[ipsec-doze] Add fchown capabilities, and fw rules
Add firewall rules that allow ESP packets and packets with no owning socket
to be sent/received while in doze mode. No-socket packets pose no security
risk because they are either forwarded, about to be forwarded, or will be
dropped at the routing tables (unless they are ESP).
Bug: 62994731
Test: New tests added, run
Change-Id: I2d8704498b564403d94123e4938091dee8fb98c1
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index f5da069..dc4fa36 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -16,6 +16,7 @@
#include <set>
+#include <cstdint>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
@@ -266,6 +267,14 @@
// Always whitelist system UIDs.
StringAppendF(&commands,
"-A %s -m owner --uid-owner %d-%d -j RETURN\n", name, 0, MAX_SYSTEM_UID);
+
+ // This rule inverts the match for all UIDs; ie, if there is no UID match here,
+ // there is no socket to be found
+ StringAppendF(&commands,
+ "-A %s -m owner ! --uid-owner %d-%u -j RETURN\n", name, 0, UINT32_MAX-1);
+
+ // Always whitelist traffic with protocol ESP, or no known socket - required for IPSec
+ StringAppendF(&commands, "-A %s -p esp -j RETURN\n", name);
}
// Always allow networking on loopback.
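Review bot: The inverted owner match in `"-A %s -m owner ! --uid-owner %d-%u -j RETURN\n"` exempts every packet that has no owning socket from this UID chain, not only IPsec-related traffic — as far as I can tell forwarded packets and kernel-generated ones (ICMP errors, TCP resets and the like) match it too, since a socketless skb satisfies the inverted owner match — so the comment above it should state that scope, e.g. `// Packets with no owning socket (forwarded or kernel-generated) never match a UID range; the inverted match whitelists them so IPsec-tunnelled traffic is not blocked by this chain.` The upper bound `UINT32_MAX-1` also deserves a one-line comment saying why `UINT32_MAX` itself is excluded (presumably because it is the invalid-uid sentinel and the largest value the iptables owner match accepts — worth confirming). The comment on the ESP rule still says "or no known socket" although the no-socket rule now sits above it with its own comment; either fold the two comments into one or drop that clause so each comment describes the rule beneath it. Minor wording: "ie," in the first added comment should be "i.e.,". The enclosing function begins outside this hunk.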