  3. Mar 19, 2024
      Merge tag 'android-14.0.0_r29' into fourteen · 528e3863
      Dhina17 authored
      Android 14.0.0 release 29
      
       Conflicts:
      	Tethering/src/com/android/networkstack/tethering/UpstreamNetworkMonitor.java
      	bpf_progs/netd.c
      	service/src/com/android/server/ConnectivityService.java
      
      Change-Id: I28318b3004dd28c4ec8c53b46177961671e06993
  4. Jan 18, 2024
      TrafficStats: Stop the spam · 0df67917
      Subhajeet Muhuri authored and Mohammad Hasan Keramat J committed
      
      Change-Id: I812bc7c3af0ea75db3a6c980f6f9ce4ec5ab6671
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
      Keep UID in lockdown when present in any range · 48c356ed
      Tommy Webb authored and Mohammad Hasan Keramat J committed
      
      Do not remove LOCKDOWN_VPN_MATCH from a UID if it is present in any of
      the supplied ranges that have yet to be removed.
      
      Change-Id: Ia95724cd19040f83cea2c169a2585ab5dbdddbac
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
      Always drop non-VPN ingress in lockdown mode · f15adf53
      Oliver Scott authored and Mohammad Hasan Keramat J committed
      
      When "Block connections without VPN" is specified, incoming traffic
      from non-VPN interfaces should be blocked regardless of the
      determination made by ConnectivityService#getVpnIsolationInterface.
      Outgoing traffic to non-VPN interfaces is already blocked in this case.
      (Loopback is excluded as usual.)
      
      Test: `adb shell dumpsys connectivity trafficcontroller` will now show
      the tunnel interface for uids affected by lockdown when
      getVpnIsolationInterface returns null (wildcard), to block non-VPN
      ingress to such uids. This will return to 0 (wildcard) when lockdown
      is toggled back off.
      
      Also includes squashed change:
      
      Author: Tommy Webb <tommy@calyxinstitute.org>
      Date:   Mon May 1 16:52:28 2023 -0400
      
          fixup! Always drop non-VPN ingress in lockdown mode
      
          For lockdown purposes, force an update of VPN filtering whenever the
          interface names for a VPN have changed, to ensure that the BPF owner
          map uses the most up-to-date interface for ingress filtering.
      
          Issue: calyxos#1651
          Change-Id: Ia0c75a723134023906134597b395653c7a570686
      
      Co-authored-by: Tommy Webb <tommy@calyxinstitute.org>
      Issue: calyxos#1255
      Bug: 206482423
      Change-Id: Id7954816566cb06bf2e9869ea98b20678835df9d
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
      Use BPF to block socket creation when restricted · 6b3aa3fa
      Tommy Webb authored and Mohammad Hasan Keramat J committed
      
      Adapt BPF's inet socket creation rule to not only check INTERNET
      permission but also to ensure the uid is on the allowlist for
      restricted networking (has RESTRICTED_MATCH flag).
      
      Also includes squashed change:
      
      Author: Tommy Webb <tommy@calyxinstitute.org>
      Date:   Thu Sep 7 03:59:21 2023 -0400
      
          Deny socket creation for transport-blocked apps
      
          Prevent apps whose network access is blocked based on transport
          policies from creating sockets, too. Update the logic to match AOSP's
          "funky bit-wise arithmetic" from the latest Connectivity mainline.
      
          Test: Manual: Turn on Private DNS. Install Terminal Emulator. Connect
          to Wi-Fi (no VPN). Set Terminal Emulator's toggles to disable Wi-Fi.
          Run: `ping duckduckgo.com`. Should receive "unknown host" error, NOT
          "Network is unreachable". Same "unknown host" error should occur when
          testing with overall network access turned off for Terminal Emulator,
          with and without its Wi-Fi access also turned off.
      
          Issue: calyxos#581
          Change-Id: I995e9929f6f8c1ae0613e05e0cade55a76c35902
      
      Co-authored-by: Oliver Scott <olivercscott@gmail.com>
      Change-Id: I912a4a2ee78a29ca8b7d8ff85e5ad7cf617c31a5
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
      Firewall: Transport-based toggle support (3/3) · 732072bf
      Tommy Webb authored and Mohammad Hasan Keramat J committed
      
      Using policies provided by NetworkPolicyManagerService (fw/b), allow
      or disallow an app to access a network based on network transport
      type, e.g. Wi-Fi or Cellular.
      
      Needs corresponding fw/b and netd changes.
      
      All networks are treated as being restricted, and only UIDs whose
      policy allows them on a transport are able to route outgoing traffic
      over a network of that type. In addition, to prevent incoming traffic
      to UIDs that are not allowed on the active network, and to handle UIDs
      that have a policy which prevents them from accessing VPNs, UIDs that
      are not allowed to access their active network are added to a denylist
      that prevents them from accessing networks in general. Networks which
      are truly restricted, however, such as for IMS, are left unchanged.
      
      Also includes squashed changes:
      
      Author: Tommy Webb <tommy@calyxinstitute.org>
      Date:   Thu Apr 27 15:51:18 2023 -0400
      
          fixup! Set allowed UIDs for networks based on policies
      
          Revert to prior network permission behavior here, and make necessary
          changes in netd instead. This improves clarity and allows UIDs to
          take advantage of default network rules which would otherwise
          require system-level permission, prior to this change.
      
          Related: Icd64aa530e8d202abb97d8325160a5d4c0b4c490
          Change-Id: If5493deb96f88fe3ff5fc8a6a0c6d6d9bc77eff4
      
      Author: Tommy Webb <tommy@calyxinstitute.org>
      Date:   Wed Mar 22 09:05:18 2023 -0400
      
          Expose new isUidCurrentlyDisallowedByPolicy
      
          Allows determining if a UID is blocked based on its transports.
      
          Change-Id: I2729b61c349ec2812a74d7d1c04b90a58b0f5b88
      
      Author: Tommy Webb <tommy@calyxinstitute.org>
      Date:   Wed Sep 20 15:19:45 2023 -0400
      
          Use framework listener for allowed transports
      
          When allowed transports change, instead of exposing an API from
          Connectivity that the framework calls, add a new method to the
          framework's NetworkPolicyCallback that we override.
      
          This change benefits the prebuilt mainline module, preventing
          the need to fight with the platform to add new module APIs.
      
          Requires fw/b change of the same Change-Id.
      
          Change-Id: Ie476f23684b00397197184e965201d6823b28de2
      
      Author: Tommy Webb <tommy@calyxinstitute.org>
      Date:   Wed Sep 20 16:10:36 2023 -0400
      
          Notify the framework about denylist changes
      
          When the denylist changes, instead of exposing an API from
          Connectivity that the framework calls, add a new method to the
          framework's NetworkPolicyManager that we call to inform it of
          this directly.
      
          This change benefits the prebuilt mainline module, preventing
          the need to fight with the platform to add new module APIs.
      
          Requires fw/b change of the same Change-Id.
      
          Change-Id: I3c3593f110753a3ce02af3739f600190f22e9663
      
      Change-Id: I79342edbec92090cca20853ba50ea7fd48ec81c2
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
      Stop reading UIDS_ALLOWED_ON_RESTRICTED_NETWORKS setting in PermissionMonitor · 39651317
      Oliver Scott authored and Mohammad Hasan Keramat J committed
      
      The setting is a factor used to determine the network permission level that is granted to an app. Restricted networking mode defaults to granting PERMISSION_SYSTEM to UIDs that are listed in the setting. This removal avoids this.
      
      Change-Id: I1e5af36f0fc9d4828b693bbb4b888c449bac3d29
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
      Disallow non-VPN tethering upstreams on always-on VPN lockdown mode · 3c21364c
      Oliver Scott authored and Mohammad Hasan Keramat J committed
      
      * This ensures that the Hotspot "Allow clients to use VPN" option
        respects the VPN "Block connections without VPN" option,
        to avoid any leaks.
      
      Issue: calyxos#555
      Change-Id: Ibd690c605a3d87e3c493550039a65862be16848b
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
      Connectivity: Add capability to allow tethering to use VPN upstreams · d5b9b6f0
      Oliver Scott authored and Mohammad Hasan Keramat J committed
      
      Updated for Android 14, which does not handle CONNECTIVITY_ACTION and
      therefore does not react to VPN connections as it previously did. The
      new way to handle this is EVENT_DEFAULT_SWITCHED, but this only
      considered the system default network, not VPNs; now, in 14, when VPN
      upstreams are allowed, we follow the default network for ROOT_UID,
      mirroring this change's existing consideration of ROOT_UID.
      
      Uses AOSP Settings for easier APEX updates
      
      Squash of:
      
      Author: Sam Mortimer <sam@mortimer.me.uk>
      Date:   Thu Aug 15 19:40:55 2019 -0700
      
          fw/b: Add capability to allow tethering to use VPN upstreams
      
          * Toggled on/off at runtime via a new hotspot lineage setting.
      
          * Dynamically updates the tethering upstream for existing hotspot
            clients as VPNs are brought up / down or the hotspot setting
            is changed.
      
          * This implementation depends on fw/b config_tether_upstream_automatic
            being set to true.
      
          Change-Id: I2ac0b4acc0ea686dfdf54561cb3428808e337160
      
      Author: Sam Mortimer <sam@mortimer.me.uk>
      Date:   Fri Sep 13 16:27:37 2019 -0700
      
          fw/b: Prevent trying to enable hw offload for tethering via VPN upstreams
      
          * Tethering via VPN upstream requires a sw path.
      
          * hw offload setup happened to be being disabled anyway owing to a fail
            return code from setDataLimit().  However, it was causing offload to be
            disabled entirely (until next hotspot off / on event).
      
          * Gracefully skip hw offload for vpn upstreams so that it is automatically
            used again when a vpn is disconnected.
      
          Change-Id: I4df13f02889305560903b7b1e919eedc7af78c07
      
      * Previously if you had a VPN running in a work profile, it'd end up using that over user 0 VPN
      * Only use user 0 VPNs, as that makes most sense logically for a device-wide feature (hotspot)
      
      Issue: calyxos#912
      Co-authored-by: Tommy Webb <tommy@calyxinstitute.org>
      Change-Id: I77ed0142e653f4993486eea44e4dac21e3f67f17
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
      Remove DUN requirement for tethering · 97623603
      Dave Daynard authored and Mohammad Hasan Keramat J committed
      
      Change-Id: I296f303a23351e4ab29898895abfcd313c747db9
      Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>