Fix: Firewall: NMS inverts default rule behavior
When setting a chain's firewall rules in NetworkManagementService, do
not submit supplied UIDs to ConnectivityManager#replaceFirewallChain
directly, as this does not consider what the actual rules are for those
UIDs. Instead, supply the keys from the rules chain, which deletes
default rules when it is updated via updateFirewallUidRuleLocked.
For example, if a given UID's rule is the default rule, and it is part
of the restricted chain, then the UID should be blocked, because the
restricted chain is an allowlist. Prior to this change, the rules for
UIDs are ignored when calling replaceFirewallChain, so the UID's mere
presence among the supplied UIDs causes it to be unexpectedly added
to the restricted mode allowlist.
Test: CtsHostsideNetworkTests
Change-Id: I0a71ad376bcfda05cea151144dfab9bec8e8b749
1 file changed