Set restrict local network aconfig flag for 26q2 dates
Local net protections are introduced in B as a developer opt-in on dev
builds; the feature flag is meant to be used when enforcement begins in
2026.
Bug: 396116600
Test: atest ConnectivityCoverageTests:android.net.connectivity.com.android.server.connectivity.PermissionMonitorTest
Change-Id: Id5e7a7cf825f10f90edd600ea2567cfe6efd2e98
diff --git a/common/flags.aconfig b/common/flags.aconfig
index 5f279fa..51b4fc0 100644
--- a/common/flags.aconfig
+++ b/common/flags.aconfig
@@ -171,6 +171,6 @@
is_exported: true
namespace: "android_core_networking"
description: "Flag for controlling access to the local network behind a new runtime permission. Requires ConnectivityCompatChanges.RESTRICT_LOCAL_NETWORK to enable feature."
- bug: "365139289"
+ bug: "388774939"
is_fixed_read_only: true
}
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index c743573..4fae73a 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -464,7 +464,7 @@
ToDo : Remove this method when SdkLevel.isAtLeastB() is fixed, aosp is at sdk level 36 or use
NetworkStackUtils.isAtLeast25Q2 when it is moved to a static lib.
*/
- private static boolean isAtLeast25Q2() {
+ public static boolean isAtLeast25Q2() {
return SdkLevel.isAtLeastB() || (SdkLevel.isAtLeastV()
&& "Baklava".equals(Build.VERSION.CODENAME));
}
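Review bot: The block comment above `isAtLeast25Q2()` still describes a private stop-gap to be removed, but the method is now public and, in this same commit, gates local-network permission handling in PermissionMonitor. The comment should name that caller so the planned removal also migrates it, for example `Also used by PermissionMonitor to gate local network restriction handling; update that caller when this method is removed.` Since the result now decides whether a protection is set up, it would also help to state what the `"Baklava".equals(Build.VERSION.CODENAME)` fallback is expected to return on release builds. The start of the comment is outside the hunk, so existing wording there may already cover part of this.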
diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java
index 0d388e8..737e27a 100755
--- a/service/src/com/android/server/connectivity/PermissionMonitor.java
+++ b/service/src/com/android/server/connectivity/PermissionMonitor.java
@@ -282,7 +282,8 @@
mContext = context;
mBpfNetMaps = bpfNetMaps;
mThread = thread;
- if (Flags.restrictLocalNetwork()) {
+ if (BpfNetMaps.isAtLeast25Q2()) {
+ // Local net restrictions is supported as a developer opt-in starting in Android B.
// This listener should finish registration by the time the system has completed
// boot setup such that any changes to runtime permissions for local network
// restrictions can only occur after this registration has completed.
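Review bot: The added comment does not say that `Flags.restrictLocalNetwork()` is deliberately no longer consulted here, while the flag's description in flags.aconfig still reads as if the flag controls the feature. Going by the commit message, the flag is reserved for enforcement in 2026, so the comment could say so: `// Gated on the platform release, not Flags.restrictLocalNetwork(); the flag is reserved for when enforcement begins.` With the flag dropped from this condition, listener registration on B and later has no build-time switch visible in this hunk, which is worth confirming as intended. The added line also reads better as "Local net restrictions are supported". The constructor body continues outside the hunk.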
@@ -1330,7 +1331,8 @@
// Flags.restrictLocalNetwork() is used to offer the feature to devices, but it will
// only be enforced when develoeprs choose to enable it.
// TODO(b/394567896): Update compat change checks
- if (CompatChanges.isChangeEnabled(RESTRICT_LOCAL_NETWORK, uid)) {
+ if (CompatChanges.isChangeEnabled(RESTRICT_LOCAL_NETWORK, uid)
+ && BpfNetMaps.isAtLeast25Q2()) {
// TODO(b/388803658): Update network permissions and record change
}
}
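Review bot: The context comment above the changed condition still says `Flags.restrictLocalNetwork()` is what offers the feature to devices, but the visible condition now relies on `BpfNetMaps.isAtLeast25Q2()` and the compat change only. Unless the flag is checked outside this hunk, update it to something like `// BpfNetMaps.isAtLeast25Q2() offers the feature to devices, but it is only enforced when developers choose to enable it.`, which also fixes the "develoeprs" typo. As a smaller style point, putting the static release check first reads more naturally and skips the per-uid compat lookup on older releases: `if (BpfNetMaps.isAtLeast25Q2() && CompatChanges.isChangeEnabled(RESTRICT_LOCAL_NETWORK, uid)) {`. The branch body is still only a TODO, so nothing is enforced on this path yet, and the enclosing method starts outside the hunk.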