From e5d6f0fa6c3fd77572f5b29f416acbf304abf9da Mon Sep 17 00:00:00 2001
From: Chenbo Feng
Date: Wed, 22 May 2019 15:28:49 -0700
Subject: [PATCH] Fix the internet permission for native services

The native services should specify their permissions in platform.xml if they need internet permission, otherwise the eBPF program will block the socket creation request. Fixing the known services that are in group AID_INET but didn't specify their permission in the xml file.

Bug: 132217906
Test: CtsJdwpTestCases dumpsys netd trafficcontroller
Change-Id: I84cde7d3757953bc0bf761727d64a715bcdd68bb
---
 data/etc/platform.xml | 3 +++
 .../android/server/connectivity/PermissionMonitor.java | 8 +++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/data/etc/platform.xml b/data/etc/platform.xml
index afe791344f7b1..d6ffa8a4de68e 100644
--- a/data/etc/platform.xml
+++ b/data/etc/platform.xml
@@ -147,6 +147,9 @@ + + +
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index d05369e9cfa14..fbe2589bea2a6 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -199,15 +199,13 @@ public class PermissionMonitor {
 ArraySet perms = systemPermission.valueAt(i);
 int uid = systemPermission.keyAt(i);
 int netdPermission = 0;
- // Get the uids of native services that have UPDATE_DEVICE_STATS permission.
+ // Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.
 if (perms != null) {
 netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
 ? INetd.PERMISSION_UPDATE_DEVICE_STATS : 0;
+ netdPermission |= perms.contains(INTERNET)
+ ? INetd.PERMISSION_INTERNET : 0;
 }
- // For internet permission, the native services have their own selinux domains and
- // sepolicy will control the socket creation during run time. netd cannot block the
- // socket creation based on the permission information here.
- netdPermission |= INetd.PERMISSION_INTERNET;
 netdPermsUids.put(uid, netdPermsUids.get(uid) | netdPermission);
 }
 log("Users: " + mUsers.size() + ", Apps: " + mApps.size());
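Review bot: A native-service uid whose platform.xml entry lacks INTERNET, or whose `perms` is null, is still written by `netdPermsUids.put(...)` but no longer gains `INetd.PERMISSION_INTERNET` from this loop, and nothing in the new code records that. Per the commit message the eBPF program then blocks socket creation for that uid, so a daemon in AID_INET that was missed in platform.xml fails only at run time with no pointer back to this loop. The replacement comment should state the new contract, for example `// INTERNET is opt-in here: a uid without it in platform.xml gets no PERMISSION_INTERNET and its socket creation is denied by eBPF.` A `log(...)` of the uids that leave the loop body with `netdPermission == 0` would also make such omissions visible in the log. The enclosing loop and method start and end outside the hunk, so how an entry without the INTERNET bit is forwarded to netd should be confirmed there.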