commit 1f8bf657bbcd3b4a020df27ca6a000b6f36e7804
author junyulai <junyulai@google.com> Tue Apr 30 14:42:05 2019 +0800
committer junyulai <junyulai@google.com> Fri May 10 00:36:58 2019 +0800
tree 45a91f4f92fbf0ff4ff50a39af8506501b0b90e4
parent 15e26fb48528ba475ceeb61d7e9160a8764a1ea3

Limit unprivileged keepalives per uid

Public APIs for creating unprivileged NATT socket keepalive
might allow users to exhaust resource if malicious apps try
to create keepalives with fd which is not created by
IpSecService through binder call. Thus, this change add
customizable limitation per uid to prevent resource exhaustion
attack.

Bug: 129371366
Bug: 132307230
Test: atest FrameworksNetTests
Change-Id: Ibcb91105e46f7e898b8aa7c2babc3344ef2c6257

services/core/java/com/android/server/connectivity/KeepaliveTracker.java

diff --git a/services/core/java/com/android/server/connectivity/KeepaliveTracker.java b/services/core/java/com/android/server/connectivity/KeepaliveTracker.java
index 4ba88a8..ae58e99 100644
--- a/services/core/java/com/android/server/connectivity/KeepaliveTracker.java
+++ b/services/core/java/com/android/server/connectivity/KeepaliveTracker.java
@@ -104,6 +104,10 @@
     // the number of remaining keepalive slots is less than or equal to the threshold.
     private final int mReservedPrivilegedSlots;
 
+    // Allowed unprivileged keepalive slots per uid. Caller's permission will be enforced if
+    // the number of remaining keepalive slots is less than or equal to the threshold.
+    private final int mAllowedUnprivilegedSlotsForUid;
+
     public KeepaliveTracker(Context context, Handler handler) {
         mConnectivityServiceHandler = handler;
         mTcpController = new TcpKeepaliveController(handler);
@@ -111,6 +115,8 @@
         mSupportedKeepalives = KeepaliveUtils.getSupportedKeepalives(mContext);
         mReservedPrivilegedSlots = mContext.getResources().getInteger(
                 R.integer.config_reservedPrivilegedKeepaliveSlots);
+        mAllowedUnprivilegedSlotsForUid = mContext.getResources().getInteger(
+                R.integer.config_allowedUnprivilegedKeepalivePerUid);
     }
 
     /**
@@ -276,6 +282,18 @@
                 return ERROR_INSUFFICIENT_RESOURCES;
             }
 
+            // Count unprivileged keepalives for the same uid across networks.
+            int unprivilegedCountSameUid = 0;
+            for (final HashMap<Integer, KeepaliveInfo> kaForNetwork : mKeepalives.values()) {
+                for (final KeepaliveInfo ki : kaForNetwork.values()) {
+                    if (ki.mUid == mUid) {
+                        unprivilegedCountSameUid++;
+                    }
+                }
+            }
+            if (unprivilegedCountSameUid > mAllowedUnprivilegedSlotsForUid) {
+                return ERROR_INSUFFICIENT_RESOURCES;
+            }
             return SUCCESS;
         }
 
@@ -701,6 +719,7 @@
     public void dump(IndentingPrintWriter pw) {
         pw.println("Supported Socket keepalives: " + Arrays.toString(mSupportedKeepalives));
         pw.println("Reserved Privileged keepalives: " + mReservedPrivilegedSlots);
+        pw.println("Allowed Unprivileged keepalives per uid: " + mAllowedUnprivilegedSlotsForUid);
         pw.println("Socket keepalives:");
         pw.increaseIndent();
         for (NetworkAgentInfo nai : mKeepalives.keySet()) {