<feed xmlns='http://www.w3.org/2005/Atom'>
<title>platform_system_netd/client/NetdClient.cpp, branch master</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.
</subtitle>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/'/>
<entry>
<title>Provide a way to disable socket() and DNS lookups in libnetd_client.</title>
<updated>2020-06-24T11:46:20+00:00</updated>
<author>
<name>Luke Huang</name>
<email>huangluke@google.com</email>
</author>
<published>2020-06-16T11:14:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=c94b9c24f3732331cfe7bf71bdb6e4acc5b5e7eb'/>
<id>c94b9c24f3732331cfe7bf71bdb6e4acc5b5e7eb</id>
<content type='text'>
This is a Client-only solution.
  - Add to NetdClient a per-process std::atomic_boolean
    similar to netIdForProcess and netIdForResolv.
  - The boolean says whether the process should be
    allowed Internet connectivity.
  - Add an @hide method to NetUtils.java to set the boolean;
    call it from the initialization code of the new
    process just after forking from zygote.
  - Make netdClientSocket and dnsOpenProxy check the
    boolean. If the boolean is false, return EPERM from
    socket calls.

Bug: 150028556
Test: atest netd_integration_test
Test: atest CtsAppSecurityHostTestCases:UseProcessTest
(clean cherry-pick from internal branch)
Merged-In: Ic697afd284ba250e56bd9492241452762da15770
Change-Id: Ic697afd284ba250e56bd9492241452762da15770
</content>
</entry>
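<![CDATA[
The per-process gate that the commit message above describes, as an added example; this is not libnetd_client's own code. It assumes the names setAllowNetworkingForProcess, netdClientSocket and dnsOpenProxy, a swappable pointer to the real socket(2) standing in for the hook bionic installs, and restricts the EPERM gate to AF_INET/AF_INET6 so that local IPC sockets keep working in a process denied Internet connectivity (a design choice made here, not stated in the commit).

```cpp
// Added illustration, not libnetd_client's code: a per-process gate that denies
// Internet sockets and the resolver proxy with EPERM, as the commit message
// describes. Names (setAllowNetworkingForProcess, the swappable socket hook)
// and the decision to gate only AF_INET/AF_INET6 are assumptions made here.
#include <atomic>
#include <cerrno>
#include <cstring>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

namespace netdclient_example {

// Per-process flag, like netIdForProcess/netIdForResolv. Defaults to "allowed";
// the freshly forked child flips it before it runs any app code.
static std::atomic_bool allowNetworkingForProcess{true};

// Pointer to the real socket(2). libnetd_client is handed libc's function by bionic
// and installs its shim in front of it; here the pointer is swappable for tests.
using SocketFn = int (*)(int, int, int);
static SocketFn libcSocket = ::socket;

void setAllowNetworkingForProcess(bool allow) {
    allowNetworkingForProcess.store(allow, std::memory_order_relaxed);
}
void setLibcSocketForTest(SocketFn fn) { libcSocket = fn; }
void resetLibcSocket() { libcSocket = ::socket; }

// Only Internet families are gated, so local IPC (AF_UNIX, AF_NETLINK) keeps
// working in a process that is denied connectivity.
static bool isInternetFamily(int domain) { return domain == AF_INET || domain == AF_INET6; }

// The socket() shim: refuse with EPERM instead of handing out an Internet-capable fd.
int netdClientSocket(int domain, int type, int protocol) {
    if (isInternetFamily(domain) && !allowNetworkingForProcess.load(std::memory_order_relaxed)) {
        errno = EPERM;
        return -1;
    }
    return libcSocket(domain, type, protocol);
}

// Opening the dnsproxyd client socket is gated the same way, so DNS lookups, which
// never create an AF_INET socket in the app process, are blocked as well.
int dnsOpenProxy() {
    if (!allowNetworkingForProcess.load(std::memory_order_relaxed)) {
        errno = EPERM;
        return -1;
    }
    int fd = ::socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    sockaddr_un addr{};
    addr.sun_family = AF_UNIX;
    std::strncpy(addr.sun_path, "/dev/socket/dnsproxyd", sizeof(addr.sun_path) - 1);
    if (::connect(fd, reinterpret_cast<const sockaddr*>(&addr), sizeof(addr)) != 0) {
        int saved = errno;  // report the connect() error, not close()'s
        ::close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

}  // namespace netdclient_example
```

The flag is read with a relaxed load because a single boolean needs no ordering with other memory; what matters is that the zygote child sets it before any app code can call socket(). Note that the gate is client-side only: a process that bypasses libc (direct syscalls, or a statically linked binary) is not stopped by it.
]]>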
<entry>
<title>Separate header target for DnsResolver from libnetd_client_header</title>
<updated>2020-05-31T01:32:42+00:00</updated>
<author>
<name>Luke Huang</name>
<email>huangluke@google.com</email>
</author>
<published>2020-05-26T09:21:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=743e031f6118343760f550678e8d1082e2c56793'/>
<id>743e031f6118343760f550678e8d1082e2c56793</id>
<content type='text'>
0. Move NETID_USE_LOCAL_NAMESERVERS definition to DnsResolver
1. Create libnetdbinder_utils shared to DnsResolver
2. Use dnsproxyd_protocol_headers for NETID_USE_LOCAL_NAMESERVERS

Bug: 151895202
Test: build
Change-Id: I5315f5214bc7cd399e878b96a06f486dc8e4b874
Merged-In: I5315f5214bc7cd399e878b96a06f486dc8e4b874
</content>
</entry>
<entry>
<title>netdClient - use constant instead of hardcoding it again</title>
<updated>2020-04-21T22:29:44+00:00</updated>
<author>
<name>Maciej Żenczykowski</name>
<email>maze@google.com</email>
</author>
<published>2020-04-03T00:05:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=815b68811c17c4bab8d20e9e3af0677ad757b390'/>
<id>815b68811c17c4bab8d20e9e3af0677ad757b390</id>
<content type='text'>
Test: builds
Bug: 77870037
Signed-off-by: Maciej Żenczykowski &lt;maze@google.com&gt;
Change-Id: I50d842ffb80ad6f0b2176269305f2fb02393b325
</content>
</entry>
<entry>
<title>netdclient - attempt to eliminate spurious netd selinux denials on unix_stream_sockets</title>
<updated>2020-04-02T14:42:06+00:00</updated>
<author>
<name>Maciej Żenczykowski</name>
<email>maze@google.com</email>
</author>
<published>2020-04-02T10:05:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=3e5b166512c7da1fcbb4b42fa908c3ad0b5eb850'/>
<id>3e5b166512c7da1fcbb4b42fa908c3ad0b5eb850</id>
<content type='text'>
This should hopefully fix for example:
  avc: denied { read write } for comm="netd" path="socket:[1580915]" dev="sockfs" ino=1580915 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0

Make sure protectFromVpn() only passes AF_INET/AF_INET6 sockets to netd.

Let us make sure that we pass real AF_INET/AF_INET6 sockets to netd
from sendmmsg/sendmsg/sendto - the type of the socket when erroneously
used by an app might not necessarily match the address family of the
passed-in sockaddr, i.e. sendto(AF_LOCAL_socket, AF_INET_sockaddr)

Note that this also means these system calls will now honour the
'ANDROID_NO_USE_FWMARK_CLIENT' env variable for euid=0 processes.

While we're at it also add some missing parentheses in a macro.

Test: build, atest netdclient_test
Bug: 77870037
Change-Id: I1040838950d363f08a02593e9b669fec31fa847b
</content>
</entry>
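<![CDATA[
The family check described in the commit message above, as an added example that is not netd's code. It classifies a socket by what the kernel reports through SO_DOMAIN (Linux-only) rather than by the sockaddr the app supplied, shows the sendto(AF_LOCAL socket, AF_INET sockaddr) case side by side with the old classification, and also models the euid=0 opt-out via ANDROID_NO_USE_FWMARK_CLIENT that this entry and the later "Fix kernel net tests fail in user build" entry mention. Function names are assumptions.

```cpp
// Added illustration, not netd's code: forward a socket operation to netd only when
// the kernel says the socket is AF_INET/AF_INET6, instead of trusting the sockaddr
// the app passed to sendto()/sendmsg(). Also models the euid==0 opt-out via the
// ANDROID_NO_USE_FWMARK_CLIENT environment variable. Linux-only (SO_DOMAIN);
// function names are assumptions.
#include <cerrno>
#include <cstdlib>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

namespace fwmark_example {

static const char* kBypassEnv = "ANDROID_NO_USE_FWMARK_CLIENT";

// Families netd can mark. AF_UNIX/AF_NETLINK/... are not, and handing netd such a
// descriptor is what produced the unix_stream_socket SELinux denial in the message.
bool isSupportedFamily(int family) { return family == AF_INET || family == AF_INET6; }

// The socket's real domain as the kernel records it, or -errno (e.g. -EBADF).
int socketDomain(int fd) {
    int domain = 0;
    socklen_t len = sizeof(domain);
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) != 0) return -errno;
    return domain;
}

// Old behaviour the commit moves away from: classify by the caller-supplied sockaddr.
// sendto(AF_LOCAL socket, AF_INET sockaddr) says "yes" here, which is the bug.
bool wouldForwardBySockaddr(const sockaddr* addr, socklen_t addrlen) {
    return addr != nullptr && addrlen >= sizeof(sa_family_t) && isSupportedFamily(addr->sa_family);
}

// New behaviour: classify by the socket itself. euid/envValue are parameters so the
// root-only bypass can be exercised without running as root.
bool shouldSetFwmark(int fd, uid_t euid, const char* envValue) {
    int domain = socketDomain(fd);
    if (domain < 0 || !isSupportedFamily(domain)) return false;
    // Root processes (e.g. kernel net tests) may opt out of system routing per process
    // by setting the env flag; other root processes are unaffected.
    if (euid == 0 && envValue != nullptr) return false;
    return true;
}

// Production wrapper reading the process's own euid and environment.
bool shouldSetFwmark(int fd) { return shouldSetFwmark(fd, geteuid(), std::getenv(kBypassEnv)); }

}  // namespace fwmark_example
```

The point of keying on SO_DOMAIN is that the descriptor, not the address argument, is what crosses into netd: an app can pass any sockaddr it likes, but it cannot lie about what kind of socket the fd refers to.
]]>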
<entry>
<title>Pass connectInfo only if ro.vendor.redirect_socket_calls is set</title>
<updated>2020-02-26T13:31:04+00:00</updated>
<author>
<name>Ken Chen</name>
<email>cken@google.com</email>
</author>
<published>2020-02-21T08:30:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=89863936e13f39108485029ca6c6b65f24c162c9'/>
<id>89863936e13f39108485029ca6c6b65f24c162c9</id>
<content type='text'>
There is a dependency between libnetd_client and netd. netd checks the
size of each FwmarkCommand. An earlier-built netd does not expect that the
ON_CONNECT command from libnetd_client includes connectInfo, which causes
connect() to fail in the combination of new libnetd_client + old netd. With
this commit, ON_CONNECT passes connectInfo only if the OEM sets the
property ro.vendor.redirect_socket_calls. It is the OEM's responsibility to
ensure that the property is set only on platforms whose netd can
support connectInfo in the ON_CONNECT command.

Minor changes:
1. Remove length protection on property retrieval.
   __system_property_get() has built-in length protection; there is no need to
   append a null character.
2. Refactor some code with a macro.

Bug: 141611769
Bug: 150126287
Test: atest
Test: ./art/tools/run-libcore-tests.sh w/ current and earlier netd, pass
Test: ./art/tools/run-libjdwp-tests.sh w/ current and earlier netd, pass
Change-Id: I90ecba761effa0a5bc403876b9c3de8e77038232
</content>
</entry>
<entry>
<title>Revert "Revert "Netd callbacks for socket calls in Bionic""</title>
<updated>2020-02-26T13:11:03+00:00</updated>
<author>
<name>Ken Chen</name>
<email>cken@google.com</email>
</author>
<published>2020-02-25T18:05:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=22e5fb8014a304b199f7599504d3dc0a950dcff3'/>
<id>22e5fb8014a304b199f7599504d3dc0a950dcff3</id>
<content type='text'>
This reverts commit 6832af896548f1fa7f51546e1f16ad3f7ff4a2ba.

Reason for revert: fix is ready

Bug: 141611769
Change-Id: Ib36ea5df45bc6d161ea8367e2332f631ea784988
</content>
</entry>
<entry>
<title>Revert "Netd callbacks for socket calls in Bionic"</title>
<updated>2020-02-24T15:40:23+00:00</updated>
<author>
<name>Nicolas Geoffray</name>
<email>ngeoffray@google.com</email>
</author>
<published>2020-02-24T15:40:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=6832af896548f1fa7f51546e1f16ad3f7ff4a2ba'/>
<id>6832af896548f1fa7f51546e1f16ad3f7ff4a2ba</id>
<content type='text'>
This reverts commit f24eb88d055ca799d71d99d6ba87f9ebaee0a845.

Bug: 141611769

Reason for revert: Reverting to unbreak ART team continuous testing breakages:

From Ken:
I probably know what's going wrong. The patch did have a platform dependency on netd.

Change-Id: Ic931464d9a6e138291297e1c0b3184e709b3ab6d
</content>
</entry>
<entry>
<title>Netd callbacks for socket calls in Bionic</title>
<updated>2020-02-19T11:15:35+00:00</updated>
<author>
<name>Praveen Moongalam Thyagarajan</name>
<email>p.thyagarajan@samsung.com</email>
</author>
<published>2019-12-18T19:59:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=f24eb88d055ca799d71d99d6ba87f9ebaee0a845'/>
<id>f24eb88d055ca799d71d99d6ba87f9ebaee0a845</id>
<content type='text'>
Netd callbacks for socket calls sendto(), sendmsg()
and sendmmsg(). It's controlled by two system properties:

[1] ro.vendor.redirect_socket_calls set once in vendor_init context,
read by libnetd_client. It determines if socket calls are shimmed.

[2] net.redirect_socket_calls.hooked set by System Server, read by
shimmed functions. It determines if shimmed functions dispatch
FwmarkCommands.

Bug: 141611769

Change-Id: I3b4a613469bb2b6c9673219217dab121cf392cd5
</content>
</entry>
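<![CDATA[
An added example, not netd's or libnetd_client's code, that models both the two property gates in the entry above and the ON_CONNECT length problem in the earlier "Pass connectInfo only if ro.vendor.redirect_socket_calls is set" entry: a client that appends connectInfo only when the vendor property says the platform's netd understands it, and a netd-side length check that shows why an older netd rejects the longer message. The struct layouts, function names, the rule that a newer netd accepts either length, and the pluggable property getter (standing in for __system_property_get(), which exists only on Android) are all assumptions.

```cpp
// Added illustration, not netd's or libnetd_client's code. Models the two property
// gates from "Netd callbacks for socket calls in Bionic" and the ON_CONNECT size
// compatibility problem from "Pass connectInfo only if ro.vendor.redirect_socket_calls
// is set". Struct layouts, names and the property reader are simplified assumptions;
// __system_property_get() exists only on Android, so a pluggable getter stands in.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
#include <sys/socket.h>

namespace fwmark_compat_example {

static const char* kShimProp = "ro.vendor.redirect_socket_calls";    // set once by vendor_init
static const char* kHookedProp = "net.redirect_socket_calls.hooked";  // set by system_server

using PropertyGetter = std::string (*)(const char* name);

static bool propIsTrue(const std::string& v) { return v == "1" || v == "true"; }

// Decided once at library load: are sendto/sendmsg/sendmmsg shimmed at all?
bool socketCallsShimmed(PropertyGetter getProp) { return propIsTrue(getProp(kShimProp)); }

// Decided per call inside the shim: does it actually dispatch a FwmarkCommand?
bool shimDispatches(PropertyGetter getProp) {
    return socketCallsShimmed(getProp) && propIsTrue(getProp(kHookedProp));
}

// Simplified wire format of the fwmark control socket.
struct FwmarkCommand {
    enum CmdId : int32_t { ON_ACCEPT, ON_CONNECT, ON_CONNECT_COMPLETE, ON_SENDMSG };
    CmdId cmdId;
    uint32_t netId;
    uint32_t uid;
    int32_t trafficCtrlInfo;
};

struct FwmarkConnectInfo {
    int32_t error;
    uint32_t latencyMs;
    sockaddr_storage addr;
};

// Client side: ON_CONNECT carries connectInfo only when the OEM asserts, via the
// read-only vendor property, that the platform's netd understands the longer message.
std::vector<uint8_t> buildOnConnect(uint32_t netId, uint32_t uid,
                                    const FwmarkConnectInfo& info, PropertyGetter getProp) {
    FwmarkCommand cmd{FwmarkCommand::ON_CONNECT, netId, uid, 0};
    std::vector<uint8_t> msg(sizeof(cmd));
    std::memcpy(msg.data(), &cmd, sizeof(cmd));
    if (socketCallsShimmed(getProp)) {
        msg.resize(sizeof(cmd) + sizeof(info));
        std::memcpy(msg.data() + sizeof(cmd), &info, sizeof(info));
    }
    return msg;
}

// Server side: netd validates the datagram length before touching it.
// An older netd knows only the bare command; a newer one also accepts the
// command followed by connectInfo (assumption for this model).
bool netdAccepts(const std::vector<uint8_t>& msg, bool netdSupportsConnectInfo) {
    if (msg.size() < sizeof(FwmarkCommand)) return false;
    FwmarkCommand cmd;
    std::memcpy(&cmd, msg.data(), sizeof(cmd));
    const size_t bare = sizeof(FwmarkCommand);
    const size_t withInfo = bare + sizeof(FwmarkConnectInfo);
    if (msg.size() == bare) return true;
    return netdSupportsConnectInfo && cmd.cmdId == FwmarkCommand::ON_CONNECT && msg.size() == withInfo;
}

}  // namespace fwmark_compat_example
```

The mismatch is purely a length check: the old daemon compares the datagram size against sizeof(FwmarkCommand) and drops anything else, so a client that unconditionally appends connectInfo breaks every connect() on that platform. Gating on a read-only vendor property keeps the decision with the party that ships netd.
]]>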
<entry>
<title>Fix kernel net tests fail in user build</title>
<updated>2019-07-10T03:47:17+00:00</updated>
<author>
<name>markchien</name>
<email>markchien@google.com</email>
</author>
<published>2019-07-02T08:20:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=3a976373fa2ccedc595c678f7e02362fb430eb08'/>
<id>3a976373fa2ccedc595c678f7e02362fb430eb08</id>
<content type='text'>
Before this change, system routing could only be bypassed by a
debug-build process. This change lets a process running as root
bypass system routing if it has a specific env flag. In other
words, other processes owned by root are not affected if they
don't set the specific env flag.

Bug: 135422468
Test: run vts -m VtsKernelNetTest in both user and eng build
Change-Id: I39d0b0141ef51c6f16052ffc785d1d2f523cf11f
Merged-In: I39d0b0141ef51c6f16052ffc785d1d2f523cf11f
</content>
</entry>
<entry>
<title>Make getdnsnetid returning app_netId instead of dns_netId and fix nits</title>
<updated>2019-05-30T08:33:19+00:00</updated>
<author>
<name>Luke Huang</name>
<email>huangluke@google.com</email>
</author>
<published>2019-05-25T10:24:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=63df94810631106480f46e3d0b1c2dd1bd2fdd1a'/>
<id>63df94810631106480f46e3d0b1c2dd1bd2fdd1a</id>
<content type='text'>
1. The getdnsnetid command returns app_netId instead of dns_netId.
2. fix nits for ag/7691940
3. Add more tests

Bug: 129530368
Test: built, flashed, booted
          system/netd/tests/runtests.sh

Change-Id: Ifd1345e1124088179e38346e3693957a8b5ef63b
</content>
</entry>
</feed>
