partial fix for DNS leaks in VPN lockdown mode

For now, we need to omit the case where the VPN DNS is being used to avoid compatibility issues.
GrapheneOS · Aug 4, 2024 · 91caf5c · 91caf5c
1 parent 2e032e8
commit 91caf5c
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
@@ -224,6 +224,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
         *netId = defaultNetId;
         fwmark.netId = *netId;
         fwmark.explicitlySelected = true;
+        fwmark.protectedFromVpn = canProtectLocked(uid);
+        fwmark.permission = getPermissionForUserLocked(uid);
         return fwmark.intValue;
     }
 
@@ -240,6 +242,11 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
         if (network && network->isVirtual() && !resolv_has_nameservers(*netId)) {
             *netId = defaultNetId;
         }
+
+        if (!network || !network->isVirtual() || !resolv_has_nameservers(*netId)) {
+            fwmark.protectedFromVpn = canProtectLocked(uid);
+            fwmark.permission = getPermissionForUserLocked(uid);
+        }
     } else {
         // If the user is subject to a VPN and the VPN provides DNS servers, use those servers
         // (possibly falling through to the default network if the VPN doesn't provide a route to
@@ -252,6 +259,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
             // TODO: return an error instead of silently doing the DNS lookup on the wrong network.
             // http://b/27560555
             *netId = defaultNetId;
+            fwmark.protectedFromVpn = canProtectLocked(uid);
+            fwmark.permission = getPermissionForUserLocked(uid);
         }
     }
     fwmark.netId = *netId;