Inform ConnectivityService about always-on VPN lockdown.

Currently, when an always-on VPN is set in lockdown mode, Vpn configures prohibit UID rules in netd directly and does not inform ConnectivityService of the fact. This means that ConnectivityService cannot send NetworkCallbacks that tell apps that they are blocked or unblocked. It also means that ConnectivityService has to take the mVpns lock and call into Vpn to allow synchronous APIs such as getActiveNetwork to return BLOCKED if the app is blocked.

Move all this to ConnectivityService:
- Add a setRequireVpnForUids API to ConnectivityManager, and have that pass the routing rules to netd.
- Update VpnTest to expect calls to ConnectivityManager instead of to netd.
- Whenever setRequireVpnForUids is called, ensure that ConnectivityService sends onBlockedStatusChanged to the affected callbacks.
- Update existing unit tests to check for callbacks.
- Add a way to find the VPN that applies to a given UID without taking the VPN lock, by instead scanning all connected VPNs. Use this as a replacement for direct access to mVpns.

For simplicity, and in order to ensure proper ordering between the NetworkCallbacks sent for VPNs connecting and disconnecting, process blocked UID ranges on the handler thread. This means that when setRequireVpnForUids returns, the rule changes might not have been applied. This shouldn't impact apps using network connectivity, but it might mean that apps setting an always-on package, and then immediately checking whether networking is blocked, will see a behaviour change.

Bug: 173331190
Fix: 175670887
Test: new test coverage in ConnectivityServiceTest
Test: atest MixedDeviceOwnerTest#testAlwaysOnVpn \
            MixedDeviceOwnerTest#testAlwaysOnVpnLockDown \
            MixedDeviceOwnerTest#testAlwaysOnVpnAcrossReboot \
            MixedDeviceOwnerTest#testAlwaysOnVpnPackageUninstalled \
            MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackage \
            MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced \
            MixedDeviceOwnerTest#testAlwaysOnVpnPackageLogged \
            MixedProfileOwnerTest#testAlwaysOnVpn \
            MixedProfileOwnerTest#testAlwaysOnVpnLockDown \
            MixedProfileOwnerTest#testAlwaysOnVpnAcrossReboot \
            MixedProfileOwnerTest#testAlwaysOnVpnPackageUninstalled \
            MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage \
            MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced \
            MixedProfileOwnerTest#testAlwaysOnVpnPackageLogged \
            MixedManagedProfileOwnerTest#testAlwaysOnVpn \
            MixedManagedProfileOwnerTest#testAlwaysOnVpnLockDown \
            MixedManagedProfileOwnerTest#testAlwaysOnVpnAcrossReboot \
            MixedManagedProfileOwnerTest#testAlwaysOnVpnPackageUninstalled \
            MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage \
            MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced \
            MixedManagedProfileOwnerTest#testAlwaysOnVpnPackageLogged
Test: atest FrameworksNetTests HostsideVpnTests \
            CtsNetTestCases:VpnServiceTest \
            CtsNetTestCases:Ikev2VpnTest
Change-Id: Iaca8a7cc343aef52706cff62a7735f338cb1b772
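
The timing change noted at the end of the commit message, modelled as an added example that is not part of the commit or of Android's source: rules are queued to a single handler thread, so a check made right after the setter returns can be stale, while a blocked-status callback arrives only once the rule is applied. The class name `LockdownModel`, the simplified `setRequireVpnForUids(boolean, int, int)` signature, the `isBlocked` helper and the UID values are assumptions made for illustration.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.function.BiConsumer;

// Simplified model, not Android source: lockdown UID ranges are applied on one
// "handler" thread and each registered UID is told when its status flips.
public class LockdownModel {
    private final ExecutorService handler = Executors.newSingleThreadExecutor();
    private volatile List<int[]> blockedRanges = List.of();          // written on handler only
    private final Map<Integer, BiConsumer<Integer, Boolean>> callbacks = new ConcurrentHashMap<>();
    private final Map<Integer, Boolean> lastSent = new HashMap<>();  // handler thread only

    public void registerCallback(int uid, BiConsumer<Integer, Boolean> cb) { callbacks.put(uid, cb); }

    // Hypothetical signature. Returns as soon as the work is queued, not when it is applied.
    public void setRequireVpnForUids(boolean require, int start, int stop) {
        handler.execute(() -> {
            List<int[]> next = new ArrayList<>(blockedRanges);
            if (require) next.add(new int[] {start, stop});
            else next.removeIf(r -> r[0] == start && r[1] == stop);
            blockedRanges = List.copyOf(next);
            callbacks.forEach((uid, cb) -> {
                boolean now = isBlocked(uid);
                Boolean prev = lastSent.put(uid, now);
                if (prev == null ? now : prev != now) cb.accept(uid, now);  // notify on change only
            });
        });
    }

    // Synchronous check against the ranges applied so far.
    public boolean isBlocked(int uid) {
        for (int[] r : blockedRanges) if (r[0] <= uid && uid <= r[1]) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        LockdownModel cs = new LockdownModel();
        CountDownLatch blocked = new CountDownLatch(1);
        cs.registerCallback(10123, (uid, b) -> { if (b) blocked.countDown(); });  // constructed UID
        cs.setRequireVpnForUids(true, 10100, 10199);                              // constructed range
        System.out.println("right after return: " + cs.isBlocked(10123));  // may still be false
        blocked.await(1, TimeUnit.SECONDS);                                 // wait for the callback
        System.out.println("after callback:     " + cs.isBlocked(10123));
        cs.handler.shutdown();
    }
}
```

Code that sets an always-on package and needs to know when lockdown is in effect should wait for the callback rather than read the synchronous state immediately after the call.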