1. 16 May, 2016 2 commits
    • Make FirewallController::createChain use replaceUidChain. · a55388e3
      Lorenzo Colitti authored
      This has two benefits:
      
      1. It makes the behaviour of setting firewall chains via the
         firewallReplaceUidChain RPC match the behaviour of creating
         the chains on boot. (As a side effect, it reduces code
         duplication between the two.)
      2. It makes creating firewall chains on boot use iptables-restore,
         which is substantially faster than running iptables commands
         one at a time.
      
      This CL will allow the framework to switch to using
      firewallReplaceUidChain when the framework starts, providing
      substantial speedups over the current behaviour of running two
      iptables commands for every app that is whitelisted or idle.
      
      Bug: 26675191
      Change-Id: Ifbd15bf9143efd526570dde8f88effc79d164630
    • Make firewallReplaceUidChain match the behaviour of createChain. · f157caf3
      Lorenzo Colitti authored
      The behaviour of the firewallReplaceUidChain was incorrect in
      several ways:
      
      1. It was missing the "always allow TCP RST packets" rules which
         were added in http://ag/963000 .
      2. It included a RETURN statement at the end of blacklist chains,
         which is superfluous since all user-defined chains implicitly
         return, and became incorrect when http://ag/963000 switched the
         behaviour of blacklist chains from inserting new rules at the
         beginning to appending them at the end.
      3. It was missing the rules to allow the types of ICMPv6 packets
         that are critical in maintaining connectivity.
      
      By itself, this change is a no-op since nothing currently calls
      firewallReplaceUidRule.
      
      Bug: 26675191
      Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb
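The two commits above (and the doze-mode ICMPv6 change further down) describe the shape of a UID chain when it is written through iptables-restore: one transaction per chain, TCP RST always allowed, no trailing RETURN in blacklist chains, and the ICMPv6 types needed for IPv6 connectivity kept open. The following is an added example, not netd's own code, that builds such a restore script; it assumes (not from the page) that system UIDs are 0-9999, that the ICMPv6 types are 134-136 (router advertisement, neighbour solicitation, neighbour advertisement), and that the caller jumps to the chain from OUTPUT.

```shell
# Added example, not netd's code: emit an iptables-restore script that
# replaces one UID firewall chain in a single transaction.
# Assumptions not taken from the page: system UIDs are 0-9999, the ICMPv6
# types are 134-136 (RA, NS, NA), and the caller jumps to the chain from OUTPUT.
#
# usage: build_uid_chain FAMILY(4|6) MODE(whitelist|blacklist) CHAIN [UID...]
build_uid_chain() {
  family=$1 mode=$2 chain=$3
  shift 3
  printf '%s\n' '*filter'
  # ':CHAIN - [0:0]' recreates the chain empty; with 'iptables-restore -n'
  # the other chains in the table are left untouched.
  printf '%s\n' ":$chain - [0:0]"
  # Always let TCP RST out so a blocked app's stale connections get torn down.
  printf '%s\n' "-A $chain -p tcp --tcp-flags RST RST -j RETURN"
  if [ "$family" = 6 ]; then
    # Router/neighbour discovery must keep working or IPv6 dies in doze mode.
    for type in 134 135 136; do
      printf '%s\n' "-A $chain -p icmpv6 --icmpv6-type $type -j RETURN"
    done
  fi
  case $mode in
    whitelist)
      # System UIDs always get network access, then the listed UIDs, then drop.
      printf '%s\n' "-A $chain -m owner --uid-owner 0-9999 -j RETURN"
      for uid in "$@"; do
        printf '%s\n' "-A $chain -m owner --uid-owner $uid -j RETURN"
      done
      printf '%s\n' "-A $chain -j DROP" ;;
    blacklist)
      # Listed UIDs are dropped; no trailing RETURN, the chain returns implicitly.
      for uid in "$@"; do
        printf '%s\n' "-A $chain -m owner --uid-owner $uid -j DROP"
      done ;;
    *)
      printf '%s\n' "build_uid_chain: unknown mode '$mode'" >&2
      return 1 ;;
  esac
  printf '%s\n' 'COMMIT'
}

# Apply atomically instead of one iptables invocation per UID, e.g.:
#   build_uid_chain 6 whitelist fw_dozable 10005 10042 | ip6tables-restore -n
```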
  2. 26 Apr, 2016 1 commit
  3. 14 Mar, 2016 1 commit
  4. 02 Mar, 2016 1 commit
  5. 11 Feb, 2016 1 commit
    • Created a firewall chain for power save mode. · 3f624341
      Felipe Leme authored
      When power-save mode was first implemented, there were no firewall rules
      on netd, so the solution was to make all network interface metered and
      re-use the bw_penalty_box chain.
      
      This change removes that workaround by creating an explicit fw_powersave
      chain, whose behavior is similar to fw_dozable (in fact, it reuses some
      of its code); such a change not only makes network restrictions on
      power-save mode simpler, but it also allows optimizing how the restrict
      network rules are changed.
      
      BUG: 27127112
      Change-Id: I52aee49d80386594e3a52fea9667d580d2d944a1
  6. 02 Sep, 2015 1 commit
    • Don't break IPv6 connectivity when in doze mode. · c8683d7e
      Lorenzo Colitti authored
      Working IPv6 connectivity relies on the kernel being able to
      receive certain ICMPv6 packets (router advertisements, neighbour
      solicitations, neighbour advertisements) at all times. Allow
      these packets when in doze mode.
      
      This is not necessary for IPv4 because in IPv4 these functions
      use ARP, which is invisible to iptables.
      
      Bug: 23158230
      Change-Id: I29ed77561db9688486cf58cd14ac3bce7fce4b40
  7. 26 Jun, 2015 1 commit
    • netd: add default fw white list for system uids · feb2b61d
      Xiaohui Chen authored
      In uid firewall white list, we white list the system uid range
      by default to make sure system processes will always have network
      access.
      
      BUG: 22094135
      Change-Id: I8f472a98a9fd93591a2887982cec1458d7683613
  8. 15 Jun, 2015 1 commit
    • netd: add two child chains to firewall · 1cdfa9ad
      Xiaohui Chen authored
      This is an attempt to speed up getting out of device idle.  It groups
      uid firewall rules in these child chains so we can attach/detach a whole
      chain instead of individual uid rules.
      
      BUG: 21446713
      Change-Id: I61dc7d14110e633c5994e466481b9cac633a7a4f
  9. 29 Apr, 2015 1 commit
    • Blacklist uids for network access · 390e4ea8
      Amith Yamasani authored
      FirewallController can now be in blacklist mode (aka disabled)
      or whitelist mode (aka enabled).
      
      Some of the methods don't do anything when in blacklist mode.
      
      Uid rules updated to allow dropping packets to uids that
      shouldn't get any network access, usually for idle apps.
      
      Added a wait option to iptables calls to make sure it doesn't
      fail if there's contention. Fixes a flakiness I was seeing in
      removing rules.
      
      Bug: 20066058
      Change-Id: I815bcb45aa06d04020e902df8c67bb3894e98f40
  10. 20 Jun, 2014 1 commit
    • server: check interface names in RPC arguments for validity · 69261cb6
      JP Abgrall authored
      This patch introduces a method isIfaceName that checks interface
      names from various RPCs for validity before e.g. using them as
      part of iptables arguments or in filenames.
      
      All of these RPC calls can only be called from applications
      with at least the CONNECTIVITY_INTERNAL permission in recent
      Android versions, so the impact of the missing checks luckily
      isn't very high.
      
      Orig-Author: Jann Horn <jann@thejh.net>
      
      Change-Id: I80df8d745a3de99ad02d6649f0d10562c81f6b98
      Signed-off-by: JP Abgrall <jpa@google.com>
  11. 21 May, 2014 1 commit
  12. 17 Jul, 2012 1 commit
    • Introduce basic firewall controls. · d8c64026
      Jeff Sharkey authored
      Creates a separate firewall chain that can be used to allow/deny
      traffic based on rules.
      
      Firewall is disabled by default.  When enabled, it supports four
      types of rules: allowing traffic based on iface name, based on egress
      source IP, based on egress destination IP and port, and based on
      local UID.
      
      Bug: 5756357
      Change-Id: I97f894dca6bddb93b3c56478c5297f79d727cdab