Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e9b78d82 authored by Mike Yu's avatar Mike Yu
Browse files

Drop the dependency of Fwmark 

The resolver used to generate the desired network mark for
DoT sockets. Now, change to get the network mark from netd.

Bug: 151895202
Test: Private DNS works as usual (even on VPN)
Change-Id: Ibb3e3e1ce0b43cb74962dd4436a47e9b458fa19a
parent 17bb79ae

DnsTlsDispatcher.cpp

+4 −0
Original line number Diff line number Diff line
@@ -147,6 +147,10 @@ DnsTlsTransport::Response DnsTlsDispatcher::query(const DnsTlsServer& server, un 
                                                  const Slice query, const Slice ans, int* resplen,

                                                  bool* connectTriggered) {

    int connectCounter;



    // TODO: This can cause the resolver to create multiple connections to the same DoT server

    // merely due to different mark, such as the bit explicitlySelected unset.

    // See if we can save them and just create one connection for one DoT server.

    const Key key = std::make_pair(mark, server);

    Transport* xport;

    {

ResolverController.cpp

+9 −9
Original line number Diff line number Diff line
@@ -24,7 +24,6 @@ 


#include <netdb.h>



#include <Fwmark.h>

#include <aidl/android/net/IDnsResolver.h>

#include <android-base/logging.h>

#include <android-base/strings.h>
@@ -202,21 +201,22 @@ int ResolverController::flushNetworkCache(unsigned netId) { 
int ResolverController::setResolverConfiguration(const ResolverParamsParcel& resolverParams) {

    using aidl::android::net::IDnsResolver;



    // At private DNS validation time, we only know the netId, so we have to guess/compute the

    // corresponding socket mark.

    Fwmark fwmark;

    fwmark.netId = resolverParams.netId;

    fwmark.explicitlySelected = true;

    fwmark.protectedFromVpn = true;

    fwmark.permission = PERMISSION_SYSTEM;

    // Expect to get the mark with system permission.

    android_net_context netcontext;

    gResNetdCallbacks.get_network_context(resolverParams.netId, 0 /* uid */, &netcontext);



    // Allow at most MAXNS private DNS servers in a network to prevent too many broken servers.

    std::vector<std::string> tlsServers = resolverParams.tlsServers;

    if (tlsServers.size() > MAXNS) {

        tlsServers.resize(MAXNS);

    }



    // Use app_mark for DoT connection. Using dns_mark might result in reaching the DoT servers

    // through a different network. For example, on a VPN with no DNS servers (Do53), if the VPN

    // applies to UID 0, dns_mark is assigned for default network rathan the VPN. (note that it's

    // possible that a VPN doesn't have any DNS servers but DoT servers in DNS strict mode)

    const int err =

            gPrivateDnsConfiguration.set(resolverParams.netId, fwmark.intValue, tlsServers,

            gPrivateDnsConfiguration.set(resolverParams.netId, netcontext.app_mark, tlsServers,

                                         resolverParams.tlsName, resolverParams.caCertificate);



    if (err != 0) {