Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / a04ffa7f20ab0b962ac153075fd5fe34de15f92f^! / . / server / NetdNativeService.cpp
commita04ffa7f20ab0b962ac153075fd5fe34de15f92f[log] [tgz]
authorBenedict Wong <benedictwong@google.com>Wed May 09 21:42:42 2018 -0700
committerBenedict Wong <benedictwong@google.com>Thu Aug 30 11:22:41 2018 -0700
tree083fb1d84f31506325a1d42aac5471c304dcdb82
parentad600cb86a32f490a6d2855fc32fb480edc0360b [diff] [blame]
Use independent address families for SP selector and template

This patch allows Security Policy selectors and templates to have
different address families, allowing for wildcard selectors, but
specified templates. This is required for IPsec tunnel mode to work
properly, as selectors match inner addresses (and thus must be dual
IPv4/IPv6), while templates match outer addresses.

Bug: 79384676
Test: CTS tests passing, ip xfrm monitor shows correct results
Change-Id: I60214e17f50f91deb1ffdc71158131d237d1e642

diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp
index c8e0c7e..c0ca209 100644
--- a/server/NetdNativeService.cpp
+++ b/server/NetdNativeService.cpp

@@ -601,7 +601,8 @@
                     socket));
 }
 
-binder::Status NetdNativeService::ipSecAddSecurityPolicy(int32_t transformId, int32_t direction,
+binder::Status NetdNativeService::ipSecAddSecurityPolicy(int32_t transformId, int32_t selAddrFamily,
+                                                         int32_t direction,
                                                          const std::string& tmplSrcAddress,
                                                          const std::string& tmplDstAddress,
                                                          int32_t spi, int32_t markValue,
@@ -610,10 +611,13 @@
     ENFORCE_PERMISSION(NETWORK_STACK);
     gLog.log("ipSecAddSecurityPolicy()");
     return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityPolicy(
-            transformId, direction, tmplSrcAddress, tmplDstAddress, spi, markValue, markMask));
+            transformId, selAddrFamily, direction, tmplSrcAddress, tmplDstAddress, spi, markValue,
+            markMask));
 }
 
-binder::Status NetdNativeService::ipSecUpdateSecurityPolicy(int32_t transformId, int32_t direction,
+binder::Status NetdNativeService::ipSecUpdateSecurityPolicy(int32_t transformId,
+                                                            int32_t selAddrFamily,
+                                                            int32_t direction,
                                                             const std::string& tmplSrcAddress,
                                                             const std::string& tmplDstAddress,
                                                             int32_t spi, int32_t markValue,
@@ -622,18 +626,19 @@
     ENFORCE_PERMISSION(NETWORK_STACK);
     gLog.log("ipSecAddSecurityPolicy()");
     return asBinderStatus(gCtls->xfrmCtrl.ipSecUpdateSecurityPolicy(
-            transformId, direction, tmplSrcAddress, tmplDstAddress, spi, markValue, markMask));
+            transformId, selAddrFamily, direction, tmplSrcAddress, tmplDstAddress, spi, markValue,
+            markMask));
 }
 
-binder::Status NetdNativeService::ipSecDeleteSecurityPolicy(int32_t transformId, int32_t direction,
-                                                            const std::string& tmplSrcAddress,
-                                                            const std::string& tmplDstAddress,
-                                                            int32_t markValue, int32_t markMask) {
+binder::Status NetdNativeService::ipSecDeleteSecurityPolicy(int32_t transformId,
+                                                            int32_t selAddrFamily,
+                                                            int32_t direction, int32_t markValue,
+                                                            int32_t markMask) {
     // Necessary locking done in IpSecService and kernel
     ENFORCE_PERMISSION(NETWORK_STACK);
     gLog.log("ipSecAddSecurityPolicy()");
     return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityPolicy(
-            transformId, direction, tmplSrcAddress, tmplDstAddress, markValue, markMask));
+            transformId, selAddrFamily, direction, markValue, markMask));
 }
 
 binder::Status NetdNativeService::addVirtualTunnelInterface(