commit 11d3345daacc84dea87d6d36be8caad437e378b3
author Motomu Utsumi <motomuman@google.com> Tue Apr 02 18:29:08 2024 +0900
committer Motomu Utsumi <motomuman@google.com> Tue Apr 23 15:04:28 2024 +0900
tree f5cec4dc8d4385c04c609a661e60367161793144
parent 21b36d8c6856849c491578e8b86909b2475e2de7

Add firewall chains for HAPPY_BOX and user/admin PENALTY_BOX

Follow up CLs will update CS to generate blocked reason from bpf map
instead of asking NPMS.

However, one issue is NPMS set PENALTY_BOX for
BLOCKED_METERED_REASON_USER_RESTRICTED and
BLOCKED_METERED_REASON_ADMIN_DISABLED without telling the reason.
So, CS can not know the reason of PENALTY_BOX.

This CL add new firewall chain and match to distinguish reasons.
NPMS must call setUidFirewallRule with
FIREWALL_CHAIN_METERED_DENY_USER or FIREWALL_CHAIN_METERED_DENY_ADMIN
based on the reason so that CS can know the reason of restriction.

Bug: 332628891
Test: atest com.android.cts.net.HostsideRestrictBackgroundNetworkTests
Change-Id: Ia4ad4bdb345abc22c782630e828edfad2452db36

bpf_progs/netd.c

diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index dfc7699..2aff89c 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -644,7 +644,8 @@
 (struct __sk_buff* skb) {
     uint32_t sock_uid = bpf_get_socket_uid(skb);
     UidOwnerValue* denylistMatch = bpf_uid_owner_map_lookup_elem(&sock_uid);
-    if (denylistMatch) return denylistMatch->rule & PENALTY_BOX_MATCH ? BPF_MATCH : BPF_NOMATCH;
+    uint32_t penalty_box = PENALTY_BOX_USER_MATCH | PENALTY_BOX_ADMIN_MATCH;
+    if (denylistMatch) return denylistMatch->rule & penalty_box ? BPF_MATCH : BPF_NOMATCH;
     return BPF_NOMATCH;
 }