Always drop non-VPN ingress in lockdown mode
When "Block connections without VPN" is specified, incoming traffic
from non-VPN interfaces should be blocked regardless of the
determination made by ConnectivityService#getVpnIsolationInterface.
Outgoing traffic to non-VPN interfaces is already blocked in this case.
(Loopback is excluded as usual.)
Test: `adb shell dumpsys connectivity trafficcontroller` will now show
the tunnel interface for uids affected by lockdown when
getVpnIsolationInterface returns null (wildcard), to block non-VPN
ingress to such uids. This will return to 0 (wildcard) when lockdown
is toggled back off.
Also includes squashed change:
Author: Tommy Webb <tommy@calyxinstitute.org>
Date: Mon May 1 16:52:28 2023 -0400
fixup! Always drop non-VPN ingress in lockdown mode
For lockdown purposes, force an update of VPN filtering whenever the
interface names for a VPN have changed, to ensure that the BPF owner
map uses the most up-to-date interface for ingress filtering.
Issue: calyxos#1651
Change-Id: Ia0c75a723134023906134597b395653c7a570686
Co-authored-by: Tommy Webb <tommy@calyxinstitute.org>
Issue: calyxos#1255
Bug: 206482423
Change-Id: Id7954816566cb06bf2e9869ea98b20678835df9d
Signed-off-by: Dmitrii <bankersenator@gmail.com>
Signed-off-by: Jis G Jacob <studiokeys@blissroms.org>
2 files changed