Remove libnetd_resolv dependency on Fwmark
This change help reduce the libnetd_resolv dependency on non-updatable
code.
Bug: 113628807
Test: system/netd/tests/runtests.sh passed
Change-Id: I70b5336f00e5e9b506a76a3a68f5f149c78a89af
diff --git a/resolv/Android.bp b/resolv/Android.bp
index f26d820..252264d 100644
--- a/resolv/Android.bp
+++ b/resolv/Android.bp
@@ -33,11 +33,6 @@
"libssl",
"libcrypto",
],
- // TODO: Remove this after we find an alternative way to substitute Fwmark
- // used in DnsTls* classes.
- include_dirs: [
- "system/netd/include",
- ],
export_include_dirs: ["include"],
// TODO: pie in the sky: make this code clang-tidy clean
tidy: false,
diff --git a/resolv/DnsTlsSocket.cpp b/resolv/DnsTlsSocket.cpp
index 425aa17..b4d0081 100644
--- a/resolv/DnsTlsSocket.cpp
+++ b/resolv/DnsTlsSocket.cpp
@@ -33,7 +33,6 @@
#include "log/log.h"
#include "netdutils/SocketOption.h"
-#include "Permission.h"
namespace android {
diff --git a/resolv/DnsTlsTransport.cpp b/resolv/DnsTlsTransport.cpp
index b4294e2..b1e9205 100644
--- a/resolv/DnsTlsTransport.cpp
+++ b/resolv/DnsTlsTransport.cpp
@@ -26,8 +26,6 @@
#include "netd_resolv/IDnsTlsSocketFactory.h"
#include "log/log.h"
-#include "Fwmark.h"
-#include "Permission.h"
namespace android {
namespace net {
@@ -145,7 +143,7 @@
// static
// TODO: Use this function to preheat the session cache.
// That may require moving it to DnsTlsDispatcher.
-bool DnsTlsTransport::validate(const DnsTlsServer& server, unsigned netid) {
+bool DnsTlsTransport::validate(const DnsTlsServer& server, unsigned netid, uint32_t mark) {
ALOGV("Beginning validation on %u", netid);
// Generate "<random>-dnsotls-ds.metric.gstatic.com", which we will lookup through |ss| in
// order to prove that it is actually a working DNS over TLS server.
@@ -177,14 +175,6 @@
};
const int qlen = std::size(query);
- // At validation time, we only know the netId, so we have to guess/compute the
- // corresponding socket mark.
- Fwmark fwmark;
- fwmark.permission = PERMISSION_SYSTEM;
- fwmark.explicitlySelected = true;
- fwmark.protectedFromVpn = true;
- fwmark.netId = netid;
- unsigned mark = fwmark.intValue;
int replylen = 0;
DnsTlsSocketFactory factory;
DnsTlsTransport transport(server, mark, &factory);
diff --git a/resolv/include/netd_resolv/DnsTlsTransport.h b/resolv/include/netd_resolv/DnsTlsTransport.h
index 0d314ad..011be61 100644
--- a/resolv/include/netd_resolv/DnsTlsTransport.h
+++ b/resolv/include/netd_resolv/DnsTlsTransport.h
@@ -57,7 +57,7 @@
// Check that a given TLS server is fully working on the specified netid, and has the
// provided SHA-256 fingerprint (if nonempty). This function is used in ResolverController
// to ensure that we don't enable DNS over TLS on networks where it doesn't actually work.
- static bool validate(const DnsTlsServer& server, unsigned netid);
+ static bool validate(const DnsTlsServer& server, unsigned netid, uint32_t mark);
// Implement IDnsTlsSocketObserver
void onResponse(std::vector<uint8_t> response) override;
diff --git a/resolv/libnetd_resolv.map.txt b/resolv/libnetd_resolv.map.txt
index db81593..bb1e408 100644
--- a/resolv/libnetd_resolv.map.txt
+++ b/resolv/libnetd_resolv.map.txt
@@ -59,7 +59,7 @@
_ZN7android3net15DnsTlsTransport11doReconnectEv;
_ZN7android3net15DnsTlsTransport5queryENS_9netdutils5SliceE;
_ZN7android3net15DnsTlsTransport8onClosedEv;
- _ZN7android3net15DnsTlsTransport8validateERKNS0_12DnsTlsServerEj;
+ _ZN7android3net15DnsTlsTransport8validateERKNS0_12DnsTlsServerEjj;
_ZN7android3net15DnsTlsTransport9doConnectEv;
_ZN7android3net15DnsTlsTransport9sendQueryENS0_14DnsTlsQueryMap5QueryE;
_ZN7android3net15DnsTlsTransportD0Ev;
diff --git a/server/ResolverController.cpp b/server/ResolverController.cpp
index 2562a97..a299120 100644
--- a/server/ResolverController.cpp
+++ b/server/ResolverController.cpp
@@ -40,7 +40,9 @@
#include "DumpWriter.h"
#include "EventReporter.h"
+#include "Fwmark.h"
#include "NetdConstants.h"
+#include "Permission.h"
#include "ResolverController.h"
#include "ResolverStats.h"
#include "netd_resolv/DnsTlsServer.h"
@@ -108,11 +110,11 @@
typedef ResolverController::Validation Validation;
typedef std::map<DnsTlsServer, Validation, AddressComparator> PrivateDnsTracker;
- int set(int32_t netId, const std::vector<std::string>& servers, const std::string& name,
- const std::set<std::vector<uint8_t>>& fingerprints) {
+ int set(uint32_t netId, uint32_t mark, const std::vector<std::string>& servers,
+ const std::string& name, const std::set<std::vector<uint8_t>>& fingerprints) {
if (DBG) {
- ALOGD("PrivateDnsConfiguration::set(%u, %zu, %s, %zu)",
- netId, servers.size(), name.c_str(), fingerprints.size());
+ ALOGD("PrivateDnsConfiguration::set(%u, 0x%x, %zu, %s, %zu)", netId, mark,
+ servers.size(), name.c_str(), fingerprints.size());
}
const bool explicitlyConfigured = !name.empty() || !fingerprints.empty();
@@ -166,7 +168,7 @@
// Add any new or changed servers to the tracker, and initiate async checks for them.
for (const auto& server : tlsServers) {
if (needsValidation(tracker, server)) {
- validatePrivateDnsProvider(server, tracker, netId);
+ validatePrivateDnsProvider(server, tracker, netId, mark);
}
}
return 0;
@@ -234,7 +236,7 @@
private:
void validatePrivateDnsProvider(const DnsTlsServer& server, PrivateDnsTracker& tracker,
- unsigned netId) REQUIRES(mPrivateDnsLock) {
+ unsigned netId, uint32_t mark) REQUIRES(mPrivateDnsLock) {
if (DBG) {
ALOGD("validatePrivateDnsProvider(%s, %u)", addrToString(&(server.ss)).c_str(), netId);
}
@@ -245,7 +247,7 @@
addrToString(&(server.ss)).c_str(), tracker.size());
}
// Note that capturing |server| and |netId| in this lambda create copies.
- std::thread validate_thread([this, server, netId] {
+ std::thread validate_thread([this, server, netId, mark] {
// cat /proc/sys/net/ipv4/tcp_syn_retries yields "6".
//
// Start with a 1 minute delay and backoff to once per hour.
@@ -267,7 +269,7 @@
while (true) {
// ::validate() is a blocking call that performs network operations.
// It can take milliseconds to minutes, up to the SYN retry limit.
- const bool success = DnsTlsTransport::validate(server, netId);
+ const bool success = DnsTlsTransport::validate(server, netId, mark);
if (DBG) {
ALOGD("validateDnsTlsServer returned %d for %s", success,
addrToString(&(server.ss)).c_str());
@@ -510,7 +512,16 @@
return -EINVAL;
}
- const int err = sPrivateDnsConfiguration.set(netId, tlsServers, tlsName, tlsFingerprints);
+ // At private DNS validation time, we only know the netId, so we have to guess/compute the
+ // corresponding socket mark.
+ Fwmark fwmark;
+ fwmark.netId = netId;
+ fwmark.explicitlySelected = true;
+ fwmark.protectedFromVpn = true;
+ fwmark.permission = PERMISSION_SYSTEM;
+
+ const int err = sPrivateDnsConfiguration.set(netId, fwmark.intValue, tlsServers, tlsName,
+ tlsFingerprints);
if (err != 0) {
return err;
}