
Commit 6ec2a154 authored by Lorenzo Colitti's avatar Lorenzo Colitti Committed by Gerrit Code Review

Merge changes If2201f39,Ia1c366c5

* changes:
  Stop calling Vpn#updateCapabilities in CS.
  Stop accessing VPNs in checkConnectivityDiagnosticsPermissions.
parents 9233cb2b 17b88d8b
+6 −22
@@ -4821,15 +4821,6 @@ public class ConnectivityService extends IConnectivityManager.Stub
        }
    }

    private void updateVpnCapabilities(Vpn vpn, @Nullable NetworkCapabilities nc) {
        ensureRunningOnConnectivityServiceThread();
        NetworkAgentInfo vpnNai = getNetworkAgentInfoForNetId(vpn.getNetId());
        if (vpnNai == null || nc == null) {
            return;
        }
        updateCapabilities(vpnNai.getCurrentScore(), vpnNai, nc);
    }

    @Override
    public boolean updateLockdownVpn() {
        if (Binder.getCallingUid() != Process.SYSTEM_UID) {
@@ -5169,28 +5160,22 @@ public class ConnectivityService extends IConnectivityManager.Stub

    private void onUserAdded(int userId) {
        mPermissionMonitor.onUserAdded(userId);
        Network defaultNetwork = getNetwork(getDefaultNetwork());
        synchronized (mVpns) {
            final int vpnsSize = mVpns.size();
            for (int i = 0; i < vpnsSize; i++) {
                Vpn vpn = mVpns.valueAt(i);
                vpn.onUserAdded(userId);
                NetworkCapabilities nc = vpn.updateCapabilities(defaultNetwork);
                updateVpnCapabilities(vpn, nc);
            }
        }
    }

    private void onUserRemoved(int userId) {
        mPermissionMonitor.onUserRemoved(userId);
        Network defaultNetwork = getNetwork(getDefaultNetwork());
        synchronized (mVpns) {
            final int vpnsSize = mVpns.size();
            for (int i = 0; i < vpnsSize; i++) {
                Vpn vpn = mVpns.valueAt(i);
                vpn.onUserRemoved(userId);
                NetworkCapabilities nc = vpn.updateCapabilities(defaultNetwork);
                updateVpnCapabilities(vpn, nc);
            }
        }
    }
@@ -8276,13 +8261,12 @@ public class ConnectivityService extends IConnectivityManager.Stub
            return false;
        }

        final Network[] underlyingNetworks;
        synchronized (mVpns) {
            final Vpn vpn = getVpnIfOwner(callbackUid);
            underlyingNetworks = (vpn == null) ? null : vpn.getUnderlyingNetworks();
        for (NetworkAgentInfo virtual : mNetworkAgentInfos.values()) {
            if (virtual.supportsUnderlyingNetworks()
                    && virtual.networkCapabilities.getOwnerUid() == callbackUid
                    && ArrayUtils.contains(virtual.declaredUnderlyingNetworks, nai.network)) {
                return true;
            }
        if (underlyingNetworks != null) {
            if (Arrays.asList(underlyingNetworks).contains(nai.network)) return true;
        }

        // Administrator UIDs also contains the Owner UID
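Review bot: The new loop over `mNetworkAgentInfos.values()` in the last hunk runs without any lock, where the code it replaces read VPN state under `synchronized (mVpns)`, and nothing visible says which thread calls this permission check. If the method is meant to run on the handler thread, put `ensureRunningOnConnectivityServiceThread();` before the loop; if not, the map needs a lock or a snapshot, because iterating it while agents register or disconnect can throw or give the wrong grant/deny answer. The grant now also rests on `networkCapabilities.getOwnerUid()` and `declaredUnderlyingNetworks`, so a short comment such as `// ownerUid and declaredUnderlyingNetworks are validated when the agent registers/updates` (to be confirmed, the validation is not visible here) would tell the next reader why these values can be trusted. The enclosing method starts and ends outside the hunk.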
+6 −5
@@ -408,7 +408,6 @@ public class Vpn {
        mNetworkCapabilities = new NetworkCapabilities();
        mNetworkCapabilities.addTransportType(NetworkCapabilities.TRANSPORT_VPN);
        mNetworkCapabilities.removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN);
        updateCapabilities(null /* defaultNetwork */);

        loadAlwaysOnPackage(keyStore);
    }
@@ -1593,12 +1592,13 @@ public class Vpn {
                    try {
                        addUserToRanges(existingRanges, userId, mConfig.allowedApplications,
                                mConfig.disallowedApplications);
                        // ConnectivityService will call {@link #updateCapabilities} and apply
                        // those for VPN network.
                        mNetworkCapabilities.setUids(existingRanges);
                    } catch (Exception e) {
                        Log.wtf(TAG, "Failed to add restricted user to owner", e);
                    }
                    if (mNetworkAgent != null) {
                        mNetworkAgent.sendNetworkCapabilities(mNetworkCapabilities);
                    }
                }
                setVpnForcedLocked(mLockdown);
            }
@@ -1621,12 +1621,13 @@ public class Vpn {
                        final List<UidRange> removedRanges =
                                uidRangesForUser(userId, existingRanges);
                        existingRanges.removeAll(removedRanges);
                        // ConnectivityService will call {@link #updateCapabilities} and
                        // apply those for VPN network.
                        mNetworkCapabilities.setUids(existingRanges);
                    } catch (Exception e) {
                        Log.wtf(TAG, "Failed to remove restricted user to owner", e);
                    }
                    if (mNetworkAgent != null) {
                        mNetworkAgent.sendNetworkCapabilities(mNetworkCapabilities);
                    }
                }
                setVpnForcedLocked(mLockdown);
            }
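Review bot: The added `mNetworkAgent.sendNetworkCapabilities(mNetworkCapabilities)` sits after the try/catch, so it also runs when `addUserToRanges` threw and `setUids(existingRanges)` was skipped; the user-removal hunk repeats the same shape. Since the UID ranges appear to decide which users the VPN covers, I would send only on success by moving the `if (mNetworkAgent != null)` block inside the `try`, directly after `setUids`, or else add a comment saying the resend of unchanged capabilities is intended. The deleted comment was the only explanation of who propagates the change, and something like `// Push the new UID ranges to ConnectivityService, which no longer calls updateCapabilities here.` would replace it. Both enclosing methods start and end outside the hunks.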
+7 −32
@@ -1058,7 +1058,9 @@ public class ConnectivityServiceTest {

        public void setUids(Set<UidRange> uids) {
            mNetworkCapabilities.setUids(uids);
            updateCapabilitiesInternal(null /* defaultNetwork */, true);
            if (mAgentRegistered) {
                mMockNetworkAgent.setNetworkCapabilities(mNetworkCapabilities, true);
            }
        }

        public void setVpnType(int vpnType) {
@@ -1147,28 +1149,6 @@ public class ConnectivityServiceTest {
            mMockNetworkAgent.sendLinkProperties(lp);
        }

        private NetworkCapabilities updateCapabilitiesInternal(Network defaultNetwork,
                boolean sendToConnectivityService) {
            if (!mAgentRegistered) return null;
            super.updateCapabilities(defaultNetwork);
            // Because super.updateCapabilities will update the capabilities of the agent but
            // not the mock agent, the mock agent needs to know about them.
            copyCapabilitiesToNetworkAgent(sendToConnectivityService);
            return new NetworkCapabilities(mNetworkCapabilities);
        }

        private void copyCapabilitiesToNetworkAgent(boolean sendToConnectivityService) {
            if (null != mMockNetworkAgent) {
                mMockNetworkAgent.setNetworkCapabilities(mNetworkCapabilities,
                        sendToConnectivityService);
            }
        }

        @Override
        public NetworkCapabilities updateCapabilities(Network defaultNetwork) {
            return updateCapabilitiesInternal(defaultNetwork, false);
        }

        public void disconnect() {
            if (mMockNetworkAgent != null) mMockNetworkAgent.disconnect();
            mAgentRegistered = false;
@@ -7442,20 +7422,14 @@ public class ConnectivityServiceTest {
        setupLocationPermissions(Build.VERSION_CODES.Q, true, AppOpsManager.OPSTR_FINE_LOCATION,
                Manifest.permission.ACCESS_FINE_LOCATION);

        // setUp() calls mockVpn() which adds a VPN with the Test Runner's uid. Configure it to be
        // active
        final VpnInfo info = new VpnInfo();
        info.ownerUid = Process.myUid();
        info.vpnIface = VPN_IFNAME;
        mMockVpn.setVpnInfo(info);

        mMockVpn.establishForMyUid();
        waitForIdle();

        // Wait for networks to connect and broadcasts to be sent before removing permissions.
        waitForIdle();
        mServiceContext.setPermission(android.Manifest.permission.NETWORK_STACK, PERMISSION_DENIED);


        assertTrue(mService.setUnderlyingNetworksForVpn(new Network[] {network}));
        waitForIdle();
        assertTrue(
                "Active VPN permission not applied",
                mService.checkConnectivityDiagnosticsPermissions(
@@ -7463,6 +7437,7 @@ public class ConnectivityServiceTest {
                        mContext.getOpPackageName()));

        assertTrue(mService.setUnderlyingNetworksForVpn(null));
        waitForIdle();
        assertFalse(
                "VPN shouldn't receive callback on non-underlying network",
                mService.checkConnectivityDiagnosticsPermissions(
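Review bot: The updated test exercises only the underlying-network part of the rewritten permission check: it sets `new Network[] {network}` and then `null`, always with the VPN established for the test's own UID via `establishForMyUid()`. The ConnectivityService change grants access only when the virtual network's owner UID equals the callback UID, and no visible assertion covers a VPN owned by a different UID that declares the same underlying network. I would add an `assertFalse` case for that mismatch, since the owner comparison is the condition that guards the grant; such a test may already exist outside these hunks. The test method starts and ends outside the hunk.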