
Commit 69ddab45 authored by Jeff Sharkey

Always-on VPN.

Adds support for always-on VPN profiles, also called "lockdown." When
enabled, LockdownVpnTracker manages the netd firewall to prevent
unencrypted traffic from leaving the device. It creates narrow rules
to only allow traffic to the selected VPN server. When an egress
network becomes available, LockdownVpnTracker will try bringing up
the VPN connection, and will reconnect if disconnected.

ConnectivityService augments any NetworkInfo based on the lockdown
VPN status to help apps wait until the VPN is connected.

This feature requires that VPN profiles use an IP address for both
VPN server and DNS. It also blocks non-default APN access when
enabled. Waits for USER_PRESENT after boot to check KeyStore status.

Bug: 5756357
Change-Id: If615f206b1634000d78a8350a17e88bfcac8e0d0
parent 080ca09c
+6 −2
@@ -17,10 +17,9 @@
package android.app;

import android.content.Context;
import android.os.Binder;
import android.os.RemoteException;
import android.os.Handler;
import android.os.IBinder;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.util.Log;

@@ -88,6 +87,11 @@ public class NotificationManager
        mContext = context;
    }

    /** {@hide} */
    public static NotificationManager from(Context context) {
        return (NotificationManager) context.getSystemService(Context.NOTIFICATION_SERVICE);
    }

    /**
     * Post a notification to be shown in the status bar. If a notification with
     * the same id has already been posted by your application and has not yet been canceled, it
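Review bot: The new `from(Context)` helper at L47–L50 is marked `{@hide}` only and has no description, although it performs an unchecked cast of the `getSystemService` result; a one-line Javadoc such as `/** Returns the {@link NotificationManager} for {@code context}; equivalent to {@code context.getSystemService(Context.NOTIFICATION_SERVICE)}. {@hide} */` would tell callers what they get. In the import hunk, `import android.os.RemoteException;` is printed at both L36 and L39; this file records 2 deletions and 1 addition, so one of them is presumably the removed line, but confirm the new side does not keep a duplicate import.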
+9 −0
@@ -912,4 +912,13 @@ public class ConnectivityManager {
            return false;
        }
    }

    /** {@hide} */
    public boolean updateLockdownVpn() {
        try {
            return mService.updateLockdownVpn();
        } catch (RemoteException e) {
            return false;
        }
    }
}
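Review bot: `updateLockdownVpn()` returns `false` both when the service reports no active lockdown and when the binder call itself fails (the `RemoteException` catch at L66–L67), so a caller cannot distinguish "lockdown not in force" from "system service unreachable", and nothing documents what the boolean means. This mirrors the surrounding methods, but the semantics should be stated: `/** Re-evaluates the always-on VPN ("lockdown") state; returns {@code true} only if the service accepted the request, {@code false} if lockdown is not enabled or the service could not be reached. {@hide} */`. The wrapper performs no caller check, so whatever restricts who may re-evaluate lockdown has to be enforced inside the service implementation behind `mService`, which is outside this page and worth confirming. The matching declaration added to IConnectivityManager (L78) likewise carries no comment.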
+2 −0
@@ -122,4 +122,6 @@ interface IConnectivityManager
    void startLegacyVpn(in VpnProfile profile);

    LegacyVpnInfo getLegacyVpnInfo();

    boolean updateLockdownVpn();
}
+31 −0
@@ -18,7 +18,10 @@ package com.android.internal.net;

import android.os.Parcel;
import android.os.Parcelable;
import android.text.TextUtils;
import android.util.Log;

import java.net.InetAddress;
import java.nio.charset.Charsets;

/**
@@ -31,6 +34,8 @@ import java.nio.charset.Charsets;
 * @hide
 */
public class VpnProfile implements Cloneable, Parcelable {
    private static final String TAG = "VpnProfile";

    // Match these constants with R.array.vpn_types.
    public static final int TYPE_PPTP = 0;
    public static final int TYPE_L2TP_IPSEC_PSK = 1;
@@ -124,6 +129,32 @@ public class VpnProfile implements Cloneable, Parcelable {
        return builder.toString().getBytes(Charsets.UTF_8);
    }

    /**
     * Test if profile is valid for lockdown, which requires IPv4 address for
     * both server and DNS. Server hostnames would require using DNS before
     * connection.
     */
    public boolean isValidLockdownProfile() {
        try {
            InetAddress.parseNumericAddress(server);

            for (String dnsServer : dnsServers.split(" +")) {
                InetAddress.parseNumericAddress(this.dnsServers);
            }
            if (TextUtils.isEmpty(dnsServers)) {
                Log.w(TAG, "DNS required");
                return false;
            }

            // Everything checked out above
            return true;

        } catch (IllegalArgumentException e) {
            Log.w(TAG, "Invalid address", e);
            return false;
        }
    }

    @Override
    public void writeToParcel(Parcel out, int flags) {
        out.writeString(key);
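Review bot: The DNS loop in `isValidLockdownProfile()` (L115–L117) passes `this.dnsServers` — the whole space-separated field — to `parseNumericAddress` instead of the loop variable, so the loop variable `dnsServer` is never used and any profile that lists more than one DNS server is rejected as an invalid address; the fix is `InetAddress.parseNumericAddress(dnsServer);`. The `TextUtils.isEmpty(dnsServers)` guard at L118 runs only after the loop, so an empty DNS field is first handed to `parseNumericAddress` element by element and reaches the "DNS required" branch only if that call tolerates an empty string; moving the guard above the loop makes the intent unambiguous, and the same consideration applies to an empty `server` at L113, which this method does not reject on its own. The Javadoc at L107 states that IPv4 is required, but `parseNumericAddress` also accepts numeric IPv6 literals, so either the comment should say "numeric IP address" or an explicit `Inet4Address` check is needed if the lockdown firewall rules are IPv4-only — that cannot be verified from this hunk.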
+5 −0
@@ -1442,6 +1442,7 @@
  <java-symbol type="drawable" name="stat_sys_tether_usb" />
  <java-symbol type="drawable" name="stat_sys_throttled" />
  <java-symbol type="drawable" name="vpn_connected" />
  <java-symbol type="drawable" name="vpn_disconnected" />
  <java-symbol type="id" name="ask_checkbox" />
  <java-symbol type="id" name="compat_checkbox" />
  <java-symbol type="id" name="original_app_icon" />
@@ -1557,6 +1558,10 @@
  <java-symbol type="string" name="vpn_text_long" />
  <java-symbol type="string" name="vpn_title" />
  <java-symbol type="string" name="vpn_title_long" />
  <java-symbol type="string" name="vpn_lockdown_connecting" />
  <java-symbol type="string" name="vpn_lockdown_connected" />
  <java-symbol type="string" name="vpn_lockdown_error" />
  <java-symbol type="string" name="vpn_lockdown_reset" />
  <java-symbol type="string" name="wallpaper_binding_label" />
  <java-symbol type="style" name="Theme.Dialog.AppError" />
  <java-symbol type="style" name="Theme.Toast" />