OSDN Git Service

Only set protectFromVpn if explicitlySelected is also true.

Branches/tags: nougat-x86 android-x86-7.1-r1 android-x86-7.1-r2 android-x86-7.1-r3 android-x86-7.1-r4 android-x86-7.1-r5
author    Erik Kline <ek@google.com>
          Thu, 25 May 2017 08:03:31 +0000 (17:03 +0900)
committer Chih-Wei Huang <cwhuang@linux.org.tw>
          Thu, 10 Aug 2017 01:48:06 +0000 (09:48 +0800)
When a secure VPN is up, setting protectFromVpn=1 and explicitlySelected=0
causes the probe routing lookups used by _have_ipv4 and _have_ipv6 to skip
the VPN rule, instead selecting the default network.

This means that the address families for which we query DNS records are
determined by the address families of the default network, not those of
the VPN.

If explicitlySelected==true, setting protectFromVpn=true (if the app can
protect its sockets) results in querying the address families from the
specified network, which is correct.

Test: as follows
    - built
    - flashed
    - booted
    - runtest -x netd_integration_test.cpp passes
    - testing per bug discussion
Bug: 37131664
Bug: 37347238
Change-Id: I7cf322a047494fd70c3c4d8862d53d6a6dac66de
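The commit message describes the effect of the two mark bits on the probe routing lookup in words only. The following is an added, stand-alone model of that lookup, not netd's code and not part of this commit: a mark is built from netId, explicitlySelected and protectedFromVpn, and matched against a reduced "fwmark VALUE/MASK lookup TABLE" rule list. The bit positions (netId in bits 0-15, explicitlySelected in bit 16, protectedFromVpn in bit 17), the netIds 100/101 and the four-rule table are assumptions constructed for illustration; the real rule set is larger. `markBefore` computes the mark the way the old line did (`canProtect(uid)` alone) and `markAfter` the way the new line does (`explicitlySelected && canProtect(uid)`).

```cpp
// Added example: a simplified model of how the fwmark bits changed by this
// commit steer a routing-rule lookup. Not netd code; layout and rules are
// assumptions for illustration only.
#include <cstdint>
#include <cstdio>
#include <vector>

namespace {

constexpr unsigned kDefaultNetId = 100;   // constructed: the default network
constexpr unsigned kVpnNetId     = 101;   // constructed: the secure VPN
constexpr uint32_t kExplicitBit  = 1u << 16;   // assumed bit position
constexpr uint32_t kProtectedBit = 1u << 17;   // assumed bit position

// Plain-struct stand-in for netd's Fwmark (no anonymous-union bitfields so
// this stays portable C++).
struct Fwmark {
    unsigned netId;
    bool explicitlySelected;
    bool protectedFromVpn;
    uint32_t intValue() const {
        return (netId & 0xFFFFu)
             | (explicitlySelected ? kExplicitBit : 0u)
             | (protectedFromVpn ? kProtectedBit : 0u);
    }
};

// One "ip rule ... fwmark VALUE/MASK lookup TABLE" entry; matches when
// (mark & mask) == (value & mask).
struct Rule {
    uint32_t value;
    uint32_t mask;
    unsigned table;   // netId whose routing table the lookup resolves to
};

// Constructed rule set, highest priority first:
//  1,2. explicit selection: explicitlySelected set and netId == N -> table N
//  3.   secure VPN: any mark NOT marked protectedFromVpn -> VPN table
//  4.   default network: everything else
const std::vector<Rule>& rules() {
    static const std::vector<Rule> kRules = {
        { kExplicitBit | kVpnNetId,     kExplicitBit | 0xFFFFu, kVpnNetId },
        { kExplicitBit | kDefaultNetId, kExplicitBit | 0xFFFFu, kDefaultNetId },
        { 0u,                           kProtectedBit,          kVpnNetId },
        { 0u,                           0u,                     kDefaultNetId },
    };
    return kRules;
}

}  // namespace

// Walk the rules in priority order and return the table the mark lands in.
unsigned lookup(uint32_t mark) {
    for (const Rule& r : rules()) {
        if ((mark & r.mask) == (r.value & r.mask)) return r.table;
    }
    return 0;  // unreachable with the catch-all rule above
}

// Mark as computed before the commit: protectedFromVpn follows canProtect alone.
uint32_t markBefore(unsigned netId, bool explicitlySelected, bool canProtect) {
    return Fwmark{netId, explicitlySelected, canProtect}.intValue();
}

// Mark as computed after the commit: protectedFromVpn also needs explicitlySelected.
uint32_t markAfter(unsigned netId, bool explicitlySelected, bool canProtect) {
    return Fwmark{netId, explicitlySelected, explicitlySelected && canProtect}.intValue();
}

int main() {
    // The scenario from the commit message: VPN up, app can protect its
    // sockets, lookup is NOT explicitly selected (app_netid is the VPN's).
    std::printf("non-explicit, canProtect: before -> netId %u, after -> netId %u\n",
                lookup(markBefore(kVpnNetId, false, true)),
                lookup(markAfter(kVpnNetId, false, true)));
    // Explicit selection of the default network is unchanged by the fix.
    std::printf("explicit default, canProtect: before -> %u, after -> %u\n",
                lookup(markBefore(kDefaultNetId, true, true)),
                lookup(markAfter(kDefaultNetId, true, true)));
    return 0;
}
```

With the old computation the non-explicit probe mark carries the protectedFromVpn bit, rule 3 is skipped and the lookup falls through to the default network; with the new computation the bit is clear and the lookup resolves to the VPN, which is the behaviour the commit message calls correct. Explicitly selected lookups hit rules 1 or 2 before the VPN rule is consulted, so they are unaffected either way.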

server/NetworkController.cpp
server/NetworkController.h

index c891391..86a0209 100644 (file)
@@ -47,6 +47,8 @@
 #include "RouteController.h"
 #include "VirtualNetwork.h"
 
+#define DBG 0
+
 namespace {
 
 // Keep these in sync with ConnectivityService.java.
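Review bot: `#define DBG 0` is placed just above the anonymous namespace that opens on the next line, and it only gates the `if (DBG)` block added further down in getNetworkContext; a `constexpr bool kDbg = false;` inside that namespace gives the same compile-time elimination of the ALOGD without introducing a preprocessor symbol whose generic name could also be defined by an included header.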
@@ -284,12 +286,17 @@ void NetworkController::getNetworkContext(
     Fwmark fwmark;
     fwmark.netId = nc.app_netid;
     fwmark.explicitlySelected = explicitlySelected;
-    fwmark.protectedFromVpn = canProtect(uid);
+    fwmark.protectedFromVpn = explicitlySelected && canProtect(uid);
     fwmark.permission = getPermissionForUser(uid);
     nc.app_mark = fwmark.intValue;
 
     nc.dns_mark = getNetworkForDns(&(nc.dns_netid), uid);
 
+    if (DBG) {
+        ALOGD("app_netid:0x%x app_mark:0x%x dns_netid:0x%x dns_mark:0x%x uid:%d",
+              nc.app_netid, nc.app_mark, nc.dns_netid, nc.dns_mark, uid);
+    }
+
     if (netcontext) {
         *netcontext = nc;
     }
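Review bot: the new ALOGD uses `uid:%d` for `uid`, but the header's `std::map<uid_t, Permission> mUsers` indicates uids are uid_t (unsigned) here, so the conversion should be `%u`. Separately, the behavioural fix is the single line `fwmark.protectedFromVpn = explicitlySelected && canProtect(uid);` whose rationale (a non-explicit lookup with protectedFromVpn set skips the VPN rule and lands on the default network) lives only in the commit message; a one-line comment beside the assignment would keep that reasoning with the code. Note also that `nc.dns_mark = getNetworkForDns(&(nc.dns_netid), uid);` is computed independently and is not touched by this change, so only app_mark changes behaviour in this hunk.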
index 07e743c..195cdbd 100644 (file)
@@ -113,7 +113,6 @@ private:
     std::map<unsigned, Network*> mNetworks;  // Map keys are NetIds.
     std::map<uid_t, Permission> mUsers;
     std::set<uid_t> mProtectableUsers;
-
 };
 
 #endif  // NETD_SERVER_NETWORK_CONTROLLER_H
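Review bot: this hunk only removes a blank line before `};` in NetworkController.h, which is unrelated whitespace cleanup; it would be cleaner to drop it or carry it in a separate change so the diff for this fix shows just the protectedFromVpn behaviour change.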