Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d040b254 authored by Benedict Wong's avatar Benedict Wong
Browse files

Add new appop for Platform VPNs 

This change introduces a new appop, ACTIVATE_PLATFORM_VPN, that is a
subset of the ACTIVATE_VPN appop. VPN apps that have been granted the
more dangerous ACTIVATE_VPN appop should be allowed to use platform
VPNs, as they are more restricted, and safer. However, the opposite
must not be true.

Bug: 144246835
Test: Compiles, FrameworksNetTests passing
Change-Id: I609e87e688432f957751058b09f350fa641753d7
Merged-In: I609e87e688432f957751058b09f350fa641753d7
parent 5c76e6a4

core/java/android/app/AppOpsManager.java

+34 −2
Original line number Diff line number Diff line
@@ -720,7 +720,18 @@ public class AppOpsManager { 
    /** @hide Capture the device's display contents and/or audio */

    @UnsupportedAppUsage

    public static final int OP_PROJECT_MEDIA = 46;

    /** @hide Activate a VPN connection without user intervention. */



    /**

     * Start (without additional user intervention) a VPN connection, as used by {@link

     * android.net.VpnService} along with as Platform VPN connections, as used by {@link

     * android.net.VpnManager}

     *

     * <p>This appop is granted to apps that have already been given user consent to start

     * VpnService based VPN connections. As this is a superset of OP_ACTIVATE_PLATFORM_VPN, this

     * appop also allows the starting of Platform VPNs.

     *

     * @hide

     */

    @UnsupportedAppUsage

    public static final int OP_ACTIVATE_VPN = 47;

    /** @hide Access the WallpaperManagerAPI to write wallpapers. */
@@ -840,10 +851,21 @@ public class AppOpsManager { 
    public static final int OP_READ_DEVICE_IDENTIFIERS = 89;

    /** @hide Read location metadata from media */

    public static final int OP_ACCESS_MEDIA_LOCATION = 90;

    /**

     * Start (without additional user intervention) a Platform VPN connection, as used by {@link

     * android.net.VpnManager}

     *

     * <p>This appop is granted to apps that have already been given user consent to start Platform

     * VPN connections. This appop is insufficient to start VpnService based VPNs (but the opposite

     * is true).

     *

     * @hide

     */

    public static final int OP_ACTIVATE_PLATFORM_VPN = 91;



    /** @hide */

    @UnsupportedAppUsage

    public static final int _NUM_OP = 91;

    public static final int _NUM_OP = 92;



    /** Access to coarse location information. */

    public static final String OPSTR_COARSE_LOCATION = "android:coarse_location";
@@ -1122,6 +1144,8 @@ public class AppOpsManager { 
    public static final String OPSTR_ACCESS_ACCESSIBILITY = "android:access_accessibility";

    /** @hide Read device identifiers */

    public static final String OPSTR_READ_DEVICE_IDENTIFIERS = "android:read_device_identifiers";

    /** @hide Start Platform VPN without user intervention */

    public static final String OPSTR_ACTIVATE_PLATFORM_VPN = "android:activate_platform_vpn";



    // Warning: If an permission is added here it also has to be added to

    // com.android.packageinstaller.permission.utils.EventLogger
@@ -1285,6 +1309,7 @@ public class AppOpsManager { 
            OP_ACCESS_ACCESSIBILITY,            // ACCESS_ACCESSIBILITY

            OP_READ_DEVICE_IDENTIFIERS,         // READ_DEVICE_IDENTIFIERS

            OP_ACCESS_MEDIA_LOCATION,           // ACCESS_MEDIA_LOCATION

            OP_ACTIVATE_PLATFORM_VPN,           // ACTIVATE_PLATFORM_VPN

    };



    /**
@@ -1382,6 +1407,7 @@ public class AppOpsManager { 
            OPSTR_ACCESS_ACCESSIBILITY,

            OPSTR_READ_DEVICE_IDENTIFIERS,

            OPSTR_ACCESS_MEDIA_LOCATION,

            OPSTR_ACTIVATE_PLATFORM_VPN,

    };



    /**
@@ -1480,6 +1506,7 @@ public class AppOpsManager { 
            "ACCESS_ACCESSIBILITY",

            "READ_DEVICE_IDENTIFIERS",

            "ACCESS_MEDIA_LOCATION",

            "ACTIVATE_PLATFORM_VPN"

    };



    /**
@@ -1579,6 +1606,7 @@ public class AppOpsManager { 
            null, // no permission for OP_ACCESS_ACCESSIBILITY

            null, // no direct permission for OP_READ_DEVICE_IDENTIFIERS

            Manifest.permission.ACCESS_MEDIA_LOCATION,

            null, // no permission for OP_ACTIVATE_PLATFORM_VPN

    };



    /**
@@ -1678,6 +1706,7 @@ public class AppOpsManager { 
            null, // ACCESS_ACCESSIBILITY

            null, // READ_DEVICE_IDENTIFIERS

            null, // ACCESS_MEDIA_LOCATION

            null, // ACTIVATE_PLATFORM_VPN

    };



    /**
@@ -1776,6 +1805,7 @@ public class AppOpsManager { 
            false, // ACCESS_ACCESSIBILITY

            false, // READ_DEVICE_IDENTIFIERS

            false, // ACCESS_MEDIA_LOCATION

            false, // ACTIVATE_PLATFORM_VPN

    };



    /**
@@ -1873,6 +1903,7 @@ public class AppOpsManager { 
            AppOpsManager.MODE_ALLOWED, // ACCESS_ACCESSIBILITY

            AppOpsManager.MODE_ERRORED, // READ_DEVICE_IDENTIFIERS

            AppOpsManager.MODE_ALLOWED, // ALLOW_MEDIA_LOCATION

            AppOpsManager.MODE_IGNORED, // ACTIVATE_PLATFORM_VPN

    };



    /**
@@ -1974,6 +2005,7 @@ public class AppOpsManager { 
            false, // ACCESS_ACCESSIBILITY

            false, // READ_DEVICE_IDENTIFIERS

            false, // ACCESS_MEDIA_LOCATION

            false, // ACTIVATE_PLATFORM_VPN

    };



    /**