
Commit 8ed8915e authored by junyulai's avatar junyulai

No-op refactoring of VPN lockdown status check.

Currently, if VPN lockdown is disabled, the blocking judgement
inside VPN returns false immediately. This makes it hard for
ConnectivityService to check the blocked status for a given
VPN lockdown status.

Thus, move this check into ConnectivityService and check it
externally.

Bug: 117814902
Test: 1. manual test with 3rd-party vpn app
      2. runtest frameworks-net

Change-Id: Ia8319b1a1a12f1058c24badf2431f2ec69bc78e7
parent a01c77a4
+2 −2
@@ -1143,7 +1143,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
        }
        synchronized (mVpns) {
            final Vpn vpn = mVpns.get(UserHandle.getUserId(uid));
            if (vpn != null && vpn.isBlockingUid(uid)) {
            if (vpn != null && vpn.getLockdown() && vpn.isBlockingUid(uid)) {
                return true;
            }
        }
@@ -1736,7 +1736,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
            // list all state depending on the return value of this function has to be recomputed.
            // TODO: add a trigger when the always-on VPN sets its blocked UIDs to reevaluate and
            // send the necessary onBlockedStatusChanged callbacks.
            if (vpn != null && vpn.isBlockingUid(uid)) {
            if (vpn != null && vpn.getLockdown() && vpn.isBlockingUid(uid)) {
                return true;
            }
        }
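Review bot: The blocking decision in both hunks is now two separate calls on `vpn`, so it is no longer evaluated under a single hold of the Vpn monitor, as it was when `isBlockingUid` tested `mLockdown` itself. Both call sites hold `mVpns`, but whether every writer of the lockdown flag also takes that lock is not visible on this page; if one does not, a lockdown toggle between the two calls can produce an answer that matches neither state. I would add a comment at both sites, such as `// Lockdown flag and blocked ranges are read in two steps; relies on mVpns being held by all lockdown writers.`, or move the combined predicate into one `synchronized` method on Vpn. The enclosing methods start and end outside both hunks.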
+14 −7
@@ -380,6 +380,15 @@ public class Vpn {
        }
    }

    /**
     * Check whether to prevent all traffic outside of a VPN even when the VPN is not connected.
     *
     * @return {@code true} if VPN lockdown is enabled.
     */
    public boolean getLockdown() {
        return mLockdown;
    }

    /**
     * Checks if a VPN app supports always-on mode.
     *
@@ -1533,17 +1542,15 @@ public class Vpn {
    }

    /**
     * @return {@code true} if {@param uid} is blocked by an always-on VPN.
     *         A UID is blocked if it's included in one of the mBlockedUsers ranges and the VPN is
     *         not connected, or if the VPN is connected but does not apply to the UID.
     * @param uid The target uid.
     *
     * @return {@code true} if {@code uid} is included in one of the mBlockedUsers ranges and the
     * VPN is not connected, or if the VPN is connected but does not apply to the {@code uid}.
     *
     * @apiNote This method don't check VPN lockdown status.
     * @see #mBlockedUsers
     */
    public synchronized boolean isBlockingUid(int uid) {
        if (!mLockdown) {
            return false;
        }

        if (mNetworkInfo.isConnected()) {
            return !appliesToUid(uid);
        } else {
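Review bot: The new `getLockdown()` reads `mLockdown` without taking the Vpn monitor, while `isBlockingUid`, which used to perform that read, is `synchronized`. Unless `mLockdown` is volatile or otherwise guarded (its declaration is not shown here), callers now lose the visibility guarantee for the flag that gates the always-on block. Declaring it `public synchronized boolean getLockdown() {` would keep the previous guarantee. The `@apiNote` should also state the caller's obligation, for example `@apiNote This method does not check VPN lockdown status; callers must check {@link #getLockdown()} themselves.` The body of `isBlockingUid` continues past the end of the hunk.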
+4 −2
@@ -507,13 +507,15 @@ public class VpnTest {

    private static void assertBlocked(Vpn vpn, int... uids) {
        for (int uid : uids) {
            assertTrue("Uid " + uid + " should be blocked", vpn.isBlockingUid(uid));
            final boolean blocked = vpn.getLockdown() && vpn.isBlockingUid(uid);
            assertTrue("Uid " + uid + " should be blocked", blocked);
        }
    }

    private static void assertUnblocked(Vpn vpn, int... uids) {
        for (int uid : uids) {
            assertFalse("Uid " + uid + " should not be blocked", vpn.isBlockingUid(uid));
            final boolean blocked = vpn.getLockdown() && vpn.isBlockingUid(uid);
            assertFalse("Uid " + uid + " should not be blocked", blocked);
        }
    }