Block incoming non-VPN packets to apps under fully-routed VPN
When a fully-routed VPN is running, we want to prevent normal apps
under the VPN from receiving packets originating from any local non-VPN
interfaces. This is achieved by using eBPF to create a per-UID input
interface whitelist and populate the whitelist such that all
non-bypassable apps under a VPN can only receive packets from the VPN's
TUN interface (and loopback implicitly)
This is the Netd part of the change that auguments the existing UidOwner map
to include a new boolean to enable ingress interface filtering as well as
a new field per UID for the whitelisted interface index. The eBPF program
is updated to drop packets according to the ingress interface whitelist map
when present and enabled. This change also exposes two new netd Binder
interfaces to allow ConnectivityService to update the whitelist.
Test: system/netd/tests/runtests.sh
Bug: 114231106
Merged-In: I5e7ffb57f908e794ac8c10ad279cbc96bf3ad0d0
Change-Id: I5e7ffb57f908e794ac8c10ad279cbc96bf3ad0d0
(cherry picked from commit c2f6bd42a52b97ea8083c4799cab6164df0b2f6f)
8 files changed