From 2a390120a9e90ec414d347921039ff98724d0dda Mon Sep 17 00:00:00 2001
From: Chad Brubaker
Date: Wed, 19 Feb 2014 17:51:05 -0800
Subject: [PATCH] Mark uids without rules with PROTECT_MARK

The default result for a uid without a mark should be MARK_PROTECT because the service using the uid's mark may be covered by a VPN that should not cover the user it is acting for.

Bug: 12608570
Change-Id: I2402cb86ddb2fe6e670d1793263ff6c2c31d32fe
---
 DnsProxyListener.cpp | 6 ++----
 NetdConstants.h | 2 ++
 SecondaryTableController.h | 1 -
 UidMarkMap.cpp | 5 ++++-
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/DnsProxyListener.cpp b/DnsProxyListener.cpp
index eb02f01..6990f26 100644
--- a/DnsProxyListener.cpp
+++ b/DnsProxyListener.cpp
@@ -133,8 +133,7 @@ void DnsProxyListener::GetAddrInfoHandler::run() {
 if (mIface == NULL) {
 //fall back to the per uid interface if no per pid interface exists
 if(!_resolv_get_pids_associated_interface(mPid, tmp, sizeof(tmp)))
-if(!_resolv_get_uids_associated_interface(mUid, tmp, sizeof(tmp)))
-mark = -1; // if we don't have a targeted iface don't use a mark
+_resolv_get_uids_associated_interface(mUid, tmp, sizeof(tmp));
 }
 
 struct addrinfo* result = NULL;
@@ -473,8 +472,7 @@ void DnsProxyListener::GetHostByAddrHandler::run() {
 if (mIface == NULL) {
 //fall back to the per uid interface if no per pid interface exists
 if(!_resolv_get_pids_associated_interface(mPid, tmp, sizeof(tmp)))
-if(!_resolv_get_uids_associated_interface(mUid, tmp, sizeof(tmp)))
-mark = -1;
+_resolv_get_uids_associated_interface(mUid, tmp, sizeof(tmp));
 }
 
 struct hostent* hp;
diff --git a/NetdConstants.h b/NetdConstants.h
index d686968..2508ea2 100644
--- a/NetdConstants.h
+++ b/NetdConstants.h
@@ -21,6 +21,8 @@
 #include
 #include
 
+const int PROTECT_MARK = 0x1;
+
 extern const char * const IPTABLES_PATH;
 extern const char * const IP6TABLES_PATH;
 extern const char * const IP_PATH;
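Review bot: With the `mark = -1` reset removed, a request for which neither the per-pid nor the per-uid interface lookup succeeds now proceeds with whatever `mark` already holds, and the result of `_resolv_get_uids_associated_interface` is discarded; nothing in the hunk records that this is deliberate, so the deleted comment should be replaced rather than dropped, e.g. `// no targeted iface: keep the mark already chosen for this uid (PROTECT_MARK when it has no rule)`. It is also worth confirming that the code after the hunk reads `tmp` only when one of the two lookups succeeded, since `tmp` is no longer tied to a checked return value. The same point applies to the GetHostByAddrHandler::run hunk below. Both enclosing functions start and end outside their hunks.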
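Review bot: `PROTECT_MARK` lands in a shared header as a bare magic value with no comment on who depends on it; it was previously defined next to the rule priorities in SecondaryTableController.h (presumably the mark the protect rules test) and after this commit it is also the default UidMarkMap::getMark result, so anyone changing the value needs to know both consumers. Suggest `// fwmark for traffic that must bypass VPN routing rules; also the default mark for a uid without a rule (see UidMarkMap::getMark). Keep in sync with the rules in SecondaryTableController.` As a namespace-scope `const int` it has internal linkage in C++, so each translation unit gets a private copy; if this header is ever included from a C source the definition would have external linkage and collide at link time, so confirm all includers are C++.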
diff --git a/SecondaryTableController.h b/SecondaryTableController.h
index a153685..716e11d 100644
--- a/SecondaryTableController.h
+++ b/SecondaryTableController.h
@@ -30,7 +30,6 @@ static const int INTERFACES_TRACKED = 10;
 static const int BASE_TABLE_NUMBER = 60;
 static int MAX_TABLE_NUMBER = BASE_TABLE_NUMBER + INTERFACES_TRACKED;
 
-static const int PROTECT_MARK = 0x1;
 
 static const char *EXEMPT_PRIO = "99";
 static const char *RULE_PRIO = "100";
diff --git a/UidMarkMap.cpp b/UidMarkMap.cpp
index d30ac53..932d3de 100644
--- a/UidMarkMap.cpp
+++ b/UidMarkMap.cpp
@@ -15,6 +15,7 @@
 */
 
 #include "UidMarkMap.h"
+#include "NetdConstants.h"
 
 UidMarkMap::UidMarkEntry::UidMarkEntry(int start, int end, int new_mark) :
 uid_start(start),
@@ -63,7 +64,9 @@ int UidMarkMap::getMark(int uid) {
 return entry->mark;
 }
 }
- return -1;
+ // If the uid has no mark specified then it should be protected from any VPN rules that might
+ // be affecting the service acting on its behalf.
+ return PROTECT_MARK;
 };
 
 bool UidMarkMap::anyRulesForMark(int mark) {
-- 
2.11.0
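Review bot: Changing the no-rule result of getMark from -1 to PROTECT_MARK silently breaks any caller that still tests `getMark(uid) == -1` to detect "no rule"; the commit updates DnsProxyListener, but no other call sites are visible here, so each remaining caller should be checked, and a rule that explicitly assigns PROTECT_MARK is now indistinguishable from having no rule. The new contract should also be stated on the declaration in UidMarkMap.h, e.g. `// Returns the mark for uid, or PROTECT_MARK when no range covers it; never returns -1.` The commit message calls the constant MARK_PROTECT while the code names it PROTECT_MARK, which will confuse anyone searching the history.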