OSDN > Developer > hafixie93 > Chamber > frameworks-base > Commit

frameworks-base
Fork

Fork origin: android-x86 / frameworks-base

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revision	2de275c9a3b0f472f617089f1f817b09f6dad493 (tree)
Time	2015-09-29 08:29:49
Author	Paul Jensen <pauljensen@goog...>
Commiter	The Android Automerger

Log Message

Fix NOT_RESTRICTED network capability and enforce it.

With this change:
1. NOT_RESTRICTED should be removed from NetworkRequests that bring up

special restricted carrier networks (e.g. IMS, FOTA).

2. NetworkRequests without NOT_RESTRICTED require CONNECTIVITY_INTERNAL

permission to register

3. Binding sockets to networks without NOT_RESTRICTED requires

CONNECTIVITY_INTERNAL permission

Bug:21637535
Change-Id: I5991d39facaa6b690e969fe15dcbeec52e918321
(cherry picked from commit 487ffe7d3d84bf65212158f7098e8a84b5b55e09)

Change Summary

modified: core/java/android/net/ConnectivityManager.java (diff)
modified: core/java/android/net/NetworkCapabilities.java (diff)
modified: core/java/android/net/NetworkRequest.java (diff)
modified: core/java/android/os/INetworkManagementService.aidl (diff)
modified: services/core/java/com/android/server/ConnectivityService.java (diff)
modified: services/core/java/com/android/server/NetworkManagementService.java (diff)

Incremental Difference

--- a/core/java/android/net/ConnectivityManager.java

+++ b/core/java/android/net/ConnectivityManager.java

		@@ -939,41 +939,6 @@ public class ConnectivityManager {
939	939	return 1;
940	940	}
941	941
942		- /**
943		- * Removes the NET_CAPABILITY_NOT_RESTRICTED capability from the given
944		- * NetworkCapabilities object if all the capabilities it provides are
945		- * typically provided by restricted networks.
946		- *
947		- * TODO: consider:
948		- * - Moving to NetworkCapabilities
949		- * - Renaming it to guessRestrictedCapability and make it set the
950		- * restricted capability bit in addition to clearing it.
951		- * @hide
952		- */
953		- public static void maybeMarkCapabilitiesRestricted(NetworkCapabilities nc) {
954		- for (int capability : nc.getCapabilities()) {
955		- switch (capability) {
956		- case NetworkCapabilities.NET_CAPABILITY_CBS:
957		- case NetworkCapabilities.NET_CAPABILITY_DUN:
958		- case NetworkCapabilities.NET_CAPABILITY_EIMS:
959		- case NetworkCapabilities.NET_CAPABILITY_FOTA:
960		- case NetworkCapabilities.NET_CAPABILITY_IA:
961		- case NetworkCapabilities.NET_CAPABILITY_IMS:
962		- case NetworkCapabilities.NET_CAPABILITY_RCS:
963		- case NetworkCapabilities.NET_CAPABILITY_XCAP:
964		- case NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED: //there by default
965		- continue;
966		- default:
967		- // At least one capability usually provided by unrestricted
968		- // networks. Conclude that this network is unrestricted.
969		- return;
970		- }
971		- }
972		- // All the capabilities are typically provided by restricted networks.
973		- // Conclude that this network is restricted.
974		- nc.removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED);
975		- }
976		-
977	942	private NetworkCapabilities networkCapabilitiesForFeature(int networkType, String feature) {
978	943	if (networkType == TYPE_MOBILE) {
979	944	int cap = -1;

		@@ -996,14 +961,14 @@ public class ConnectivityManager {
996	961	}
997	962	NetworkCapabilities netCap = new NetworkCapabilities();
998	963	netCap.addTransportType(NetworkCapabilities.TRANSPORT_CELLULAR).addCapability(cap);
999		- maybeMarkCapabilitiesRestricted(netCap);
	964	+ netCap.maybeMarkCapabilitiesRestricted();
1000	965	return netCap;
1001	966	} else if (networkType == TYPE_WIFI) {
1002	967	if ("p2p".equals(feature)) {
1003	968	NetworkCapabilities netCap = new NetworkCapabilities();
1004	969	netCap.addTransportType(NetworkCapabilities.TRANSPORT_WIFI);
1005	970	netCap.addCapability(NetworkCapabilities.NET_CAPABILITY_WIFI_P2P);
1006		- maybeMarkCapabilitiesRestricted(netCap);
	971	+ netCap.maybeMarkCapabilitiesRestricted();
1007	972	return netCap;
1008	973	}
1009	974	}

--- a/core/java/android/net/NetworkCapabilities.java

+++ b/core/java/android/net/NetworkCapabilities.java

		@@ -37,6 +37,7 @@ public final class NetworkCapabilities implements Parcelable {
37	37	* @hide
38	38	*/
39	39	public NetworkCapabilities() {
	40	+ mNetworkCapabilities = DEFAULT_CAPABILITIES;
40	41	}
41	42
42	43	public NetworkCapabilities(NetworkCapabilities nc) {

		@@ -53,8 +54,7 @@ public final class NetworkCapabilities implements Parcelable {
53	54	* Represents the network's capabilities. If any are specified they will be satisfied
54	55	* by any Network that matches all of them.
55	56	*/
56		- private long mNetworkCapabilities = (1 << NET_CAPABILITY_NOT_RESTRICTED) \|
57		- (1 << NET_CAPABILITY_TRUSTED) \| (1 << NET_CAPABILITY_NOT_VPN);
	57	+ private long mNetworkCapabilities;
58	58
59	59	/**
60	60	* Indicates this is a network that has the ability to reach the

		@@ -166,6 +166,28 @@ public final class NetworkCapabilities implements Parcelable {
166	166	private static final int MAX_NET_CAPABILITY = NET_CAPABILITY_VALIDATED;
167	167
168	168	/**
	169	+ * Capabilities that are set by default when the object is constructed.
	170	+ */
	171	+ private static final long DEFAULT_CAPABILITIES =
	172	+ (1 << NET_CAPABILITY_NOT_RESTRICTED) \|
	173	+ (1 << NET_CAPABILITY_TRUSTED) \|
	174	+ (1 << NET_CAPABILITY_NOT_VPN);
	175	+
	176	+ /**
	177	+ * Capabilities that suggest that a network is restricted.
	178	+ * {@see #maybeMarkCapabilitiesRestricted}.
	179	+ */
	180	+ private static final long RESTRICTED_CAPABILITIES =
	181	+ (1 << NET_CAPABILITY_CBS) \|
	182	+ (1 << NET_CAPABILITY_DUN) \|
	183	+ (1 << NET_CAPABILITY_EIMS) \|
	184	+ (1 << NET_CAPABILITY_FOTA) \|
	185	+ (1 << NET_CAPABILITY_IA) \|
	186	+ (1 << NET_CAPABILITY_IMS) \|
	187	+ (1 << NET_CAPABILITY_RCS) \|
	188	+ (1 << NET_CAPABILITY_XCAP);
	189	+
	190	+ /**
169	191	* Adds the given capability to this {@code NetworkCapability} instance.
170	192	* Multiple capabilities may be applied sequentially. Note that when searching
171	193	* for a network to satisfy a request, all capabilities requested must be satisfied.

		@@ -248,6 +270,22 @@ public final class NetworkCapabilities implements Parcelable {
248	270	}
249	271
250	272	/**
	273	+ * Removes the NET_CAPABILITY_NOT_RESTRICTED capability if all the capabilities it provides are
	274	+ * typically provided by restricted networks.
	275	+ *
	276	+ * TODO: consider:
	277	+ * - Renaming it to guessRestrictedCapability and make it set the
	278	+ * restricted capability bit in addition to clearing it.
	279	+ * @hide
	280	+ */
	281	+ public void maybeMarkCapabilitiesRestricted() {
	282	+ // If all the capabilities are typically provided by restricted networks, conclude that this
	283	+ // network is restricted.
	284	+ if ((mNetworkCapabilities & ~(DEFAULT_CAPABILITIES \| RESTRICTED_CAPABILITIES)) == 0)
	285	+ removeCapability(NET_CAPABILITY_NOT_RESTRICTED);
	286	+ }
	287	+
	288	+ /**
251	289	* Representing the transport type. Apps should generally not care about transport. A
252	290	* request for a fast internet connection could be satisfied by a number of different
253	291	* transports. If any are specified here it will be satisfied a Network that matches

--- a/core/java/android/net/NetworkRequest.java

+++ b/core/java/android/net/NetworkRequest.java

		@@ -85,7 +85,13 @@ public class NetworkRequest implements Parcelable {
85	85	* Build {@link NetworkRequest} give the current set of capabilities.
86	86	*/
87	87	public NetworkRequest build() {
88		- return new NetworkRequest(mNetworkCapabilities, ConnectivityManager.TYPE_NONE,
	88	+ // Make a copy of mNetworkCapabilities so we don't inadvertently remove NOT_RESTRICTED
	89	+ // when later an unrestricted capability could be added to mNetworkCapabilities, in
	90	+ // which case NOT_RESTRICTED should be returned to mNetworkCapabilities, which
	91	+ // maybeMarkCapabilitiesRestricted() doesn't add back.
	92	+ final NetworkCapabilities nc = new NetworkCapabilities(mNetworkCapabilities);
	93	+ nc.maybeMarkCapabilitiesRestricted();
	94	+ return new NetworkRequest(nc, ConnectivityManager.TYPE_NONE,
89	95	ConnectivityManager.REQUEST_ID_UNSET);
90	96	}
91	97

--- a/core/java/android/os/INetworkManagementService.aidl

+++ b/core/java/android/os/INetworkManagementService.aidl

		@@ -372,8 +372,10 @@ interface INetworkManagementService
372	372
373	373	/**
374	374	* Setup a new physical network.
	375	+ * @param permission null if no permissions required to access this network. PERMISSION_NETWORK
	376	+ * or PERMISSION_SYSTEM to set respective permission.
375	377	*/
376		- void createPhysicalNetwork(int netId);
	378	+ void createPhysicalNetwork(int netId, String permission);
377	379
378	380	/**
379	381	* Setup a new VPN.

		@@ -400,6 +402,13 @@ interface INetworkManagementService
400	402	void setDefaultNetId(int netId);
401	403	void clearDefaultNetId();
402	404
	405	+ /**
	406	+ * Set permission for a network.
	407	+ * @param permission null to clear permissions. PERMISSION_NETWORK or PERMISSION_SYSTEM to set
	408	+ * permission.
	409	+ */
	410	+ void setNetworkPermission(int netId, String permission);
	411	+
403	412	void setPermission(String permission, in int[] uids);
404	413	void clearPermission(in int[] uids);
405	414

--- a/services/core/java/com/android/server/ConnectivityService.java

+++ b/services/core/java/com/android/server/ConnectivityService.java

		@@ -24,6 +24,7 @@ import static android.net.ConnectivityManager.TYPE_NONE;
24	24	import static android.net.ConnectivityManager.TYPE_VPN;
25	25	import static android.net.ConnectivityManager.getNetworkTypeName;
26	26	import static android.net.ConnectivityManager.isNetworkTypeValid;
	27	+import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED;
27	28	import static android.net.NetworkPolicyManager.RULE_ALLOW_ALL;
28	29	import static android.net.NetworkPolicyManager.RULE_REJECT_METERED;
29	30

		@@ -3900,6 +3901,16 @@ public class ConnectivityService extends IConnectivityManager.Stub
3900	3901	private void updateCapabilities(NetworkAgentInfo networkAgent,
3901	3902	NetworkCapabilities networkCapabilities) {
3902	3903	if (!Objects.equals(networkAgent.networkCapabilities, networkCapabilities)) {
	3904	+ if (networkAgent.networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) !=
	3905	+ networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)) {
	3906	+ try {
	3907	+ mNetd.setNetworkPermission(networkAgent.network.netId,
	3908	+ networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) ?
	3909	+ null : NetworkManagementService.PERMISSION_SYSTEM);
	3910	+ } catch (RemoteException e) {
	3911	+ loge("Exception in setNetworkPermission: " + e);
	3912	+ }
	3913	+ }
3903	3914	synchronized (networkAgent) {
3904	3915	networkAgent.networkCapabilities = networkCapabilities;
3905	3916	}

		@@ -4329,7 +4340,10 @@ public class ConnectivityService extends IConnectivityManager.Stub
4329	4340	(networkAgent.networkMisc == null \|\|
4330	4341	!networkAgent.networkMisc.allowBypass));
4331	4342	} else {
4332		- mNetd.createPhysicalNetwork(networkAgent.network.netId);
	4343	+ mNetd.createPhysicalNetwork(networkAgent.network.netId,
	4344	+ networkAgent.networkCapabilities.hasCapability(
	4345	+ NET_CAPABILITY_NOT_RESTRICTED) ?
	4346	+ null : NetworkManagementService.PERMISSION_SYSTEM);
4333	4347	}
4334	4348	} catch (Exception e) {
4335	4349	loge("Error creating network " + networkAgent.network.netId + ": "

--- a/services/core/java/com/android/server/NetworkManagementService.java

+++ b/services/core/java/com/android/server/NetworkManagementService.java

		@@ -120,6 +120,19 @@ public class NetworkManagementService extends INetworkManagementService.Stub
120	120	*/
121	121	public static final String LIMIT_GLOBAL_ALERT = "globalAlert";
122	122
	123	+ /**
	124	+ * String to pass to netd to indicate that a network is only accessible
	125	+ * to apps that have the CHANGE_NETWORK_STATE permission.
	126	+ */
	127	+ public static final String PERMISSION_NETWORK = "NETWORK";
	128	+
	129	+ /**
	130	+ * String to pass to netd to indicate that a network is only
	131	+ * accessible to system apps and those with the CONNECTIVITY_INTERNAL
	132	+ * permission.
	133	+ */
	134	+ public static final String PERMISSION_SYSTEM = "SYSTEM";
	135	+
123	136	class NetdResponseCode {
124	137	/* Keep in sync with system/netd/server/ResponseCode.h */
125	138	public static final int InterfaceListResult = 110;

		@@ -1977,11 +1990,15 @@ public class NetworkManagementService extends INetworkManagementService.Stub
1977	1990	}
1978	1991
1979	1992	@Override
1980		- public void createPhysicalNetwork(int netId) {
	1993	+ public void createPhysicalNetwork(int netId, String permission) {
1981	1994	mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
1982	1995
1983	1996	try {
1984		- mConnector.execute("network", "create", netId);
	1997	+ if (permission != null) {
	1998	+ mConnector.execute("network", "create", netId, permission);
	1999	+ } else {
	2000	+ mConnector.execute("network", "create", netId);
	2001	+ }
1985	2002	} catch (NativeDaemonConnectorException e) {
1986	2003	throw e.rethrowAsParcelableException();
1987	2004	}

		@@ -2073,6 +2090,22 @@ public class NetworkManagementService extends INetworkManagementService.Stub
2073	2090	}
2074	2091
2075	2092	@Override
	2093	+ public void setNetworkPermission(int netId, String permission) {
	2094	+ mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
	2095	+
	2096	+ try {
	2097	+ if (permission != null) {
	2098	+ mConnector.execute("network", "permission", "network", "set", permission, netId);
	2099	+ } else {
	2100	+ mConnector.execute("network", "permission", "network", "clear", netId);
	2101	+ }
	2102	+ } catch (NativeDaemonConnectorException e) {
	2103	+ throw e.rethrowAsParcelableException();
	2104	+ }
	2105	+ }
	2106	+
	2107	+
	2108	+ @Override
2076	2109	public void setPermission(String permission, int[] uids) {
2077	2110	mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
2078	2111

frameworks-base Fork