networks without NOT_RESTRICTED requires
CONNECTIVITY_INTERNAL permission
Bug:21637535
Change-Id: I5991d39facaa6b690e969fe15dcbeec52e918321
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index dc8ff8f..4d45076 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -956,41 +956,6 @@
return 1;
}
- /**
- * Removes the NET_CAPABILITY_NOT_RESTRICTED capability from the given
- * NetworkCapabilities object if all the capabilities it provides are
- * typically provided by restricted networks.
- *
- * TODO: consider:
- * - Moving to NetworkCapabilities
- * - Renaming it to guessRestrictedCapability and make it set the
- * restricted capability bit in addition to clearing it.
- * @hide
- */
- public static void maybeMarkCapabilitiesRestricted(NetworkCapabilities nc) {
- for (int capability : nc.getCapabilities()) {
- switch (capability) {
- case NetworkCapabilities.NET_CAPABILITY_CBS:
- case NetworkCapabilities.NET_CAPABILITY_DUN:
- case NetworkCapabilities.NET_CAPABILITY_EIMS:
- case NetworkCapabilities.NET_CAPABILITY_FOTA:
- case NetworkCapabilities.NET_CAPABILITY_IA:
- case NetworkCapabilities.NET_CAPABILITY_IMS:
- case NetworkCapabilities.NET_CAPABILITY_RCS:
- case NetworkCapabilities.NET_CAPABILITY_XCAP:
- case NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED: //there by default
- continue;
- default:
- // At least one capability usually provided by unrestricted
- // networks. Conclude that this network is unrestricted.
- return;
- }
- }
- // All the capabilities are typically provided by restricted networks.
- // Conclude that this network is restricted.
- nc.removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED);
- }
-
private NetworkCapabilities networkCapabilitiesForFeature(int networkType, String feature) {
if (networkType == TYPE_MOBILE) {
int cap = -1;
@@ -1013,14 +978,14 @@
}
NetworkCapabilities netCap = new NetworkCapabilities();
netCap.addTransportType(NetworkCapabilities.TRANSPORT_CELLULAR).addCapability(cap);
- maybeMarkCapabilitiesRestricted(netCap);
+ netCap.maybeMarkCapabilitiesRestricted();
return netCap;
} else if (networkType == TYPE_WIFI) {
if ("p2p".equals(feature)) {
NetworkCapabilities netCap = new NetworkCapabilities();
netCap.addTransportType(NetworkCapabilities.TRANSPORT_WIFI);
netCap.addCapability(NetworkCapabilities.NET_CAPABILITY_WIFI_P2P);
- maybeMarkCapabilitiesRestricted(netCap);
+ netCap.maybeMarkCapabilitiesRestricted();
return netCap;
}
}
diff --git a/core/java/android/net/NetworkCapabilities.java b/core/java/android/net/NetworkCapabilities.java
index 514d24a..0154eb5 100644
--- a/core/java/android/net/NetworkCapabilities.java
+++ b/core/java/android/net/NetworkCapabilities.java
@@ -38,10 +38,7 @@
*/
public NetworkCapabilities() {
clearAll();
- mNetworkCapabilities =
- (1 << NET_CAPABILITY_NOT_RESTRICTED) |
- (1 << NET_CAPABILITY_TRUSTED) |
- (1 << NET_CAPABILITY_NOT_VPN);
+ mNetworkCapabilities = DEFAULT_CAPABILITIES;
}
public NetworkCapabilities(NetworkCapabilities nc) {
@@ -187,6 +184,28 @@
private static final int MAX_NET_CAPABILITY = NET_CAPABILITY_CAPTIVE_PORTAL;
/**
+ * Capabilities that are set by default when the object is constructed.
+ */
+ private static final long DEFAULT_CAPABILITIES =
+ (1 << NET_CAPABILITY_NOT_RESTRICTED) |
+ (1 << NET_CAPABILITY_TRUSTED) |
+ (1 << NET_CAPABILITY_NOT_VPN);
+
+ /**
+ * Capabilities that suggest that a network is restricted.
+ * {@see #maybeMarkCapabilitiesRestricted}.
+ */
+ private static final long RESTRICTED_CAPABILITIES =
+ (1 << NET_CAPABILITY_CBS) |
+ (1 << NET_CAPABILITY_DUN) |
+ (1 << NET_CAPABILITY_EIMS) |
+ (1 << NET_CAPABILITY_FOTA) |
+ (1 << NET_CAPABILITY_IA) |
+ (1 << NET_CAPABILITY_IMS) |
+ (1 << NET_CAPABILITY_RCS) |
+ (1 << NET_CAPABILITY_XCAP);
+
+ /**
* Adds the given capability to this {@code NetworkCapability} instance.
* Multiple capabilities may be applied sequentially. Note that when searching
* for a network to satisfy a request, all capabilities requested must be satisfied.
@@ -269,6 +288,22 @@
}
/**
+ * Removes the NET_CAPABILITY_NOT_RESTRICTED capability if all the capabilities it provides are
+ * typically provided by restricted networks.
+ *
+ * TODO: consider:
+ * - Renaming it to guessRestrictedCapability and make it set the
+ * restricted capability bit in addition to clearing it.
+ * @hide
+ */
+ public void maybeMarkCapabilitiesRestricted() {
+ // If all the capabilities are typically provided by restricted networks, conclude that this
+ // network is restricted.
+ if ((mNetworkCapabilities & ~(DEFAULT_CAPABILITIES | RESTRICTED_CAPABILITIES)) == 0)
+ removeCapability(NET_CAPABILITY_NOT_RESTRICTED);
+ }
+
+ /**
* Representing the transport type. Apps should generally not care about transport. A
* request for a fast internet connection could be satisfied by a number of different
* transports. If any are specified here it will be satisfied a Network that matches
diff --git a/core/java/android/net/NetworkRequest.java b/core/java/android/net/NetworkRequest.java
index e61594c..e184ec4 100644
--- a/core/java/android/net/NetworkRequest.java
+++ b/core/java/android/net/NetworkRequest.java
@@ -83,7 +83,13 @@
* Build {@link NetworkRequest} give the current set of capabilities.
*/
public NetworkRequest build() {
- return new NetworkRequest(mNetworkCapabilities, ConnectivityManager.TYPE_NONE,
+ // Make a copy of mNetworkCapabilities so we don't inadvertently remove NOT_RESTRICTED
+ // when later an unrestricted capability could be added to mNetworkCapabilities, in
+ // which case NOT_RESTRICTED should be returned to mNetworkCapabilities, which
+ // maybeMarkCapabilitiesRestricted() doesn't add back.
+ final NetworkCapabilities nc = new NetworkCapabilities(mNetworkCapabilities);
+ nc.maybeMarkCapabilitiesRestricted();
+ return new NetworkRequest(nc, ConnectivityManager.TYPE_NONE,
ConnectivityManager.REQUEST_ID_UNSET);
}
diff --git a/core/java/android/os/INetworkManagementService.aidl b/core/java/android/os/INetworkManagementService.aidl
index 8114155..cd84c8f 100644
--- a/core/java/android/os/INetworkManagementService.aidl
+++ b/core/java/android/os/INetworkManagementService.aidl
@@ -388,8 +388,10 @@
/**
* Setup a new physical network.
+ * @param permission null if no permissions required to access this network. PERMISSION_NETWORK
+ * or PERMISSION_SYSTEM to set respective permission.
*/
- void createPhysicalNetwork(int netId);
+ void createPhysicalNetwork(int netId, String permission);
/**
* Setup a new VPN.
@@ -416,6 +418,13 @@
void setDefaultNetId(int netId);
void clearDefaultNetId();
+ /**
+ * Set permission for a network.
+ * @param permission null to clear permissions. PERMISSION_NETWORK or PERMISSION_SYSTEM to set
+ * permission.
+ */
+ void setNetworkPermission(int netId, String permission);
+
void setPermission(String permission, in int[] uids);
void clearPermission(in int[] uids);
diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index eb74ab0..62e8532 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -4021,6 +4021,16 @@
}
if (!Objects.equals(nai.networkCapabilities, networkCapabilities)) {
final int oldScore = nai.getCurrentScore();
+ if (nai.networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) !=
+ networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)) {
+ try {
+ mNetd.setNetworkPermission(nai.network.netId,
+ networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) ?
+ null : NetworkManagementService.PERMISSION_SYSTEM);
+ } catch (RemoteException e) {
+ loge("Exception in setNetworkPermission: " + e);
+ }
+ }
synchronized (nai) {
nai.networkCapabilities = networkCapabilities;
}
@@ -4456,7 +4466,10 @@
(networkAgent.networkMisc == null ||
!networkAgent.networkMisc.allowBypass));
} else {
- mNetd.createPhysicalNetwork(networkAgent.network.netId);
+ mNetd.createPhysicalNetwork(networkAgent.network.netId,
+ networkAgent.networkCapabilities.hasCapability(
+ NET_CAPABILITY_NOT_RESTRICTED) ?
+ null : NetworkManagementService.PERMISSION_SYSTEM);
}
} catch (Exception e) {
loge("Error creating network " + networkAgent.network.netId + ": "
diff --git a/services/core/java/com/android/server/NetworkManagementService.java b/services/core/java/com/android/server/NetworkManagementService.java
index 0e3134d..433f707 100644
--- a/services/core/java/com/android/server/NetworkManagementService.java
+++ b/services/core/java/com/android/server/NetworkManagementService.java
@@ -131,6 +131,19 @@
*/
public static final String LIMIT_GLOBAL_ALERT = "globalAlert";
+ /**
+ * String to pass to netd to indicate that a network is only accessible
+ * to apps that have the CHANGE_NETWORK_STATE permission.
+ */
+ public static final String PERMISSION_NETWORK = "NETWORK";
+
+ /**
+ * String to pass to netd to indicate that a network is only
+ * accessible to system apps and those with the CONNECTIVITY_INTERNAL
+ * permission.
+ */
+ public static final String PERMISSION_SYSTEM = "SYSTEM";
+
class NetdResponseCode {
/* Keep in sync with system/netd/server/ResponseCode.h */
public static final int InterfaceListResult = 110;
@@ -2329,11 +2342,15 @@
}
@Override
- public void createPhysicalNetwork(int netId) {
+ public void createPhysicalNetwork(int netId, String permission) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
try {
- mConnector.execute("network", "create", netId);
+ if (permission != null) {
+ mConnector.execute("network", "create", netId, permission);
+ } else {
+ mConnector.execute("network", "create", netId);
+ }
} catch (NativeDaemonConnectorException e) {
throw e.rethrowAsParcelableException();
}
@@ -2425,6 +2442,22 @@
}
@Override
+ public void setNetworkPermission(int netId, String permission) {
+ mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+
+ try {
+ if (permission != null) {
+ mConnector.execute("network", "permission", "network", "set", permission, netId);
+ } else {
+ mConnector.execute("network", "permission", "network", "clear", netId);
+ }
+ } catch (NativeDaemonConnectorException e) {
+ throw e.rethrowAsParcelableException();
+ }
+ }
+
+
+ @Override
public void setPermission(String permission, int[] uids) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
diff --git a/services/tests/servicestests/src/com/android/server/ConnectivityServiceTest.java b/services/tests/servicestests/src/com/android/server/ConnectivityServiceTest.java
index cb9c6a76..9994964 100644
--- a/services/tests/servicestests/src/com/android/server/ConnectivityServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/ConnectivityServiceTest.java
@@ -896,6 +896,19 @@
}
private void tryNetworkFactoryRequests(int capability) throws Exception {
+ // Verify NOT_RESTRICTED is set appropriately
+ final NetworkCapabilities nc = new NetworkRequest.Builder().addCapability(capability)
+ .build().networkCapabilities;
+ if (capability == NET_CAPABILITY_CBS || capability == NET_CAPABILITY_DUN ||
+ capability == NET_CAPABILITY_EIMS || capability == NET_CAPABILITY_FOTA ||
+ capability == NET_CAPABILITY_IA || capability == NET_CAPABILITY_IMS ||
+ capability == NET_CAPABILITY_RCS || capability == NET_CAPABILITY_XCAP ||
+ capability == NET_CAPABILITY_TRUSTED || capability == NET_CAPABILITY_NOT_VPN) {
+ assertFalse(nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED));
+ } else {
+ assertTrue(nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED));
+ }
+
NetworkCapabilities filter = new NetworkCapabilities();
filter.addCapability(capability);
final HandlerThread handlerThread = new HandlerThread("testNetworkFactoryRequests");
