authorMike Yu <yumike@google.com>2020-05-20 20:58:49 +0800
committerMike Yu <yumike@google.com>2020-05-21 20:21:20 +0800
commite9b78d82c89214c8f754a5c8fb2b15c437a598fb (patch)
tree3fdec46dc96c6e69fb9e3d990bd320f905b2bbd8 /ResolverController.cpp
parent17bb79ae1e454fad03eab7e915c9aeebda826547 (diff)
Drop the dependency of Fwmark
The resolver used to generate the desired network mark for DoT sockets itself. Now it gets the network mark from netd instead. Bug: 151895202 Test: Private DNS works as usual (even on VPN) Change-Id: Ibb3e3e1ce0b43cb74962dd4436a47e9b458fa19a
Diffstat (limited to 'ResolverController.cpp')
-rw-r--r--ResolverController.cpp18
1 files changed, 9 insertions, 9 deletions
diff --git a/ResolverController.cpp b/ResolverController.cpp
index 13600b87..be0b989f 100644
--- a/ResolverController.cpp
+++ b/ResolverController.cpp
@@ -24,7 +24,6 @@
#include <netdb.h>
-#include <Fwmark.h>
#include <aidl/android/net/IDnsResolver.h>
#include <android-base/logging.h>
#include <android-base/strings.h>
@@ -202,21 +201,22 @@ int ResolverController::flushNetworkCache(unsigned netId) {
int ResolverController::setResolverConfiguration(const ResolverParamsParcel& resolverParams) {
using aidl::android::net::IDnsResolver;
- // At private DNS validation time, we only know the netId, so we have to guess/compute the
- // corresponding socket mark.
- Fwmark fwmark;
- fwmark.netId = resolverParams.netId;
- fwmark.explicitlySelected = true;
- fwmark.protectedFromVpn = true;
- fwmark.permission = PERMISSION_SYSTEM;
+ // Expect to get the mark with system permission.
+ android_net_context netcontext;
+ gResNetdCallbacks.get_network_context(resolverParams.netId, 0 /* uid */, &netcontext);
// Allow at most MAXNS private DNS servers in a network to prevent too many broken servers.
std::vector<std::string> tlsServers = resolverParams.tlsServers;
if (tlsServers.size() > MAXNS) {
tlsServers.resize(MAXNS);
}
+
+ // Use app_mark for DoT connection. Using dns_mark might result in reaching the DoT servers
+ // through a different network. For example, on a VPN with no DNS servers (Do53), if the VPN
+ // applies to UID 0, dns_mark is assigned for default network rathan the VPN. (note that it's
+ // possible that a VPN doesn't have any DNS servers but DoT servers in DNS strict mode)
const int err =
- gPrivateDnsConfiguration.set(resolverParams.netId, fwmark.intValue, tlsServers,
+ gPrivateDnsConfiguration.set(resolverParams.netId, netcontext.app_mark, tlsServers,
resolverParams.tlsName, resolverParams.caCertificate);
if (err != 0) {