services/core/java/com/android/server/VpnManagerService.java +1 −9 @@ -33,7 +33,6 @@ import android.content.pm.UserInfo; import android.net.ConnectivityManager; import android.net.INetd; import android.net.IVpnManager; import android.net.LinkProperties; import android.net.Network; import android.net.NetworkStack; import android.net.UnderlyingNetworkInfo; @@ -437,16 +436,9 @@ public class VpnManagerService extends IVpnManager.Stub { throw new UnsupportedOperationException("Legacy VPN is deprecated"); } int user = UserHandle.getUserId(mDeps.getCallingUid()); // Note that if the caller is not system (uid >= Process.FIRST_APPLICATION_UID), // the code might not work well since getActiveNetwork might return null if the uid is // blocked by NetworkPolicyManagerService. final LinkProperties egress = mCm.getLinkProperties(mCm.getActiveNetwork()); if (egress == null) { throw new IllegalStateException("Missing active network connection"); } synchronized (mVpns) { throwIfLockdownEnabled(); mVpns.get(user).startLegacyVpn(profile, null /* underlying */, egress); mVpns.get(user).startLegacyVpn(profile); } } services/core/java/com/android/server/connectivity/Vpn.java +6 −8
@@ -2549,15 +2549,14 @@ public class Vpn { * secondary thread to perform connection work, returning quickly. * * Should only be called to respond to Binder requests as this enforces caller permission. Use * {@link #startLegacyVpnPrivileged(VpnProfile, Network, LinkProperties)} to skip the * {@link #startLegacyVpnPrivileged(VpnProfile)} to skip the * permission check only when the caller is trusted (or the call is initiated by the system). */ public void startLegacyVpn(VpnProfile profile, @Nullable Network underlying, LinkProperties egress) { public void startLegacyVpn(VpnProfile profile) { enforceControlPermission(); final long token = Binder.clearCallingIdentity(); try { startLegacyVpnPrivileged(profile, underlying, egress); startLegacyVpnPrivileged(profile); } finally { Binder.restoreCallingIdentity(token); } @@ -2616,13 +2615,12 @@ public class Vpn { } /** * Like {@link #startLegacyVpn(VpnProfile, Network, LinkProperties)}, but does not * check permissions under the assumption that the caller is the system. * Like {@link #startLegacyVpn(VpnProfile)}, but does not check permissions under * the assumption that the caller is the system. * * Callers are responsible for checking permissions if needed. */ public void startLegacyVpnPrivileged(VpnProfile profileToStart, @Nullable Network underlying, @NonNull LinkProperties egress) { public void startLegacyVpnPrivileged(VpnProfile profileToStart) { final VpnProfile profile = profileToStart.clone(); UserInfo user = mUserManager.getUserInfo(mUserId); if (user.isRestricted() || mUserManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN, services/core/java/com/android/server/net/LockdownVpnTracker.java +1 −1
@@ -208,7 +208,7 @@ public class LockdownVpnTracker { // network is the system default. So, if the VPN is up and underlying network // (e.g., wifi) disconnects, CS will inform apps that the VPN's capabilities have // changed to match the new default network (e.g., cell). mVpn.startLegacyVpnPrivileged(mProfile, network, egressProp); mVpn.startLegacyVpnPrivileged(mProfile); } catch (IllegalStateException e) { mAcceptedEgressIface = null; Log.e(TAG, "Failed to start VPN", e); services/tests/servicestests/src/com/android/server/net/LockdownVpnTrackerTest.java +3 −3 @@ -221,7 +221,7 @@ public class LockdownVpnTrackerTest { callCallbacksForNetworkConnect(defaultCallback, mNetwork); // Vpn is starting verify(mVpn).startLegacyVpnPrivileged(mProfile, mNetwork, TEST_CELL_LP); verify(mVpn).startLegacyVpnPrivileged(mProfile); verify(mNotificationManager).notify(any(), eq(SystemMessage.NOTE_VPN_STATUS), argThat(notification -> isExpectedNotification(notification, R.string.vpn_lockdown_connecting, R.drawable.vpn_disconnected))); @@ -242,7 +242,7 @@ public class LockdownVpnTrackerTest { // LockdownVpnTracker#handleStateChangedLocked. This is a bug. // TODO: consider fixing this. verify(mVpn, never()).stopVpnRunnerPrivileged(); verify(mVpn, never()).startLegacyVpnPrivileged(any(), any(), any()); verify(mVpn, never()).startLegacyVpnPrivileged(any()); verify(mNotificationManager, never()).cancel(any(), eq(SystemMessage.NOTE_VPN_STATUS)); }
@@ -302,7 +302,7 @@ public class LockdownVpnTrackerTest { // Vpn is restarted. verify(mVpn).stopVpnRunnerPrivileged(); verify(mVpn).startLegacyVpnPrivileged(mProfile, mNetwork2, wifiLp); verify(mVpn).startLegacyVpnPrivileged(mProfile); verify(mNotificationManager, never()).cancel(any(), eq(SystemMessage.NOTE_VPN_STATUS)); verify(mNotificationManager).notify(any(), eq(SystemMessage.NOTE_VPN_STATUS), argThat(notification -> isExpectedNotification(notification,
services/core/java/com/android/server/VpnManagerService.java +1 −9 @@ -33,7 +33,6 @@ import android.content.pm.UserInfo; import android.net.ConnectivityManager; import android.net.INetd; import android.net.IVpnManager; import android.net.LinkProperties; import android.net.Network; import android.net.NetworkStack; import android.net.UnderlyingNetworkInfo; @@ -437,16 +436,9 @@ public class VpnManagerService extends IVpnManager.Stub { throw new UnsupportedOperationException("Legacy VPN is deprecated"); } int user = UserHandle.getUserId(mDeps.getCallingUid()); // Note that if the caller is not system (uid >= Process.FIRST_APPLICATION_UID), // the code might not work well since getActiveNetwork might return null if the uid is // blocked by NetworkPolicyManagerService. final LinkProperties egress = mCm.getLinkProperties(mCm.getActiveNetwork()); if (egress == null) { throw new IllegalStateException("Missing active network connection"); } synchronized (mVpns) { throwIfLockdownEnabled(); mVpns.get(user).startLegacyVpn(profile, null /* underlying */, egress); mVpns.get(user).startLegacyVpn(profile); } }
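Review bot: `mVpns.get(user).startLegacyVpn(profile)` dereferences the lookup result directly, and with the egress precheck removed it is the first point at which this Binder entry can fail after `throwIfLockdownEnabled()`. If `mVpns` can lack an entry for the calling user (not visible in this hunk), the caller gets a bare NullPointerException rather than a descriptive error. Consider `final Vpn vpn = mVpns.get(user); if (vpn == null) throw new IllegalStateException("No VPN for user " + user);` before the call. The removed block was also where "Missing active network connection" was reported, so the method's documentation should say where that condition surfaces now. The method's signature and opening lines are outside the hunk.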
services/core/java/com/android/server/connectivity/Vpn.java +6 −8 @@ -2549,15 +2549,14 @@ public class Vpn { * secondary thread to perform connection work, returning quickly. * * Should only be called to respond to Binder requests as this enforces caller permission. Use * {@link #startLegacyVpnPrivileged(VpnProfile, Network, LinkProperties)} to skip the * {@link #startLegacyVpnPrivileged(VpnProfile)} to skip the * permission check only when the caller is trusted (or the call is initiated by the system). */ public void startLegacyVpn(VpnProfile profile, @Nullable Network underlying, LinkProperties egress) { public void startLegacyVpn(VpnProfile profile) { enforceControlPermission(); final long token = Binder.clearCallingIdentity(); try { startLegacyVpnPrivileged(profile, underlying, egress); startLegacyVpnPrivileged(profile); } finally { Binder.restoreCallingIdentity(token); } @@ -2616,13 +2615,12 @@ public class Vpn { } /** * Like {@link #startLegacyVpn(VpnProfile, Network, LinkProperties)}, but does not * check permissions under the assumption that the caller is the system. * Like {@link #startLegacyVpn(VpnProfile)}, but does not check permissions under * the assumption that the caller is the system. * * Callers are responsible for checking permissions if needed. */ public void startLegacyVpnPrivileged(VpnProfile profileToStart, @Nullable Network underlying, @NonNull LinkProperties egress) { public void startLegacyVpnPrivileged(VpnProfile profileToStart) { final VpnProfile profile = profileToStart.clone(); UserInfo user = mUserManager.getUserInfo(mUserId); if (user.isRestricted() || mUserManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN,
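Review bot: The updated Javadoc on `startLegacyVpnPrivileged(VpnProfile)` fixes the `{@link}` signature but does not say which network the legacy VPN now runs over, although callers used to supply the underlying `Network` and egress `LinkProperties` themselves. This is a public method that skips `enforceControlPermission()`, so its contract is what every caller relies on. I would add a sentence along the lines of `The underlying network and egress interface are resolved internally; throws IllegalStateException if none is available.`, adjusted to what the body really does, which continues outside this hunk. `LockdownVpnTracker` still catches `IllegalStateException` around this call, so the documented exception should match that handler.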
services/core/java/com/android/server/net/LockdownVpnTracker.java +1 −1 @@ -208,7 +208,7 @@ public class LockdownVpnTracker { // network is the system default. So, if the VPN is up and underlying network // (e.g., wifi) disconnects, CS will inform apps that the VPN's capabilities have // changed to match the new default network (e.g., cell). mVpn.startLegacyVpnPrivileged(mProfile, network, egressProp); mVpn.startLegacyVpnPrivileged(mProfile); } catch (IllegalStateException e) { mAcceptedEgressIface = null; Log.e(TAG, "Failed to start VPN", e);
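Review bot: The tracker no longer hands `Vpn` the `network` and `egressProp` it observed, yet the `catch` below still resets `mAcceptedEgressIface` as if the tracker's egress bookkeeping and the VPN start were tied together. If the default network changes between the tracker's callback and whatever lookup `Vpn` now does internally (not visible here), the recorded egress interface and the one the tunnel actually uses could differ, which matters for a lockdown VPN. The retained comment about the underlying network following the system default now sits above a call that passes no network; it should be reworded, e.g. `// Vpn resolves the underlying network itself; see startLegacyVpnPrivileged.` The enclosing method starts and ends outside the hunk.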
services/tests/servicestests/src/com/android/server/net/LockdownVpnTrackerTest.java +3 −3 @@ -221,7 +221,7 @@ public class LockdownVpnTrackerTest { callCallbacksForNetworkConnect(defaultCallback, mNetwork); // Vpn is starting verify(mVpn).startLegacyVpnPrivileged(mProfile, mNetwork, TEST_CELL_LP); verify(mVpn).startLegacyVpnPrivileged(mProfile); verify(mNotificationManager).notify(any(), eq(SystemMessage.NOTE_VPN_STATUS), argThat(notification -> isExpectedNotification(notification, R.string.vpn_lockdown_connecting, R.drawable.vpn_disconnected))); @@ -242,7 +242,7 @@ public class LockdownVpnTrackerTest { // LockdownVpnTracker#handleStateChangedLocked. This is a bug. // TODO: consider fixing this. verify(mVpn, never()).stopVpnRunnerPrivileged(); verify(mVpn, never()).startLegacyVpnPrivileged(any(), any(), any()); verify(mVpn, never()).startLegacyVpnPrivileged(any()); verify(mNotificationManager, never()).cancel(any(), eq(SystemMessage.NOTE_VPN_STATUS)); } @@ -302,7 +302,7 @@ public class LockdownVpnTrackerTest { // Vpn is restarted. verify(mVpn).stopVpnRunnerPrivileged(); verify(mVpn).startLegacyVpnPrivileged(mProfile, mNetwork2, wifiLp); verify(mVpn).startLegacyVpnPrivileged(mProfile); verify(mNotificationManager, never()).cancel(any(), eq(SystemMessage.NOTE_VPN_STATUS)); verify(mNotificationManager).notify(any(), eq(SystemMessage.NOTE_VPN_STATUS), argThat(notification -> isExpectedNotification(notification,
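Review bot: The three updated `verify(mVpn).startLegacyVpnPrivileged(mProfile)` assertions no longer distinguish which network the VPN was started or restarted for, where the old ones pinned `mNetwork`/`TEST_CELL_LP` and `mNetwork2`/`wifiLp`. In the restart case at -302 an ordering check would restore some of that strength: `InOrder order = inOrder(mVpn); order.verify(mVpn).stopVpnRunnerPrivileged(); order.verify(mVpn).startLegacyVpnPrivileged(mProfile);`, so a start without a preceding stop cannot pass. The test methods begin outside the hunks shown, so whether earlier invocations are cleared before these verifications is not visible here.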