Merge "Use tunnel local/remote addresses in security policies" am: 8424a78b75

am: f4c8a61ad7 Change-Id: Id515c008da62a67ecb36ff60a6cfd646074061ab
author: Benedict Wong <benedictwong@google.com> 2018-08-31 11:12:55 -0700
committer: android-build-merger <android-build-merger@google.com> 2018-08-31 11:12:55 -0700
commit: 2cb2f7119ffa3b51abc005771c45072dd01aaa7d (patch)
tree: 29294bc9bdc01aef12ce7ca7b52e18fad74e0c13
parent: 4da4f9b98697225081145076023fd860b6132b9e (diff)
parent: f4c8a61ad73e3b565b97ba0ab73b428beadc98ff (diff)
1 files changed, 48 insertions, 40 deletions
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 744ed25f160f..01e81525d5b5 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -27,7 +27,6 @@ import static com.android.internal.util.Preconditions.checkNotNull;
 import android.annotation.NonNull;
 import android.app.AppOpsManager;
 import android.content.Context;
-import android.net.ConnectivityManager;
 import android.net.IIpSecService;
 import android.net.INetd;
 import android.net.IpSecAlgorithm;
@@ -44,7 +43,6 @@ import android.net.NetworkUtils;
 import android.net.TrafficStats;
 import android.net.util.NetdService;
 import android.os.Binder;
-import android.os.DeadSystemException;
 import android.os.IBinder;
 import android.os.ParcelFileDescriptor;
 import android.os.RemoteException;
@@ -89,9 +87,8 @@ public class IpSecService extends IIpSecService.Stub {
     private static final boolean DBG = Log.isLoggable(TAG, Log.DEBUG);
 
     private static final String NETD_SERVICE_NAME = "netd";
-    private static final int[] DIRECTIONS =
-            new int[] {IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_IN};
-    private static final String[] WILDCARD_ADDRESSES = new String[]{"0.0.0.0", "::"};
+    private static final int[] ADDRESS_FAMILIES =
+            new int[] {OsConstants.AF_INET, OsConstants.AF_INET6};
 
     private static final int NETD_FETCH_TIMEOUT_MS = 5000; // ms
     private static final int MAX_PORT_BIND_ATTEMPTS = 10;
@@ -819,16 +816,22 @@ public class IpSecService extends IIpSecService.Stub {
             //       Teardown VTI
             //       Delete global policies
             try {
-                mSrvConfig.getNetdInstance().removeVirtualTunnelInterface(mInterfaceName);
-
-                for(String wildcardAddr : WILDCARD_ADDRESSES) {
-                    for (int direction : DIRECTIONS) {
-                        int mark = (direction == IpSecManager.DIRECTION_IN) ? mIkey : mOkey;
-                        mSrvConfig
-                                .getNetdInstance()
-                                .ipSecDeleteSecurityPolicy(
-                                        0, direction, wildcardAddr, wildcardAddr, mark, 0xffffffff);
-                    }
+                final INetd netd = mSrvConfig.getNetdInstance();
+                netd.removeVirtualTunnelInterface(mInterfaceName);
+
+                for (int selAddrFamily : ADDRESS_FAMILIES) {
+                    netd.ipSecDeleteSecurityPolicy(
+                            0,
+                            selAddrFamily,
+                            IpSecManager.DIRECTION_OUT,
+                            mOkey,
+                            0xffffffff);
+                    netd.ipSecDeleteSecurityPolicy(
+                            0,
+                            selAddrFamily,
+                            IpSecManager.DIRECTION_IN,
+                            mIkey,
+                            0xffffffff);
                 }
             } catch (ServiceSpecificException | RemoteException e) {
                 Log.e(
@@ -1276,25 +1279,29 @@ public class IpSecService extends IIpSecService.Stub {
             //       Create VTI
             //       Add inbound/outbound global policies
             //              (use reqid = 0)
-            mSrvConfig
-                    .getNetdInstance()
-                    .addVirtualTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey);
-
-            for(String wildcardAddr : WILDCARD_ADDRESSES) {
-                for (int direction : DIRECTIONS) {
-                    int mark = (direction == IpSecManager.DIRECTION_OUT) ? okey : ikey;
-
-                    mSrvConfig
-                            .getNetdInstance()
-                            .ipSecAddSecurityPolicy(
-                                0, // Use 0 for reqId
-                                direction,
-                                wildcardAddr,
-                                wildcardAddr,
-                                0,
-                                mark,
-                                0xffffffff);
-                }
+            final INetd netd = mSrvConfig.getNetdInstance();
+            netd.addVirtualTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey);
+
+            for (int selAddrFamily : ADDRESS_FAMILIES) {
+                // Always send down correct local/remote addresses for template.
+                netd.ipSecAddSecurityPolicy(
+                        0, // Use 0 for reqId
+                        selAddrFamily,
+                        IpSecManager.DIRECTION_OUT,
+                        localAddr,
+                        remoteAddr,
+                        0,
+                        okey,
+                        0xffffffff);
+                netd.ipSecAddSecurityPolicy(
+                        0, // Use 0 for reqId
+                        selAddrFamily,
+                        IpSecManager.DIRECTION_IN,
+                        remoteAddr,
+                        localAddr,
+                        0,
+                        ikey,
+                        0xffffffff);
             }
 
             userRecord.mTunnelInterfaceRecords.put(
@@ -1693,9 +1700,9 @@ public class IpSecService extends IIpSecService.Stub {
         SpiRecord spiRecord = userRecord.mSpiRecords.getResourceOrThrow(c.getSpiResourceId());
 
         int mark =
-                (direction == IpSecManager.DIRECTION_IN)
-                        ? tunnelInterfaceInfo.getIkey()
-                        : tunnelInterfaceInfo.getOkey();
+                (direction == IpSecManager.DIRECTION_OUT)
+                        ? tunnelInterfaceInfo.getOkey()
+                        : tunnelInterfaceInfo.getIkey();
 
         try {
             c.setMarkValue(mark);
@@ -1706,14 +1713,15 @@ public class IpSecService extends IIpSecService.Stub {
                 c.setNetwork(tunnelInterfaceInfo.getUnderlyingNetwork());
 
                 // If outbound, also add SPI to the policy.
-                for(String wildcardAddr : WILDCARD_ADDRESSES) {
+                for (int selAddrFamily : ADDRESS_FAMILIES) {
                     mSrvConfig
                             .getNetdInstance()
                             .ipSecUpdateSecurityPolicy(
                                     0, // Use 0 for reqId
+                                    selAddrFamily,
                                     direction,
-                                    wildcardAddr,
-                                    wildcardAddr,
+                                    tunnelInterfaceInfo.getLocalAddress(),
+                                    tunnelInterfaceInfo.getRemoteAddress(),
                                     transformInfo.getSpiRecord().getSpi(),
                                     mark,
                                     0xffffffff);
author	Benedict Wong <benedictwong@google.com>	2018-08-31 11:12:55 -0700
committer	android-build-merger <android-build-merger@google.com>	2018-08-31 11:12:55 -0700
commit	2cb2f7119ffa3b51abc005771c45072dd01aaa7d (patch)
tree	29294bc9bdc01aef12ce7ca7b52e18fad74e0c13
parent	4da4f9b98697225081145076023fd860b6132b9e (diff)
parent	f4c8a61ad73e3b565b97ba0ab73b428beadc98ff (diff)