Remove network access for idle apps

 */

public class NetworkPolicyManager {

    /* POLICY_* are masks and can be ORed */

    /** No specific network policy, use system default. */

    public static final int POLICY_NONE = 0x0;

    /** Reject network usage on metered networks when application in background. */

    /** Allow network use (metered or not) in the background in battery save mode. */

    public static final int POLICY_ALLOW_BACKGROUND_BATTERY_SAVE = 0x2;

    /* RULE_* are not masks and they must be exclusive */

    /** All network traffic should be allowed. */

    public static final int RULE_ALLOW_ALL = 0x0;

    /** Reject traffic on metered networks. */

    public static final int RULE_REJECT_METERED = 0x1;

    /** Reject traffic on all networks. */

    public static final int RULE_REJECT_ALL = 0x2;

    public static final int FIREWALL_RULE_DEFAULT = 0;

    public static final int FIREWALL_RULE_ALLOW = 1;

    public static final int FIREWALL_RULE_DENY = 2;

    private static final boolean ALLOW_PLATFORM_APP_POLICY = true;

     * Set policy flags for specific UID.

     *

     * @param policy {@link #POLICY_NONE} or combination of flags like

     * {@link #POLICY_REJECT_METERED_BACKGROUND}, {@link #POLICY_ALLOW_BACKGROUND_BATTERY_SAVE}.

     * {@link #POLICY_REJECT_METERED_BACKGROUND} or {@link #POLICY_ALLOW_BACKGROUND_BATTERY_SAVE}.

     */

    public void setUidPolicy(int uid, int policy) {

        try {

        fout.write("[");

        if ((rules & RULE_REJECT_METERED) != 0) {

            fout.write("REJECT_METERED");

        } else if ((rules & RULE_REJECT_ALL) != 0) {

            fout.write("REJECT_ALL");

        }

        fout.write("]");

    }

    void setFirewallInterfaceRule(String iface, boolean allow);

    void setFirewallEgressSourceRule(String addr, boolean allow);

    void setFirewallEgressDestRule(String addr, int port, boolean allow);

    void setFirewallUidRule(int uid, boolean allow);

    void setFirewallUidRule(int uid, int rule);

    /**

     * Set all packets from users in ranges to go through VPN specified by netId.

import static android.net.ConnectivityManager.getNetworkTypeName;

import static android.net.ConnectivityManager.isNetworkTypeValid;

import static android.net.NetworkPolicyManager.RULE_ALLOW_ALL;

import static android.net.NetworkPolicyManager.RULE_REJECT_ALL;

import static android.net.NetworkPolicyManager.RULE_REJECT_METERED;

import android.annotation.Nullable;

            uidRules = mUidRules.get(uid, RULE_ALLOW_ALL);

        }

        if (networkCostly && (uidRules & RULE_REJECT_METERED) != 0) {

        if ((uidRules & RULE_REJECT_ALL) != 0

                || (networkCostly && (uidRules & RULE_REJECT_METERED) != 0)) {

            return true;

        }

            synchronized(mRulesLock) {

                uidRules = mUidRules.get(uid, RULE_ALLOW_ALL);

            }

            if ((uidRules & RULE_REJECT_METERED) != 0) {

            if ((uidRules & (RULE_REJECT_METERED | RULE_REJECT_ALL)) != 0) {

                // we could silently fail or we can filter the available nets to only give

                // them those they have access to.  Chose the more useful

                networkCapabilities.addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_METERED);

import android.net.IpPrefix;

import android.net.LinkAddress;

import android.net.Network;

import android.net.NetworkPolicyManager;

import android.net.NetworkStats;

import android.net.NetworkUtils;

import android.net.RouteInfo;

 */

public class NetworkManagementService extends INetworkManagementService.Stub

        implements Watchdog.Monitor {

    private static final String TAG = "NetworkManagementService";

    private static final boolean DBG = false;

    private static final String TAG = "NetworkManagement";

    private static final boolean DBG = Log.isLoggable(TAG, Log.DEBUG);

    private static final String NETD_TAG = "NetdConnector";

    private static final String NETD_SOCKET_NAME = "netd";

    /** Set of UIDs with cleartext penalties. */

    @GuardedBy("mQuotaLock")

    private SparseIntArray mUidCleartextPolicy = new SparseIntArray();

    /** Set of UIDs that are to be blocked/allowed by firewall controller. */

    @GuardedBy("mQuotaLock")

    private SparseIntArray mUidFirewallRules = new SparseIntArray();

    private Object mIdleTimerLock = new Object();

    /** Set of interfaces with active idle timers. */

                    setUidCleartextNetworkPolicy(local.keyAt(i), local.valueAt(i));

                }

            }

        }

        // TODO: Push any existing firewall state

            setFirewallEnabled(mFirewallEnabled || LockdownVpnTracker.isEnabled());

            size = mUidFirewallRules.size();

            if (size > 0) {

                Slog.d(TAG, "Pushing " + size + " active firewall UID rules");

                final SparseIntArray uidFirewallRules = mUidFirewallRules;

                mUidFirewallRules = new SparseIntArray();

                for (int i = 0; i < uidFirewallRules.size(); i++) {

                    setFirewallUidRule(uidFirewallRules.keyAt(i), uidFirewallRules.valueAt(i));

                }

            }

        }

    }

    /**

    public void setFirewallEnabled(boolean enabled) {

        enforceSystemUid();

        try {

            mConnector.execute("firewall", enabled ? "enable" : "disable");

            mConnector.execute("firewall", "enable", enabled ? "whitelist" : "blacklist");

            mFirewallEnabled = enabled;

        } catch (NativeDaemonConnectorException e) {

            throw e.rethrowAsParcelableException();

    }

    @Override

    public void setFirewallUidRule(int uid, boolean allow) {

    public void setFirewallUidRule(int uid, int rule) {

        enforceSystemUid();

        if (rule == NetworkPolicyManager.FIREWALL_RULE_ALLOW) {

            Preconditions.checkState(mFirewallEnabled);

        final String rule = allow ? "allow" : "deny";

        }

        synchronized (mQuotaLock) {

            final int oldUidFirewallRule = mUidFirewallRules.get(uid);

            if (DBG) {

                Slog.d(TAG, "oldRule = " + oldUidFirewallRule

                        + ", newRule=" + rule + " for uid=" + uid);

            }

            if (oldUidFirewallRule == rule) {

                if (DBG) Slog.d(TAG, "!!!!! Skipping change");

                // TODO: eventually consider throwing

                return;

            }

            try {

            mConnector.execute("firewall", "set_uid_rule", uid, rule);

                String ruleName;

                if (isFirewallEnabled()) { // Whitelist mode

                    if (rule == NetworkPolicyManager.FIREWALL_RULE_ALLOW) {

                        ruleName = "allow";

                    } else {

                        ruleName = "deny";

                    }

                } else { // Blacklist mode

                    if (rule == NetworkPolicyManager.FIREWALL_RULE_DENY) {

                        ruleName = "deny";

                    } else {

                        ruleName = "allow";

                    }

                }

                if (rule == NetworkPolicyManager.FIREWALL_RULE_DEFAULT) {

                    mUidFirewallRules.delete(uid);

                } else {

                    mUidFirewallRules.put(uid, rule);

                }

                mConnector.execute("firewall", "set_uid_rule", uid, ruleName);

            } catch (NativeDaemonConnectorException e) {

                throw e.rethrowAsParcelableException();

            }

        }

    }

    private static void enforceSystemUid() {

        final int uid = Binder.getCallingUid();

            pw.println("]");

        }

        synchronized (mUidFirewallRules) {

            pw.print("UID firewall rule: [");

            final int size = mUidFirewallRules.size();

            for (int i = 0; i < size; i++) {

                pw.print(mUidFirewallRules.keyAt(i));

                pw.print(":");

                pw.print(mUidFirewallRules.valueAt(i));

                if (i < size - 1) pw.print(",");

            }

            pw.println("]");

        }

        synchronized (mIdleTimerLock) {

            pw.println("Idle timers:");

            for (HashMap.Entry<String, IdleTimerParams> ent : mActiveIdleTimers.entrySet()) {

package com.android.server.net;

import static android.Manifest.permission.CONNECTIVITY_INTERNAL;

import static android.net.NetworkPolicyManager.FIREWALL_RULE_ALLOW;

import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT;

import android.app.Notification;

import android.app.NotificationManager;

import android.net.NetworkInfo;

import android.net.NetworkInfo.DetailedState;

import android.net.NetworkInfo.State;

import android.net.NetworkPolicyManager;

import android.os.INetworkManagementService;

import android.os.RemoteException;

import android.security.Credentials;

                    setFirewallEgressSourceRule(addr, true);

                }

                mNetService.setFirewallUidRule(ROOT_UID, true);

                mNetService.setFirewallUidRule(Os.getuid(), true);

                mNetService.setFirewallUidRule(ROOT_UID, FIREWALL_RULE_ALLOW);

                mNetService.setFirewallUidRule(Os.getuid(), FIREWALL_RULE_ALLOW);

                mErrorCount = 0;

                mAcceptedIface = iface;

                    setFirewallEgressSourceRule(addr, false);

                }

                mNetService.setFirewallUidRule(ROOT_UID, false);

                mNetService.setFirewallUidRule(Os.getuid(), false);

                mNetService.setFirewallUidRule(ROOT_UID, FIREWALL_RULE_DEFAULT);

                mNetService.setFirewallUidRule(Os.getuid(), FIREWALL_RULE_DEFAULT);

                mAcceptedSourceAddr = null;

            }