Merge "Add updateFirewallRule API"
diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt
index ebc04d6..837b0b7 100644
--- a/framework/api/module-lib-current.txt
+++ b/framework/api/module-lib-current.txt
@@ -25,6 +25,7 @@
method @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_TEST_NETWORKS, android.Manifest.permission.NETWORK_STACK}) public void simulateDataStall(int, long, @NonNull android.net.Network, @NonNull android.os.PersistableBundle);
method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void startCaptivePortalApp(@NonNull android.net.Network);
method public void systemReady();
+ method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void updateFirewallRule(int, int, boolean);
method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void updateMeteredNetworkAllowList(int, boolean);
method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void updateMeteredNetworkDenyList(int, boolean);
field public static final String ACTION_CLEAR_DNS_CACHE = "android.net.action.CLEAR_DNS_CACHE";
@@ -41,6 +42,10 @@
field public static final int BLOCKED_REASON_LOCKDOWN_VPN = 16; // 0x10
field public static final int BLOCKED_REASON_NONE = 0; // 0x0
field public static final int BLOCKED_REASON_RESTRICTED_MODE = 8; // 0x8
+ field public static final int FIREWALL_CHAIN_DOZABLE = 1; // 0x1
+ field public static final int FIREWALL_CHAIN_POWERSAVE = 3; // 0x3
+ field public static final int FIREWALL_CHAIN_RESTRICTED = 4; // 0x4
+ field public static final int FIREWALL_CHAIN_STANDBY = 2; // 0x2
field public static final int PROFILE_NETWORK_PREFERENCE_DEFAULT = 0; // 0x0
field public static final int PROFILE_NETWORK_PREFERENCE_ENTERPRISE = 1; // 0x1
field public static final int PROFILE_NETWORK_PREFERENCE_ENTERPRISE_NO_FALLBACK = 2; // 0x2
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 38ceabb..a144dc1 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -931,6 +931,48 @@
private final IConnectivityManager mService;
/**
+ * Firewall chain for device idle (doze mode).
+ * Allowlist of apps that have network access in device idle.
+ * @hide
+ */
+ @SystemApi(client = MODULE_LIBRARIES)
+ public static final int FIREWALL_CHAIN_DOZABLE = 1;
+
+ /**
+ * Firewall chain used for app standby.
+ * Denylist of apps that do not have network access.
+ * @hide
+ */
+ @SystemApi(client = MODULE_LIBRARIES)
+ public static final int FIREWALL_CHAIN_STANDBY = 2;
+
+ /**
+ * Firewall chain used for battery saver.
+ * Allowlist of apps that have network access when battery saver is on.
+ * @hide
+ */
+ @SystemApi(client = MODULE_LIBRARIES)
+ public static final int FIREWALL_CHAIN_POWERSAVE = 3;
+
+ /**
+ * Firewall chain used for restricted networking mode.
+ * Allowlist of apps that have access in restricted networking mode.
+ * @hide
+ */
+ @SystemApi(client = MODULE_LIBRARIES)
+ public static final int FIREWALL_CHAIN_RESTRICTED = 4;
+
+ /** @hide */
+ @Retention(RetentionPolicy.SOURCE)
+ @IntDef(flag = false, prefix = "FIREWALL_CHAIN_", value = {
+ FIREWALL_CHAIN_DOZABLE,
+ FIREWALL_CHAIN_STANDBY,
+ FIREWALL_CHAIN_POWERSAVE,
+ FIREWALL_CHAIN_RESTRICTED
+ })
+ public @interface FirewallChain {}
+
+ /**
* A kludge to facilitate static access where a Context pointer isn't available, like in the
* case of the static set/getProcessDefaultNetwork methods and from the Network class.
* TODO: Remove this after deprecating the static methods in favor of non-static methods or
@@ -5566,9 +5608,11 @@
}
/**
- * Allow target application using metered network.
+ * Sets whether the specified UID is allowed to use data on metered networks even when
+ * background data is restricted.
*
* @param uid uid of target app
+ * @throws IllegalStateException if update allow list failed.
* @hide
*/
@SystemApi(client = MODULE_LIBRARIES)
@@ -5582,15 +5626,15 @@
mService.updateMeteredNetworkAllowList(uid, add);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
- } catch (IllegalStateException ie) {
- throw ie;
}
}
/**
- * Disallow target application using metered network.
+ * Sets whether the specified UID is prevented from using background data on metered networks.
+ * Takes precedence over {@link #updateMeteredNetworkAllowList}.
*
* @param uid uid of target app
+ * @throws IllegalStateException if update deny list failed.
* @hide
*/
@SystemApi(client = MODULE_LIBRARIES)
@@ -5604,8 +5648,30 @@
mService.updateMeteredNetworkDenyList(uid, add);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
- } catch (IllegalStateException ie) {
- throw ie;
+ }
+ }
+
+ /**
+ * Sets a firewall rule for the specified UID on the specified chain.
+ *
+ * @param chain target chain.
+ * @param uid uid to allow/deny.
+ * @param allow either add or remove rule.
+ * @throws IllegalStateException if update firewall rule failed.
+ * @hide
+ */
+ @SystemApi(client = MODULE_LIBRARIES)
+ @RequiresPermission(anyOf = {
+ android.Manifest.permission.NETWORK_SETTINGS,
+ android.Manifest.permission.NETWORK_STACK,
+ NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK
+ })
+ public void updateFirewallRule(@FirewallChain final int chain, final int uid,
+ final boolean allow) {
+ try {
+ mService.updateFirewallRule(chain, uid, allow);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
}
}
}
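Review bot: The `@param allow` text ("either add or remove rule") in the new `updateFirewallRule` Javadoc does not match what the service side of this commit does with the flag. `ConnectivityService.updateFirewallRule` maps `allow` to `INetd.FIREWALL_RULE_ALLOW` or `INetd.FIREWALL_RULE_DENY`, while the chain constants added earlier in this file are documented as a mix of allowlists (DOZABLE, POWERSAVE, RESTRICTED) and a denylist (STANDBY). A caller reading only this Javadoc cannot tell whether `allow=false` on an allowlist chain removes an entry or writes an explicit deny, which matters for an API that decides which UIDs get network access. I would reword it along the lines of `@param allow {@code true} to set an allow rule for the uid on this chain, {@code false} to set a deny rule; the effect depends on whether the chain is an allowlist or a denylist.` and state on `@param chain` that it must be one of the `FIREWALL_CHAIN_*` constants.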
diff --git a/framework/src/android/net/IConnectivityManager.aidl b/framework/src/android/net/IConnectivityManager.aidl
index 5740d85..6f60a68 100644
--- a/framework/src/android/net/IConnectivityManager.aidl
+++ b/framework/src/android/net/IConnectivityManager.aidl
@@ -234,4 +234,6 @@
void updateMeteredNetworkAllowList(int uid, boolean add);
void updateMeteredNetworkDenyList(int uid, boolean add);
+
+ void updateFirewallRule(int chain, int uid, boolean allow);
}
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 3280f18..c488832 100644
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -10614,4 +10614,16 @@
throw new IllegalStateException(e);
}
}
+
+ @Override
+ public void updateFirewallRule(final int chain, final int uid, final boolean allow) {
+ enforceNetworkStackOrSettingsPermission();
+
+ try {
+ mNetd.firewallSetUidRule(chain, uid,
+ allow ? INetd.FIREWALL_RULE_ALLOW : INetd.FIREWALL_RULE_DENY);
+ } catch (RemoteException | ServiceSpecificException e) {
+ throw new IllegalStateException(e);
+ }
+ }
}
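Review bot: After the permission check in `updateFirewallRule`, `chain` and `uid` are passed to `mNetd.firewallSetUidRule` without validation. `@FirewallChain` on the client method is `RetentionPolicy.SOURCE` lint metadata, so it does not constrain the int that arrives over binder. Rejecting an unknown chain is left to netd, whose behaviour is not visible in this diff, and any such rejection would presumably surface as `IllegalStateException`, indistinguishable from a real netd failure. I would validate up front, e.g. `if (chain < ConnectivityManager.FIREWALL_CHAIN_DOZABLE || chain > ConnectivityManager.FIREWALL_CHAIN_RESTRICTED) throw new IllegalArgumentException("Invalid firewall chain: " + chain);`. The pass-through also assumes the `FIREWALL_CHAIN_*` values match netd's chain numbering, which deserves a comment or a test.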