From fa0036f1dd7da9feed2502b1b73453427f0f27da Mon Sep 17 00:00:00 2001 From: Patrick Rohr Date: Wed, 2 Dec 2020 16:22:28 +0100 Subject: Add Restricted Mode Firewall Chain Adding a new allowlist firewall chain to support restricted networking mode. See go/restricted-networking-mode. Bug: b/157505406 Test: atest netd_integration_test && atest netd_unit_test Change-Id: I0028e6fa47460e5516d759c5807a459a4700a83e --- server/TrafficController.cpp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'server/TrafficController.cpp')
diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index 95363779f..45d546759 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp
@@ -100,6 +100,7 @@ const std::string uidMatchTypeToString(uint8_t match) {
 FLAG_MSG_TRANS(matchType, DOZABLE_MATCH, match);
 FLAG_MSG_TRANS(matchType, STANDBY_MATCH, match);
 FLAG_MSG_TRANS(matchType, POWERSAVE_MATCH, match);
+ FLAG_MSG_TRANS(matchType, RESTRICTED_MATCH, match);
 FLAG_MSG_TRANS(matchType, IIF_MATCH, match);
 if (match) {
 return StringPrintf("Unknown match: %u", match);
@@ -631,6 +632,9 @@ int TrafficController::changeUidOwnerRule(ChildChain chain, uid_t uid, FirewallR
 case POWERSAVE:
 res = updateOwnerMapEntry(POWERSAVE_MATCH, uid, rule, type);
 break;
+ case RESTRICTED:
+ res = updateOwnerMapEntry(RESTRICTED_MATCH, uid, rule, type);
+ break;
 case NONE:
 default:
 return -EINVAL;
@@ -714,6 +718,8 @@ int TrafficController::replaceUidOwnerMap(const std::string& name, bool isAllowl
 res = replaceRulesInMap(STANDBY_MATCH, uids);
 } else if (!name.compare(FirewallController::LOCAL_POWERSAVE)) {
 res = replaceRulesInMap(POWERSAVE_MATCH, uids);
+ } else if (!name.compare(FirewallController::LOCAL_RESTRICTED)) {
+ res = replaceRulesInMap(RESTRICTED_MATCH, uids);
 } else {
 ALOGE("unknown chain name: %s", name.c_str());
 return -EINVAL;
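Review bot: Nothing in the new `case RESTRICTED:` arm of `changeUidOwnerRule` pins the chain to allowlist semantics, because `type` is forwarded from the caller to `updateOwnerMapEntry` unchanged. The `LOCAL_RESTRICTED` branch added to `replaceUidOwnerMap` appears to rely in the same way on the caller's allowlist flag, whose name is truncated in the hunk header. The commit message describes this as an allowlist chain, so a caller passing the wrong type would presumably invert which UIDs receive the match bit. That depends on `updateOwnerMapEntry`, which is outside the hunk and should be confirmed. At minimum, state the contract where the arm is added, for example `// RESTRICTED is an allowlist chain: callers must pass the allowlist type, otherwise the rule is applied inverted`. Both function bodies start and end outside their hunks.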
@@ -747,6 +753,9 @@ int TrafficController::toggleUidOwnerMap(ChildChain chain, bool enable) {
 case POWERSAVE:
 match = POWERSAVE_MATCH;
 break;
+ case RESTRICTED:
+ match = RESTRICTED_MATCH;
+ break;
 default:
 return -EINVAL;
 }
-- cgit v1.2.3
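Review bot: The chain-to-match mapping is now written out by hand in three places: this switch in `toggleUidOwnerMap`, the switch in `changeUidOwnerRule`, and the name-comparison chain in `replaceUidOwnerMap`. Each needed its own RESTRICTED arm in this commit. A future chain added to one path but missed in another falls through to `default: return -EINVAL;`, which for a firewall chain means rules that are never installed or never enabled unless the caller checks the result. Consider one private helper that maps a `ChildChain` to its match bit and is called from both switches, so a new chain is added in a single place. The switch and the function body begin before the hunk.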