android: Protect but don't keep track of sockets used for source address lookups
authorTobias Brunner <tobias@strongswan.org>
Fri, 7 Mar 2025 09:14:29 +0000 (10:14 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 14 Apr 2025 09:54:42 +0000 (11:54 +0200)
These sockets are closed immediately again, so no need to re-protect them
during roaming events.

References strongswan/strongswan#1691

Fixes: 6d87a8651068 ("android: Use new sockets to determine source IP")
src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h
src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c

index b9a34d15bd1c2c68c49340b744d5b723c803325a..531fd94c6a7456605f07ebca22b5cb64fa903e73 100644 (file)
@@ -256,11 +256,14 @@ CALLBACK(bypass_single_socket_cb, void,
 }
 
 METHOD(charonservice_t, bypass_socket, bool,
-       private_charonservice_t *this, int fd, int family)
+       private_charonservice_t *this, int fd, bool track_fd)
 {
        if (fd >= 0)
        {
-               this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
+               if (track_fd)
+               {
+                       this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
+               }
                return bypass_single_socket(this, fd);
        }
        this->sockets->invoke_function(this->sockets, bypass_single_socket_cb, this);
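Review bot: The fd is appended to `this->sockets` before `bypass_single_socket()` is attempted, so a socket whose protect() call fails is still tracked even though the caller gets FALSE and will presumably close it; if the fd number is later reused by an unrelated socket, the next roam event would bypass that socket instead, sending its traffic outside the tunnel. Whether fds are removed from the list on close is not visible in this hunk, so this is hedged, but the ordering can be made safe regardless: `if (!bypass_single_socket(this, fd)) { return FALSE; }` followed by `if (track_fd) { this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd); }` and `return TRUE;`. The tail of bypass_socket (the return after invoke_function) lies outside the hunk.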
index e59d7e106ec3f12b59e7a539b3b84d73fab26ae0..bcce99a4e44be0e6f1a57b52d4687e8232f02290 100644 (file)
@@ -109,13 +109,14 @@ struct charonservice_t {
         * Install a bypass policy for the given socket using the protect() Method
         * of the Android VpnService interface.
         *
-        * Use -1 as fd to re-bypass previously bypassed sockets.
+        * If track_fd is TRUE, the fd is kept track of. Use -1 as fd to re-bypass
+        * all of those sockets.
         *
         * @param fd                    socket file descriptor
-        * @param family                socket protocol family
+        * @param track_fd              TRUE to keep track of fd
         * @return                              TRUE if operation successful
         */
-       bool (*bypass_socket)(charonservice_t *this, int fd, int family);
+       bool (*bypass_socket)(charonservice_t *this, int fd, bool track_fd);
 
        /**
         * Get a list of trusted certificates via JNI
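Review bot: The new doc comment does not say what `track_fd` means when `fd` is -1; in charonservice.c that path ignores the flag entirely and re-bypasses all tracked sockets, so callers passing TRUE or FALSE there get identical behaviour. Suggest `@param track_fd TRUE to keep track of fd (ignored if fd is -1)` and a sentence noting that tracked fds are re-protected on every roam event, so only sockets that stay open should be tracked — the reason sockets used for source address lookups pass FALSE.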
index b2caed97cc36cec4fdbec3f0a7e4560b9c8cb677..9c2913f4d8d80299e4b8cac5baacde04d454bc62 100644 (file)
@@ -159,7 +159,7 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 METHOD(kernel_ipsec_t, bypass_socket, bool,
        private_kernel_android_ipsec_t *this, int fd, int family)
 {
-       return charonservice->bypass_socket(charonservice, fd, family);
+       return charonservice->bypass_socket(charonservice, fd, TRUE);
 }
 
 METHOD(kernel_ipsec_t, enable_udp_decap, bool,
index 7b556b4bb508577e1e42d8fe9e1700d83c953c9e..27f75d2ba3c5ff5342ace59e40842c7eec8ac04e 100644 (file)
@@ -70,7 +70,7 @@ struct private_android_net_t {
 static job_requeue_t roam_event()
 {
        /* this will fail if no connection is up */
-       charonservice->bypass_socket(charonservice, -1, 0);
+       charonservice->bypass_socket(charonservice, -1, FALSE);
        charon->kernel->roam(charon->kernel, TRUE);
        return JOB_REQUEUE_NONE;
 }
@@ -122,7 +122,7 @@ METHOD(kernel_net_t, get_source_addr, host_t*,
                         strerror(errno));
                return NULL;
        }
-       charonservice->bypass_socket(charonservice, skt, dst->get_family(dst));
+       charonservice->bypass_socket(charonservice, skt, FALSE);
 
        if (connect(skt, dst->get_sockaddr(dst), addrlen) < 0)
        {
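Review bot: The return value of `charonservice->bypass_socket(charonservice, skt, FALSE)` is discarded, so a failed protect() goes unnoticed and the following connect() may be routed through the tunnel once it is up, in which case the address determined here would presumably be the tunnel's virtual address rather than the underlying network's. Since the roam_event comment says bypassing fails when no connection is up, failing the lookup outright could break the initial setup, but the result should at least be logged at debug level, e.g. `if (!charonservice->bypass_socket(charonservice, skt, FALSE)) { /* log: bypass of lookup socket failed */ }`, so a wrong source address is diagnosable. get_source_addr starts before and ends after this hunk, so the close()/return-NULL paths on connect() failure are not visible here.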