Revert "Add blocked reason for internet permission"
This reverts commit ee96ba0e607bc34e8e7be3623ea8efcb4a70eff4.
Reason for revert: Droidmonitor triggered revert due to b/342557183. Will be verifying through ABTD before submission.
Change-Id: I7e185c3ac11da27c7bb9d95e4221f7dfc22cf48c
diff --git a/common/flags.aconfig b/common/flags.aconfig
index 6c3e89d..55a96ac 100644
--- a/common/flags.aconfig
+++ b/common/flags.aconfig
@@ -99,11 +99,3 @@
description: "Flag for oem deny chains blocked reasons API"
bug: "328732146"
}
-
-flag {
- name: "blocked_reason_network_restricted"
- is_exported: true
- namespace: "android_core_networking"
- description: "Flag for BLOCKED_REASON_NETWORK_RESTRICTED API"
- bug: "339559837"
-}
diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt
index cd7307f..d233f3e 100644
--- a/framework/api/module-lib-current.txt
+++ b/framework/api/module-lib-current.txt
@@ -51,7 +51,6 @@
field public static final int BLOCKED_REASON_DOZE = 2; // 0x2
field public static final int BLOCKED_REASON_LOCKDOWN_VPN = 16; // 0x10
field public static final int BLOCKED_REASON_LOW_POWER_STANDBY = 32; // 0x20
- field @FlaggedApi("com.android.net.flags.blocked_reason_network_restricted") public static final int BLOCKED_REASON_NETWORK_RESTRICTED = 256; // 0x100
field public static final int BLOCKED_REASON_NONE = 0; // 0x0
field @FlaggedApi("com.android.net.flags.blocked_reason_oem_deny_chains") public static final int BLOCKED_REASON_OEM_DENY = 128; // 0x80
field public static final int BLOCKED_REASON_RESTRICTED_MODE = 8; // 0x8
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 0b37fa5..48ed732 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -132,8 +132,6 @@
"com.android.net.flags.metered_network_firewall_chains";
static final String BLOCKED_REASON_OEM_DENY_CHAINS =
"com.android.net.flags.blocked_reason_oem_deny_chains";
- static final String BLOCKED_REASON_NETWORK_RESTRICTED =
- "com.android.net.flags.blocked_reason_network_restricted";
}
/**
@@ -930,17 +928,6 @@
public static final int BLOCKED_REASON_OEM_DENY = 1 << 7;
/**
- * Flag to indicate that an app does not have permission to access the specified network,
- * for example, because it does not have the {@link android.Manifest.permission#INTERNET}
- * permission.
- *
- * @hide
- */
- @FlaggedApi(Flags.BLOCKED_REASON_NETWORK_RESTRICTED)
- @SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
- public static final int BLOCKED_REASON_NETWORK_RESTRICTED = 1 << 8;
-
- /**
* Flag to indicate that an app is subject to Data saver restrictions that would
* result in its metered network access being blocked.
*
@@ -981,7 +968,6 @@
BLOCKED_REASON_LOW_POWER_STANDBY,
BLOCKED_REASON_APP_BACKGROUND,
BLOCKED_REASON_OEM_DENY,
- BLOCKED_REASON_NETWORK_RESTRICTED,
BLOCKED_METERED_REASON_DATA_SAVER,
BLOCKED_METERED_REASON_USER_RESTRICTED,
BLOCKED_METERED_REASON_ADMIN_DISABLED,
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 519391f..cc8eef8 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -38,7 +38,6 @@
import static android.net.ConnectivityManager.BLOCKED_METERED_REASON_MASK;
import static android.net.ConnectivityManager.BLOCKED_REASON_LOCKDOWN_VPN;
import static android.net.ConnectivityManager.BLOCKED_REASON_NONE;
-import static android.net.ConnectivityManager.BLOCKED_REASON_NETWORK_RESTRICTED;
import static android.net.ConnectivityManager.CALLBACK_IP_CHANGED;
import static android.net.ConnectivityManager.CONNECTIVITY_ACTION;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_BACKGROUND;
@@ -11210,7 +11209,7 @@
final boolean metered = nai.networkCapabilities.isMetered();
final boolean vpnBlocked = isUidBlockedByVpn(nri.mAsUid, mVpnBlockedUidRanges);
callCallbackForRequest(nri, nai, ConnectivityManager.CALLBACK_AVAILABLE,
- getBlockedState(nri.mAsUid, blockedReasons, metered, vpnBlocked));
+ getBlockedState(blockedReasons, metered, vpnBlocked));
}
// Notify the requests on this NAI that the network is now lingered.
@@ -11219,21 +11218,7 @@
notifyNetworkCallbacks(nai, ConnectivityManager.CALLBACK_LOSING, lingerTime);
}
- private int getPermissionBlockedState(final int uid, final int reasons) {
- // Before V, the blocked reasons come from NPMS, and that code already behaves as if the
- // change was disabled: apps without the internet permission will never be told they are
- // blocked.
- if (!mDeps.isAtLeastV()) return reasons;
-
- if (hasInternetPermission(uid)) return reasons;
-
- return mDeps.isChangeEnabled(NETWORK_BLOCKED_WITHOUT_INTERNET_PERMISSION, uid)
- ? reasons | BLOCKED_REASON_NETWORK_RESTRICTED
- : BLOCKED_REASON_NONE;
- }
-
- private int getBlockedState(int uid, int reasons, boolean metered, boolean vpnBlocked) {
- reasons = getPermissionBlockedState(uid, reasons);
+ private static int getBlockedState(int reasons, boolean metered, boolean vpnBlocked) {
if (!metered) reasons &= ~BLOCKED_METERED_REASON_MASK;
return vpnBlocked
? reasons | BLOCKED_REASON_LOCKDOWN_VPN
@@ -11274,10 +11259,8 @@
? isUidBlockedByVpn(nri.mAsUid, newBlockedUidRanges)
: oldVpnBlocked;
- final int oldBlockedState = getBlockedState(
- nri.mAsUid, blockedReasons, oldMetered, oldVpnBlocked);
- final int newBlockedState = getBlockedState(
- nri.mAsUid, blockedReasons, newMetered, newVpnBlocked);
+ final int oldBlockedState = getBlockedState(blockedReasons, oldMetered, oldVpnBlocked);
+ final int newBlockedState = getBlockedState(blockedReasons, newMetered, newVpnBlocked);
if (oldBlockedState != newBlockedState) {
callCallbackForRequest(nri, nai, ConnectivityManager.CALLBACK_BLK_CHANGED,
newBlockedState);
@@ -11296,9 +11279,8 @@
final boolean vpnBlocked = isUidBlockedByVpn(uid, mVpnBlockedUidRanges);
final int oldBlockedState = getBlockedState(
- uid, mUidBlockedReasons.get(uid, BLOCKED_REASON_NONE), metered, vpnBlocked);
- final int newBlockedState =
- getBlockedState(uid, blockedReasons, metered, vpnBlocked);
+ mUidBlockedReasons.get(uid, BLOCKED_REASON_NONE), metered, vpnBlocked);
+ final int newBlockedState = getBlockedState(blockedReasons, metered, vpnBlocked);
if (oldBlockedState == newBlockedState) {
continue;
}
diff --git a/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt b/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
index 06bdca6..d2e46af 100644
--- a/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
+++ b/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
@@ -27,7 +27,6 @@
import android.net.ConnectivityManager
import android.net.IDnsResolver
import android.net.INetd
-import android.net.INetd.PERMISSION_INTERNET
import android.net.LinkProperties
import android.net.NetworkCapabilities.NET_CAPABILITY_CAPTIVE_PORTAL
import android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET
@@ -226,9 +225,6 @@
override fun getSystemProperties() = mock(MockableSystemProperties::class.java)
override fun makeNetIdManager() = TestNetIdManager()
override fun getBpfNetMaps(context: Context?, netd: INetd?) = mock(BpfNetMaps::class.java)
- .also {
- doReturn(PERMISSION_INTERNET).`when`(it).getNetPermForUid(anyInt())
- }
override fun isChangeEnabled(changeId: Long, uid: Int) = true
override fun makeMultinetworkPolicyTracker(
diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 44a8222..6e63807 100755
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -53,7 +53,6 @@
import static android.net.ConnectivityManager.BLOCKED_METERED_REASON_MASK;
import static android.net.ConnectivityManager.BLOCKED_METERED_REASON_USER_RESTRICTED;
import static android.net.ConnectivityManager.BLOCKED_REASON_BATTERY_SAVER;
-import static android.net.ConnectivityManager.BLOCKED_REASON_DOZE;
import static android.net.ConnectivityManager.BLOCKED_REASON_NONE;
import static android.net.ConnectivityManager.CONNECTIVITY_ACTION;
import static android.net.ConnectivityManager.EXTRA_DEVICE_TYPE;
@@ -9881,28 +9880,6 @@
assertNetworkInfo(TYPE_MOBILE, DetailedState.CONNECTED);
assertExtraInfoFromCmPresent(mCellAgent);
- // Remove PERMISSION_INTERNET and disable NETWORK_BLOCKED_WITHOUT_INTERNET_PERMISSION
- doReturn(INetd.PERMISSION_NONE).when(mBpfNetMaps).getNetPermForUid(Process.myUid());
- mDeps.setChangeIdEnabled(false,
- NETWORK_BLOCKED_WITHOUT_INTERNET_PERMISSION, Process.myUid());
-
- setBlockedReasonChanged(BLOCKED_REASON_DOZE);
- if (mDeps.isAtLeastV()) {
- // On V+, network access from app that does not have INTERNET permission is considered
- // not blocked if NETWORK_BLOCKED_WITHOUT_INTERNET_PERMISSION is disabled.
- // So blocked status does not change from BLOCKED_REASON_NONE
- cellNetworkCallback.assertNoCallback();
- detailedCallback.assertNoCallback();
- } else {
- // On U-, onBlockedStatusChanged callback is called with blocked reasons CS receives
- // from NPMS callback regardless of permission app has.
- // Note that this cannot actually happen because on U-, NPMS will never notify any
- // blocked reasons for apps that don't have the INTERNET permission.
- cellNetworkCallback.expect(BLOCKED_STATUS, mCellAgent, cb -> cb.getBlocked());
- detailedCallback.expect(BLOCKED_STATUS_INT, mCellAgent,
- cb -> cb.getReason() == BLOCKED_REASON_DOZE);
- }
-
mCm.unregisterNetworkCallback(cellNetworkCallback);
}
diff --git a/tests/unit/java/com/android/server/connectivityservice/CSBlockedReasonsTest.kt b/tests/unit/java/com/android/server/connectivityservice/CSBlockedReasonsTest.kt
index 0590fbb..2694916 100644
--- a/tests/unit/java/com/android/server/connectivityservice/CSBlockedReasonsTest.kt
+++ b/tests/unit/java/com/android/server/connectivityservice/CSBlockedReasonsTest.kt
@@ -20,7 +20,6 @@
import android.net.ConnectivityManager.BLOCKED_METERED_REASON_USER_RESTRICTED
import android.net.ConnectivityManager.BLOCKED_REASON_APP_BACKGROUND
import android.net.ConnectivityManager.BLOCKED_REASON_DOZE
-import android.net.ConnectivityManager.BLOCKED_REASON_NETWORK_RESTRICTED
import android.net.ConnectivityManager.BLOCKED_REASON_NONE
import android.net.ConnectivityManager.FIREWALL_CHAIN_BACKGROUND
import android.net.ConnectivityManager.FIREWALL_CHAIN_DOZABLE
@@ -28,7 +27,6 @@
import android.net.ConnectivityManager.FIREWALL_RULE_ALLOW
import android.net.ConnectivityManager.FIREWALL_RULE_DENY
import android.net.ConnectivitySettingsManager
-import android.net.INetd.PERMISSION_NONE
import android.net.Network
import android.net.NetworkCapabilities
import android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET
@@ -38,7 +36,6 @@
import android.net.NetworkCapabilities.TRANSPORT_CELLULAR
import android.net.NetworkCapabilities.TRANSPORT_WIFI
import android.net.NetworkRequest
-import android.net.connectivity.ConnectivityCompatChanges.NETWORK_BLOCKED_WITHOUT_INTERNET_PERMISSION
import android.os.Build
import android.os.Process
import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo
@@ -147,12 +144,6 @@
cm.setDataSaverEnabled(false)
cellCb.expectBlockedStatusChanged(cellAgent.network, BLOCKED_REASON_APP_BACKGROUND)
- // waitForIdle since stubbing bpfNetMaps while CS handler thread calls
- // bpfNetMaps.getNetPermForUid throws exception.
- // The expectBlockedStatusChanged just above guarantees that the onBlockedStatusChanged
- // method on this callback was called, but it does not guarantee that ConnectivityService
- // has finished processing all onBlockedStatusChanged callbacks for all requests.
- waitForIdle()
// Enable data saver
doReturn(BLOCKED_REASON_APP_BACKGROUND or BLOCKED_METERED_REASON_DATA_SAVER)
.`when`(bpfNetMaps).getUidNetworkingBlockedReasons(Process.myUid())
@@ -195,12 +186,6 @@
blockedReason = BLOCKED_REASON_DOZE
)
- // waitForIdle since stubbing bpfNetMaps while CS handler thread calls
- // bpfNetMaps.getNetPermForUid throws exception.
- // The expectBlockedStatusChanged just above guarantees that the onBlockedStatusChanged
- // method on this callback was called, but it does not guarantee that ConnectivityService
- // has finished processing all onBlockedStatusChanged callbacks for all requests.
- waitForIdle()
// Set RULE_ALLOW on metered deny chain
doReturn(BLOCKED_REASON_DOZE)
.`when`(bpfNetMaps).getUidNetworkingBlockedReasons(Process.myUid())
@@ -358,61 +343,4 @@
cm.unregisterNetworkCallback(wifiCb)
cm.unregisterNetworkCallback(cb)
}
-
- private fun doTestBlockedReasonsNoInternetPermission(blockedByNoInternetPermission: Boolean) {
- doReturn(PERMISSION_NONE).`when`(bpfNetMaps).getNetPermForUid(Process.myUid())
-
- val wifiCb = DetailedBlockedStatusCallback()
- cm.requestNetwork(wifiRequest(), wifiCb)
- val wifiAgent = Agent(nc = wifiNc())
- wifiAgent.connect()
- val expectedBlockedReason = if (blockedByNoInternetPermission) {
- BLOCKED_REASON_NETWORK_RESTRICTED
- } else {
- BLOCKED_REASON_NONE
- }
- wifiCb.expectAvailableCallbacks(
- wifiAgent.network,
- validated = false,
- blockedReason = expectedBlockedReason
- )
-
- // Enable background firewall chain
- doReturn(BLOCKED_REASON_APP_BACKGROUND)
- .`when`(bpfNetMaps).getUidNetworkingBlockedReasons(Process.myUid())
- cm.setFirewallChainEnabled(FIREWALL_CHAIN_BACKGROUND, true)
- if (blockedByNoInternetPermission) {
- wifiCb.expectBlockedStatusChanged(
- wifiAgent.network,
- BLOCKED_REASON_NETWORK_RESTRICTED or BLOCKED_REASON_APP_BACKGROUND
- )
- }
-
- // Disable background firewall chain
- doReturn(BLOCKED_REASON_NONE)
- .`when`(bpfNetMaps).getUidNetworkingBlockedReasons(Process.myUid())
- cm.setFirewallChainEnabled(FIREWALL_CHAIN_BACKGROUND, false)
- if (blockedByNoInternetPermission) {
- wifiCb.expectBlockedStatusChanged(
- wifiAgent.network,
- BLOCKED_REASON_NETWORK_RESTRICTED
- )
- } else {
- // No callback is expected since blocked reasons does not change from
- // BLOCKED_REASON_NONE.
- wifiCb.assertNoCallback()
- }
- }
-
- @Test
- fun testBlockedReasonsNoInternetPermission_changeDisabled() {
- deps.setChangeIdEnabled(false, NETWORK_BLOCKED_WITHOUT_INTERNET_PERMISSION)
- doTestBlockedReasonsNoInternetPermission(blockedByNoInternetPermission = false)
- }
-
- @Test
- fun testBlockedReasonsNoInternetPermission_changeEnabled() {
- deps.setChangeIdEnabled(true, NETWORK_BLOCKED_WITHOUT_INTERNET_PERMISSION)
- doTestBlockedReasonsNoInternetPermission(blockedByNoInternetPermission = true)
- }
}
diff --git a/tests/unit/java/com/android/server/connectivityservice/CSIngressDiscardRuleTests.kt b/tests/unit/java/com/android/server/connectivityservice/CSIngressDiscardRuleTests.kt
index 93f6e81..bb7fb51 100644
--- a/tests/unit/java/com/android/server/connectivityservice/CSIngressDiscardRuleTests.kt
+++ b/tests/unit/java/com/android/server/connectivityservice/CSIngressDiscardRuleTests.kt
@@ -37,7 +37,6 @@
import com.android.testutils.TestableNetworkCallback
import org.junit.Test
import org.junit.runner.RunWith
-import org.mockito.InOrder
import org.mockito.Mockito.inOrder
import org.mockito.Mockito.never
import org.mockito.Mockito.timeout
@@ -97,11 +96,6 @@
private val LOCAL_IPV6_ADDRRESS = InetAddresses.parseNumericAddress("fe80::1234")
private val LOCAL_IPV6_LINK_ADDRRESS = LinkAddress(LOCAL_IPV6_ADDRRESS, 64)
- fun verifyNoMoreIngressDiscardRuleChange(inorder: InOrder) {
- inorder.verify(bpfNetMaps, never()).setIngressDiscardRule(any(), any())
- inorder.verify(bpfNetMaps, never()).removeIngressDiscardRule(any())
- }
-
@Test
fun testVpnIngressDiscardRule_UpdateVpnAddress() {
// non-VPN network whose address will be not duplicated with VPN address
@@ -154,7 +148,7 @@
// IngressDiscardRule is added to the VPN address
inorder.verify(bpfNetMaps).setIngressDiscardRule(IPV6_ADDRESS, VPN_IFNAME)
- verifyNoMoreIngressDiscardRuleChange(inorder)
+ inorder.verifyNoMoreInteractions()
// The VPN interface name is changed
val newlp = lp(VPN_IFNAME2, IPV6_LINK_ADDRESS, LOCAL_IPV6_LINK_ADDRRESS)
@@ -163,7 +157,7 @@
// IngressDiscardRule is updated with the new interface name
inorder.verify(bpfNetMaps).setIngressDiscardRule(IPV6_ADDRESS, VPN_IFNAME2)
- verifyNoMoreIngressDiscardRuleChange(inorder)
+ inorder.verifyNoMoreInteractions()
agent.disconnect()
inorder.verify(bpfNetMaps, timeout(TIMEOUT_MS)).removeIngressDiscardRule(IPV6_ADDRESS)
@@ -212,10 +206,10 @@
// IngressDiscardRule for IPV6_ADDRESS2 is removed but IngressDiscardRule for
// IPV6_LINK_ADDRESS is not added since Wi-Fi also uses IPV6_LINK_ADDRESS
inorder.verify(bpfNetMaps).removeIngressDiscardRule(IPV6_ADDRESS2)
- verifyNoMoreIngressDiscardRuleChange(inorder)
+ inorder.verifyNoMoreInteractions()
vpnAgent.disconnect()
- verifyNoMoreIngressDiscardRuleChange(inorder)
+ inorder.verifyNoMoreInteractions()
cm.unregisterNetworkCallback(cb)
}
@@ -231,7 +225,7 @@
// IngressDiscardRule is added to the VPN address
inorder.verify(bpfNetMaps).setIngressDiscardRule(IPV6_ADDRESS, VPN_IFNAME)
- verifyNoMoreIngressDiscardRuleChange(inorder)
+ inorder.verifyNoMoreInteractions()
val nr = nr(TRANSPORT_WIFI)
val cb = TestableNetworkCallback()
@@ -253,7 +247,7 @@
// IngressDiscardRule is added to the VPN address since the VPN address is not duplicated
// with the Wi-Fi address
inorder.verify(bpfNetMaps).setIngressDiscardRule(IPV6_ADDRESS, VPN_IFNAME)
- verifyNoMoreIngressDiscardRuleChange(inorder)
+ inorder.verifyNoMoreInteractions()
// The Wi-Fi address is changed back to the same address as the VPN interface
wifiAgent.sendLinkProperties(wifiLp)
diff --git a/tests/unit/java/com/android/server/connectivityservice/base/CSTest.kt b/tests/unit/java/com/android/server/connectivityservice/base/CSTest.kt
index 99a8a3d..63ef86e 100644
--- a/tests/unit/java/com/android/server/connectivityservice/base/CSTest.kt
+++ b/tests/unit/java/com/android/server/connectivityservice/base/CSTest.kt
@@ -27,7 +27,6 @@
import android.content.res.Resources
import android.net.ConnectivityManager
import android.net.INetd
-import android.net.INetd.PERMISSION_INTERNET
import android.net.InetAddresses
import android.net.LinkProperties
import android.net.LocalNetworkConfig
@@ -90,7 +89,6 @@
import org.junit.Rule
import org.junit.rules.TestName
import org.mockito.AdditionalAnswers.delegatesTo
-import org.mockito.ArgumentMatchers.anyInt
import org.mockito.Mockito.doAnswer
import org.mockito.Mockito.doReturn
import org.mockito.Mockito.mock
@@ -189,9 +187,7 @@
val connResources = makeMockConnResources(sysResources, packageManager)
val netd = mock<INetd>()
- val bpfNetMaps = mock<BpfNetMaps>().also {
- doReturn(PERMISSION_INTERNET).`when`(it).getNetPermForUid(anyInt())
- }
+ val bpfNetMaps = mock<BpfNetMaps>()
val clatCoordinator = mock<ClatCoordinator>()
val networkRequestStateStatsMetrics = mock<NetworkRequestStateStatsMetrics>()
val proxyTracker = ProxyTracker(