Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ad4cd0c0 authored by Lorenzo Colitti's avatar Lorenzo Colitti
Browse files

Allow root and system to bypass the always-on VPN firewall rules 

This is needed to allow the always-on VPN to survive network
switches. In L, network switches are graceful, and in order to
switch to a network, the system first has to validate it using
DNS requests (from netd, running as root) and HTTP requests
(from NetworkMonitor, running inside the system_server).

This should also allow always-on VPN to work on networks like
T-Mobile that use 464xlat, fixing a bug that has been present
since K.

Bug: 9597277
Bug: 17695048
Change-Id: I0daa5707f2139339f9ececde0e73aac3bf23fdc3
parent 02c7abac

services/core/java/com/android/server/net/LockdownVpnTracker.java

+10 −0
Original line number Diff line number Diff line
@@ -35,6 +35,7 @@ import android.os.INetworkManagementService; 
import android.os.RemoteException;

import android.security.Credentials;

import android.security.KeyStore;

import android.system.Os;

import android.text.TextUtils;

import android.util.Slog;
@@ -64,6 +65,8 @@ public class LockdownVpnTracker { 
    private static final String ACTION_VPN_SETTINGS = "android.net.vpn.SETTINGS";

    private static final String EXTRA_PICK_LOCKDOWN = "android.net.vpn.PICK_LOCKDOWN";



    private static final int ROOT_UID = 0;



    private final Context mContext;

    private final INetworkManagementService mNetService;

    private final ConnectivityService mConnService;
@@ -193,6 +196,9 @@ public class LockdownVpnTracker { 
                    setFirewallEgressSourceRule(addr, true);

                }



                mNetService.setFirewallUidRule(ROOT_UID, true);

                mNetService.setFirewallUidRule(Os.getuid(), true);



                mErrorCount = 0;

                mAcceptedIface = iface;

                mAcceptedSourceAddr = sourceAddrs;
@@ -279,6 +285,10 @@ public class LockdownVpnTracker { 
                for (LinkAddress addr : mAcceptedSourceAddr) {

                    setFirewallEgressSourceRule(addr, false);

                }



                mNetService.setFirewallUidRule(ROOT_UID, false);

                mNetService.setFirewallUidRule(Os.getuid(), false);



                mAcceptedSourceAddr = null;

            }

        } catch (RemoteException e) {