Return ECONNREFUSED when socket creation blocked

Fail gracefully when restricted apps try to perform DNS lookups.

If an app cannot create an inet socket, this means network access is
blocked for the uid, so we must not allow it to resolve DNS. However,
when we do not return a socket/file descriptor to dnsproxyd in
dns_open_proxy, bionic attempts to resolve DNS directly rather than
through dnsproxyd, which requires creating an inet socket. This fails,
too, which leads to a SecurityException complaining about an app
lacking the INTERNET permission, unless we alter the errno from
EPERM to something else. We change it to ECONNREFUSED.

Requires: I912a4a2ee78a29ca8b7d8ff85e5ad7cf617c31a5
Co-authored-by: Oliver Scott <olivercscott@gmail.com>
Issue: calyxos#581
Change-Id: I7939ee036c9c25a3f7827742194f8469fb13ba49
Signed-off-by: Jis G Jacob <studiokeys@blissroms.org>

1 file changed