authorPatrick Rohr <prohr@google.com>2020-12-02 16:22:28 +0100
committerPatrick Rohr <prohr@google.com>2020-12-02 16:22:28 +0100
commitfa0036f1dd7da9feed2502b1b73453427f0f27da (patch)
treedc9bb0f0f1a58e80e0a9c28751b2704a3c9ab9dc /server/TrafficController.cpp
parent6d228fb03a45954a7552a02bd838e1c719e5e378 (diff)
Add Restricted Mode Firewall Chain
Adding a new allowlist firewall chain to support restricted networking mode. See go/restricted-networking-mode. Bug: b/157505406 Test: atest netd_integration_test && atest netd_unit_test Change-Id: I0028e6fa47460e5516d759c5807a459a4700a83e
Diffstat (limited to 'server/TrafficController.cpp')
-rw-r--r--server/TrafficController.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index 95363779f..45d546759 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp
@@ -100,6 +100,7 @@ const std::string uidMatchTypeToString(uint8_t match) {
FLAG_MSG_TRANS(matchType, DOZABLE_MATCH, match);
FLAG_MSG_TRANS(matchType, STANDBY_MATCH, match);
FLAG_MSG_TRANS(matchType, POWERSAVE_MATCH, match);
+ FLAG_MSG_TRANS(matchType, RESTRICTED_MATCH, match);
FLAG_MSG_TRANS(matchType, IIF_MATCH, match);
if (match) {
return StringPrintf("Unknown match: %u", match);
@@ -631,6 +632,9 @@ int TrafficController::changeUidOwnerRule(ChildChain chain, uid_t uid, FirewallR
case POWERSAVE:
res = updateOwnerMapEntry(POWERSAVE_MATCH, uid, rule, type);
break;
+ case RESTRICTED:
+ res = updateOwnerMapEntry(RESTRICTED_MATCH, uid, rule, type);
+ break;
case NONE:
default:
return -EINVAL;
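Review bot: The new `case RESTRICTED:` forwards the caller-supplied `type` to `updateOwnerMapEntry` unchecked, although the commit message describes this chain as an allowlist. If a caller passed a denylist type here, an allow rule would presumably be applied with the opposite meaning, which for a restrictive chain risks either blocking or admitting the wrong UIDs. The same applies to the `LOCAL_RESTRICTED` branch added in `replaceUidOwnerMap`, where the parameter shown truncated as `isAllowl…` in the hunk header is not consulted in the visible lines. Both functions extend beyond their hunks, so validation may exist out of view. If it does not, reject a non-allowlist type for this chain with `-EINVAL`, or at least add a comment such as `// RESTRICTED is an allowlist chain; callers must pass the allowlist type.`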
@@ -714,6 +718,8 @@ int TrafficController::replaceUidOwnerMap(const std::string& name, bool isAllowl
res = replaceRulesInMap(STANDBY_MATCH, uids);
} else if (!name.compare(FirewallController::LOCAL_POWERSAVE)) {
res = replaceRulesInMap(POWERSAVE_MATCH, uids);
+ } else if (!name.compare(FirewallController::LOCAL_RESTRICTED)) {
+ res = replaceRulesInMap(RESTRICTED_MATCH, uids);
} else {
ALOGE("unknown chain name: %s", name.c_str());
return -EINVAL;
@@ -747,6 +753,9 @@ int TrafficController::toggleUidOwnerMap(ChildChain chain, bool enable) {
case POWERSAVE:
match = POWERSAVE_MATCH;
break;
+ case RESTRICTED:
+ match = RESTRICTED_MATCH;
+ break;
default:
return -EINVAL;
}