Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Connectivity / c71cff88374c7f0fd5904ffce064caa5993657be^! / .
commitc71cff88374c7f0fd5904ffce064caa5993657be[log] [tgz]
authorLorenzo Colitti <lorenzo@google.com>Fri Jan 15 01:29:01 2021 +0900
committerLorenzo Colitti <lorenzo@google.com>Fri Feb 12 01:07:29 2021 +0900
treee0d2da0debab1da73429f507f36237aa4c56aa22
parent026fbb8a1fd6abfe69a135d4654c7701396a6f7e [diff]
Convert LockdownVpnTracker to NetworkCallbacks.

This will allow moving LockdownVpnTracker from the connectivity
to the VPN code. This requires moderate refactoring since it's
pretty tightly coupled to both.

In this CL:

1. Add an @hide API to tell ConnectivityService that legacy
   lockdown VPN is enabled. I chose not to use the existing
   setVpnRequiredForUids API because that method has specific
   semantics and because it will be required long term since
   it's used by non-legacy VPN types.

2. Instead of updating LockdownVpnTracker inline from the
   ConnectivityService handler thread, have it listen to
   NetworkCallbacks. This introduces an extra thread hop, but
   most of the interactions between the lockdown VPN and CS were
   via NetworkAgent, which is asynchronous anyway.

3. Add code to LegacyTypeTracker to send the extra
   CONNECTIVITY_ACTION broadcast for the underlying network type
   that is sent after the VPN connects. In order to do this, make
   Make LockdownVpnTracker specify its underlying network
   (via setUnderlyingNetworks) when it connects.

4. Reimplement LockdownVpnTracker#augmentNetworkInfo based on
   information that is available in ConnectivityService.

5. Remove the code in LockdownVpnTracker that counted errors.
   I think this code has not worked since lollipop, because
   ConnectivityService never sees NetworkInfo objects in state
   FAILED. This is because ConnectivityService only hears about
   NetworkInfo objects via NetworkAgents, and LegacyVpnRunner
   only registers its NetworkAgent when the connection succeeds.

Bug: 173331190
Test: passes existing tests in ConnectivityServiceTest
Change-Id: I66d18512882efd468ee0ecec61f28786a195b357

diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 0976b75..8437798 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java

@@ -1221,6 +1221,45 @@
     }
 
     /**
+     * Informs ConnectivityService of whether the legacy lockdown VPN, as implemented by
+     * LockdownVpnTracker, is in use. This is deprecated for new devices starting from Android 12
+     * but is still supported for backwards compatibility.
+     * <p>
+     * This type of VPN is assumed always to use the system default network, and must always declare
+     * exactly one underlying network, which is the network that was the default when the VPN
+     * connected.
+     * <p>
+     * Calling this method with {@code true} enables legacy behaviour, specifically:
+     * <ul>
+     *     <li>Any VPN that applies to userId 0 behaves specially with respect to deprecated
+     *     {@link #CONNECTIVITY_ACTION} broadcasts. Any such broadcasts will have the state in the
+     *     {@link #EXTRA_NETWORK_INFO} replaced by state of the VPN network. Also, any time the VPN
+     *     connects, a {@link #CONNECTIVITY_ACTION} broadcast will be sent for the network
+     *     underlying the VPN.</li>
+     *     <li>Deprecated APIs that return {@link NetworkInfo} objects will have their state
+     *     similarly replaced by the VPN network state.</li>
+     *     <li>Information on current network interfaces passed to NetworkStatsService will not
+     *     include any VPN interfaces.</li>
+     * </ul>
+     *
+     * @param enabled whether legacy lockdown VPN is enabled or disabled
+     *
+     * TODO: @SystemApi(client = MODULE_LIBRARIES)
+     *
+     * @hide
+     */
+    @RequiresPermission(anyOf = {
+            NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK,
+            android.Manifest.permission.NETWORK_SETTINGS})
+    public void setLegacyLockdownVpnEnabled(boolean enabled) {
+        try {
+            mService.setLegacyLockdownVpnEnabled(enabled);
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
+    }
+
+    /**
      * Returns details about the currently active default data network
      * for a given uid.  This is for internal use only to avoid spying
      * other apps.

diff --git a/framework/src/android/net/IConnectivityManager.aidl b/framework/src/android/net/IConnectivityManager.aidl
index f909d13..ab134eb 100644
--- a/framework/src/android/net/IConnectivityManager.aidl
+++ b/framework/src/android/net/IConnectivityManager.aidl

@@ -151,6 +151,7 @@
     boolean isVpnLockdownEnabled(int userId);
     List<String> getVpnLockdownWhitelist(int userId);
     void setRequireVpnForUids(boolean requireVpn, in UidRange[] ranges);
+    void setLegacyLockdownVpnEnabled(boolean enabled);
 
     void setProvisioningNotificationVisible(boolean visible, int networkType, in String action);