Merge "Update VPN app exclusion list when packages are added or removed" am: 1af24cfdbf am: 5583658286 am: 1da9a8ec6e am: e5e33d71fb am: eaa809568c
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/2106205
Change-Id: I6897699fe6635473302fc52e6a06ca2db9a46c41
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/services/core/java/com/android/server/VpnManagerService.java b/services/core/java/com/android/server/VpnManagerService.java
index d3ef6be..07b6843 100644
--- a/services/core/java/com/android/server/VpnManagerService.java
+++ b/services/core/java/com/android/server/VpnManagerService.java
@@ -45,6 +45,7 @@
import android.os.Handler;
import android.os.HandlerThread;
import android.os.INetworkManagementService;
+import android.os.Looper;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.os.ServiceManager;
@@ -131,6 +132,12 @@
return INetworkManagementService.Stub.asInterface(
ServiceManager.getService(Context.NETWORKMANAGEMENT_SERVICE));
}
+
+ /** Create a VPN. */
+ public Vpn createVpn(Looper looper, Context context, INetworkManagementService nms,
+ INetd netd, int userId) {
+ return new Vpn(looper, context, nms, netd, userId, new VpnProfileStore());
+ }
}
public VpnManagerService(Context context, Dependencies deps) {
@@ -688,6 +695,7 @@
// Listen to package add and removal events for all users.
intentFilter = new IntentFilter();
+ intentFilter.addAction(Intent.ACTION_PACKAGE_ADDED);
intentFilter.addAction(Intent.ACTION_PACKAGE_REPLACED);
intentFilter.addAction(Intent.ACTION_PACKAGE_REMOVED);
intentFilter.addDataScheme("package");
@@ -738,6 +746,10 @@
final boolean isReplacing = intent.getBooleanExtra(
Intent.EXTRA_REPLACING, false);
onPackageRemoved(packageName, uid, isReplacing);
+ } else if (Intent.ACTION_PACKAGE_ADDED.equals(action)) {
+ final boolean isReplacing = intent.getBooleanExtra(
+ Intent.EXTRA_REPLACING, false);
+ onPackageAdded(packageName, uid, isReplacing);
} else {
Log.wtf(TAG, "received unexpected intent: " + action);
}
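Review bot: The new `ACTION_PACKAGE_ADDED` branch repeats the `EXTRA_REPLACING` read from the `ACTION_PACKAGE_REMOVED` branch above it word for word, so the two branches now differ only in the method they call. Reading the extra once before the branches, `final boolean isReplacing = intent.getBooleanExtra(Intent.EXTRA_REPLACING, false);`, would keep the default value in a single place. The receiver method starts and ends outside this hunk, so whether the other branches would tolerate the hoisted local needs checking there.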
@@ -757,15 +769,15 @@
}
};
- private void onUserStarted(int userId) {
+ @VisibleForTesting
+ void onUserStarted(int userId) {
synchronized (mVpns) {
Vpn userVpn = mVpns.get(userId);
if (userVpn != null) {
loge("Starting user already has a VPN");
return;
}
- userVpn = new Vpn(mHandler.getLooper(), mContext, mNMS, mNetd, userId,
- new VpnProfileStore());
+ userVpn = mDeps.createVpn(mHandler.getLooper(), mContext, mNMS, mNetd, userId);
mVpns.put(userId, userVpn);
if (mUserManager.getUserInfo(userId).isPrimary() && isLockdownVpnEnabled()) {
updateLockdownVpn();
@@ -842,7 +854,8 @@
}
}
- private void onPackageRemoved(String packageName, int uid, boolean isReplacing) {
+ @VisibleForTesting
+ void onPackageRemoved(String packageName, int uid, boolean isReplacing) {
if (TextUtils.isEmpty(packageName) || uid < 0) {
Log.wtf(TAG, "Invalid package in onPackageRemoved: " + packageName + " | " + uid);
return;
@@ -851,15 +864,34 @@
final int userId = UserHandle.getUserId(uid);
synchronized (mVpns) {
final Vpn vpn = mVpns.get(userId);
- if (vpn == null) {
+ if (vpn == null || isReplacing) {
return;
}
// Legacy always-on VPN won't be affected since the package name is not set.
- if (TextUtils.equals(vpn.getAlwaysOnPackage(), packageName) && !isReplacing) {
+ if (TextUtils.equals(vpn.getAlwaysOnPackage(), packageName)) {
log("Removing always-on VPN package " + packageName + " for user "
+ userId);
vpn.setAlwaysOnPackage(null, false, null);
}
+
+ vpn.refreshPlatformVpnAppExclusionList();
+ }
+ }
+
+ @VisibleForTesting
+ void onPackageAdded(String packageName, int uid, boolean isReplacing) {
+ if (TextUtils.isEmpty(packageName) || uid < 0) {
+ Log.wtf(TAG, "Invalid package in onPackageAdded: " + packageName + " | " + uid);
+ return;
+ }
+
+ final int userId = UserHandle.getUserId(uid);
+ synchronized (mVpns) {
+ final Vpn vpn = mVpns.get(userId);
+
+ if (vpn != null && !isReplacing) {
+ vpn.refreshPlatformVpnAppExclusionList();
+ }
}
}
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index 5b282ce..4e5ce8a 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -4085,6 +4085,20 @@
@NonNull List<String> excludedApps) {
enforceNotRestrictedUser();
if (!storeAppExclusionList(packageName, excludedApps)) return false;
+
+ updateAppExclusionList(excludedApps);
+
+ return true;
+ }
+
+ /**
+ * Triggers an update of the VPN network's excluded UIDs if a VPN is running.
+ */
+ public synchronized void refreshPlatformVpnAppExclusionList() {
+ updateAppExclusionList(getAppExclusionList(mPackage));
+ }
+
+ private synchronized void updateAppExclusionList(@NonNull List<String> excludedApps) {
// Re-build and update NetworkCapabilities via NetworkAgent.
if (mNetworkAgent != null) {
// Only update the platform VPN
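Review bot: `refreshPlatformVpnAppExclusionList()` is reached from the package broadcast path rather than from a binder call, yet it goes through `getAppExclusionList(mPackage)`, whose body is outside this hunk. If that getter applies the same `enforceNotRestrictedUser()` check that `setAppExclusionList` makes at the top of this hunk, a package event for a restricted user would throw on the handler thread; that should be confirmed. Independently, the lookup runs even when no VPN is up, so I would start the method with `if (mNetworkAgent == null) return;` and have the Javadoc say it is called with no caller identity to check. `updateAppExclusionList` continues past the end of this hunk.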
@@ -4097,8 +4111,6 @@
mNetworkAgent.sendNetworkCapabilities(mNetworkCapabilities);
}
}
-
- return true;
}
/**