Block incoming non-VPN packets to apps under fully-routed VPN

When a fully-routed VPN is running, we want to prevent normal apps
under the VPN from receiving packets originating from any local non-VPN
interfaces. This is achieved by using eBPF to create a per-UID input
interface whitelist and populate the whitelist such that all
non-bypassable apps under a VPN can only receive packets from the VPN's
TUN interface (and loopback implicitly).

This is the Netd part of the change that augments the existing UidOwner map
to include a new boolean to enable ingress interface filtering as well as
a new field per UID for the whitelisted interface index. The eBPF program
is updated to drop packets according to the ingress interface whitelist map
when present and enabled. This change also exposes two new netd Binder
interfaces to allow ConnectivityService to update the whitelist.

Test: system/netd/tests/runtests.sh
Bug: 114231106
Change-Id: I033c068a350af82023c2bf909e3b3e65d9952b66
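The following is an added C model of the mechanism the commit message describes, written for this review and not taken from netd or its eBPF program. It models both halves: the netd side that writes the per-UID interface whitelist into the UidOwner map, and the eBPF-side ingress decision that drops a packet when the owning UID is filtered and the packet did not arrive on the whitelisted interface or loopback. The flag bit values, the loopback ifindex of 1, the toy array-backed map and the function names (modelled on the `addUidInterfaceRules` / `removeUidInterfaceRules` declarations) are all assumptions. It also makes one design choice explicit: an interface index of 0 is rejected at insertion time, so a map entry can never say "filtering enabled" without naming an interface.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Per-UID value as the commit message describes it: match flags plus an
 * allowed ingress interface index. The bit values are assumptions. */
enum UidOwnerMatchType {
    NO_MATCH          = 0,
    PENALTY_BOX_MATCH = 1u << 0,  /* some other existing match, for illustration */
    IIF_MATCH         = 1u << 6,  /* ingress interface filtering enabled */
};

typedef struct {
    uint8_t  rule; /* bitmask of UidOwnerMatchType */
    uint32_t iif;  /* allowed ingress ifindex when IIF_MATCH is set, else 0 */
} UidOwnerValue;

#define LOOPBACK_IFINDEX 1u /* assumption: lo is ifindex 1, as on typical Linux */
#define MAP_CAPACITY 16     /* toy stand-in for the BPF hash map */

typedef struct {
    bool          used;
    uint32_t      uid;
    UidOwnerValue value;
} MapEntry;

typedef struct {
    MapEntry entries[MAP_CAPACITY];
} UidOwnerMap;

static MapEntry* map_find(UidOwnerMap* map, uint32_t uid) {
    for (size_t i = 0; i < MAP_CAPACITY; i++)
        if (map->entries[i].used && map->entries[i].uid == uid) return &map->entries[i];
    return NULL;
}

static MapEntry* map_insert(UidOwnerMap* map, uint32_t uid, UidOwnerValue v) {
    for (size_t i = 0; i < MAP_CAPACITY; i++) {
        if (!map->entries[i].used) {
            map->entries[i] = (MapEntry){ .used = true, .uid = uid, .value = v };
            return &map->entries[i];
        }
    }
    return NULL; /* map full */
}

/* netd side: model of addUidInterfaceRules. Refuses ifindex 0 so that
 * "IIF_MATCH set but iif == 0" can never be written into the map. */
int add_uid_interface_rules(UidOwnerMap* map, uint32_t ifindex, const uint32_t* uids, size_t n) {
    if (ifindex == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        MapEntry* e = map_find(map, uids[i]);
        if (e == NULL) {
            UidOwnerValue empty = { .rule = NO_MATCH, .iif = 0 };
            e = map_insert(map, uids[i], empty);
            if (e == NULL) return -1;
        }
        e->value.rule |= IIF_MATCH;  /* preserves any other match bits */
        e->value.iif = ifindex;
    }
    return 0;
}

/* netd side: model of removeUidInterfaceRules. Clears only the IIF state and
 * drops the entry when no other match remains, so the map does not keep
 * dead entries around. Missing UIDs are ignored, making removal idempotent. */
int remove_uid_interface_rules(UidOwnerMap* map, const uint32_t* uids, size_t n) {
    for (size_t i = 0; i < n; i++) {
        MapEntry* e = map_find(map, uids[i]);
        if (e == NULL) continue;
        e->value.rule &= (uint8_t)~IIF_MATCH;
        e->value.iif = 0;
        if (e->value.rule == NO_MATCH) e->used = false;
    }
    return 0;
}

enum { VERDICT_DROP = 0, VERDICT_PASS = 1 };

/* eBPF side: ingress decision for a packet owned by `uid` that arrived on
 * `skb_ifindex`. Unfiltered UIDs and loopback traffic always pass. */
int ingress_verdict(UidOwnerMap* map, uint32_t uid, uint32_t skb_ifindex) {
    const MapEntry* e = map_find(map, uid);
    if (e == NULL || !(e->value.rule & IIF_MATCH)) return VERDICT_PASS; /* not filtered */
    if (skb_ifindex == LOOPBACK_IFINDEX) return VERDICT_PASS;          /* loopback implicitly allowed */
    return skb_ifindex == e->value.iif ? VERDICT_PASS : VERDICT_DROP;
}
```

The ingress check is deliberately the last thing evaluated, after the "is this UID filtered at all" lookup, so UIDs with no entry (the bypassable apps the message mentions) pay only one map lookup and are never affected by the whitelist.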
diff --git a/server/TrafficController.h b/server/TrafficController.h
index e0a4017..454712b 100644
--- a/server/TrafficController.h
+++ b/server/TrafficController.h
@@ -106,6 +106,9 @@
 
     netdutils::Status replaceUidsInMap(UidOwnerMatchType match, const std::vector<int32_t>& uids);
 
+    netdutils::Status addUidInterfaceRules(const int ifIndex, const std::vector<int32_t>& uids);
+    netdutils::Status removeUidInterfaceRules(const std::vector<int32_t>& uids);
+
     netdutils::Status updateUidOwnerMap(const std::vector<std::string>& appStrUids,
                                         BandwidthController::IptJumpOp jumpHandling,
                                         BandwidthController::IptOp op);
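Review bot: `addUidInterfaceRules(const int ifIndex, ...)` takes the interface index as a signed `int`, while `addMatch` later in this header stores it as `uint32_t iif`; a negative or out-of-range value would be silently converted on the way into the map. Suggest `uint32_t ifIndex` (or an explicit `ifIndex > 0` check in the implementation, since 0 is not a valid ifindex), and drop the top-level `const`, which has no effect on a by-value parameter in a declaration. Both new methods would also benefit from a short comment stating that they back the two new Binder calls and what "removing" does to a UID that has other matches.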
@@ -188,7 +191,7 @@
     /*
      * mUidOwnerMap: Store uids that are used for bandwidth control uid match.
      */
-    BpfMap<uint32_t, uint8_t> mUidOwnerMap GUARDED_BY(mOwnerMatchMutex);
+    BpfMap<uint32_t, UidOwnerValue> mUidOwnerMap GUARDED_BY(mOwnerMatchMutex);
 
     /*
      * mUidOwnerMap: Store uids that are used for INTERNET permission check.
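Review bot: the comment above `mUidOwnerMap` ("Store uids that are used for bandwidth control uid match") is now stale, since the value type changes from `uint8_t` to `UidOwnerValue`, which per the commit message also carries the ingress-interface whitelist entry; update it to describe both the match bits and the interface index. The next comment block also calls its map `mUidOwnerMap` even though it documents the INTERNET permission check; fix that name while here. `UidOwnerValue` is not declared anywhere in this hunk, so please confirm it lives in a header shared with the eBPF program so both sides agree on the struct layout.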
@@ -197,11 +200,12 @@
 
     std::unique_ptr<NetlinkListenerInterface> mSkDestroyListener;
 
-    netdutils::Status removeMatch(BpfMap<uint32_t, uint8_t>& map, uint32_t uid,
+    netdutils::Status removeMatch(BpfMap<uint32_t, UidOwnerValue>& map, uint32_t uid,
                                   UidOwnerMatchType match) REQUIRES(mOwnerMatchMutex);
 
-    netdutils::Status addMatch(BpfMap<uint32_t, uint8_t>& map, uint32_t uid,
-                               UidOwnerMatchType match) REQUIRES(mOwnerMatchMutex);
+    netdutils::Status addMatch(BpfMap<uint32_t, UidOwnerValue>& map, uint32_t uid,
+                               UidOwnerMatchType match, uint32_t iif = 0)
+            REQUIRES(mOwnerMatchMutex);
 
     bpf::BpfLevel mBpfLevel;
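Review bot: `addMatch` gains `uint32_t iif = 0` with 0 doing double duty as "no interface given" and as a sentinel in the map, but `removeMatch` is unchanged, so it is not visible here whether clearing the IIF match also resets the stored `iif`. Suggest a comment on `addMatch` documenting the 0 sentinel, and confirming that `removeMatch` zeroes `iif` when it clears the interface-match bit so a later non-IIF `addMatch` (which leaves `iif` at its default) cannot revive a stale index.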