Loading core/java/android/net/NetworkPolicyManager.java +8 −8 Original line number Diff line number Diff line Loading @@ -91,16 +91,16 @@ public class NetworkPolicyManager { public static final int MASK_ALL_NETWORKS = 0b11110000; public static final int FIREWALL_RULE_DEFAULT = 0; public static final int FIREWALL_RULE_ALLOW = 1; public static final int FIREWALL_RULE_DENY = 2; public static final int FIREWALL_RULE_ALLOW = INetd.FIREWALL_RULE_ALLOW; public static final int FIREWALL_RULE_DENY = INetd.FIREWALL_RULE_DENY; public static final int FIREWALL_TYPE_WHITELIST = 0; public static final int FIREWALL_TYPE_BLACKLIST = 1; public static final int FIREWALL_TYPE_WHITELIST = INetd.FIREWALL_WHITELIST; public static final int FIREWALL_TYPE_BLACKLIST = INetd.FIREWALL_BLACKLIST; public static final int FIREWALL_CHAIN_NONE = 0; public static final int FIREWALL_CHAIN_DOZABLE = 1; public static final int FIREWALL_CHAIN_STANDBY = 2; public static final int FIREWALL_CHAIN_POWERSAVE = 3; public static final int FIREWALL_CHAIN_NONE = INetd.FIREWALL_CHAIN_NONE; public static final int FIREWALL_CHAIN_DOZABLE = INetd.FIREWALL_CHAIN_DOZABLE; public static final int FIREWALL_CHAIN_STANDBY = INetd.FIREWALL_CHAIN_STANDBY; public static final int FIREWALL_CHAIN_POWERSAVE = INetd.FIREWALL_CHAIN_POWERSAVE; public static final String FIREWALL_CHAIN_NAME_NONE = "none"; public static final String FIREWALL_CHAIN_NAME_DOZABLE = "dozable"; Loading services/core/java/com/android/server/NetworkManagementService.java +45 −43 Original line number Diff line number Diff line Loading 
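Review bot: FIREWALL_RULE_DEFAULT stays a literal `0` while FIREWALL_RULE_ALLOW and FIREWALL_RULE_DENY next to it now alias INetd values, and nothing in the section says why it is treated differently. Judging from the getFirewallRuleType helper added in NetworkManagementService.java, DEFAULT looks like a framework-only value that is turned into ALLOW or DENY according to the chain type before the rule is handed to netd. A comment on the constant would record that, for example `// Framework-only value; translated to INetd ALLOW/DENY by chain type before reaching netd.` The class body continues outside the hunk.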
@@ -1929,10 +1929,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub public void setFirewallEnabled(boolean enabled) { enforceSystemUid(); try { mConnector.execute("firewall", "enable", enabled ? "whitelist" : "blacklist"); mNetdService.firewallSetFirewallType( enabled ? INetd.FIREWALL_WHITELIST : INetd.FIREWALL_BLACKLIST); mFirewallEnabled = enabled; } catch (NativeDaemonConnectorException e) { throw e.rethrowAsParcelableException(); } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } Loading @@ -1946,11 +1947,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub public void setFirewallInterfaceRule(String iface, boolean allow) { enforceSystemUid(); Preconditions.checkState(mFirewallEnabled); final String rule = allow ? "allow" : "deny"; try { mConnector.execute("firewall", "set_interface_rule", iface, rule); } catch (NativeDaemonConnectorException e) { throw e.rethrowAsParcelableException(); mNetdService.firewallSetInterfaceRule(iface, allow ? INetd.FIREWALL_RULE_ALLOW : INetd.FIREWALL_RULE_DENY); } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } Loading @@ -1961,7 +1962,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub int[] exemptUids; int numUids = 0; if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName); if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) { // Close all sockets on all non-system UIDs... ranges = new UidRange[] { Loading Loading 
@@ -2031,26 +2032,14 @@ public class NetworkManagementService extends INetworkManagementService.Stub setFirewallChainState(chain, enable); } final String operation = enable ? "enable_chain" : "disable_chain"; final String chainName; switch(chain) { case FIREWALL_CHAIN_STANDBY: chainName = FIREWALL_CHAIN_NAME_STANDBY; break; case FIREWALL_CHAIN_DOZABLE: chainName = FIREWALL_CHAIN_NAME_DOZABLE; break; case FIREWALL_CHAIN_POWERSAVE: chainName = FIREWALL_CHAIN_NAME_POWERSAVE; break; default: if (chain == FIREWALL_CHAIN_NONE) { throw new IllegalArgumentException("Bad child chain: " + chain); } try { mConnector.execute("firewall", operation, chainName); } catch (NativeDaemonConnectorException e) { throw e.rethrowAsParcelableException(); mNetdService.firewallEnableChildChain(chain, enable); } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } // Close any sockets that were opened by the affected UIDs. This has to be done after Loading @@ -2058,12 +2047,24 @@ public class NetworkManagementService extends INetworkManagementService.Stub // the connection and race with the iptables commands that enable the firewall. All // whitelist and blacklist chains allow RSTs through. if (enable) { if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName); closeSocketsForFirewallChainLocked(chain, chainName); closeSocketsForFirewallChainLocked(chain, getFirewallChainName(chain)); } } } private String getFirewallChainName(int chain) { switch (chain) { case FIREWALL_CHAIN_STANDBY: return FIREWALL_CHAIN_NAME_STANDBY; case FIREWALL_CHAIN_DOZABLE: return FIREWALL_CHAIN_NAME_DOZABLE; case FIREWALL_CHAIN_POWERSAVE: return FIREWALL_CHAIN_NAME_POWERSAVE; default: throw new IllegalArgumentException("Bad child chain: " + chain); } } private int getFirewallType(int chain) { switch (chain) { case FIREWALL_CHAIN_STANDBY: Loading Loading 
@@ -2136,11 +2137,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub private void setFirewallUidRuleLocked(int chain, int uid, int rule) { if (updateFirewallUidRuleLocked(chain, uid, rule)) { final int ruleType = getFirewallRuleType(chain, rule); try { mConnector.execute("firewall", "set_uid_rule", getFirewallChainName(chain), uid, getFirewallRuleName(chain, rule)); } catch (NativeDaemonConnectorException e) { throw e.rethrowAsParcelableException(); mNetdService.firewallSetUidRule(chain, uid, ruleType); } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } } Loading Loading @@ -2206,18 +2207,19 @@ public class NetworkManagementService extends INetworkManagementService.Stub } } public @NonNull String getFirewallChainName(int chain) { switch (chain) { case FIREWALL_CHAIN_STANDBY: return FIREWALL_CHAIN_NAME_STANDBY; case FIREWALL_CHAIN_DOZABLE: return FIREWALL_CHAIN_NAME_DOZABLE; case FIREWALL_CHAIN_POWERSAVE: return FIREWALL_CHAIN_NAME_POWERSAVE; case FIREWALL_CHAIN_NONE: return FIREWALL_CHAIN_NAME_NONE; default: throw new IllegalArgumentException("Unknown chain:" + chain); private int getFirewallRuleType(int chain, int rule) { if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) { if (rule == NetworkPolicyManager.FIREWALL_RULE_ALLOW) { return INetd.FIREWALL_RULE_ALLOW; } else { return INetd.FIREWALL_RULE_DENY; } } else { // Blacklist mode if (rule == NetworkPolicyManager.FIREWALL_RULE_DENY) { return INetd.FIREWALL_RULE_DENY; } else { return INetd.FIREWALL_RULE_ALLOW; } } } Loading Loading
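Review bot: In the hunk at `@@ -2031,26 +2032,14 @@` the chain id is now checked only against FIREWALL_CHAIN_NONE before `mNetdService.firewallEnableChildChain(chain, enable)`, whereas the switch it replaces threw IllegalArgumentException for every value other than STANDBY, DOZABLE and POWERSAVE. As the page renders it, an unrecognised chain reaches netd before anything rejects it: with `enable` true the new private getFirewallChainName(chain) throws only after the binder call, and with `enable` false nothing on the Java side validates it; whether netd itself rejects the value is not visible here. Resolving the name first restores the fail-early check, e.g. `final String chainName = getFirewallChainName(chain);` ahead of the `try`, then `closeSocketsForFirewallChainLocked(chain, chainName);` in the `enable` branch. The enclosing method starts and ends outside the hunk.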
core/java/android/net/NetworkPolicyManager.java +8 −8 Original line number Diff line number Diff line Loading @@ -91,16 +91,16 @@ public class NetworkPolicyManager { public static final int MASK_ALL_NETWORKS = 0b11110000; public static final int FIREWALL_RULE_DEFAULT = 0; public static final int FIREWALL_RULE_ALLOW = 1; public static final int FIREWALL_RULE_DENY = 2; public static final int FIREWALL_RULE_ALLOW = INetd.FIREWALL_RULE_ALLOW; public static final int FIREWALL_RULE_DENY = INetd.FIREWALL_RULE_DENY; public static final int FIREWALL_TYPE_WHITELIST = 0; public static final int FIREWALL_TYPE_BLACKLIST = 1; public static final int FIREWALL_TYPE_WHITELIST = INetd.FIREWALL_WHITELIST; public static final int FIREWALL_TYPE_BLACKLIST = INetd.FIREWALL_BLACKLIST; public static final int FIREWALL_CHAIN_NONE = 0; public static final int FIREWALL_CHAIN_DOZABLE = 1; public static final int FIREWALL_CHAIN_STANDBY = 2; public static final int FIREWALL_CHAIN_POWERSAVE = 3; public static final int FIREWALL_CHAIN_NONE = INetd.FIREWALL_CHAIN_NONE; public static final int FIREWALL_CHAIN_DOZABLE = INetd.FIREWALL_CHAIN_DOZABLE; public static final int FIREWALL_CHAIN_STANDBY = INetd.FIREWALL_CHAIN_STANDBY; public static final int FIREWALL_CHAIN_POWERSAVE = INetd.FIREWALL_CHAIN_POWERSAVE; public static final String FIREWALL_CHAIN_NAME_NONE = "none"; public static final String FIREWALL_CHAIN_NAME_DOZABLE = "dozable"; Loading
services/core/java/com/android/server/NetworkManagementService.java +45 −43 Original line number Diff line number Diff line Loading @@ -1929,10 +1929,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub public void setFirewallEnabled(boolean enabled) { enforceSystemUid(); try { mConnector.execute("firewall", "enable", enabled ? "whitelist" : "blacklist"); mNetdService.firewallSetFirewallType( enabled ? INetd.FIREWALL_WHITELIST : INetd.FIREWALL_BLACKLIST); mFirewallEnabled = enabled; } catch (NativeDaemonConnectorException e) { throw e.rethrowAsParcelableException(); } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } Loading @@ -1946,11 +1947,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub public void setFirewallInterfaceRule(String iface, boolean allow) { enforceSystemUid(); Preconditions.checkState(mFirewallEnabled); final String rule = allow ? "allow" : "deny"; try { mConnector.execute("firewall", "set_interface_rule", iface, rule); } catch (NativeDaemonConnectorException e) { throw e.rethrowAsParcelableException(); mNetdService.firewallSetInterfaceRule(iface, allow ? INetd.FIREWALL_RULE_ALLOW : INetd.FIREWALL_RULE_DENY); } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } Loading @@ -1961,7 +1962,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub int[] exemptUids; int numUids = 0; if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName); if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) { // Close all sockets on all non-system UIDs... ranges = new UidRange[] { Loading Loading 
@@ -2031,26 +2032,14 @@ public class NetworkManagementService extends INetworkManagementService.Stub setFirewallChainState(chain, enable); } final String operation = enable ? "enable_chain" : "disable_chain"; final String chainName; switch(chain) { case FIREWALL_CHAIN_STANDBY: chainName = FIREWALL_CHAIN_NAME_STANDBY; break; case FIREWALL_CHAIN_DOZABLE: chainName = FIREWALL_CHAIN_NAME_DOZABLE; break; case FIREWALL_CHAIN_POWERSAVE: chainName = FIREWALL_CHAIN_NAME_POWERSAVE; break; default: if (chain == FIREWALL_CHAIN_NONE) { throw new IllegalArgumentException("Bad child chain: " + chain); } try { mConnector.execute("firewall", operation, chainName); } catch (NativeDaemonConnectorException e) { throw e.rethrowAsParcelableException(); mNetdService.firewallEnableChildChain(chain, enable); } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } // Close any sockets that were opened by the affected UIDs. This has to be done after Loading @@ -2058,12 +2047,24 @@ public class NetworkManagementService extends INetworkManagementService.Stub // the connection and race with the iptables commands that enable the firewall. All // whitelist and blacklist chains allow RSTs through. if (enable) { if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName); closeSocketsForFirewallChainLocked(chain, chainName); closeSocketsForFirewallChainLocked(chain, getFirewallChainName(chain)); } } } private String getFirewallChainName(int chain) { switch (chain) { case FIREWALL_CHAIN_STANDBY: return FIREWALL_CHAIN_NAME_STANDBY; case FIREWALL_CHAIN_DOZABLE: return FIREWALL_CHAIN_NAME_DOZABLE; case FIREWALL_CHAIN_POWERSAVE: return FIREWALL_CHAIN_NAME_POWERSAVE; default: throw new IllegalArgumentException("Bad child chain: " + chain); } } private int getFirewallType(int chain) { switch (chain) { case FIREWALL_CHAIN_STANDBY: Loading Loading 
@@ -2136,11 +2137,11 @@ public class NetworkManagementService extends INetworkManagementService.Stub private void setFirewallUidRuleLocked(int chain, int uid, int rule) { if (updateFirewallUidRuleLocked(chain, uid, rule)) { final int ruleType = getFirewallRuleType(chain, rule); try { mConnector.execute("firewall", "set_uid_rule", getFirewallChainName(chain), uid, getFirewallRuleName(chain, rule)); } catch (NativeDaemonConnectorException e) { throw e.rethrowAsParcelableException(); mNetdService.firewallSetUidRule(chain, uid, ruleType); } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } } Loading Loading @@ -2206,18 +2207,19 @@ public class NetworkManagementService extends INetworkManagementService.Stub } } public @NonNull String getFirewallChainName(int chain) { switch (chain) { case FIREWALL_CHAIN_STANDBY: return FIREWALL_CHAIN_NAME_STANDBY; case FIREWALL_CHAIN_DOZABLE: return FIREWALL_CHAIN_NAME_DOZABLE; case FIREWALL_CHAIN_POWERSAVE: return FIREWALL_CHAIN_NAME_POWERSAVE; case FIREWALL_CHAIN_NONE: return FIREWALL_CHAIN_NAME_NONE; default: throw new IllegalArgumentException("Unknown chain:" + chain); private int getFirewallRuleType(int chain, int rule) { if (getFirewallType(chain) == FIREWALL_TYPE_WHITELIST) { if (rule == NetworkPolicyManager.FIREWALL_RULE_ALLOW) { return INetd.FIREWALL_RULE_ALLOW; } else { return INetd.FIREWALL_RULE_DENY; } } else { // Blacklist mode if (rule == NetworkPolicyManager.FIREWALL_RULE_DENY) { return INetd.FIREWALL_RULE_DENY; } else { return INetd.FIREWALL_RULE_ALLOW; } } } Loading