Loading core/java/android/app/SystemServiceRegistry.java +3 −3 Original line number Diff line number Diff line Loading @@ -279,12 +279,12 @@ final class SystemServiceRegistry { }}); registerService(Context.IPSEC_SERVICE, IpSecManager.class, new StaticServiceFetcher<IpSecManager>() { new CachedServiceFetcher<IpSecManager>() { @Override public IpSecManager createService() { public IpSecManager createService(ContextImpl ctx) throws ServiceNotFoundException { IBinder b = ServiceManager.getService(Context.IPSEC_SERVICE); IIpSecService service = IIpSecService.Stub.asInterface(b); return new IpSecManager(service); return new IpSecManager(ctx, service); }}); registerService(Context.COUNTRY_DETECTOR, CountryDetector.class, Loading core/java/android/net/IIpSecService.aidl +13 −7 Original line number Diff line number Diff line Loading 
@@ -45,25 +45,31 @@ interface IIpSecService in String localAddr, in String remoteAddr, in Network underlyingNetwork, in IBinder binder); in IBinder binder, in String callingPackage); void addAddressToTunnelInterface( int tunnelResourceId, in LinkAddress localAddr); in LinkAddress localAddr, in String callingPackage); void removeAddressFromTunnelInterface( int tunnelResourceId, in LinkAddress localAddr); in LinkAddress localAddr, in String callingPackage); void deleteTunnelInterface(int resourceId); void deleteTunnelInterface(int resourceId, in String callingPackage); IpSecTransformResponse createTransform(in IpSecConfig c, in IBinder binder); IpSecTransformResponse createTransform( in IpSecConfig c, in IBinder binder, in String callingPackage); void deleteTransform(int transformId); void applyTransportModeTransform(in ParcelFileDescriptor socket, int direction, int transformId); void applyTransportModeTransform( in ParcelFileDescriptor socket, int direction, int transformId); void applyTunnelModeTransform(int tunnelResourceId, int direction, int transformResourceId); void applyTunnelModeTransform( int tunnelResourceId, int direction, int transformResourceId, in String callingPackage); void removeTransportModeTransforms(in ParcelFileDescriptor socket); } core/java/android/net/IpSecManager.java +17 −8 Original line number Diff line number Diff line Loading @@ -140,6 +140,7 @@ public final class IpSecManager { } } private final Context mContext; private final IIpSecService mService; /** Loading Loading @@ -661,6 +662,7 @@ public final class IpSecManager { */ @SystemApi public static final class IpSecTunnelInterface implements AutoCloseable { private final String mOpPackageName; private final IIpSecService mService; private final InetAddress mRemoteAddress; private final InetAddress mLocalAddress; Loading Loading 
@@ -688,7 +690,8 @@ public final class IpSecManager { @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public void addAddress(@NonNull LinkAddress address) throws IOException { try { mService.addAddressToTunnelInterface(mResourceId, address); mService.addAddressToTunnelInterface( mResourceId, address, mOpPackageName); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } Loading @@ -706,16 +709,18 @@ public final class IpSecManager { @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public void removeAddress(@NonNull LinkAddress address) throws IOException { try { mService.removeAddressFromTunnelInterface(mResourceId, address); mService.removeAddressFromTunnelInterface( mResourceId, address, mOpPackageName); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } private IpSecTunnelInterface(@NonNull IIpSecService service, private IpSecTunnelInterface(@NonNull Context ctx, @NonNull IIpSecService service, @NonNull InetAddress localAddress, @NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork) throws ResourceUnavailableException, IOException { mOpPackageName = ctx.getOpPackageName(); mService = service; mLocalAddress = localAddress; mRemoteAddress = remoteAddress; Loading @@ -727,7 +732,8 @@ public final class IpSecManager { localAddress.getHostAddress(), remoteAddress.getHostAddress(), underlyingNetwork, new Binder()); new Binder(), mOpPackageName); switch (result.status) { case Status.OK: break; Loading Loading @@ -756,7 +762,7 @@ public final class IpSecManager { @Override public void close() { try { mService.deleteTunnelInterface(mResourceId); mService.deleteTunnelInterface(mResourceId, mOpPackageName); mResourceId = INVALID_RESOURCE_ID; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); Loading Loading 
@@ -801,7 +807,8 @@ public final class IpSecManager { public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress, @NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork) throws ResourceUnavailableException, IOException { return new IpSecTunnelInterface(mService, localAddress, remoteAddress, underlyingNetwork); return new IpSecTunnelInterface( mContext, mService, localAddress, remoteAddress, underlyingNetwork); } /** Loading @@ -827,7 +834,8 @@ public final class IpSecManager { @PolicyDirection int direction, @NonNull IpSecTransform transform) throws IOException { try { mService.applyTunnelModeTransform( tunnel.getResourceId(), direction, transform.getResourceId()); tunnel.getResourceId(), direction, transform.getResourceId(), mContext.getOpPackageName()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } Loading @@ -839,7 +847,8 @@ public final class IpSecManager { * @param context the application context for this manager * @hide */ public IpSecManager(IIpSecService service) { public IpSecManager(Context ctx, IIpSecService service) { mContext = ctx; mService = checkNotNull(service, "missing service"); } } core/java/android/net/IpSecTransform.java +2 −1 Original line number Diff line number Diff line Loading @@ -130,7 +130,8 @@ public final class IpSecTransform implements AutoCloseable { synchronized (this) { try { IIpSecService svc = getIpSecService(); IpSecTransformResponse result = svc.createTransform(mConfig, new Binder()); IpSecTransformResponse result = svc.createTransform( mConfig, new Binder(), mContext.getOpPackageName()); int status = result.status; checkResultStatus(status); mResourceId = result.resourceId; Loading services/core/java/com/android/server/IpSecService.java +44 −15 Original line number Diff line number Diff line Loading 
@@ -24,6 +24,8 @@ import static android.system.OsConstants.IPPROTO_UDP; import static android.system.OsConstants.SOCK_DGRAM; import static com.android.internal.util.Preconditions.checkNotNull; import android.annotation.NonNull; import android.app.AppOpsManager; import android.content.Context; import android.net.ConnectivityManager; import android.net.IIpSecService; Loading @@ -42,6 +44,7 @@ import android.net.NetworkUtils; import android.net.TrafficStats; import android.net.util.NetdService; import android.os.Binder; import android.os.DeadSystemException; import android.os.IBinder; import android.os.ParcelFileDescriptor; import android.os.RemoteException; Loading Loading @@ -974,6 +977,13 @@ public class IpSecService extends IIpSecService.Stub { return service; } @NonNull private AppOpsManager getAppOpsManager() { AppOpsManager appOps = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE); if(appOps == null) throw new RuntimeException("System Server couldn't get AppOps"); return appOps; } /** @hide */ @VisibleForTesting public IpSecService(Context context, IpSecServiceConfiguration config) { Loading Loading @@ -1240,7 +1250,9 @@ public class IpSecService extends IIpSecService.Stub { */ @Override public synchronized IpSecTunnelInterfaceResponse createTunnelInterface( String localAddr, String remoteAddr, Network underlyingNetwork, IBinder binder) { String localAddr, String remoteAddr, Network underlyingNetwork, IBinder binder, String callingPackage) { enforceTunnelPermissions(callingPackage); checkNotNull(binder, "Null Binder passed to createTunnelInterface"); checkNotNull(underlyingNetwork, "No underlying network was specified"); checkInetAddress(localAddr); Loading Loading 
@@ -1320,8 +1332,8 @@ public class IpSecService extends IIpSecService.Stub { */ @Override public synchronized void addAddressToTunnelInterface( int tunnelResourceId, LinkAddress localAddr) { enforceNetworkStackPermission(); int tunnelResourceId, LinkAddress localAddr, String callingPackage) { enforceTunnelPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); // Get tunnelInterface record; if no such interface is found, will throw Loading Loading @@ -1352,10 +1364,10 @@ public class IpSecService extends IIpSecService.Stub { */ @Override public synchronized void removeAddressFromTunnelInterface( int tunnelResourceId, LinkAddress localAddr) { enforceNetworkStackPermission(); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int tunnelResourceId, LinkAddress localAddr, String callingPackage) { enforceTunnelPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); // Get tunnelInterface record; if no such interface is found, will throw // IllegalArgumentException TunnelInterfaceRecord tunnelInterfaceInfo = Loading Loading @@ -1383,7 +1395,9 @@ public class IpSecService extends IIpSecService.Stub { * server */ @Override public synchronized void deleteTunnelInterface(int resourceId) throws RemoteException { public synchronized void deleteTunnelInterface( int resourceId, String callingPackage) throws RemoteException { enforceTunnelPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); releaseResource(userRecord.mTunnelInterfaceRecords, resourceId); } Loading Loading @@ -1469,7 +1483,6 @@ public class IpSecService extends IIpSecService.Stub { case IpSecTransform.MODE_TRANSPORT: break; case IpSecTransform.MODE_TUNNEL: enforceNetworkStackPermission(); break; default: throw new IllegalArgumentException( Loading 
@@ -1477,9 +1490,20 @@ public class IpSecService extends IIpSecService.Stub { } } private void enforceNetworkStackPermission() { mContext.enforceCallingOrSelfPermission(android.Manifest.permission.NETWORK_STACK, "IpSecService"); private void enforceTunnelPermissions(String callingPackage) { checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels"); switch (getAppOpsManager().noteOp( AppOpsManager.OP_MANAGE_IPSEC_TUNNELS, Binder.getCallingUid(), callingPackage)) { case AppOpsManager.MODE_DEFAULT: mContext.enforceCallingOrSelfPermission( android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService"); break; case AppOpsManager.MODE_ALLOWED: return; default: throw new SecurityException("Request to ignore AppOps for non-legacy API"); } } private void createOrUpdateTransform( Loading Loading @@ -1535,8 +1559,12 @@ public class IpSecService extends IIpSecService.Stub { * result in all of those sockets becoming unable to send or receive data. */ @Override public synchronized IpSecTransformResponse createTransform(IpSecConfig c, IBinder binder) throws RemoteException { public synchronized IpSecTransformResponse createTransform( IpSecConfig c, IBinder binder, String callingPackage) throws RemoteException { checkNotNull(c); if (c.getMode() == IpSecTransform.MODE_TUNNEL) { enforceTunnelPermissions(callingPackage); } checkIpSecConfig(c); checkNotNull(binder, "Null Binder passed to createTransform"); final int resourceId = mNextResourceId++; Loading Loading 
@@ -1657,8 +1685,9 @@ public class IpSecService extends IIpSecService.Stub { */ @Override public synchronized void applyTunnelModeTransform( int tunnelResourceId, int direction, int transformResourceId) throws RemoteException { enforceNetworkStackPermission(); int tunnelResourceId, int direction, int transformResourceId, String callingPackage) throws RemoteException { enforceTunnelPermissions(callingPackage); checkDirection(direction); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); Loading Loading
core/java/android/app/SystemServiceRegistry.java +3 −3 Original line number Diff line number Diff line Loading @@ -279,12 +279,12 @@ final class SystemServiceRegistry { }}); registerService(Context.IPSEC_SERVICE, IpSecManager.class, new StaticServiceFetcher<IpSecManager>() { new CachedServiceFetcher<IpSecManager>() { @Override public IpSecManager createService() { public IpSecManager createService(ContextImpl ctx) throws ServiceNotFoundException { IBinder b = ServiceManager.getService(Context.IPSEC_SERVICE); IIpSecService service = IIpSecService.Stub.asInterface(b); return new IpSecManager(service); return new IpSecManager(ctx, service); }}); registerService(Context.COUNTRY_DETECTOR, CountryDetector.class, Loading
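Review bot: The new `createService(ContextImpl ctx)` declares `throws ServiceNotFoundException` but still resolves the binder with `ServiceManager.getService(Context.IPSEC_SERVICE)`, which returns null for an unregistered service instead of throwing. In that case `IIpSecService.Stub.asInterface(b)` yields null, and the failure presumably surfaces as the NullPointerException from `checkNotNull(service, "missing service")` in the IpSecManager constructor rather than as the declared exception. Using `IBinder b = ServiceManager.getServiceOrThrow(Context.IPSEC_SERVICE);` would make the declared exception real, so a missing service is reported through the path the signature promises.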
core/java/android/net/IIpSecService.aidl +13 −7 Original line number Diff line number Diff line Loading @@ -45,25 +45,31 @@ interface IIpSecService in String localAddr, in String remoteAddr, in Network underlyingNetwork, in IBinder binder); in IBinder binder, in String callingPackage); void addAddressToTunnelInterface( int tunnelResourceId, in LinkAddress localAddr); in LinkAddress localAddr, in String callingPackage); void removeAddressFromTunnelInterface( int tunnelResourceId, in LinkAddress localAddr); in LinkAddress localAddr, in String callingPackage); void deleteTunnelInterface(int resourceId); void deleteTunnelInterface(int resourceId, in String callingPackage); IpSecTransformResponse createTransform(in IpSecConfig c, in IBinder binder); IpSecTransformResponse createTransform( in IpSecConfig c, in IBinder binder, in String callingPackage); void deleteTransform(int transformId); void applyTransportModeTransform(in ParcelFileDescriptor socket, int direction, int transformId); void applyTransportModeTransform( in ParcelFileDescriptor socket, int direction, int transformId); void applyTunnelModeTransform(int tunnelResourceId, int direction, int transformResourceId); void applyTunnelModeTransform( int tunnelResourceId, int direction, int transformResourceId, in String callingPackage); void removeTransportModeTransforms(in ParcelFileDescriptor socket); }
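Review bot: The added `in String callingPackage` parameters carry no documentation, although the value is chosen by the calling process and cannot be trusted on its own. A comment above `createTunnelInterface`, such as `// callingPackage is caller-supplied; the service must match it to the binder calling UID before any app-op or permission decision`, would record that contract for implementers. `createTransform` takes a package while `deleteTransform` does not; if release calls are meant to stay ungated, the same comment is the place to say so. The interface body starts and ends outside this hunk.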
core/java/android/net/IpSecManager.java +17 −8 Original line number Diff line number Diff line Loading @@ -140,6 +140,7 @@ public final class IpSecManager { } } private final Context mContext; private final IIpSecService mService; /** Loading Loading @@ -661,6 +662,7 @@ public final class IpSecManager { */ @SystemApi public static final class IpSecTunnelInterface implements AutoCloseable { private final String mOpPackageName; private final IIpSecService mService; private final InetAddress mRemoteAddress; private final InetAddress mLocalAddress; Loading Loading @@ -688,7 +690,8 @@ public final class IpSecManager { @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public void addAddress(@NonNull LinkAddress address) throws IOException { try { mService.addAddressToTunnelInterface(mResourceId, address); mService.addAddressToTunnelInterface( mResourceId, address, mOpPackageName); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } Loading @@ -706,16 +709,18 @@ public final class IpSecManager { @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS) public void removeAddress(@NonNull LinkAddress address) throws IOException { try { mService.removeAddressFromTunnelInterface(mResourceId, address); mService.removeAddressFromTunnelInterface( mResourceId, address, mOpPackageName); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } private IpSecTunnelInterface(@NonNull IIpSecService service, private IpSecTunnelInterface(@NonNull Context ctx, @NonNull IIpSecService service, @NonNull InetAddress localAddress, @NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork) throws ResourceUnavailableException, IOException { mOpPackageName = ctx.getOpPackageName(); mService = service; mLocalAddress = localAddress; mRemoteAddress = remoteAddress; Loading 
@@ -727,7 +732,8 @@ public final class IpSecManager { localAddress.getHostAddress(), remoteAddress.getHostAddress(), underlyingNetwork, new Binder()); new Binder(), mOpPackageName); switch (result.status) { case Status.OK: break; Loading Loading @@ -756,7 +762,7 @@ public final class IpSecManager { @Override public void close() { try { mService.deleteTunnelInterface(mResourceId); mService.deleteTunnelInterface(mResourceId, mOpPackageName); mResourceId = INVALID_RESOURCE_ID; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); Loading Loading @@ -801,7 +807,8 @@ public final class IpSecManager { public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress, @NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork) throws ResourceUnavailableException, IOException { return new IpSecTunnelInterface(mService, localAddress, remoteAddress, underlyingNetwork); return new IpSecTunnelInterface( mContext, mService, localAddress, remoteAddress, underlyingNetwork); } /** Loading @@ -827,7 +834,8 @@ public final class IpSecManager { @PolicyDirection int direction, @NonNull IpSecTransform transform) throws IOException { try { mService.applyTunnelModeTransform( tunnel.getResourceId(), direction, transform.getResourceId()); tunnel.getResourceId(), direction, transform.getResourceId(), mContext.getOpPackageName()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } Loading @@ -839,7 +847,8 @@ public final class IpSecManager { * @param context the application context for this manager * @hide */ public IpSecManager(IIpSecService service) { public IpSecManager(Context ctx, IIpSecService service) { mContext = ctx; mService = checkNotNull(service, "missing service"); } }
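Review bot: The new constructor stores `ctx` unchecked (`mContext = ctx;`) while the service argument on the next line goes through `checkNotNull`. A null context is therefore only noticed later, when `applyTunnelModeTransform` calls `mContext.getOpPackageName()` or the `IpSecTunnelInterface` constructor calls `ctx.getOpPackageName()`. `mContext = checkNotNull(ctx, "missing context");` fails at construction and keeps the two arguments consistent. The Javadoc just above still says `@param context` although the parameter is named `ctx`, and should become `@param ctx the context whose op package name is sent with tunnel calls`.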
core/java/android/net/IpSecTransform.java +2 −1 Original line number Diff line number Diff line Loading @@ -130,7 +130,8 @@ public final class IpSecTransform implements AutoCloseable { synchronized (this) { try { IIpSecService svc = getIpSecService(); IpSecTransformResponse result = svc.createTransform(mConfig, new Binder()); IpSecTransformResponse result = svc.createTransform( mConfig, new Binder(), mContext.getOpPackageName()); int status = result.status; checkResultStatus(status); mResourceId = result.resourceId; Loading
services/core/java/com/android/server/IpSecService.java +44 −15 Original line number Diff line number Diff line Loading @@ -24,6 +24,8 @@ import static android.system.OsConstants.IPPROTO_UDP; import static android.system.OsConstants.SOCK_DGRAM; import static com.android.internal.util.Preconditions.checkNotNull; import android.annotation.NonNull; import android.app.AppOpsManager; import android.content.Context; import android.net.ConnectivityManager; import android.net.IIpSecService; Loading @@ -42,6 +44,7 @@ import android.net.NetworkUtils; import android.net.TrafficStats; import android.net.util.NetdService; import android.os.Binder; import android.os.DeadSystemException; import android.os.IBinder; import android.os.ParcelFileDescriptor; import android.os.RemoteException; Loading Loading @@ -974,6 +977,13 @@ public class IpSecService extends IIpSecService.Stub { return service; } @NonNull private AppOpsManager getAppOpsManager() { AppOpsManager appOps = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE); if(appOps == null) throw new RuntimeException("System Server couldn't get AppOps"); return appOps; } /** @hide */ @VisibleForTesting public IpSecService(Context context, IpSecServiceConfiguration config) { Loading Loading @@ -1240,7 +1250,9 @@ public class IpSecService extends IIpSecService.Stub { */ @Override public synchronized IpSecTunnelInterfaceResponse createTunnelInterface( String localAddr, String remoteAddr, Network underlyingNetwork, IBinder binder) { String localAddr, String remoteAddr, Network underlyingNetwork, IBinder binder, String callingPackage) { enforceTunnelPermissions(callingPackage); checkNotNull(binder, "Null Binder passed to createTunnelInterface"); checkNotNull(underlyingNetwork, "No underlying network was specified"); checkInetAddress(localAddr); Loading Loading 
@@ -1320,8 +1332,8 @@ public class IpSecService extends IIpSecService.Stub { */ @Override public synchronized void addAddressToTunnelInterface( int tunnelResourceId, LinkAddress localAddr) { enforceNetworkStackPermission(); int tunnelResourceId, LinkAddress localAddr, String callingPackage) { enforceTunnelPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); // Get tunnelInterface record; if no such interface is found, will throw Loading Loading @@ -1352,10 +1364,10 @@ public class IpSecService extends IIpSecService.Stub { */ @Override public synchronized void removeAddressFromTunnelInterface( int tunnelResourceId, LinkAddress localAddr) { enforceNetworkStackPermission(); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int tunnelResourceId, LinkAddress localAddr, String callingPackage) { enforceTunnelPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); // Get tunnelInterface record; if no such interface is found, will throw // IllegalArgumentException TunnelInterfaceRecord tunnelInterfaceInfo = Loading Loading @@ -1383,7 +1395,9 @@ public class IpSecService extends IIpSecService.Stub { * server */ @Override public synchronized void deleteTunnelInterface(int resourceId) throws RemoteException { public synchronized void deleteTunnelInterface( int resourceId, String callingPackage) throws RemoteException { enforceTunnelPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); releaseResource(userRecord.mTunnelInterfaceRecords, resourceId); } Loading Loading @@ -1469,7 +1483,6 @@ public class IpSecService extends IIpSecService.Stub { case IpSecTransform.MODE_TRANSPORT: break; case IpSecTransform.MODE_TUNNEL: enforceNetworkStackPermission(); break; default: throw new IllegalArgumentException( Loading 
@@ -1477,9 +1490,20 @@ public class IpSecService extends IIpSecService.Stub { } } private void enforceNetworkStackPermission() { mContext.enforceCallingOrSelfPermission(android.Manifest.permission.NETWORK_STACK, "IpSecService"); private void enforceTunnelPermissions(String callingPackage) { checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels"); switch (getAppOpsManager().noteOp( AppOpsManager.OP_MANAGE_IPSEC_TUNNELS, Binder.getCallingUid(), callingPackage)) { case AppOpsManager.MODE_DEFAULT: mContext.enforceCallingOrSelfPermission( android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService"); break; case AppOpsManager.MODE_ALLOWED: return; default: throw new SecurityException("Request to ignore AppOps for non-legacy API"); } } private void createOrUpdateTransform( Loading Loading @@ -1535,8 +1559,12 @@ public class IpSecService extends IIpSecService.Stub { * result in all of those sockets becoming unable to send or receive data. */ @Override public synchronized IpSecTransformResponse createTransform(IpSecConfig c, IBinder binder) throws RemoteException { public synchronized IpSecTransformResponse createTransform( IpSecConfig c, IBinder binder, String callingPackage) throws RemoteException { checkNotNull(c); if (c.getMode() == IpSecTransform.MODE_TUNNEL) { enforceTunnelPermissions(callingPackage); } checkIpSecConfig(c); checkNotNull(binder, "Null Binder passed to createTransform"); final int resourceId = mNextResourceId++; Loading Loading 
@@ -1657,8 +1685,9 @@ public class IpSecService extends IIpSecService.Stub { */ @Override public synchronized void applyTunnelModeTransform( int tunnelResourceId, int direction, int transformResourceId) throws RemoteException { enforceNetworkStackPermission(); int tunnelResourceId, int direction, int transformResourceId, String callingPackage) throws RemoteException { enforceTunnelPermissions(callingPackage); checkDirection(direction); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); Loading
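Review bot: `deleteTunnelInterface` now runs `enforceTunnelPermissions(callingPackage)` before `releaseResource(...)`, so a caller whose app-op mode or permission changed after the tunnel was created gets a SecurityException from `IpSecTunnelInterface.close()` and cannot release its own interface. The record is already looked up under `Binder.getCallingUid()`, so the release path looks safe without the extra gate; consider dropping the check there, or confirm that cleanup on binder death covers the case. `enforceTunnelPermissions` also needs a comment on its decision table: the package name is caller-supplied and presumably validated against the calling UID by `noteOp`, `MODE_ALLOWED` grants access without the permission, `MODE_DEFAULT` falls back to `MANAGE_IPSEC_TUNNELS`, and every other mode is refused. With `enforceNetworkStackPermission()` removed from the `MODE_TUNNEL` case of the config check, `createTransform` is the only visible gate for tunnel-mode configs, which should be verified against any other caller of `checkIpSecConfig`. Most of these method bodies continue outside the hunks shown.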