| author | chiachangwang <chiachangwang@google.com> | 2022-05-17 05:16:16 +0000 |
|---|---|---|
| committer | Cherrypicker Worker <android-build-cherrypicker-worker@google.com> | 2022-06-02 12:45:54 +0000 |
| commit | 776b68cecb611abb16cce0bf7a02bb939d271e3a (patch) | |
| tree | e073fef85d9e4fbf95235cbacd949ace1006bc49 /server/RouteController.cpp | |
| parent | 8a03faaefe4858b848102ccb596b906e0194ef96 (diff) | |
Add app default local rule
Add an app default local rule prior to the VPN local route rule
to route the per app default local traffic.
If the route settings for the system default and the app default
overlap with each other, the traffic may be routed
unexpectedly because the VPN local rules do not contain the
UID range information, so they match before the app
default rule. Thus, add a default local rule prior to the
VPN local route rule to address the issue.
Sample rule after applying the change:
- App UID(99999)
- Default(iface0), app default(iface1), vpn(tun0)
25000: ... 0x0/0x10000 iif lo uidrange 99998-99999 lookup iface1_local
26000: ... 0x0/0x10000 iif lo lookup iface0_local
27000: ... 0x0/0x30000 iif lo uidrange 99997-99998 lookup tun0
28000: ... 0xffdf/0xffff lookup iface0
29000: ... 0x0/0xffff iif lo uidrange 99998-99999 lookup iface1
30000: ... 0x0/0xffff iif lo lookup iface0
Bug: 184750836
Test: cd system/netd ; atest
Change-Id: Ic092398a0d89b0104afcee8e1f22dfa93fa408ae
(cherry picked from commit 0d5ae9805b1dcad074dd171dca62d5e3893d6a72)
Merged-In: Ic092398a0d89b0104afcee8e1f22dfa93fa408ae
Diffstat (limited to 'server/RouteController.cpp')
| -rw-r--r-- | server/RouteController.cpp | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index d63dbd2e..ea8baea8 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -859,6 +859,13 @@ int RouteController::modifyPhysicalNetwork(unsigned netId, const char* interface
 subPriority, add)) {
 return ret;
 }
+
+ // Per-UID local network rules must always match per-app default network rules,
+ // because their purpose is to allow the UIDs to use the default network for
+ // local destinations within it.
+ if (int ret = modifyUidLocalNetworkRule(interface, range.start, range.stop, add)) {
+ return ret;
+ }
 }
 }
 }
@@ -906,6 +913,32 @@ int RouteController::modifyPhysicalNetwork(unsigned netId, const char* interface
 return 0;
 }
+int RouteController::modifyUidLocalNetworkRule(const char* interface, uid_t uidStart, uid_t uidEnd,
+ bool add) {
+ uint32_t table = getRouteTableForInterface(interface, true /* local */);
+ if (table == RT_TABLE_UNSPEC) {
+ return -ESRCH;
+ }
+
+ if ((uidStart == INVALID_UID) || (uidEnd == INVALID_UID)) {
+ ALOGE("modifyUidLocalNetworkRule, invalid UIDs (%u, %u)", uidStart, uidEnd);
+ return -EUSERS;
+ }
+
+ Fwmark fwmark;
+ Fwmark mask;
+
+ fwmark.explicitlySelected = false;
+ mask.explicitlySelected = true;
+
+ // Access to this network is controlled by UID rules, not permission bits.
+ fwmark.permission = PERMISSION_NONE;
+ mask.permission = PERMISSION_NONE;
+
+ return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_UID_LOCAL_ROUTES, table,
+ fwmark.intValue, mask.intValue, IIF_LOOPBACK, OIF_NONE, uidStart, uidEnd);
+}
+
 [[nodiscard]] static int modifyUidUnreachableRule(unsigned netId, uid_t uidStart, uid_t uidEnd, int32_t subPriority, bool add, bool explicitSelect) { |
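Review bot: In the first hunk, a failure of the new `modifyUidLocalNetworkRule` call on the add path returns with the per-UID default-network rule for the same range already installed, which contradicts the comment just above it that the two rules "must always match"; unless the caller unwinds partial state (not visible here), the failure branch should delete the default rule added a few lines earlier for that range before `return ret;`, or the comment should state that the pairing is best-effort and what the resulting routing is. An unpaired default rule is security-relevant because the UID range then keeps routing local-destination traffic through the system default and VPN local rules rather than its own app-default table, which is exactly the mis-routing this change is meant to prevent. The enclosing range loop and the body of modifyPhysicalNetwork both start and end outside the hunk, so the earlier add call and any cleanup path are not visible.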
