
Commit 9713e3e4 authored by Lorenzo Colitti's avatar Lorenzo Colitti Committed by Automerger Merge Worker

Merge changes Ic5750d4f,I9fa888c9,I4211475f am: b330b5b7 am: 301f376e am: bc481755

Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1547495

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ia036fad7b5070679f382410107a14b0dbfd951e6
parents 7d9d3ee7 bc481755
+21 −8
@@ -887,6 +887,13 @@ public class ConnectivityService extends IConnectivityManager.Stub
            return NetworkStackClient.getInstance();
            return NetworkStackClient.getInstance();
        }
        }


        /**
         * Get a reference to the system keystore.
         */
        public KeyStore getKeyStore() {
            return KeyStore.getInstance();
        }

        /**
        /**
         * @see ProxyTracker
         * @see ProxyTracker
         */
         */
@@ -981,7 +988,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
        mProxyTracker = mDeps.makeProxyTracker(mContext, mHandler);
        mProxyTracker = mDeps.makeProxyTracker(mContext, mHandler);


        mNetd = netd;
        mNetd = netd;
        mKeyStore = KeyStore.getInstance();
        mKeyStore = mDeps.getKeyStore();
        mTelephonyManager = (TelephonyManager) mContext.getSystemService(Context.TELEPHONY_SERVICE);
        mTelephonyManager = (TelephonyManager) mContext.getSystemService(Context.TELEPHONY_SERVICE);
        mAppOpsManager = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
        mAppOpsManager = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
        mLocationPermissionChecker = new LocationPermissionChecker(mContext);
        mLocationPermissionChecker = new LocationPermissionChecker(mContext);
@@ -4982,16 +4989,21 @@ public class ConnectivityService extends IConnectivityManager.Stub
        mVpnBlockedUidRanges = newVpnBlockedUidRanges;
        mVpnBlockedUidRanges = newVpnBlockedUidRanges;
    }
    }


    private boolean isLockdownVpnEnabled() {
        return mKeyStore.contains(Credentials.LOCKDOWN_VPN);
    }

    @Override
    @Override
    public boolean updateLockdownVpn() {
    public boolean updateLockdownVpn() {
        if (mDeps.getCallingUid() != Process.SYSTEM_UID) {
        if (mDeps.getCallingUid() != Process.SYSTEM_UID
            logw("Lockdown VPN only available to AID_SYSTEM");
                && Binder.getCallingPid() != Process.myPid()) {
            logw("Lockdown VPN only available to system process or AID_SYSTEM");
            return false;
            return false;
        }
        }


        synchronized (mVpns) {
        synchronized (mVpns) {
            // Tear down existing lockdown if profile was removed
            // Tear down existing lockdown if profile was removed
            mLockdownEnabled = LockdownVpnTracker.isEnabled();
            mLockdownEnabled = isLockdownVpnEnabled();
            if (mLockdownEnabled) {
            if (mLockdownEnabled) {
                byte[] profileTag = mKeyStore.get(Credentials.LOCKDOWN_VPN);
                byte[] profileTag = mKeyStore.get(Credentials.LOCKDOWN_VPN);
                if (profileTag == null) {
                if (profileTag == null) {
@@ -5012,7 +5024,8 @@ public class ConnectivityService extends IConnectivityManager.Stub
                    logw("VPN for user " + user + " not ready yet. Skipping lockdown");
                    logw("VPN for user " + user + " not ready yet. Skipping lockdown");
                    return false;
                    return false;
                }
                }
                setLockdownTracker(new LockdownVpnTracker(mContext, this, mHandler, vpn, profile));
                setLockdownTracker(
                        new LockdownVpnTracker(mContext, this, mHandler, mKeyStore, vpn,  profile));
            } else {
            } else {
                setLockdownTracker(null);
                setLockdownTracker(null);
            }
            }
@@ -5100,7 +5113,7 @@ public class ConnectivityService extends IConnectivityManager.Stub


        synchronized (mVpns) {
        synchronized (mVpns) {
            // Can't set always-on VPN if legacy VPN is already in lockdown mode.
            // Can't set always-on VPN if legacy VPN is already in lockdown mode.
            if (LockdownVpnTracker.isEnabled()) {
            if (isLockdownVpnEnabled()) {
                return false;
                return false;
            }
            }


@@ -5206,7 +5219,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
            }
            }
            userVpn = new Vpn(mHandler.getLooper(), mContext, mNMS, mNetd, userId, mKeyStore);
            userVpn = new Vpn(mHandler.getLooper(), mContext, mNMS, mNetd, userId, mKeyStore);
            mVpns.put(userId, userVpn);
            mVpns.put(userId, userVpn);
            if (mUserManager.getUserInfo(userId).isPrimary() && LockdownVpnTracker.isEnabled()) {
            if (mUserManager.getUserInfo(userId).isPrimary() && isLockdownVpnEnabled()) {
                updateLockdownVpn();
                updateLockdownVpn();
            }
            }
        }
        }
@@ -5290,7 +5303,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
    private void onUserUnlocked(int userId) {
    private void onUserUnlocked(int userId) {
        synchronized (mVpns) {
        synchronized (mVpns) {
            // User present may be sent because of an unlock, which might mean an unlocked keystore.
            // User present may be sent because of an unlock, which might mean an unlocked keystore.
            if (mUserManager.getUserInfo(userId).isPrimary() && LockdownVpnTracker.isEnabled()) {
            if (mUserManager.getUserInfo(userId).isPrimary() && isLockdownVpnEnabled()) {
                updateLockdownVpn();
                updateLockdownVpn();
            } else {
            } else {
                startAlwaysOnVpn(userId);
                startAlwaysOnVpn(userId);
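Review bot: The caller gate in `updateLockdownVpn()` now also passes when `Binder.getCallingPid() == Process.myPid()`, and the new code does not say why that is safe. `Binder.getCallingPid()` returns the process's own pid whenever the thread is not handling an incoming transaction, so this branch admits every in-process caller regardless of what `mDeps.getCallingUid()` reports; that looks intended for the internal calls from `onUserUnlocked` and the user-start path, but it should be stated next to the check. I would add a comment above the condition such as `// Calls made from inside this process are trusted; getCallingPid() is our own pid when no incoming transaction is being handled.` The PID is also read straight from `Binder` while the UID goes through `mDeps`, so the two halves of the gate cannot be substituted together in tests; reading both through `mDeps` would keep the check uniform. The body of `updateLockdownVpn()` continues outside the visible hunks.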
+10 −0
@@ -439,6 +439,11 @@ public class Vpn {
        mEnableTeardown = enableTeardown;
        mEnableTeardown = enableTeardown;
    }
    }


    @VisibleForTesting
    public boolean getEnableTeardown() {
        return mEnableTeardown;
    }

    /**
    /**
     * Update current state, dispatching event to listeners.
     * Update current state, dispatching event to listeners.
     */
     */
@@ -2146,6 +2151,11 @@ public class Vpn {


        // Start a new LegacyVpnRunner and we are done!
        // Start a new LegacyVpnRunner and we are done!
        mVpnRunner = new LegacyVpnRunner(config, racoon, mtpd, profile);
        mVpnRunner = new LegacyVpnRunner(config, racoon, mtpd, profile);
        startLegacyVpnRunner();
    }

    @VisibleForTesting
    protected void startLegacyVpnRunner() {
        mVpnRunner.start();
        mVpnRunner.start();
    }
    }
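Review bot: `startLegacyVpnRunner()` is added as a `protected`, overridable method with no Javadoc, so nothing tells a subclass that an override which skips `mVpnRunner.start()` leaves the newly created runner un-started. I would document it as a test seam, for example `/** Starts mVpnRunner; overridable only so tests can avoid starting the real runner. */`. `getEnableTeardown()` is `public` and would benefit from a one-line Javadoc as well, e.g. `/** Returns whether teardown is enabled; exposed for tests. */`. The method that now calls `startLegacyVpnRunner()` begins outside the hunk.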


+4 −6
@@ -34,7 +34,6 @@ import android.net.NetworkInfo;
import android.net.NetworkInfo.DetailedState;
import android.net.NetworkInfo.DetailedState;
import android.net.NetworkInfo.State;
import android.net.NetworkInfo.State;
import android.os.Handler;
import android.os.Handler;
import android.security.Credentials;
import android.security.KeyStore;
import android.security.KeyStore;
import android.text.TextUtils;
import android.text.TextUtils;
import android.util.Log;
import android.util.Log;
@@ -70,6 +69,7 @@ public class LockdownVpnTracker {
    @NonNull private final Handler mHandler;
    @NonNull private final Handler mHandler;
    @NonNull private final Vpn mVpn;
    @NonNull private final Vpn mVpn;
    @NonNull private final VpnProfile mProfile;
    @NonNull private final VpnProfile mProfile;
    @NonNull private final KeyStore mKeyStore;


    @NonNull private final Object mStateLock = new Object();
    @NonNull private final Object mStateLock = new Object();


@@ -81,13 +81,10 @@ public class LockdownVpnTracker {


    private int mErrorCount;
    private int mErrorCount;


    public static boolean isEnabled() {
        return KeyStore.getInstance().contains(Credentials.LOCKDOWN_VPN);
    }

    public LockdownVpnTracker(@NonNull Context context,
    public LockdownVpnTracker(@NonNull Context context,
            @NonNull ConnectivityService connService,
            @NonNull ConnectivityService connService,
            @NonNull Handler handler,
            @NonNull Handler handler,
            @NonNull KeyStore keyStore,
            @NonNull Vpn vpn,
            @NonNull Vpn vpn,
            @NonNull VpnProfile profile) {
            @NonNull VpnProfile profile) {
        mContext = Objects.requireNonNull(context);
        mContext = Objects.requireNonNull(context);
@@ -95,6 +92,7 @@ public class LockdownVpnTracker {
        mHandler = Objects.requireNonNull(handler);
        mHandler = Objects.requireNonNull(handler);
        mVpn = Objects.requireNonNull(vpn);
        mVpn = Objects.requireNonNull(vpn);
        mProfile = Objects.requireNonNull(profile);
        mProfile = Objects.requireNonNull(profile);
        mKeyStore = Objects.requireNonNull(keyStore);
        mNotificationManager = mContext.getSystemService(NotificationManager.class);
        mNotificationManager = mContext.getSystemService(NotificationManager.class);


        final Intent configIntent = new Intent(ACTION_VPN_SETTINGS);
        final Intent configIntent = new Intent(ACTION_VPN_SETTINGS);
@@ -157,7 +155,7 @@ public class LockdownVpnTracker {
                try {
                try {
                    // Use the privileged method because Lockdown VPN is initiated by the system, so
                    // Use the privileged method because Lockdown VPN is initiated by the system, so
                    // no additional permission checks are necessary.
                    // no additional permission checks are necessary.
                    mVpn.startLegacyVpnPrivileged(mProfile, KeyStore.getInstance(), egressProp);
                    mVpn.startLegacyVpnPrivileged(mProfile, mKeyStore, egressProp);
                } catch (IllegalStateException e) {
                } catch (IllegalStateException e) {
                    mAcceptedEgressIface = null;
                    mAcceptedEgressIface = null;
                    Log.e(TAG, "Failed to start VPN", e);
                    Log.e(TAG, "Failed to start VPN", e);
+311 −50

File changed.

Preview size limit exceeded, changes collapsed.