• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2025 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package com.android.server.connectivity;
18 
19 import android.net.INetd;
20 
21 /**
22  * A wrapper class for managing network and traffic permissions.
23  *
24  * This class encapsulates permissions represented as a bitmask, as defined in INetd.aidl
25  * and used within PermissionMonitor.java.  It distinguishes between two types of permissions:
26  *
27  * 1. Network Permissions: These permissions, declared in INetd.aidl, are used
28  *    by the Android platform's network daemon (system/netd) to control network
29  *    management
30  *
31  * 2. Traffic Permissions: These permissions are used internally by PermissionMonitor.java and
32  *    BpfNetMaps.java to manage fine-grained network traffic filtering and control.
33  *
34  * This wrapper ensures that no new permission definitions, here or in aidl, conflict with any
35  * existing permissions. This prevents unintended interactions or overrides.
36  *
37  * @hide
38  */
39 public class NetworkPermissions {
40 
41     /*
42      * Below are network permissions declared in INetd.aidl and used by the platform. Using these is
43      * equivalent to using the values in android.net.INetd.
44      */
45     public static final int PERMISSION_NONE = INetd.PERMISSION_NONE; /* 0 */
46     public static final int PERMISSION_NETWORK = INetd.PERMISSION_NETWORK; /* 1 */
47     public static final int PERMISSION_SYSTEM = INetd.PERMISSION_SYSTEM; /* 2 */
48 
49     /*
50      * Below are traffic permissions used by PermissionMonitor and BpfNetMaps.
51      */
52 
53     /**
54      * PERMISSION_UNINSTALLED is used when an app is uninstalled from the device. All internet
55      * related permissions need to be cleaned.
56      */
57     public static final int TRAFFIC_PERMISSION_UNINSTALLED = -1;
58 
59     /**
60      * PERMISSION_INTERNET indicates that the app can create AF_INET and AF_INET6 sockets.
61      */
62     public static final int TRAFFIC_PERMISSION_INTERNET = 4;
63 
64     /**
65      * PERMISSION_UPDATE_DEVICE_STATS is used for system UIDs and privileged apps
66      * that have the UPDATE_DEVICE_STATS permission.
67      */
68     public static final int TRAFFIC_PERMISSION_UPDATE_DEVICE_STATS = 8;
69 
70     /**
71      * TRAFFIC_PERMISSION_SDKSANDBOX_LOCALHOST indicates if an SdkSandbox UID will be allowed
72      * to connect to localhost. For non SdkSandbox UIDs this bit is a no-op.
73      */
74     public static final int TRAFFIC_PERMISSION_SDKSANDBOX_LOCALHOST = 16;
75 }
76