authorTreehugger Robot <treehugger-gerrit@google.com>2020-04-07 05:50:41 +0000
committerMaciej Zenczykowski <maze@google.com>2020-04-07 08:28:10 +0000
commit1b96665c794e73ca9ad80d23e08b990833d1c6d9 (patch)
tree24aa4cf949d25b54b299f8d85a1aae1837e48079 /client/NetdClientTest.cpp
parent377f356b9e9cf8b892eba22e29ecb5e19608e3a3 (diff)
netdclient - attempt to eliminate spurious netd selinux denials on unix_stream_sockets
This should hopefully fix for example: avc: denied { read write } for comm="netd" path="socket:[1580915]" dev="sockfs" ino=1580915 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0 Make sure protectFromVpn() only passes AF_INET/AF_INET6 sockets to netd. Also make sure that sendmmsg/sendmsg/sendto only pass real AF_INET/AF_INET6 sockets to netd: when an app misuses the API, the type of the socket does not necessarily match the address family of the sockaddr passed in, e.g. sendto(AF_LOCAL_socket, AF_INET_sockaddr). Note that this also means these system calls will now honour the 'ANDROID_NO_USE_FWMARK_CLIENT' env variable for euid=0 processes. While we're at it also add some missing parentheses in a macro. Test: build, atest netdclient_test Bug: 77870037 Change-Id: I1040838950d363f08a02593e9b669fec31fa847b Merged-In: I1040838950d363f08a02593e9b669fec31fa847b
Diffstat (limited to 'client/NetdClientTest.cpp')
-rw-r--r--client/NetdClientTest.cpp18
1 files changed, 18 insertions, 0 deletions
diff --git a/client/NetdClientTest.cpp b/client/NetdClientTest.cpp
index b523ccc9..126c7fd1 100644
--- a/client/NetdClientTest.cpp
+++ b/client/NetdClientTest.cpp
@@ -74,3 +74,21 @@ TEST(NetdClientTest, getNetworkForDns) {
unsigned* testNull = nullptr;
EXPECT_EQ(-EFAULT, getNetworkForDns(testNull));
}
+
+TEST(NetdClientTest, protectFromVpnBadFd) {
+ EXPECT_EQ(-EBADF, protectFromVpn(-1));
+}
+
+TEST(NetdClientTest, protectFromVpnUnixStream) {
+ int s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_GE(s, 3);
+ EXPECT_EQ(-EAFNOSUPPORT, protectFromVpn(s));
+ close(s);
+}
+
+TEST(NetdClientTest, protectFromVpnTcp6) {
+ int s = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ ASSERT_GE(s, 3);
+ EXPECT_EQ(0, protectFromVpn(s));
+ close(s);
+}
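Review bot: The new tests only cover protectFromVpn(), while the denial quoted in the description comes from the sendto/sendmsg/sendmmsg path (an AF_UNIX fd paired with an AF_INET sockaddr), which gets no test here; a case that sends on an AF_UNIX socket with an AF_INET address would at least pin that the wrapper passes the kernel's own rejection through unchanged, and an AF_INET (IPv4) or SOCK_DGRAM protectFromVpn case would pin the other family the commit claims to allow. The `ASSERT_GE(s, 3)` on the socket lines assumes fds 0-2 are open in the test process; if the harness runs with stdio closed, socket() legitimately returns a low fd, the assertion fails spuriously and the fd leaks, so `ASSERT_GE(s, 0) << strerror(errno);` is the safer check. Whether protectFromVpnTcp6's `EXPECT_EQ(0, ...)` holds unprivileged depends on netd's policy for the caller, which this file does not show; if the suite can run as a non-privileged uid, that expectation should be documented or guarded. The errno below is what the kernel is expected to return for a family mismatch on an AF_UNIX datagram socket; confirm on the target kernel before landing.
```cpp
TEST(NetdClientTest, sendtoUnixSocketWithInetAddr) {
  int s = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
  ASSERT_GE(s, 0) << strerror(errno);
  sockaddr_in sin = {};
  sin.sin_family = AF_INET;
  // The fd is AF_UNIX, so the wrapper must not involve netd; the kernel alone
  // rejects the mismatched address family and that error must reach the caller.
  EXPECT_EQ(-1, sendto(s, "x", 1, 0, reinterpret_cast<const sockaddr*>(&sin), sizeof(sin)));
  EXPECT_EQ(EINVAL, errno);
  close(s);
}
```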