Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 549439cc authored by Chalard Jean's avatar Chalard Jean Committed by android-build-merger
Browse files

Merge "Support strict mode private DNS on VPNs that provide Internet."

am: a56eab41

Change-Id: I6522706917731a944483ad3cb9cdbc20447be6c2
parents 4306080f a56eab41
Loading
Loading
Loading
Loading
+17 −3
Original line number Diff line number Diff line
@@ -520,6 +520,9 @@ public class NetworkMonitor extends StateMachine {
        return NetworkMonitorUtils.isValidationRequired(mNetworkCapabilities);
    }

    private boolean isPrivateDnsValidationRequired() {
        return NetworkMonitorUtils.isPrivateDnsValidationRequired(mNetworkCapabilities);
    }

    private void notifyNetworkTested(int result, @Nullable String redirectUrl) {
        try {
@@ -607,7 +610,7 @@ public class NetworkMonitor extends StateMachine {
                    return HANDLED;
                case CMD_PRIVATE_DNS_SETTINGS_CHANGED: {
                    final PrivateDnsConfig cfg = (PrivateDnsConfig) message.obj;
                    if (!isValidationRequired() || cfg == null || !cfg.inStrictMode()) {
                    if (!isPrivateDnsValidationRequired() || cfg == null || !cfg.inStrictMode()) {
                        // No DNS resolution required.
                        //
                        // We don't force any validation in opportunistic mode
@@ -843,9 +846,20 @@ public class NetworkMonitor extends StateMachine {
                    //    the network so don't bother validating here.  Furthermore sending HTTP
                    //    packets over the network may be undesirable, for example an extremely
                    //    expensive metered network, or unwanted leaking of the User Agent string.
                    //
                    // On networks that need to support private DNS in strict mode (e.g., VPNs, but
                    // not networks that don't provide Internet access), we still need to perform
                    // private DNS server resolution.
                    if (!isValidationRequired()) {
                        validationLog("Network would not satisfy default request, not validating");
                        if (isPrivateDnsValidationRequired()) {
                            validationLog("Network would not satisfy default request, "
                                    + "resolving private DNS");
                            transitionTo(mEvaluatingPrivateDnsState);
                        } else {
                            validationLog("Network would not satisfy default request, "
                                    + "not validating");
                            transitionTo(mValidatedState);
                        }
                        return HANDLED;
                    }
                    mEvaluateAttempts++;
+5 −5
Original line number Diff line number Diff line
@@ -40,7 +40,7 @@ import static android.net.NetworkCapabilities.NET_CAPABILITY_VALIDATED;
import static android.net.NetworkCapabilities.TRANSPORT_VPN;
import static android.net.NetworkPolicyManager.RULE_NONE;
import static android.net.NetworkPolicyManager.uidRulesToString;
import static android.net.shared.NetworkMonitorUtils.isValidationRequired;
import static android.net.shared.NetworkMonitorUtils.isPrivateDnsValidationRequired;
import static android.os.Process.INVALID_UID;
import static android.system.OsConstants.IPPROTO_TCP;
import static android.system.OsConstants.IPPROTO_UDP;
@@ -2824,8 +2824,8 @@ public class ConnectivityService extends IConnectivityManager.Stub
        }
    }

    private boolean networkRequiresValidation(NetworkAgentInfo nai) {
        return isValidationRequired(nai.networkCapabilities);
    private boolean networkRequiresPrivateDnsValidation(NetworkAgentInfo nai) {
        return isPrivateDnsValidationRequired(nai.networkCapabilities);
    }

    private void handleFreshlyValidatedNetwork(NetworkAgentInfo nai) {
@@ -2843,7 +2843,7 @@ public class ConnectivityService extends IConnectivityManager.Stub

        for (NetworkAgentInfo nai : mNetworkAgentInfos.values()) {
            handlePerNetworkPrivateDnsConfig(nai, cfg);
            if (networkRequiresValidation(nai)) {
            if (networkRequiresPrivateDnsValidation(nai)) {
                handleUpdateLinkProperties(nai, new LinkProperties(nai.linkProperties));
            }
        }
@@ -2852,7 +2852,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
    private void handlePerNetworkPrivateDnsConfig(NetworkAgentInfo nai, PrivateDnsConfig cfg) {
        // Private DNS only ever applies to networks that might provide
        // Internet access and therefore also require validation.
        if (!networkRequiresValidation(nai)) return;
        if (!networkRequiresPrivateDnsValidation(nai)) return;

        // Notify the NetworkAgentInfo/NetworkMonitor in case NetworkMonitor needs to cancel or
        // schedule DNS resolutions. If a DNS resolution is required the
+1 −1
Original line number Diff line number Diff line
@@ -29,7 +29,7 @@ public class ConnectivityConstants {
    //
    // This ensures that a) the explicitly selected network is never trumped by anything else, and
    // b) the explicitly selected network is never torn down.
    public static final int MAXIMUM_NETWORK_SCORE = 100;
    public static final int EXPLICITLY_SELECTED_NETWORK_SCORE = 100;
    // VPNs typically have priority over other networks. Give them a score that will
    // let them win every single time.
    public static final int VPN_DEFAULT_SCORE = 101;
+2 −2
Original line number Diff line number Diff line
@@ -483,11 +483,11 @@ public class NetworkAgentInfo implements Comparable<NetworkAgentInfo> {
        // down an explicitly selected network before the user gets a chance to prefer it when
        // a higher-scoring network (e.g., Ethernet) is available.
        if (networkMisc.explicitlySelected && (networkMisc.acceptUnvalidated || pretendValidated)) {
            return ConnectivityConstants.MAXIMUM_NETWORK_SCORE;
            return ConnectivityConstants.EXPLICITLY_SELECTED_NETWORK_SCORE;
        }

        int score = currentScore;
        if (!lastValidated && !pretendValidated && !ignoreWifiUnvalidationPenalty()) {
        if (!lastValidated && !pretendValidated && !ignoreWifiUnvalidationPenalty() && !isVPN()) {
            score -= ConnectivityConstants.UNVALIDATED_SCORE_PENALTY;
        }
        if (score < 0) score = 0;
+12 −5
Original line number Diff line number Diff line
@@ -43,16 +43,23 @@ public class NetworkMonitorUtils {
            "android.permission.ACCESS_NETWORK_CONDITIONS";

    /**
     * Return whether validation is required for a network.
     * @param dfltNetCap Default requested network capabilities.
     * Return whether validation is required for private DNS in strict mode.
     * @param nc Network capabilities of the network to test.
     */
    public static boolean isValidationRequired(NetworkCapabilities nc) {
    public static boolean isPrivateDnsValidationRequired(NetworkCapabilities nc) {
        // TODO: Consider requiring validation for DUN networks.
        return nc != null
                && nc.hasCapability(NET_CAPABILITY_INTERNET)
                && nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)
                && nc.hasCapability(NET_CAPABILITY_TRUSTED)
                && nc.hasCapability(NET_CAPABILITY_NOT_VPN);
                && nc.hasCapability(NET_CAPABILITY_TRUSTED);
    }

    /**
     * Return whether validation is required for a network.
     * @param nc Network capabilities of the network to test.
     */
    public static boolean isValidationRequired(NetworkCapabilities nc) {
        // TODO: Consider requiring validation for DUN networks.
        return isPrivateDnsValidationRequired(nc) && nc.hasCapability(NET_CAPABILITY_NOT_VPN);
    }
}
Loading