Skip to content
Snippets Groups Projects
Select Git revision
  • fourteen-qpr1
  • fifteen-qpr2
  • fourteen default
  • fifteen-qpr0
  • fifteen-qpr1
  • thirteen
  • staging/fourteen
  • twelve
  • staging/thirteen
  • staging/twelve
10 results
Search by author
  • Any Author
  • Adithya R Adithya R adithya2306
  • Ali Ali ali-nasiri-80
  • Dhina17 Dhina17 Dhina17
  • electimon electimon electimon
  • Erfan Abdi Erfan Abdi erfanoabdi
  • Farzin Kazemzadeh Farzin Kazemzadeh itisFarzin
  • LMO BuildBot LMO BuildBot lmo-buildbot
  • LMO GerritBot LMO GerritBot lmo-gerritbot
  • Mohammad Hasan Keramat J Mohammad Hasan Keramat J ikeramat
  • Nick Nick nift4
10 authors
  1. Apr 02, 2024
  3. Apr 01, 2024
  5. Mar 19, 2024
    • Dhina17's avatar
      Merge tag 'android-14.0.0_r29' into fourteen · 528e3863
      Dhina17 authored 
      Android 14.0.0 release 29

 Conflicts:
	Tethering/src/com/android/networkstack/tethering/UpstreamNetworkMonitor.java
	bpf_progs/netd.c
	service/src/com/android/server/ConnectivityService.java

Change-Id: I28318b3004dd28c4ec8c53b46177961671e06993
      528e3863
  7. Jan 18, 2024
    • Subhajeet Muhuri's avatar
      TrafficStats: Stop the spam · 0df67917
      Subhajeet Muhuri authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
Change-Id: I812bc7c3af0ea75db3a6c980f6f9ce4ec5ab6671
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      0df67917
    • Tommy Webb's avatar
      Keep UID in lockdown when present in any range · 48c356ed
      Tommy Webb authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
Do not remove LOCKDOWN_VPN_MATCH from a UID if it is present in any of
the supplied ranges that have yet to be removed.

Change-Id: Ia95724cd19040f83cea2c169a2585ab5dbdddbac
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      48c356ed
    • Oliver Scott's avatar
      Always drop non-VPN ingress in lockdown mode · f15adf53
      Oliver Scott authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
When "Block connections without VPN" is specified, incoming traffic
from non-VPN interfaces should be blocked regardless of the
determination made by ConnectivityService#getVpnIsolationInterface.
Outgoing traffic to non-VPN interfaces is already blocked in this case.
(Loopback is excluded as usual.)

Test: `adb shell dumpsys connectivity trafficcontroller` will now show
the tunnel interface for uids affected by lockdown when
getVpnIsolationInterface returns null (wildcard), to block non-VPN
ingress to such uids. This will return to 0 (wildcard) when lockdown
is toggled back off.

Also includes squashed change:

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Mon May 1 16:52:28 2023 -0400

    fixup! Always drop non-VPN ingress in lockdown mode

    For lockdown purposes, force an update of VPN filtering whenever the
    interface names for a VPN have changed, to ensure that the BPF owner
    map uses the most up-to-date interface for ingress filtering.

    Issue: calyxos#1651
    Change-Id: Ia0c75a723134023906134597b395653c7a570686

Co-authored-by: default avatarTommy Webb <tommy@calyxinstitute.org>
Issue: calyxos#1255
Bug: 206482423
Change-Id: Id7954816566cb06bf2e9869ea98b20678835df9d
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      f15adf53
    • Tommy Webb's avatar
      Use BPF to block socket creation when restricted · 6b3aa3fa
      Tommy Webb authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
Adapt BPF's inet socket creation rule to not only check INTERNET
permission but also to ensure the uid is on the allowlist for
restricted networking (has RESTRICTED_MATCH flag).

Also includes squashed change:

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Thu Sep 7 03:59:21 2023 -0400

    Deny socket creation for transport-blocked apps

    Prevent apps whose network access is blocked based on transport
    policies from creating sockets, too. Update the logic to match AOSP's
    "funky bit-wise arithmetic" from the latest Connectivity mainline.

    Test: Manual: Turn on Private DNS. Install Terminal Emulator. Connect
    to Wi-Fi (no VPN). Set Terminal Emulator's toggles to disable Wi-Fi.
    Run: `ping duckduckgo.com`. Should receive "unknown host" error, NOT
    "Network is unreachable". Same "unknown host" error should occur when
    testing with overall network access turned off for Terminal Emulator,
    with and without its Wi-Fi access also turned off.

    Issue: calyxos#581
    Change-Id: I995e9929f6f8c1ae0613e05e0cade55a76c35902

Co-authored-by: default avatarOliver Scott <olivercscott@gmail.com>
Change-Id: I912a4a2ee78a29ca8b7d8ff85e5ad7cf617c31a5
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      6b3aa3fa
    • Tommy Webb's avatar
      Firewall: Transport-based toggle support (3/3) · 732072bf
      Tommy Webb authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
Using policies provided by NetworkPolicyManagerService (fw/b), allow
or disallow an app to access a network based on network transport
type, e.g. Wi-Fi or Cellular.

Needs corresponding fw/b and netd changes.

All networks are treated as being restricted, and only UIDs whose
policy allows them on a transport are able to route outgoing traffic
over a network of that type. In addition, to prevent incoming traffic
to UIDs that are not allowed on the active network, and to handle UIDs
that have a policy which prevents them from accessing VPNs, UIDs that
are not allowed to access their active network are added to a denylist
that prevents them from accessing networks in general. Networks which
are truly restricted, however, such as for IMS, are left unchanged.

Also includes squashed changes:

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Thu Apr 27 15:51:18 2023 -0400

    fixup! Set allowed UIDs for networks based on policies

    Revert to prior network permission behavior here, and make necessary
    changes in netd instead. This improves clarity and allows UIDs to
    take advantage of default network rules which would otherwise
    require system-level permission, prior to this change.

    Related: Icd64aa530e8d202abb97d8325160a5d4c0b4c490
    Change-Id: If5493deb96f88fe3ff5fc8a6a0c6d6d9bc77eff4

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Wed Mar 22 09:05:18 2023 -0400

    Expose new isUidCurrentlyDisallowedByPolicy

    Allows determining if a UID is blocked based on its transports.

    Change-Id: I2729b61c349ec2812a74d7d1c04b90a58b0f5b88

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Wed Sep 20 15:19:45 2023 -0400

    Use framework listener for allowed transports

    When allowed transports change, instead of exposing an API from
    Connectivity that the framework calls, add a new method to the
    framework's NetworkPolicyCallback that we override.

    This change benefits the prebuilt mainline module, preventing
    the need to fight with the platform to add new module APIs.

    Requires fw/b change of the same Change-Id.

    Change-Id: Ie476f23684b00397197184e965201d6823b28de2

Author: Tommy Webb <tommy@calyxinstitute.org>
Date:   Wed Sep 20 16:10:36 2023 -0400

    Notify the framework about denylist changes

    When the denylist changes, instead of exposing an API from
    Connectivity that the framework calls, add a new method to the
    framework's NetworkPolicyManager that we call to inform it of
    this directly.

    This change benefits the prebuilt mainline module, preventing
    the need to fight with the platform to add new module APIs.

    Requires fw/b change of the same Change-Id.

    Change-Id: I3c3593f110753a3ce02af3739f600190f22e9663

Change-Id: I79342edbec92090cca20853ba50ea7fd48ec81c2
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      732072bf
    • Oliver Scott's avatar
      Stop reading UIDS_ALLOWED_ON_RESTRICTED_NETWORKS setting in PermissionMonitor · 39651317
      Oliver Scott authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
The setting is a factor used to determine the network permission level that is granted to an app. Restricted networking mode defaults to granting PERMISSION_SYSTEM to UIDs that are listed in the setting. This removal avoids this.

Change-Id: I1e5af36f0fc9d4828b693bbb4b888c449bac3d29
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      39651317
    • Oliver Scott's avatar
      Disallow non-VPN tethering upstreams on always-on VPN lockdown mode · 3c21364c
      Oliver Scott authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
* This ensures that the Hotspot "Allow clients to use VPN" option
  respects the VPN "Block connections without VPN" option,
  to avoid any leaks.

Issue: calyxos#555
Change-Id: Ibd690c605a3d87e3c493550039a65862be16848b
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      3c21364c
    • Oliver Scott's avatar
      Connectivity: Add capability to allow tethering to use VPN upstreams · d5b9b6f0
      Oliver Scott authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
Updated for Android 14, which does not handle CONNECTIVITY_ACTION and
therefore does not react to VPN connections as it previously did. The
new way to handle this is EVENT_DEFAULT_SWITCHED, but this only
considered the system default network, not VPNs; now, in 14, when VPN
upstreams are allowed, we follow the default network for ROOT_UID,
mirroring this change's existing consideration of ROOT_UID.

Uses AOSP Settings for easier APEX updates

Squash of:

Author: Sam Mortimer <sam@mortimer.me.uk>
Date:   Thu Aug 15 19:40:55 2019 -0700

    fw/b: Add capability to allow tethering to use VPN upstreams

    * Toggled on/off at runtime via a new hotspot lineage setting.

    * Dynamically updates the tethering upstream for existing hotspot
      clients as VPNs are brought up / down or the hotspot setting
      is changed.

    * This implementation depends on fw/b config_tether_upstream_automatic
      being set to true.

    Change-Id: I2ac0b4acc0ea686dfdf54561cb3428808e337160

Author: Sam Mortimer <sam@mortimer.me.uk>
Date:   Fri Sep 13 16:27:37 2019 -0700

    fw/b: Prevent trying to enable hw offload for tethering via VPN upstreams

    * Tethering via VPN upstream requires a sw path.

    * hw offload setup happened to be being disabled anyway owing to a fail
      return code from setDataLimit().  However, it was causing offload to be
      disabled entirely (until next hotspot off / on event).

    * Gracefully skip hw offload for vpn upstreams so that it is automatically
      used again when a vpn is disconnected.

    Change-Id: I4df13f02889305560903b7b1e919eedc7af78c07

* Previously if you had a VPN running in a work profile, it'd end up using that over user 0 VPN
* Only use user 0 VPNs, as that makes most sense logically for a device-wide feature (hotspot)

Issue: calyxos#912
Co-authored-by: default avatarTommy Webb <tommy@calyxinstitute.org>
Change-Id: I77ed0142e653f4993486eea44e4dac21e3f67f17
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      d5b9b6f0
    • Dave Daynard's avatar
      Remove DUN requirement for tethering · 97623603
      Dave Daynard authored and Mohammad Hasan Keramat J's avatar Mohammad Hasan Keramat J committed 
      
Change-Id: I296f303a23351e4ab29898895abfcd313c747db9
Signed-off-by: default avatarMohammad Hasan Keramat J <ikeramat@protonmail.com>
      97623603
  9. Dec 15, 2023
  11. Dec 14, 2023
  13. Dec 13, 2023