Fix: Firewall: NMS inverts default rule behavior
When setting a chain's firewall rules in NetworkManagementService, do not submit supplied UIDs to ConnectivityManager#replaceFirewallChain directly, as this does not consider what the actual rules are for those UIDs. Instead, supply the keys from the rules chain, which deletes default rules when it is updated via updateFirewallUidRuleLocked.

For example, if a given UID's rule is the default rule, and it is part of the restricted chain, then the UID should be blocked, because the restricted chain is an allowlist. Prior to this change, the rules for UIDs are ignored when calling replaceFirewallChain, so the UID's mere presence among the supplied UIDs causes it to be unexpectedly added to the restricted mode allowlist.

Test: CtsHostsideNetworkTests
Change-Id: I0a71ad376bcfda05cea151144dfab9bec8e8b749
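The before and after behaviour described in the commit message, as an added example that is not part of the original commit or of the Android framework code. The class, enum, method names and UIDs are hypothetical; the model assumes only what the message states: a default rule deletes the UID's entry from the chain's rule map, and the restricted chain is an allowlist.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Simplified model of the logic in the commit message; not framework code.
public class RestrictedChainModel {
    // Hypothetical stand-ins for the per-UID rule values.
    enum Rule { DEFAULT, ALLOW }

    // Models the behaviour the message attributes to updateFirewallUidRuleLocked:
    // a DEFAULT rule deletes the UID's entry instead of storing it.
    static void updateRule(Map<Integer, Rule> chainRules, int uid, Rule rule) {
        if (rule == Rule.DEFAULT) {
            chainRules.remove(uid);
        } else {
            chainRules.put(uid, rule);
        }
    }

    // Before the fix: the rules array is ignored and every supplied UID is
    // handed to the allowlist chain.
    static Set<Integer> allowlistBefore(int[] uids, Rule[] rules) {
        Set<Integer> sent = new TreeSet<>();
        for (int uid : uids) {
            sent.add(uid);
        }
        return sent;
    }

    // After the fix: apply each rule to the chain's map, then hand over only its keys.
    static Set<Integer> allowlistAfter(Map<Integer, Rule> chainRules, int[] uids, Rule[] rules) {
        for (int i = 0; i < uids.length; i++) {
            updateRule(chainRules, uids[i], rules[i]);
        }
        return new TreeSet<>(chainRules.keySet());
    }

    public static void main(String[] args) {
        int[] uids = {10001, 10002, 10003};                       // constructed sample UIDs
        Rule[] rules = {Rule.ALLOW, Rule.DEFAULT, Rule.ALLOW};
        Set<Integer> before = allowlistBefore(uids, rules);
        Set<Integer> after = allowlistAfter(new HashMap<>(), uids, rules);
        Set<Integer> wronglyAllowed = new TreeSet<>(before);
        wronglyAllowed.removeAll(after);                          // UIDs only the old path allowlists
        System.out.println("before=" + before + " after=" + after
                + " wronglyAllowed=" + wronglyAllowed);
    }
}
```

A regression check in the same spirit compares the set handed to the chain against the UIDs that hold a non-default rule and fails on any difference.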