Android-x86
Fork
Donation

  • R/O
  • HTTP
  • SSH
  • HTTPS

system-netd: Commit

system/netd


Commit MetaInfo

Revision5a4b04582613bdd0cbcf679d7e95f977256c2fb9 (tree)
Time2018-02-13 12:25:25
AuthorChih-Wei Huang <cwhuang@linu...>
CommiterChih-Wei Huang

Log Message

Merge remote-tracking branch 'lineage/cm-14.1' into cm-14.1-x86

Conflicts:
server/RouteController.cpp

Change Summary

Incremental Difference

--- a/server/PhysicalNetwork.cpp
+++ b/server/PhysicalNetwork.cpp
@@ -83,6 +83,18 @@ int PhysicalNetwork::destroySocketsLackingPermission(Permission permission) {
8383 return 0;
8484 }
8585
86+void PhysicalNetwork::invalidateRouteCache(const std::string& interface) {
87+ for (const auto& dst : { "0.0.0.0/0", "::/0" }) {
88+ // If any of these operations fail, there's no point in logging because RouteController will
89+ // have already logged a message. There's also no point returning an error since there's
90+ // nothing we can do.
91+ (void) RouteController::addRoute(interface.c_str(), dst, "throw",
92+ RouteController::INTERFACE);
93+ (void) RouteController::removeRoute(interface.c_str(), dst, "throw",
94+ RouteController::INTERFACE);
95+ }
96+}
97+
8698 int PhysicalNetwork::setPermission(Permission permission) {
8799 if (permission == mPermission) {
88100 return 0;
@@ -100,6 +112,7 @@ int PhysicalNetwork::setPermission(Permission permission) {
100112 interface.c_str(), mNetId, mPermission, permission);
101113 return ret;
102114 }
115+ invalidateRouteCache(interface);
103116 }
104117 if (mIsDefault) {
105118 for (const std::string& interface : mInterfaces) {
--- a/server/PhysicalNetwork.h
+++ b/server/PhysicalNetwork.h
@@ -47,6 +47,7 @@ private:
4747 int addInterface(const std::string& interface) override WARN_UNUSED_RESULT;
4848 int removeInterface(const std::string& interface) override WARN_UNUSED_RESULT;
4949 int destroySocketsLackingPermission(Permission permission);
50+ void invalidateRouteCache(const std::string& interface);
5051
5152 Delegate* const mDelegate;
5253 Permission mPermission;
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -86,6 +86,14 @@ const uint16_t NETLINK_CREATE_REQUEST_FLAGS = NETLINK_REQUEST_FLAGS | NLM_F_CREA
8686
8787 const sockaddr_nl NETLINK_ADDRESS = {AF_NETLINK, 0, 0, 0};
8888
89+// None of our routes specify priority, which causes them to have the default
90+// priority. For throw routes, we use a fixed priority of 100000. This is
91+// because we use throw routes either for maximum-length routes (/32 for IPv4,
92+// /128 for IPv6), which we never create with any other priority, or for
93+// purposely-low-priority default routes that should never match if there is
94+// any other route in the table.
95+uint32_t PRIO_THROW = 100000;
96+
8997 const uint8_t AF_FAMILIES[] = {AF_INET, AF_INET6};
9098
9199 const char* const IP_VERSIONS[] = {"-4", "-6"};
@@ -119,6 +127,7 @@ rtattr FRATTR_UID_RANGE = { U16_RTA_LENGTH(sizeof(fib_rule_uid_range)), FRA_UID_
119127
120128 rtattr RTATTR_TABLE = { U16_RTA_LENGTH(sizeof(uint32_t)), RTA_TABLE };
121129 rtattr RTATTR_OIF = { U16_RTA_LENGTH(sizeof(uint32_t)), RTA_OIF };
130+rtattr RTATTR_PRIO = { U16_RTA_LENGTH(sizeof(uint32_t)), RTA_PRIORITY };
122131
123132 uint8_t PADDING_BUFFER[RTA_ALIGNTO] = {0, 0, 0, 0};
124133
@@ -410,6 +419,8 @@ WARN_UNUSED_RESULT int modifyIpRoute(uint16_t action, uint32_t table, const char
410419 }
411420 }
412421
422+ bool isDefaultThrowRoute = (type == RTN_THROW && prefixLength == 0);
423+
413424 // Assemble a rtmsg and put it in an array of iovec structures.
414425 rtmsg route = {
415426 .rtm_protocol = RTPROT_STATIC,
@@ -433,6 +444,8 @@ WARN_UNUSED_RESULT int modifyIpRoute(uint16_t action, uint32_t table, const char
433444 { &ifindex, interface != OIF_NONE ? sizeof(ifindex) : 0 },
434445 { &rtaGateway, nexthop ? sizeof(rtaGateway) : 0 },
435446 { rawNexthop, nexthop ? static_cast<size_t>(rawLength) : 0 },
447+ { &RTATTR_PRIO, isDefaultThrowRoute ? sizeof(RTATTR_PRIO) : 0 },
448+ { &PRIO_THROW, isDefaultThrowRoute ? sizeof(PRIO_THROW) : 0 },
436449 };
437450
438451 uint16_t flags = (action == RTM_NEWROUTE) ? NETLINK_CREATE_REQUEST_FLAGS :
@@ -586,8 +599,7 @@ WARN_UNUSED_RESULT int modifyOutputInterfaceRules(const char* interface, uint32_
586599 // This is for sockets that have not explicitly requested a particular network, but have been
587600 // bound to one when they called connect(). This ensures that sockets connected on a particular
588601 // network stay on that network even if the default network changes.
589-WARN_UNUSED_RESULT int modifyImplicitNetworkRule(unsigned netId, uint32_t table,
590- Permission permission, bool add) {
602+WARN_UNUSED_RESULT int modifyImplicitNetworkRule(unsigned netId, uint32_t table, bool add) {
591603 Fwmark fwmark;
592604 Fwmark mask;
593605
@@ -597,8 +609,8 @@ WARN_UNUSED_RESULT int modifyImplicitNetworkRule(unsigned netId, uint32_t table,
597609 fwmark.explicitlySelected = false;
598610 mask.explicitlySelected = true;
599611
600- fwmark.permission = permission;
601- mask.permission = permission;
612+ fwmark.permission = PERMISSION_NONE;
613+ mask.permission = PERMISSION_NONE;
602614
603615 return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_IMPLICIT_NETWORK, table,
604616 fwmark.intValue, mask.intValue);
@@ -762,7 +774,31 @@ WARN_UNUSED_RESULT int modifyPhysicalNetwork(unsigned netId, const char* interfa
762774 add)) {
763775 return ret;
764776 }
765- return modifyImplicitNetworkRule(netId, table, permission, add);
777+
778+ // Only set implicit rules for networks that don't require permissions.
779+ //
780+ // This is so that if the default network ceases to be the default network and then switches
781+ // from requiring no permissions to requiring permissions, we ensure that apps only use the
782+ // network if they explicitly select it. This is consistent with destroySocketsLackingPermission
783+ // - it closes all sockets on the network except sockets that are explicitly selected.
784+ //
785+ // The lack of this rule only affects the special case above, because:
786+ // - The only cases where we implicitly bind a socket to a network are the default network and
787+ // the bypassable VPN that applies to the app, if any.
788+ // - This rule doesn't affect VPNs because they don't support permissions at all.
789+ // - The default network doesn't require permissions. While we support doing this, the framework
790+ // never does it (partly because we'd end up in the situation where we tell apps that there is
791+ // a default network, but they can't use it).
792+ // - If the network is still the default network, the presence or absence of this rule does not
793+ // matter.
794+ //
795+ // Therefore, for the lack of this rule to affect a socket, the socket has to have been
796+ // implicitly bound to a network because at the time of connect() it was the default, and that
797+ // network must no longer be the default, and must now require permissions.
798+ if (permission == PERMISSION_NONE) {
799+ return modifyImplicitNetworkRule(netId, table, add);
800+ }
801+ return 0;
766802 }
767803
768804 WARN_UNUSED_RESULT int modifyRejectNonSecureNetworkRule(const UidRanges& uidRanges, bool add) {
Show on old repository browser