Firewall: Network access toggle support
Everything needed to support prohibiting apps' overall network access,
apart from changes for Settings / Firewall app.
"Firewall: Migrate to POLICY_REJECT_ALL" is critical to include, too,
if existing installations with prior implementations must be supported.
Squash of:
Author: Tommy Webb <tommy@calyxinstitute.org>
Date: Wed Mar 22 15:31:25 2023 -0400
Use POLICY_REJECT_ALL instead of allowlist
This allows us to keep track of a user's explicit intention to deny
network access to a UID while still allowing newly-added system apps
to have network access by default. It also allows us to retain an
app's network access allowed state when it is hidden and unhidden.
Issue: calyxos#1273
Issue: calyxos#1568
Change-Id: I74407c21cd4ed2cdd932d634577ae07d0bad67b1
Author: Oliver Scott <olivercscott@gmail.com>
Date: Mon Oct 17 15:36:18 2022 +0200
fixup! fw/b: Add support for allowing/disallowing apps on cellular, vpn and wifi networks
Do not set apps without INTERNET permission as blocked by restricted networking mode
Issue: calyxos#1266
Change-Id: I11e30bc0c1f8c722d2b5941c17d430dba942594d
Author: Oliver Scott <olivercscott@gmail.com>
Date: Mon Jan 10 19:17:00 2022 +0100
Clear calling identity when setting restricted networking mode UID firewall rules
* NetworkManager setFirewallUidRule checks that the caller is system uid
* Public service entry points are already protected with MANAGE_NETWORK_POLICY permission so simply clear calling identity around NetworkPolicyManagerService setUidFirewallRule() call to resolve crash for secondary users during settings change.
Change-Id: I2fb22e77c0afa67acfbb5b9d57173df5aefb0d57
Author: Oliver Scott <olivercscott@gmail.com>
Date: Thu Oct 14 13:31:43 2021 -0400
Restricted Networking Mode fixes
[Too long to list -- see Gerrit!]
Co-Authored-By: Chirayu Desai <chirayudesai1@gmail.com>
Change-Id: Ia3ec546747057301c65a792e0fabef4c45b4b5a4
Author: Oliver Scott <olivercscott@gmail.com>
Date: Sat Oct 9 22:18:36 2021 -0400
Remove removed package uids from Restricted Mode's uid allowlist
Currently uids from removed packages remain in Restricted Mode's uid allowlist.
This is unsafe given that new packages can be granted the uid and thereby network access by default.
This addresses the problem by listening for ACTION_PACKAGE_REMOVED and removing the uid from the allowlist.
Bug: https://issuetracker.google.com/issues/206947902
Change-Id: I16ee9a8aa869f6e4eaa9dfc494c588e74ac2e8f2
(cherry picked from commit c84c7adcedb16da65c5ce6b6f30441b64f1bcf85)
Author: Oliver Scott <olivercscott@gmail.com>
Date: Sat Oct 9 20:16:19 2021 -0400
Add Restricted Mode uid allowlist setting observer to NetworkPolicyManagerService
This allows adding / removing UIDs from restricted mode's allowlist at runtime.
Bug: https://issuetracker.google.com/issues/206947902
Test: adb shell settings put global uids_allowed_on_restricted_networks "UID"
Change-Id: I1d3edf3fb1ee62ddf9ee07e15cf1da1e23cc18fa
(cherry picked from commit 54217bfab16a9201f35bb1e9be8b26bb56a5809e)
Author: Chirayu Desai <chirayudesai1@gmail.com>
Date: Sun Dec 26 16:08:13 2021 +0530
NetworkPolicyManager: Add POLICY_REJECT_ALL constant
* This was used by network-isolation in 11 and earlier versions
* We've switched to restricted-networking-mode for 12, however
we should still keep this around for usage with migration, and
as a reminder that this value should not be re-used to avoid
future complications
* This is also used for backup and restore now
Change-Id: I1e51cc610ecc8cd0cb8f86b25f9f990f348b4097
Also includes a line from "fw/b: Add support for allowing/disallowing
apps on cellular, vpn and wifi networks" to update restricted mode for a
UID whose policy has changed: I526d0058cda71a9e93046d116c0d79093390a85b
Change-Id: I5fae5389776196175eba31f646efff6771824dcc