GitLab

This reverts commit 4a0ab5ff.

Breaks internal master.

This reverts commit b67219a7.

Change-Id: I43145f0724ad2d669b65d20b6fd6ccc44b8f0a4f

StringPrintf and the string based file I/O are being moved to libbase.

Change-Id: I765d9e53f65a76d318d9d0d9503403fc092254d5

* commit '7a269cb3':
  Store MARK/CONNMARK flags in a central location.

* commit 'f48d6abf':
  Switch writing to <utils/file.h>.

Change-Id: Idb2de24414f4dd8e926e625b62e4d12152dc4527

* commit '50c6639a':
  Use StringPrintf.

This doesn't replace every asprintf in netd, but it replaces the ones in code
I touched.

Change-Id: I2de5c7772523372bb36145e66e885aa8132ad58e

Change-Id: I8f4c9ae0d13d30e69b7a197eafdfcb9b2b9050c0

* commit '6c08cd6a':
  Avoid leaking file descriptors

Change-Id: Id79961cc4feee1c307dad06d64e3f4ffe060c4da

MARK/CONNMARK values/tags are shared accross all controllers because
of the way the firewall works. To avoid accidental clashes, it's best
to store the values used in a central place.

Change-Id: I76aaba38cba6554704a5635b1e7297a144e6e2ff

Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.

Addresses the following SELinux denial:

  audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket

and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.

Change-Id: I9c180488ea1969d610e488f967a7276a672bb477

* commit 'aea68fdd':
  Don't fail when trying to add routes that already exist.

Previously, we suppressed failures for the special case of
requestRouteToHost() being called multiple times. Turns out that other
parts of the system also try to add duplicate routes, so just suppress
EEXIST errors in general (as far as adding routes is concerned). For
example, this happens when the WiFi P2P DHCP client renews its lease
and blindly requests to add a route that it had already added before.

(cherry picked from commit 64166e76)

Bug: 17205769
Change-Id: I11d50052f616cb48a912d647b8024ccef01b736d

* commit 'b1842acd':
  Add missing <string.h> include.

* commit '883d129b':
  Add missing <malloc.h> include.

Change-Id: I0259da35f2dc8ff87c928eb5bd378f39cbfc9f9c

Change-Id: I14ea45e98b8271d6b53ac86e92ad3b5c7dac8f75

* commit '6ef96c48':
  Config NFLOG target before listening.

Otherwise the listener thread races with us and can eat the
responses to the config messages.

Bug: 19066761
Change-Id: I484fd79414731ab74ebc3ea50446e374a50eac77

* commit '535b94fa':
  Offer to detect non-SSL/TLS network traffic.

Introduces new module that provides network-related features for
the StrictMode developer API.  The first feature offers to detect
sockets sending data not wrapped inside a layer of SSL/TLS
encryption.

This carefully only adds overhead to UIDs that have requested
detection, and it uses CONNMARK to quickly accept/reject packets
from streams that have already been inspected.  Detection is done
by looking for a well-known TLS handshake header; it's not future
proof, but it's a good start.  Handles both IPv4 and IPv6.

When requested, we also log the triggering packet through NFLOG and
back up to the framework to aid investigation.

Bug: 18335678
Change-Id: Ie8fab785139dfb55a71b6dc7a0f3c75a8408224b

* commit '32b2e795':
  exit instead of returning when execv()ing clatd fails.

Returning instead of exiting when execv() fails causes mayhem, as
it results in two netd processes running, and netd commands being
processed by one of the two at random.

Bug: 18893886
Change-Id: I25afbabaef5955c9af7053b0333969b4e83549f1

* commit '1a3c689b':
  Fix missing errno.h includes after libc cleanup.