| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Test: m; flash; boot
Test: atest FirewallControllerTest
Change-Id: If9e03b3094819b6431b51658221c3528a0293b0e
|
| |
|
|
|
|
|
|
|
|
| |
FirewallControllerTest.
Delete TestReplaceAllowlistUidRule, TestReplaceDenylistUidRule and
TestDiscoverMaximumValidUid from test cases because they call the
function makeUidRules() which run non-bpf codes.
Change-Id: I7e423efc5e3a9885a15e1616a9b6e738ead1c146
|
| |
|
|
|
|
|
|
| |
The test sets member variable mUseBpfOwnerMatch as false.
It calls the function enableChildChains() and not runs eBPF code path.
It is used to test forming iptable rules.
Change-Id: I3153add4cda11b7cdaabeac062f348e0901b03b5
|
| |
|
|
|
|
|
|
| |
All tests set member variable mUseBpfOwnerMatch as false.
They call the function setUidRule() and not run eBPF code path.
In all tests they are used to test forming iptable rules.
Change-Id: I31426a73cda282a222e3ce5f71a7c3a318788ee2
|
| |
|
|
|
|
|
|
|
|
| |
Both tests set member variable mUseBpfOwnerMatch as false.
They call the function createChain() and not run eBPF code path.
In both tests they are used to test forming iptable rules.
Test: m; flash; boot
Test: atest FirewallControllerTest
Change-Id: I4a95277903f11a0db8943518a21f34f674113d0c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Doing so is obviously invalid, and certain carriers will tear
down the connection if such packets are sent on their network.
This is done by adding an ip6tables rule to fw_OUTPUT that drops
all packets with a non-lo egress interface and a source of ::1.
Test: boot device, "adb root && adb shell ip6tables-save | egrep fw_OUTPUT"
Bug: 190368103
Bug: 198896920
Bug: 203096965
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifb272d48705ba756ccd7bac806e4dc2dd7488cd5
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename these to allowlist and denylist.
This change is mostly automatically generated with:
sed -i 's/WHITE/ALLOW/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/white/allow/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/BLACK/DENY/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/black/deny/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/White/Allow/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/Black/Deny/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
plus manual changes to FirewallController.h and NdcDispatcher.cpp
to make them continue to use INetd::FIREWALL_WHITELIST and
INetd::FIREWALL_BLACKLIST.
INetd (and FIREWALL_WHITELIST and FIREWALL_BLACKLIST) are not
being fixed in this change because doing so would require
changing frozen AIDL files, which is a more complex undertaking.
Also manually change occurrences in the test.
Finally, fix some formatting errors found by clang-format, and
some errors such as "a allowlist" (should be "an allowlist") or`
"allowspace" (should be "whitespace").
Bug: 161896447
Test: atest netd_unit_test netd_integration_test
Test: crosshatch builds, boots, no IptablesRestoreController errors in logs
Change-Id: I3f5b864686651134a50e90b28fc9914bfa3f9a8e
|
| |
|
|
|
|
| |
Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I422a74e7a6f44259bb5f0c7a88222328e432c35b
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of return boolean, bpf support check now returns a integer
represent the current bpf level on device. This level is used to decide
if the device support some advanced bpf feature such as map_in_map and
bpf cgroup socket filter. Delete the binder call for bpf status check
since no one is using it.
Bug: 111441138
Test: libnetdbpf_test, netd_integration_test
Change-Id: Ib70c07647ffe491d493b4582b4b4b0eba7caf3a9
|
| |
|
|
|
| |
Test: tests/runtests.sh
Change-Id: If59480cee6460847f5c1cef17e3ef036b8e75651
|
| |
|
|
|
|
|
| |
Test: built, flashed, booted
system/netd/tests/runtests.sh passes
Change-Id: I0fcf6ac4e5d96cbf63d6752bee7202cdef940e82
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch gives the capability to FirewallController to discover the
maximum valid uid in the user namespace in which netd is currently
running, and uses that value in the whitelist uid rules.
This is done by parsing the content of /proc/self/uid_map as explained
in the man page of 'user_namespaces'.
On the default root namespace the maximum uid is expected to be
UINT32_MAX - 1, but this assumption is incorrect in other user
namespaces created for instance for container environments.
The uid mapping is de facto constant from within the user namespace and
cannot be modified from inside (more precisely uid_map and gid_map proc
files can only be written once each for a new user namespacE).
netd makes the assumption that the uid mapping stays constant, meaning
it is a bug if the host namespace tries to remap uids after netd starts.
Bug: 110459356
Test: - built,
- flashed and booted a marlin, 'fw_powersave' rule is as expected
- flashed and booted ARC++ container, 'fw_powersave' rule is as
expected
- new unit tests pass
Change-Id: I44a885c34e174b0067848b860be8d7b8f3e83296
|
| |
|
|
|
|
|
|
|
|
| |
Add bpf maps for recording rules about socket owner uid filtering.
Modified the bpf program so that packets with uid listed in the
the uidOwnerMap will get handled according to userspace settings
Test: bpf program can be loaded and attached when boot
Bug: 72381727 30950746
Change-Id: I39497334fcb5e200dbf07a0046b85c227d59e2d7
|
| |
|
|
|
|
|
|
|
|
|
| |
Add some firewall rules to allow doze mode packets to be sent/received
on ESP & no-socket packets. No-socket packets are no security risk
because they are either forwarded, going to be forwarded, or will be
dropped at routing tables (unless they are ESP).
Bug: 62994731
Test: New tests added, run
Change-Id: I2d8704498b564403d94123e4938091dee8fb98c1
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This code currently has no callers, but it is the only remaining
user of iptables in FirewallController. Move it to
iptables-restore and delete support for iptables commands from
the class.
Bug: 28362720
Test: unit tests pass
Test: adb shell ndc firewall set_interface_rule rmnet_data0 <allow|deny>
Change-Id: I0a934283ca4479f870139d1ecf90096ae59eb19d
|
| |
|
|
|
|
| |
Bug: 28362720
Test: new unit test passes
Change-Id: I29c2272458b5fda46d2fc110663e01841b2e895b
|
| |
|
|
|
|
| |
Bug: 28362720
Test: netd_{unit,integration}_test pass
Change-Id: I7c3ddf0812f40124ac83f36d3fd3a8c595ce5472
|
| |
|
|
|
|
| |
Bug: 28362720
Test: new unit test passes
Change-Id: If15a46e98318d8f10acd860f00547048027c7d0a
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This saves 100-200ms on boot.
(cherry picked from commit 0b64071d1326214b83e7dfb90701a4ee14ab6036)
Bug: 37641280
Test: marlin builds and boots
Test: new unit test passes
Test: netd_{unit,integration}_test pass
Test: fw_dozable added/removed from fw_INPUT/fw_OUTPUT on "adb shell dumpsys deviceidle <force-idle|unforce>"
Change-Id: Iaa8daba011cf187d07526b2b85f9e9aba83adf4f
Merged-In: Iabd2fa6ea260495feee3335b1605f3699b1722c5
|
| |
|
|
|
|
|
|
|
|
|
| |
(cherry picked from commit d352b5ec74c63d02aefb530743d33121607f215e)
Bug: 37641280
Test: marlin builds and boots
Test: new unit test passes
Test: netd_{unit,integration}_test pass
Change-Id: Ie39a6eac1707e4a1b085a02c2c7b1976806f4c0c
Merged-In: I6fb056abeb45ab1fc2bc45bcf2d8f9a95114b1d9
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently FirewallController::replaceUidChain uses the same
layout when building whitelist and blacklist chains: first it
writes the exception rules (e.g., system apps, RST packets,
ICMPv6 packets, etc.), and then the UIDs in the chain.
This works, but it looks strange because unlike whitelist chains,
insertion into whitelist chains always happens at the front of
the chain. Make whitelist chains start with the UIDs, so that
when UIDs are added at the beginning, they are contiguous to the
UIDs that are already there.
Bug: 32073253
Test: netd_{unit,integration}_test passes
Test: bullhead builds, boots
Test: fw_powersave chain looks sane
Change-Id: I8a0ac7a33604455171b56e1d503cfe028a37a062
|
| |
|
|
|
|
|
|
|
| |
Bug: 32073253
Test: netd_{unit,integration}_test passes
Test: bullhead builds, boots
Test: fw_powersave chain correctly updated when updating battery optimization whitelist
Test: fw_powersave chain correctly updated when bringing apps into foreground
Change-Id: I964b7664718f353057047c66e69351169b5cf453
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://android-review.googlesource.com/#/c/294359/ attempted to
allow networking on loopback, but actually does not do anything
because no packet has both -i lo and -o lo: loopback packets have
-i lo in INPUT and -o lo in OUTPUT.
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
Test: originated and received traffic is not matched by new rules
Bug: 34444781
Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FirewallController::createChain runs iptables commands to remove
the newly-created chain from fw_INPUT. This is not necessary,
because createChain is only called from setupIptablesHooks, which
is only called immediately after initIptablesRules, which clears
fw_INPUT. So there is nothing to delete.
Removing these unnecessary commands speeds up netd startup by
~150ms. Before:
02-03 18:51:40.075 492 492 I Netd : Setting up FirewallController hooks: 159.9ms
After:
02-03 18:45:22.005 489 489 I Netd : Setting up FirewallController hooks: 11.3ms
Bug: 34873832
Test: unit tests continue to pass
Change-Id: I651d96a71c98d6aba989927cd23036d5cc371dd7
|
| |
|
|
|
|
|
|
| |
Restricting networking on loopback is needlessly restrictive
because it doesn't have substantial power impact.
Bug: 30186506
Change-Id: Ibe31aff7c43ae02821fdf4a00b600fb5f5f5bc30
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This has two benefits:
1. It makes the behaviour of setting firewall chains via the
firewallReplaceUidChain RPC match the behaviour of creating
the chains on boot. (As a side effect, it reduces code
duplication between the two.)
2. It makes creating firewall chains on boot use iptables-restore,
which is substantially faster than running iptables commands
one at a time.
This CL will allow the framework to switch to using
firewallReplaceUidChain when the framework starts, providing
substantial speedups over the current behaviour of running two
iptables commands for every app that is whitelisted or idle.
Bug: 26675191
Change-Id: Ifbd15bf9143efd526570dde8f88effc79d164630
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The behaviour of the firewallReplaceUidChain was incorrect in
several ways:
1. It was missing the "always allow TCP RST packets" rules which
were added in http://ag/963000 .
2. It included a RETURN statement at the end of blacklist chains,
which is superfluous since all user-defined chains implicitly
return, and became incorrect when http://ag/963000 switched the
behaviour of blacklist chains from inserting new rules at the
beginning to appending them at the end.
3. It was missing the rules to allow the types of ICMPv6 packets
that are critical in maintaining connectivity.
By itself, this change is a no-op since nothing currently calls
firewallReplaceUidRule.
Bug: 26675191
Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb
|
| |
|
|
|
|
|
|
| |
This allows us to cleanly close apps' TCP connections when we
remove their network connectivity.
Bug: 27824851
Change-Id: I69ae0e860536139d30d14d580a36c82f79dc2f82
|
|
|
Also add a binder_test that exercises binder RPCs to the real
netd service running on the device
Bug: 21725996
Bug: 27239233
Change-Id: Ic83d81605021a0578d6cd32f889290be61d76125
|
