Don't trip up when deleting strict iptables rules.
Currently, when applying a cleartext policy to a UID, StrictController will attempt to delete all possible policies that might previously have applied to this UID. Because only two of these rules can exist at any given time, at least one of these deletes is guaranteed to fail, causing the whole operation to fail.

Instead of adding a log or reject rule for every UID, add a rule that sends that UID to its own chain which then contains the log or reject rule. That way, deleting the previous policy only requires deleting the chain, which is something we know exists.

Bug: 64988066
Test: netd_{unit,integration}_test pass
Test: android.os.cts.StrictModeTest passes
Change-Id: Ic9d66220a65f2ce9510c4194e7b874d3d5dca5d7
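As an added illustration of the per-UID chain layout the message describes (example shell script, not netd's own code), the helpers below emit the iptables commands for applying and clearing a cleartext policy; the chain names st_clear_caught, st_penalty_log, st_penalty_reject and the st_clear_caught_<uid> naming are assumptions. It runs in dry-run mode by default, so it can be read or tested without root.

```shell
#!/bin/sh
# Added example, not netd's code. Dry-run by default: each iptables command is
# printed instead of executed. Set IPTABLES=iptables to apply for real (root).
IPTABLES="${IPTABLES:-echo iptables}"

# Per-UID chain name (assumed naming, modelled on the st_clear_caught chain).
uid_chain() { printf 'st_clear_caught_%s\n' "$1"; }

# Apply a cleartext policy ("log" or "reject") to a UID.
# The shared chain only gets a jump to the UID's own chain; the actual
# log/reject rule lives inside that per-UID chain.
strict_apply_policy() {
  uid=$1; mode=$2; chain=$(uid_chain "$uid")
  case $mode in
    log)    target=st_penalty_log ;;
    reject) target=st_penalty_reject ;;
    *) echo "unknown policy: $mode" >&2; return 1 ;;
  esac
  $IPTABLES -t filter -N "$chain" &&
  $IPTABLES -t filter -A "$chain" -j "$target" &&
  $IPTABLES -t filter -A st_clear_caught -m owner --uid-owner "$uid" -j "$chain"
}

# Clear whatever policy applies to a UID: detach, flush and delete its chain.
# Each command operates on a chain we know exists, so none of them fails the
# way deleting a log/reject rule that was never installed would.
strict_clear_policy() {
  uid=$1; chain=$(uid_chain "$uid")
  $IPTABLES -t filter -D st_clear_caught -m owner --uid-owner "$uid" -j "$chain" &&
  $IPTABLES -t filter -F "$chain" &&
  $IPTABLES -t filter -X "$chain"
}

# Replacing one policy with another is now clear-then-apply, regardless of
# which of the two policies (if any) was previously installed.
strict_set_policy() {
  strict_clear_policy "$1" >/dev/null 2>&1   # nothing to clear is fine
  strict_apply_policy "$1" "$2"
}
```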