Use Vpn rules (not firewall) for always-on VPN
Firewall rules don't work on 464xlat because they were created under
an assumption that there's only one address for the server and it's
ipv4, which doesn't go so well when we're on an ipv6-only network.
Bug: 33159037
Test: runtest -x net/java/com/android/server/connectivity/VpnTest.java
Change-Id: Id331526367fe13838874961da194b07bd50d4c97
diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index 5b029d1..5467a34 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -3702,17 +3702,9 @@
existing.shutdown();
}
- try {
- if (tracker != null) {
- mNetd.setFirewallEnabled(true);
- mNetd.setFirewallInterfaceRule("lo", true);
- mLockdownTracker = tracker;
- mLockdownTracker.init();
- } else {
- mNetd.setFirewallEnabled(false);
- }
- } catch (RemoteException e) {
- // ignored; NMS lives inside system_server
+ if (tracker != null) {
+ mLockdownTracker = tracker;
+ mLockdownTracker.init();
}
}
diff --git a/services/core/java/com/android/server/NetworkManagementService.java b/services/core/java/com/android/server/NetworkManagementService.java
index 87938cb..f4e11c7 100644
--- a/services/core/java/com/android/server/NetworkManagementService.java
+++ b/services/core/java/com/android/server/NetworkManagementService.java
@@ -95,7 +95,6 @@
import com.android.internal.util.Preconditions;
import com.android.server.NativeDaemonConnector.Command;
import com.android.server.NativeDaemonConnector.SensitiveArg;
-import com.android.server.net.LockdownVpnTracker;
import com.google.android.collect.Maps;
import java.io.BufferedReader;
@@ -628,7 +627,7 @@
}
}
- setFirewallEnabled(mFirewallEnabled || LockdownVpnTracker.isEnabled());
+ setFirewallEnabled(mFirewallEnabled);
syncFirewallChainLocked(FIREWALL_CHAIN_NONE, mUidFirewallRules, "");
syncFirewallChainLocked(FIREWALL_CHAIN_STANDBY, mUidFirewallStandbyRules, "standby ");
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index 584994a..5dc8640 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -264,6 +264,30 @@
}
/**
+ * Chooses whether to force all connections to go though VPN.
+ *
+ * Used to enable/disable legacy VPN lockdown.
+ *
+ * This uses the same ip rule mechanism as {@link #setAlwaysOnPackage(String, boolean)};
+ * previous settings from calling that function will be replaced and saved with the
+ * always-on state.
+ *
+ * @param lockdown whether to prevent all traffic outside of a VPN.
+ */
+ public synchronized void setLockdown(boolean lockdown) {
+ enforceControlPermissionOrInternalCaller();
+
+ setVpnForcedLocked(lockdown);
+ mLockdown = lockdown;
+
+ // Update app lockdown setting if it changed. Legacy VPN lockdown status is controlled by
+ // LockdownVpnTracker.isEnabled() which keeps track of its own state.
+ if (mAlwaysOn) {
+ saveAlwaysOnPackage();
+ }
+ }
+
+ /**
* Configures an always-on VPN connection through a specific application.
* This connection is automatically granted and persisted after a reboot.
*
@@ -376,7 +400,7 @@
mSystemServices.settingsSecurePutStringForUser(Settings.Secure.ALWAYS_ON_VPN_APP,
getAlwaysOnPackage(), mUserHandle);
mSystemServices.settingsSecurePutIntForUser(Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN,
- (mLockdown ? 1 : 0), mUserHandle);
+ (mAlwaysOn && mLockdown ? 1 : 0), mUserHandle);
} finally {
Binder.restoreCallingIdentity(token);
}
@@ -557,6 +581,7 @@
mConfig = null;
updateState(DetailedState.IDLE, "prepare");
+ setVpnForcedLocked(mLockdown);
} finally {
Binder.restoreCallingIdentity(token);
}
@@ -1003,9 +1028,7 @@
Log.wtf(TAG, "Failed to add restricted user to owner", e);
}
}
- if (mAlwaysOn) {
- setVpnForcedLocked(mLockdown);
- }
+ setVpnForcedLocked(mLockdown);
}
}
}
@@ -1022,9 +1045,7 @@
Log.wtf(TAG, "Failed to remove restricted user to owner", e);
}
}
- if (mAlwaysOn) {
- setVpnForcedLocked(mLockdown);
- }
+ setVpnForcedLocked(mLockdown);
}
}
}
@@ -1034,7 +1055,7 @@
*/
public synchronized void onUserStopped() {
// Switch off networking lockdown (if it was enabled)
- setVpnForcedLocked(false);
+ setLockdown(false);
mAlwaysOn = false;
unregisterPackageChangeReceiverLocked();
@@ -1061,20 +1082,31 @@
*/
@GuardedBy("this")
private void setVpnForcedLocked(boolean enforce) {
+ final List<String> exemptedPackages =
+ isNullOrLegacyVpn(mPackage) ? null : Collections.singletonList(mPackage);
+ setVpnForcedWithExemptionsLocked(enforce, exemptedPackages);
+ }
+
+ /**
+ * @see #setVpnForcedLocked
+ */
+ @GuardedBy("this")
+ private void setVpnForcedWithExemptionsLocked(boolean enforce,
+ @Nullable List<String> exemptedPackages) {
final Set<UidRange> removedRanges = new ArraySet<>(mBlockedUsers);
+
+ Set<UidRange> addedRanges = Collections.emptySet();
if (enforce) {
- final Set<UidRange> addedRanges = createUserAndRestrictedProfilesRanges(mUserHandle,
+ addedRanges = createUserAndRestrictedProfilesRanges(mUserHandle,
/* allowedApplications */ null,
- /* disallowedApplications */ Collections.singletonList(mPackage));
+ /* disallowedApplications */ exemptedPackages);
removedRanges.removeAll(addedRanges);
addedRanges.removeAll(mBlockedUsers);
-
- setAllowOnlyVpnForUids(false, removedRanges);
- setAllowOnlyVpnForUids(true, addedRanges);
- } else {
- setAllowOnlyVpnForUids(false, removedRanges);
}
+
+ setAllowOnlyVpnForUids(false, removedRanges);
+ setAllowOnlyVpnForUids(true, addedRanges);
}
/**
diff --git a/services/core/java/com/android/server/net/LockdownVpnTracker.java b/services/core/java/com/android/server/net/LockdownVpnTracker.java
index 4a8539a..b40a7e5 100644
--- a/services/core/java/com/android/server/net/LockdownVpnTracker.java
+++ b/services/core/java/com/android/server/net/LockdownVpnTracker.java
@@ -139,7 +139,6 @@
" " + mAcceptedEgressIface + "->" + egressIface);
if (egressDisconnected || egressChanged) {
- clearSourceRulesLocked();
mAcceptedEgressIface = null;
mVpn.stopLegacyVpnPrivileged();
}
@@ -191,24 +190,6 @@
EventLogTags.writeLockdownVpnConnected(egressType);
showNotification(R.string.vpn_lockdown_connected, R.drawable.vpn_connected);
- try {
- clearSourceRulesLocked();
-
- mNetService.setFirewallInterfaceRule(iface, true);
- for (LinkAddress addr : sourceAddrs) {
- setFirewallEgressSourceRule(addr, true);
- }
-
- mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, ROOT_UID, FIREWALL_RULE_ALLOW);
- mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, Os.getuid(), FIREWALL_RULE_ALLOW);
-
- mErrorCount = 0;
- mAcceptedIface = iface;
- mAcceptedSourceAddr = sourceAddrs;
- } catch (RemoteException e) {
- throw new RuntimeException("Problem setting firewall rules", e);
- }
-
final NetworkInfo clone = new NetworkInfo(egressInfo);
augmentNetworkInfo(clone);
mConnService.sendConnectedBroadcast(clone);
@@ -225,19 +206,11 @@
Slog.d(TAG, "initLocked()");
mVpn.setEnableTeardown(false);
+ mVpn.setLockdown(true);
final IntentFilter resetFilter = new IntentFilter(ACTION_LOCKDOWN_RESET);
mContext.registerReceiver(mResetReceiver, resetFilter, CONNECTIVITY_INTERNAL, null);
- try {
- // TODO: support non-standard port numbers
- mNetService.setFirewallEgressDestRule(mProfile.server, 500, true);
- mNetService.setFirewallEgressDestRule(mProfile.server, 4500, true);
- mNetService.setFirewallEgressDestRule(mProfile.server, 1701, true);
- } catch (RemoteException e) {
- throw new RuntimeException("Problem setting firewall rules", e);
- }
-
handleStateChangedLocked();
}
@@ -254,14 +227,7 @@
mErrorCount = 0;
mVpn.stopLegacyVpnPrivileged();
- try {
- mNetService.setFirewallEgressDestRule(mProfile.server, 500, false);
- mNetService.setFirewallEgressDestRule(mProfile.server, 4500, false);
- mNetService.setFirewallEgressDestRule(mProfile.server, 1701, false);
- } catch (RemoteException e) {
- throw new RuntimeException("Problem setting firewall rules", e);
- }
- clearSourceRulesLocked();
+ mVpn.setLockdown(false);
hideNotification();
mContext.unregisterReceiver(mResetReceiver);
@@ -278,35 +244,6 @@
}
}
- private void clearSourceRulesLocked() {
- try {
- if (mAcceptedIface != null) {
- mNetService.setFirewallInterfaceRule(mAcceptedIface, false);
- mAcceptedIface = null;
- }
- if (mAcceptedSourceAddr != null) {
- for (LinkAddress addr : mAcceptedSourceAddr) {
- setFirewallEgressSourceRule(addr, false);
- }
-
- mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, ROOT_UID, FIREWALL_RULE_DEFAULT);
- mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE,Os.getuid(), FIREWALL_RULE_DEFAULT);
-
- mAcceptedSourceAddr = null;
- }
- } catch (RemoteException e) {
- throw new RuntimeException("Problem setting firewall rules", e);
- }
- }
-
- private void setFirewallEgressSourceRule(
- LinkAddress address, boolean allow) throws RemoteException {
- // Our source address based firewall rules must only cover our own source address, not the
- // whole subnet
- final String addrString = address.getAddress().getHostAddress();
- mNetService.setFirewallEgressSourceRule(addrString, allow);
- }
-
public void onNetworkInfoChanged() {
synchronized (mStateLock) {
handleStateChangedLocked();