use of android.net.UidRange in project android_frameworks_base by DirtyUnicorns.
the class NetworkManagementService method closeSocketsForFirewallChainLocked.
private void closeSocketsForFirewallChainLocked(int chain, String chainName) {
// UID ranges to close sockets on.
UidRange[] ranges;
// UID ranges whose sockets we won't touch.
int[] exemptUids;
final SparseIntArray rules = getUidFirewallRules(chain);
int numUids = 0;
if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) {
// Close all sockets on all non-system UIDs...
ranges = new UidRange[] { // specify their ranges here.
new UidRange(Process.FIRST_APPLICATION_UID, Integer.MAX_VALUE) };
// ... except for the UIDs that have allow rules.
exemptUids = new int[rules.size()];
for (int i = 0; i < exemptUids.length; i++) {
if (rules.valueAt(i) == NetworkPolicyManager.FIREWALL_RULE_ALLOW) {
exemptUids[numUids] = rules.keyAt(i);
numUids++;
}
}
// fix setFirewallEnabled to grab mQuotaLock and clear rules.
if (numUids != exemptUids.length) {
exemptUids = Arrays.copyOf(exemptUids, numUids);
}
} else {
// Close sockets for every UID that has a deny rule...
ranges = new UidRange[rules.size()];
for (int i = 0; i < ranges.length; i++) {
if (rules.valueAt(i) == NetworkPolicyManager.FIREWALL_RULE_DENY) {
int uid = rules.keyAt(i);
ranges[numUids] = new UidRange(uid, uid);
numUids++;
}
}
// As above; usually numUids == ranges.length, but not always.
if (numUids != ranges.length) {
ranges = Arrays.copyOf(ranges, numUids);
}
// ... with no exceptions.
exemptUids = new int[0];
}
try {
mNetdService.socketDestroy(ranges, exemptUids);
} catch (RemoteException | ServiceSpecificException e) {
Slog.e(TAG, "Error closing sockets after enabling chain " + chainName + ": " + e);
}
}
use of android.net.UidRange in project platform_frameworks_base by android.
the class VpnTest method testLockdownAddingAProfile.
@SmallTest
public void testLockdownAddingAProfile() throws Exception {
final Vpn vpn = spyVpn(primaryUser.id);
setMockedUsers(primaryUser);
// Make a copy of the restricted profile, as we're going to mark it deleted halfway through.
final UserInfo tempProfile = new UserInfo(restrictedProfileA.id, restrictedProfileA.name, restrictedProfileA.flags);
tempProfile.restrictedProfileParentId = primaryUser.id;
final UidRange user = UidRange.createForUser(primaryUser.id);
final UidRange profile = UidRange.createForUser(tempProfile.id);
// Set lockdown.
assertTrue(vpn.setAlwaysOnPackage(PKGS[3], true));
verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { new UidRange(user.start, user.start + PKG_UIDS[3] - 1), new UidRange(user.start + PKG_UIDS[3] + 1, user.stop) }));
// Verify restricted user isn't affected at first.
assertUnblocked(vpn, profile.start + PKG_UIDS[0]);
// Add the restricted user.
setMockedUsers(primaryUser, tempProfile);
vpn.onUserAdded(tempProfile.id);
verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { new UidRange(profile.start, profile.start + PKG_UIDS[3] - 1), new UidRange(profile.start + PKG_UIDS[3] + 1, profile.stop) }));
// Remove the restricted user.
tempProfile.partial = true;
vpn.onUserRemoved(tempProfile.id);
verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] { new UidRange(profile.start, profile.start + PKG_UIDS[3] - 1), new UidRange(profile.start + PKG_UIDS[3] + 1, profile.stop) }));
}
use of android.net.UidRange in project platform_frameworks_base by android.
the class Vpn method establish.
/**
* Establish a VPN network and return the file descriptor of the VPN
* interface. This methods returns {@code null} if the application is
* revoked or not prepared.
*
* @param config The parameters to configure the network.
* @return The file descriptor of the VPN interface.
*/
public synchronized ParcelFileDescriptor establish(VpnConfig config) {
// Check if the caller is already prepared.
UserManager mgr = UserManager.get(mContext);
if (Binder.getCallingUid() != mOwnerUID) {
return null;
}
// Check to ensure consent hasn't been revoked since we were prepared.
if (!isVpnUserPreConsented(mPackage)) {
return null;
}
// Check if the service is properly declared.
Intent intent = new Intent(VpnConfig.SERVICE_INTERFACE);
intent.setClassName(mPackage, config.user);
long token = Binder.clearCallingIdentity();
try {
// Restricted users are not allowed to create VPNs, they are tied to Owner
UserInfo user = mgr.getUserInfo(mUserHandle);
if (user.isRestricted()) {
throw new SecurityException("Restricted users cannot establish VPNs");
}
ResolveInfo info = AppGlobals.getPackageManager().resolveService(intent, null, 0, mUserHandle);
if (info == null) {
throw new SecurityException("Cannot find " + config.user);
}
if (!BIND_VPN_SERVICE.equals(info.serviceInfo.permission)) {
throw new SecurityException(config.user + " does not require " + BIND_VPN_SERVICE);
}
} catch (RemoteException e) {
throw new SecurityException("Cannot find " + config.user);
} finally {
Binder.restoreCallingIdentity(token);
}
// Save the old config in case we need to go back.
VpnConfig oldConfig = mConfig;
String oldInterface = mInterface;
Connection oldConnection = mConnection;
NetworkAgent oldNetworkAgent = mNetworkAgent;
mNetworkAgent = null;
Set<UidRange> oldUsers = mVpnUsers;
// Configure the interface. Abort if any of these steps fails.
ParcelFileDescriptor tun = ParcelFileDescriptor.adoptFd(jniCreate(config.mtu));
try {
updateState(DetailedState.CONNECTING, "establish");
String interfaze = jniGetName(tun.getFd());
// TEMP use the old jni calls until there is support for netd address setting
StringBuilder builder = new StringBuilder();
for (LinkAddress address : config.addresses) {
builder.append(" " + address);
}
if (jniSetAddresses(interfaze, builder.toString()) < 1) {
throw new IllegalArgumentException("At least one address must be specified");
}
Connection connection = new Connection();
if (!mContext.bindServiceAsUser(intent, connection, Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE, new UserHandle(mUserHandle))) {
throw new IllegalStateException("Cannot bind " + config.user);
}
mConnection = connection;
mInterface = interfaze;
// Fill more values.
config.user = mPackage;
config.interfaze = mInterface;
config.startTime = SystemClock.elapsedRealtime();
mConfig = config;
// Set up forwarding and DNS rules.
agentConnect();
if (oldConnection != null) {
mContext.unbindService(oldConnection);
}
// Remove the old tun's user forwarding rules
// The new tun's user rules have already been added so they will take over
// as rules are deleted. This prevents data leakage as the rules are moved over.
agentDisconnect(oldNetworkAgent);
if (oldInterface != null && !oldInterface.equals(interfaze)) {
jniReset(oldInterface);
}
try {
IoUtils.setBlocking(tun.getFileDescriptor(), config.blocking);
} catch (IOException e) {
throw new IllegalStateException("Cannot set tunnel's fd as blocking=" + config.blocking, e);
}
} catch (RuntimeException e) {
IoUtils.closeQuietly(tun);
agentDisconnect();
// restore old state
mConfig = oldConfig;
mConnection = oldConnection;
mVpnUsers = oldUsers;
mNetworkAgent = oldNetworkAgent;
mInterface = oldInterface;
throw e;
}
Log.i(TAG, "Established by " + config.user + " on " + mInterface);
return tun;
}
use of android.net.UidRange in project platform_frameworks_base by android.
the class Vpn method createUserAndRestrictedProfilesRanges.
/**
* Creates a {@link Set} of non-intersecting {@link UidRange} objects including all UIDs
* associated with one user, and any restricted profiles attached to that user.
*
* <p>If one of {@param allowedApplications} or {@param disallowedApplications} is provided,
* the UID ranges will match the app whitelist or blacklist specified there. Otherwise, all UIDs
* in each user and profile will be included.
*
* @param userHandle The userId to create UID ranges for along with any of its restricted
* profiles.
* @param allowedApplications (optional) whitelist of applications to include.
* @param disallowedApplications (optional) blacklist of applications to exclude.
*/
@VisibleForTesting
Set<UidRange> createUserAndRestrictedProfilesRanges(@UserIdInt int userHandle, @Nullable List<String> allowedApplications, @Nullable List<String> disallowedApplications) {
final Set<UidRange> ranges = new ArraySet<>();
// Assign the top-level user to the set of ranges
addUserToRanges(ranges, userHandle, allowedApplications, disallowedApplications);
// If the user can have restricted profiles, assign all its restricted profiles too
if (canHaveRestrictedProfile(userHandle)) {
final long token = Binder.clearCallingIdentity();
List<UserInfo> users;
try {
users = UserManager.get(mContext).getUsers(true);
} finally {
Binder.restoreCallingIdentity(token);
}
for (UserInfo user : users) {
if (user.isRestricted() && (user.restrictedProfileParentId == userHandle)) {
addUserToRanges(ranges, user.id, allowedApplications, disallowedApplications);
}
}
}
return ranges;
}
use of android.net.UidRange in project android_frameworks_base by crdroidandroid.
the class VpnTest method testLockdownChangingPackage.
@SmallTest
public void testLockdownChangingPackage() throws Exception {
final MockVpn vpn = new MockVpn(primaryUser.id);
final UidRange user = UidRange.createForUser(primaryUser.id);
// Default state.
vpn.assertUnblocked(user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]);
// Set always-on without lockdown.
assertTrue(vpn.setAlwaysOnPackage(PKGS[1], false));
vpn.assertUnblocked(user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]);
// Set always-on with lockdown.
assertTrue(vpn.setAlwaysOnPackage(PKGS[1], true));
verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { new UidRange(user.start, user.start + PKG_UIDS[1] - 1), new UidRange(user.start + PKG_UIDS[1] + 1, user.stop) }));
vpn.assertBlocked(user.start + PKG_UIDS[0], user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]);
vpn.assertUnblocked(user.start + PKG_UIDS[1]);
// Switch to another app.
assertTrue(vpn.setAlwaysOnPackage(PKGS[3], true));
verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] { new UidRange(user.start, user.start + PKG_UIDS[1] - 1), new UidRange(user.start + PKG_UIDS[1] + 1, user.stop) }));
verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { new UidRange(user.start, user.start + PKG_UIDS[3] - 1), new UidRange(user.start + PKG_UIDS[3] + 1, user.stop) }));
vpn.assertBlocked(user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], user.start + PKG_UIDS[2]);
vpn.assertUnblocked(user.start + PKG_UIDS[3]);
}
Aggregations