Loading services/core/java/com/android/server/connectivity/Vpn.java +34 −20 Original line number Diff line number Diff line Loading @@ -19,11 +19,11 @@ package com.android.server.connectivity; import static android.Manifest.permission.BIND_VPN_SERVICE; import static android.net.ConnectivityManager.NETID_UNSET; import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_METERED; import static android.os.UserHandle.PER_USER_RANGE; import static android.net.RouteInfo.RTN_THROW; import static android.net.RouteInfo.RTN_UNREACHABLE; import static android.net.VpnManager.NOTIFICATION_CHANNEL_VPN; import static android.os.PowerWhitelistManager.REASON_VPN; import static android.os.UserHandle.PER_USER_RANGE; import static com.android.internal.util.Preconditions.checkArgument; import static com.android.internal.util.Preconditions.checkNotNull; Loading Loading @@ -224,7 +224,7 @@ public class Vpn { protected NetworkAgent mNetworkAgent; private final Looper mLooper; @VisibleForTesting protected final NetworkCapabilities mNetworkCapabilities; protected NetworkCapabilities mNetworkCapabilities; private final SystemServices mSystemServices; private final Ikev2SessionCreator mIkev2SessionCreator; private final UserManager mUserManager; Loading Loading 
@@ -461,11 +461,12 @@ public class Vpn { mLegacyState = LegacyVpnInfo.STATE_DISCONNECTED; mNetworkInfo = new NetworkInfo(ConnectivityManager.TYPE_VPN, 0 /* subtype */, NETWORKTYPE, "" /* subtypeName */); mNetworkCapabilities = new NetworkCapabilities(); mNetworkCapabilities.addTransportType(NetworkCapabilities.TRANSPORT_VPN); mNetworkCapabilities.removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN); mNetworkCapabilities.addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VCN_MANAGED); mNetworkCapabilities.setTransportInfo(new VpnTransportInfo(VpnManager.TYPE_VPN_NONE)); mNetworkCapabilities = new NetworkCapabilities.Builder() .addTransportType(NetworkCapabilities.TRANSPORT_VPN) .removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN) .addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VCN_MANAGED) .setTransportInfo(new VpnTransportInfo(VpnManager.TYPE_VPN_NONE)) .build(); loadAlwaysOnPackage(); } Loading Loading @@ -526,8 +527,10 @@ public class Vpn { } private void resetNetworkCapabilities() { mNetworkCapabilities.setUids(null); mNetworkCapabilities.setTransportInfo(new VpnTransportInfo(VpnManager.TYPE_VPN_NONE)); mNetworkCapabilities = new NetworkCapabilities.Builder(mNetworkCapabilities) .setUids(null) .setTransportInfo(new VpnTransportInfo(VpnManager.TYPE_VPN_NONE)) .build(); } /** Loading Loading @@ -1239,7 +1242,9 @@ public class Vpn { // registered with registerDefaultNetworkCallback. This in turn protects the invariant // that an app calling ConnectivityManager#bindProcessToNetwork(getDefaultNetwork()) // behaves the same as when it uses the default network. mNetworkCapabilities.addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); final NetworkCapabilities.Builder capsBuilder = new NetworkCapabilities.Builder(mNetworkCapabilities); capsBuilder.addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); mLegacyState = LegacyVpnInfo.STATE_CONNECTING; updateState(DetailedState.CONNECTING, "agentConnect"); Loading 
@@ -1247,21 +1252,22 @@ public class Vpn { NetworkAgentConfig networkAgentConfig = new NetworkAgentConfig.Builder().build(); networkAgentConfig.allowBypass = mConfig.allowBypass && !mLockdown; mNetworkCapabilities.setOwnerUid(mOwnerUID); mNetworkCapabilities.setAdministratorUids(new int[] {mOwnerUID}); mNetworkCapabilities.setUids(createUserAndRestrictedProfilesRanges(mUserId, capsBuilder.setOwnerUid(mOwnerUID); capsBuilder.setAdministratorUids(new int[] {mOwnerUID}); capsBuilder.setUids(createUserAndRestrictedProfilesRanges(mUserId, mConfig.allowedApplications, mConfig.disallowedApplications)); mNetworkCapabilities.setTransportInfo(new VpnTransportInfo(getActiveVpnType())); capsBuilder.setTransportInfo(new VpnTransportInfo(getActiveVpnType())); // Only apps targeting Q and above can explicitly declare themselves as metered. // These VPNs are assumed metered unless they state otherwise. if (mIsPackageTargetingAtLeastQ && mConfig.isMetered) { mNetworkCapabilities.removeCapability(NET_CAPABILITY_NOT_METERED); capsBuilder.removeCapability(NET_CAPABILITY_NOT_METERED); } else { mNetworkCapabilities.addCapability(NET_CAPABILITY_NOT_METERED); capsBuilder.addCapability(NET_CAPABILITY_NOT_METERED); } mNetworkCapabilities = capsBuilder.build(); mNetworkAgent = new NetworkAgent(mContext, mLooper, NETWORKTYPE /* logtag */, mNetworkCapabilities, lp, new NetworkScore.Builder().setLegacyInt(VPN_DEFAULT_SCORE).build(), Loading Loading @@ -1428,7 +1434,8 @@ public class Vpn { // restore old state mConfig = oldConfig; mConnection = oldConnection; mNetworkCapabilities.setUids(oldUsers); mNetworkCapabilities = new NetworkCapabilities.Builder(mNetworkCapabilities).setUids(oldUsers).build(); mNetworkAgent = oldNetworkAgent; mInterface = oldInterface; throw e; Loading Loading 
@@ -1578,7 +1585,8 @@ public class Vpn { try { addUserToRanges(existingRanges, userId, mConfig.allowedApplications, mConfig.disallowedApplications); mNetworkCapabilities.setUids(existingRanges); mNetworkCapabilities = new NetworkCapabilities.Builder(mNetworkCapabilities) .setUids(existingRanges).build(); } catch (Exception e) { Log.wtf(TAG, "Failed to add restricted user to owner", e); } Loading Loading @@ -1607,7 +1615,8 @@ public class Vpn { final List<Range<Integer>> removedRanges = uidRangesForUser(userId, existingRanges); existingRanges.removeAll(removedRanges); mNetworkCapabilities.setUids(existingRanges); mNetworkCapabilities = new NetworkCapabilities.Builder(mNetworkCapabilities) .setUids(existingRanges).build(); } catch (Exception e) { Log.wtf(TAG, "Failed to remove restricted user to owner", e); } Loading Loading @@ -1888,7 +1897,12 @@ public class Vpn { if (!isRunningLocked()) { return false; } return mNetworkCapabilities.appliesToUid(uid); final Set<Range<Integer>> uids = mNetworkCapabilities.getUids(); if (uids == null) return true; for (final Range<Integer> range : uids) { if (range.contains(uid)) return true; } return false; } /** Loading Loading
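Review bot: The reimplemented UID check in the hunk at 1897 treats a null UID set as matching every UID (`if (uids == null) return true;`), which reproduces the removed `NetworkCapabilities#appliesToUid` but leaves that permissive default undocumented in a method that decides whether the VPN covers a given UID; add `// A null UID set means the capabilities are unrestricted, so the VPN applies to every UID (same semantics as NetworkCapabilities#appliesToUid).` above that line. The enclosing method starts outside the hunk. Since `mNetworkCapabilities` is no longer `final` (hunk at 224) and is now reassigned wholesale in the 527, 1252, 1434, 1585 and 1615 hunks, the field's locking contract should be stated on the declaration — presumably the same lock that `isRunningLocked()` implies — so a reader of the new copy-and-replace pattern knows a concurrent reader cannot observe a half-built value (`@GuardedBy` if the file already uses it, otherwise a comment). In agentConnect (hunks 1242/1252) the capabilities are now only published at `mNetworkCapabilities = capsBuilder.build();`, after `updateState(DetailedState.CONNECTING, "agentConnect")` has run, whereas previously NET_CAPABILITY_INTERNET was added in place before that call; if anything reached from updateState reads the field, it now sees the pre-connect capabilities, so this window is worth confirming or closing by building before the state update.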
services/core/java/com/android/server/connectivity/Vpn.java +34 −20 Original line number Diff line number Diff line Loading @@ -19,11 +19,11 @@ package com.android.server.connectivity; import static android.Manifest.permission.BIND_VPN_SERVICE; import static android.net.ConnectivityManager.NETID_UNSET; import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_METERED; import static android.os.UserHandle.PER_USER_RANGE; import static android.net.RouteInfo.RTN_THROW; import static android.net.RouteInfo.RTN_UNREACHABLE; import static android.net.VpnManager.NOTIFICATION_CHANNEL_VPN; import static android.os.PowerWhitelistManager.REASON_VPN; import static android.os.UserHandle.PER_USER_RANGE; import static com.android.internal.util.Preconditions.checkArgument; import static com.android.internal.util.Preconditions.checkNotNull; Loading Loading @@ -224,7 +224,7 @@ public class Vpn { protected NetworkAgent mNetworkAgent; private final Looper mLooper; @VisibleForTesting protected final NetworkCapabilities mNetworkCapabilities; protected NetworkCapabilities mNetworkCapabilities; private final SystemServices mSystemServices; private final Ikev2SessionCreator mIkev2SessionCreator; private final UserManager mUserManager; Loading Loading 
@@ -461,11 +461,12 @@ public class Vpn { mLegacyState = LegacyVpnInfo.STATE_DISCONNECTED; mNetworkInfo = new NetworkInfo(ConnectivityManager.TYPE_VPN, 0 /* subtype */, NETWORKTYPE, "" /* subtypeName */); mNetworkCapabilities = new NetworkCapabilities(); mNetworkCapabilities.addTransportType(NetworkCapabilities.TRANSPORT_VPN); mNetworkCapabilities.removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN); mNetworkCapabilities.addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VCN_MANAGED); mNetworkCapabilities.setTransportInfo(new VpnTransportInfo(VpnManager.TYPE_VPN_NONE)); mNetworkCapabilities = new NetworkCapabilities.Builder() .addTransportType(NetworkCapabilities.TRANSPORT_VPN) .removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN) .addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VCN_MANAGED) .setTransportInfo(new VpnTransportInfo(VpnManager.TYPE_VPN_NONE)) .build(); loadAlwaysOnPackage(); } Loading Loading @@ -526,8 +527,10 @@ public class Vpn { } private void resetNetworkCapabilities() { mNetworkCapabilities.setUids(null); mNetworkCapabilities.setTransportInfo(new VpnTransportInfo(VpnManager.TYPE_VPN_NONE)); mNetworkCapabilities = new NetworkCapabilities.Builder(mNetworkCapabilities) .setUids(null) .setTransportInfo(new VpnTransportInfo(VpnManager.TYPE_VPN_NONE)) .build(); } /** Loading Loading @@ -1239,7 +1242,9 @@ public class Vpn { // registered with registerDefaultNetworkCallback. This in turn protects the invariant // that an app calling ConnectivityManager#bindProcessToNetwork(getDefaultNetwork()) // behaves the same as when it uses the default network. mNetworkCapabilities.addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); final NetworkCapabilities.Builder capsBuilder = new NetworkCapabilities.Builder(mNetworkCapabilities); capsBuilder.addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); mLegacyState = LegacyVpnInfo.STATE_CONNECTING; updateState(DetailedState.CONNECTING, "agentConnect"); Loading 
@@ -1247,21 +1252,22 @@ public class Vpn { NetworkAgentConfig networkAgentConfig = new NetworkAgentConfig.Builder().build(); networkAgentConfig.allowBypass = mConfig.allowBypass && !mLockdown; mNetworkCapabilities.setOwnerUid(mOwnerUID); mNetworkCapabilities.setAdministratorUids(new int[] {mOwnerUID}); mNetworkCapabilities.setUids(createUserAndRestrictedProfilesRanges(mUserId, capsBuilder.setOwnerUid(mOwnerUID); capsBuilder.setAdministratorUids(new int[] {mOwnerUID}); capsBuilder.setUids(createUserAndRestrictedProfilesRanges(mUserId, mConfig.allowedApplications, mConfig.disallowedApplications)); mNetworkCapabilities.setTransportInfo(new VpnTransportInfo(getActiveVpnType())); capsBuilder.setTransportInfo(new VpnTransportInfo(getActiveVpnType())); // Only apps targeting Q and above can explicitly declare themselves as metered. // These VPNs are assumed metered unless they state otherwise. if (mIsPackageTargetingAtLeastQ && mConfig.isMetered) { mNetworkCapabilities.removeCapability(NET_CAPABILITY_NOT_METERED); capsBuilder.removeCapability(NET_CAPABILITY_NOT_METERED); } else { mNetworkCapabilities.addCapability(NET_CAPABILITY_NOT_METERED); capsBuilder.addCapability(NET_CAPABILITY_NOT_METERED); } mNetworkCapabilities = capsBuilder.build(); mNetworkAgent = new NetworkAgent(mContext, mLooper, NETWORKTYPE /* logtag */, mNetworkCapabilities, lp, new NetworkScore.Builder().setLegacyInt(VPN_DEFAULT_SCORE).build(), Loading Loading @@ -1428,7 +1434,8 @@ public class Vpn { // restore old state mConfig = oldConfig; mConnection = oldConnection; mNetworkCapabilities.setUids(oldUsers); mNetworkCapabilities = new NetworkCapabilities.Builder(mNetworkCapabilities).setUids(oldUsers).build(); mNetworkAgent = oldNetworkAgent; mInterface = oldInterface; throw e; Loading Loading 
@@ -1578,7 +1585,8 @@ public class Vpn { try { addUserToRanges(existingRanges, userId, mConfig.allowedApplications, mConfig.disallowedApplications); mNetworkCapabilities.setUids(existingRanges); mNetworkCapabilities = new NetworkCapabilities.Builder(mNetworkCapabilities) .setUids(existingRanges).build(); } catch (Exception e) { Log.wtf(TAG, "Failed to add restricted user to owner", e); } Loading Loading @@ -1607,7 +1615,8 @@ public class Vpn { final List<Range<Integer>> removedRanges = uidRangesForUser(userId, existingRanges); existingRanges.removeAll(removedRanges); mNetworkCapabilities.setUids(existingRanges); mNetworkCapabilities = new NetworkCapabilities.Builder(mNetworkCapabilities) .setUids(existingRanges).build(); } catch (Exception e) { Log.wtf(TAG, "Failed to remove restricted user to owner", e); } Loading Loading @@ -1888,7 +1897,12 @@ public class Vpn { if (!isRunningLocked()) { return false; } return mNetworkCapabilities.appliesToUid(uid); final Set<Range<Integer>> uids = mNetworkCapabilities.getUids(); if (uids == null) return true; for (final Range<Integer> range : uids) { if (range.contains(uid)) return true; } return false; } /** Loading