| Commit message | Author | Age | Files | Lines |
Network preference per-profile and OEM network preferences can't be set
at the same time, because it is unclear what should happen if both
preferences are active for one given UID. Therefore, it needs a
parameter for ConnectivityService to specify which preference is prior
to others.
In this commit:
1. Adds a pair of methods with parcelable parameter, which currently
includes netId, UID range array and subsidiary priority.
2. The subsidiary priority will be used to adjust the original IP rule
priority. UID ranges can apply to different networks with different
subsidiary priority. But a single UID should not apply to multiple
networks with the same subsidiary priority.
3. The possible value of subsidiary priority for physical and
unreachable networks is 0-999. 0 is the highest priority. 0 is also
the default value. Virtual network supports only the default value.
4. Netd and its tests reference the latest AIDL version (unstable).
Bug: 182460808
Test: m; flash; cd system/netd/; atest
Test: atest FrameworksNetTests
Test: atest HostsideVpnTests
Change-Id: I94e8830d0a21ffcca17757fe4783a4be9438c8b4
|
Enumeration Network::Type and member function Network::getType() can be
removed after aosp/1657760. Specializations of each type of network are
implemented in subclass. No functionality changes.
Test: atest
Change-Id: Ib57bf26e4f0a60f7f01bec3109fb84458fb3abfb
|
The implementations of addUsers() and removeUsers() are different between
virtual network, physical network, and others. Virtualize both functions
in base class and override them in derived classes for specialization.
Test: atest
Change-Id: Ie3baeb404d2cd9513efb95857de53b4b3079be0b
|
Move uid ranges code from sub class VirtualNetwork to super class
Network. So they can be reused when we support uid ranges on physical
network. No functionality change.
Test: cd system/netd; atest
Test: atest HostsideVpnTests
Change-Id: I6a170264c82418ae1e625c0fc587cd091e56f9dd
|
Make function generic for followed physical network use case.
Test: atest
Change-Id: I30f61815a2626068a99c4b4bd77bea8b2c16bd47
|
getHasDns() and VirtualNetwork.mHasDns are no more useful after commit
aops/658122.
Bug: 116539103
Test: system/netd/tests/runtests.sh pass
Change-Id: Ica04984a954a9e89a5eb38a9b262775d686f8ed4
|
Use stable aidl generated structure instead of UidRange
Test: built, flashed, booted
system/netd/tests/runtests.sh passes
Change-Id: I136afcff167eac7d3c4774b9e60f607e086488bf
|
Test: netd_{unit,integration}_test pass
Test: bullhead builds, boots
Bug: 34873832
Change-Id: I0a252328041b342f9c03cd08c11a69d452b045b3
|
Bug: 30186506
Change-Id: I8bae7b004c3bb9f6e9e0db99774a6ff6505578b4
|
1. Change the SockDiag callback function to be a filter that
returns a bool instead of a function that optionally kills a
socket. All existing callbacks basically only existed to kill
sockets under certain conditions, and making them return a
boolean allows reusing the same callback function signature
to filter sockets as well.
2. Add a new SockDiag method to kill sockets based on a UidRanges
object (which contains a number of UID ranges) and a list of
users to skip.
3. Add a new UIDRANGE mode to SockDiagTest to test the above.
4. When UID ranges are added or removed from the VPN, kill
sockets in those UID ranges unless the socket UIDs are in
mProtectableUsers and thus their creator might have set the
protect bit on their mark. Short of actually being
able to see the socket mark on each socket and basing our
decision on that, this is the best we can do.
Bug: 26976388
Change-Id: I53a30df3feb63254a6451a29fa6041c9b679f9bb
|
Bypassable VPNs grab all traffic by default (just like secure VPNs), but:
+ They allow all apps to choose other networks using the multinetwork APIs.
If these other networks are insecure ("untrusted"), they will enforce that the
app holds the necessary permissions, such as CHANGE_NETWORK_STATE.
+ They support consistent routing. If an app has an existing connection over
some other network when the bypassable VPN comes up, it's not interrupted.
Bug: 15347374
Change-Id: Iaee9c6f6fa8103215738570d2b65d3fcf10343f3
|
Major:
+ Implement the functions mentioned in http://go/android-multinetwork-routing
correctly, including handling accept(), connect(), setNetworkForSocket()
and protect() and supporting functions like canUserSelectNetwork().
+ Eliminate the old code path of getting/setting UID ranges through
SecondaryTableController (which is currently unused) and mUidMap.
Minor:
+ Rename some methods/variables for clarity and consistency.
+ Moved some methods in .cpp files to match declaration order in the .h files.
Bug: 15409918
Change-Id: Ic6ce3646c58cf645db0d9a53cbeefdd7ffafff93
|
As per the latest changes to: http://go/android-multinetwork-routing
Functional changes:
+ Add explicit=NO to the implicit network rules, though it's a no-op.
+ Remove most of the UID=0 (kernel access) rules since they are no longer
needed, except in one case to allow access to a VPN.
+ Add the explicit, protect and permissions bits to the incoming packet mark.
+ VPNs now don't need an implicit network rule.
+ Modifying network permissions now modifies the incoming packet mark as well.
Cosmetic changes:
+ Renamed the legacy tables to match their permissions (SYSTEM and NETWORK).
+ Renamed most functions and methods for clarity and consistency.
+ Renamed and adjusted some rule priorities.
+ Move most rule modifications into their own functions, to prevent brittle
reliance on the previous state of the fwmark/mask variables.
Change-Id: I958a7e158ee918d5254de606fcfa55fe23327438
|
This is an API change between ConnectivityService and Netd.
The ownerUid was meant for this purpose, but it's insufficient, as apps need to
call protect() _before_ they create a VPN.
Bug: 15409918
Change-Id: If804aa106002e96d5ffb623d32db35fd76928367
|
This is a cosmetic change, i.e., there's no change in functionality.
This is the poor man's RTTI. It turns out that maintaining separate lists (or
maps) of the different types of networks gets burdensome pretty quickly
(especially in an upcoming CL where we add functions like
canUserSelectNetwork()).
Change-Id: If5250c0fc106045f681d0fd71278b793addbe1e3
|
This adds the necessary routing rules.
Future CLs will add the ability to select the right netId for connect(),
setNetworkForSocket(), DNS resolutions, etc.
Bug: 15409918
Change-Id: I88a67660d49cecda834dd72ab947fbfed250f09d
|
This change sets up the basic routing rules for VPNs. It doesn't yet handle UID
ranges (that are meant to apply to the VPN) correctly. That's forthcoming in
other CLs.
Bug: 15409918
Change-Id: I284de04f176dcf6ba702361de6a614266256d04e