
Commit 774c3ce1 authored by Pavel Grafov's avatar Pavel Grafov Committed by Gerrit Code Review

Merge "Whitelist packages from VPN lockdown."

parents b3f282da a462bcb9
+67 −2
@@ -1014,14 +1014,48 @@ public class ConnectivityManager {
     *                   to remove an existing always-on VPN configuration.
     * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
     *        {@code false} otherwise.
     * @param lockdownWhitelist The list of packages that are allowed to access network directly
     *         when VPN is in lockdown mode but is not running. Non-existent packages are ignored so
     *         this method must be called when a package that should be whitelisted is installed or
     *         uninstalled.
     * @return {@code true} if the package is set as always-on VPN controller;
     *         {@code false} otherwise.
     * @hide
     */
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
    public boolean setAlwaysOnVpnPackageForUser(int userId, @Nullable String vpnPackage,
            boolean lockdownEnabled, @Nullable List<String> lockdownWhitelist) {
        try {
            return mService.setAlwaysOnVpnPackage(
                    userId, vpnPackage, lockdownEnabled, lockdownWhitelist);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    }

    /**
     * Configures an always-on VPN connection through a specific application.
     * This connection is automatically granted and persisted after a reboot.
     *
     * <p>The designated package should declare a {@link VpnService} in its
     *    manifest guarded by {@link android.Manifest.permission.BIND_VPN_SERVICE},
     *    otherwise the call will fail.
     *
     * @param userId The identifier of the user to set an always-on VPN for.
     * @param vpnPackage The package name for an installed VPN app on the device, or {@code null}
     *                   to remove an existing always-on VPN configuration.
     * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
     *        {@code false} otherwise.
     * @return {@code true} if the package is set as always-on VPN controller;
     *         {@code false} otherwise.
     * @hide
     */
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
    public boolean setAlwaysOnVpnPackageForUser(int userId, @Nullable String vpnPackage,
            boolean lockdownEnabled) {
        try {
            return mService.setAlwaysOnVpnPackage(userId, vpnPackage, lockdownEnabled);
            return mService.setAlwaysOnVpnPackage(
                    userId, vpnPackage, lockdownEnabled, /* whitelist */ null);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
@@ -1036,6 +1070,7 @@ public class ConnectivityManager {
     *         or {@code null} if none is set.
     * @hide
     */
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
    public String getAlwaysOnVpnPackageForUser(int userId) {
        try {
            return mService.getAlwaysOnVpnPackage(userId);
@@ -1044,6 +1079,36 @@ public class ConnectivityManager {
        }
    }

    /**
     * @return whether always-on VPN is in lockdown mode.
     *
     * @hide
     **/
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
    public boolean isVpnLockdownEnabled(int userId) {
        try {
            return mService.isVpnLockdownEnabled(userId);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }

    }

    /**
     * @return the list of packages that are allowed to access network when always-on VPN is in
     * lockdown mode but not connected. Returns {@code null} when VPN lockdown is not active.
     *
     * @hide
     **/
    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
    public List<String> getVpnLockdownWhitelist(int userId) {
        try {
            return mService.getVpnLockdownWhitelist(userId);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    }

    /**
     * Returns details about the currently active default data network
     * for a given uid.  This is for internal use only to avoid spying
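Review bot: The new `lockdownWhitelist` parameter is `@Nullable`, but its Javadoc never says what `null` means, and the three-argument overload now passes `/* whitelist */ null` on every call. Every package in this list can reach the network outside the tunnel while lockdown blocks everything else, so the contract should be explicit, for example `{@code null} or an empty list exempts no package` (assuming that is what the service does; its implementation is not visible here). The same section adds `getVpnLockdownWhitelist`, whose Javadoc says it returns `null` when lockdown is not active, so its return type would read better as `@Nullable List<String>`. The Javadoc of the four-argument overload starts above the hunk.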
+4 −1
@@ -125,8 +125,11 @@ interface IConnectivityManager

    boolean updateLockdownVpn();
    boolean isAlwaysOnVpnPackageSupported(int userId, String packageName);
    boolean setAlwaysOnVpnPackage(int userId, String packageName, boolean lockdown);
    boolean setAlwaysOnVpnPackage(int userId, String packageName, boolean lockdown,
            in List<String> lockdownWhitelist);
    String getAlwaysOnVpnPackage(int userId);
    boolean isVpnLockdownEnabled(int userId);
    List<String> getVpnLockdownWhitelist(int userId);

    int checkMobileProvisioning(int suggestedTimeOutMs);
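Review bot: The widened `setAlwaysOnVpnPackage` and the two new read methods, `isVpnLockdownEnabled` and `getVpnLockdownWhitelist`, carry no comment about who may call them. The `@RequiresPermission(CONTROL_ALWAYS_ON_VPN)` annotation on the ConnectivityManager wrappers is a hint for lint, not an access check. A caller that reaches this binder interface directly bypasses those wrappers, so the service implementation has to enforce the permission itself; that code is not visible in this part of the page and should be confirmed there. A short comment above the group, such as `// Callers must hold CONTROL_ALWAYS_ON_VPN; enforced by the service implementation.`, would record the requirement next to the interface.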

+10 −0
@@ -5670,6 +5670,16 @@ public final class Settings {
         */
        public static final String ALWAYS_ON_VPN_LOCKDOWN = "always_on_vpn_lockdown";
        /**
         * Comma separated list of packages that are allowed to access the network when VPN is in
         * lockdown mode but not running.
         * @see #ALWAYS_ON_VPN_LOCKDOWN
         *
         * @hide
         */
        public static final String ALWAYS_ON_VPN_LOCKDOWN_WHITELIST =
                "always_on_vpn_lockdown_whitelist";
        /**
         * Whether applications can be installed for this user via the system's
         * {@link Intent#ACTION_INSTALL_PACKAGE} mechanism.
+6 −0
@@ -3231,6 +3231,12 @@
        android:protectionLevel="signature|privileged" />
    <uses-permission android:name="android.permission.CONTROL_VPN" />

    <!-- Allows an application to access and modify always-on VPN configuration.
         <p>Not for use by third-party or privileged applications.
         @hide -->
    <permission android:name="android.permission.CONTROL_ALWAYS_ON_VPN"
        android:protectionLevel="signature" />

    <!-- Allows an application to capture audio output.
         <p>Not for use by third-party applications.</p> -->
    <permission android:name="android.permission.CAPTURE_AUDIO_OUTPUT"
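Review bot: The comment on the new `CONTROL_ALWAYS_ON_VPN` permission opens `<p>` and never closes it, while the `CAPTURE_AUDIO_OUTPUT` comment right below it writes `<p>…</p>`. I would close it as `<p>Not for use by third-party or privileged applications.</p>`. The `signature` protection level is consistent with that sentence, since it omits the `privileged` flag seen on the `signature|privileged` entry in the context lines above.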
+1 −0
@@ -512,6 +512,7 @@ public class SettingsBackupTest {
                 Settings.Secure.ALLOWED_GEOLOCATION_ORIGINS,
                 Settings.Secure.ALWAYS_ON_VPN_APP,
                 Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN,
                 Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN_WHITELIST,
                 Settings.Secure.ANDROID_ID,
                 Settings.Secure.ANR_SHOW_BACKGROUND,
                 Settings.Secure.ASSISTANT,