From feb2b61d3010d52e530357116c3b22c6d77da3cf Mon Sep 17 00:00:00 2001
From: Xiaohui Chen
Date: Thu, 25 Jun 2015 21:19:38 -0700
Subject: [PATCH] netd: add default fw white list for system uids

In uid firewall white list, we white list the system uid range by default to make sure system processes will always have network access.

BUG:22094135
Change-Id: I8f472a98a9fd93591a2887982cec1458d7683613
---
 server/FirewallController.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 4847c85..bcf7524 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -23,6 +23,7 @@
 #define LOG_NDEBUG 0
 #include
+#include
 #include "NetdConstants.h"
 #include "FirewallController.h"
@@ -263,6 +264,11 @@ int FirewallController::createChain(const char* childChain,
     int res = 0;
     res |= execIptables(V4V6, "-t", TABLE, "-N", childChain, NULL);
     if (type == WHITELIST) {
+        // create default white list for system uid range
+        char uidStr[16];
+        sprintf(uidStr, "0-%d", AID_APP - 1);
+        res |= execIptables(V4V6, "-A", childChain, "-m", "owner", "--uid-owner", uidStr, "-j", "RETURN", NULL);
         // create default rule to drop all traffic
         res |= execIptables(V4V6, "-A", childChain, "-j", "DROP", NULL);
     }
-- 
2.11.0
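Review bot: The `sprintf(uidStr, "0-%d", AID_APP - 1)` into the fixed 16-byte `uidStr` in the second hunk carries no length bound; `snprintf(uidStr, sizeof(uidStr), "0-%d", AID_APP - 1);` produces the same string today and keeps the stack buffer safe if AID_APP or the format ever grows. The comment `// create default white list for system uid range` understates what the rule does; I would write `// Any uid below AID_APP (every system daemon) RETURNs from this chain before the DROP appended below, so a whitelist chain never restricts system-uid traffic` so the exemption is obvious to whoever audits the firewall rules later. The `#include` added in the first hunk lost its header name in this rendering, so I cannot confirm from the page that it is the header defining AID_APP. createChain continues past the end of the hunk, so the handling of the accumulated `res` is not visible here.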