fff4bd31ff2bad0acfd8f2439eccf7df70e9695f
13-Apr-2016
Lorenzo Colitti <lorenzo@google.com>

Kill sockets when a VPN comes up.

1. Change the SockDiag callback function to be a filter that returns a bool instead of a function that optionally kills a socket. All existing callbacks basically only existed to kill sockets under certain conditions, and making them return a boolean allows reusing the same callback function signature to filter sockets as well.
2. Add a new SockDiag method to kill sockets based on a UidRanges object (which contains a number of UID ranges) and a list of users to skip.
3. Add a new UIDRANGE mode to SockDiagTest to test the above.
4. When UID ranges are added or removed from the VPN, kill sockets in those UID ranges unless the socket UIDs are in mProtectableUsers and thus their creator might have set the protect bit on their mark. Short of actually being able to see the socket mark on each socket and basing our decision on that, this is the best we can do.

Bug: 26976388
Change-Id: I53a30df3feb63254a6451a29fa6041c9b679f9bb

/system/netd/server/VirtualNetwork.cpp

95684ba176a9fe5ea59207d7202e47fa12bbfdbe
23-Jul-2014
Sreeram Ramachandran <sreeram@google.com>

Implement support for bypassable VPNs.

Bypassable VPNs grab all traffic by default (just like secure VPNs), but:
+ They allow all apps to choose other networks using the multinetwork APIs. If these other networks are insecure ("untrusted"), they will enforce that the app holds the necessary permissions, such as CHANGE_NETWORK_STATE.
+ They support consistent routing. If an app has an existing connection over some other network when the bypassable VPN comes up, it's not interrupted.

Bug: 15347374
Change-Id: Iaee9c6f6fa8103215738570d2b65d3fcf10343f3

/system/netd/server/VirtualNetwork.cpp

e09b20aee85f1dfd8c18c3d8581ac875d939ba70
06-Jul-2014
Sreeram Ramachandran <sreeram@google.com>

Add full support for UIDs in VPNs.

Major:
+ Implement the functions mentioned in http://go/android-multinetwork-routing correctly, including handling accept(), connect(), setNetworkForSocket() and protect() and supporting functions like canUserSelectNetwork().
+ Eliminate the old code path of getting/setting UID ranges through SecondaryTableController (which is currently unused) and mUidMap.

Minor:
+ Rename some methods/variables for clarity and consistency.
+ Moved some methods in .cpp files to match declaration order in the .h files.

Bug: 15409918
Change-Id: Ic6ce3646c58cf645db0d9a53cbeefdd7ffafff93

/system/netd/server/VirtualNetwork.cpp

5009d5ef3fbcdc69d772b528fd22184b7d605afa
03-Jul-2014
Sreeram Ramachandran <sreeram@google.com>

Update routing rules.

As per the latest changes to: http://go/android-multinetwork-routing

Functional changes:
+ Add explicit=NO to the implicit network rules, though it's a no-op.
+ Remove most of the UID=0 (kernel access) rules since they are no longer needed, except in one case to allow access to a VPN.
+ Add the explicit, protect and permissions bits to the incoming packet mark.
+ VPNs now don't need an implicit network rule.
+ Modifying network permissions now modifies the incoming packet mark as well.

Cosmetic changes:
+ Renamed the legacy tables to match their permissions (SYSTEM and NETWORK).
+ Renamed most functions and methods for clarity and consistency.
+ Renamed and adjusted some rule priorities.
+ Move most rule modifications into their own functions, to prevent brittle reliance on the previous state of the fwmark/mask variables.

Change-Id: I958a7e158ee918d5254de606fcfa55fe23327438

/system/netd/server/VirtualNetwork.cpp

89dad013e4dd98434b0409a84567f38782894029
02-Jul-2014
Sreeram Ramachandran <sreeram@google.com>

Keep track of users allowed to call protect() explicitly.

This is an API change between ConnectivityService and Netd. The ownerUid was meant for this purpose, but it's insufficient, as apps need to call protect() _before_ they create a VPN.

Bug: 15409918
Change-Id: If804aa106002e96d5ffb623d32db35fd76928367

/system/netd/server/VirtualNetwork.cpp

36ed53e37b2639681055b2d3d8777241e7dd6982
02-Jul-2014
Sreeram Ramachandran <sreeram@google.com>

Cosmetic: Add a way to query the type of a network.

This is a cosmetic change, i.e., there's no change in functionality. This is the poor man's RTTI. It turns out that maintaining separate lists (or maps) of the different types of networks gets burdensome pretty quickly (especially in an upcoming CL where we add functions like canUserSelectNetwork()).

Change-Id: If5250c0fc106045f681d0fd71278b793addbe1e3

/system/netd/server/VirtualNetwork.cpp

b1425cc09f8a29350520db0d4f489331df5a689b
24-Jun-2014
Sreeram Ramachandran <sreeram@google.com>

Add UID range support to VPNs.

This adds the necessary routing rules. Future CLs will add the ability to select the right netId for connect(), setNetworkForSocket(), DNS resolutions, etc.

Bug: 15409918
Change-Id: I88a67660d49cecda834dd72ab947fbfed250f09d

/system/netd/server/VirtualNetwork.cpp

4043f01f8e25f24246efadc710ad7440aab75529
23-Jun-2014
Sreeram Ramachandran <sreeram@google.com>

Introduce VPN support.

This change sets up the basic routing rules for VPNs. It doesn't yet handle UID ranges (that are meant to apply to the VPN) correctly. That's forthcoming in other CLs.

Bug: 15409918
Change-Id: I284de04f176dcf6ba702361de6a614266256d04e

/system/netd/server/VirtualNetwork.cpp