Offer to detect non-SSL/TLS network traffic.

Introduces new module that provides network-related features for
the StrictMode developer API.  The first feature offers to detect
sockets sending data not wrapped inside a layer of SSL/TLS
encryption.

This carefully only adds overhead to UIDs that have requested
detection, and it uses CONNMARK to quickly accept/reject packets
from streams that have already been inspected.  Detection is done
by looking for a well-known TLS handshake header; it's not future
proof, but it's a good start.  Handles both IPv4 and IPv6.

When requested, we also log the triggering packet through NFLOG and
back up to the framework to aid investigation.

Bug: 18335678
Change-Id: Ie8fab785139dfb55a71b6dc7a0f3c75a8408224b
diff --git a/server/NetlinkHandler.cpp b/server/NetlinkHandler.cpp
index 6c81c18..0a5a3f0 100644
--- a/server/NetlinkHandler.cpp
+++ b/server/NetlinkHandler.cpp
@@ -109,6 +109,11 @@
         const char *iface = evt->findParam("INTERFACE");
         notifyQuotaLimitReached(alertName, iface);
 
+    } else if (!strcmp(subsys, "strict")) {
+        const char *uid = evt->findParam("UID");
+        const char *hex = evt->findParam("HEX");
+        notifyStrictCleartext(uid, hex);
+
     } else if (!strcmp(subsys, "xt_idletimer")) {
         const char *label = evt->findParam("INTERFACE");
         const char *state = evt->findParam("STATE");
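Review bot: In the new "strict" branch, the results of evt->findParam("UID") and evt->findParam("HEX") are passed straight to notifyStrictCleartext() with no check that either parameter was present in the event. If findParam can return NULL for a missing key, that pointer ends up as a "%s" argument in the notify call. Suggest guarding the call, for example `if (uid && hex) notifyStrictCleartext(uid, hex);`, and logging or dropping the event otherwise.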
@@ -196,3 +201,7 @@
            *iface ? " dev " : "",
            iface);
 }
+
+void NetlinkHandler::notifyStrictCleartext(const char* uid, const char* hex) {
+    notify(ResponseCode::StrictCleartext, "%s %s", uid, hex);
+}
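Review bot: notifyStrictCleartext() has no comment describing the message it emits, and the "%s %s" format only parses unambiguously on the receiving side if neither uid nor hex contains a space. Suggest a short comment above the function stating what each field holds (the UID of the offending app and the hex dump of the triggering packet, per the commit message) and that the fields are space-separated. Since hex carries packet contents, it is also worth noting here whether its length is bounded before it reaches notify().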