commit d980149817948d11de0631caee8aee3172e4e159
author Motomu Utsumi <motomuman@google.com> Wed Jun 01 13:57:27 2022 +0000
committer Motomu Utsumi <motomuman@google.com> Fri Jun 03 09:10:57 2022 +0000
tree 955766665419685e6608c89865348abdbbe02223
parent 89687392859deadc1c272c739846564fa9506c6e

Add deny firewall chain for OEM

Bug: 207773349
Bug: 208371987
Test: atest
CtsNetTestCases:android.net.cts.ConnectivityManagerTest#testFirewallBlocking
--iterations 50 && atest ConnectivityServiceTest --iterations 10

Change-Id: I60d5540821abcced03356f366775f16ee369d7f9

bpf_progs/netd.c

diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 2a63e81..9ae8ab2 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -216,6 +216,12 @@
         if ((enabledRules & LOW_POWER_STANDBY_MATCH) && !(uidRules & LOW_POWER_STANDBY_MATCH)) {
             return BPF_DROP;
         }
+        if ((enabledRules & OEM_DENY_1_MATCH) && (uidRules & OEM_DENY_1_MATCH)) {
+            return BPF_DROP;
+        }
+        if ((enabledRules & OEM_DENY_2_MATCH) && (uidRules & OEM_DENY_2_MATCH)) {
+            return BPF_DROP;
+        }
     }
     if (direction == BPF_INGRESS && skb->ifindex != 1) {
         if (uidRules & IIF_MATCH) {