89faa349525ad1110b6fa3f2149e6ef825c65662 |
|
26-Feb-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Add an RPC to replace a UID firewall rule.

Also add a binder_test that exercises binder RPCs to the real netd service running on the device

Bug: 21725996
Bug: 27239233
Change-Id: Ic83d81605021a0578d6cd32f889290be61d76125
/system/netd/server/NetdConstants.cpp
|
390e4ea8106f9e741bc80fb962aaee94d5b28cbb |
|
26-Apr-2015 |
Amith Yamasani <yamasani@google.com> |
Blacklist uids for network access

FirewallController can now be in blacklist mode (aka disabled) or whitelist mode (aka enabled). Some of the methods don't do anything when in blacklist mode. Uid rules updated to allow dropping packets to uids that shouldn't get any network access, usually for idle apps.

Added a wait option to iptables calls to make sure it doesn't fail if there's contention. Fixes a flakiness I was seeing in removing rules.

Bug: 20066058
Change-Id: I815bcb45aa06d04020e902df8c67bb3894e98f40
/system/netd/server/NetdConstants.cpp
|
d161406141619f84d94b2ecee618569cbbabcb30 |
|
03-Feb-2015 |
Elliott Hughes <enh@google.com> |
Switch netd over to <utils/file.h>. Change-Id: Id79961cc4feee1c307dad06d64e3f4ffe060c4da
/system/netd/server/NetdConstants.cpp
|
53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 |
|
31-Jan-2015 |
Nick Kralevich <nnk@google.com> |
Avoid leaking file descriptors

Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs.

Addresses the following SELinux denial:

audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket

and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors.

Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
/system/netd/server/NetdConstants.cpp
|
aa1be2b3d24d99f3ccb98ff4fbb2a81b63587eff |
|
06-Jan-2015 |
Dan Albert <danalbert@google.com> |
Fix missing errno.h includes after libc cleanup. These issues hadn't been found yet because a libc++ header was unconditionally pulling in errno.h. I've fixed the libc++ header now. Change-Id: Ib096634cdd231fc75bf7548e4b99babc7442dc53
/system/netd/server/NetdConstants.cpp
|
ba25df989b48f36b784ad39307a49a4fd9c3fd66 |
|
17-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Use native netlink code instead of /sbin/ip to manipulate routes

Shelling out to /sbin/ip is slow, and more importantly it does not preserve the error messages returned by the kernel when adding or deleting a route fails. Instead, use netlink directly.

This change does not yet pass the errors back to CommandListener; that is done in the next change in the series.

Change-Id: I5ad3c8583580857be6386a620ff5c4f3872d685b
/system/netd/server/NetdConstants.cpp
|
69261cb65186e27dfbdc1e3eec796437f9968ff9 |
|
20-Jun-2014 |
JP Abgrall <jpa@google.com> |
server: check interface names in RPC arguments for validity

This patch introduces a method isIfaceName that checks interface names from various RPCs for validity before e.g. using them as part of iptables arguments or in filenames.

All of these RPC calls can only be called from applications with at least the CONNECTIVITY_INTERNAL permission in recent Android versions, so the impact of the missing checks luckily isn't very high.

Orig-Author: Jann Horn <jann@thejh.net>
Change-Id: I80df8d745a3de99ad02d6649f0d10562c81f6b98
Signed-off-by: JP Abgrall <jpa@google.com>
/system/netd/server/NetdConstants.cpp
|
f4cfad361175a7f9ccf4d41e76a9b289c3c3da22 |
|
21-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Move netd_client into netd. Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5
/system/netd/server/NetdConstants.cpp
|