path: root/server/NetdNativeService.h
author: Rubin Xu <rubinxu@google.com> 2019-01-08 21:33:03 +0000
committer: Rubin Xu <rubinxu@google.com> 2019-04-11 16:01:00 +0100
commit: ec27ff2610dc4f3db5f5b40131737cb6d93b6552 (patch)
tree: 5b971e3d8f1996016a5bfbb088f575241ec01b71 /server/NetdNativeService.h
parent: 54b616f335e0c34abbf1b6a85184e03f99a107f0 (diff)
Block incoming non-VPN packets to apps under fully-routed VPN
When a fully-routed VPN is running, we want to prevent normal apps under the VPN from receiving packets originating from any local non-VPN interfaces. This is achieved by using eBPF to create a per-UID input interface whitelist and populate the whitelist such that all non-bypassable apps under a VPN can only receive packets from the VPN's TUN interface (and loopback implicitly).

This is the Netd part of the change that augments the existing UidOwner map to include a new boolean to enable ingress interface filtering as well as a new field per UID for the whitelisted interface index. The eBPF program is updated to drop packets according to the ingress interface whitelist map when present and enabled.

This change also exposes two new netd Binder interfaces to allow ConnectivityService to update the whitelist.

Test: system/netd/tests/runtests.sh
Bug: 114231106
Change-Id: I033c068a350af82023c2bf909e3b3e65d9952b66
Diffstat (limited to 'server/NetdNativeService.h')
-rw-r--r-- server/NetdNativeService.h | 3
1 file changed, 3 insertions(+), 0 deletions(-)
diff --git a/server/NetdNativeService.h b/server/NetdNativeService.h
index 03888cbf1..def4a3aa0 100644
--- a/server/NetdNativeService.h
+++ b/server/NetdNativeService.h
@@ -45,6 +45,9 @@ class NetdNativeService : public BinderService<NetdNativeService>, public BnNetd
binder::Status firewallSetUidRule(int32_t childChain, int32_t uid,
int32_t firewallRule) override;
binder::Status firewallEnableChildChain(int32_t childChain, bool enable) override;
+ binder::Status firewallAddUidInterfaceRules(const std::string& ifName,
+ const std::vector<int32_t>& uids) override;
+ binder::Status firewallRemoveUidInterfaceRules(const std::vector<int32_t>& uids) override;
// Bandwidth control commands.
binder::Status bandwidthEnableDataSaver(bool enable, bool *ret) override;
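Review bot: the two new declarations, firewallAddUidInterfaceRules and firewallRemoveUidInterfaceRules, carry no comment explaining what they do, even though the header already groups and documents neighbouring methods (e.g. "// Bandwidth control commands."). Since these are the Binder entry points through which ConnectivityService installs and clears the per-UID ingress interface whitelist described in the commit message, add a short comment above them stating that ifName is the VPN's TUN interface, that uids are the non-bypassable apps under that VPN, and that removal is keyed by UID only (hence no ifName parameter on the remove call), so that a reader of the header does not have to infer the asymmetry between the two signatures. Only the header is in this diffstat, so the implementation and its caller permission checks should be reviewed in the accompanying NetdNativeService.cpp change.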