c013c8dd79
Adapt BPF's inet socket creation rule to not only check INTERNET
permission but also to ensure the uid is on the allowlist for
restricted networking (has RESTRICTED_MATCH flag).
Also includes squashed change:
Author: Tommy Webb <tommy@calyxinstitute.org>
Date: Thu Sep 7 03:59:21 2023 -0400
Deny socket creation for transport-blocked apps
Prevent apps whose network access is blocked based on transport
policies from creating sockets, too. Update the logic to match AOSP's
"funky bit-wise arithmetic" from the latest Connectivity mainline.
Test: Manual: Turn on Private DNS. Install Terminal Emulator. Connect
to Wi-Fi (no VPN). Set Terminal Emulator's toggles to disable Wi-Fi.
Run: `ping duckduckgo.com`. Should receive "unknown host" error, NOT
"Network is unreachable". Same "unknown host" error should occur when
testing with overall network access turned off for Terminal Emulator,
with and without its Wi-Fi access also turned off.
Issue: calyxos#581
Change-Id: I995e9929f6f8c1ae0613e05e0cade55a76c35902
Co-authored-by: Oliver Scott <olivercscott@gmail.com>
Change-Id: I912a4a2ee78a29ca8b7d8ff85e5ad7cf617c31a5
Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
|
||
|---|---|---|
| Cronet | ||
| Tethering | ||
| bpf_progs | ||
| common | ||
| framework | ||
| framework-t | ||
| nearby | ||
| netd | ||
| service | ||
| service-t | ||
| tests | ||
| tools | ||
| .gitignore | ||
| OWNERS | ||
| OWNERS_core_networking | ||
| OWNERS_core_networking_xts | ||
| PREUPLOAD.cfg | ||
| TEST_MAPPING | ||