History log of /system/netd/server/NetdConstants.cpp
Revision Date Author Comments
7b0ab7a59ad1f28b8985cb673beb551b42c07059 28-Aug-2017 Lorenzo Colitti <lorenzo@google.com> Ensure the sockets we inherit from init are FD_CLOEXEC.

Bug: 65104811
Test: bullhead builds, boots
Test: lsof of iptables-restore doesn't show /dev/socket/netd and friends

(cherry picked from commit 548bbd4643841bbd058c31e832af5e9d213edf90)

Change-Id: Ic360b756729176a47fd2d04940913f098cf0e9b6
/system/netd/server/NetdConstants.cpp
066b822f78666758ff82c43321ade07fd0d54eb3 10-Aug-2017 Lorenzo Colitti <lorenzo@google.com> Delete all remaining callers of iptables.

Also move to binder_test.cpp some string constants that are used
only there.

(cherry picked from commit 5c68b9c1e4b7d8cf05b6ce9f6d1458ffda225eac)

Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: Icebaac93fc3a661902deced985119d2d1735732e
Merged-In: I3f72946de374a7deaeef88b1dd5589d9a20ccce7
/system/netd/server/NetdConstants.cpp
e760181ff41a5f4526e4f543f3838eb05690e2aa 28-Apr-2017 Ben Schwartz <bemasc@google.com> Support RFC 7858 DNS over TLS

This change adds the core capability for DNS over TLS, and creates
private APIs for activating it, but does not provide any way to
activate the functionality in a development environment or on a
real device.

Based on https://android-review.googlesource.com/#/c/373776/

Test: Complete unit+integration tests. Manual tests look good.
Bug: 34953048
Change-Id: Ib99ac1f631fd2c2c8fbf53bdb05f67f8be7713ac
/system/netd/server/NetdConstants.cpp
bcad661ab90d5e4d04d41747d109f9c97c5f9490 30-May-2017 Joel Scherpelz <jscherpelz@google.com> Modernize string handling in BandwidthController

This change is preparation for removal of xt_quota2 in favor of NFLOG.
Note that the scope of changes is mostly limited to mechanical single
line changes from "const char*" to "const std::string&".

Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
- "runtest -x .../netd_integration_test.cpp" passes
Bug: 38143143
Bug: 28362720

Change-Id: I56ba810ff6fa2f409e32d86508cfdb1a81a50a4e
/system/netd/server/NetdConstants.cpp
839d7d6b8e3558b92e55aa70894e13c12870e310 03-Apr-2017 Lorenzo Colitti <lorenzo@google.com> Block SIGPIPE in IptablesRestoreControllerTest.

Otherwise, testRestartOnMalformedCommand fails most of the time
on sailfish.

Test: netd_unit_test no longer crashes
Change-Id: I546950cd3f4cbaed358020f25a27b70702566e54
/system/netd/server/NetdConstants.cpp
c1306ea230c95ef0268d4d20a213911799982671 26-Mar-2017 Lorenzo Colitti <lorenzo@google.com> Use iptables-restore to set the incoming packet mark rule.

This speeds up network switching because one rule needs to be
added/removed per interface.

Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks
Change-Id: Ie536db6a50d018c88bb03c5f069965e99e0d162e
/system/netd/server/NetdConstants.cpp
cd28377ac7736aa18700ffdc075e3b16c1d1f656 31-Jan-2017 Lorenzo Colitti <lorenzo@google.com> Support reading output from IptablesRestoreController.

Add the ability to IptablesRestoreController to return the output
of a command. This is useful to run commands that list chains or
return counters through the ip[6]tables-restore.

Also enable unsigned-integer-overflow sanitization in the unit tests
because their behaviour should be representative of actual code.
Having address sanitization enabled would have saved a fair
amount of time debugging an on-device abort() that did not affect
the tests.

Test: new unit test passes
Bug: 32323979
Change-Id: I70726ebbade0cb792aba38787c57378df177f2d8
/system/netd/server/NetdConstants.cpp
a5ace89be511d5a9f76d2d987fe8f61c0a8102f5 06-Jan-2017 Narayan Kamath <narayan@google.com> netd: Use a persistent iptables[6]-restore process

iptables-restore and ip[6]tables-restore are forked on demand
whenever we need them, and their stdin/out/err are replaced by
pipes to the parent process. All commands are sent via the stdin
pipe. We also add SIGCHLD handling so that we can detect error
conditions and restart the process whenever required.

Bug: 32323979
Test: Manual
Test: netd_unit_test, netd_integration_test

Change-Id: Ia12ee01f8b45e5b8a699c27eea1b6b55d40f16b5
/system/netd/server/NetdConstants.cpp
89faa349525ad1110b6fa3f2149e6ef825c65662 26-Feb-2016 Lorenzo Colitti <lorenzo@google.com> Add an RPC to replace a UID firewall rule.

Also add a binder_test that exercises binder RPCs to the real
netd service running on the device.

Bug: 21725996
Bug: 27239233
Change-Id: Ic83d81605021a0578d6cd32f889290be61d76125
/system/netd/server/NetdConstants.cpp
390e4ea8106f9e741bc80fb962aaee94d5b28cbb 26-Apr-2015 Amith Yamasani <yamasani@google.com> Blacklist uids for network access

FirewallController can now be in blacklist mode (aka disabled)
or whitelist mode (aka enabled).

Some of the methods don't do anything when in blacklist mode.

Uid rules updated to allow dropping packets to uids that
shouldn't get any network access, usually for idle apps.

Added a wait option to iptables calls to make sure it doesn't
fail if there's contention. Fixes a flakiness I was seeing in
removing rules.

Bug: 20066058
Change-Id: I815bcb45aa06d04020e902df8c67bb3894e98f40
/system/netd/server/NetdConstants.cpp
d161406141619f84d94b2ecee618569cbbabcb30 03-Feb-2015 Elliott Hughes <enh@google.com> Switch netd over to <utils/file.h>.

Change-Id: Id79961cc4feee1c307dad06d64e3f4ffe060c4da
/system/netd/server/NetdConstants.cpp
53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 31-Jan-2015 Nick Kralevich <nnk@google.com> Avoid leaking file descriptors

Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.

Addresses the following SELinux denial:

audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket

and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.

Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
/system/netd/server/NetdConstants.cpp
aa1be2b3d24d99f3ccb98ff4fbb2a81b63587eff 06-Jan-2015 Dan Albert <danalbert@google.com> Fix missing errno.h includes after libc cleanup.

These issues hadn't been found yet because a libc++ header was
unconditionally pulling in errno.h. I've fixed the libc++ header now.

Change-Id: Ib096634cdd231fc75bf7548e4b99babc7442dc53
/system/netd/server/NetdConstants.cpp
ba25df989b48f36b784ad39307a49a4fd9c3fd66 17-Jun-2014 Lorenzo Colitti <lorenzo@google.com> Use native netlink code instead of /sbin/ip to manipulate routes

Shelling out to /sbin/ip is slow, and more importantly it does
not preserve the error messages returned by the kernel when
adding or deleting a route fails. Instead, use netlink directly.

This change does not yet pass the errors back to CommandListener;
that is done in the next change in the series.

Change-Id: I5ad3c8583580857be6386a620ff5c4f3872d685b
/system/netd/server/NetdConstants.cpp
69261cb65186e27dfbdc1e3eec796437f9968ff9 20-Jun-2014 JP Abgrall <jpa@google.com> server: check interface names in RPC arguments for validity

This patch introduces a method isIfaceName that checks interface
names from various RPCs for validity before e.g. using them as
part of iptables arguments or in filenames.

All of these RPC calls can only be called from applications
with at least the CONNECTIVITY_INTERNAL permission in recent
Android versions, so the impact of the missing checks luckily
isn't very high.

Orig-Author: Jann Horn <jann@thejh.net>

Change-Id: I80df8d745a3de99ad02d6649f0d10562c81f6b98
Signed-off-by: JP Abgrall <jpa@google.com>
/system/netd/server/NetdConstants.cpp
f4cfad361175a7f9ccf4d41e76a9b289c3c3da22 21-May-2014 Sreeram Ramachandran <sreeram@google.com> Move netd_client into netd.

Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5
/system/netd/server/NetdConstants.cpp