Improve error return values on network selection.
It's very confusing to see EPERM when opening or connecting a
socket when the problem is not security-related. In the (common)
case where an app cannot select a network because it does not
exist, return ENONET ("Machine is not on network") instead.
Also, return EREMOTEIO when we can't figure out who the user
is, and use EPERM for VPN denials and EACCES for permission
bits.
Bug: 17702933
Change-Id: Ia680c485e0ea1efad1ad374231d994e9bfd4cd5a
diff --git a/server/FwmarkServer.cpp b/server/FwmarkServer.cpp
index 8bf8b71..b11e075 100644
--- a/server/FwmarkServer.cpp
+++ b/server/FwmarkServer.cpp
@@ -151,11 +151,13 @@
fwmark.explicitlySelected = false;
fwmark.protectedFromVpn = false;
permission = PERMISSION_NONE;
- } else if (mNetworkController->canUserSelectNetwork(client->getUid(), command.netId)) {
+ } else {
+ if (int ret = mNetworkController->checkUserNetworkAccess(client->getUid(),
+ command.netId)) {
+ return ret;
+ }
fwmark.explicitlySelected = true;
fwmark.protectedFromVpn = mNetworkController->canProtect(client->getUid());
- } else {
- return -EPERM;
}
break;
}
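Review bot: The deny decision on the new `else` branch now rests entirely on `checkUserNetworkAccess()` returning non-zero for every refusal, and whatever it returns goes straight back to the client, where the old code failed closed with an explicit `return -EPERM`. The callee is not visible here, so presumably it returns 0 or a negative errno; a comment at the call site would pin that contract, e.g. `// 0 = allowed; otherwise a negative errno, returned to the client unchanged`. Per the commit message the codes now differ for a missing network, a VPN denial and missing permission bits, so the return value discloses to any caller whether a netId exists or is blocked by a VPN; it is worth confirming that this is acceptable for unprivileged apps. The enclosing switch case and function begin and end outside this hunk.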