Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d7e71641 authored by Sreeram Ramachandran's avatar Sreeram Ramachandran
Browse files

Block address families by default in VpnService. 

If a VpnService only configures IPv4 addresses, routes and DNS servers, block
IPv6 by default, and vice versa. Also add an API to unblock a family without
needing to add an address, route or DNS server.

New API with stub implementation to be filled out later.

Bug: 15972465
Change-Id: I70d4d5c30ee71802610f6e16f100db6cbccef42c
parent 81c295e1

api/current.txt

+1 −0
Original line number Diff line number Diff line
@@ -16834,6 +16834,7 @@ package android.net { 
    method public android.net.VpnService.Builder addRoute(java.net.InetAddress, int);

    method public android.net.VpnService.Builder addRoute(java.lang.String, int);

    method public android.net.VpnService.Builder addSearchDomain(java.lang.String);

    method public android.net.VpnService.Builder allowFamily(int);

    method public android.os.ParcelFileDescriptor establish();

    method public android.net.VpnService.Builder setConfigureIntent(android.app.PendingIntent);

    method public android.net.VpnService.Builder setMtu(int);

core/java/android/net/VpnService.java

+44 −0
Original line number Diff line number Diff line
@@ -16,6 +16,9 @@ 


package android.net;



import static android.system.OsConstants.AF_INET;

import static android.system.OsConstants.AF_INET6;



import android.app.Activity;

import android.app.PendingIntent;

import android.app.Service;
@@ -360,6 +363,9 @@ public class VpnService extends Service { 
         * addresses are supported. At least one address must be set before

         * calling {@link #establish}.

         *

         * Adding an address implicitly allows traffic from that address family

         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily

         *

         * @throws IllegalArgumentException if the address is invalid.

         */

        public Builder addAddress(InetAddress address, int prefixLength) {
@@ -377,6 +383,9 @@ public class VpnService extends Service { 
         * using a numeric address string. See {@link InetAddress} for the

         * definitions of numeric address formats.

         *

         * Adding an address implicitly allows traffic from that address family

         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily

         *

         * @throws IllegalArgumentException if the address is invalid.

         * @see #addAddress(InetAddress, int)

         */
@@ -388,6 +397,9 @@ public class VpnService extends Service { 
         * Add a network route to the VPN interface. Both IPv4 and IPv6

         * routes are supported.

         *

         * Adding a route implicitly allows traffic from that address family

         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily

         *

         * @throws IllegalArgumentException if the route is invalid.

         */

        public Builder addRoute(InetAddress address, int prefixLength) {
@@ -411,6 +423,9 @@ public class VpnService extends Service { 
         * using a numeric address string. See {@link InetAddress} for the

         * definitions of numeric address formats.

         *

         * Adding a route implicitly allows traffic from that address family

         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily

         *

         * @throws IllegalArgumentException if the route is invalid.

         * @see #addRoute(InetAddress, int)

         */
@@ -423,6 +438,9 @@ public class VpnService extends Service { 
         * addresses are supported. If none is set, the DNS servers of

         * the default network will be used.

         *

         * Adding a server implicitly allows traffic from that address family

         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily

         *

         * @throws IllegalArgumentException if the address is invalid.

         */

        public Builder addDnsServer(InetAddress address) {
@@ -441,6 +459,9 @@ public class VpnService extends Service { 
         * using a numeric address string. See {@link InetAddress} for the

         * definitions of numeric address formats.

         *

         * Adding a server implicitly allows traffic from that address family

         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily

         *

         * @throws IllegalArgumentException if the address is invalid.

         * @see #addDnsServer(InetAddress)

         */
@@ -459,6 +480,29 @@ public class VpnService extends Service { 
            return this;

        }



        /**

         * Allows traffic from the specified address family.

         *

         * By default, if no address, route or DNS server of a specific family (IPv4 or IPv6) is

         * added to this VPN, then all outgoing traffic of that family is blocked. If any address,

         * route or DNS server is added, that family is allowed.

         *

         * This method allows an address family to be unblocked even without adding an address,

         * route or DNS server of that family. Traffic of that family will then typically

         * fall-through to the underlying network if it's supported.

         *

         * {@code family} must be either {@code AF_INET} (for IPv4) or {@code AF_INET6} (for IPv6).

         * {@link IllegalArgumentException} is thrown if it's neither.

         *

         * @param family The address family ({@code AF_INET} or {@code AF_INET6}) to allow.

         *

         * @return this {@link Builder} object to facilitate chaining of method calls.

         */

        public Builder allowFamily(int family) {

            // TODO

            return this;

        }



        /**

         * Create a VPN interface using the parameters supplied to this

         * builder. The interface works on IP packets, and a file descriptor