
Commit 85fb9ea5 authored by Ken Chen's avatar Ken Chen Committed by Lorenzo Colitti

Add a resolver option to enforce AID_DNS on query

The default behavior is that plaintext DNS queries are sent with the
application's UID, set using fchown(). DoT queries are sent with a UID of AID_DNS.
This option controls the UID used for plaintext DNS queries.

Bug: 154910763
Test: atest
Change-Id: Iada5d850d8bb9d7b0ad46f5c28a1fff22c7d11a6
Merged-In: Iada5d850d8bb9d7b0ad46f5c28a1fff22c7d11a6
parent f95c3342
+1 −0
@@ -20,4 +20,5 @@ package android.net;
parcelable ResolverOptionsParcel {
  android.net.ResolverHostsParcel[] hosts = {};
  int tcMode = 0;
  boolean enforceDnsUid = false;
}
+14 −0
@@ -43,4 +43,18 @@ parcelable ResolverOptionsParcel {
     * Other values are invalid.
     */
    int tcMode = 0;

    /**
     * The default behavior is that plaintext DNS queries are sent by the application's UID using
     * fchown(). DoT are sent with an UID of AID_DNS. This option control the plaintext uid of DNS
     * query.
     * Setting this option to true decreases battery life because it results in the device sending
     * UDP DNS queries even if the app that made the DNS lookup does not have network access.
     * Anecdotal data from the field suggests that about 15% of DNS lookups are in this category.
     * This option also results in data usage for UDP DNS queries being attributed to the OS instead
     * of to the requesting app.
     * false: set application uid on DNS sockets (default)
     * true: set AID_DNS on DNS sockets
     */
    boolean enforceDnsUid = false;
}
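Review bot: The doc comment on `enforceDnsUid` says the option results in "UDP DNS queries", but the same commit also retags the TCP socket (`statp->tcp_nssock`) with AID_DNS, so the documented scope is narrower than the behaviour. The comment lists the battery and data-attribution costs but not the policy consequence they imply: lookups made by an app without network access still leave the device, so per-UID network restrictions appear not to cover that app's plaintext DNS while the option is on. I would write "plaintext DNS queries (UDP and TCP)" and add a line such as `Per-UID network restrictions on the requesting app do not apply to these queries while this option is true.` Two small wording fixes in the same comment: `This option controls` and `a UID`.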
+3 −0
@@ -1003,6 +1003,7 @@ struct NetConfig {
    // If resolverParams.hosts is empty, the existing customized table will be erased.
    HostMapping customizedTable = {};
    int tc_mode = aidl::android::net::IDnsResolver::TC_MODE_DEFAULT;
    bool enforceDnsUid = false;
    std::vector<int32_t> transportTypes;
};

@@ -1645,6 +1646,7 @@ int resolv_set_nameservers(unsigned netid, const std::vector<std::string>& serve
        return -EINVAL;
    }
    netconfig->tc_mode = resolverOptions.tcMode;
    netconfig->enforceDnsUid = resolverOptions.enforceDnsUid;

    netconfig->transportTypes = transportTypes;

@@ -1683,6 +1685,7 @@ void resolv_populate_res_for_net(ResState* statp) {
    statp->nsaddrs = info->nameserverSockAddrs;
    statp->search_domains = info->search_domains;
    statp->tc_mode = info->tc_mode;
    statp->enforce_dns_uid = info->enforceDnsUid;
}

/* Resolver reachability statistics. */
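Review bot: `statp->enforce_dns_uid` is assigned only at the end of `resolv_populate_res_for_net`, whose start is outside the hunk, so if the function returns early when no config exists for the network, the flag keeps whatever value the ResState already had. Because this flag decides which UID owns the query socket, the field should carry an explicit default; its declaration is not shown on this page, so please confirm it reads `bool enforce_dns_uid = false;`. The new `NetConfig` member is also undocumented; a comment such as `// true: plaintext query sockets are owned by AID_DNS instead of the app UID` above `enforceDnsUid` would help the next reader.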
+4 −2
@@ -707,7 +707,8 @@ same_ns:
                    return -1;
            }
        }
        resolv_tag_socket(statp->tcp_nssock, statp->uid, statp->pid);
        const uid_t uid = statp->enforce_dns_uid ? AID_DNS : statp->uid;
        resolv_tag_socket(statp->tcp_nssock, uid, statp->pid);
        if (statp->_mark != MARK_UNSET) {
            if (setsockopt(statp->tcp_nssock, SOL_SOCKET, SO_MARK, &statp->_mark,
                           sizeof(statp->_mark)) < 0) {
@@ -1018,7 +1019,8 @@ static int send_dg(res_state statp, res_params* params, const uint8_t* buf, int
            }
        }

        resolv_tag_socket(statp->nssocks[*ns], statp->uid, statp->pid);
        const uid_t uid = statp->enforce_dns_uid ? AID_DNS : statp->uid;
        resolv_tag_socket(statp->nssocks[*ns], uid, statp->pid);
        if (statp->_mark != MARK_UNSET) {
            if (setsockopt(statp->nssocks[*ns], SOL_SOCKET, SO_MARK, &(statp->_mark),
                           sizeof(statp->_mark)) < 0) {
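Review bot: The UID choice `statp->enforce_dns_uid ? AID_DNS : statp->uid` is written out twice, once in the TCP path after `same_ns:` and once in `send_dg`, so a later change to the policy can easily update one transport and miss the other. A single helper, for example `static uid_t query_socket_uid(res_state statp) { return statp->enforce_dns_uid ? AID_DNS : statp->uid; }`, called from both `resolv_tag_socket` sites, keeps the decision in one place. The commit message lists only `Test: atest` and no test change is visible on this page; a test that checks the socket owner for both option values over UDP and TCP would pin the behaviour. Both enclosing functions continue outside the hunks.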
+2 −1
@@ -84,7 +84,8 @@ int resolv_set_nameservers(unsigned netid, const std::vector<std::string>& serve
                           const std::vector<std::string>& domains, const res_params& params,
                           const aidl::android::net::ResolverOptionsParcel& resolverOptions =
                                   {{} /* hosts */,
                                    aidl::android::net::IDnsResolver::TC_MODE_DEFAULT},
                                    aidl::android::net::IDnsResolver::TC_MODE_DEFAULT,
                                    false /* enforceDnsUid */},
                           const std::vector<int32_t>& transportTypes = {});

// Creates the cache associated with the given network.
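Review bot: The default argument for `resolverOptions` builds `ResolverOptionsParcel` positionally, so it depends on the parcel's field order and has to be edited every time a field is added, as this change shows. The AIDL already declares defaults for these fields (`tcMode = 0`, `enforceDnsUid = false`), so if `TC_MODE_DEFAULT` equals that default, `const aidl::android::net::ResolverOptionsParcel& resolverOptions = {},` would express the same thing without needing further edits. The declaration of `resolv_set_nameservers` starts above the hunk.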