More correctly set app_mark in getNetworkContext.

Specifically: set explicitlySelected, protectedFromVpn and permissions.

Bug: 26256264
Change-Id: I1ebd2c1878fb7166ac63c061c8731e66b0050a30

diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 93a0763..7890fd2 100644 (file)
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -247,11 +247,29 @@ void NetworkController::getNetworkContext(
             .uid = uid,
     };
 
-    if (nc.app_netid == NETID_UNSET) {
+    // |netId| comes directly (via dnsproxyd) from the value returned by netIdForResolv() in the
+    // client process. This value is nonzero iff.:
+    //
+    // 1. The app specified a netid/nethandle to a DNS resolution method such as:
+    //        - [Java] android.net.Network#getAllByName()
+    //        - [C/++] android_getaddrinfofornetwork()
+    // 2. The app specified a netid/nethandle to be used as a process default via:
+    //        - [Java] android.net.ConnectivityManager#bindProcessToNetwork()
+    //        - [C/++] android_setprocnetwork()
+    // 3. The app called android.net.ConnectivityManager#startUsingNetworkFeature().
+    //
+    // In all these cases (with the possible exception of #3), the right thing to do is to treat
+    // such cases as explicitlySelected.
+    const bool explicitlySelected = (nc.app_netid != NETID_UNSET);
+    if (!explicitlySelected) {
         nc.app_netid = getNetworkForConnect(uid);
     }
+
     Fwmark fwmark;
     fwmark.netId = nc.app_netid;
+    fwmark.explicitlySelected = explicitlySelected;
+    fwmark.protectedFromVpn = canProtect(uid);
+    fwmark.permission = getPermissionForUser(uid);
     nc.app_mark = fwmark.intValue;
 
     nc.dns_mark = getNetworkForDns(&(nc.dns_netid), uid);