
Commit cf6784bf authored by Bernie Innocenti, committed by android-build-team Robot

vpn: allow IPSec traffic through Always-on VPN

This won't leak any traffic outside the VPN as long as there are no
processes owned by uid 0 which generate network traffic (which is
currently the case).

Bug: 69873852
Test: compared the output of 'adb shell ip rule show' before and after
Test: runtest -x frameworks/base/tests/net/java/com/android/server/connectivity/VpnTest.java
Test: local CTS tests run: android.net.cts.VpnServiceTest
Test: local CTS tests run: com.android.cts.devicepolicy.MixedDeviceOwnerTest
Change-Id: I8758e576c9d961d73f62bfcf0559dd7ecee6e8e6
Merged-In: I8758e576c9d961d73f62bfcf0559dd7ecee6e8e6
Merged-In: I1f9b78c8f828ec2df7aba71b39d62be0c4db2550
Merged-In: I8edeb0942e661c8385ff0cd3fdb72e6f62a8f218
(cherry picked from commit 00000fe5)
(cherry picked from commit ae07a6bf)
parent 2de620f9
+14 −2
@@ -100,8 +100,6 @@ import com.android.server.DeviceIdleController;
import com.android.server.LocalServices;
import com.android.server.net.BaseNetworkObserver;

import libcore.io.IoUtils;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
@@ -123,6 +121,8 @@ import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.atomic.AtomicInteger;

import libcore.io.IoUtils;

/**
 * @hide
 */
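Review bot: the first two hunks together only relocate `import libcore.io.IoUtils;` from between the `com.android.server` group and the `java.*` group to after `java.util.concurrent.atomic.AtomicInteger`; this is an import-ordering cleanup with no functional effect, and it would read better as its own change rather than bundled with the UID-range logic in the third hunk, which is what the commit message and the Bug/Test lines actually describe.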
@@ -1327,6 +1327,18 @@ public class Vpn {
                    /* allowedApplications */ null,
                    /* disallowedApplications */ exemptedPackages);

            // The UID range of the first user (0-99999) would block the IPSec traffic, which comes
            // directly from the kernel and is marked as uid=0. So we adjust the range to allow
            // it through (b/69873852).
            for (UidRange range : addedRanges) {
                if (range.start == 0) {
                    addedRanges.remove(range);
                    if (range.stop != 0) {
                        addedRanges.add(new UidRange(1, range.stop));
                    }
                }
            }

            removedRanges.removeAll(addedRanges);
            addedRanges.removeAll(mBlockedUsers);
        }
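Review bot: the loop `for (UidRange range : addedRanges)` mutates the same collection it is iterating (`addedRanges.remove(range);` and `addedRanges.add(new UidRange(1, range.stop));`). With an enhanced-for loop that is only safe if the backing Set's iterator tolerates structural modification; otherwise it throws ConcurrentModificationException or, for array-backed sets, silently skips or revisits elements after the remove/add shifts the storage. Since at most one range can start at uid 0, the safer shape is to locate that range inside the loop (`if (range.start == 0) { rootRange = range; break; }`) and do the `remove`/`add` after the loop, or iterate over a copy. Separately, the commit message states that this is leak-free only while no uid-0 process generates network traffic; that precondition should be recorded in the code comment next to `(b/69873852)` so a later reader knows what would invalidate the exemption.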