Fix NOT_RESTRICTED network capability and enforce it.
With this change:
1. NOT_RESTRICTED should be removed from NetworkRequests that bring up
special restricted carrier networks (e.g. IMS, FOTA).
2. NetworkRequests without NOT_RESTRICTED require CONNECTIVITY_INTERNAL
permission to register
3. Binding sockets to networks without NOT_RESTRICTED requires
CONNECTIVITY_INTERNAL permission
Bug:21637535
Change-Id: I5991d39facaa6b690e969fe15dcbeec52e918321
diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index eb74ab0..62e8532 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -4021,6 +4021,16 @@
}
if (!Objects.equals(nai.networkCapabilities, networkCapabilities)) {
final int oldScore = nai.getCurrentScore();
+ if (nai.networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) !=
+ networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)) {
+ try {
+ mNetd.setNetworkPermission(nai.network.netId,
+ networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) ?
+ null : NetworkManagementService.PERMISSION_SYSTEM);
+ } catch (RemoteException e) {
+ loge("Exception in setNetworkPermission: " + e);
+ }
+ }
synchronized (nai) {
nai.networkCapabilities = networkCapabilities;
}
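Review bot: If `mNetd.setNetworkPermission(...)` fails in the added block, the catch only logs and execution still reaches `nai.networkCapabilities = networkCapabilities`, so the framework can record the network as restricted while netd keeps admitting unprivileged apps to it. That is a fail-open path for the restriction this commit sets out to enforce. The catch also covers only `RemoteException`, whereas the NetworkManagementService side in this commit reports connector errors through `rethrowAsParcelableException()`, which presumably surfaces as an unchecked exception and would escape this block. Consider handling the broader failure and not publishing the new capabilities when the permission cannot be applied, and document the ordering with a comment such as `// netd permission must be applied before the new capabilities are published; otherwise nai and netd disagree on who may use this network`. The enclosing method starts and ends outside the hunk.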
@@ -4456,7 +4466,10 @@
(networkAgent.networkMisc == null ||
!networkAgent.networkMisc.allowBypass));
} else {
- mNetd.createPhysicalNetwork(networkAgent.network.netId);
+ mNetd.createPhysicalNetwork(networkAgent.network.netId,
+ networkAgent.networkCapabilities.hasCapability(
+ NET_CAPABILITY_NOT_RESTRICTED) ?
+ null : NetworkManagementService.PERMISSION_SYSTEM);
}
} catch (Exception e) {
loge("Error creating network " + networkAgent.network.netId + ": "
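Review bot: The mapping from NOT_RESTRICTED to a netd permission string is written inline here and again in the capability-update hunk above (`hasCapability(NET_CAPABILITY_NOT_RESTRICTED) ? null : NetworkManagementService.PERMISSION_SYSTEM`). Because this expression decides which apps may use a network, it should live in one place. A small private helper, for example `private static String netdPermissionFor(NetworkCapabilities nc)`, carrying a comment that `null` means no permission is required, would stop the two call sites from drifting apart. The enclosing try block and method extend beyond the hunk.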
diff --git a/services/core/java/com/android/server/NetworkManagementService.java b/services/core/java/com/android/server/NetworkManagementService.java
index 0e3134d..433f707 100644
--- a/services/core/java/com/android/server/NetworkManagementService.java
+++ b/services/core/java/com/android/server/NetworkManagementService.java
@@ -131,6 +131,19 @@
*/
public static final String LIMIT_GLOBAL_ALERT = "globalAlert";
+ /**
+ * String to pass to netd to indicate that a network is only accessible
+ * to apps that have the CHANGE_NETWORK_STATE permission.
+ */
+ public static final String PERMISSION_NETWORK = "NETWORK";
+
+ /**
+ * String to pass to netd to indicate that a network is only
+ * accessible to system apps and those with the CONNECTIVITY_INTERNAL
+ * permission.
+ */
+ public static final String PERMISSION_SYSTEM = "SYSTEM";
+
class NetdResponseCode {
/* Keep in sync with system/netd/server/ResponseCode.h */
public static final int InterfaceListResult = 110;
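Review bot: The Javadoc on `PERMISSION_NETWORK` and `PERMISSION_SYSTEM` does not say that these literals are protocol tokens netd has to recognise, unlike the `NetdResponseCode` class just below, which carries a keep-in-sync comment. I would add a line such as `Keep in sync with the permission names accepted by netd.` to both constants, and state that passing `null` in their place means the network requires no permission. `PERMISSION_NETWORK` is not referenced in the hunks shown here, so it is worth confirming that it has a caller.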
@@ -2329,11 +2342,15 @@
}
@Override
- public void createPhysicalNetwork(int netId) {
+ public void createPhysicalNetwork(int netId, String permission) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
try {
- mConnector.execute("network", "create", netId);
+ if (permission != null) {
+ mConnector.execute("network", "create", netId, permission);
+ } else {
+ mConnector.execute("network", "create", netId);
+ }
} catch (NativeDaemonConnectorException e) {
throw e.rethrowAsParcelableException();
}
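Review bot: `permission` is forwarded to netd unchecked at `mConnector.execute("network", "create", netId, permission)`, so any string other than the two constants added in this file reaches the daemon, and how netd treats an unknown token is not visible here. Callers must already hold CONNECTIVITY_INTERNAL, so this is a robustness guard rather than a trust boundary, but a mistyped value should fail loudly instead of possibly creating a network with the wrong access level. Consider rejecting it up front: `if (permission != null && !PERMISSION_NETWORK.equals(permission) && !PERMISSION_SYSTEM.equals(permission)) throw new IllegalArgumentException("Unknown permission: " + permission);`. The same applies to `setNetworkPermission` in the next hunk, and neither method documents that `null` means unrestricted.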
@@ -2425,6 +2442,22 @@
}
@Override
+ public void setNetworkPermission(int netId, String permission) {
+ mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+
+ try {
+ if (permission != null) {
+ mConnector.execute("network", "permission", "network", "set", permission, netId);
+ } else {
+ mConnector.execute("network", "permission", "network", "clear", netId);
+ }
+ } catch (NativeDaemonConnectorException e) {
+ throw e.rethrowAsParcelableException();
+ }
+ }
+
+
+ @Override
public void setPermission(String permission, int[] uids) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);