authorLorenzo Colitti <lorenzo@google.com>2014-10-16 00:55:07 +0900
committerLorenzo Colitti <lorenzo@google.com>2014-10-16 01:16:50 +0900
commit02c7abac856c3e94f4a2714d673cefb65c55efb7 (patch)
treeef05718481146d0d5e92e70c8ccec674db427ba3 /services/core
parent0cb7903ddedbbb8a8171926e4460b74af589369d (diff)
Don't make lockdown VPN source firewall rules over-broad.
Currently, the lockdown VPN adds firewall allow rules matching the whole subnet that the server assigned, so for example if the VPN server assigns it the IP address 10.1.23.5/8, it will allow the whole of 10.0.0.0/8 to pass the firewall. This is needlessly over-broad and has a particularly bad corner case: if the prefix length is 0, everything is allowed. Bug: 17695048 Change-Id: Idbec4b3aea0f72f9bdfd26dcd72d6a97d026fb12
Diffstat (limited to 'services/core')
-rw-r--r--services/core/java/com/android/server/net/LockdownVpnTracker.java12
1 files changed, 10 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/net/LockdownVpnTracker.java b/services/core/java/com/android/server/net/LockdownVpnTracker.java
index e9c7751..cf0aba4 100644
--- a/services/core/java/com/android/server/net/LockdownVpnTracker.java
+++ b/services/core/java/com/android/server/net/LockdownVpnTracker.java
@@ -190,7 +190,7 @@ public class LockdownVpnTracker {
mNetService.setFirewallInterfaceRule(iface, true);
for (LinkAddress addr : sourceAddrs) {
- mNetService.setFirewallEgressSourceRule(addr.toString(), true);
+ setFirewallEgressSourceRule(addr, true);
}
mErrorCount = 0;
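Review bot: The string this loop now hands to netd is built in the new private helper from `address.getAddress().getHostAddress()`, and for a scoped IPv6 address `Inet6Address.getHostAddress()` appends a `%<scope>` suffix, so if `sourceAddrs` can ever contain a link-local address the allow rule may be installed with a string the firewall layer does not expect (and the matching removal in the second hunk would use the same string, so add and remove at least stay consistent). If that case is reachable, strip the scope in the helper, e.g. `final String addrString = address.getAddress().getHostAddress().split("%")[0];`, and state in its comment that add and remove must derive the identical string or teardown leaves the allow rule in place. The helper's hunk is cut off at the end of this view, and the enclosing method of this loop starts before the hunk.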
@@ -277,7 +277,7 @@ public class LockdownVpnTracker {
}
if (mAcceptedSourceAddr != null) {
for (LinkAddress addr : mAcceptedSourceAddr) {
- mNetService.setFirewallEgressSourceRule(addr.toString(), false);
+ setFirewallEgressSourceRule(addr, false);
}
mAcceptedSourceAddr = null;
}
@@ -286,6 +286,14 @@ public class LockdownVpnTracker {
}
}
+ private void setFirewallEgressSourceRule(
+ LinkAddress address, boolean allow) throws RemoteException {
+ // Our source address based firewall rules must only cover our own source address, not the
+ // whole subnet
+ final String addrString = address.getAddress().getHostAddress();
+ mNetService.setFirewallEgressSourceRule(addrString, allow);
+ }
+
public void onNetworkInfoChanged() {
synchronized (mStateLock) {
handleStateChangedLocked();