| fff4bd31ff2bad0acfd8f2439eccf7df70e9695f |
|
13-Apr-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Kill sockets when a VPN comes up.
1. Change the SockDiag callback function to be a filter that
returns a bool instead of a function that optionally kills a
socket. All existing callbacks basically only existed to kill
sockets under certain conditions, and making them return a
boolean allows reusing the same callback function signature
to filter sockets as well.
2. Add a new SockDiag method to kill sockets based on a UidRanges
object (which contains a number of UID ranges) and a list of
users to skip.
3. Add a new UIDRANGE mode to SockDiagTest to test the above.
4. When UID ranges are added or removed from the VPN, kill
sockets in those UID ranges unless the socket UIDs are in
mProtectableUsers and thus their creator might have set the
protect bit on their mark. Short of actually being
able to see the socket mark on each socket and basing our
decision on that, this is the best we can do.
Bug: 26976388
Change-Id: I53a30df3feb63254a6451a29fa6041c9b679f9bb
/system/netd/server/VirtualNetwork.cpp
|
| 95684ba176a9fe5ea59207d7202e47fa12bbfdbe |
|
23-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Implement support for bypassable VPNs.
Bypassable VPNs grab all traffic by default (just like secure VPNs), but:
+ They allow all apps to choose other networks using the multinetwork APIs.
If these other networks are insecure ("untrusted"), they will enforce that the
app holds the necessary permissions, such as CHANGE_NETWORK_STATE.
+ They support consistent routing. If an app has an existing connection over
some other network when the bypassable VPN comes up, it's not interrupted.
Bug: 15347374
Change-Id: Iaee9c6f6fa8103215738570d2b65d3fcf10343f3
/system/netd/server/VirtualNetwork.cpp
|
| e09b20aee85f1dfd8c18c3d8581ac875d939ba70 |
|
06-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Add full support for UIDs in VPNs.
Major:
+ Implement the functions mentioned in http://go/android-multinetwork-routing
correctly, including handling accept(), connect(), setNetworkForSocket()
and protect() and supporting functions like canUserSelectNetwork().
+ Eliminate the old code path of getting/setting UID ranges through
SecondaryTableController (which is currently unused) and mUidMap.
Minor:
+ Rename some methods/variables for clarity and consistency.
+ Moved some methods in .cpp files to match declaration order in the .h files.
Bug: 15409918
Change-Id: Ic6ce3646c58cf645db0d9a53cbeefdd7ffafff93
/system/netd/server/VirtualNetwork.cpp
|
| 5009d5ef3fbcdc69d772b528fd22184b7d605afa |
|
03-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Update routing rules.
As per the latest changes to: http://go/android-multinetwork-routing
Functional changes:
+ Add explicit=NO to the implicit network rules, though it's a no-op.
+ Remove most of the UID=0 (kernel access) rules since they are no longer
needed, except in one case to allow access to a VPN.
+ Add the explicit, protect and permissions bits to the incoming packet mark.
+ VPNs now don't need an implicit network rule.
+ Modifying network permissions now modifies the incoming packet mark as well.
Cosmetic changes:
+ Renamed the legacy tables to match their permissions (SYSTEM and NETWORK).
+ Renamed most functions and methods for clarity and consistency.
+ Renamed and adjusted some ule priorities.
+ Move most rule modifications into their own functions, to prevent brittle
reliance on the previous state of the fwmark/mask variables.
Change-Id: I958a7e158ee918d5254de606fcfa55fe23327438
/system/netd/server/VirtualNetwork.cpp
|
| 89dad013e4dd98434b0409a84567f38782894029 |
|
02-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Keep track of users allowed to call protect() explicitly.
This is an API change between ConnectivityService and Netd.
The ownerUid was meant for this purpose, but it's insufficient, as apps need to
call protect() _before_ they create a VPN.
Bug: 15409918
Change-Id: If804aa106002e96d5ffb623d32db35fd76928367
/system/netd/server/VirtualNetwork.cpp
|
| 36ed53e37b2639681055b2d3d8777241e7dd6982 |
|
02-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Cosmetic: Add a way to query the type of a network.
This is a cosmetic change, i.e., there's no change in functionality.
This is the poor man's RTTI. It turns out that maintaining separate lists (or
maps) of the different types of networks gets burdensome pretty quickly
(especially in an upcoming CL where we add functions like
canUserSelectNetwork()).
Change-Id: If5250c0fc106045f681d0fd71278b793addbe1e3
/system/netd/server/VirtualNetwork.cpp
|
| b1425cc09f8a29350520db0d4f489331df5a689b |
|
24-Jun-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Add UID range support to VPNs.
This adds the necessary routing rules.
Future CLs will add the ability to select the right netId for connect(),
setNetworkForSocket(), DNS resolutions, etc.
Bug: 15409918
Change-Id: I88a67660d49cecda834dd72ab947fbfed250f09d
/system/netd/server/VirtualNetwork.cpp
|
| 4043f01f8e25f24246efadc710ad7440aab75529 |
|
23-Jun-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Introduce VPN support.
This change sets up the basic routing rules for VPNs. It doesn't yet handle UID
ranges (that are meant to apply to the VPN) correctly. That's forthcoming in
other CLs.
Bug: 15409918
Change-Id: I284de04f176dcf6ba702361de6a614266256d04e
/system/netd/server/VirtualNetwork.cpp
|