Add 3rd deny firewall chain for OEM
Bug: 208371987
Test: atest
CtsNetTestCases:android.net.cts.ConnectivityManagerTest#testFirewallBlocking
ConnectivityServiceTest
Change-Id: Ib521fa02f6a19270cb88a3d85321bda822516c78
diff --git a/bpf_progs/bpf_shared.h b/bpf_progs/bpf_shared.h
index 2afb789..706dd1d 100644
--- a/bpf_progs/bpf_shared.h
+++ b/bpf_progs/bpf_shared.h
@@ -135,6 +135,7 @@
LOCKDOWN_VPN_MATCH = (1 << 8),
OEM_DENY_1_MATCH = (1 << 9),
OEM_DENY_2_MATCH = (1 << 10),
+ OEM_DENY_3_MATCH = (1 << 11),
};
enum BpfPermissionMatch {
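Review bot: The new `OEM_DENY_3_MATCH` enumerator is added without a comment, and nothing in this hunk shows how wide the rule fields that carry it are. I would add `// Third OEM denylist chain: a UID carrying this bit is dropped while the chain is enabled` above it, which is what the netd.c hunk does with the bit. The enum's opening and the type that stores these masks are outside the hunk, so confirm that bit 11 fits in that type. Also confirm that any userspace copy of these match bits is updated in the same change; a missed copy would presumably leave the chain impossible to enable rather than fail loudly.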
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 9ae8ab2..94d5ed8 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -222,6 +222,9 @@
if ((enabledRules & OEM_DENY_2_MATCH) && (uidRules & OEM_DENY_2_MATCH)) {
return BPF_DROP;
}
+ if ((enabledRules & OEM_DENY_3_MATCH) && (uidRules & OEM_DENY_3_MATCH)) {
+ return BPF_DROP;
+ }
}
if (direction == BPF_INGRESS && skb->ifindex != 1) {
if (uidRules & IIF_MATCH) {
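Review bot: The added `OEM_DENY_3_MATCH` test is a third copy of the same two-operand check, so a future chain added by copy-paste could easily pair mismatched bits and leave a deny chain silently ineffective. Since each OEM deny flag is a single bit, the checks can be folded into one without changing behaviour: `if (enabledRules & uidRules & (OEM_DENY_1_MATCH | OEM_DENY_2_MATCH | OEM_DENY_3_MATCH)) return BPF_DROP;`. Only the OEM_DENY_2 check is visible here; the OEM_DENY_1 check and the opening of the enclosing block are above the hunk, so confirm the three sit together before merging them.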