Always drop non-VPN ingress in lockdown mode
When "Block connections without VPN" is specified, incoming traffic
from non-VPN interfaces should be blocked regardless of the
determination made by ConnectivityService#getVpnIsolationInterface.
Outgoing traffic to non-VPN interfaces is already blocked in this case.
(Loopback is excluded as usual.)
Test: `adb shell dumpsys connectivity trafficcontroller` will now show
the tunnel interface for uids affected by lockdown when
getVpnIsolationInterface returns null (wildcard), to block non-VPN
ingress to such uids. This will return to 0 (wildcard) when lockdown
is toggled back off.
Co-authored-by: t-m-w <tmwcommits@gmail.com>
Issue: calyxos#1255
Bug: 206482423
Change-Id: Id7954816566cb06bf2e9869ea98b20678835df9d
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index d0cb294..51a5762 100644
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -5983,6 +5983,10 @@
final boolean curMetered = nai.networkCapabilities.isMetered();
maybeNotifyNetworkBlocked(nai, curMetered, curMetered,
mVpnBlockedUidRanges, newVpnBlockedUidRanges);
+
+ if (nai.isVPN()) {
+ updateVpnFiltering(nai.linkProperties, nai.linkProperties, nai, true /* force */);
+ }
}
mVpnBlockedUidRanges = newVpnBlockedUidRanges;
@@ -7473,7 +7477,7 @@
// update filtering rules, need to happen after the interface update so netd knows about the
// new interface (the interface name -> index map becomes initialized)
- updateVpnFiltering(newLp, oldLp, networkAgent);
+ updateVpnFiltering(newLp, oldLp, networkAgent, false /* force */);
updateMtu(newLp, oldLp);
// TODO - figure out what to do for clat
@@ -7741,7 +7745,7 @@
}
private void updateVpnFiltering(LinkProperties newLp, LinkProperties oldLp,
- NetworkAgentInfo nai) {
+ NetworkAgentInfo nai, boolean force) {
final String oldIface = getVpnIsolationInterface(nai, nai.networkCapabilities, oldLp);
final String newIface = getVpnIsolationInterface(nai, nai.networkCapabilities, newLp);
final boolean wasFiltering = requiresVpnAllowRule(nai, oldLp, oldIface);
@@ -7752,7 +7756,7 @@
return;
}
- if (Objects.equals(oldIface, newIface) && (wasFiltering == needsFiltering)) {
+ if (!force && Objects.equals(oldIface, newIface) && (wasFiltering == needsFiltering)) {
// Nothing changed.
return;
}
@@ -7773,9 +7777,13 @@
// by overriding the Lockdown blocking rule.
if (wasFiltering) {
mPermissionMonitor.onVpnUidRangesRemoved(oldIface, ranges, vpnAppUid);
+ mPermissionMonitor.updateVpnLockdownUidInterfaceRules(oldLp.getInterfaceName(), ranges,
+ vpnAppUid, false /* add */);
}
if (needsFiltering) {
mPermissionMonitor.onVpnUidRangesAdded(newIface, ranges, vpnAppUid);
+ mPermissionMonitor.updateVpnLockdownUidInterfaceRules(newLp.getInterfaceName(), ranges,
+ vpnAppUid, true /* add */);
}
}
@@ -8251,9 +8259,15 @@
if (wasFiltering && !prevRanges.isEmpty()) {
mPermissionMonitor.onVpnUidRangesRemoved(oldIface, prevRanges,
prevNc.getOwnerUid());
+ mPermissionMonitor.updateVpnLockdownUidInterfaceRules(
+ nai.linkProperties.getInterfaceName(), prevRanges, prevNc.getOwnerUid(),
+ false /* add */);
}
if (shouldFilter && !newRanges.isEmpty()) {
mPermissionMonitor.onVpnUidRangesAdded(newIface, newRanges, newNc.getOwnerUid());
+ mPermissionMonitor.updateVpnLockdownUidInterfaceRules(
+ nai.linkProperties.getInterfaceName(), newRanges, newNc.getOwnerUid(),
+ true /* add */);
}
} catch (Exception e) {
// Never crash!