
Commit 2e36bb8e authored by Martijn Coenen's avatar Martijn Coenen Committed by Automerger Merge Worker

Add SDK sandbox UIDs to network policy. am: d25240eb

parents c82359bc d25240eb
+47 −9
@@ -5438,6 +5438,11 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
        try {
        try {
            mNetworkManager.setUidOnMeteredNetworkDenylist(uid, enable);
            mNetworkManager.setUidOnMeteredNetworkDenylist(uid, enable);
            mLogger.meteredAllowlistChanged(uid, enable);
            mLogger.meteredAllowlistChanged(uid, enable);
            if (Process.isApplicationUid(uid)) {
                final int sdkSandboxUid = Process.toSdkSandboxUid(uid);
                mNetworkManager.setUidOnMeteredNetworkDenylist(sdkSandboxUid, enable);
                mLogger.meteredAllowlistChanged(sdkSandboxUid, enable);
            }
        } catch (IllegalStateException e) {
        } catch (IllegalStateException e) {
            Log.wtf(TAG, "problem setting denylist (" + enable + ") rules for " + uid, e);
            Log.wtf(TAG, "problem setting denylist (" + enable + ") rules for " + uid, e);
        } catch (RemoteException e) {
        } catch (RemoteException e) {
@@ -5450,6 +5455,11 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
        try {
        try {
            mNetworkManager.setUidOnMeteredNetworkAllowlist(uid, enable);
            mNetworkManager.setUidOnMeteredNetworkAllowlist(uid, enable);
            mLogger.meteredDenylistChanged(uid, enable);
            mLogger.meteredDenylistChanged(uid, enable);
            if (Process.isApplicationUid(uid)) {
                final int sdkSandboxUid = Process.toSdkSandboxUid(uid);
                mNetworkManager.setUidOnMeteredNetworkAllowlist(sdkSandboxUid, enable);
                mLogger.meteredDenylistChanged(sdkSandboxUid, enable);
            }
        } catch (IllegalStateException e) {
        } catch (IllegalStateException e) {
            Log.wtf(TAG, "problem setting allowlist (" + enable + ") rules for " + uid, e);
            Log.wtf(TAG, "problem setting allowlist (" + enable + ") rules for " + uid, e);
        } catch (RemoteException e) {
        } catch (RemoteException e) {
@@ -5488,12 +5498,31 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
        }
        }
    }
    }


    private void addSdkSandboxUidsIfNeeded(SparseIntArray uidRules) {
        final int size = uidRules.size();
        final SparseIntArray sdkSandboxUids = new SparseIntArray();
        for (int index = 0; index < size; index++) {
            final int uid = uidRules.keyAt(index);
            final int rule = uidRules.valueAt(index);
            if (Process.isApplicationUid(uid)) {
                sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
            }
        }

        for (int index = 0; index < sdkSandboxUids.size(); index++) {
            final int uid = sdkSandboxUids.keyAt(index);
            final int rule = sdkSandboxUids.valueAt(index);
            uidRules.put(uid, rule);
        }
    }

    /**
    /**
     * Set uid rules on a particular firewall chain. This is going to synchronize the rules given
     * Set uid rules on a particular firewall chain. This is going to synchronize the rules given
     * here to netd.  It will clean up dead rules and make sure the target chain only contains rules
     * here to netd.  It will clean up dead rules and make sure the target chain only contains rules
     * specified here.
     * specified here.
     */
     */
    private void setUidFirewallRulesUL(int chain, SparseIntArray uidRules) {
    private void setUidFirewallRulesUL(int chain, SparseIntArray uidRules) {
        addSdkSandboxUidsIfNeeded(uidRules);
        try {
        try {
            int size = uidRules.size();
            int size = uidRules.size();
            int[] uids = new int[size];
            int[] uids = new int[size];
@@ -5536,6 +5565,11 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
            try {
            try {
                mNetworkManager.setFirewallUidRule(chain, uid, rule);
                mNetworkManager.setFirewallUidRule(chain, uid, rule);
                mLogger.uidFirewallRuleChanged(chain, uid, rule);
                mLogger.uidFirewallRuleChanged(chain, uid, rule);
                if (Process.isApplicationUid(uid)) {
                    final int sdkSandboxUid = Process.toSdkSandboxUid(uid);
                    mNetworkManager.setFirewallUidRule(chain, sdkSandboxUid, rule);
                    mLogger.uidFirewallRuleChanged(chain, sdkSandboxUid, rule);
                }
            } catch (IllegalStateException e) {
            } catch (IllegalStateException e) {
                Log.wtf(TAG, "problem setting firewall uid rules", e);
                Log.wtf(TAG, "problem setting firewall uid rules", e);
            } catch (RemoteException e) {
            } catch (RemoteException e) {
@@ -5572,14 +5606,15 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
     */
     */
    private void resetUidFirewallRules(int uid) {
    private void resetUidFirewallRules(int uid) {
        try {
        try {
            mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_DOZABLE, uid, FIREWALL_RULE_DEFAULT);
            mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_DOZABLE, uid,
            mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_STANDBY, uid, FIREWALL_RULE_DEFAULT);
                    FIREWALL_RULE_DEFAULT);
            mNetworkManager
            mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_STANDBY, uid,
                    .setFirewallUidRule(FIREWALL_CHAIN_POWERSAVE, uid, FIREWALL_RULE_DEFAULT);
                    FIREWALL_RULE_DEFAULT);
            mNetworkManager
            mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_POWERSAVE, uid,
                    .setFirewallUidRule(FIREWALL_CHAIN_RESTRICTED, uid, FIREWALL_RULE_DEFAULT);
                    FIREWALL_RULE_DEFAULT);
            mNetworkManager
            mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_RESTRICTED, uid,
                    .setFirewallUidRule(FIREWALL_CHAIN_LOW_POWER_STANDBY, uid,
                    FIREWALL_RULE_DEFAULT);
            mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_LOW_POWER_STANDBY, uid,
                    FIREWALL_RULE_DEFAULT);
                    FIREWALL_RULE_DEFAULT);
            mNetworkManager.setUidOnMeteredNetworkAllowlist(uid, false);
            mNetworkManager.setUidOnMeteredNetworkAllowlist(uid, false);
            mLogger.meteredAllowlistChanged(uid, false);
            mLogger.meteredAllowlistChanged(uid, false);
@@ -5590,6 +5625,9 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
        } catch (RemoteException e) {
        } catch (RemoteException e) {
            // ignored; service lives in system_server
            // ignored; service lives in system_server
        }
        }
        if (Process.isApplicationUid(uid)) {
            resetUidFirewallRules(Process.toSdkSandboxUid(uid));
        }
    }
    }


    @Deprecated
    @Deprecated
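Review bot: In `setUidFirewallRulesUL`, the new `addSdkSandboxUidsIfNeeded(uidRules)` call writes the sandbox entries into the caller's `SparseIntArray`, so any array passed to this method keeps the extra UIDs after the call. If callers pass long-lived rule maps (they are outside this view, so this needs confirming), later passes over those maps would treat sandbox UIDs as ordinary entries. Working on a copy avoids that: `final SparseIntArray rules = uidRules.clone(); addSdkSandboxUidsIfNeeded(rules);`, with the rest of the body, which continues past the hunk, reading `rules`. If the in-place change is intended, the helper should carry a Javadoc saying that it mutates its argument and that each sandbox UID inherits its app UID's rule. Separately, the new metered-list lines copy the existing pairing in which the `setUidOnMeteredNetworkDenylist` call is logged through `meteredAllowlistChanged` and the allowlist call through `meteredDenylistChanged`; that looks swapped and is worth checking before it is duplicated for the sandbox UID.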