Remove explicitlySelected bit for vpn fallthrough rule
Previously, netd used the explicitlySelected bit to ensure that
the VPN fallthrough rule does not match if a non-zero NetId was
explicitly specified. This is inconsistent with the normal case
of an application that is subject to the VPN, because in that case,
the fallthrough rule does match.
This commit removes the explicitlySelected bit and relaxes the guarantee.
This ensures that the behaviour of an app that selects the VPN network
is the same as the behaviour of an app that specifies no network but
is subject to the VPN.
VPN traffic will fall through to the default network if no route is hit in the VPN
route table.
Assume vpn netId is 102, default network interface is wlan0 with no
permission. Below is the resulting routing rule before/after this commit.
Before:
21000: from all fwmark 0x10066/0x1ffff lookup wlan0
After:
21000: from all fwmark 0x66/0xffff lookup wlan0
Bug: 119216095
Test: built, flashed, booted
system/netd/tests/runtests.sh
Change-Id: I03411644dc82cabcaf1f3274a17f36ec4e173c2e
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index f7cb8dd..1e4894f 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -206,9 +206,8 @@
if (checkUserNetworkAccessLocked(uid, *netId) == 0) {
// If a non-zero NetId was explicitly specified, and the user has permission for that
- // network, use that network's DNS servers. Do not fall through to the default network even
- // if the explicitly selected network is a split tunnel VPN: the explicitlySelected bit
- // ensures that the VPN fallthrough rule does not match.
+ // network, use that network's DNS servers. (possibly falling through the to the default
+ // network if the VPN doesn't provide a route to them).
fwmark.explicitlySelected = true;
// If the network is a VPN and it doesn't have DNS servers, use the default network's DNS
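Review bot: the replacement comment on the `+` lines has a typo ("falling through the to the default") and now reads as a stray parenthetical after a full stop; fold it into the preceding sentence, e.g. "network, use that network's DNS servers (possibly falling through to the default network if the VPN doesn't provide a route to them)." Since the unchanged `fwmark.explicitlySelected = true;` directly below still sets the bit, it would also help to say in this comment that the bit no longer affects the fallthrough rule (per the commit message), so a reader does not assume the old "no fallthrough when explicitly selected" guarantee still holds.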
@@ -222,8 +221,8 @@
} else {
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers
// (possibly falling through to the default network if the VPN doesn't provide a route to
- // them). Otherwise, use the default network's DNS servers. We cannot set the explicit bit
- // because we need to be able to fall through a split tunnel to the default network.
+ // them). Otherwise, use the default network's DNS servers.
+ // TODO: Consider if we should set the explicit bit here.
VirtualNetwork* virtualNetwork = getVirtualNetworkForUserLocked(uid);
if (virtualNetwork && RESOLV_STUB.resolv_has_nameservers(virtualNetwork->getNetId())) {
*netId = virtualNetwork->getNetId();
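Review bot: the removed lines explained why the explicit bit is not set here (to allow fall-through past a split-tunnel VPN), and the new `// TODO: Consider if we should set the explicit bit here.` drops that rationale without replacing it. Given the commit message states the fallthrough rule no longer depends on explicitlySelected, the TODO should say what setting the bit would still change in this branch, or the old one-line rationale should be kept so the unselected case stays documented rather than left as an open question.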