Automatically set IPsec tunnel interface as up
This change makes IPsec tunnel interfaces automatically get brought up
once they are created. Originally this was considered to be an
additional safety check, as they would not start routing traffic
until explicitly brought up. However, in the intervening time, the
NetworkManagementController now requires the NETWORK_STACK permission to
set an interface as up. Additionally, that call is a hidden API, and
thus not usable for use cases such as IWLAN.
Bug: 149348618
Test: FrameworksNetTests, CtsNetTestCases passing.
Change-Id: I55b63a748463a388e1e2991d2d5d6b3023545e60
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 15cbfb5..424407a 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -48,6 +48,7 @@
import android.net.util.NetdService;
import android.os.Binder;
import android.os.IBinder;
+import android.os.INetworkManagementService;
import android.os.ParcelFileDescriptor;
import android.os.RemoteException;
import android.os.ServiceSpecificException;
@@ -76,6 +77,7 @@
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
+import java.util.Objects;
/**
* A service to manage multiple clients that want to access the IpSec API. The service is
@@ -115,6 +117,9 @@
/* Binder context for this service */
private final Context mContext;
+ /* NetworkManager instance */
+ private final INetworkManagementService mNetworkManager;
+
/**
* The next non-repeating global ID for tracking resources between users, this service, and
* kernel data structures. Accessing this variable is not thread safe, so it is only read or
@@ -993,12 +998,13 @@
*
* @param context Binder context for this service
*/
- private IpSecService(Context context) {
- this(context, IpSecServiceConfiguration.GETSRVINSTANCE);
+ private IpSecService(Context context, INetworkManagementService networkManager) {
+ this(context, networkManager, IpSecServiceConfiguration.GETSRVINSTANCE);
}
- static IpSecService create(Context context) throws InterruptedException {
- final IpSecService service = new IpSecService(context);
+ static IpSecService create(Context context, INetworkManagementService networkManager)
+ throws InterruptedException {
+ final IpSecService service = new IpSecService(context, networkManager);
service.connectNativeNetdService();
return service;
}
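Review bot: The Javadoc tail visible just above the private constructor still documents only `context`; the new `networkManager` parameter has no entry, so add `@param networkManager the INetworkManagementService used to bring tunnel interfaces up` next to it (that comment begins outside this hunk). `create` gains the same parameter with no documentation either; a matching `@param` line, or a pointer to the constructor, would keep the two in step.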
@@ -1012,9 +1018,11 @@
/** @hide */
@VisibleForTesting
- public IpSecService(Context context, IpSecServiceConfiguration config) {
+ public IpSecService(Context context, INetworkManagementService networkManager,
+ IpSecServiceConfiguration config) {
this(
context,
+ networkManager,
config,
(fd, uid) -> {
try {
@@ -1028,9 +1036,10 @@
/** @hide */
@VisibleForTesting
- public IpSecService(
- Context context, IpSecServiceConfiguration config, UidFdTagger uidFdTagger) {
+ public IpSecService(Context context, INetworkManagementService networkManager,
+ IpSecServiceConfiguration config, UidFdTagger uidFdTagger) {
mContext = context;
+ mNetworkManager = Objects.requireNonNull(networkManager);
mSrvConfig = config;
mUidFdTagger = uidFdTagger;
}
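Review bot: `Objects.requireNonNull(networkManager)` raises a bare NullPointerException with no indication of which argument was null; `mNetworkManager = Objects.requireNonNull(networkManager, "networkManager");` makes the failure self-describing. The neighbouring `context`, `config` and `uidFdTagger` assignments are not checked at all, so either apply the same check to them or leave a short comment on why only this one is guarded.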
@@ -1309,6 +1318,10 @@
final INetd netd = mSrvConfig.getNetdInstance();
netd.ipSecAddTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey, resourceId);
+ Binder.withCleanCallingIdentity(() -> {
+ mNetworkManager.setInterfaceUp(intfName);
+ });
+
for (int selAddrFamily : ADDRESS_FAMILIES) {
// Always send down correct local/remote addresses for template.
netd.ipSecAddSecurityPolicy(
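Review bot: Clearing the calling identity around `setInterfaceUp` makes the NETWORK_STACK check a no-op for whoever reached this point, and nothing in the hunk records why that is acceptable; add above the `withCleanCallingIdentity` call a comment such as `// Run as system: setInterfaceUp requires NETWORK_STACK, which tunnel-API callers are not expected to hold; the caller's right to create tunnels must already be enforced before this point.` A failing `setInterfaceUp` also needs thought: `withCleanCallingIdentity` rethrows the lambda's checked exception wrapped as an unchecked one, so a `catch (RemoteException ...)` in the enclosing method (which starts and ends outside this hunk) would not see it, and the interface created by `ipSecAddTunnelInterface` on the preceding line is, as far as this hunk shows, not removed on that path — consider catching around the call and invoking `netd.ipSecRemoveTunnelInterface(intfName)` before rethrowing. Finally, the interface is now up before the `ipSecAddSecurityPolicy` loop below installs any policy; if that ordering is intentional a one-line comment saying so would help, otherwise moving the call after the loop keeps the interface down until its policies exist.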