Server API to only allow networking by VPN apps
Secure virtual networks already create rules to route all traffic into
themselves. This depends on the secure network already existing.
API creates an ip rule at a priority level below SECURE_VPN which
can catch traffic before VPN comes up, if it is a requirement that no
traffic ever leaves without first going through VPN.
Bug: 26694104
Bug: 26354134
Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index a087a12..1e17509 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -47,6 +47,7 @@
const uint32_t RULE_PRIORITY_VPN_OVERRIDE_SYSTEM = 10000;
const uint32_t RULE_PRIORITY_VPN_OVERRIDE_OIF = 10500;
const uint32_t RULE_PRIORITY_VPN_OUTPUT_TO_LOCAL = 11000;
+const uint32_t RULE_PRIORITY_PROHIBIT_NON_VPN = 11500;
const uint32_t RULE_PRIORITY_SECURE_VPN = 12000;
const uint32_t RULE_PRIORITY_EXPLICIT_NETWORK = 13000;
const uint32_t RULE_PRIORITY_OUTPUT_INTERFACE = 14000;
@@ -768,6 +769,24 @@
return modifyImplicitNetworkRule(netId, table, permission, add);
}
+WARN_UNUSED_RESULT int modifyRejectNonSecureNetworkRule(const UidRanges& uidRanges, bool add) {
+ Fwmark fwmark;
+ Fwmark mask;
+ fwmark.protectedFromVpn = false;
+ mask.protectedFromVpn = true;
+
+ for (const UidRanges::Range& range : uidRanges.getRanges()) {
+ if (int ret = modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE,
+ RULE_PRIORITY_PROHIBIT_NON_VPN, FR_ACT_PROHIBIT, RT_TABLE_UNSPEC,
+ fwmark.intValue, mask.intValue, IIF_LOOPBACK, OIF_NONE,
+ range.first, range.second)) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
WARN_UNUSED_RESULT int modifyVirtualNetwork(unsigned netId, const char* interface,
const UidRanges& uidRanges, bool secure, bool add,
bool modifyNonUidBasedRules) {
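Review bot: modifyRejectNonSecureNetworkRule returns on the first failing range, so when uidRanges holds several ranges a mid-loop error leaves the earlier ranges' PROHIBIT rules installed (or, with add == false, already removed) while the caller only sees a non-zero return; the wrappers added in the next hunk propagate that error without undoing the partial change, so either this function should roll back the ranges it already modified or the contract should be written down. The rule's semantics are also not documented anywhere in the hunk: it matches the UID range only when the fwmark's protectedFromVpn bit is clear and uses FR_ACT_PROHIBIT at RULE_PRIORITY_PROHIBIT_NON_VPN, which numerically sits between RULE_PRIORITY_VPN_OUTPUT_TO_LOCAL and RULE_PRIORITY_SECURE_VPN and therefore is evaluated ahead of the secure VPN's own rules. A header comment such as `// Prohibits output traffic from UIDs in |uidRanges| whose fwmark is not marked protectedFromVpn. Sits ahead of RULE_PRIORITY_SECURE_VPN so the block holds before the VPN's rules exist;` followed by `// on failure, ranges processed before the failing one are left modified.` would let a reader verify the intent against the priority table. Presumably the VPN_OUTPUT_TO_LOCAL rule at 11000 still admits local-destined traffic ahead of this block, but that is not visible here and is worth confirming and stating in the comment.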
@@ -1045,6 +1064,14 @@
return modifyPhysicalNetwork(netId, interface, oldPermission, ACTION_DEL);
}
+int RouteController::addUsersToRejectNonSecureNetworkRule(const UidRanges& uidRanges) {
+ return modifyRejectNonSecureNetworkRule(uidRanges, true);
+}
+
+int RouteController::removeUsersFromRejectNonSecureNetworkRule(const UidRanges& uidRanges) {
+ return modifyRejectNonSecureNetworkRule(uidRanges, false);
+}
+
int RouteController::addUsersToVirtualNetwork(unsigned netId, const char* interface, bool secure,
const UidRanges& uidRanges) {
return modifyVirtualNetwork(netId, interface, uidRanges, secure, ACTION_ADD,