
Commit e9b78d82 authored by Mike Yu's avatar Mike Yu

Drop the dependency of Fwmark

The resolver used to generate the desired network mark for
DoT sockets itself. Now it gets the network mark from netd instead.

Bug: 151895202
Test: Private DNS works as usual (even on VPN)
Change-Id: Ibb3e3e1ce0b43cb74962dd4436a47e9b458fa19a
parent 17bb79ae
+4 −0
@@ -147,6 +147,10 @@ DnsTlsTransport::Response DnsTlsDispatcher::query(const DnsTlsServer& server, un
                                                  const Slice query, const Slice ans, int* resplen,
                                                  const Slice query, const Slice ans, int* resplen,
                                                  bool* connectTriggered) {
                                                  bool* connectTriggered) {
    int connectCounter;
    int connectCounter;

    // TODO: This can cause the resolver to create multiple connections to the same DoT server
    // merely due to different mark, such as the bit explicitlySelected unset.
    // See if we can save them and just create one connection for one DoT server.
    const Key key = std::make_pair(mark, server);
    const Key key = std::make_pair(mark, server);
    Transport* xport;
    Transport* xport;
    {
    {
+9 −9
@@ -24,7 +24,6 @@


#include <netdb.h>
#include <netdb.h>


#include <Fwmark.h>
#include <aidl/android/net/IDnsResolver.h>
#include <aidl/android/net/IDnsResolver.h>
#include <android-base/logging.h>
#include <android-base/logging.h>
#include <android-base/strings.h>
#include <android-base/strings.h>
@@ -202,21 +201,22 @@ int ResolverController::flushNetworkCache(unsigned netId) {
int ResolverController::setResolverConfiguration(const ResolverParamsParcel& resolverParams) {
int ResolverController::setResolverConfiguration(const ResolverParamsParcel& resolverParams) {
    using aidl::android::net::IDnsResolver;
    using aidl::android::net::IDnsResolver;


    // At private DNS validation time, we only know the netId, so we have to guess/compute the
    // Expect to get the mark with system permission.
    // corresponding socket mark.
    android_net_context netcontext;
    Fwmark fwmark;
    gResNetdCallbacks.get_network_context(resolverParams.netId, 0 /* uid */, &netcontext);
    fwmark.netId = resolverParams.netId;
    fwmark.explicitlySelected = true;
    fwmark.protectedFromVpn = true;
    fwmark.permission = PERMISSION_SYSTEM;


    // Allow at most MAXNS private DNS servers in a network to prevent too many broken servers.
    // Allow at most MAXNS private DNS servers in a network to prevent too many broken servers.
    std::vector<std::string> tlsServers = resolverParams.tlsServers;
    std::vector<std::string> tlsServers = resolverParams.tlsServers;
    if (tlsServers.size() > MAXNS) {
    if (tlsServers.size() > MAXNS) {
        tlsServers.resize(MAXNS);
        tlsServers.resize(MAXNS);
    }
    }

    // Use app_mark for DoT connection. Using dns_mark might result in reaching the DoT servers
    // through a different network. For example, on a VPN with no DNS servers (Do53), if the VPN
    // applies to UID 0, dns_mark is assigned for default network rathan the VPN. (note that it's
    // possible that a VPN doesn't have any DNS servers but DoT servers in DNS strict mode)
    const int err =
    const int err =
            gPrivateDnsConfiguration.set(resolverParams.netId, fwmark.intValue, tlsServers,
            gPrivateDnsConfiguration.set(resolverParams.netId, netcontext.app_mark, tlsServers,
                                         resolverParams.tlsName, resolverParams.caCertificate);
                                         resolverParams.tlsName, resolverParams.caCertificate);


    if (err != 0) {
    if (err != 0) {
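Review bot: `android_net_context netcontext;` is declared without an initializer before `gResNetdCallbacks.get_network_context(resolverParams.netId, 0 /* uid */, &netcontext);` fills it, so if the callback leaves any field untouched (whether it can, e.g. for an unknown netId, is not visible from this hunk), the `netcontext.app_mark` handed to `gPrivateDnsConfiguration.set` is an indeterminate value used as the DoT socket mark; value-initialize it with `android_net_context netcontext{};` so a missed fill yields a zero mark rather than garbage, and if the callback reports failure, check that before using the mark. The added comment `// Expect to get the mark with system permission.` does not say what is being fetched; `// Ask netd for the network context of uid 0 (system); its app_mark is the mark the DoT sockets will use.` states the intent the code shows. The new comment block above `const int err =` has a typo, `rathan` should read `rather than`.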