Merge changes I6c0d0f92,I21bc0644
* changes:
Follow-up commit of aosp/2367328
Restrict DNS by UID-based network permission
diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp
index dcfc6c2..c0a9894 100644
--- a/server/NetdNativeService.cpp
+++ b/server/NetdNativeService.cpp
@@ -1248,9 +1248,9 @@
}
binder::Status NetdNativeService::setNetworkAllowlist(
- const std::vector<NativeUidRangeConfig>& settings) {
+ const std::vector<NativeUidRangeConfig>& rangeConfigs) {
ENFORCE_NETWORK_STACK_PERMISSIONS();
- return statusFromErrcode(gCtls->netCtrl.setNetworkAllowlist(settings));
+ return statusFromErrcode(gCtls->netCtrl.setNetworkAllowlist(rangeConfigs));
}
} // namespace net
diff --git a/server/NetdNativeService.h b/server/NetdNativeService.h
index 532acc3..d5932b0 100644
--- a/server/NetdNativeService.h
+++ b/server/NetdNativeService.h
@@ -267,7 +267,7 @@
binder::Status getOemNetd(android::sp<android::IBinder>* listener) override;
binder::Status getFwmarkForNetwork(int32_t netId, MarkMaskParcel* markmask);
binder::Status setNetworkAllowlist(
- const std::vector<netd::aidl::NativeUidRangeConfig>& settings) override;
+ const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs) override;
private:
std::vector<uid_t> intsToUids(const std::vector<int32_t>& intUids);
diff --git a/server/Network.cpp b/server/Network.cpp
index a395641..b13970c 100644
--- a/server/Network.cpp
+++ b/server/Network.cpp
@@ -84,10 +84,10 @@
}
std::string Network::allowedUidsToString() const {
- if (!mUidsAbleToSelectThisNetwork) {
+ if (!mAllowedUids) {
return "unrestricted";
}
- return mUidsAbleToSelectThisNetwork->toString();
+ return mAllowedUids->toString();
}
// Check if the user has been added to this network. If yes, the highest priority of matching
@@ -125,15 +125,15 @@
}
void Network::clearAllowedUids() {
- mUidsAbleToSelectThisNetwork.reset();
+ mAllowedUids.reset();
}
void Network::setAllowedUids(const UidRanges& uidRanges) {
- mUidsAbleToSelectThisNetwork = uidRanges;
+ mAllowedUids = uidRanges;
}
bool Network::isUidAllowed(uid_t uid) {
- return !mUidsAbleToSelectThisNetwork || mUidsAbleToSelectThisNetwork->hasUid(uid);
+ return !mAllowedUids || mAllowedUids->hasUid(uid);
}
bool Network::canAddUidRanges(const UidRanges& uidRanges) const {
diff --git a/server/Network.h b/server/Network.h
index bafa194..6b68def 100644
--- a/server/Network.h
+++ b/server/Network.h
@@ -80,7 +80,7 @@
const bool mSecure;
// UIDs that can explicitly select this network. It means no restriction for all UIDs if the
// optional variable has no value.
- std::optional<UidRanges> mUidsAbleToSelectThisNetwork;
+ std::optional<UidRanges> mAllowedUids;
private:
enum Action {
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 0d716ad..082eaf8 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -801,30 +801,36 @@
void NetworkController::clearAllowedUidsForAllNetworksLocked() {
for (const auto& [_, network] : mNetworks) {
- if (!network->isPhysical()) continue;
-
network->clearAllowedUids();
}
}
int NetworkController::setNetworkAllowlist(
- const std::vector<netd::aidl::NativeUidRangeConfig>& settings) {
+ const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs) {
const ScopedWLock lock(mRWLock);
- clearAllowedUidsForAllNetworksLocked();
- for (const auto& setting : settings) {
- Network* network = getNetworkLocked(setting.netId);
+ for (const auto& config : rangeConfigs) {
+ Network* network = getNetworkLocked(config.netId);
if (!network) return -ENONET;
- if (!network->isPhysical()) return -EINVAL;
}
- for (const auto& setting : settings) {
- Network* network = getNetworkLocked(setting.netId);
- network->setAllowedUids(UidRanges(setting.uidRanges));
+ clearAllowedUidsForAllNetworksLocked();
+ for (const auto& config : rangeConfigs) {
+ Network* network = getNetworkLocked(config.netId);
+ network->setAllowedUids(UidRanges(config.uidRanges));
}
return 0;
}
+bool NetworkController::isUidAllowed(unsigned netId, uid_t uid) const {
+ const ScopedRLock lock(mRWLock);
+ Network* network = getNetworkLocked(netId);
+ if (network && network->isUidAllowed(uid)) {
+ return true;
+ }
+ return false;
+}
+
bool NetworkController::isValidNetworkLocked(unsigned netId) const {
return getNetworkLocked(netId);
}
diff --git a/server/NetworkController.h b/server/NetworkController.h
index 386733a..e7c47da 100644
--- a/server/NetworkController.h
+++ b/server/NetworkController.h
@@ -147,7 +147,8 @@
void denyProtect(const std::vector<uid_t>& uids);
void dump(netdutils::DumpWriter& dw);
- int setNetworkAllowlist(const std::vector<netd::aidl::NativeUidRangeConfig>& settings);
+ int setNetworkAllowlist(const std::vector<netd::aidl::NativeUidRangeConfig>& rangeConfigs);
+ bool isUidAllowed(unsigned netId, uid_t uid) const;
private:
bool isValidNetworkLocked(unsigned netId) const;
diff --git a/server/main.cpp b/server/main.cpp
index 35c53de..3c6b0d5 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -96,7 +96,15 @@
return libnetd_updatable_tagSocket(sockFd, tag, uid, AID_DNS);
}
-bool evaluateDomainNameCallback(const android_net_context&, const char* /*name*/) {
+bool evaluateDomainNameCallback(const android_net_context& netcontext, const char* /*name*/) {
+ // OEMs should NOT modify IF statement, or DNS control provided by mainline modules may break.
+ if (!gCtls->netCtrl.isUidAllowed(netcontext.app_netid, netcontext.uid)) {
+ ALOGI("uid %d is not allowed to use netid %u", netcontext.uid, netcontext.app_netid);
+ return false;
+ }
+
+ // Add OEM customization from here
+ // ...
return true;
}
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 677018e..c0a8921 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -5451,6 +5451,9 @@
EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_3, sTun4.name(), "::/0", "").isOk());
// profile#1
+ // UidRanges::SUB_PRIORITY_HIGHEST + 20 = PREFERENCE_ORDER_PROFILE, which is defined in
+ // ConnectivityService.java. The value here doesn't really matter because user allowed network
+ // does not depends on specific sub-priority.
NativeUidRangeConfig cfg1 =
makeNativeUidRangeConfig(ENTERPRISE_NETID_1, {makeUidRangeParcel(TEST_UID1, TEST_UID1)},
UidRanges::SUB_PRIORITY_HIGHEST + 20);
@@ -5555,4 +5558,21 @@
EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
}
-}
+
+ // Update setting: remove ENTERPRISE_NETID_1 from profile#1's allowed network list
+ // +-----------+-----------------------+----------------------------------------+
+ // | UID | UID's default network | UID can select networks |
+ // +-----------+-----------------------+----------------------------------------+
+ // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_2, ENTERPRISE_NETID_3 |
+ // +-----------+-----------------------+----------------------------------------+
+ EXPECT_TRUE(
+ mNetd->setNetworkAllowlist({nw2UserConfig, nw3UserConfig, nwDefaultUserConfig}).isOk());
+
+ // All UIDs should be able to use ENTERPRISE_NETID_1.
+ for (const int uid : {TEST_UID1, TEST_UID2, TEST_UID3}) {
+ {
+ ScopedUidChange scopedUidChange(uid);
+ EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
+ }
+ }
+}
\ No newline at end of file
