7b0ab7a59ad1f28b8985cb673beb551b42c07059 |
|
28-Aug-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Ensure the sockets we inherit from init are FD_CLOEXEC.
Bug: 65104811
Test: bullhead builds, boots
Test: lsof of iptables-restore doesn't show /dev/socket/netd and friends
(cherry picked from commit 548bbd4643841bbd058c31e832af5e9d213edf90)
Change-Id: Ic360b756729176a47fd2d04940913f098cf0e9b6
/system/netd/server/NetdConstants.cpp
|
066b822f78666758ff82c43321ade07fd0d54eb3 |
|
10-Aug-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Delete all remaining callers of iptables.
Also move to binder_test.cpp some string constants that are used only there.
(cherry picked from commit 5c68b9c1e4b7d8cf05b6ce9f6d1458ffda225eac)
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: Icebaac93fc3a661902deced985119d2d1735732e
Merged-In: I3f72946de374a7deaeef88b1dd5589d9a20ccce7
/system/netd/server/NetdConstants.cpp
|
e760181ff41a5f4526e4f543f3838eb05690e2aa |
|
28-Apr-2017 |
Ben Schwartz <bemasc@google.com> |
Support RFC 7858 DNS over TLS
This change adds the core capability for DNS over TLS, and creates private APIs for activating it, but does not provide any way to activate the functionality in a development environment or on a real device.
Based on https://android-review.googlesource.com/#/c/373776/
Test: Complete unit+integration tests. Manual tests look good.
Bug: 34953048
Change-Id: Ib99ac1f631fd2c2c8fbf53bdb05f67f8be7713ac
/system/netd/server/NetdConstants.cpp
|
bcad661ab90d5e4d04d41747d109f9c97c5f9490 |
|
30-May-2017 |
Joel Scherpelz <jscherpelz@google.com> |
Modernize string handling in BandwidthController
This change is preparation for removal of xt_quota2 in favor of NFLOG. Note that the scope of changes is mostly limited to mechanical single line changes from "const char*" to "const std::string&".
Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
- "runtest -x .../netd_integration_test.cpp" passes
Bug: 38143143
Bug: 28362720
Change-Id: I56ba810ff6fa2f409e32d86508cfdb1a81a50a4e
/system/netd/server/NetdConstants.cpp
|
839d7d6b8e3558b92e55aa70894e13c12870e310 |
|
03-Apr-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Block SIGPIPE in IptablesRestoreControllerTest.
Otherwise, testRestartOnMalformedCommand fails most of the time on sailfish.
Test: netd_unit_test no longer crashes
Change-Id: I546950cd3f4cbaed358020f25a27b70702566e54
/system/netd/server/NetdConstants.cpp
|
c1306ea230c95ef0268d4d20a213911799982671 |
|
26-Mar-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Use iptables-restore to set the incoming packet mark rule.
This speeds up network switching because one rule needs to be added/removed per interface.
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks
Change-Id: Ie536db6a50d018c88bb03c5f069965e99e0d162e
/system/netd/server/NetdConstants.cpp
|
cd28377ac7736aa18700ffdc075e3b16c1d1f656 |
|
31-Jan-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Support reading output from IptablesRestoreController.
Add the ability to IptablesRestoreController to return the output of a command. This is useful to run commands that list chains or return counters through the ip[6]tables-restore.
Also enable unsigned-integer-overflow sanitization in the unit tests because their behaviour should be representative of actual code. Having address sanitization enabled would have saved a fair amount of time debugging an on-device abort() that did not affect the tests.
Test: new unit test passes
Bug: 32323979
Change-Id: I70726ebbade0cb792aba38787c57378df177f2d8
/system/netd/server/NetdConstants.cpp
|
a5ace89be511d5a9f76d2d987fe8f61c0a8102f5 |
|
06-Jan-2017 |
Narayan Kamath <narayan@google.com> |
netd: Use a persistent iptables[6]-restore process
iptables-restore and ip[6]tables-restore are forked on demand whenever we need them, and their stdin/out/err are replaced by pipes to the parent process. All commands are sent via the stdin pipe.
We also add SIGCHLD handling so that we can detect error conditions and restart the process whenever required.
Bug: 32323979
Test: Manual
Test: netd_unit_test, netd_integration_test
Change-Id: Ia12ee01f8b45e5b8a699c27eea1b6b55d40f16b5
/system/netd/server/NetdConstants.cpp
|
89faa349525ad1110b6fa3f2149e6ef825c65662 |
|
26-Feb-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Add an RPC to replace a UID firewall rule.
Also add a binder_test that exercises binder RPCs to the real netd service running on the device.
Bug: 21725996
Bug: 27239233
Change-Id: Ic83d81605021a0578d6cd32f889290be61d76125
/system/netd/server/NetdConstants.cpp
|
390e4ea8106f9e741bc80fb962aaee94d5b28cbb |
|
26-Apr-2015 |
Amith Yamasani <yamasani@google.com> |
Blacklist uids for network access
FirewallController can now be in blacklist mode (aka disabled) or whitelist mode (aka enabled). Some of the methods don't do anything when in blacklist mode.
Uid rules updated to allow dropping packets to uids that shouldn't get any network access, usually for idle apps.
Added a wait option to iptables calls to make sure it doesn't fail if there's contention. Fixes a flakiness I was seeing in removing rules.
Bug: 20066058
Change-Id: I815bcb45aa06d04020e902df8c67bb3894e98f40
/system/netd/server/NetdConstants.cpp
|
d161406141619f84d94b2ecee618569cbbabcb30 |
|
03-Feb-2015 |
Elliott Hughes <enh@google.com> |
Switch netd over to <utils/file.h>.
Change-Id: Id79961cc4feee1c307dad06d64e3f4ffe060c4da
/system/netd/server/NetdConstants.cpp
|
53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 |
|
31-Jan-2015 |
Nick Kralevich <nnk@google.com> |
Avoid leaking file descriptors
Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs.
Addresses the following SELinux denial:
  audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket
and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors.
Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
/system/netd/server/NetdConstants.cpp
|
aa1be2b3d24d99f3ccb98ff4fbb2a81b63587eff |
|
06-Jan-2015 |
Dan Albert <danalbert@google.com> |
Fix missing errno.h includes after libc cleanup.
These issues hadn't been found yet because a libc++ header was unconditionally pulling in errno.h. I've fixed the libc++ header now.
Change-Id: Ib096634cdd231fc75bf7548e4b99babc7442dc53
/system/netd/server/NetdConstants.cpp
|
ba25df989b48f36b784ad39307a49a4fd9c3fd66 |
|
17-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Use native netlink code instead of /sbin/ip to manipulate routes
Shelling out to /sbin/ip is slow, and more importantly it does not preserve the error messages returned by the kernel when adding or deleting a route fails. Instead, use netlink directly.
This change does not yet pass the errors back to CommandListener; that is done in the next change in the series.
Change-Id: I5ad3c8583580857be6386a620ff5c4f3872d685b
/system/netd/server/NetdConstants.cpp
|
69261cb65186e27dfbdc1e3eec796437f9968ff9 |
|
20-Jun-2014 |
JP Abgrall <jpa@google.com> |
server: check interface names in RPC arguments for validity
This patch introduces a method isIfaceName that checks interface names from various RPCs for validity before e.g. using them as part of iptables arguments or in filenames.
All of these RPC calls can only be called from applications with at least the CONNECTIVITY_INTERNAL permission in recent Android versions, so the impact of the missing checks luckily isn't very high.
Orig-Author: Jann Horn <jann@thejh.net>
Change-Id: I80df8d745a3de99ad02d6649f0d10562c81f6b98
Signed-off-by: JP Abgrall <jpa@google.com>
/system/netd/server/NetdConstants.cpp
|
f4cfad361175a7f9ccf4d41e76a9b289c3c3da22 |
|
21-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Move netd_client into netd.
Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5
/system/netd/server/NetdConstants.cpp
|