Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 45ec3191 authored by Lorenzo Colitti's avatar Lorenzo Colitti Committed by Gerrit Code Review
Browse files

Merge changes Ia68f482a,I4911e214,Ied379654,I66d18512,Ie8e1bd63

* changes:
  Check registering system default callback needs NETWORK_SETTINGS.
  Move VPN code from ConnectivityService to VpnManagerService.
  Add a skeleton VpnManagerService, and start it on boot.
  Convert LockdownVpnTracker to NetworkCallbacks.
  Minor fixes to VpnTransportInfo.
parents 944e30cf fad82fdc
Loading
Loading
Loading
Loading
+11 −0
Original line number Diff line number Diff line
@@ -116,11 +116,13 @@ import android.net.EthernetManager;
import android.net.IEthernetManager;
import android.net.IIpSecService;
import android.net.INetworkPolicyManager;
import android.net.IVpnManager;
import android.net.IpSecManager;
import android.net.NetworkPolicyManager;
import android.net.NetworkScoreManager;
import android.net.NetworkWatchlistManager;
import android.net.TetheringManager;
import android.net.VpnManager;
import android.net.lowpan.ILowpanManager;
import android.net.lowpan.LowpanManager;
import android.net.nsd.INsdManager;
@@ -358,6 +360,15 @@ public final class SystemServiceRegistry {
                        ctx, () -> ServiceManager.getService(Context.TETHERING_SERVICE));
            }});

        registerService(Context.VPN_MANAGEMENT_SERVICE, VpnManager.class,
                new CachedServiceFetcher<VpnManager>() {
            @Override
            public VpnManager createService(ContextImpl ctx) throws ServiceNotFoundException {
                IBinder b = ServiceManager.getService(Context.VPN_MANAGEMENT_SERVICE);
                IVpnManager service = IVpnManager.Stub.asInterface(b);
                return new VpnManager(ctx, service);
            }});

        registerService(Context.VCN_MANAGEMENT_SERVICE, VcnManager.class,
                new CachedServiceFetcher<VcnManager>() {
            @Override
+62 −0
Original line number Diff line number Diff line
/**
 * Copyright (c) 2020, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.net;

import android.net.Network;

import com.android.internal.net.LegacyVpnInfo;
import com.android.internal.net.VpnConfig;
import com.android.internal.net.VpnProfile;

/**
 * Interface that manages VPNs.
 */
/** {@hide} */
interface IVpnManager {
    /** VpnService APIs */
    boolean prepareVpn(String oldPackage, String newPackage, int userId);
    void setVpnPackageAuthorization(String packageName, int userId, int vpnType);
    ParcelFileDescriptor establishVpn(in VpnConfig config);
    boolean addVpnAddress(String address, int prefixLength);
    boolean removeVpnAddress(String address, int prefixLength);
    boolean setUnderlyingNetworksForVpn(in Network[] networks);

    /** VpnManager APIs */
    boolean provisionVpnProfile(in VpnProfile profile, String packageName);
    void deleteVpnProfile(String packageName);
    void startVpnProfile(String packageName);
    void stopVpnProfile(String packageName);

    /** Always-on VPN APIs */
    boolean isAlwaysOnVpnPackageSupported(int userId, String packageName);
    boolean setAlwaysOnVpnPackage(int userId, String packageName, boolean lockdown,
            in List<String> lockdownAllowlist);
    String getAlwaysOnVpnPackage(int userId);
    boolean isVpnLockdownEnabled(int userId);
    List<String> getVpnLockdownAllowlist(int userId);
    boolean isCallerCurrentAlwaysOnVpnApp();
    boolean isCallerCurrentAlwaysOnVpnLockdownApp();

    /** Legacy VPN APIs */
    void startLegacyVpn(in VpnProfile profile);
    LegacyVpnInfo getLegacyVpnInfo(int userId);
    boolean updateLockdownVpn();

    /** General system APIs */
    VpnConfig getVpnConfig(int userId);
    void factoryReset();
}
+0 −11
Original line number Diff line number Diff line
@@ -49,17 +49,6 @@ public final class ConnectivityFrameworkInitializer {
                }
        );

        // TODO: move outside of the connectivity JAR
        SystemServiceRegistry.registerContextAwareService(
                Context.VPN_MANAGEMENT_SERVICE,
                VpnManager.class,
                (context) -> {
                    final ConnectivityManager cm = context.getSystemService(
                            ConnectivityManager.class);
                    return cm.createVpnManager();
                }
        );

        SystemServiceRegistry.registerContextAwareService(
                Context.CONNECTIVITY_DIAGNOSTICS_SERVICE,
                ConnectivityDiagnosticsManager.class,
+78 −90
Original line number Diff line number Diff line
@@ -824,6 +824,7 @@ public class ConnectivityManager {

    @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.P, trackingBug = 130143562)
    private final IConnectivityManager mService;

    /**
     * A kludge to facilitate static access where a Context pointer isn't available, like in the
     * case of the static set/getProcessDefaultNetwork methods and from the Network class.
@@ -1069,106 +1070,55 @@ public class ConnectivityManager {
    }

    /**
     * Checks if a VPN app supports always-on mode.
     *
     * In order to support the always-on feature, an app has to
     * <ul>
     *     <li>target {@link VERSION_CODES#N API 24} or above, and
     *     <li>not opt out through the {@link VpnService#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON}
     *         meta-data field.
     * </ul>
     *
     * @param userId The identifier of the user for whom the VPN app is installed.
     * @param vpnPackage The canonical package name of the VPN app.
     * @return {@code true} if and only if the VPN app exists and supports always-on mode.
     * Calls VpnManager#isAlwaysOnVpnPackageSupportedForUser.
     * @deprecated TODO: remove when callers have migrated to VpnManager.
     * @hide
     */
    @Deprecated
    public boolean isAlwaysOnVpnPackageSupportedForUser(int userId, @Nullable String vpnPackage) {
        try {
            return mService.isAlwaysOnVpnPackageSupported(userId, vpnPackage);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
        return getVpnManager().isAlwaysOnVpnPackageSupportedForUser(userId, vpnPackage);
    }

    /**
     * Configures an always-on VPN connection through a specific application.
     * This connection is automatically granted and persisted after a reboot.
     *
     * <p>The designated package should declare a {@link VpnService} in its
     *    manifest guarded by {@link android.Manifest.permission.BIND_VPN_SERVICE},
     *    otherwise the call will fail.
     *
     * @param userId The identifier of the user to set an always-on VPN for.
     * @param vpnPackage The package name for an installed VPN app on the device, or {@code null}
     *                   to remove an existing always-on VPN configuration.
     * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
     *        {@code false} otherwise.
     * @param lockdownAllowlist The list of packages that are allowed to access network directly
     *         when VPN is in lockdown mode but is not running. Non-existent packages are ignored so
     *         this method must be called when a package that should be allowed is installed or
     *         uninstalled.
     * @return {@code true} if the package is set as always-on VPN controller;
     *         {@code false} otherwise.
    * Calls VpnManager#setAlwaysOnVpnPackageForUser.
     * @deprecated TODO: remove when callers have migrated to VpnManager.
     * @hide
     */
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
    @Deprecated
    public boolean setAlwaysOnVpnPackageForUser(int userId, @Nullable String vpnPackage,
            boolean lockdownEnabled, @Nullable List<String> lockdownAllowlist) {
        try {
            return mService.setAlwaysOnVpnPackage(
                    userId, vpnPackage, lockdownEnabled, lockdownAllowlist);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
        return getVpnManager().setAlwaysOnVpnPackageForUser(userId, vpnPackage, lockdownEnabled,
                lockdownAllowlist);
    }

    /**
     * Returns the package name of the currently set always-on VPN application.
     * If there is no always-on VPN set, or the VPN is provided by the system instead
     * of by an app, {@code null} will be returned.
     *
     * @return Package name of VPN controller responsible for always-on VPN,
     *         or {@code null} if none is set.
     * Calls VpnManager#getAlwaysOnVpnPackageForUser.
     * @deprecated TODO: remove when callers have migrated to VpnManager.
     * @hide
     */
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
    @Deprecated
    public String getAlwaysOnVpnPackageForUser(int userId) {
        try {
            return mService.getAlwaysOnVpnPackage(userId);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
        return getVpnManager().getAlwaysOnVpnPackageForUser(userId);
    }

    /**
     * @return whether always-on VPN is in lockdown mode.
     *
     * Calls VpnManager#isVpnLockdownEnabled.
     * @deprecated TODO: remove when callers have migrated to VpnManager.
     * @hide
     **/
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
     */
    @Deprecated
    public boolean isVpnLockdownEnabled(int userId) {
        try {
            return mService.isVpnLockdownEnabled(userId);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }

        return getVpnManager().isVpnLockdownEnabled(userId);
    }

    /**
     * @return the list of packages that are allowed to access network when always-on VPN is in
     * lockdown mode but not connected. Returns {@code null} when VPN lockdown is not active.
     *
     * Calls VpnManager#getVpnLockdownAllowlist.
     * @deprecated TODO: remove when callers have migrated to VpnManager.
     * @hide
     **/
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
     */
    @Deprecated
    public List<String> getVpnLockdownWhitelist(int userId) {
        try {
            return mService.getVpnLockdownWhitelist(userId);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
        return getVpnManager().getVpnLockdownAllowlist(userId);
    }

    /**
@@ -1220,6 +1170,45 @@ public class ConnectivityManager {
        }
    }

    /**
     * Informs ConnectivityService of whether the legacy lockdown VPN, as implemented by
     * LockdownVpnTracker, is in use. This is deprecated for new devices starting from Android 12
     * but is still supported for backwards compatibility.
     * <p>
     * This type of VPN is assumed always to use the system default network, and must always declare
     * exactly one underlying network, which is the network that was the default when the VPN
     * connected.
     * <p>
     * Calling this method with {@code true} enables legacy behaviour, specifically:
     * <ul>
     *     <li>Any VPN that applies to userId 0 behaves specially with respect to deprecated
     *     {@link #CONNECTIVITY_ACTION} broadcasts. Any such broadcasts will have the state in the
     *     {@link #EXTRA_NETWORK_INFO} replaced by state of the VPN network. Also, any time the VPN
     *     connects, a {@link #CONNECTIVITY_ACTION} broadcast will be sent for the network
     *     underlying the VPN.</li>
     *     <li>Deprecated APIs that return {@link NetworkInfo} objects will have their state
     *     similarly replaced by the VPN network state.</li>
     *     <li>Information on current network interfaces passed to NetworkStatsService will not
     *     include any VPN interfaces.</li>
     * </ul>
     *
     * @param enabled whether legacy lockdown VPN is enabled or disabled
     *
     * TODO: @SystemApi(client = MODULE_LIBRARIES)
     *
     * @hide
     */
    @RequiresPermission(anyOf = {
            NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK,
            android.Manifest.permission.NETWORK_SETTINGS})
    public void setLegacyLockdownVpnEnabled(boolean enabled) {
        try {
            mService.setLegacyLockdownVpnEnabled(enabled);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    }

    /**
     * Returns details about the currently active default data network
     * for a given uid.  This is for internal use only to avoid spying
@@ -3180,20 +3169,13 @@ public class ConnectivityManager {
    }

    /**
     * If the LockdownVpn mechanism is enabled, updates the vpn
     * with a reload of its profile.
     *
     * @return a boolean with {@code} indicating success
     *
     * <p>This method can only be called by the system UID
     * {@hide}
     * Calls VpnManager#updateLockdownVpn.
     * @deprecated TODO: remove when callers have migrated to VpnManager.
     * @hide
     */
    @Deprecated
    public boolean updateLockdownVpn() {
        try {
            return mService.updateLockdownVpn();
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
        return getVpnManager().updateLockdownVpn();
    }

    /**
@@ -4557,6 +4539,8 @@ public class ConnectivityManager {
        try {
            mService.factoryReset();
            mTetheringManager.stopAllTethering();
            // TODO: Migrate callers to VpnManager#factoryReset.
            getVpnManager().factoryReset();
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
@@ -4850,9 +4834,13 @@ public class ConnectivityManager {
        return new TestNetworkManager(ITestNetworkManager.Stub.asInterface(tnBinder));
    }

    /** @hide */
    public VpnManager createVpnManager() {
        return new VpnManager(mContext, mService);
    /**
     * Temporary hack to shim calls from ConnectivityManager to VpnManager. We cannot store a
     * private final mVpnManager because ConnectivityManager is initialized before VpnManager.
     * @hide TODO: remove.
     */
    public VpnManager getVpnManager() {
        return mContext.getSystemService(VpnManager.class);
    }

    /** @hide */
+1 −37
Original line number Diff line number Diff line
@@ -43,9 +43,6 @@ import android.os.PersistableBundle;
import android.os.ResultReceiver;

import com.android.connectivity.aidl.INetworkAgent;
import com.android.internal.net.LegacyVpnInfo;
import com.android.internal.net.VpnConfig;
import com.android.internal.net.VpnProfile;

/**
 * Interface that answers queries about, and allows changing, the
@@ -123,35 +120,8 @@ interface IConnectivityManager

    ProxyInfo getProxyForNetwork(in Network nework);

    boolean prepareVpn(String oldPackage, String newPackage, int userId);

    void setVpnPackageAuthorization(String packageName, int userId, int vpnType);

    ParcelFileDescriptor establishVpn(in VpnConfig config);

    boolean provisionVpnProfile(in VpnProfile profile, String packageName);

    void deleteVpnProfile(String packageName);

    void startVpnProfile(String packageName);

    void stopVpnProfile(String packageName);

    VpnConfig getVpnConfig(int userId);

    @UnsupportedAppUsage(maxTargetSdk = 30, trackingBug = 170729553)
    void startLegacyVpn(in VpnProfile profile);

    LegacyVpnInfo getLegacyVpnInfo(int userId);

    boolean updateLockdownVpn();
    boolean isAlwaysOnVpnPackageSupported(int userId, String packageName);
    boolean setAlwaysOnVpnPackage(int userId, String packageName, boolean lockdown,
            in List<String> lockdownWhitelist);
    String getAlwaysOnVpnPackage(int userId);
    boolean isVpnLockdownEnabled(int userId);
    List<String> getVpnLockdownWhitelist(int userId);
    void setRequireVpnForUids(boolean requireVpn, in UidRange[] ranges);
    void setLegacyLockdownVpnEnabled(boolean enabled);

    void setProvisioningNotificationVisible(boolean visible, int networkType, in String action);

@@ -200,10 +170,6 @@ interface IConnectivityManager

    int getRestoreDefaultNetworkDelay(int networkType);

    boolean addVpnAddress(String address, int prefixLength);
    boolean removeVpnAddress(String address, int prefixLength);
    boolean setUnderlyingNetworksForVpn(in Network[] networks);

    void factoryReset();

    void startNattKeepalive(in Network network, int intervalSeconds,
@@ -223,8 +189,6 @@ interface IConnectivityManager
    byte[] getNetworkWatchlistConfigHash();

    int getConnectionOwnerUid(in ConnectionInfo connectionInfo);
    boolean isCallerCurrentAlwaysOnVpnApp();
    boolean isCallerCurrentAlwaysOnVpnLockdownApp();

    void registerConnectivityDiagnosticsCallback(in IConnectivityDiagnosticsCallback callback,
            in NetworkRequest request, String callingPackageName);
Loading