
Commit 048bc5ea authored by Patrick Rohr's avatar Patrick Rohr

Add Restricted Mode handling to NetworkPolicyManager

Adds Restricted Mode functionality to NetworkPolicyManager. When this
mode is turned on (via setting), only apps with
android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS will be able to
use the network. For all other apps, the network will be blocked by the
firewall. This is controlled by a new allowlist firewall chain
fw_restricted_mode.

As a first step, this implementation still requires a reboot after
enabling / disabling the mode for the change to take effect. I will
provide the dynamic configuration in the next CL.

Test: atest CtsHostsideNetworkTests && atest
NetworkPolicyManagerServiceTest
Bug: 170322816
Bug: 157505406
Bug: 170322455
Bug: 175281879

Exempt-From-Owner-Approval: Change already merged on internal gerrit.
Change-Id: I0731fa842c69683953baaf9ec3a9a03454f4c607
Merged-In: I0731fa842c69683953baaf9ec3a9a03454f4c607
parent e944af5b
+11 −2
@@ -122,17 +122,26 @@ public class NetworkPolicyManager {
     * @hide
     */
    public static final int RULE_REJECT_ALL = 1 << 6;
    /**
     * Reject traffic on all networks for restricted networking mode.
     */
    public static final int RULE_REJECT_RESTRICTED_MODE = 1 << 10;

    /**
     * Mask used to get the {@code RULE_xxx_METERED} rules
     * @hide
     */
    public static final int MASK_METERED_NETWORKS = 0b00001111;
    public static final int MASK_METERED_NETWORKS = 0b000000001111;
    /**
     * Mask used to get the {@code RULE_xxx_ALL} rules
     * @hide
     */
    public static final int MASK_ALL_NETWORKS     = 0b11110000;
    public static final int MASK_ALL_NETWORKS     = 0b000011110000;
    /**
     * Mask used to get the {@code RULE_xxx_RESTRICTED_MODE} rules
     * @hide
     */
    public static final int MASK_RESTRICTED_MODE_NETWORKS     = 0b111100000000;

    /** @hide */
    public static final int FIREWALL_RULE_DEFAULT = 0;
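Review bot: The Javadoc on the new `RULE_REJECT_RESTRICTED_MODE` declaration is the only one in this hunk without an `@hide` tag — `RULE_REJECT_ALL` above it and the three `MASK_*` constants all carry it. If that is unintentional, a public static final here would be exposed at whatever API surface this class is published on (the class header is outside the hunk, so I cannot confirm the class-level annotations from here), so I would write `/** Reject traffic on all networks for restricted networking mode. @hide */` unless exposure is deliberate, in which case a comment saying so would stop the next reader from "fixing" it. It would also help to note in that doc that the bit sits inside `MASK_RESTRICTED_MODE_NETWORKS` (bits 8–11), since the other rule groups are only documented through their masks. The enclosing class continues outside the hunk.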
+11 −0
@@ -14406,6 +14406,17 @@ public final class Settings {
         */
        public static final String NR_NSA_TRACKING_SCREEN_OFF_MODE =
                "nr_nsa_tracking_screen_off_mode";
        /**
         * Used to enable / disable the Restricted Networking Mode in which network access is
         * restricted to apps holding the CONNECTIVITY_USE_RESTRICTED_NETWORKS permission.
         *
         * Values are:
         * 0: disabled
         * 1: enabled
         * @hide
         */
        public static final String RESTRICTED_NETWORKING_MODE = "restricted_networking_mode";
    }
    /**
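Review bot: The Javadoc for `RESTRICTED_NETWORKING_MODE` documents the values but not when they are honoured: per the commit description, in this change the mode only takes effect after a reboot, so a caller that flips the global setting at runtime gets no change in enforcement until then — a surprising property for a setting whose purpose is to cut network access. I would state that in the doc, e.g. `Changes to this setting currently take effect only after a reboot.`, and link the exempting permission as `{@link android.Manifest.permission#CONNECTIVITY_USE_RESTRICTED_NETWORKS}` so readers can find who keeps connectivity. The validator entry added for this key elsewhere in the commit limits writes to 0/1, so the documented value list matches what is enforced.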
+1 −0
@@ -149,5 +149,6 @@ public class GlobalSettingsValidators {
        VALIDATORS.put(Global.CUSTOM_BUGREPORT_HANDLER_APP, ANY_STRING_VALIDATOR);
        VALIDATORS.put(Global.CUSTOM_BUGREPORT_HANDLER_USER, ANY_INTEGER_VALIDATOR);
        VALIDATORS.put(Global.DEVELOPMENT_SETTINGS_ENABLED, BOOLEAN_VALIDATOR);
        VALIDATORS.put(Global.RESTRICTED_NETWORKING_MODE, BOOLEAN_VALIDATOR);
    }
}
+1 −0
@@ -420,6 +420,7 @@ public class SettingsBackupTest {
                    Settings.Global.RADIO_WIMAX,
                    Settings.Global.RECOMMENDED_NETWORK_EVALUATOR_CACHE_EXPIRY_MS,
                    Settings.Global.READ_EXTERNAL_STORAGE_ENFORCED_DEFAULT,
                    Settings.Global.RESTRICTED_NETWORKING_MODE,
                    Settings.Global.REQUIRE_PASSWORD_TO_DECRYPT,
                    Settings.Global.SAFE_BOOT_DISALLOWED,
                    Settings.Global.SELINUX_STATUS,
+3 −0
@@ -78,6 +78,7 @@ public class NetworkPolicyLogger {
    static final int NTWK_BLOCKED_BG_RESTRICT = 5;
    static final int NTWK_ALLOWED_DEFAULT = 6;
    static final int NTWK_ALLOWED_SYSTEM = 7;
    static final int NTWK_BLOCKED_RESTRICTED_MODE = 8;

    private final LogBuffer mNetworkBlockedBuffer = new LogBuffer(MAX_NETWORK_BLOCKED_LOG_SIZE);
    private final LogBuffer mUidStateChangeBuffer = new LogBuffer(MAX_LOG_SIZE);
@@ -281,6 +282,8 @@ public class NetworkPolicyLogger {
                return "blocked when background is restricted";
            case NTWK_ALLOWED_DEFAULT:
                return "allowed by default";
            case NTWK_BLOCKED_RESTRICTED_MODE:
                return "blocked by restricted networking mode";
            default:
                return String.valueOf(reason);
        }