FirewallController: discover max uid in the current user namespace
This patch gives the capability to FirewallController to discover the
maximum valid uid in the user namespace in which netd is currently
running, and uses that value in the whitelist uid rules.
This is done by parsing the content of /proc/self/uid_map as explained
in the man page of 'user_namespaces'.
On the default root namespace the maximum uid is expected to be
UINT32_MAX - 1, but this assumption is incorrect in other user
namespaces created for instance for container environments.
The uid mapping is de facto constant from within the user namespace and
cannot be modified from inside (more precisely uid_map and gid_map proc
files can only be written once each for a new user namespace).
netd makes the assumption that the uid mapping stays constant, meaning
it is a bug if the host namespace tries to remap uids after netd starts.
Bug: 110459356
Test: - built,
      - flashed and booted a marlin, 'fw_powersave' rule is as expected
      - flashed and booted ARC++ container, 'fw_powersave' rule is as expected
      - new unit tests pass
Change-Id: I44a885c34e174b0067848b860be8d7b8f3e83296
3 files changed
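
The uid_map parsing described in the commit message, as an added example that is not part of the commit or of netd's source. The helper name `maxUidFromUidMap` and the sample mapping are assumptions made for illustration; the line format (first uid inside the namespace, first uid outside, range length) is the one documented in the 'user_namespaces' man page.

```cpp
#include <cstdint>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical helper (not netd's code): returns the highest uid mapped
// inside the namespace, given the text of uid_map. Each line reads
// "<first-uid-inside> <first-uid-outside> <length>".
bool maxUidFromUidMap(const std::string& uidMap, uint32_t* maxUid) {
    std::istringstream lines(uidMap);
    std::string line;
    bool found = false;
    uint64_t best = 0;
    while (std::getline(lines, line)) {
        if (line.find_first_not_of(" \t\r") == std::string::npos) continue;
        std::istringstream fields(line);
        uint64_t inside = 0, outside = 0, length = 0;
        std::string extra;
        if (!(fields >> inside >> outside >> length) || (fields >> extra)) return false;
        if (length == 0 || inside > UINT32_MAX || length > UINT32_MAX) return false;
        uint64_t last = inside + length - 1;  // last uid covered by this range
        if (last > UINT32_MAX) return false;  // range runs past the 32-bit uid space
        if (!found || last > best) best = last;
        found = true;
    }
    if (!found) return false;  // an empty map means no uid is mapped yet
    *maxUid = static_cast<uint32_t>(best);
    return true;
}

// Constructed sample: a container-style mapping with two ranges.
const char kContainerMap[] =
    "         0     655360     655360\n"
    "   2000000       1000          1\n";

int main() {
    std::ifstream f("/proc/self/uid_map");
    std::stringstream buf;
    buf << f.rdbuf();
    uint32_t maxUid = 0;
    if (maxUidFromUidMap(buf.str(), &maxUid))
        std::cout << "max uid in this namespace: " << maxUid << "\n";
    else
        std::cout << "uid_map missing or malformed\n";
    return 0;
}
```

For the root namespace line `0 0 4294967295` the helper yields 4294967294, the UINT32_MAX - 1 value the commit message mentions; an empty or malformed map is reported as a failure instead of falling back to that default.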