Loading packages/NetworkStack/src/com/android/server/connectivity/NetworkMonitor.java +17 −3 Original line number Diff line number Diff line Loading @@ -520,6 +520,9 @@ public class NetworkMonitor extends StateMachine { return NetworkMonitorUtils.isValidationRequired(mNetworkCapabilities); } private boolean isPrivateDnsValidationRequired() { return NetworkMonitorUtils.isPrivateDnsValidationRequired(mNetworkCapabilities); } private void notifyNetworkTested(int result, @Nullable String redirectUrl) { try { Loading Loading @@ -607,7 +610,7 @@ public class NetworkMonitor extends StateMachine { return HANDLED; case CMD_PRIVATE_DNS_SETTINGS_CHANGED: { final PrivateDnsConfig cfg = (PrivateDnsConfig) message.obj; if (!isValidationRequired() || cfg == null || !cfg.inStrictMode()) { if (!isPrivateDnsValidationRequired() || cfg == null || !cfg.inStrictMode()) { // No DNS resolution required. // // We don't force any validation in opportunistic mode Loading Loading @@ -843,9 +846,20 @@ public class NetworkMonitor extends StateMachine { // the network so don't bother validating here. Furthermore sending HTTP // packets over the network may be undesirable, for example an extremely // expensive metered network, or unwanted leaking of the User Agent string. // // On networks that need to support private DNS in strict mode (e.g., VPNs, but // not networks that don't provide Internet access), we still need to perform // private DNS server resolution. if (!isValidationRequired()) { validationLog("Network would not satisfy default request, not validating"); if (isPrivateDnsValidationRequired()) { validationLog("Network would not satisfy default request, " + "resolving private DNS"); transitionTo(mEvaluatingPrivateDnsState); } else { validationLog("Network would not satisfy default request, " + "not validating"); transitionTo(mValidatedState); } return HANDLED; } mEvaluateAttempts++; Loading services/core/java/com/android/server/ConnectivityService.java +5 −5 Original line number Diff line number Diff line Loading @@ -40,7 +40,7 @@ import static android.net.NetworkCapabilities.NET_CAPABILITY_VALIDATED; import static android.net.NetworkCapabilities.TRANSPORT_VPN; import static android.net.NetworkPolicyManager.RULE_NONE; import static android.net.NetworkPolicyManager.uidRulesToString; import static android.net.shared.NetworkMonitorUtils.isValidationRequired; import static android.net.shared.NetworkMonitorUtils.isPrivateDnsValidationRequired; import static android.os.Process.INVALID_UID; import static android.system.OsConstants.IPPROTO_TCP; import static android.system.OsConstants.IPPROTO_UDP; Loading Loading @@ -2824,8 +2824,8 @@ public class ConnectivityService extends IConnectivityManager.Stub } } private boolean networkRequiresValidation(NetworkAgentInfo nai) { return isValidationRequired(nai.networkCapabilities); private boolean networkRequiresPrivateDnsValidation(NetworkAgentInfo nai) { return isPrivateDnsValidationRequired(nai.networkCapabilities); } private void handleFreshlyValidatedNetwork(NetworkAgentInfo nai) { Loading @@ -2843,7 +2843,7 @@ public class ConnectivityService extends IConnectivityManager.Stub for (NetworkAgentInfo nai : mNetworkAgentInfos.values()) { handlePerNetworkPrivateDnsConfig(nai, cfg); if (networkRequiresValidation(nai)) { if (networkRequiresPrivateDnsValidation(nai)) { handleUpdateLinkProperties(nai, new LinkProperties(nai.linkProperties)); } } Loading @@ -2852,7 +2852,7 @@ public class ConnectivityService extends IConnectivityManager.Stub private void handlePerNetworkPrivateDnsConfig(NetworkAgentInfo nai, PrivateDnsConfig cfg) { // Private DNS only ever applies to networks that might provide // Internet access and therefore also require validation. if (!networkRequiresValidation(nai)) return; if (!networkRequiresPrivateDnsValidation(nai)) return; // Notify the NetworkAgentInfo/NetworkMonitor in case NetworkMonitor needs to cancel or // schedule DNS resolutions. If a DNS resolution is required the Loading services/core/java/com/android/server/connectivity/ConnectivityConstants.java +1 −1 Original line number Diff line number Diff line Loading @@ -29,7 +29,7 @@ public class ConnectivityConstants { // // This ensures that a) the explicitly selected network is never trumped by anything else, and // b) the explicitly selected network is never torn down. public static final int MAXIMUM_NETWORK_SCORE = 100; public static final int EXPLICITLY_SELECTED_NETWORK_SCORE = 100; // VPNs typically have priority over other networks. Give them a score that will // let them win every single time. public static final int VPN_DEFAULT_SCORE = 101; Loading services/core/java/com/android/server/connectivity/NetworkAgentInfo.java +2 −2 Original line number Diff line number Diff line Loading @@ -483,11 +483,11 @@ public class NetworkAgentInfo implements Comparable<NetworkAgentInfo> { // down an explicitly selected network before the user gets a chance to prefer it when // a higher-scoring network (e.g., Ethernet) is available. if (networkMisc.explicitlySelected && (networkMisc.acceptUnvalidated || pretendValidated)) { return ConnectivityConstants.MAXIMUM_NETWORK_SCORE; return ConnectivityConstants.EXPLICITLY_SELECTED_NETWORK_SCORE; } int score = currentScore; if (!lastValidated && !pretendValidated && !ignoreWifiUnvalidationPenalty()) { if (!lastValidated && !pretendValidated && !ignoreWifiUnvalidationPenalty() && !isVPN()) { score -= ConnectivityConstants.UNVALIDATED_SCORE_PENALTY; } if (score < 0) score = 0; Loading services/net/java/android/net/shared/NetworkMonitorUtils.java +12 −5 Original line number Diff line number Diff line Loading @@ -43,16 +43,23 @@ public class NetworkMonitorUtils { "android.permission.ACCESS_NETWORK_CONDITIONS"; /** * Return whether validation is required for a network. * @param dfltNetCap Default requested network capabilities. * Return whether validation is required for private DNS in strict mode. * @param nc Network capabilities of the network to test. */ public static boolean isValidationRequired(NetworkCapabilities nc) { public static boolean isPrivateDnsValidationRequired(NetworkCapabilities nc) { // TODO: Consider requiring validation for DUN networks. return nc != null && nc.hasCapability(NET_CAPABILITY_INTERNET) && nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) && nc.hasCapability(NET_CAPABILITY_TRUSTED) && nc.hasCapability(NET_CAPABILITY_NOT_VPN); && nc.hasCapability(NET_CAPABILITY_TRUSTED); } /** * Return whether validation is required for a network. * @param nc Network capabilities of the network to test. */ public static boolean isValidationRequired(NetworkCapabilities nc) { // TODO: Consider requiring validation for DUN networks. return isPrivateDnsValidationRequired(nc) && nc.hasCapability(NET_CAPABILITY_NOT_VPN); } } Loading
packages/NetworkStack/src/com/android/server/connectivity/NetworkMonitor.java +17 −3 Original line number Diff line number Diff line Loading @@ -520,6 +520,9 @@ public class NetworkMonitor extends StateMachine { return NetworkMonitorUtils.isValidationRequired(mNetworkCapabilities); } private boolean isPrivateDnsValidationRequired() { return NetworkMonitorUtils.isPrivateDnsValidationRequired(mNetworkCapabilities); } private void notifyNetworkTested(int result, @Nullable String redirectUrl) { try { Loading Loading @@ -607,7 +610,7 @@ public class NetworkMonitor extends StateMachine { return HANDLED; case CMD_PRIVATE_DNS_SETTINGS_CHANGED: { final PrivateDnsConfig cfg = (PrivateDnsConfig) message.obj; if (!isValidationRequired() || cfg == null || !cfg.inStrictMode()) { if (!isPrivateDnsValidationRequired() || cfg == null || !cfg.inStrictMode()) { // No DNS resolution required. // // We don't force any validation in opportunistic mode Loading Loading @@ -843,9 +846,20 @@ public class NetworkMonitor extends StateMachine { // the network so don't bother validating here. Furthermore sending HTTP // packets over the network may be undesirable, for example an extremely // expensive metered network, or unwanted leaking of the User Agent string. // // On networks that need to support private DNS in strict mode (e.g., VPNs, but // not networks that don't provide Internet access), we still need to perform // private DNS server resolution. if (!isValidationRequired()) { validationLog("Network would not satisfy default request, not validating"); if (isPrivateDnsValidationRequired()) { validationLog("Network would not satisfy default request, " + "resolving private DNS"); transitionTo(mEvaluatingPrivateDnsState); } else { validationLog("Network would not satisfy default request, " + "not validating"); transitionTo(mValidatedState); } return HANDLED; } mEvaluateAttempts++; Loading
services/core/java/com/android/server/ConnectivityService.java +5 −5 Original line number Diff line number Diff line Loading @@ -40,7 +40,7 @@ import static android.net.NetworkCapabilities.NET_CAPABILITY_VALIDATED; import static android.net.NetworkCapabilities.TRANSPORT_VPN; import static android.net.NetworkPolicyManager.RULE_NONE; import static android.net.NetworkPolicyManager.uidRulesToString; import static android.net.shared.NetworkMonitorUtils.isValidationRequired; import static android.net.shared.NetworkMonitorUtils.isPrivateDnsValidationRequired; import static android.os.Process.INVALID_UID; import static android.system.OsConstants.IPPROTO_TCP; import static android.system.OsConstants.IPPROTO_UDP; Loading Loading @@ -2824,8 +2824,8 @@ public class ConnectivityService extends IConnectivityManager.Stub } } private boolean networkRequiresValidation(NetworkAgentInfo nai) { return isValidationRequired(nai.networkCapabilities); private boolean networkRequiresPrivateDnsValidation(NetworkAgentInfo nai) { return isPrivateDnsValidationRequired(nai.networkCapabilities); } private void handleFreshlyValidatedNetwork(NetworkAgentInfo nai) { Loading @@ -2843,7 +2843,7 @@ public class ConnectivityService extends IConnectivityManager.Stub for (NetworkAgentInfo nai : mNetworkAgentInfos.values()) { handlePerNetworkPrivateDnsConfig(nai, cfg); if (networkRequiresValidation(nai)) { if (networkRequiresPrivateDnsValidation(nai)) { handleUpdateLinkProperties(nai, new LinkProperties(nai.linkProperties)); } } Loading @@ -2852,7 +2852,7 @@ public class ConnectivityService extends IConnectivityManager.Stub private void handlePerNetworkPrivateDnsConfig(NetworkAgentInfo nai, PrivateDnsConfig cfg) { // Private DNS only ever applies to networks that might provide // Internet access and therefore also require validation. if (!networkRequiresValidation(nai)) return; if (!networkRequiresPrivateDnsValidation(nai)) return; // Notify the NetworkAgentInfo/NetworkMonitor in case NetworkMonitor needs to cancel or // schedule DNS resolutions. If a DNS resolution is required the Loading
services/core/java/com/android/server/connectivity/ConnectivityConstants.java +1 −1 Original line number Diff line number Diff line Loading @@ -29,7 +29,7 @@ public class ConnectivityConstants { // // This ensures that a) the explicitly selected network is never trumped by anything else, and // b) the explicitly selected network is never torn down. public static final int MAXIMUM_NETWORK_SCORE = 100; public static final int EXPLICITLY_SELECTED_NETWORK_SCORE = 100; // VPNs typically have priority over other networks. Give them a score that will // let them win every single time. public static final int VPN_DEFAULT_SCORE = 101; Loading
services/core/java/com/android/server/connectivity/NetworkAgentInfo.java +2 −2 Original line number Diff line number Diff line Loading @@ -483,11 +483,11 @@ public class NetworkAgentInfo implements Comparable<NetworkAgentInfo> { // down an explicitly selected network before the user gets a chance to prefer it when // a higher-scoring network (e.g., Ethernet) is available. if (networkMisc.explicitlySelected && (networkMisc.acceptUnvalidated || pretendValidated)) { return ConnectivityConstants.MAXIMUM_NETWORK_SCORE; return ConnectivityConstants.EXPLICITLY_SELECTED_NETWORK_SCORE; } int score = currentScore; if (!lastValidated && !pretendValidated && !ignoreWifiUnvalidationPenalty()) { if (!lastValidated && !pretendValidated && !ignoreWifiUnvalidationPenalty() && !isVPN()) { score -= ConnectivityConstants.UNVALIDATED_SCORE_PENALTY; } if (score < 0) score = 0; Loading
services/net/java/android/net/shared/NetworkMonitorUtils.java +12 −5 Original line number Diff line number Diff line Loading @@ -43,16 +43,23 @@ public class NetworkMonitorUtils { "android.permission.ACCESS_NETWORK_CONDITIONS"; /** * Return whether validation is required for a network. * @param dfltNetCap Default requested network capabilities. * Return whether validation is required for private DNS in strict mode. * @param nc Network capabilities of the network to test. */ public static boolean isValidationRequired(NetworkCapabilities nc) { public static boolean isPrivateDnsValidationRequired(NetworkCapabilities nc) { // TODO: Consider requiring validation for DUN networks. return nc != null && nc.hasCapability(NET_CAPABILITY_INTERNET) && nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) && nc.hasCapability(NET_CAPABILITY_TRUSTED) && nc.hasCapability(NET_CAPABILITY_NOT_VPN); && nc.hasCapability(NET_CAPABILITY_TRUSTED); } /** * Return whether validation is required for a network. * @param nc Network capabilities of the network to test. */ public static boolean isValidationRequired(NetworkCapabilities nc) { // TODO: Consider requiring validation for DUN networks. return isPrivateDnsValidationRequired(nc) && nc.hasCapability(NET_CAPABILITY_NOT_VPN); } }
