author | Robin Lee <rgl@google.com> | 2017-03-10 16:07:39 +0000 |
---|---|---|
committer | Robin Lee <rgl@google.com> | 2017-03-17 13:12:08 +0000 |
commit | 1a2c5e916d91b6efe0d57595b7b783dfdc15ad7d (patch) | |
tree | 9464345e2ff860e2c6c6dbe18ca9012e57540cc2 | |
parent | fcef899dfa8a801cce07701d84bece9294e201cf (diff) | |
Use NetdClient to exempt racoon sockets from VPN
So that if we create a networkRejectNonSecureVpn rule, racoon doesn't
get its connection shut down.
This means we can drop the special-cased firewall code for racoon from
Android, and just use the same set of VPN ip rules as for third-party
apps.
Later on it might be possible to protect the socket without depending
on libnetd_client, see bug 34524989
Test: manual - enable always-on VPN with a legacy Ipsec PSK VPN on 464xlat network
Bug: 33159037
Change-Id: I89740d110cff8e67eb661b0b3d191eb49aa1e9d8
-rw-r--r-- | Android.mk | 5 | ||||
-rw-r--r-- | src/racoon/grabmyaddr.c | 17 | ||||
-rw-r--r-- | src/racoon/isakmp.c | 7 | ||||
-rw-r--r-- | src/racoon/sockmisc.c | 15 |
4 files changed, 42 insertions, 2 deletions
@@ -55,11 +55,12 @@ LOCAL_C_INCLUDES += \ $(LOCAL_PATH)/src/include-glibc \ $(LOCAL_PATH)/src/libipsec \ $(LOCAL_PATH)/src/racoon \ - $(LOCAL_PATH)/src/racoon/missing + $(LOCAL_PATH)/src/racoon/missing \ + system/netd/include LOCAL_STATIC_LIBRARIES := libipsec -LOCAL_SHARED_LIBRARIES := libcutils liblog libcrypto libkeystore-engine +LOCAL_SHARED_LIBRARIES := libcutils liblog libcrypto libkeystore-engine libnetd_client LOCAL_CFLAGS := -DANDROID_CHANGES -DHAVE_CONFIG_H -D_BSD_SOURCE=1 diff --git a/src/racoon/grabmyaddr.c b/src/racoon/grabmyaddr.c index 8155001..057084e 100644 --- a/src/racoon/grabmyaddr.c +++ b/src/racoon/grabmyaddr.c @@ -86,6 +86,10 @@ #endif #endif +#ifdef ANDROID_CHANGES +#include "NetdClient.h" +#endif + #ifndef HAVE_GETIFADDRS static unsigned int if_maxindex __P((void)); #endif @@ -411,6 +415,9 @@ grab_myaddrs() "my interface: %s (%s)\n", addr1, ifap->ifa_name); q = find_myaddr(old, p); +#ifdef ANDROID_CHANGES + protectFromVpn(q->sock); +#endif if (q) p->sock = q->sock; else @@ -457,6 +464,10 @@ grab_myaddrs() exit(1); /*NOTREACHED*/ } +#ifdef ANDROID_CHANGES + protectFromVpn(s); +#endif + memset(&ifconf, 0, sizeof(ifconf)); ifconf.ifc_req = iflist; ifconf.ifc_len = len; @@ -527,6 +538,9 @@ grab_myaddrs() "my interface: %s (%s)\n", addr1, ifr->ifr_name); q = find_myaddr(old, p); +#ifdef ANDROID_CHANGES + protectFromVpn(q->sock); +#endif if (q) p->sock = q->sock; else @@ -592,6 +606,9 @@ suitable_ifaddr6(ifname, ifaddr) "socket(SOCK_DGRAM) failed:%s\n", strerror(errno)); return 0; } +#ifdef ANDROID_CHANGES + protectFromVpn(s); +#endif memset(&ifr6, 0, sizeof(ifr6)); strncpy(ifr6.ifr_name, ifname, strlen(ifname)); diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c index d0f6cbd..b9fc5ee 100644 --- a/src/racoon/isakmp.c +++ b/src/racoon/isakmp.c 
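Review bot: `protectFromVpn(q->sock);` in the @@ -411 hunk of grab_myaddrs() dereferences `q` before the `if (q)` test on the very next line, and that test exists because find_myaddr() returns NULL for an address that was not in the old list, so a newly appeared interface address would now crash racoon instead of getting `p->sock = -1`. The socket in `q->sock` is an already-open one inherited from the previous address list, presumably opened by isakmp_open() where this commit already adds the same call, so protecting it again here is also redundant. I would drop the three added lines, or at minimum guard them: `if (q) { protectFromVpn(q->sock); p->sock = q->sock; } else`. grab_myaddrs() starts and ends outside this hunk.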
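Review bot: The same `protectFromVpn(q->sock);` placed before `if (q)` appears in the @@ -527 hunk of grab_myaddrs(), so the NULL dereference for an address absent from the old list exists on the ifconf-based path as well, not only on the getifaddrs path. The fix should be the same: `if (q) { protectFromVpn(q->sock); p->sock = q->sock; } else`, or better, no call here at all since the socket is protected where it is created. grab_myaddrs() starts and ends outside this hunk.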
@@ -129,6 +129,10 @@ # define SOL_UDP IPPROTO_UDP # endif /* __NetBSD__ / __FreeBSD__ */ +#ifdef ANDROID_CHANGES +#include "NetdClient.h" +#endif + static int nostate1 __P((struct ph1handle *, vchar_t *)); static int nostate2 __P((struct ph2handle *, vchar_t *)); @@ -1625,6 +1629,9 @@ isakmp_open() "socket (%s)\n", strerror(errno)); goto err_and_next; } +#ifdef ANDROID_CHANGES + protectFromVpn(p->sock); +#endif if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1) plog(LLV_WARNING, LOCATION, NULL, diff --git a/src/racoon/sockmisc.c b/src/racoon/sockmisc.c index e683884..4dd7cf1 100644 --- a/src/racoon/sockmisc.c +++ b/src/racoon/sockmisc.c @@ -63,6 +63,10 @@ #include "debugrm.h" #include "libpfkey.h" +#ifdef ANDROID_CHANGES +#include "NetdClient.h" +#endif + #ifndef IP_IPSEC_POLICY #define IP_IPSEC_POLICY 16 /* XXX: from linux/in.h */ #endif @@ -260,6 +264,10 @@ struct sockaddr *getlocaladdr(struct sockaddr *remote) struct sockaddr_storage local; socklen_t len = sysdep_sa_len(remote); int s = socket(remote->sa_family, SOCK_DGRAM, 0); +#ifdef ANDROID_CHANGES + protectFromVpn(s); +#endif + if (s == -1 || connect(s, remote, len) == -1 || getsockname(s, (struct sockaddr *)&local, &len) == -1) { close(s); @@ -340,6 +348,9 @@ getlocaladdr(remote) "socket (%s)\n", strerror(errno)); goto err; } +#ifdef ANDROID_CHANGES + protectFromVpn(s); +#endif setsockopt_bypass(s, remote->sa_family); @@ -707,6 +718,10 @@ sendfromto(s, buf, buflen, src, dst, cnt) "socket (%s)\n", strerror(errno)); return -1; } +#ifdef ANDROID_CHANGES + protectFromVpn(sendsock); +#endif + if (setsockopt(sendsock, SOL_SOCKET, #ifdef __linux__ SO_REUSEADDR, |
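Review bot: `protectFromVpn(p->sock);` in the @@ -1625 hunk of isakmp_open() discards its result, so if netd refuses the request or libnetd_client cannot reach it the listening socket silently stays subject to the VPN rules, which is exactly the connection drop this commit sets out to prevent, and nothing in the log will explain why the always-on VPN then kills the IKE exchange. I would check it and at least warn, e.g. `if (!protectFromVpn(p->sock)) plog(LLV_WARNING, LOCATION, p->addr, "failed to protect socket from VPN\n");` (assuming the bool return NetdClient.h declares; adjust the test if it returns an int). The same unchecked pattern is repeated at every call site in this change. isakmp_open() starts and ends outside this hunk.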
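Review bot: In the @@ -260 hunk of the ANDROID_CHANGES getlocaladdr(), `protectFromVpn(s);` runs before the `s == -1` test on the following line, so when socket() fails the value -1 is handed to libnetd_client as a file descriptor. It must still happen before connect(), since that is where the route lookup the VPN rules act on takes place, so the simplest fix is to guard the call itself: `if (s != -1) protectFromVpn(s);`. getlocaladdr() starts and ends outside this hunk.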
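Review bot: In the @@ -707 hunk of sendfromto(), `protectFromVpn(sendsock);` is applied to a socket that this function appears to open per call (the error path just above returns -1 on socket() failure), so every send now also pays a round trip to netd through libnetd_client before the packet leaves; if sendfromto() is on the retransmission path this is worth measuring, and the result is again unchecked. If the per-call socket cannot be avoided, at least record a failure: `if (!protectFromVpn(sendsock)) plog(LLV_WARNING, LOCATION, NULL, "failed to protect send socket from VPN\n");` (assuming a bool return). sendfromto() starts and ends outside this hunk.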