Unverified Commit a1a11fe1 authored by Tommy Webb, committed by Michael Bestas

Restrict apps without INTERNET permission

Ensure that apps which lack the INTERNET permission are not placed on
the restricted mode allowlist; however, also ensure that UidBlockedState
continues to *not* indicate such apps as restricted, in order to work
around issues this causes, like preventing such apps from knowing the
device is connected to a network even with ACCESS_NETWORK_STATE
(see calyxos#1266).

TODO: Handle above issue for INTERNET+blocked apps? See code comments.

Test: Manual: Install app without INTERNET permission. Check that
`adb shell dumpsys connectivity trafficcontroller` does not show
`RESTRICTED_MATCH` for its uid and `adb shell dumpsys netpolicy` *does*
show `REJECT_ALL` for its uid. Update to a variant with INTERNET.
Confirm the same. (Obtain uid using `adb shell pm list packages -U`.)

Issue: calyxos#2657
Reported-by: lucasmz
Related-Change-Id: I11e30bc0c1f8c722d2b5941c17d430dba942594d
Change-Id: I619ffd84d0b495212a98d09edd576f259a663673
parent afc7dde3
+17 −1
@@ -4832,8 +4832,9 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {

    @GuardedBy("mUidRulesFirstLock")
    private int updateBlockedReasonsForRestrictedModeUL(int uid) {
        final boolean isBlockedOnAllNetworks = isUidBlockedOnAllNetworks(uid);
        final boolean hasRestrictedModeAccess = hasRestrictedModeAccess(uid)
                || !isUidBlockedOnAllNetworks(uid);
                || !isBlockedOnAllNetworks;
        final int oldEffectiveBlockedReasons;
        final int newEffectiveBlockedReasons;
        final int uidRules;
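Review bot: The new local `isBlockedOnAllNetworks` needs a comment at its declaration, because it now has two consumers that can pull in opposite directions: it feeds the local `hasRestrictedModeAccess` here, and it is read again at the end of the method to force the return value. For a UID where `hasRestrictedModeAccess(uid)` is true and `isBlockedOnAllNetworks` is also true, the local stays true while the method still returns `BLOCKED_REASON_RESTRICTED_MODE`. A single line at the declaration stating that the flag is captured once so the stored blocked state and the allowlist decision are computed from the same snapshot would make that intent visible where the value is taken. Separately, the local `hasRestrictedModeAccess` shares its name with the method it calls; since the two now mean different things (blocked-state input versus allowlist membership), renaming the local would help readers.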
@@ -4864,6 +4865,21 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {

            postUidRulesChangedMsg(uid, uidRules);
        }
        // The result of this method is used solely to determine whether the UID belongs on the
        // restricted mode allowlist. If the UID is blocked on all networks, that should never
        // be the case. However, the blocked state that we assign here determines other things,
        // like whether an app with ACCESS_NETWORK_STATE can actually see the active network.
        // As of calyxos#1266, we have been working around this problem, but only for apps
        // without the INTERNET permission, for which the user has no network toggle available.
        // TODO: Now that we have decoupled the blocked state from a UID's actual placement on
        // the restricted mode allowlist (via the lines below), consider looking into a workaround
        // for apps that *do* have INTERNET permission but have their network toggle turned off,
        // so that we do not slightly privilege apps with neither INTERNET nor toggle. We might
        // not be able to do the same thing, though, or the firewall icon may not show such apps
        // as blocked; further research required.
        if (isBlockedOnAllNetworks) {
            return BLOCKED_REASON_RESTRICTED_MODE;
        }
        return newEffectiveBlockedReasons;
    }
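Review bot: The early `return BLOCKED_REASON_RESTRICTED_MODE;` at the end of the method discards every other bit in `newEffectiveBlockedReasons`, and it makes the return value differ from the state that was computed and posted via `postUidRulesChangedMsg(uid, uidRules)` above. The inline comment says the result is used solely for the allowlist decision, but that contract lives only in this comment block; a caller added later that inspects other reason bits would silently get the wrong answer. Consider either returning `newEffectiveBlockedReasons | BLOCKED_REASON_RESTRICTED_MODE` so the other bits survive, or stating in the method's Javadoc that the return value is an allowlist signal and not the UID's effective blocked reasons. The commit message lists only a manual test; a unit test asserting that a UID blocked on all networks yields this return value while its stored blocked state stays unrestricted would protect the decoupling from regressions, including the INTERNET-plus-toggle-off case the TODO leaves open.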