Merge cherrypicks of ['android-review.googlesource.com/3144280', 'android-review.googlesource.com/3151359'] into 24Q3-release.
Change-Id: I00a0befcaba506213c989d6f9b45145e90c77103
diff --git a/bpf_progs/netd.h b/bpf_progs/netd.h
index 332979b..4877a4b 100644
--- a/bpf_progs/netd.h
+++ b/bpf_progs/netd.h
@@ -270,5 +270,5 @@
static inline bool is_system_uid(uint32_t uid) {
// MIN_SYSTEM_UID is AID_ROOT == 0, so uint32_t is *always* >= 0
// MAX_SYSTEM_UID is AID_NOBODY == 9999, while AID_APP_START == 10000
- return (uid < AID_APP_START);
+ return ((uid % AID_USER_OFFSET) < AID_APP_START);
}
diff --git a/framework/src/android/net/BpfNetMapsUtils.java b/framework/src/android/net/BpfNetMapsUtils.java
index 4099e2a..282a11e 100644
--- a/framework/src/android/net/BpfNetMapsUtils.java
+++ b/framework/src/android/net/BpfNetMapsUtils.java
@@ -68,6 +68,7 @@
import android.os.Build;
import android.os.Process;
import android.os.ServiceSpecificException;
+import android.os.UserHandle;
import android.system.ErrnoException;
import android.system.Os;
import android.util.Pair;
@@ -330,9 +331,9 @@
) {
throwIfPreT("isUidBlockedByFirewallChains is not available on pre-T devices");
- // System uid is not blocked by firewall chains, see bpf_progs/netd.c
- // TODO: use UserHandle.isCore() once it is accessible
- if (uid < Process.FIRST_APPLICATION_UID) {
+ // System uids are not blocked by firewall chains, see bpf_progs/netd.c
+ // TODO: b/348513058 - use UserHandle.isCore() once it is accessible
+ if (UserHandle.getAppId(uid) < Process.FIRST_APPLICATION_UID) {
return false;
}
diff --git a/netd/BpfHandler.cpp b/netd/BpfHandler.cpp
index 5d64ae7..0f84656 100644
--- a/netd/BpfHandler.cpp
+++ b/netd/BpfHandler.cpp
@@ -266,7 +266,10 @@
}
Status BpfHandler::initMaps() {
- mapLockTest();
+ // bpfLock() requires bpfGetFdMapId which is only available on 4.14+ kernels.
+ if (bpf::isAtLeastKernelVersion(4, 14, 0)) {
+ mapLockTest();
+ }
RETURN_IF_NOT_OK(mStatsMapA.init(STATS_MAP_A_PATH));
RETURN_IF_NOT_OK(mStatsMapB.init(STATS_MAP_B_PATH));
diff --git a/tests/unit/java/com/android/server/BpfNetMapsTest.java b/tests/unit/java/com/android/server/BpfNetMapsTest.java
index cbc060a..859c54a 100644
--- a/tests/unit/java/com/android/server/BpfNetMapsTest.java
+++ b/tests/unit/java/com/android/server/BpfNetMapsTest.java
@@ -87,7 +87,9 @@
import android.net.InetAddresses;
import android.net.UidOwnerValue;
import android.os.Build;
+import android.os.Process;
import android.os.ServiceSpecificException;
+import android.os.UserHandle;
import android.system.ErrnoException;
import android.util.ArraySet;
import android.util.IndentingPrintWriter;
@@ -1249,6 +1251,32 @@
);
}
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testIsUidNetworkingBlockedForCoreUids() throws Exception {
+ final long allowlistMatch = BACKGROUND_MATCH; // Enable any allowlist match.
+ mConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, new U32(allowlistMatch));
+
+ // Verify that a normal uid that is not on this chain is indeed blocked.
+ assertTrue(BpfNetMapsUtils.isUidNetworkingBlocked(TEST_UID, false, mConfigurationMap,
+ mUidOwnerMap, mDataSaverEnabledMap));
+
+ final int[] coreAids = new int[] {
+ Process.ROOT_UID,
+ Process.SYSTEM_UID,
+ Process.FIRST_APPLICATION_UID - 10,
+ Process.FIRST_APPLICATION_UID - 1,
+ };
+ // Core appIds are not on the chain but should still be allowed on any user.
+ for (int userId = 0; userId < 20; userId++) {
+ for (final int aid : coreAids) {
+ final int uid = UserHandle.getUid(userId, aid);
+ assertFalse(BpfNetMapsUtils.isUidNetworkingBlocked(uid, false, mConfigurationMap,
+ mUidOwnerMap, mDataSaverEnabledMap));
+ }
+ }
+ }
+
private void doTestIsUidRestrictedOnMeteredNetworks(
final long enabledMatches,
final long uidRules,