
Commit 00aa2977 authored by Lorenzo Colitti's avatar Lorenzo Colitti

Allow passing the underlying network to startLegacyVpn.

This will be used by a future change that makes the legacy
lockdown VPN pass the underlying network.

Bug: 173331190
Test: tests in subsequent CLs in stack
Change-Id: I09366a7f872ef3d4538962a75b0114a2ecb536e6
parent 96a8d7f9
+1 −1
@@ -4838,7 +4838,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
        }
        synchronized (mVpns) {
            throwIfLockdownEnabled();
            mVpns.get(user).startLegacyVpn(profile, mKeyStore, egress);
            mVpns.get(user).startLegacyVpn(profile, mKeyStore, null /* underlying */, egress);
        }
    }

+10 −6
@@ -1982,27 +1982,28 @@ public class Vpn {
     * secondary thread to perform connection work, returning quickly.
     *
     * Should only be called to respond to Binder requests as this enforces caller permission. Use
     * {@link #startLegacyVpnPrivileged(VpnProfile, KeyStore, LinkProperties)} to skip the
     * {@link #startLegacyVpnPrivileged(VpnProfile, KeyStore, Network, LinkProperties)} to skip the
     * permission check only when the caller is trusted (or the call is initiated by the system).
     */
    public void startLegacyVpn(VpnProfile profile, KeyStore keyStore, LinkProperties egress) {
    public void startLegacyVpn(VpnProfile profile, KeyStore keyStore, @Nullable Network underlying,
            LinkProperties egress) {
        enforceControlPermission();
        final long token = Binder.clearCallingIdentity();
        try {
            startLegacyVpnPrivileged(profile, keyStore, egress);
            startLegacyVpnPrivileged(profile, keyStore, underlying, egress);
        } finally {
            Binder.restoreCallingIdentity(token);
        }
    }

    /**
     * Like {@link #startLegacyVpn(VpnProfile, KeyStore, LinkProperties)}, but does not check
     * permissions under the assumption that the caller is the system.
     * Like {@link #startLegacyVpn(VpnProfile, KeyStore, Network, LinkProperties)}, but does not
     * check permissions under the assumption that the caller is the system.
     *
     * Callers are responsible for checking permissions if needed.
     */
    public void startLegacyVpnPrivileged(VpnProfile profile, KeyStore keyStore,
            LinkProperties egress) {
            @Nullable Network underlying, @NonNull LinkProperties egress) {
        UserManager mgr = UserManager.get(mContext);
        UserInfo user = mgr.getUserInfo(mUserId);
        if (user.isRestricted() || mgr.hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN,
@@ -2128,6 +2129,9 @@ public class Vpn {
        config.session = profile.name;
        config.isMetered = false;
        config.proxyInfo = profile.proxy;
        if (underlying != null) {
            config.underlyingNetworks = new Network[] { underlying };
        }

        config.addLegacyRoutes(profile.routes);
        if (!profile.dnsServers.isEmpty()) {
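Review bot: The new `underlying` parameter is not described in either Javadoc block, although the second hunk copies it into `config.underlyingNetworks` exactly as given, with no check on the value. Add a line to both comments such as `@param underlying network to record as the VPN's underlying network, or {@code null} to leave {@code config.underlyingNetworks} unset`, adjusting the wording to the intended meaning. Because `startLegacyVpn` clears the calling identity right after `enforceControlPermission()`, its comment should also state that `underlying` is trusted as passed and that the caller decides where it comes from. Separately, `egress` is `@NonNull` on `startLegacyVpnPrivileged` but unannotated on `startLegacyVpn`; annotate both the same way. The body of `startLegacyVpnPrivileged` continues outside these hunks, and the second hunk is presumably still inside it.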
+1 −1
@@ -155,7 +155,7 @@ public class LockdownVpnTracker {
                try {
                    // Use the privileged method because Lockdown VPN is initiated by the system, so
                    // no additional permission checks are necessary.
                    mVpn.startLegacyVpnPrivileged(mProfile, mKeyStore, egressProp);
                    mVpn.startLegacyVpnPrivileged(mProfile, mKeyStore, null, egressProp);
                } catch (IllegalStateException e) {
                    mAcceptedEgressIface = null;
                    Log.e(TAG, "Failed to start VPN", e);
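Review bot: The bare `null` passed to `startLegacyVpnPrivileged` does not say which argument it stands for, while the ConnectivityService call site in this same commit writes `null /* underlying */`. Use the same form here: `mVpn.startLegacyVpnPrivileged(mProfile, mKeyStore, null /* underlying */, egressProp);`. With a null value the code shown in Vpn leaves `config.underlyingNetworks` unset, so the lockdown path should behave as before. The enclosing try block and method start outside the hunk.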
+2 −1
@@ -148,6 +148,7 @@ public class VpnTest {
        managedProfileA.profileGroupId = primaryUser.id;
    }

    static final Network EGRESS_NETWORK = new Network(101);
    static final String EGRESS_IFACE = "wlan0";
    static final String TEST_VPN_PKG = "com.testvpn.vpn";
    private static final String TEST_VPN_SERVER = "1.2.3.4";
@@ -963,7 +964,7 @@ public class VpnTest {
                        InetAddresses.parseNumericAddress("192.0.2.0"), EGRESS_IFACE);
        lp.addRoute(defaultRoute);

        vpn.startLegacyVpn(vpnProfile, mKeyStore, lp);
        vpn.startLegacyVpn(vpnProfile, mKeyStore, EGRESS_NETWORK, lp);
        return vpn;
    }