New firewall chain for default background restrictions
A new firewall chain is needed to configure background network
restrictions for apps.
This change only adds the API stubs and traffic controller constants to
make the chain work. Policy changes using this chain will follow in
the framework code.
Test: atest CtsNetTestCases:ConnectivityManagerTest
Test: atest ConnectivityServiceTest
NO_IFTTT=The Lint rule along with the relevant code in Common.h is
being deleted in aosp/2819759
Bug: 304347838
Change-Id: I33e2db6671431f7c576fc931d9f96e684fc1e78a
diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt
index 4d55067..bfb4981 100644
--- a/framework/api/module-lib-current.txt
+++ b/framework/api/module-lib-current.txt
@@ -45,6 +45,7 @@
field public static final int BLOCKED_METERED_REASON_DATA_SAVER = 65536; // 0x10000
field public static final int BLOCKED_METERED_REASON_MASK = -65536; // 0xffff0000
field public static final int BLOCKED_METERED_REASON_USER_RESTRICTED = 131072; // 0x20000
+ field @FlaggedApi("com.android.net.flags.basic_background_restrictions_enabled") public static final int BLOCKED_REASON_APP_BACKGROUND = 64; // 0x40
field public static final int BLOCKED_REASON_APP_STANDBY = 4; // 0x4
field public static final int BLOCKED_REASON_BATTERY_SAVER = 1; // 0x1
field public static final int BLOCKED_REASON_DOZE = 2; // 0x2
@@ -52,6 +53,7 @@
field public static final int BLOCKED_REASON_LOW_POWER_STANDBY = 32; // 0x20
field public static final int BLOCKED_REASON_NONE = 0; // 0x0
field public static final int BLOCKED_REASON_RESTRICTED_MODE = 8; // 0x8
+ field @FlaggedApi("com.android.net.flags.basic_background_restrictions_enabled") public static final int FIREWALL_CHAIN_BACKGROUND = 6; // 0x6
field public static final int FIREWALL_CHAIN_DOZABLE = 1; // 0x1
field public static final int FIREWALL_CHAIN_LOW_POWER_STANDBY = 5; // 0x5
field public static final int FIREWALL_CHAIN_OEM_DENY_1 = 7; // 0x7
diff --git a/framework/src/android/net/BpfNetMapsConstants.java b/framework/src/android/net/BpfNetMapsConstants.java
index c784597..5d0fe73 100644
--- a/framework/src/android/net/BpfNetMapsConstants.java
+++ b/framework/src/android/net/BpfNetMapsConstants.java
@@ -16,6 +16,7 @@
package android.net;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_BACKGROUND;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_DOZABLE;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1;
@@ -77,6 +78,7 @@
public static final long OEM_DENY_1_MATCH = (1 << 9);
public static final long OEM_DENY_2_MATCH = (1 << 10);
public static final long OEM_DENY_3_MATCH = (1 << 11);
+ public static final long BACKGROUND_MATCH = (1 << 12);
public static final List<Pair<Long, String>> MATCH_LIST = Arrays.asList(
Pair.create(HAPPY_BOX_MATCH, "HAPPY_BOX_MATCH"),
@@ -90,7 +92,8 @@
Pair.create(LOCKDOWN_VPN_MATCH, "LOCKDOWN_VPN_MATCH"),
Pair.create(OEM_DENY_1_MATCH, "OEM_DENY_1_MATCH"),
Pair.create(OEM_DENY_2_MATCH, "OEM_DENY_2_MATCH"),
- Pair.create(OEM_DENY_3_MATCH, "OEM_DENY_3_MATCH")
+ Pair.create(OEM_DENY_3_MATCH, "OEM_DENY_3_MATCH"),
+ Pair.create(BACKGROUND_MATCH, "BACKGROUND_MATCH")
);
/**
@@ -102,7 +105,8 @@
FIREWALL_CHAIN_DOZABLE,
FIREWALL_CHAIN_POWERSAVE,
FIREWALL_CHAIN_RESTRICTED,
- FIREWALL_CHAIN_LOW_POWER_STANDBY
+ FIREWALL_CHAIN_LOW_POWER_STANDBY,
+ FIREWALL_CHAIN_BACKGROUND
);
/**
diff --git a/framework/src/android/net/BpfNetMapsUtils.java b/framework/src/android/net/BpfNetMapsUtils.java
index e9c9137..11d610c 100644
--- a/framework/src/android/net/BpfNetMapsUtils.java
+++ b/framework/src/android/net/BpfNetMapsUtils.java
@@ -17,6 +17,7 @@
package android.net;
import static android.net.BpfNetMapsConstants.ALLOW_CHAINS;
+import static android.net.BpfNetMapsConstants.BACKGROUND_MATCH;
import static android.net.BpfNetMapsConstants.DENY_CHAINS;
import static android.net.BpfNetMapsConstants.DOZABLE_MATCH;
import static android.net.BpfNetMapsConstants.LOW_POWER_STANDBY_MATCH;
@@ -28,6 +29,7 @@
import static android.net.BpfNetMapsConstants.POWERSAVE_MATCH;
import static android.net.BpfNetMapsConstants.RESTRICTED_MATCH;
import static android.net.BpfNetMapsConstants.STANDBY_MATCH;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_BACKGROUND;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_DOZABLE;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1;
@@ -70,6 +72,8 @@
return POWERSAVE_MATCH;
case FIREWALL_CHAIN_RESTRICTED:
return RESTRICTED_MATCH;
+ case FIREWALL_CHAIN_BACKGROUND:
+ return BACKGROUND_MATCH;
case FIREWALL_CHAIN_LOW_POWER_STANDBY:
return LOW_POWER_STANDBY_MATCH;
case FIREWALL_CHAIN_OEM_DENY_1:
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 586e4b0..57ecf49 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -135,6 +135,8 @@
"com.android.net.flags.set_data_saver_via_cm";
static final String SUPPORT_IS_UID_NETWORKING_BLOCKED =
"com.android.net.flags.support_is_uid_networking_blocked";
+ static final String BASIC_BACKGROUND_RESTRICTIONS_ENABLED =
+ "com.android.net.flags.basic_background_restrictions_enabled";
}
/**
@@ -908,6 +910,16 @@
public static final int BLOCKED_REASON_LOW_POWER_STANDBY = 1 << 5;
/**
+ * Flag to indicate that an app is subject to default background restrictions that would
+ * result in its network access being blocked.
+ *
+ * @hide
+ */
+ @FlaggedApi(Flags.BASIC_BACKGROUND_RESTRICTIONS_ENABLED)
+ @SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
+ public static final int BLOCKED_REASON_APP_BACKGROUND = 1 << 6;
+
+ /**
* Flag to indicate that an app is subject to Data saver restrictions that would
* result in its metered network access being blocked.
*
@@ -946,6 +958,7 @@
BLOCKED_REASON_RESTRICTED_MODE,
BLOCKED_REASON_LOCKDOWN_VPN,
BLOCKED_REASON_LOW_POWER_STANDBY,
+ BLOCKED_REASON_APP_BACKGROUND,
BLOCKED_METERED_REASON_DATA_SAVER,
BLOCKED_METERED_REASON_USER_RESTRICTED,
BLOCKED_METERED_REASON_ADMIN_DISABLED,
@@ -1004,6 +1017,16 @@
public static final int FIREWALL_CHAIN_LOW_POWER_STANDBY = 5;
/**
+ * Firewall chain used for always-on default background restrictions.
+ * Allowlist of apps that have access because either they are in the foreground or they are
+ * exempted for specific situations while in the background.
+ * @hide
+ */
+ @FlaggedApi(Flags.BASIC_BACKGROUND_RESTRICTIONS_ENABLED)
+ @SystemApi(client = MODULE_LIBRARIES)
+ public static final int FIREWALL_CHAIN_BACKGROUND = 6;
+
+ /**
* Firewall chain used for OEM-specific application restrictions.
*
* Denylist of apps that will not have network access due to OEM-specific restrictions. If an
@@ -1062,6 +1085,7 @@
FIREWALL_CHAIN_POWERSAVE,
FIREWALL_CHAIN_RESTRICTED,
FIREWALL_CHAIN_LOW_POWER_STANDBY,
+ FIREWALL_CHAIN_BACKGROUND,
FIREWALL_CHAIN_OEM_DENY_1,
FIREWALL_CHAIN_OEM_DENY_2,
FIREWALL_CHAIN_OEM_DENY_3