[ipsec-doze] Add fchown capabilities, and fw rules
Add firewall rules so that, in doze mode, ESP packets and no-socket packets can still be sent and received. No-socket packets are no security risk because they are either being forwarded, about to be forwarded, or will be dropped by the routing tables (unless they are ESP).
Bug: 62994731
Test: New tests added, run
Change-Id: I2d8704498b564403d94123e4938091dee8fb98c1
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
index 74dbbad..c1f43eb 100644
--- a/server/FirewallControllerTest.cpp
+++ b/server/FirewallControllerTest.cpp
@@ -54,6 +54,8 @@
"*filter",
":fw_whitelist -",
"-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
+ "-A fw_whitelist -m owner ! --uid-owner 0-4294967294 -j RETURN",
+ "-A fw_whitelist -p esp -j RETURN",
"-A fw_whitelist -i lo -j RETURN",
"-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
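Review bot: The new expected rule `"-A fw_whitelist -m owner ! --uid-owner 0-4294967294 -j RETURN"` exempts every packet the owner match cannot attribute to a local socket, and nothing in the test records why that is acceptable; the rationale lives only in the commit description. A comment above the added line, `// No socket owner: forwarded/to-be-forwarded traffic and ESP are exempt (bug 62994731)`, would keep that reasoning next to the expectation that locks it in. The same two lines are added in the hunks at @@ -64 and @@ -163, so the comment applies there too. If I read the owner match correctly, the negated range would also admit a socket whose uid is 4294967295 (the overflow uid), which is worth confirming is intended rather than incidental. Only the test expectations are visible in this chunk — the rule emitter in FirewallController.cpp is not — and the enclosing expected-rule array starts and ends outside the hunk.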
@@ -64,6 +66,8 @@
"*filter",
":fw_whitelist -",
"-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
+ "-A fw_whitelist -m owner ! --uid-owner 0-4294967294 -j RETURN",
+ "-A fw_whitelist -p esp -j RETURN",
"-A fw_whitelist -i lo -j RETURN",
"-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
@@ -163,6 +167,8 @@
"-A FW_whitechain -m owner --uid-owner 210153 -j RETURN\n"
"-A FW_whitechain -m owner --uid-owner 210024 -j RETURN\n"
"-A FW_whitechain -m owner --uid-owner 0-9999 -j RETURN\n"
+ "-A FW_whitechain -m owner ! --uid-owner 0-4294967294 -j RETURN\n"
+ "-A FW_whitechain -p esp -j RETURN\n"
"-A FW_whitechain -i lo -j RETURN\n"
"-A FW_whitechain -o lo -j RETURN\n"
"-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"