[BR02] Implement isUidNetworkingBlocked
This is needed for data stall detection mechanism in NetworkStack
to get the information about whether the network is blocked for
a given uid and conditions. Because the API will be called
frequently from NetworkStack to resolve all status for all uids
on the device, the API cannot call into the service which
creates IPC. Instead, the API need to directly access bpf maps
in the user process to retrieve the status. In this case the
user process is the network stack, the access control is provided
by linux file permission and selinux.
Test: atest FrameworksNetTests:android.net.connectivity.android.net.BpfNetMapsReaderTest
Test: atest FrameworksNetTests:android.net.connectivity.android.net.ConnectivityManagerTest
NO_IFTTT=Refactor only change for firewall chains definitions
Bug: 297836825
Change-Id: Iaf983b71ec98cbfe5152dcfade8a3120f938f135
diff --git a/framework/src/android/net/BpfNetMapsConstants.java b/framework/src/android/net/BpfNetMapsConstants.java
index 36848e7..8086809 100644
--- a/framework/src/android/net/BpfNetMapsConstants.java
+++ b/framework/src/android/net/BpfNetMapsConstants.java
@@ -16,6 +16,15 @@
package android.net;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_DOZABLE;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_POWERSAVE;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_RESTRICTED;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_STANDBY;
+
import android.util.Pair;
import com.android.net.module.util.Struct;
@@ -66,7 +75,6 @@
public static final long OEM_DENY_1_MATCH = (1 << 9);
public static final long OEM_DENY_2_MATCH = (1 << 10);
public static final long OEM_DENY_3_MATCH = (1 << 11);
- // LINT.ThenChange(../../../../bpf_progs/netd.h)
public static final List<Pair<Long, String>> MATCH_LIST = Arrays.asList(
Pair.create(HAPPY_BOX_MATCH, "HAPPY_BOX_MATCH"),
@@ -82,4 +90,29 @@
Pair.create(OEM_DENY_2_MATCH, "OEM_DENY_2_MATCH"),
Pair.create(OEM_DENY_3_MATCH, "OEM_DENY_3_MATCH")
);
+
+ /**
+ * List of all firewall allow chains.
+ *
+ * Allow chains mean the firewall denies all uids by default, uids must be explicitly allowed.
+ */
+ public static final List<Integer> ALLOW_CHAINS = List.of(
+ FIREWALL_CHAIN_DOZABLE,
+ FIREWALL_CHAIN_POWERSAVE,
+ FIREWALL_CHAIN_RESTRICTED,
+ FIREWALL_CHAIN_LOW_POWER_STANDBY
+ );
+
+ /**
+ * List of all firewall deny chains.
+ *
+ * Deny chains mean the firewall allows all uids by default, uids must be explicitly denied.
+ */
+ public static final List<Integer> DENY_CHAINS = List.of(
+ FIREWALL_CHAIN_STANDBY,
+ FIREWALL_CHAIN_OEM_DENY_1,
+ FIREWALL_CHAIN_OEM_DENY_2,
+ FIREWALL_CHAIN_OEM_DENY_3
+ );
+ // LINT.ThenChange(../../../../bpf_progs/netd.h)
}
diff --git a/framework/src/android/net/BpfNetMapsReader.java b/framework/src/android/net/BpfNetMapsReader.java
index 49e874a..9bce9cd 100644
--- a/framework/src/android/net/BpfNetMapsReader.java
+++ b/framework/src/android/net/BpfNetMapsReader.java
@@ -57,10 +57,42 @@
private final IBpfMap<S32, UidOwnerValue> mUidOwnerMap;
private final Dependencies mDeps;
- public BpfNetMapsReader() {
+ // Bitmaps for calculating whether a given uid is blocked by firewall chains.
+ private static final long sMaskDropIfSet;
+ private static final long sMaskDropIfUnset;
+
+ static {
+ long maskDropIfSet = 0L;
+ long maskDropIfUnset = 0L;
+
+ for (int chain : BpfNetMapsConstants.ALLOW_CHAINS) {
+ final long match = getMatchByFirewallChain(chain);
+ maskDropIfUnset |= match;
+ }
+ for (int chain : BpfNetMapsConstants.DENY_CHAINS) {
+ final long match = getMatchByFirewallChain(chain);
+ maskDropIfSet |= match;
+ }
+ sMaskDropIfSet = maskDropIfSet;
+ sMaskDropIfUnset = maskDropIfUnset;
+ }
+
+ private static class SingletonHolder {
+ static final BpfNetMapsReader sInstance = new BpfNetMapsReader();
+ }
+
+ @NonNull
+ public static BpfNetMapsReader getInstance() {
+ return SingletonHolder.sInstance;
+ }
+
+ private BpfNetMapsReader() {
this(new Dependencies());
}
+ // While the production code uses the singleton to optimize for performance and deal with
+ // concurrent access, the test needs to use a non-static approach for dependency injection and
+ // mocking virtual bpf maps.
@VisibleForTesting
public BpfNetMapsReader(@NonNull Dependencies deps) {
if (!SdkLevel.isAtLeastT()) {
@@ -176,4 +208,33 @@
"Unable to get uid rule status: " + Os.strerror(e.errno));
}
}
+
+ /**
+ * Return whether the network is blocked by firewall chains for the given uid.
+ *
+ * @param uid The target uid.
+ *
+ * @return True if the network is blocked. Otherwise, false.
+ * @throws ServiceSpecificException if the read fails.
+ *
+ * @hide
+ */
+ public boolean isUidBlockedByFirewallChains(final int uid) {
+ throwIfPreT("isUidBlockedByFirewallChains is not available on pre-T devices");
+
+ final long uidRuleConfig;
+ final long uidMatch;
+ try {
+ uidRuleConfig = mConfigurationMap.getValue(UID_RULES_CONFIGURATION_KEY).val;
+ final UidOwnerValue value = mUidOwnerMap.getValue(new S32(uid));
+ uidMatch = (value != null) ? value.rule : 0L;
+ } catch (ErrnoException e) {
+ throw new ServiceSpecificException(e.errno,
+ "Unable to get firewall chain status: " + Os.strerror(e.errno));
+ }
+
+ final boolean blockedByAllowChains = 0 != (uidRuleConfig & ~uidMatch & sMaskDropIfUnset);
+ final boolean blockedByDenyChains = 0 != (uidRuleConfig & uidMatch & sMaskDropIfSet);
+ return blockedByAllowChains || blockedByDenyChains;
+ }
}
diff --git a/framework/src/android/net/BpfNetMapsUtils.java b/framework/src/android/net/BpfNetMapsUtils.java
index 28d5891..e9c9137 100644
--- a/framework/src/android/net/BpfNetMapsUtils.java
+++ b/framework/src/android/net/BpfNetMapsUtils.java
@@ -16,6 +16,8 @@
package android.net;
+import static android.net.BpfNetMapsConstants.ALLOW_CHAINS;
+import static android.net.BpfNetMapsConstants.DENY_CHAINS;
import static android.net.BpfNetMapsConstants.DOZABLE_MATCH;
import static android.net.BpfNetMapsConstants.LOW_POWER_STANDBY_MATCH;
import static android.net.BpfNetMapsConstants.MATCH_LIST;
@@ -82,26 +84,18 @@
}
/**
- * Get if the chain is allow list or not.
+ * Get whether the chain is an allow-list or a deny-list.
*
* ALLOWLIST means the firewall denies all by default, uids must be explicitly allowed
- * DENYLIST means the firewall allows all by default, uids must be explicitly denyed
+ * DENYLIST means the firewall allows all by default, uids must be explicitly denied
*/
public static boolean isFirewallAllowList(final int chain) {
- switch (chain) {
- case FIREWALL_CHAIN_DOZABLE:
- case FIREWALL_CHAIN_POWERSAVE:
- case FIREWALL_CHAIN_RESTRICTED:
- case FIREWALL_CHAIN_LOW_POWER_STANDBY:
- return true;
- case FIREWALL_CHAIN_STANDBY:
- case FIREWALL_CHAIN_OEM_DENY_1:
- case FIREWALL_CHAIN_OEM_DENY_2:
- case FIREWALL_CHAIN_OEM_DENY_3:
- return false;
- default:
- throw new ServiceSpecificException(EINVAL, "Invalid firewall chain: " + chain);
+ if (ALLOW_CHAINS.contains(chain)) {
+ return true;
+ } else if (DENY_CHAINS.contains(chain)) {
+ return false;
}
+ throw new ServiceSpecificException(EINVAL, "Invalid firewall chain: " + chain);
}
/**
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 32058a4..ad76012 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -6198,6 +6198,36 @@
}
}
+ /**
+ * Return whether the network is blocked for the given uid.
+ *
+ * Similar to {@link NetworkPolicyManager#isUidNetworkingBlocked}, but directly reads the BPF
+ * maps and therefore considerably faster. For use by the NetworkStack process only.
+ *
+ * @param uid The target uid.
+ * @return True if all networking is blocked. Otherwise, false.
+ * @throws IllegalStateException if the map cannot be opened.
+ * @throws ServiceSpecificException if the read fails.
+ * @hide
+ */
+ // This isn't protected by a standard Android permission since it can't
+ // afford to do IPC for performance reasons. Instead, the access control
+ // is provided by linux file group permission AID_NET_BW_ACCT and the
+ // selinux context fs_bpf_net*.
+ // Only the system server process and the network stack have access.
+ // TODO: Expose api when ready.
+ // @SystemApi(client = MODULE_LIBRARIES)
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU) // BPF maps were only mainlined in T
+ @RequiresPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK)
+ public boolean isUidNetworkingBlocked(int uid) {
+ final BpfNetMapsReader reader = BpfNetMapsReader.getInstance();
+
+ return reader.isUidBlockedByFirewallChains(uid);
+
+ // TODO: If isNetworkMetered is true, check the data saver switch, penalty box
+ // and happy box rules.
+ }
+
/** @hide */
public IBinder getCompanionDeviceManagerProxyService() {
try {