Merge "Close sockets from ConnectivityService#setFirewallChainEnabled"

author: Motomu Utsumi <motomuman@google.com> 2023-05-12 09:18:40 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2023-05-12 09:18:40 +0000
commit: 2a97522e77d98509be0cd997f2544ca9c4375bf6 (patch)
tree: 9e6e0d411961efa8b43ac593845461b3aef86945
parent: 843e9d609b60e58bfb2904b2e9ec27973cfb43e0 (diff)
parent: d37e335cfbab0586255c3e9b0b1fadd09c263f95 (diff)
1 files changed, 0 insertions, 74 deletions
diff --git a/services/core/java/com/android/server/NetworkManagementService.java b/services/core/java/com/android/server/NetworkManagementService.java
index 2aa93783c501..17cdfdb29b98 100644
--- a/services/core/java/com/android/server/NetworkManagementService.java
+++ b/services/core/java/com/android/server/NetworkManagementService.java
@@ -56,7 +56,6 @@ import android.net.NetworkPolicyManager;
 import android.net.NetworkStack;
 import android.net.NetworkStats;
 import android.net.RouteInfo;
-import android.net.UidRangeParcel;
 import android.net.util.NetdService;
 import android.os.BatteryStats;
 import android.os.Binder;
@@ -97,7 +96,6 @@ import java.io.PrintWriter;
 import java.net.InetAddress;
 import java.net.InterfaceAddress;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -1346,70 +1344,6 @@ public class NetworkManagementService extends INetworkManagementService.Stub {
         }
     }
 
-    private void closeSocketsForFirewallChainLocked(int chain, String chainName) {
-        // UID ranges to close sockets on.
-        UidRangeParcel[] ranges;
-        // UID ranges whose sockets we won't touch.
-        int[] exemptUids;
-
-        int numUids = 0;
-        if (DBG) Slog.d(TAG, "Closing sockets after enabling chain " + chainName);
-        if (getFirewallType(chain) == FIREWALL_ALLOWLIST) {
-            // Close all sockets on all non-system UIDs...
-            ranges = new UidRangeParcel[] {
-                // TODO: is there a better way of finding all existing users? If so, we could
-                // specify their ranges here.
-                new UidRangeParcel(Process.FIRST_APPLICATION_UID, Integer.MAX_VALUE),
-            };
-            // ... except for the UIDs that have allow rules.
-            synchronized (mRulesLock) {
-                final SparseIntArray rules = getUidFirewallRulesLR(chain);
-                exemptUids = new int[rules.size()];
-                for (int i = 0; i < exemptUids.length; i++) {
-                    if (rules.valueAt(i) == FIREWALL_RULE_ALLOW) {
-                        exemptUids[numUids] = rules.keyAt(i);
-                        numUids++;
-                    }
-                }
-            }
-            // Normally, allowlist chains only contain deny rules, so numUids == exemptUids.length.
-            // But the code does not guarantee this in any way, and at least in one case - if we add
-            // a UID rule to the firewall, and then disable the firewall - the chains can contain
-            // the wrong type of rule. In this case, don't close connections that we shouldn't.
-            //
-            // TODO: tighten up this code by ensuring we never set the wrong type of rule, and
-            // fix setFirewallEnabled to grab mQuotaLock and clear rules.
-            if (numUids != exemptUids.length) {
-                exemptUids = Arrays.copyOf(exemptUids, numUids);
-            }
-        } else {
-            // Close sockets for every UID that has a deny rule...
-            synchronized (mRulesLock) {
-                final SparseIntArray rules = getUidFirewallRulesLR(chain);
-                ranges = new UidRangeParcel[rules.size()];
-                for (int i = 0; i < ranges.length; i++) {
-                    if (rules.valueAt(i) == FIREWALL_RULE_DENY) {
-                        int uid = rules.keyAt(i);
-                        ranges[numUids] = new UidRangeParcel(uid, uid);
-                        numUids++;
-                    }
-                }
-            }
-            // As above; usually numUids == ranges.length, but not always.
-            if (numUids != ranges.length) {
-                ranges = Arrays.copyOf(ranges, numUids);
-            }
-            // ... with no exceptions.
-            exemptUids = new int[0];
-        }
-
-        try {
-            mNetdService.socketDestroy(ranges, exemptUids);
-        } catch(RemoteException | ServiceSpecificException e) {
-            Slog.e(TAG, "Error closing sockets after enabling chain " + chainName + ": " + e);
-        }
-    }
-
     @Override
     public void setFirewallChainEnabled(int chain, boolean enable) {
         enforceSystemUid();
@@ -1434,14 +1368,6 @@ public class NetworkManagementService extends INetworkManagementService.Stub {
             } catch (RuntimeException e) {
                 throw new IllegalStateException(e);
             }
-
-            // Close any sockets that were opened by the affected UIDs. This has to be done after
-            // disabling network connectivity, in case they react to the socket close by reopening
-            // the connection and race with the iptables commands that enable the firewall. All
-            // allowlist and denylist chains allow RSTs through.
-            if (enable) {
-                closeSocketsForFirewallChainLocked(chain, chainName);
-            }
         }
     }
author	Motomu Utsumi <motomuman@google.com>	2023-05-12 09:18:40 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2023-05-12 09:18:40 +0000
commit	2a97522e77d98509be0cd997f2544ca9c4375bf6 (patch)
tree	9e6e0d411961efa8b43ac593845461b3aef86945
parent	843e9d609b60e58bfb2904b2e9ec27973cfb43e0 (diff)
parent	d37e335cfbab0586255c3e9b0b1fadd09c263f95 (diff)