Block incoming non-VPN packets to apps under fully-routed VPN
When a fully-routed VPN is running, we want to prevent normal apps under the VPN from receiving packets originating from any local non-VPN interfaces. This is achieved by using eBPF to create a per-UID input interface whitelist and populate the whitelist such that all non-bypassable apps under a VPN can only receive packets from the VPN's TUN interface (and loopback implicitly) This is the Netd part of the change that auguments the existing UidOwner map to include a new boolean to enable ingress interface filtering as well as a new field per UID for the whitelisted interface index. The eBPF program is updated to drop packets according to the ingress interface whitelist map when present and enabled. This change also exposes two new netd Binder interfaces to allow ConnectivityService to update the whitelist. Test: system/netd/tests/runtests.sh Bug: 114231106 Change-Id: I033c068a350af82023c2bf909e3b3e65d9952b66
Loading
Please register or sign in to comment