Firewall: Transport-based toggle support (2/3)
Needs corresponding fw/b and Connectivity changes.
Squash of:
Author: Tommy Webb <tommy@calyxinstitute.org>
Date: Tue Feb 28 10:46:05 2023 -0500
Do not add VPN local exclusion rules
Prevent UIDs on a VPN from accessing the private IP ranges of networks
that they are not allowed to access. Without this, when connected to a
VPN, apps that are disallowed from accessing a Wi-Fi network will
become able to access the Wi-Fi network's LAN despite not being able
to access the Wi-Fi network whatsoever before connecting to a VPN.
Stop adding the local exclusion rule that makes this bypass possible.
Change-Id: I9975b5ab1306ee86863979d1fe73203799cce648
Author: Tommy Webb <tommy@calyxinstitute.org>
Date: Thu Apr 27 18:01:41 2023 -0400
Stop setting netId for bypassable VPNs
Code comments claim that a socket's netId needs to be specified for
bypassable VPNs in order for them to have any traffic at all, but this
does not appear to reflect reality today -- at least with our firewall
changes -- as a simple test will show that such VPNs are still usable
even when we don't set the netId to that of the bypassable VPN.
(The comments and code were added in 2014 and may be out-of-date.)
This change resolves an issue resulting from recent firewall changes
that prevents UIDs of bypassable VPNs from accessing other networks,
even when they are allowed to do so.
Issue: calyxos#1650
Change-Id: I18edc8659750044534c9bea5ed49eddbcea89378
Author: Tommy Webb <tommy@calyxinstitute.org>
Date: Thu Apr 27 15:57:54 2023 -0400
Adjust IP rules to accommodate UID-based firewall
* No default implicit network rule. We have UID-based implicit rules.
* Can only use VPN fallthrough with system permission. It is not
UID-based, and other rules fulfill our needs.
* Binding to output interfaces arbitrarily requires system permission.
Other rules cover this where it should be allowed for UIDs.
The behavior resulting from these changes is *almost* identical to
the recently-changed firewall behavior, but it resolves the issue of
default network rules being unusable without system-level permission.
Also includes squashed change:
Author: Tommy Webb <tommy@calyxinstitute.org>
Date: Mon Jul 10 12:27:01 2023 -0400
fixup! Adjust IP rules to accommodate UID-based firewall
* Require system permission for RULE_PRIORITY_DEFAULT_NETWORK rule.
Default network access is already allowed for UIDs permitted on the
network via RULE_PRIORITY_UID_DEFAULT_NETWORK rules.
Change-Id: I8771b012fc90263b2aa7c68fdf3ccebde6670b79
Change-Id: Icd64aa530e8d202abb97d8325160a5d4c0b4c490
Change-Id: I1b89587a54c3178dcbf0a78927392bb8fb36294f
2 files changed