Merge changes from topic "switch_uid_owner_map_api" am: eec62aafe4
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2173595
Change-Id: Ica75de60fac7bcd3216be718dd230c118ee22e15
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index 7e6285a..594223c 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -40,7 +40,6 @@
import android.system.Os;
import android.util.Log;
-import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.modules.utils.build.SdkLevel;
import com.android.net.module.util.BpfMap;
@@ -365,7 +364,13 @@
*/
public void addNaughtyApp(final int uid) {
throwIfPreT("addNaughtyApp is not available on pre-T devices");
- addRule(uid, PENALTY_BOX_MATCH, "addNaughtyApp");
+
+ if (sEnableJavaBpfMap) {
+ addRule(uid, PENALTY_BOX_MATCH, "addNaughtyApp");
+ } else {
+ final int err = native_addNaughtyApp(uid);
+ maybeThrow(err, "Unable to add naughty app");
+ }
}
/**
@@ -377,7 +382,13 @@
*/
public void removeNaughtyApp(final int uid) {
throwIfPreT("removeNaughtyApp is not available on pre-T devices");
- removeRule(uid, PENALTY_BOX_MATCH, "removeNaughtyApp");
+
+ if (sEnableJavaBpfMap) {
+ removeRule(uid, PENALTY_BOX_MATCH, "removeNaughtyApp");
+ } else {
+ final int err = native_removeNaughtyApp(uid);
+ maybeThrow(err, "Unable to remove naughty app");
+ }
}
/**
@@ -389,7 +400,13 @@
*/
public void addNiceApp(final int uid) {
throwIfPreT("addNiceApp is not available on pre-T devices");
- addRule(uid, HAPPY_BOX_MATCH, "addNiceApp");
+
+ if (sEnableJavaBpfMap) {
+ addRule(uid, HAPPY_BOX_MATCH, "addNiceApp");
+ } else {
+ final int err = native_addNiceApp(uid);
+ maybeThrow(err, "Unable to add nice app");
+ }
}
/**
@@ -401,7 +418,13 @@
*/
public void removeNiceApp(final int uid) {
throwIfPreT("removeNiceApp is not available on pre-T devices");
- removeRule(uid, HAPPY_BOX_MATCH, "removeNiceApp");
+
+ if (sEnableJavaBpfMap) {
+ removeRule(uid, HAPPY_BOX_MATCH, "removeNiceApp");
+ } else {
+ final int err = native_removeNiceApp(uid);
+ maybeThrow(err, "Unable to remove nice app");
+ }
}
/**
@@ -468,36 +491,73 @@
public void replaceUidChain(final int chain, final int[] uids) {
throwIfPreT("replaceUidChain is not available on pre-T devices");
- final long match;
- try {
- match = getMatchByFirewallChain(chain);
- } catch (ServiceSpecificException e) {
- // Throws IllegalArgumentException to keep the behavior of
- // ConnectivityManager#replaceFirewallChain API
- throw new IllegalArgumentException("Invalid firewall chain: " + chain);
- }
- final Set<Integer> uidSet = Arrays.stream(uids).boxed().collect(Collectors.toSet());
- final Set<Integer> uidSetToRemoveRule = new HashSet<>();
- try {
- synchronized (sUidOwnerMap) {
- sUidOwnerMap.forEach((uid, config) -> {
- // config could be null if there is a concurrent entry deletion.
- // http://b/220084230.
- if (config != null
- && !uidSet.contains((int) uid.val) && (config.rule & match) != 0) {
- uidSetToRemoveRule.add((int) uid.val);
- }
- });
-
- for (final int uid : uidSetToRemoveRule) {
- removeRule(uid, match, "replaceUidChain");
- }
- for (final int uid : uids) {
- addRule(uid, match, "replaceUidChain");
- }
+ if (sEnableJavaBpfMap) {
+ final long match;
+ try {
+ match = getMatchByFirewallChain(chain);
+ } catch (ServiceSpecificException e) {
+ // Throws IllegalArgumentException to keep the behavior of
+ // ConnectivityManager#replaceFirewallChain API
+ throw new IllegalArgumentException("Invalid firewall chain: " + chain);
}
- } catch (ErrnoException | ServiceSpecificException e) {
- Log.e(TAG, "replaceUidChain failed: " + e);
+ final Set<Integer> uidSet = Arrays.stream(uids).boxed().collect(Collectors.toSet());
+ final Set<Integer> uidSetToRemoveRule = new HashSet<>();
+ try {
+ synchronized (sUidOwnerMap) {
+ sUidOwnerMap.forEach((uid, config) -> {
+ // config could be null if there is a concurrent entry deletion.
+ // http://b/220084230.
+ if (config != null
+ && !uidSet.contains((int) uid.val) && (config.rule & match) != 0) {
+ uidSetToRemoveRule.add((int) uid.val);
+ }
+ });
+
+ for (final int uid : uidSetToRemoveRule) {
+ removeRule(uid, match, "replaceUidChain");
+ }
+ for (final int uid : uids) {
+ addRule(uid, match, "replaceUidChain");
+ }
+ }
+ } catch (ErrnoException | ServiceSpecificException e) {
+ Log.e(TAG, "replaceUidChain failed: " + e);
+ }
+ } else {
+ final int err;
+ switch (chain) {
+ case FIREWALL_CHAIN_DOZABLE:
+ err = native_replaceUidChain("fw_dozable", true /* isAllowList */, uids);
+ break;
+ case FIREWALL_CHAIN_STANDBY:
+ err = native_replaceUidChain("fw_standby", false /* isAllowList */, uids);
+ break;
+ case FIREWALL_CHAIN_POWERSAVE:
+ err = native_replaceUidChain("fw_powersave", true /* isAllowList */, uids);
+ break;
+ case FIREWALL_CHAIN_RESTRICTED:
+ err = native_replaceUidChain("fw_restricted", true /* isAllowList */, uids);
+ break;
+ case FIREWALL_CHAIN_LOW_POWER_STANDBY:
+ err = native_replaceUidChain(
+ "fw_low_power_standby", true /* isAllowList */, uids);
+ break;
+ case FIREWALL_CHAIN_OEM_DENY_1:
+ err = native_replaceUidChain("fw_oem_deny_1", false /* isAllowList */, uids);
+ break;
+ case FIREWALL_CHAIN_OEM_DENY_2:
+ err = native_replaceUidChain("fw_oem_deny_2", false /* isAllowList */, uids);
+ break;
+ case FIREWALL_CHAIN_OEM_DENY_3:
+ err = native_replaceUidChain("fw_oem_deny_3", false /* isAllowList */, uids);
+ break;
+ default:
+ throw new IllegalArgumentException("replaceFirewallChain with invalid chain: "
+ + chain);
+ }
+ if (err != 0) {
+ Log.e(TAG, "replaceUidChain failed: " + Os.strerror(-err));
+ }
}
}
@@ -513,15 +573,20 @@
public void setUidRule(final int childChain, final int uid, final int firewallRule) {
throwIfPreT("setUidRule is not available on pre-T devices");
- final long match = getMatchByFirewallChain(childChain);
- final boolean isAllowList = isFirewallAllowList(childChain);
- final boolean add = (firewallRule == FIREWALL_RULE_ALLOW && isAllowList)
- || (firewallRule == FIREWALL_RULE_DENY && !isAllowList);
+ if (sEnableJavaBpfMap) {
+ final long match = getMatchByFirewallChain(childChain);
+ final boolean isAllowList = isFirewallAllowList(childChain);
+ final boolean add = (firewallRule == FIREWALL_RULE_ALLOW && isAllowList)
+ || (firewallRule == FIREWALL_RULE_DENY && !isAllowList);
- if (add) {
- addRule(uid, match, "setUidRule");
+ if (add) {
+ addRule(uid, match, "setUidRule");
+ } else {
+ removeRule(uid, match, "setUidRule");
+ }
} else {
- removeRule(uid, match, "setUidRule");
+ final int err = native_setUidRule(childChain, uid, firewallRule);
+ maybeThrow(err, "Unable to set uid rule");
}
}
@@ -547,24 +612,30 @@
mNetd.firewallAddUidInterfaceRules(ifName, uids);
return;
}
- // Null ifName is a wildcard to allow apps to receive packets on all interfaces and ifIndex
- // is set to 0.
- final int ifIndex;
- if (ifName == null) {
- ifIndex = 0;
+
+ if (sEnableJavaBpfMap) {
+ // Null ifName is a wildcard to allow apps to receive packets on all interfaces and
+ // ifIndex is set to 0.
+ final int ifIndex;
+ if (ifName == null) {
+ ifIndex = 0;
+ } else {
+ ifIndex = mDeps.getIfIndex(ifName);
+ if (ifIndex == 0) {
+ throw new ServiceSpecificException(ENODEV,
+ "Failed to get index of interface " + ifName);
+ }
+ }
+ for (final int uid : uids) {
+ try {
+ addRule(uid, IIF_MATCH, ifIndex, "addUidInterfaceRules");
+ } catch (ServiceSpecificException e) {
+ Log.e(TAG, "addRule failed uid=" + uid + " ifName=" + ifName + ", " + e);
+ }
+ }
} else {
- ifIndex = mDeps.getIfIndex(ifName);
- if (ifIndex == 0) {
- throw new ServiceSpecificException(ENODEV,
- "Failed to get index of interface " + ifName);
- }
- }
- for (final int uid: uids) {
- try {
- addRule(uid, IIF_MATCH, ifIndex, "addUidInterfaceRules");
- } catch (ServiceSpecificException e) {
- Log.e(TAG, "addRule failed uid=" + uid + " ifName=" + ifName + ", " + e);
- }
+ final int err = native_addUidInterfaceRules(ifName, uids);
+ maybeThrow(err, "Unable to add uid interface rules");
}
}
@@ -584,12 +655,18 @@
mNetd.firewallRemoveUidInterfaceRules(uids);
return;
}
- for (final int uid: uids) {
- try {
- removeRule(uid, IIF_MATCH, "removeUidInterfaceRules");
- } catch (ServiceSpecificException e) {
- Log.e(TAG, "removeRule failed uid=" + uid + ", " + e);
+
+ if (sEnableJavaBpfMap) {
+ for (final int uid : uids) {
+ try {
+ removeRule(uid, IIF_MATCH, "removeUidInterfaceRules");
+ } catch (ServiceSpecificException e) {
+ Log.e(TAG, "removeRule failed uid=" + uid + ", " + e);
+ }
}
+ } else {
+ final int err = native_removeUidInterfaceRules(uids);
+ maybeThrow(err, "Unable to remove uid interface rules");
}
}
@@ -603,10 +680,16 @@
*/
public void updateUidLockdownRule(final int uid, final boolean add) {
throwIfPreT("updateUidLockdownRule is not available on pre-T devices");
- if (add) {
- addRule(uid, LOCKDOWN_VPN_MATCH, "updateUidLockdownRule");
+
+ if (sEnableJavaBpfMap) {
+ if (add) {
+ addRule(uid, LOCKDOWN_VPN_MATCH, "updateUidLockdownRule");
+ } else {
+ removeRule(uid, LOCKDOWN_VPN_MATCH, "updateUidLockdownRule");
+ }
} else {
- removeRule(uid, LOCKDOWN_VPN_MATCH, "updateUidLockdownRule");
+ final int err = native_updateUidLockdownRule(uid, add);
+ maybeThrow(err, "Unable to update lockdown rule");
}
}
@@ -657,24 +740,15 @@
}
private static native void native_init();
- @GuardedBy("sUidOwnerMap")
private native int native_addNaughtyApp(int uid);
- @GuardedBy("sUidOwnerMap")
private native int native_removeNaughtyApp(int uid);
- @GuardedBy("sUidOwnerMap")
private native int native_addNiceApp(int uid);
- @GuardedBy("sUidOwnerMap")
private native int native_removeNiceApp(int uid);
private native int native_setChildChain(int childChain, boolean enable);
- @GuardedBy("sUidOwnerMap")
private native int native_replaceUidChain(String name, boolean isAllowlist, int[] uids);
- @GuardedBy("sUidOwnerMap")
private native int native_setUidRule(int childChain, int uid, int firewallRule);
- @GuardedBy("sUidOwnerMap")
private native int native_addUidInterfaceRules(String ifName, int[] uids);
- @GuardedBy("sUidOwnerMap")
private native int native_removeUidInterfaceRules(int[] uids);
- @GuardedBy("sUidOwnerMap")
private native int native_updateUidLockdownRule(int uid, boolean add);
private native int native_swapActiveStatsMap();
private native void native_setPermissionForUids(int permissions, int[] uids);