android_packages_modules_Co.../service
Tommy Webb 0e59e79d44 Firewall: Transport-based toggle support (3/3)
Using policies provided by NetworkPolicyManagerService (fw/b), allow
or disallow an app to access a network based on network transport
type, e.g. Wi-Fi or Cellular.

Needs corresponding fw/b and netd changes.

All networks are treated as being restricted, and only UIDs whose
policy allows them on a transport are able to route outgoing traffic
over a network of that type. In addition, to prevent incoming traffic
to UIDs that are not allowed on the active network, and to handle UIDs
that have a policy which prevents them from accessing VPNs, UIDs that
are not allowed to access their active network are added to a denylist
that prevents them from accessing networks in general. Networks which
are truly restricted, however, such as for IMS, are left unchanged.

Also includes squashed changes:

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Thu Apr 27 15:51:18 2023 -0400

    fixup! Set allowed UIDs for networks based on policies

    Revert to prior network permission behavior here, and make necessary
    changes in netd instead. This improves clarity and allows UIDs to
    take advantage of default network rules which would otherwise
    require system-level permission, prior to this change.

    Related: Icd64aa530e8d202abb97d8325160a5d4c0b4c490
    Change-Id: If5493deb96f88fe3ff5fc8a6a0c6d6d9bc77eff4

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Wed Mar 22 09:05:18 2023 -0400

    Expose new isUidCurrentlyDisallowedByPolicy

    Allows determining if a UID is blocked based on its transports.

    Change-Id: I2729b61c349ec2812a74d7d1c04b90a58b0f5b88

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Wed Sep 20 15:19:45 2023 -0400

    Use framework listener for allowed transports

    When allowed transports change, instead of exposing an API from
    Connectivity that the framework calls, add a new method to the
    framework's NetworkPolicyCallback that we override.

    This change benefits the prebuilt mainline module, preventing
    the need to fight with the platform to add new module APIs.

    Requires fw/b change of the same Change-Id.

    Change-Id: Ie476f23684b00397197184e965201d6823b28de2

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Wed Sep 20 16:10:36 2023 -0400

    Notify the framework about denylist changes

    When the denylist changes, instead of exposing an API from
    Connectivity that the framework calls, add a new method to the
    framework's NetworkPolicyManager that we call to inform it of
    this directly.

    This change benefits the prebuilt mainline module, preventing
    the need to fight with the platform to add new module APIs.

    Requires fw/b change of the same Change-Id.

    Change-Id: I3c3593f110753a3ce02af3739f600190f22e9663

Change-Id: I79342edbec92090cca20853ba50ea7fd48ec81c2
Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
2024-07-18 19:20:09 +05:30
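The allow/deny logic the message describes (per-transport allowed UIDs on every non-restricted network, a separate denylist for UIDs whose active network is not allowed, restricted networks left alone) is easier to follow as a small model. The class below is an added illustration written for this page, not code from the Connectivity module, fw/b or netd. Its assumptions: transports are reduced to WIFI, CELLULAR and VPN; a UID is allowed on a network only if its policy allows every transport that network has; a UID with no policy entry is not allowed anywhere, matching "all networks are treated as being restricted"; an empty Optional from allowedUidsFor means "leave this network's existing rules unchanged". All names except isUidCurrentlyDisallowedByPolicy are invented, and that one is only a stand-in for the method the message mentions. Requires Java 17 or later for the record.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;

/**
 * Hypothetical model of the transport-based firewall policy described in the
 * commit message. Added illustration only; not Connectivity, fw/b or netd code.
 */
public final class TransportPolicyModel {

    enum Transport { WIFI, CELLULAR, VPN }

    /** netId, the transports the network offers, and whether it is truly restricted (e.g. IMS). */
    record Network(int netId, Set<Transport> transports, boolean restricted) {}

    /** uid -> transports the policy allows. A UID with no entry is allowed nowhere (assumption). */
    private final Map<Integer, Set<Transport>> allowedTransports = new HashMap<>();
    /** UIDs blocked from all networks because their active network is not allowed. */
    private final Set<Integer> denylist = new HashSet<>();

    void setAllowedTransports(int uid, Set<Transport> transports) {
        Set<Transport> copy = EnumSet.noneOf(Transport.class);
        copy.addAll(transports);
        allowedTransports.put(uid, copy);
    }

    /** Allowed only if the policy covers every transport of the network (assumption). */
    boolean isUidAllowedOn(int uid, Network network) {
        Set<Transport> allowed = allowedTransports.get(uid);
        return allowed != null && allowed.containsAll(network.transports());
    }

    /**
     * Allowed-UID set to push for a network. An empty Optional means the network is
     * truly restricted, so its existing permission rules must be left unchanged.
     */
    Optional<Set<Integer>> allowedUidsFor(Network network) {
        if (network.restricted()) return Optional.empty();
        Set<Integer> uids = new TreeSet<>();
        for (int uid : allowedTransports.keySet()) {
            if (isUidAllowedOn(uid, network)) uids.add(uid);
        }
        return Optional.of(uids);
    }

    /**
     * Recompute the denylist when the active network or a policy changes. The per-network
     * allowed-UID set only gates outgoing routing; incoming traffic and VPN-disallowed UIDs
     * need the blanket denylist. Returns the UIDs whose denylist state changed so the
     * caller can notify the framework.
     */
    Set<Integer> onActiveNetworkChanged(Network active) {
        Set<Integer> changed = new TreeSet<>();
        for (int uid : allowedTransports.keySet()) {
            boolean deny = !isUidAllowedOn(uid, active);
            if (deny ? denylist.add(uid) : denylist.remove(uid)) changed.add(uid);
        }
        return changed;
    }

    boolean isUidCurrentlyDisallowedByPolicy(int uid) {
        return denylist.contains(uid);
    }

    public static void main(String[] args) {
        TransportPolicyModel model = new TransportPolicyModel();
        // Constructed sample policies: 10001 Wi-Fi only, 10002 everything but VPN,
        // 10003 every transport toggled on.
        model.setAllowedTransports(10001, EnumSet.of(Transport.WIFI));
        model.setAllowedTransports(10002, EnumSet.of(Transport.WIFI, Transport.CELLULAR));
        model.setAllowedTransports(10003, EnumSet.allOf(Transport.class));

        Network wifi = new Network(100, EnumSet.of(Transport.WIFI), false);
        Network cell = new Network(101, EnumSet.of(Transport.CELLULAR), false);
        Network ims  = new Network(102, EnumSet.of(Transport.CELLULAR), true);
        Network vpn  = new Network(103, EnumSet.of(Transport.VPN), false);

        System.out.println("wifi allowed UIDs: " + model.allowedUidsFor(wifi));
        System.out.println("cell allowed UIDs: " + model.allowedUidsFor(cell));
        System.out.println("ims  allowed UIDs: " + model.allowedUidsFor(ims) + " (restricted, untouched)");
        System.out.println("vpn  allowed UIDs: " + model.allowedUidsFor(vpn));

        // Active network moves from Wi-Fi to cellular: 10001 enters the denylist,
        // which is what blocks its incoming traffic as well as its outgoing traffic.
        System.out.println("denylist delta on wifi: " + model.onActiveNetworkChanged(wifi));
        System.out.println("denylist delta on cell: " + model.onActiveNetworkChanged(cell));
        System.out.println("10001 disallowed: " + model.isUidCurrentlyDisallowedByPolicy(10001));
        System.out.println("10003 disallowed: " + model.isUidCurrentlyDisallowedByPolicy(10003));
    }
}
```

Two points the model makes explicit: the VPN network gets an allowed set that excludes 10001 and 10002, but only the denylist stops those UIDs from being reached once a VPN is their active network; and the IMS network never gets a computed set, so a bug in the policy cannot strip permissions from a network the platform already restricts.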