netdclient - attempt to eliminate spurious netd selinux denials on unix_stream_sockets

This should hopefully fix, for example:
  avc: denied { read write } for comm="netd" path="socket:[1580915]" dev="sockfs" ino=1580915 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0

Make sure protectFromVpn() only passes AF_INET/AF_INET6 sockets to netd.

Let us make sure that we pass real AF_INET/AF_INET6 sockets to netd
from sendmmsg/sendmsg/sendto - the type of the socket when erroneously
used by an app might not necessarily match the address family of the
passed in sockaddr, i.e. sendto(AF_LOCAL_socket, AF_INET_sockaddr)

Note that this also means these system calls will now honour the
'ANDROID_NO_USE_FWMARK_CLIENT' env variable for euid=0 processes.

While we're at it also add some missing parentheses in a macro.

Test: build, atest netdclient_test
Bug: 77870037
Change-Id: I1040838950d363f08a02593e9b669fec31fa847b
Merged-In: I1040838950d363f08a02593e9b669fec31fa847b
diff --git a/client/NetdClientTest.cpp b/client/NetdClientTest.cpp
index b523ccc..126c7fd 100644
--- a/client/NetdClientTest.cpp
+++ b/client/NetdClientTest.cpp
@@ -74,3 +74,21 @@
     unsigned* testNull = nullptr;
     EXPECT_EQ(-EFAULT, getNetworkForDns(testNull));
 }
+
+TEST(NetdClientTest, protectFromVpnBadFd) {
+    EXPECT_EQ(-EBADF, protectFromVpn(-1));
+}
+
+TEST(NetdClientTest, protectFromVpnUnixStream) {
+    int s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+    ASSERT_GE(s, 3);
+    EXPECT_EQ(-EAFNOSUPPORT, protectFromVpn(s));
+    close(s);
+}
+
+TEST(NetdClientTest, protectFromVpnTcp6) {
+    int s = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
+    ASSERT_GE(s, 3);
+    EXPECT_EQ(0, protectFromVpn(s));
+    close(s);
+}
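
Review bot: the accepted path is only exercised for AF_INET6 in protectFromVpnTcp6, so a family check that wrongly rejected AF_INET would pass this suite; add a matching IPv4 test (and ideally a SOCK_DGRAM one) expecting 0, since the commit message says both AF_INET and AF_INET6 sockets must still reach netd. The mismatched case the message describes, sendto(AF_LOCAL_socket, AF_INET_sockaddr), has no test in this hunk either, and that is the path behind the quoted denial, so a test that calls sendto on an AF_UNIX socket with an AF_INET sockaddr would be worth adding. Minor: in protectFromVpnUnixStream and protectFromVpnTcp6, ASSERT_GE(s, 3) assumes fds 0 to 2 are already open in the test process; ASSERT_GE(s, 0) states the actual requirement.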