Add 3rd deny firewall chain for OEM
Bug: 208371987
Test: atest
CtsNetTestCases:android.net.cts.ConnectivityManagerTest#testFirewallBlocking
ConnectivityServiceTest
Change-Id: Ib521fa02f6a19270cb88a3d85321bda822516c78
(cherry picked from commit 1d9054ba5fbbf86c821e0a74a5a2f9d3c9865e67)
Merged-In: Ib521fa02f6a19270cb88a3d85321bda822516c78
diff --git a/service/native/TrafficController.cpp b/service/native/TrafficController.cpp
index 548ecbe..4923b00 100644
--- a/service/native/TrafficController.cpp
+++ b/service/native/TrafficController.cpp
@@ -76,6 +76,7 @@
const char* TrafficController::LOCAL_LOW_POWER_STANDBY = "fw_low_power_standby";
const char* TrafficController::LOCAL_OEM_DENY_1 = "fw_oem_deny_1";
const char* TrafficController::LOCAL_OEM_DENY_2 = "fw_oem_deny_2";
+const char* TrafficController::LOCAL_OEM_DENY_3 = "fw_oem_deny_3";
static_assert(BPF_PERMISSION_INTERNET == INetd::PERMISSION_INTERNET,
"Mismatch between BPF and AIDL permissions: PERMISSION_INTERNET");
@@ -103,6 +104,7 @@
FLAG_MSG_TRANS(matchType, LOCKDOWN_VPN_MATCH, match);
FLAG_MSG_TRANS(matchType, OEM_DENY_1_MATCH, match);
FLAG_MSG_TRANS(matchType, OEM_DENY_2_MATCH, match);
+ FLAG_MSG_TRANS(matchType, OEM_DENY_3_MATCH, match);
if (match) {
return StringPrintf("Unknown match: %u", match);
}
@@ -343,6 +345,8 @@
return DENYLIST;
case OEM_DENY_2:
return DENYLIST;
+ case OEM_DENY_3:
+ return DENYLIST;
case NONE:
default:
return DENYLIST;
@@ -377,6 +381,9 @@
case OEM_DENY_2:
res = updateOwnerMapEntry(OEM_DENY_2_MATCH, uid, rule, type);
break;
+ case OEM_DENY_3:
+ res = updateOwnerMapEntry(OEM_DENY_3_MATCH, uid, rule, type);
+ break;
case NONE:
default:
ALOGW("Unknown child chain: %d", chain);
@@ -458,6 +465,8 @@
res = replaceRulesInMap(OEM_DENY_1_MATCH, uids);
} else if (!name.compare(LOCAL_OEM_DENY_2)) {
res = replaceRulesInMap(OEM_DENY_2_MATCH, uids);
+ } else if (!name.compare(LOCAL_OEM_DENY_3)) {
+ res = replaceRulesInMap(OEM_DENY_3_MATCH, uids);
} else {
ALOGE("unknown chain name: %s", name.c_str());
return -EINVAL;
@@ -503,6 +512,9 @@
case OEM_DENY_2:
match = OEM_DENY_2_MATCH;
break;
+ case OEM_DENY_3:
+ match = OEM_DENY_3_MATCH;
+ break;
default:
return -EINVAL;
}
diff --git a/service/native/TrafficControllerTest.cpp b/service/native/TrafficControllerTest.cpp
index 9ec50af..df5955f 100644
--- a/service/native/TrafficControllerTest.cpp
+++ b/service/native/TrafficControllerTest.cpp
@@ -310,6 +310,7 @@
checkUidOwnerRuleForChain(LOCKDOWN, LOCKDOWN_VPN_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_1, OEM_DENY_1_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_2, OEM_DENY_2_MATCH);
+ checkUidOwnerRuleForChain(OEM_DENY_3, OEM_DENY_3_MATCH);
ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(NONE, TEST_UID, ALLOW, ALLOWLIST));
ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(INVALID_CHAIN, TEST_UID, ALLOW, ALLOWLIST));
}
@@ -323,6 +324,7 @@
checkUidMapReplace("fw_low_power_standby", uids, LOW_POWER_STANDBY_MATCH);
checkUidMapReplace("fw_oem_deny_1", uids, OEM_DENY_1_MATCH);
checkUidMapReplace("fw_oem_deny_2", uids, OEM_DENY_2_MATCH);
+ checkUidMapReplace("fw_oem_deny_3", uids, OEM_DENY_3_MATCH);
ASSERT_EQ(-EINVAL, mTc.replaceUidOwnerMap("unknow", true, uids));
}
diff --git a/service/native/include/Common.h b/service/native/include/Common.h
index 48f68ea..2427aa9 100644
--- a/service/native/include/Common.h
+++ b/service/native/include/Common.h
@@ -38,6 +38,7 @@
LOCKDOWN = 6,
OEM_DENY_1 = 7,
OEM_DENY_2 = 8,
+ OEM_DENY_3 = 9,
INVALID_CHAIN
};
// LINT.ThenChange(packages/modules/Connectivity/framework/src/android/net/ConnectivityManager.java)
diff --git a/service/native/include/TrafficController.h b/service/native/include/TrafficController.h
index 7a36e1e..c019ce7 100644
--- a/service/native/include/TrafficController.h
+++ b/service/native/include/TrafficController.h
@@ -90,6 +90,7 @@
static const char* LOCAL_LOW_POWER_STANDBY;
static const char* LOCAL_OEM_DENY_1;
static const char* LOCAL_OEM_DENY_2;
+ static const char* LOCAL_OEM_DENY_3;
private:
/*