Offer to detect non-SSL/TLS network traffic.
Introduces a new module that provides network-related features for
the StrictMode developer API. The first feature offers to detect
sockets sending data not wrapped inside a layer of SSL/TLS
encryption.
This carefully only adds overhead to UIDs that have requested
detection, and it uses CONNMARK to quickly accept/reject packets
from streams that have already been inspected. Detection is done
by looking for a well-known TLS handshake header; it's not future
proof, but it's a good start. Handles both IPv4 and IPv6.
When requested, we also log the triggering packet through NFLOG and
back up to the framework to aid investigation.
Bug: 18335678
Change-Id: Ie8fab785139dfb55a71b6dc7a0f3c75a8408224b
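The commit message describes the detection as a look at a "well-known TLS handshake header" on the first packets of a stream. The C++ below is an added example, not netd's own code and not part of this patch: it shows what that test amounts to in user space, namely checking the 5-byte TLS record header (content type 0x16, record-layer version 0x03xx, sane length) followed by a ClientHello handshake type, and it shows why the commit message calls the approach "not future proof". Function names, the `TlsCheck` enum and the sample byte strings are all constructed for this illustration; the real patch applies the equivalent match in netfilter rules.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Result of looking at the first bytes a socket sends on a fresh stream.
// (Hypothetical type, assumed for this example; netd does not define it.)
enum class TlsCheck { NotTls, Tls, NeedMoreData };

namespace {
constexpr uint8_t kContentTypeHandshake = 0x16;  // TLS record content type: Handshake
constexpr uint8_t kHandshakeClientHello = 0x01;  // HandshakeType: client_hello
constexpr size_t kRecordHeaderLen = 5;           // type(1) + version(2) + length(2)
constexpr size_t kMaxPlaintextRecord = 16384;    // RFC 5246 6.2.1: fragment <= 2^14
}  // namespace

// Classify the start of a stream. Only the fixed part of the record header
// and the first handshake byte are examined; anything that does not look
// like an SSL 3.0 / TLS 1.x ClientHello counts as "not TLS".
TlsCheck classifyFirstBytes(const uint8_t* data, size_t len) {
    if (len < kRecordHeaderLen + 1) return TlsCheck::NeedMoreData;
    if (data[0] != kContentTypeHandshake) return TlsCheck::NotTls;
    // Record-layer version 0x0300..0x0303 covers SSL 3.0 through TLS 1.2;
    // TLS 1.3 keeps 0x0301/0x0303 here for compatibility (RFC 8446 5.1).
    if (data[1] != 0x03 || data[2] > 0x03) return TlsCheck::NotTls;
    const size_t recordLen = (static_cast<size_t>(data[3]) << 8) | data[4];
    if (recordLen == 0 || recordLen > kMaxPlaintextRecord) return TlsCheck::NotTls;
    if (data[5] != kHandshakeClientHello) return TlsCheck::NotTls;
    return TlsCheck::Tls;
}

TlsCheck classifyFirstBytes(const std::vector<uint8_t>& bytes) {
    return classifyFirstBytes(bytes.data(), bytes.size());
}

// Constructed sample inputs for the example (not captured traffic).
std::vector<uint8_t> sampleClientHelloPrefix() {
    // Record: Handshake, legacy version TLS 1.0, length 0xf1; then the
    // ClientHello handshake header and client_version TLS 1.2.
    return {0x16, 0x03, 0x01, 0x00, 0xf1, 0x01, 0x00, 0x00, 0xed, 0x03, 0x03};
}
std::vector<uint8_t> samplePlainHttp() {
    const std::string s = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
    return std::vector<uint8_t>(s.begin(), s.end());
}
std::vector<uint8_t> sampleTruncated() {
    return {0x16, 0x03, 0x01};  // too short to decide either way
}
std::vector<uint8_t> sampleSslv2Hello() {
    // SSLv2-style ClientHello (high bit set in the first byte). Deliberately
    // not recognised: one example of how a fixed-header test is not
    // future (or past) proof and will flag some encrypted streams.
    return {0x80, 0x2e, 0x01, 0x00, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00, 0x10};
}
```

A stream classified `NeedMoreData` is the case the CONNMARK bookkeeping in the commit message has to cover: the first packet was too short to decide, so the connection must stay unmarked and be re-inspected rather than accepted as "already inspected".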
diff --git a/server/NetlinkManager.h b/server/NetlinkManager.h
index 5187a59..2bfaee9 100644
--- a/server/NetlinkManager.h
+++ b/server/NetlinkManager.h
@@ -32,9 +32,11 @@
NetlinkHandler *mUeventHandler;
NetlinkHandler *mRouteHandler;
NetlinkHandler *mQuotaHandler;
+ NetlinkHandler *mStrictHandler;
int mUeventSock;
int mRouteSock;
int mQuotaSock;
+ int mStrictSock;
public:
virtual ~NetlinkManager();
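Review bot: the new `mStrictHandler` / `mStrictSock` members are declared here but this hunk shows nothing that initialises or tears them down; please make sure NetlinkManager.cpp sets `mStrictHandler` (ideally to NULL in the constructor) and closes `mStrictSock` alongside the existing `mQuotaHandler` / `mQuotaSock` handling, so the destructor and any start/stop paths treat the strict socket symmetrically with the other three.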
@@ -47,11 +49,10 @@
static NetlinkManager *Instance();
- /* This is the nflog group arg that the xt_quota2 neftiler will use. */
+ /* Group used by xt_quota2 */
static const int NFLOG_QUOTA_GROUP;
-
- /* This is the group that the xt_IDLETIMER netfilter will use. */
- static const int IDLETIMER_GROUP;
+ /* Group used by StrictController rules */
+ static const int NETFILTER_STRICT_GROUP;
private:
NetlinkManager();
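Review bot: `IDLETIMER_GROUP` is removed here without any mention in the commit message; confirm that no remaining code references it (the hunk only shows the header), or split that removal into its own change so it can be reverted independently. Also consider naming the new constant `NFLOG_STRICT_GROUP` to match `NFLOG_QUOTA_GROUP`, since the commit message says the triggering packet is logged through NFLOG; the comment "Group used by StrictController rules" could then say which netfilter target (NFLOG) it is the group for.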