Fix policy leak by deleting forwarding security policies
Fix the policy leak by deleting forwarding policies when deleting
the IPsec tunnel interface.
Bug: 254566085
Test: atest IpSecServiceParameterizedTest (new tests added)
Change-Id: I29dd4810abb978fe886776b2fbacdfc74325436d
diff --git a/service-t/src/com/android/server/IpSecService.java b/service-t/src/com/android/server/IpSecService.java
index 16b9f1e..6cee08a 100644
--- a/service-t/src/com/android/server/IpSecService.java
+++ b/service-t/src/com/android/server/IpSecService.java
@@ -859,6 +859,13 @@
mIkey,
0xffffffff,
mIfId);
+ mNetd.ipSecDeleteSecurityPolicy(
+ mUid,
+ selAddrFamily,
+ IpSecManager.DIRECTION_FWD,
+ mIkey,
+ 0xffffffff,
+ mIfId);
}
} catch (ServiceSpecificException | RemoteException e) {
Log.e(
diff --git a/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
index 9401d47..624071a 100644
--- a/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
+++ b/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
@@ -748,6 +748,13 @@
// Verify quota and RefcountedResource objects cleaned up
assertEquals(0, userRecord.mTunnelQuotaTracker.mCurrent);
verify(mMockNetd).ipSecRemoveTunnelInterface(eq(createTunnelResp.interfaceName));
+
+ for (int direction : new int[] {DIRECTION_OUT, DIRECTION_IN, DIRECTION_FWD}) {
+ verify(mMockNetd, times(ADDRESS_FAMILIES.length))
+ .ipSecDeleteSecurityPolicy(
+ anyInt(), anyInt(), eq(direction), anyInt(), anyInt(), anyInt());
+ }
+
try {
userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow(
createTunnelResp.resourceId);