[ipsec-doze] Add fchown capabilities, and fw rules
Add some firewall rules to allow doze mode packets to be sent/received
on ESP & no-socket packets. No-socket packets pose no security risk
because they are either forwarded, going to be forwarded, or will be
dropped at routing tables (unless they are ESP).
Bug: 62994731
Test: New tests added, run
Change-Id: I2d8704498b564403d94123e4938091dee8fb98c1
diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp
index 0afecde..0cb740f 100644
--- a/server/NetdNativeService.cpp
+++ b/server/NetdNativeService.cpp
@@ -393,6 +393,16 @@
: binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT);
}
+binder::Status NetdNativeService::ipSecSetEncapSocketOwner(const android::base::unique_fd& socket,
+ int newUid) {
+ ENFORCE_PERMISSION(NETWORK_STACK)
+ ALOGD("ipSecSetEncapSocketOwner()");
+
+ uid_t callerUid = IPCThreadState::self()->getCallingUid();
+ return asBinderStatus(gCtls->xfrmCtrl.ipSecSetEncapSocketOwner(socket, newUid, callerUid));
+}
+
+
binder::Status NetdNativeService::ipSecAllocateSpi(
int32_t transformId,
int32_t direction,