Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_base / 7a050dfd572ba7b9b689011f12c611a1534bd200^! / .
commit7a050dfd572ba7b9b689011f12c611a1534bd200[log] [tgz]
authorChiachang Wang <chiachangwang@google.com>Tue Feb 04 02:48:20 2025 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Fri Mar 21 22:42:46 2025 -0700
tree3dc5dfff532c94f3e070ceb98596c0c90aaa5eee
parentb94e9942bb1f4c8d3e53c23c474fd4359db59b18 [diff]
Restrict the permission for accessing vpn profile

These vpn profile accessing methods are designed for priviledge
or the owner apps, and they should not be accessible for any
app without correct permission. As these methods are not yet
fully depolyed, restrict these methods with NETWORK_STACK or
PERMISSION_MAINLINE_NETWORK_STACK permission to prevent them
from being accessed from the unexpected apps.

Bug: 341046194
Bug: 341253275
Flag: EXEMPT bugfix
Test: atest VpnManagerServiceTest
Test: Enable vpn from a vpn app and accessing API without
      corresponding permission from other apps. Verify
      result by accessing these hidden methods.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a4919a563a38b2f28cf77b5cc3a8b1fb89b3d271)
Merged-In: If6fd058f40da88a4801b59187631e0c68b236ff5
Change-Id: If6fd058f40da88a4801b59187631e0c68b236ff5

diff --git a/services/core/java/com/android/server/VpnManagerService.java b/services/core/java/com/android/server/VpnManagerService.java
index 626fa70..7e68239 100644
--- a/services/core/java/com/android/server/VpnManagerService.java
+++ b/services/core/java/com/android/server/VpnManagerService.java

@@ -19,6 +19,7 @@
 import static android.Manifest.permission.NETWORK_STACK;
 
 import static com.android.net.module.util.PermissionUtils.enforceAnyPermissionOf;
+import static com.android.net.module.util.PermissionUtils.enforceNetworkStackPermission;
 
 import android.annotation.NonNull;
 import android.annotation.Nullable;
@@ -1020,6 +1021,8 @@
     @Override
     @Nullable
     public byte[] getFromVpnProfileStore(@NonNull String name) {
+        // TODO(b/307903113): Replace NETWORK_STACK permission and adopt proper permission
+        enforceNetworkStackPermission(mContext);
         return mVpnProfileStore.get(name);
     }
 
@@ -1037,6 +1040,8 @@
      */
     @Override
     public boolean putIntoVpnProfileStore(@NonNull String name, @NonNull byte[] blob) {
+        // TODO(b/307903113): Replace NETWORK_STACK permission and adopt proper permission
+        enforceNetworkStackPermission(mContext);
         return mVpnProfileStore.put(name, blob);
     }
 
@@ -1052,6 +1057,8 @@
      */
     @Override
     public boolean removeFromVpnProfileStore(@NonNull String name) {
+        // TODO(b/307903113): Replace NETWORK_STACK permission and adopt proper permission
+        enforceNetworkStackPermission(mContext);
         return mVpnProfileStore.remove(name);
     }
 
@@ -1069,6 +1076,8 @@
     @Override
     @NonNull
     public String[] listFromVpnProfileStore(@NonNull String prefix) {
+        // TODO(b/307903113): Replace NETWORK_STACK permission and adopt proper permission
+        enforceNetworkStackPermission(mContext);
         return mVpnProfileStore.list(prefix);
     }