Merge "Re-implement NetworkUtils#queryUserAccess." (4de248ae) · Commits · e / os / android_frameworks_base

core/jni/android_net_NetworkUtils.cpp

+0 −6

Original line number	Diff line number	Diff line
		@@ -102,11 +102,6 @@ static jint android_net_utils_bindSocketToNetwork(JNIEnv *env, jobject thiz, job
		return setNetworkForSocket(netId, AFileDescriptor_getFD(env, javaFd));
		}

		static jboolean android_net_utils_queryUserAccess(JNIEnv *env, jobject thiz, jint uid, jint netId)
		{
		return (jboolean) !queryUserAccess(uid, netId);
		}

		static bool checkLenAndCopy(JNIEnv* env, const jbyteArray& addr, int len, void* dst)
		{
		if (env->GetArrayLength(addr) != len) {
		@@ -246,7 +241,6 @@ static const JNINativeMethod gNetworkUtilMethods[] = {
		{ "getBoundNetworkForProcess", "()I", (void*) android_net_utils_getBoundNetworkForProcess },
		{ "bindProcessToNetworkForHostResolution", "(I)Z", (void*) android_net_utils_bindProcessToNetworkForHostResolution },
		{ "bindSocketToNetwork", "(Ljava/io/FileDescriptor;I)I", (void*) android_net_utils_bindSocketToNetwork },
		{ "queryUserAccess", "(II)Z", (void*)android_net_utils_queryUserAccess },
		{ "attachDropAllBPFFilter", "(Ljava/io/FileDescriptor;)V", (void*) android_net_utils_attachDropAllBPFFilter },
		{ "detachBPFFilter", "(Ljava/io/FileDescriptor;)V", (void*) android_net_utils_detachBPFFilter },
		{ "getTcpRepairWindow", "(Ljava/io/FileDescriptor;)Landroid/net/TcpRepairWindow;", (void*) android_net_utils_getTcpRepairWindow },

packages/Connectivity/framework/src/android/net/NetworkUtils.java

+4 −1

Original line number	Diff line number	Diff line
		@@ -92,7 +92,10 @@ public class NetworkUtils {
		* Determine if {@code uid} can access network designated by {@code netId}.
		* @return {@code true} if {@code uid} can access network, {@code false} otherwise.
		*/
		public native static boolean queryUserAccess(int uid, int netId);
		public static boolean queryUserAccess(int uid, int netId) {
		// TODO (b/183485986): remove this method
		return false;
		}

		/**
		* DNS resolver series jni method.

services/core/java/com/android/server/ConnectivityService.java

+39 −3

Original line number	Diff line number	Diff line
		@@ -1149,8 +1149,8 @@ public class ConnectivityService extends IConnectivityManager.Stub
		/**
		* @see NetworkUtils#queryUserAccess(int, int)
		*/
		public boolean queryUserAccess(int uid, int netId) {
		return NetworkUtils.queryUserAccess(uid, netId);
		public boolean queryUserAccess(int uid, Network network, ConnectivityService cs) {
		return cs.queryUserAccess(uid, network);
		}

		/**
		@@ -4843,6 +4843,42 @@ public class ConnectivityService extends IConnectivityManager.Stub
		nai.networkMonitor().forceReevaluation(uid);
		}

		// TODO: call into netd.
		private boolean queryUserAccess(int uid, Network network) {
		final NetworkAgentInfo nai = getNetworkAgentInfoForNetwork(network);
		if (nai == null) return false;

		// Any UID can use its default network.
		if (nai == getDefaultNetworkForUid(uid)) return true;

		// Privileged apps can use any network.
		if (mPermissionMonitor.hasRestrictedNetworksPermission(uid)) {
		return true;
		}

		// An unprivileged UID can use a VPN iff the VPN applies to it.
		if (nai.isVPN()) {
		return nai.networkCapabilities.appliesToUid(uid);
		}

		// An unprivileged UID can bypass the VPN that applies to it only if it can protect its
		// sockets, i.e., if it is the owner.
		final NetworkAgentInfo vpn = getVpnForUid(uid);
		if (vpn != null && !vpn.networkAgentConfig.allowBypass
		&& uid != vpn.networkCapabilities.getOwnerUid()) {
		return false;
		}

		// The UID's permission must be at least sufficient for the network. Since the restricted
		// permission was already checked above, that just leaves background networks.
		if (!nai.networkCapabilities.hasCapability(NET_CAPABILITY_FOREGROUND)) {
		return mPermissionMonitor.hasUseBackgroundNetworksPermission(uid);
		}

		// Unrestricted network. Anyone gets to use it.
		return true;
		}

		/**
		* Returns information about the proxy a certain network is using. If given a null network, it
		* it will return the proxy for the bound network for the caller app or the default proxy if
		@@ -4863,7 +4899,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
		return null;
		}
		return getLinkPropertiesProxyInfo(activeNetwork);
		} else if (mDeps.queryUserAccess(mDeps.getCallingUid(), network.getNetId())) {
		} else if (mDeps.queryUserAccess(mDeps.getCallingUid(), network, this)) {
		// Don't call getLinkProperties() as it requires ACCESS_NETWORK_STATE permission, which
		// caller may not have.
		return getLinkPropertiesProxyInfo(network);

services/core/java/com/android/server/connectivity/PermissionMonitor.java

+7 −0

Original line number	Diff line number	Diff line
		@@ -271,6 +271,13 @@ public class PermissionMonitor {
		return mApps.containsKey(uid);
		}

		/**
		* Returns whether the given uid has permission to use restricted networks.
		*/
		public synchronized boolean hasRestrictedNetworksPermission(int uid) {
		return Boolean.TRUE.equals(mApps.get(uid));
		}

		private void update(Set<UserHandle> users, Map<Integer, Boolean> apps, boolean add) {
		List<Integer> network = new ArrayList<>();
		List<Integer> system = new ArrayList<>();

tests/net/java/com/android/server/ConnectivityServiceTest.java

+1 −1

Original line number	Diff line number	Diff line
		@@ -1571,7 +1571,7 @@ public class ConnectivityServiceTest {
		doReturn(mNetworkStack).when(deps).getNetworkStack();
		doReturn(mSystemProperties).when(deps).getSystemProperties();
		doReturn(mock(ProxyTracker.class)).when(deps).makeProxyTracker(any(), any());
		doReturn(true).when(deps).queryUserAccess(anyInt(), anyInt());
		doReturn(true).when(deps).queryUserAccess(anyInt(), any(), any());
		doAnswer(inv -> {
		mPolicyTracker = new WrappedMultinetworkPolicyTracker(
		inv.getArgument(0), inv.getArgument(1), inv.getArgument(2));