DivestOS/Patches/LineageOS-14.1/android_system_netd/244387.patch

From 0cd7a28a999b9be67251989f8d434dde172157bd Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 30 Mar 2017 02:50:09 +0900
Subject: [PATCH] Really always allow networking on loopback.

https://android-review.googlesource.com/#/c/294359/ attempted to
allow networking on loopback, but actually does not do anything
because no packet has both -i lo and -o lo: loopback packets have
-i lo in INPUT and -o lo in OUTPUT.

Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
Test: originated and received traffic is not matched by new rules
Bug: 34444781
Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
---
 server/FirewallController.cpp     |  3 ++-
 server/FirewallControllerTest.cpp | 15 ++++++++++-----
 tests/binder_test.cpp             | 16 ++++++++--------
 3 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 826cf758..ffc99e16 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -301,7 +301,8 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char *
     StringAppendF(&commands, "*filter\n:%s -\n", name);
 
     // Always allow networking on loopback.
-    StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name);
+    StringAppendF(&commands, "-A %s -i lo -j RETURN\n", name);
+    StringAppendF(&commands, "-A %s -o lo -j RETURN\n", name);
 
     // Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network
     // access. Both incoming and outgoing RSTs are allowed.
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
index 7d96c61c..ba449db0 100644
--- a/server/FirewallControllerTest.cpp
+++ b/server/FirewallControllerTest.cpp
@@ -56,7 +56,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
     std::vector<std::string> expectedRestore4 = {
         "*filter",
         ":fw_whitelist -",
-        "-A fw_whitelist -i lo -o lo -j RETURN",
+        "-A fw_whitelist -i lo -j RETURN",
+        "-A fw_whitelist -o lo -j RETURN",
         "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
         "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
         "-A fw_whitelist -j DROP",
@@ -65,7 +66,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
     std::vector<std::string> expectedRestore6 = {
         "*filter",
         ":fw_whitelist -",
-        "-A fw_whitelist -i lo -o lo -j RETURN",
+        "-A fw_whitelist -i lo -j RETURN",
+        "-A fw_whitelist -o lo -j RETURN",
         "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
         "-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN",
         "-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN",
@@ -95,7 +97,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) {
     std::vector<std::string> expectedRestore = {
         "*filter",
         ":fw_blacklist -",
-        "-A fw_blacklist -i lo -o lo -j RETURN",
+        "-A fw_blacklist -i lo -j RETURN",
+        "-A fw_blacklist -o lo -j RETURN",
         "-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN",
         "COMMIT\n\x04"
     };
@@ -141,7 +144,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
     std::string expected =
             "*filter\n"
             ":FW_whitechain -\n"
-            "-A FW_whitechain -i lo -o lo -j RETURN\n"
+            "-A FW_whitechain -i lo -j RETURN\n"
+            "-A FW_whitechain -o lo -j RETURN\n"
             "-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
             "-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"
             "-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"
@@ -168,7 +172,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {
     std::string expected =
             "*filter\n"
             ":FW_blackchain -\n"
-            "-A FW_blackchain -i lo -o lo -j RETURN\n"
+            "-A FW_blackchain -i lo -j RETURN\n"
+            "-A FW_blackchain -o lo -j RETURN\n"
             "-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"
             "-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"
             "-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 5395f1d2..dcaf2302 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -176,31 +176,31 @@ TEST_F(BinderTest, TestFirewallReplaceUidChain) {
         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret);
     }
     EXPECT_EQ(true, ret);
-    EXPECT_EQ((int) uids.size() + 6, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
-    EXPECT_EQ((int) uids.size() + 12, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+    EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+    EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
     {
         TimedOperation op("Clearing whitelist chain");
         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
     }
     EXPECT_EQ(true, ret);
-    EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
-    EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+    EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+    EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
 
     {
         TimedOperation op(StringPrintf("Programming %d-UID blacklist chain", kNumUids));
         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, uids, &ret);
     }
     EXPECT_EQ(true, ret);
-    EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
-    EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+    EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+    EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
 
     {
         TimedOperation op("Clearing blacklist chain");
         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
     }
     EXPECT_EQ(true, ret);
-    EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
-    EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+    EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+    EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
 
     // Check that the call fails if iptables returns an error.
     std::string veryLongStringName = "netd_binder_test_UnacceptablyLongIptablesChainName";
14.1: move n-netd cherry picks in tree 2020-07-13 20:15:08 -04:00			`From 0cd7a28a999b9be67251989f8d434dde172157bd Mon Sep 17 00:00:00 2001`
			`From: Lorenzo Colitti <lorenzo@google.com>`
			`Date: Thu, 30 Mar 2017 02:50:09 +0900`
			`Subject: [PATCH] Really always allow networking on loopback.`

			`https://android-review.googlesource.com/#/c/294359/ attempted to`
			`allow networking on loopback, but actually does not do anything`
			`because no packet has both -i lo and -o lo: loopback packets have`
			`-i lo in INPUT and -o lo in OUTPUT.`

			`Test: bullhead builds, boots`
			`Test: netd_{unit,integration}_test pass`
			`Test: loopback traffic is matched by new "-i lo" and "-o lo" rules`
			`Test: originated and received traffic is not matched by new rules`
			`Bug: 34444781`
			`Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1`
			`---`
			`server/FirewallController.cpp \| 3 ++-`
			`server/FirewallControllerTest.cpp \| 15 ++++++++++-----`
			`tests/binder_test.cpp \| 16 ++++++++--------`
			`3 files changed, 20 insertions(+), 14 deletions(-)`

			`diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp`
			`index 826cf758..ffc99e16 100644`
			`--- a/server/FirewallController.cpp`
			`+++ b/server/FirewallController.cpp`
			`@@ -301,7 +301,8 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char *`
			`StringAppendF(&commands, "*filter\n:%s -\n", name);`

			`// Always allow networking on loopback.`
			`- StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name);`
			`+ StringAppendF(&commands, "-A %s -i lo -j RETURN\n", name);`
			`+ StringAppendF(&commands, "-A %s -o lo -j RETURN\n", name);`

			`// Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network`
			`// access. Both incoming and outgoing RSTs are allowed.`
			`diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp`
			`index 7d96c61c..ba449db0 100644`
			`--- a/server/FirewallControllerTest.cpp`
			`+++ b/server/FirewallControllerTest.cpp`
			`@@ -56,7 +56,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {`
			`std::vector<std::string> expectedRestore4 = {`
			`"*filter",`
			`":fw_whitelist -",`
			`- "-A fw_whitelist -i lo -o lo -j RETURN",`
			`+ "-A fw_whitelist -i lo -j RETURN",`
			`+ "-A fw_whitelist -o lo -j RETURN",`
			`"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",`
			`"-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",`
			`"-A fw_whitelist -j DROP",`
			`@@ -65,7 +66,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {`
			`std::vector<std::string> expectedRestore6 = {`
			`"*filter",`
			`":fw_whitelist -",`
			`- "-A fw_whitelist -i lo -o lo -j RETURN",`
			`+ "-A fw_whitelist -i lo -j RETURN",`
			`+ "-A fw_whitelist -o lo -j RETURN",`
			`"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",`
			`"-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN",`
			`"-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN",`
			`@@ -95,7 +97,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) {`
			`std::vector<std::string> expectedRestore = {`
			`"*filter",`
			`":fw_blacklist -",`
			`- "-A fw_blacklist -i lo -o lo -j RETURN",`
			`+ "-A fw_blacklist -i lo -j RETURN",`
			`+ "-A fw_blacklist -o lo -j RETURN",`
			`"-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN",`
			`"COMMIT\n\x04"`
			`};`
			`@@ -141,7 +144,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {`
			`std::string expected =`
			`"*filter\n"`
			`":FW_whitechain -\n"`
			`- "-A FW_whitechain -i lo -o lo -j RETURN\n"`
			`+ "-A FW_whitechain -i lo -j RETURN\n"`
			`+ "-A FW_whitechain -o lo -j RETURN\n"`
			`"-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"`
			`"-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"`
			`"-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"`
			`@@ -168,7 +172,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {`
			`std::string expected =`
			`"*filter\n"`
			`":FW_blackchain -\n"`
			`- "-A FW_blackchain -i lo -o lo -j RETURN\n"`
			`+ "-A FW_blackchain -i lo -j RETURN\n"`
			`+ "-A FW_blackchain -o lo -j RETURN\n"`
			`"-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"`
			`"-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"`
			`"-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"`
			`diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp`
			`index 5395f1d2..dcaf2302 100644`
			`--- a/tests/binder_test.cpp`
			`+++ b/tests/binder_test.cpp`
			`@@ -176,31 +176,31 @@ TEST_F(BinderTest, TestFirewallReplaceUidChain) {`
			`mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret);`
			`}`
			`EXPECT_EQ(true, ret);`
			`- EXPECT_EQ((int) uids.size() + 6, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));`
			`- EXPECT_EQ((int) uids.size() + 12, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));`
			`+ EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));`
			`+ EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));`
			`{`
			`TimedOperation op("Clearing whitelist chain");`
			`mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);`
			`}`
			`EXPECT_EQ(true, ret);`
			`- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));`
			`- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));`
			`+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));`
			`+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));`

			`{`
			`TimedOperation op(StringPrintf("Programming %d-UID blacklist chain", kNumUids));`
			`mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, uids, &ret);`
			`}`
			`EXPECT_EQ(true, ret);`
			`- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));`
			`- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));`
			`+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));`
			`+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));`

			`{`
			`TimedOperation op("Clearing blacklist chain");`
			`mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);`
			`}`
			`EXPECT_EQ(true, ret);`
			`- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));`
			`- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));`
			`+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));`
			`+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));`

			`// Check that the call fails if iptables returns an error.`
			`std::string veryLongStringName = "netd_binder_test_UnacceptablyLongIptablesChainName";`