author Lorenzo Colitti <lorenzo@google.com> 2014-10-16 09:23:21 +0000
committer Android Git Automerger <android-git-automerger@android.com> 2014-10-16 09:23:21 +0000
commitffd7335088d228ac0c56fdc7e2faba79c78572bf (patch)
tree1813d4e9e0a67ae50e77e2bf51e126a6cf19d1da
parent24f9a26cea200d9452bd922d94f8669d87744f53 (diff)
parent917c547beb9adecf2e7d2b355e85e37c2557c5d3 (diff)
am 917c547b: Merge "Don\'t make lockdown VPN source firewall rules over-broad." into lmp-dev
* commit '917c547beb9adecf2e7d2b355e85e37c2557c5d3': Don't make lockdown VPN source firewall rules over-broad.
-rw-r--r--services/core/java/com/android/server/net/LockdownVpnTracker.java12
1 files changed, 10 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/net/LockdownVpnTracker.java b/services/core/java/com/android/server/net/LockdownVpnTracker.java
index e9c77515de81..cf0aba44a774 100644
--- a/services/core/java/com/android/server/net/LockdownVpnTracker.java
+++ b/services/core/java/com/android/server/net/LockdownVpnTracker.java
@@ -190,7 +190,7 @@ public class LockdownVpnTracker {
mNetService.setFirewallInterfaceRule(iface, true);
for (LinkAddress addr : sourceAddrs) {
- mNetService.setFirewallEgressSourceRule(addr.toString(), true);
+ setFirewallEgressSourceRule(addr, true);
}
mErrorCount = 0;
@@ -277,7 +277,7 @@ public class LockdownVpnTracker {
}
if (mAcceptedSourceAddr != null) {
for (LinkAddress addr : mAcceptedSourceAddr) {
- mNetService.setFirewallEgressSourceRule(addr.toString(), false);
+ setFirewallEgressSourceRule(addr, false);
}
mAcceptedSourceAddr = null;
}
@@ -286,6 +286,14 @@ public class LockdownVpnTracker {
}
}
+ private void setFirewallEgressSourceRule(
+ LinkAddress address, boolean allow) throws RemoteException {
+ // Our source address based firewall rules must only cover our own source address, not the
+ // whole subnet
+ final String addrString = address.getAddress().getHostAddress();
+ mNetService.setFirewallEgressSourceRule(addrString, allow);
+ }
+
public void onNetworkInfoChanged() {
synchronized (mStateLock) {
handleStateChangedLocked();
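Review bot: The new helper `setFirewallEgressSourceRule` hands `address.getAddress().getHostAddress()` to the firewall unchecked, and for a scoped `Inet6Address` that string can carry a `%scope` suffix which the rule backend may not accept; nothing visible in this hunk rules that out for VPN source addresses. The helper also depends on the backend treating a bare literal as a single-host match, which is the point of the fix but is not stated in the comment. I would expand the comment to record both assumptions, e.g. `// LinkAddress.toString() is "addr/prefixlen"; pass the bare host literal so the rule matches one address only (assumes no IPv6 %scope suffix - confirm)`. The allow path (hunk at -190) and the removal path (hunk at -277) both go through this helper, so the added and removed rule strings stay identical, which should remain true if either call site changes. The trailing context lines belong to `onNetworkInfoChanged`, whose body continues outside the hunk.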