Update language to comply with Android's inclusive language guidance

                Slog.w(TAG, "User " + userId + " has no Vpn configuration");

                return null;

            }

            return vpn.getLockdownWhitelist();

            return vpn.getLockdownAllowlist();

        }

    }

    }

    /**

     * Checks an IpSecConfig parcel to ensure that the contents are sane and throws an

     * Checks an IpSecConfig parcel to ensure that the contents are valid and throws an

     * IllegalArgumentException if they are not.

     */

    private void checkIpSecConfig(IpSecConfig config) {

    private static final boolean LOGD = true;

    // Length of time (in milliseconds) that an app hosting an always-on VPN is placed on

    // the device idle whitelist during service launch and VPN bootstrap.

    private static final long VPN_LAUNCH_IDLE_WHITELIST_DURATION_MS = 60 * 1000;

    // the device idle allowlist during service launch and VPN bootstrap.

    private static final long VPN_LAUNCH_IDLE_ALLOWLIST_DURATION_MS = 60 * 1000;

    // Settings for how much of the address space should be routed so that Vpn considers

    // "most" of the address space is routed. This is used to determine whether this Vpn

    // This is taken as a total of IPv4 + IPV6 routes for simplicity, but the algorithm

    // is actually O(n²)+O(n²).

    private static final int MAX_ROUTES_TO_EVALUATE = 150;

    private static final String LOCKDOWN_ALLOWLIST_SETTING_NAME =

            Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN_WHITELIST;

    /**

     * Largest profile size allowable for Platform VPNs.

     *

     * Set of packages in addition to the VPN app itself that can access the network directly when

     * VPN is not connected even if {@code mLockdown} is set.

     */

    private @NonNull List<String> mLockdownWhitelist = Collections.emptyList();

    private @NonNull List<String> mLockdownAllowlist = Collections.emptyList();

     /**

     * A memory of what UIDs this class told netd to block for the lockdown feature.

            }

        }

        if (!hadUnderlyingNetworks) {

            // No idea what the underlying networks are; assume sane defaults

            // No idea what the underlying networks are; assume the safer defaults

            metered = true;

            roaming = false;

            congested = false;

     *

     * @param packageName the package to designate as always-on VPN supplier.

     * @param lockdown whether to prevent traffic outside of a VPN, for example while connecting.

     * @param lockdownWhitelist packages to be whitelisted from lockdown.

     * @param lockdownAllowlist packages to be allowed from lockdown.

     * @param keyStore the Keystore instance to use for checking of PlatformVpnProfile(s)

     * @return {@code true} if the package has been set as always-on, {@code false} otherwise.

     */

    public synchronized boolean setAlwaysOnPackage(

            @Nullable String packageName,

            boolean lockdown,

            @Nullable List<String> lockdownWhitelist,

            @Nullable List<String> lockdownAllowlist,

            @NonNull KeyStore keyStore) {

        enforceControlPermissionOrInternalCaller();

        if (setAlwaysOnPackageInternal(packageName, lockdown, lockdownWhitelist, keyStore)) {

        if (setAlwaysOnPackageInternal(packageName, lockdown, lockdownAllowlist, keyStore)) {

            saveAlwaysOnPackage();

            return true;

        }

     *

     * @param packageName the package to designate as always-on VPN supplier.

     * @param lockdown whether to prevent traffic outside of a VPN, for example while connecting.

     * @param lockdownWhitelist packages to be whitelisted from lockdown. This is only used if

     * @param lockdownAllowlist packages to be allowed to bypass lockdown. This is only used if

     *     {@code lockdown} is {@code true}. Packages must not contain commas.

     * @param keyStore the system keystore instance to check for profiles

     * @return {@code true} if the package has been set as always-on, {@code false} otherwise.

    @GuardedBy("this")

    private boolean setAlwaysOnPackageInternal(

            @Nullable String packageName, boolean lockdown,

            @Nullable List<String> lockdownWhitelist, @NonNull KeyStore keyStore) {

            @Nullable List<String> lockdownAllowlist, @NonNull KeyStore keyStore) {

        if (VpnConfig.LEGACY_VPN.equals(packageName)) {

            Log.w(TAG, "Not setting legacy VPN \"" + packageName + "\" as always-on.");

            return false;

        }

        if (lockdownWhitelist != null) {

            for (String pkg : lockdownWhitelist) {

        if (lockdownAllowlist != null) {

            for (String pkg : lockdownAllowlist) {

                if (pkg.contains(",")) {

                    Log.w(TAG, "Not setting always-on vpn, invalid whitelisted package: " + pkg);

                    Log.w(TAG, "Not setting always-on vpn, invalid allowed package: " + pkg);

                    return false;

                }

            }

        }

        mLockdown = (mAlwaysOn && lockdown);

        mLockdownWhitelist = (mLockdown && lockdownWhitelist != null)

                ? Collections.unmodifiableList(new ArrayList<>(lockdownWhitelist))

        mLockdownAllowlist = (mLockdown && lockdownAllowlist != null)

                ? Collections.unmodifiableList(new ArrayList<>(lockdownAllowlist))

                : Collections.emptyList();

        if (isCurrentPreparedPackage(packageName)) {

    }

    /**

     * @return an immutable list of packages whitelisted from always-on VPN lockdown.

     * @return an immutable list of packages allowed to bypass always-on VPN lockdown.

     */

    public synchronized List<String> getLockdownWhitelist() {

        return mLockdown ? mLockdownWhitelist : null;

    public synchronized List<String> getLockdownAllowlist() {

        return mLockdown ? mLockdownAllowlist : null;

    }

    /**

            mSystemServices.settingsSecurePutIntForUser(Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN,

                    (mAlwaysOn && mLockdown ? 1 : 0), mUserHandle);

            mSystemServices.settingsSecurePutStringForUser(

                    Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN_WHITELIST,

                    String.join(",", mLockdownWhitelist), mUserHandle);

                    LOCKDOWN_ALLOWLIST_SETTING_NAME,

                    String.join(",", mLockdownAllowlist), mUserHandle);

        } finally {

            Binder.restoreCallingIdentity(token);

        }

                    Settings.Secure.ALWAYS_ON_VPN_APP, mUserHandle);

            final boolean alwaysOnLockdown = mSystemServices.settingsSecureGetIntForUser(

                    Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN, 0 /*default*/, mUserHandle) != 0;

            final String whitelistString = mSystemServices.settingsSecureGetStringForUser(

                    Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN_WHITELIST, mUserHandle);

            final List<String> whitelistedPackages = TextUtils.isEmpty(whitelistString)

                    ? Collections.emptyList() : Arrays.asList(whitelistString.split(","));

            final String allowlistString = mSystemServices.settingsSecureGetStringForUser(

                    LOCKDOWN_ALLOWLIST_SETTING_NAME, mUserHandle);

            final List<String> allowedPackages = TextUtils.isEmpty(allowlistString)

                    ? Collections.emptyList() : Arrays.asList(allowlistString.split(","));

            setAlwaysOnPackageInternal(

                    alwaysOnPackage, alwaysOnLockdown, whitelistedPackages, keyStore);

                    alwaysOnPackage, alwaysOnLockdown, allowedPackages, keyStore);

        } finally {

            Binder.restoreCallingIdentity(token);

        }

            DeviceIdleController.LocalService idleController =

                    LocalServices.getService(DeviceIdleController.LocalService.class);

            idleController.addPowerSaveTempWhitelistApp(Process.myUid(), alwaysOnPackage,

                    VPN_LAUNCH_IDLE_WHITELIST_DURATION_MS, mUserHandle, false, "vpn");

                    VPN_LAUNCH_IDLE_ALLOWLIST_DURATION_MS, mUserHandle, false, "vpn");

            // Start the VPN service declared in the app's manifest.

            Intent serviceIntent = new Intent(VpnConfig.SERVICE_INTERFACE);

        // applications have changed. Consider diffing UID ranges and only applying the delta.

        if (!Objects.equals(oldConfig.allowedApplications, mConfig.allowedApplications) ||

                !Objects.equals(oldConfig.disallowedApplications, mConfig.disallowedApplications)) {

            Log.i(TAG, "Handover not possible due to changes to whitelisted/blacklisted apps");

            Log.i(TAG, "Handover not possible due to changes to allowed/denied apps");

            return false;

        }

     * associated with one user, and any restricted profiles attached to that user.

     *

     * <p>If one of {@param allowedApplications} or {@param disallowedApplications} is provided,

     * the UID ranges will match the app whitelist or blacklist specified there. Otherwise, all UIDs

     * the UID ranges will match the app list specified there. Otherwise, all UIDs

     * in each user and profile will be included.

     *

     * @param userHandle The userId to create UID ranges for along with any of its restricted

     *                   profiles.

     * @param allowedApplications (optional) whitelist of applications to include.

     * @param disallowedApplications (optional) blacklist of applications to exclude.

     * @param allowedApplications (optional) List of applications to allow.

     * @param disallowedApplications (optional) List of applications to deny.

     */

    @VisibleForTesting

    Set<UidRange> createUserAndRestrictedProfilesRanges(@UserIdInt int userHandle,

     * associated with one user.

     *

     * <p>If one of {@param allowedApplications} or {@param disallowedApplications} is provided,

     * the UID ranges will match the app whitelist or blacklist specified there. Otherwise, all UIDs

     * the UID ranges will match the app allowlist or denylist specified there. Otherwise, all UIDs

     * in the user will be included.

     *

     * @param ranges {@link Set} of {@link UidRange}s to which to add.

     * @param userHandle The userId to add to {@param ranges}.

     * @param allowedApplications (optional) whitelist of applications to include.

     * @param disallowedApplications (optional) blacklist of applications to exclude.

     * @param allowedApplications (optional) allowlist of applications to include.

     * @param disallowedApplications (optional) denylist of applications to exclude.

     */

    @VisibleForTesting

    void addUserToRanges(@NonNull Set<UidRange> ranges, @UserIdInt int userHandle,

    /**

     * Restricts network access from all UIDs affected by this {@link Vpn}, apart from the VPN

     * service app itself and whitelisted packages, to only sockets that have had {@code protect()}

     * service app itself and allowed packages, to only sockets that have had {@code protect()}

     * called on them. All non-VPN traffic is blocked via a {@code PROHIBIT} response from the

     * kernel.

     *

        if (isNullOrLegacyVpn(mPackage)) {

            exemptedPackages = null;

        } else {

            exemptedPackages = new ArrayList<>(mLockdownWhitelist);

            exemptedPackages = new ArrayList<>(mLockdownAllowlist);

            exemptedPackages.add(mPackage);

        }

        final Set<UidRange> rangesToTellNetdToRemove = new ArraySet<>(mBlockedUidsAsToldToNetd);

     * Tell netd to add or remove a list of {@link UidRange}s to the list of UIDs that are only

     * allowed to make connections through sockets that have had {@code protect()} called on them.

     *

     * @param enforce {@code true} to add to the blacklist, {@code false} to remove.

     * @param enforce {@code true} to add to the denylist, {@code false} to remove.

     * @param ranges {@link Collection} of {@link UidRange}s to add (if {@param enforce} is

     *               {@code true}) or to remove.

     * @return {@code true} if all of the UIDs were added/removed. {@code false} otherwise,

    }

    @Test

    public void testUidWhiteAndBlacklist() throws Exception {

    public void testUidAllowAndDenylist() throws Exception {

        final Vpn vpn = createVpn(primaryUser.id);

        final UidRange user = UidRange.createForUser(primaryUser.id);

        final String[] packages = {PKGS[0], PKGS[1], PKGS[2]};

        // Whitelist

        // Allowed list

        final Set<UidRange> allow = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id,

                Arrays.asList(packages), null);

        assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] {

            new UidRange(user.start + PKG_UIDS[1], user.start + PKG_UIDS[2])

        })), allow);

        // Blacklist

        // Denied list

        final Set<UidRange> disallow = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id,

                null, Arrays.asList(packages));

        assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] {

    }

    @Test

    public void testLockdownWhitelist() throws Exception {

    public void testLockdownAllowlist() throws Exception {

        final Vpn vpn = createVpn(primaryUser.id);

        final UidRange user = UidRange.createForUser(primaryUser.id);

        // Set always-on with lockdown and whitelist app PKGS[2] from lockdown.

        // Set always-on with lockdown and allow app PKGS[2] from lockdown.

        assertTrue(vpn.setAlwaysOnPackage(

                PKGS[1], true, Collections.singletonList(PKGS[2]), mKeyStore));

        verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] {

        assertBlocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[3]);

        assertUnblocked(vpn, user.start + PKG_UIDS[1], user.start + PKG_UIDS[2]);

        // Change whitelisted app to PKGS[3].

        // Change allowed app list to PKGS[3].

        assertTrue(vpn.setAlwaysOnPackage(

                PKGS[1], true, Collections.singletonList(PKGS[3]), mKeyStore));

        verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] {

        assertBlocked(vpn, user.start + PKG_UIDS[1], user.start + PKG_UIDS[2]);

        assertUnblocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[3]);

        // Remove the whitelist.

        // Remove the list of allowed packages.

        assertTrue(vpn.setAlwaysOnPackage(PKGS[0], true, null, mKeyStore));

        verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] {

                new UidRange(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[3] - 1),

                user.start + PKG_UIDS[3]);

        assertUnblocked(vpn, user.start + PKG_UIDS[0]);

        // Add the whitelist.

        // Add the list of allowed packages.

        assertTrue(vpn.setAlwaysOnPackage(

                PKGS[0], true, Collections.singletonList(PKGS[1]), mKeyStore));

        verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] {

        assertBlocked(vpn, user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]);

        assertUnblocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[1]);

        // Try whitelisting a package with a comma, should be rejected.

        // Try allowing a package with a comma, should be rejected.

        assertFalse(vpn.setAlwaysOnPackage(

                PKGS[0], true, Collections.singletonList("a.b,c.d"), mKeyStore));

        // Pass a non-existent packages in the whitelist, they (and only they) should be ignored.

        // Whitelisted package should change from PGKS[1] to PKGS[2].

        // Pass a non-existent packages in the allowlist, they (and only they) should be ignored.

        // allowed package should change from PGKS[1] to PKGS[2].

        assertTrue(vpn.setAlwaysOnPackage(

                PKGS[0], true, Arrays.asList("com.foo.app", PKGS[2], "com.bar.app"), mKeyStore));

        verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[]{