Offer to detect non-SSL/TLS network traffic. Introduces new module that provides network-related features for the StrictMode developer API. The first feature offers to detect sockets sending data not wrapped inside a layer of SSL/TLS encryption. This carefully only adds overhead to UIDs that have requested detection, and it uses CONNMARK to quickly accept/reject packets from streams that have already been inspected. Detection is done by looking for a well-known TLS handshake header; it's not future proof, but it's a good start. Handles both IPv4 and IPv6. When requested, we also log the triggering packet through NFLOG and back up to the framework to aid investigation. Bug: 18335678 Change-Id: Ie8fab785139dfb55a71b6dc7a0f3c75a8408224b

commit: fbe497fcd808e4317572ad48c42545105309a347 [log] [tgz]
author: Jeff Sharkey <jsharkey@android.com> Tue Oct 28 16:50:07 2014 -0700
committer: Jeff Sharkey <jsharkey@android.com> Thu Jan 15 15:46:59 2015 -0800
tree: aceefeed8789d8a4145c4b467f98e10538d66f1a
parent: 1a3c689be29bfbe0c7f3eb3134e9b2a2208f839c [diff] [blame]
diff --git a/server/NetlinkHandler.h b/server/NetlinkHandler.h
index 83baa2b..bee52dc 100644
--- a/server/NetlinkHandler.h
+++ b/server/NetlinkHandler.h

@@ -46,5 +46,6 @@
     void notifyInterfaceDnsServers(const char *iface, const char *lifetime,
                                    const char *servers);
     void notifyRouteChange(int action, const char *route, const char *gateway, const char *iface);
+    void notifyStrictCleartext(const char* uid, const char* hex);
 };
 #endif
commit	fbe497fcd808e4317572ad48c42545105309a347	[log] [tgz]
author	Jeff Sharkey <jsharkey@android.com>	Tue Oct 28 16:50:07 2014 -0700
committer	Jeff Sharkey <jsharkey@android.com>	Thu Jan 15 15:46:59 2015 -0800
tree	aceefeed8789d8a4145c4b467f98e10538d66f1a
parent	1a3c689be29bfbe0c7f3eb3134e9b2a2208f839c [diff] [blame]