Loading Android.bp +20 −5 Original line number Diff line number Diff line Loading @@ -148,6 +148,12 @@ cc_defaults { suffix: "64", }, }, // 'resolv_test_config_template' used DisableConfigSyncTargetPreparer provided // by net-tests-utils-host-common; adding it to make the host jar available // after the build process. host_required: [ "net-tests-utils-host-common", ] } cc_defaults { Loading @@ -164,6 +170,12 @@ cc_defaults { suffix: "64", }, }, // 'resolv_test_config_without_root_template' used DisableConfigSyncTargetPreparer // provided by net-tests-utils-host-common; adding it to make the host jar available // after the build process. host_required: [ "net-tests-utils-host-common", ] } cc_library { Loading Loading @@ -236,15 +248,11 @@ cc_library { "libcrypto", "liblog", //Used by libstatslog_resolv "libssl", "libstatssocket", ], header_libs: [ "libnetdbinder_utils_headers", ], runtime_libs: [ // Causes the linkerconfig to create a namespace link from resolv to the // libstatssocket library within the statsd apex "libstatssocket", ], export_include_dirs: ["include"], product_variables: { Loading Loading @@ -349,6 +357,7 @@ doh_rust_deps = [ "liblibc", "liblog_rust", "libring", "libstatslog_rust", "libthiserror", "libtokio", "liburl", Loading Loading @@ -395,6 +404,11 @@ rust_ffi_static { rlibs: doh_rust_deps + ["libquiche_static"], prefer_rlib: true, shared_libs: [ "libstatssocket", ], // TODO(b/194022174), for unit tests to run on the Android 10 platform, // libunwind must be statically linked. whole_static_libs: ["libunwind"], Loading Loading @@ -425,6 +439,7 @@ rust_ffi_static { "liblog_rust", "libquiche_static", "libring", "libstatslog_rust", "libthiserror", "libtokio", "liburl", Loading DnsProxyListener.cpp +16 −2 Original line number Diff line number Diff line Loading 
@@ -59,6 +59,7 @@ #include "resolv_private.h" #include "stats.h" // RCODE_TIMEOUT #include "stats.pb.h" #include "util.h" using aidl::android::net::metrics::INetdEventListener; using aidl::android::net::resolv::aidl::DnsHealthEventParcel; Loading Loading @@ -678,6 +679,9 @@ DnsProxyListener::GetAddrInfoHandler::GetAddrInfoHandler(SocketClient* c, std::s mHints(std::move(hints)), mNetContext(netcontext) {} // Before U, the Netd callback is implemented by OEM to evaluate if a DNS query for the provided // hostname is allowed. On U+, the Netd callback also checks if the user is allowed to send DNS on // the specified network. static bool evaluate_domain_name(const android_net_context& netcontext, const char* host) { if (!gResNetdCallbacks.evaluate_domain_name) return true; return gResNetdCallbacks.evaluate_domain_name(netcontext, host); Loading Loading @@ -1404,8 +1408,18 @@ void DnsProxyListener::GetHostByAddrHandler::run() { NetworkDnsEventReported event; initDnsEvent(&event, mNetContext); if (queryLimiter.start(uid)) { // From Android U, evaluate_domain_name() is not only for OEM customization, but also tells // DNS resolver whether the UID can send DNS on the specified network. The function needs // to be called even when there is no domain name to evaluate (GetHostByAddr). This is // applied on U+ only so that the behavior won’t change on T- OEM devices. // TODO: pass the actual name into evaluate_domain_name, e.g., 238.26.217.172.in-addr.arpa // when the lookup address is 172.217.26.238. if (isAtLeastU() && !evaluate_domain_name(mNetContext, nullptr)) { rv = EAI_SYSTEM; } else { rv = resolv_gethostbyaddr(&mAddress, mAddressLen, mAddressFamily, &hbuf, tmpbuf, sizeof tmpbuf, &mNetContext, &hp, &event); } queryLimiter.finish(uid); } else { rv = EAI_MEMORY; Loading PrivateDnsConfiguration.cpp +6 −1 Original line number Diff line number Diff line Loading 
@@ -568,6 +568,9 @@ int PrivateDnsConfiguration::setDoh(int32_t netId, uint32_t mark, return 0; } const NetworkType networkType = resolv_get_network_types_for_net(netId); const PrivateDnsStatus status = getStatusLocked(netId); const auto getTimeoutFromFlag = [&](const std::string_view key, int defaultValue) -> uint64_t { static constexpr int kMinTimeoutMs = 1000; uint64_t timeout = Experiments::getInstance()->getFlag(key, defaultValue); Loading Loading @@ -628,8 +631,10 @@ int PrivateDnsConfiguration::setDoh(int32_t netId, uint32_t mark, << ", use_session_resumption=" << flags.use_session_resumption << ", enable_early_data=" << flags.enable_early_data; const PrivateDnsModes privateDnsMode = convertEnumType(status.mode); return doh_net_new(mDohDispatcher, netId, dohId.httpsTemplate.c_str(), dohId.host.c_str(), dohId.ipAddr.c_str(), mark, caCert.c_str(), &flags); dohId.ipAddr.c_str(), mark, caCert.c_str(), &flags, networkType, privateDnsMode); } LOG(INFO) << __func__ << ": No suitable DoH server found"; Loading PrivateDnsConfiguration.h +6 −1 Original line number Diff line number Diff line Loading @@ -247,12 +247,17 @@ class PrivateDnsConfiguration { // TODO: Move below DoH relevant stuff into Rust implementation. std::map<unsigned, DohIdentity> mDohTracker GUARDED_BY(mPrivateDnsLock); std::array<DohProviderEntry, 4> mAvailableDoHProviders = {{ std::array<DohProviderEntry, 5> mAvailableDoHProviders = {{ {"Google", {"2001:4860:4860::8888", "2001:4860:4860::8844", "8.8.8.8", "8.8.4.4"}, "dns.google", "https://dns.google/dns-query", false}, {"Google DNS64", {"2001:4860:4860::64", "2001:4860:4860::6464"}, "dns64.dns.google", "https://dns64.dns.google/dns-query", false}, {"Cloudflare", {"2606:4700::6810:f8f9", "2606:4700::6810:f9f9", "104.16.248.249", "104.16.249.249"}, "cloudflare-dns.com", Loading doh.h +1 −1 Original line number Diff line number Diff line Loading 
@@ -92,7 +92,7 @@ void doh_dispatcher_delete(DohDispatcher* doh); /// `url`, `domain`, `ip_addr`, `cert_path` are null terminated strings. int32_t doh_net_new(DohDispatcher* doh, uint32_t net_id, const char* url, const char* domain, const char* ip_addr, uint32_t sk_mark, const char* cert_path, const FeatureFlags* flags); const FeatureFlags* flags, uint32_t network_type, uint32_t private_dns_mode); /// Sends a DNS query via the network associated to the given |net_id| and waits for the response. /// The return code should be either one of the public constant RESULT_* to indicate the error or Loading Loading
Android.bp +20 −5 Original line number Diff line number Diff line Loading @@ -148,6 +148,12 @@ cc_defaults { suffix: "64", }, }, // 'resolv_test_config_template' used DisableConfigSyncTargetPreparer provided // by net-tests-utils-host-common; adding it to make the host jar available // after the build process. host_required: [ "net-tests-utils-host-common", ] } cc_defaults { Loading @@ -164,6 +170,12 @@ cc_defaults { suffix: "64", }, }, // 'resolv_test_config_without_root_template' used DisableConfigSyncTargetPreparer // provided by net-tests-utils-host-common; adding it to make the host jar available // after the build process. host_required: [ "net-tests-utils-host-common", ] } cc_library { Loading Loading @@ -236,15 +248,11 @@ cc_library { "libcrypto", "liblog", //Used by libstatslog_resolv "libssl", "libstatssocket", ], header_libs: [ "libnetdbinder_utils_headers", ], runtime_libs: [ // Causes the linkerconfig to create a namespace link from resolv to the // libstatssocket library within the statsd apex "libstatssocket", ], export_include_dirs: ["include"], product_variables: { Loading Loading @@ -349,6 +357,7 @@ doh_rust_deps = [ "liblibc", "liblog_rust", "libring", "libstatslog_rust", "libthiserror", "libtokio", "liburl", Loading Loading @@ -395,6 +404,11 @@ rust_ffi_static { rlibs: doh_rust_deps + ["libquiche_static"], prefer_rlib: true, shared_libs: [ "libstatssocket", ], // TODO(b/194022174), for unit tests to run on the Android 10 platform, // libunwind must be statically linked. whole_static_libs: ["libunwind"], Loading Loading @@ -425,6 +439,7 @@ rust_ffi_static { "liblog_rust", "libquiche_static", "libring", "libstatslog_rust", "libthiserror", "libtokio", "liburl", Loading
DnsProxyListener.cpp +16 −2 Original line number Diff line number Diff line Loading @@ -59,6 +59,7 @@ #include "resolv_private.h" #include "stats.h" // RCODE_TIMEOUT #include "stats.pb.h" #include "util.h" using aidl::android::net::metrics::INetdEventListener; using aidl::android::net::resolv::aidl::DnsHealthEventParcel; Loading Loading @@ -678,6 +679,9 @@ DnsProxyListener::GetAddrInfoHandler::GetAddrInfoHandler(SocketClient* c, std::s mHints(std::move(hints)), mNetContext(netcontext) {} // Before U, the Netd callback is implemented by OEM to evaluate if a DNS query for the provided // hostname is allowed. On U+, the Netd callback also checks if the user is allowed to send DNS on // the specified network. static bool evaluate_domain_name(const android_net_context& netcontext, const char* host) { if (!gResNetdCallbacks.evaluate_domain_name) return true; return gResNetdCallbacks.evaluate_domain_name(netcontext, host); Loading Loading @@ -1404,8 +1408,18 @@ void DnsProxyListener::GetHostByAddrHandler::run() { NetworkDnsEventReported event; initDnsEvent(&event, mNetContext); if (queryLimiter.start(uid)) { // From Android U, evaluate_domain_name() is not only for OEM customization, but also tells // DNS resolver whether the UID can send DNS on the specified network. The function needs // to be called even when there is no domain name to evaluate (GetHostByAddr). This is // applied on U+ only so that the behavior won’t change on T- OEM devices. // TODO: pass the actual name into evaluate_domain_name, e.g., 238.26.217.172.in-addr.arpa // when the lookup address is 172.217.26.238. if (isAtLeastU() && !evaluate_domain_name(mNetContext, nullptr)) { rv = EAI_SYSTEM; } else { rv = resolv_gethostbyaddr(&mAddress, mAddressLen, mAddressFamily, &hbuf, tmpbuf, sizeof tmpbuf, &mNetContext, &hp, &event); } queryLimiter.finish(uid); } else { rv = EAI_MEMORY; Loading
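Review bot: GetHostByAddrHandler::run() now calls evaluate_domain_name(mNetContext, nullptr), but neither the helper nor its new comment states that `host` may be null, and the value is forwarded unchanged to the OEM-provided gResNetdCallbacks.evaluate_domain_name, which the comment says was written to evaluate a hostname; a U+ vendor callback that dereferences it would take the resolver down. I would state the contract on the helper, `// |host| may be nullptr (reverse lookups on U+); the callback must treat that as "no name to evaluate".`, and confirm the same wording in the callback's header, which is outside this hunk. Failing closed with EAI_SYSTEM when the callback denies is the right default. run() continues past the end of the hunk.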
PrivateDnsConfiguration.cpp +6 −1 Original line number Diff line number Diff line Loading @@ -568,6 +568,9 @@ int PrivateDnsConfiguration::setDoh(int32_t netId, uint32_t mark, return 0; } const NetworkType networkType = resolv_get_network_types_for_net(netId); const PrivateDnsStatus status = getStatusLocked(netId); const auto getTimeoutFromFlag = [&](const std::string_view key, int defaultValue) -> uint64_t { static constexpr int kMinTimeoutMs = 1000; uint64_t timeout = Experiments::getInstance()->getFlag(key, defaultValue); Loading Loading @@ -628,8 +631,10 @@ int PrivateDnsConfiguration::setDoh(int32_t netId, uint32_t mark, << ", use_session_resumption=" << flags.use_session_resumption << ", enable_early_data=" << flags.enable_early_data; const PrivateDnsModes privateDnsMode = convertEnumType(status.mode); return doh_net_new(mDohDispatcher, netId, dohId.httpsTemplate.c_str(), dohId.host.c_str(), dohId.ipAddr.c_str(), mark, caCert.c_str(), &flags); dohId.ipAddr.c_str(), mark, caCert.c_str(), &flags, networkType, privateDnsMode); } LOG(INFO) << __func__ << ": No suitable DoH server found"; Loading
PrivateDnsConfiguration.h +6 −1 Original line number Diff line number Diff line Loading @@ -247,12 +247,17 @@ class PrivateDnsConfiguration { // TODO: Move below DoH relevant stuff into Rust implementation. std::map<unsigned, DohIdentity> mDohTracker GUARDED_BY(mPrivateDnsLock); std::array<DohProviderEntry, 4> mAvailableDoHProviders = {{ std::array<DohProviderEntry, 5> mAvailableDoHProviders = {{ {"Google", {"2001:4860:4860::8888", "2001:4860:4860::8844", "8.8.8.8", "8.8.4.4"}, "dns.google", "https://dns.google/dns-query", false}, {"Google DNS64", {"2001:4860:4860::64", "2001:4860:4860::6464"}, "dns64.dns.google", "https://dns64.dns.google/dns-query", false}, {"Cloudflare", {"2606:4700::6810:f8f9", "2606:4700::6810:f9f9", "104.16.248.249", "104.16.249.249"}, "cloudflare-dns.com", Loading
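--- a/doh.h
+++ b/doh.h
@@ -92,7 +92,7 @@ void doh_dispatcher_delete(DohDispatcher* doh);
 /// `url`, `domain`, `ip_addr`, `cert_path` are null terminated strings.
 int32_t doh_net_new(DohDispatcher* doh, uint32_t net_id, const char* url, const char* domain,
                     const char* ip_addr, uint32_t sk_mark, const char* cert_path,
-                    const FeatureFlags* flags);
+                    const FeatureFlags* flags, uint32_t network_type, uint32_t private_dns_mode);
 
 /// Sends a DNS query via the network associated to the given |net_id| and waits for the response.
 /// The return code should be either one of the public constant RESULT_* to indicate the error or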
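Review bot: The two new uint32_t parameters of doh_net_new are undocumented: the `///` comment above the declaration still describes only the string arguments, so a caller cannot tell which enumerations network_type and private_dns_mode carry or how the Rust side uses them. The only visible caller, PrivateDnsConfiguration::setDoh in PrivateDnsConfiguration.cpp, passes a NetworkType and a PrivateDnsModes value through implicit conversion, so I would add `/// |network_type| and |private_dns_mode| carry NetworkType and PrivateDnsModes enum values.` next to the existing null-terminated-strings note. If they feed the new libstatslog_rust dependency added in Android.bp, saying so here would also make the purpose clear; I cannot confirm that from this page.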