android: Protect but don't keep track of sockets used for source address lookups

These sockets are closed immediately again, so no need to re-protect them during roaming events. References strongswan/strongswan#1691 Fixes: 6d87a8651068 ("android: Use new sockets to determine source IP")
2025-10-03 00:00:24 -04:00 · 2025-03-07 10:14:29 +01:00 · 2025-03-07 10:14:29 +01:00 · 0f1f375a21
commit 0f1f375a21
parent 77f99df656
4 changed files with 12 additions and 8 deletions
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
@ -256,11 +256,14 @@ CALLBACK(bypass_single_socket_cb, void,
 }

 METHOD(charonservice_t, bypass_socket, bool,
-	private_charonservice_t *this, int fd, int family)
+	private_charonservice_t *this, int fd, bool track_fd)
 {
 	if (fd >= 0)
 	{
-		this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
+		if (track_fd)
+		{
+			this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
+		}
 		return bypass_single_socket(this, fd);
 	}
 	this->sockets->invoke_function(this->sockets, bypass_single_socket_cb, this);
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h
@ -109,13 +109,14 @@ struct charonservice_t {
 	 * Install a bypass policy for the given socket using the protect() Method
 	 * of the Android VpnService interface.
 	 *
-	 * Use -1 as fd to re-bypass previously bypassed sockets.
+	 * If track_fd is TRUE, the fd is kept track of. Use -1 as fd to re-bypass
+	 * all of those sockets.
 	 *
 	 * @param fd			socket file descriptor
-	 * @param family		socket protocol family
+	 * @param track_fd		TRUE to keep track of fd
 	 * @return				TRUE if operation successful
 	 */
-	bool (*bypass_socket)(charonservice_t *this, int fd, int family);
+	bool (*bypass_socket)(charonservice_t *this, int fd, bool track_fd);

 	/**
 	 * Get a list of trusted certificates via JNI
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
@ -159,7 +159,7 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 METHOD(kernel_ipsec_t, bypass_socket, bool,
 	private_kernel_android_ipsec_t *this, int fd, int family)
 {
-	return charonservice->bypass_socket(charonservice, fd, family);
+	return charonservice->bypass_socket(charonservice, fd, TRUE);
 }

 METHOD(kernel_ipsec_t, enable_udp_decap, bool,
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c
@ -70,7 +70,7 @@ struct private_android_net_t {
 static job_requeue_t roam_event()
 {
 	/* this will fail if no connection is up */
-	charonservice->bypass_socket(charonservice, -1, 0);
+	charonservice->bypass_socket(charonservice, -1, FALSE);
 	charon->kernel->roam(charon->kernel, TRUE);
 	return JOB_REQUEUE_NONE;
 }
@ -122,7 +122,7 @@ METHOD(kernel_net_t, get_source_addr, host_t*,
 			 strerror(errno));
 		return NULL;
 	}
-	charonservice->bypass_socket(charonservice, skt, dst->get_family(dst));
+	charonservice->bypass_socket(charonservice, skt, FALSE);

 	if (connect(skt, dst->get_sockaddr(dst), addrlen) < 0)
 	{