Commit 9bde0884 authored by Benedict Wong

Add clarifying comments for IPsec forward policies

This change adds clarifying comments for the usage of the forward
policies in IPsec, and corrects a comment to properly specify the
permissions allowed.

Bug: 185495453
Test: Comment-only changes
Change-Id: I6d36522c344c41b0ebd90d46b216d115b678dd31
parent 0c1a3b9d
+11 −1
@@ -1112,7 +1112,7 @@ public class IpSecService extends IIpSecService.Stub {
            case IpSecManager.DIRECTION_IN:
                return;
            case IpSecManager.DIRECTION_FWD:
                // Only NETWORK_STACK or PERMISSION_NETWORK_STACK allowed to use forward policies
                // Only NETWORK_STACK or MAINLINE_NETWORK_STACK allowed to use forward policies
                PermissionUtils.enforceNetworkStackPermission(mContext);
                return;
        }
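Review bot: In the DIRECTION_FWD case, the comment above PermissionUtils.enforceNetworkStackPermission(mContext) hard-codes the permission names that the helper checks, and this change is needed only because the previous wording named one of them incorrectly. Consider pointing the comment at the helper itself (for example "Forward policies require the permissions enforced by enforceNetworkStackPermission"), or spelling the names exactly as their constants are declared, so the comment cannot drift from the enforced check again.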
@@ -1358,6 +1358,16 @@ public class IpSecService extends IIpSecService.Stub {
                        ikey,
                        0xffffffff,
                        resourceId);

                // Add a forwarding policy on the tunnel interface. In order to support forwarding
                // the IpSecTunnelInterface must have a forwarding policy matching the incoming SA.
                //
                // Unless a IpSecTransform is also applied against this interface in DIRECTION_FWD,
                // forwarding will be blocked by default (as would be the case if this policy was
                // absent).
                //
                // This is necessary only on the tunnel interface, and not any the interface to
                // which traffic will be forwarded to.
                netd.ipSecAddSecurityPolicy(
                        callerUid,
                        selAddrFamily,
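Review bot: The last sentence of the new comment block ahead of netd.ipSecAddSecurityPolicy is garbled: "and not any the interface to which traffic will be forwarded to" has a stray "the" and a doubled "to"; suggest "and not on any interface to which traffic will be forwarded". In the second paragraph, "Unless a IpSecTransform" should read "Unless an IpSecTransform". Because this comment documents that forwarding is blocked by default, the wording should leave no doubt about which interface needs the policy.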