Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

am 75051c3a: am 7f6d8754: am a03ecf7d: Merge "Push firewall rules up to ConnectivityService." into mnc-dr-dev

Browse Source 
* commit '75051c3a62123b4668231d0243ba11462e02ac5a':
  Push firewall rules up to ConnectivityService.
This commit is contained in:
Jeff Sharkey
2015-10-12 16:55:58 +00:00
committed by Android Git Automerger
parent 8cbd7c8a8a 75051c3a62
commit f20a5700a4
3 changed files with 71 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
core/java/android/net/NetworkPolicyManager.java
View File

@@ -51,12 +51,13 @@ public class NetworkPolicyManager {
public static final int POLICY_ALLOW_BACKGROUND_BATTERY_SAVE = 0x2;
/* RULE_* are not masks and they must be exclusive */
public static final int RULE_UNKNOWN = -1;
/** All network traffic should be allowed. */
public static final int RULE_ALLOW_ALL = 0x0;
public static final int RULE_ALLOW_ALL = 0;
/** Reject traffic on metered networks. */
public static final int RULE_REJECT_METERED = 0x1;
public static final int RULE_REJECT_METERED = 1;
/** Reject traffic on all networks. */
public static final int RULE_REJECT_ALL = 0x2;
public static final int RULE_REJECT_ALL = 2;
public static final int FIREWALL_RULE_DEFAULT = 0;
public static final int FIREWALL_RULE_ALLOW = 1;
@@ -375,25 +376,4 @@ public class NetworkPolicyManager {
// nothing found above; we can apply policy to UID
return true;
}
/** {@hide} */
public static void dumpPolicy(PrintWriter fout, int policy) {
fout.write("[");
if ((policy & POLICY_REJECT_METERED_BACKGROUND) != 0) {
fout.write("REJECT_METERED_BACKGROUND");
}
fout.write("]");
}
/** {@hide} */
public static void dumpRules(PrintWriter fout, int rules) {
fout.write("[");
if ((rules & RULE_REJECT_METERED) != 0) {
fout.write("REJECT_METERED");
} else if ((rules & RULE_REJECT_ALL) != 0) {
fout.write("REJECT_ALL");
}
fout.write("]");
}
}

12
services/core/java/com/android/server/ConnectivityService.java
View File

@@ -946,13 +946,13 @@ public class ConnectivityService extends IConnectivityManager.Stub
uidRules = mUidRules.get(uid, RULE_ALLOW_ALL);
}
if ((uidRules & RULE_REJECT_ALL) != 0
|| (networkCostly && (uidRules & RULE_REJECT_METERED) != 0)) {
if (uidRules == RULE_REJECT_ALL) {
return true;
} else if ((uidRules == RULE_REJECT_METERED) && networkCostly) {
return true;
} else {
return false;
}
// no restrictive rules; network is visible
return false;
}
/**
@@ -3724,7 +3724,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
synchronized(mRulesLock) {
uidRules = mUidRules.get(uid, RULE_ALLOW_ALL);
}
if ((uidRules & (RULE_REJECT_METERED | RULE_REJECT_ALL)) != 0) {
if (uidRules != RULE_ALLOW_ALL) {
// we could silently fail or we can filter the available nets to only give
// them those they have access to. Chose the more useful
networkCapabilities.addCapability(NET_CAPABILITY_NOT_METERED);

97
services/core/java/com/android/server/net/NetworkPolicyManagerService.java
View File

@@ -39,17 +39,17 @@ import static android.net.NetworkPolicy.WARNING_DISABLED;
import static android.net.NetworkPolicyManager.EXTRA_NETWORK_TEMPLATE;
import static android.net.NetworkPolicyManager.FIREWALL_CHAIN_DOZABLE;
import static android.net.NetworkPolicyManager.FIREWALL_CHAIN_STANDBY;
import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT;
import static android.net.NetworkPolicyManager.FIREWALL_RULE_ALLOW;
import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT;
import static android.net.NetworkPolicyManager.FIREWALL_RULE_DENY;
import static android.net.NetworkPolicyManager.POLICY_ALLOW_BACKGROUND_BATTERY_SAVE;
import static android.net.NetworkPolicyManager.POLICY_NONE;
import static android.net.NetworkPolicyManager.POLICY_REJECT_METERED_BACKGROUND;
import static android.net.NetworkPolicyManager.RULE_ALLOW_ALL;
import static android.net.NetworkPolicyManager.RULE_REJECT_ALL;
import static android.net.NetworkPolicyManager.RULE_REJECT_METERED;
import static android.net.NetworkPolicyManager.RULE_UNKNOWN;
import static android.net.NetworkPolicyManager.computeLastCycleBoundary;
import static android.net.NetworkPolicyManager.dumpPolicy;
import static android.net.NetworkPolicyManager.dumpRules;
import static android.net.NetworkTemplate.MATCH_MOBILE_3G_LOWER;
import static android.net.NetworkTemplate.MATCH_MOBILE_4G;
import static android.net.NetworkTemplate.MATCH_MOBILE_ALL;
@@ -139,6 +139,7 @@ import android.text.format.Time;
import android.util.ArrayMap;
import android.util.ArraySet;
import android.util.AtomicFile;
import android.util.DebugUtils;
import android.util.Log;
import android.util.NtpTrustedTime;
import android.util.Pair;
@@ -148,8 +149,6 @@ import android.util.SparseIntArray;
import android.util.TrustedTime;
import android.util.Xml;
import com.android.server.DeviceIdleController;
import com.android.server.EventLogTags;
import libcore.io.IoUtils;
import com.android.internal.R;
@@ -157,6 +156,8 @@ import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.ArrayUtils;
import com.android.internal.util.FastXmlSerializer;
import com.android.internal.util.IndentingPrintWriter;
import com.android.server.DeviceIdleController;
import com.android.server.EventLogTags;
import com.android.server.LocalServices;
import com.google.android.collect.Lists;
@@ -285,6 +286,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
final SparseIntArray mUidPolicy = new SparseIntArray();
/** Currently derived rules for each UID. */
final SparseIntArray mUidRules = new SparseIntArray();
final SparseIntArray mUidFirewallStandbyRules = new SparseIntArray();
final SparseIntArray mUidFirewallDozableRules = new SparseIntArray();
/** Set of states for the child firewall chains. True if the chain is active. */
final SparseBooleanArray mFirewallChainStates = new SparseBooleanArray();
@@ -457,14 +462,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
// read policy from disk
readPolicyLocked();
if (mRestrictBackground || mRestrictPower || mDeviceIdleMode) {
updateRulesForGlobalChangeLocked(false);
updateNotificationsLocked();
} else {
// If we are not in any special mode, we just need to make sure the current
// app idle state is updated.
updateRulesForAppIdleLocked();
}
updateRulesForGlobalChangeLocked(false);
updateNotificationsLocked();
}
updateScreenOn();
@@ -1888,7 +1887,9 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
if (mDeviceIdleMode != enabled) {
mDeviceIdleMode = enabled;
if (mSystemReady) {
updateRulesForDeviceIdleLocked();
// Device idle change means we need to rebuild rules for all
// known apps, so do a global refresh.
updateRulesForGlobalChangeLocked(false);
}
if (enabled) {
EventLogTags.writeDeviceIdleOnPhase("net");
@@ -2026,7 +2027,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
fout.print("UID=");
fout.print(uid);
fout.print(" policy=");
dumpPolicy(fout, policy);
fout.print(DebugUtils.flagsToString(NetworkPolicyManager.class, "POLICY_", policy));
fout.println();
}
fout.decreaseIndent();
@@ -2071,18 +2072,14 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
fout.print("UID=");
fout.print(uid);
int state = mUidState.get(uid, ActivityManager.PROCESS_STATE_CACHED_EMPTY);
final int state = mUidState.get(uid, ActivityManager.PROCESS_STATE_CACHED_EMPTY);
fout.print(" state=");
fout.print(state);
fout.print(state <= ActivityManager.PROCESS_STATE_TOP ? " (fg)" : " (bg)");
fout.print(" rules=");
final int rulesIndex = mUidRules.indexOfKey(uid);
if (rulesIndex < 0) {
fout.print("UNKNOWN");
} else {
dumpRules(fout, mUidRules.valueAt(rulesIndex));
}
final int rule = mUidRules.get(uid, RULE_UNKNOWN);
fout.print(" rule=");
fout.print(DebugUtils.valueToString(NetworkPolicyManager.class, "RULE_", rule));
fout.println();
}
@@ -2117,7 +2114,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
updateRulesForUidStateChangeLocked(uid, oldUidState, uidState);
if (mDeviceIdleMode && isProcStateAllowedWhileIdle(oldUidState)
!= isProcStateAllowedWhileIdle(uidState)) {
updateRulesForDeviceIdleLocked();
updateRuleForDeviceIdleLocked(uid);
}
}
}
@@ -2131,7 +2128,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
updateRulesForUidStateChangeLocked(uid, oldUidState,
ActivityManager.PROCESS_STATE_CACHED_EMPTY);
if (mDeviceIdleMode) {
updateRulesForDeviceIdleLocked();
updateRuleForDeviceIdleLocked(uid);
}
}
}
@@ -2178,7 +2175,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
if (mDeviceIdleMode) {
// sync the whitelists before enable dozable chain. We don't care about the rules if
// we are disabling the chain.
SparseIntArray uidRules = new SparseIntArray();
final SparseIntArray uidRules = mUidFirewallDozableRules;
uidRules.clear();
final List<UserInfo> users = mUserManager.getUsers();
for (int ui = users.size() - 1; ui >= 0; ui--) {
UserInfo user = users.get(ui);
@@ -2202,6 +2200,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
}
setUidFirewallRules(FIREWALL_CHAIN_DOZABLE, uidRules);
}
enableFirewallChainLocked(FIREWALL_CHAIN_DOZABLE, mDeviceIdleMode);
}
@@ -2215,11 +2214,15 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
setUidFirewallRule(FIREWALL_CHAIN_DOZABLE, uid, FIREWALL_RULE_DEFAULT);
}
}
updateRulesForUidLocked(uid);
}
void updateRulesForAppIdleLocked() {
final SparseIntArray uidRules = mUidFirewallStandbyRules;
uidRules.clear();
// Fully update the app idle firewall chain.
SparseIntArray uidRules = new SparseIntArray();
final List<UserInfo> users = mUserManager.getUsers();
for (int ui = users.size() - 1; ui >= 0; ui--) {
UserInfo user = users.get(ui);
@@ -2230,6 +2233,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
}
}
}
setUidFirewallRules(FIREWALL_CHAIN_STANDBY, uidRules);
}
@@ -2242,11 +2246,14 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
} else {
setUidFirewallRule(FIREWALL_CHAIN_STANDBY, uid, FIREWALL_RULE_DEFAULT);
}
updateRulesForUidLocked(uid);
}
void updateRulesForAppIdleParoleLocked() {
boolean enableChain = !mUsageStats.isAppIdleParoleOn();
enableFirewallChainLocked(FIREWALL_CHAIN_STANDBY, enableChain);
updateRulesForUidsLocked(mUidFirewallStandbyRules);
}
/**
@@ -2316,6 +2323,12 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
return true;
}
void updateRulesForUidsLocked(SparseIntArray uids) {
for (int i = 0; i < uids.size(); i++) {
updateRulesForUidLocked(uids.keyAt(i));
}
}
/**
* Applies network rules to bandwidth and firewall controllers based on uid policy.
* @param uid The uid for which to apply the latest policy
@@ -2337,8 +2350,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
final int uidPolicy = mUidPolicy.get(uid, POLICY_NONE);
final boolean uidForeground = isUidForegroundLocked(uid);
// derive active rules based on policy and active state
// Derive active rules based on policy and active state
int appId = UserHandle.getAppId(uid);
int uidRules = RULE_ALLOW_ALL;
if (!uidForeground && (uidPolicy & POLICY_REJECT_METERED_BACKGROUND) != 0) {
@@ -2361,20 +2373,27 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
}
}
final int oldRules = mUidRules.get(uid);
// Check dozable state, which is whitelist
if (mFirewallChainStates.get(FIREWALL_CHAIN_DOZABLE)
&& mUidFirewallDozableRules.get(uid, FIREWALL_RULE_DEFAULT) != FIREWALL_RULE_ALLOW) {
uidRules = RULE_REJECT_ALL;
}
// Check standby state, which is blacklist
if (mFirewallChainStates.get(FIREWALL_CHAIN_STANDBY)
&& mUidFirewallStandbyRules.get(uid, FIREWALL_RULE_DEFAULT) == FIREWALL_RULE_DENY) {
uidRules = RULE_REJECT_ALL;
}
final int oldRules = mUidRules.get(uid);
if (uidRules == RULE_ALLOW_ALL) {
mUidRules.delete(uid);
} else {
mUidRules.put(uid, uidRules);
}
// Update bandwidth rules if necessary
final boolean oldRejectMetered = (oldRules & RULE_REJECT_METERED) != 0;
final boolean rejectMetered = (uidRules & RULE_REJECT_METERED) != 0;
if (oldRejectMetered != rejectMetered) {
setUidNetworkRules(uid, rejectMetered);
}
final boolean rejectMetered = (uidRules == RULE_REJECT_METERED);
setUidNetworkRules(uid, rejectMetered);
// dispatch changed rule to existing listeners
if (oldRules != uidRules) {
@@ -2560,6 +2579,12 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
* Add or remove a uid to the firewall blacklist for all network ifaces.
*/
private void setUidFirewallRule(int chain, int uid, int rule) {
if (chain == FIREWALL_CHAIN_DOZABLE) {
mUidFirewallDozableRules.put(uid, rule);
} else if (chain == FIREWALL_CHAIN_STANDBY) {
mUidFirewallStandbyRules.put(uid, rule);
}
try {
mNetworkManager.setFirewallUidRule(chain, uid, rule);
} catch (IllegalStateException e) {