Set allowed UIDs for networks based on policies
Use both per-network allowlisting and all-network denylisting to ensure
consistent and expected firewall behavior for denied transport types.
* [Allowlist] Only allow UIDs to send traffic over a physical network
of a given transport type when their policy permits it.
This addresses previously-unhandled problems that allowed access to
physical network types that should be denied, e.g. when connected to
split-tunnel VPNs. Internally, this uses IP rules that only consult
the routing table for a network for UIDs that are allowed on that
network, using the same methods that are used to implement a VPN's
inclusion or exclusion of UIDs. (Also requires a netd change to
remove default rules; see the referenced change ID.)
* [Denylist] When UIDs' policies deny them access on their active
network's transport type, add them to an overall networking
denylist, providing similar functionality to the restricted mode
allowlist that was previously also involved in transport-based
restrictions. This accomplishes three things: it prevents incoming
traffic to such UIDs; it allows a UID's active network blocked state
to be tracked for firewall indicator purposes via a later change; and
it's needed for UIDs whose policy prevents them from accessing VPNs,
because the underlying allowlist approach is already in use for
another purpose for virtual networks, as described earlier.
Requires: Icd64aa530e8d202abb97d8325160a5d4c0b4c490
Change-Id: I79342edbec92090cca20853ba50ea7fd48ec81c2
Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
4 files changed