Server API to only allow networking by VPN apps
Secure virtual networks already create rules to route all traffic into
themselves. This depends on the secure network already existing.
API creates an ip rule at a priority level below SECURE_VPN which
can catch traffic before VPN comes up, if it is a requirement that no
traffic ever leaves without first going through VPN.
Bug: 26694104
Bug: 26354134
Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp
index 97b41b2..388b6b5 100644
--- a/server/NetdNativeService.cpp
+++ b/server/NetdNativeService.cpp
@@ -30,6 +30,8 @@
#include "DumpWriter.h"
#include "NetdConstants.h"
#include "NetdNativeService.h"
+#include "RouteController.h"
+#include "UidRanges.h"
using android::base::StringPrintf;
@@ -124,5 +126,31 @@
return binder::Status::ok();
}
+binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
+ const std::vector<UidRange>& uidRangeArray) {
+ // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
+ // it should be possible to use the same lock as NetworkController. However, every call through
+ // the CommandListener "network" command will need to hold this lock too, not just the ones that
+ // read/modify network internal state (that is sufficient for ::dump() because it doesn't
+ // look at routes, but it's not enough here).
+ NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
+
+ UidRanges uidRanges;
+ uidRanges.createFrom(uidRangeArray);
+
+ int err;
+ if (add) {
+ err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
+ } else {
+ err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
+ }
+
+ if (err != 0) {
+ return binder::Status::fromServiceSpecificError(-err,
+ String8::format("RouteController error: %s", strerror(-err)));
+ }
+ return binder::Status::ok();
+}
+
} // namespace net
} // namespace android
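Review bot: networkRejectNonSecureVpn (L24–L48) has no header comment stating its contract, although it is a new privileged Binder entry point whose effect is not obvious from the name; a short comment above the signature would help maintainers and auditors, e.g. `// Adds (add == true) or removes the given UID ranges to/from the ip rule that rejects traffic not routed through a secure VPN. Requires CONNECTIVITY_INTERNAL (checked by NETD_BIG_LOCK_RPC); returns a service-specific error carrying the errno from RouteController on failure.` The error mapping on L43–L45 assumes RouteController returns a negative errno: if either call ever returned a positive value, `-err` would produce a negative code and `strerror(-err)` an unknown-error string, so it is worth stating that convention in the comment or normalizing with `int e = err < 0 ? -err : err;` before building the Status. It is also not visible here whether UidRanges::createFrom validates the ranges it is given (start <= stop, non-empty input); if it does not, that check presumably belongs in this method before the rule is touched.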