system/netd: Add support for global cleartext penalties
Normally cleartext penalties have 2 states. ACCEPT and LOG/REJECT.
The former returns a UID to default behaviour by removing LOG/REJECT
rules and deleting the uid-specific chain.
The latter does the reverse.
A new state was required to handle allowlisting (applying ACCEPT).
To do so, the unused INVALID penalty has been modified to take over
current ACCEPT functionality and ACCEPT now applies itself.
Additionally, an unused uid (-1) is used to append a global cleartext
penalty (aka penalty without uid owner match) and penalties applied to
UID 0 are restricted to DNS only to allow private DNS to be set up.
Change-Id: I7a26fd0476488fc59e87330e06e3aeeed93da9de
(cherry picked from commit 1cd9332bf0685ee9aa95bf0ff008160281bd3e62)
Signed-off-by: Jis G Jacob <studiokeys@blissroms.org>
3 files changed