Merge changes from topic "vt_enable" into main

* changes:
  Implement disableVmTethering
  Deprecate old implementation around providing network to ferrochrome
  Turn network feature on in VmLauncherApp
  Implement enableVmTethering
diff --git a/docs/custom_vm.md b/docs/custom_vm.md
index 1e15d16..4b027f1 100644
--- a/docs/custom_vm.md
+++ b/docs/custom_vm.md
@@ -222,67 +222,10 @@
 $ adb shell pm grant com.google.android.virtualization.vmlauncher android.permission.USE_CUSTOM_VIRTUAL_MACHINE
 $ adb unroot
 ```
-Then execute the below to set up the network. In the future, this step won't be necessary.
 
-```
-$ cat > setup_network.sh; adb push setup_network.sh /data/local/tmp
-#!/system/bin/sh
+Second, ensure your device is connected to the Internet.
 
-set -e
-
-TAP_IFACE=crosvm_tap
-TAP_ADDR=192.168.1.1
-TAP_NET=192.168.1.0
-
-function setup_network() {
-  local WAN_IFACE=$(ip route get 8.8.8.8 2> /dev/null | awk -- '{printf $5}')
-  if [ "${WAN_IFACE}" == "" ]; then
-    echo "No network. Connect to a WiFi network and start again"
-    return 1
-  fi
-
-  if ip link show ${TAP_IFACE} &> /dev/null ; then
-    echo "TAP interface ${TAP_IFACE} already exists"
-    return 1
-  fi
-
-  ip tuntap add mode tap group virtualmachine vnet_hdr ${TAP_IFACE}
-  ip addr add ${TAP_ADDR}/24 dev ${TAP_IFACE}
-  ip link set ${TAP_IFACE} up
-  ip rule flush
-  ip rule add from all lookup ${WAN_IFACE}
-  ip route add ${TAP_NET}/24 dev ${TAP_IFACE} table ${WAN_IFACE}
-  sysctl net.ipv4.ip_forward=1
-  iptables -t filter -F
-  iptables -t nat -A POSTROUTING -s ${TAP_NET}/24 -j MASQUERADE
-}
-
-function setup_if_necessary() {
-  if [ "$(getprop ro.crosvm.network.setup.done)" == 1 ]; then
-    return
-  fi
-  echo "Setting up..."
-  check_privilege
-  setup_network
-  setenforce 0
-  chmod 666 /dev/tun
-  setprop ro.crosvm.network.setup.done 1
-}
-
-function check_privilege() {
-  if [ "$(id -u)" -ne 0 ]; then
-    echo "Run 'adb root' first"
-    return 1
-  fi
-}
-
-setup_if_necessary
-^D
-
-adb root; adb shell /data/local/tmp/setup_network.sh
-```
-
-Then, finally tap the VmLauncherApp app from the launcher UI. You will see
+Finally, tap the VmLauncherApp app from the launcher UI. You will see
 Ferrochrome booting!
 
 If it doesn’t work well, try
diff --git a/java/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java b/java/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
index 970f780..f1d89d9 100644
--- a/java/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
+++ b/java/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
@@ -21,6 +21,9 @@
 import android.content.Context;
 import android.content.Intent;
 import android.content.IntentFilter;
+import android.net.TetheringManager;
+import android.net.TetheringManager.StartTetheringCallback;
+import android.net.TetheringManager.TetheringRequest;
 import android.os.Handler;
 import android.os.IBinder;
 import android.os.ServiceManager;
@@ -155,10 +158,37 @@
         }
     }
 
-    private static final class TetheringService extends IVmTethering.Stub {
+    private final class TetheringService extends IVmTethering.Stub {
+        private final TetheringManager tm = getContext().getSystemService(TetheringManager.class);
+
         @Override
-        public void enableVmTethering() throws UnsupportedOperationException {
-            throw new UnsupportedOperationException("VM tethering is not supported yet");
+        public void enableVmTethering() {
+            final TetheringRequest tr =
+                    new TetheringRequest.Builder(TetheringManager.TETHERING_VIRTUAL)
+                            .setConnectivityScope(TetheringManager.CONNECTIVITY_SCOPE_GLOBAL)
+                            .build();
+
+            StartTetheringCallback startTetheringCallback =
+                    new StartTetheringCallback() {
+                        @Override
+                        public void onTetheringStarted() {
+                            Log.i(TAG, "VM tethering started successfully");
+                        }
+
+                        @Override
+                        public void onTetheringFailed(int resultCode) {
+                            Log.e(
+                                    TAG,
+                                    "VM tethering failed. Result Code: "
+                                            + Integer.toString(resultCode));
+                        }
+                    };
+            tm.startTethering(tr, c -> c.run() /* executor */, startTetheringCallback);
+        }
+
+        @Override
+        public void disableVmTethering() {
+            tm.stopTethering(TetheringManager.TETHERING_VIRTUAL);
         }
     }
 }
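Review bot: A tethering failure never reaches the binder caller, because `onTetheringFailed` only logs the result code and `enableVmTethering()` has already returned by the time the callback runs. The caller in virtualizationservice will therefore treat the call as success and hand out the TAP fd even when no tethering is up; either report the failure back (for example through a result callback on IVmTethering) or document it on the method, `// Asynchronous: returns before tethering is up; failures are only logged.` Neither method checks who is calling in the lines shown, so if access to this stub is not already restricted where it is registered (outside this hunk), add an explicit check such as comparing `Binder.getCallingUid()` against the expected service UID. `tm` is also dereferenced without a null check, and `getSystemService` can return null when the service is unavailable.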
diff --git a/virtualizationmanager/src/crosvm.rs b/virtualizationmanager/src/crosvm.rs
index ee5f5cd..47ef91a 100644
--- a/virtualizationmanager/src/crosvm.rs
+++ b/virtualizationmanager/src/crosvm.rs
@@ -1087,15 +1087,6 @@
         }
     }
 
-    if cfg!(paravirtualized_devices) {
-        // TODO(b/340376951): Remove this after tap in CrosvmConfig is connected to tethering.
-        if rustutils::system_properties::read_bool("ro.crosvm.network.setup.done", false)
-            .unwrap_or(false)
-        {
-            command.arg("--net").arg("tap-name=crosvm_tap");
-        }
-    }
-
     if cfg!(network) {
         if let Some(tap) = &config.tap {
             let tap_fd = tap.as_raw_fd();
diff --git a/virtualizationservice/aidl/android/system/vmtethering/IVmTethering.aidl b/virtualizationservice/aidl/android/system/vmtethering/IVmTethering.aidl
index 732a515..0743ffa 100644
--- a/virtualizationservice/aidl/android/system/vmtethering/IVmTethering.aidl
+++ b/virtualizationservice/aidl/android/system/vmtethering/IVmTethering.aidl
@@ -21,4 +21,9 @@
      * Start VM tethering to provide external network to VM.
      */
     void enableVmTethering();
+
+    /**
+     * Terminate VM tethering that providing external network to VM.
+     */
+    void disableVmTethering();
 }
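Review bot: The new doc comment on `disableVmTethering()` is ungrammatical and does not say what is actually stopped. Suggest `Stop the VM tethering started by enableVmTethering(); the VM loses external network access.` It should also state whether the call affects every VM or only the caller's, since the implementation in this commit stops `TETHERING_VIRTUAL` as a whole.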
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index c0e1cc7..af80998 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -518,7 +518,7 @@
         Ok(())
     }
 
-    fn createTapInterface(&self, iface_name_suffix: &str) -> binder::Result<ParcelFileDescriptor> {
+    fn createTapInterface(&self, _iface_name_suffix: &str) -> binder::Result<ParcelFileDescriptor> {
         check_internet_permission()?;
         check_use_custom_virtual_machine()?;
         if !cfg!(network) {
@@ -528,18 +528,14 @@
             ))
             .with_log();
         }
-        let tap_fd = NETWORK_SERVICE.createTapInterface(iface_name_suffix)?;
+        // TODO(340377643): Use iface_name_suffix after introducing bridge interface, not fixed
+        // value.
+        let tap_fd = NETWORK_SERVICE.createTapInterface("fixed")?;
 
         // TODO(340377643): Due to lack of implementation of creating bridge interface, tethering is
         // enabled for TAP interface instead of bridge interface. After introducing creation of
         // bridge interface in AVF, we should modify it.
-        if let Err(e) = TETHERING_SERVICE.enableVmTethering() {
-            if e.exception_code() == ExceptionCode::UNSUPPORTED_OPERATION {
-                warn!("{}", e.get_description());
-            } else {
-                return Err(e);
-            }
-        }
+        TETHERING_SERVICE.enableVmTethering()?;
 
         Ok(tap_fd)
     }
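Review bot: When `TETHERING_SERVICE.enableVmTethering()?` returns an error, the TAP interface just created by `NETWORK_SERVICE.createTapInterface("fixed")` is not torn down; only the local `tap_fd` is dropped. If the interface outlives that fd (not visible here), a failed call leaves it behind and a retry may hit an existing interface, so on the error path call `NETWORK_SERVICE.deleteTapInterface(&tap_fd)` before returning the error. The caller-supplied suffix is now ignored in favour of one fixed name, so two VMs requesting a TAP interface would presumably contend for the same name; the TODO should say that only one networked VM is supported until the bridge lands.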
@@ -554,6 +550,10 @@
             ))
             .with_log();
         }
+
+        // TODO(340377643): Disabling tethering should be for bridge interface, not TAP interface.
+        TETHERING_SERVICE.disableVmTethering()?;
+
         NETWORK_SERVICE.deleteTapInterface(tap_fd)
     }
 }
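Review bot: The early return from `TETHERING_SERVICE.disableVmTethering()?` skips `NETWORK_SERVICE.deleteTapInterface(tap_fd)`, so a tethering error leaves the TAP interface in place. Run both steps and report the first error, e.g. `let tether = TETHERING_SERVICE.disableVmTethering();` then `NETWORK_SERVICE.deleteTapInterface(tap_fd)?;` then `tether`. The Java implementation in this commit stops `TETHERING_VIRTUAL` as a whole, so deleting one VM's interface would presumably also cut tethering for any other running VM; the TODO should mention that. The function begins outside this hunk.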
diff --git a/vmlauncher_app/AndroidManifest.xml b/vmlauncher_app/AndroidManifest.xml
index 48e3200..ecfef86 100644
--- a/vmlauncher_app/AndroidManifest.xml
+++ b/vmlauncher_app/AndroidManifest.xml
@@ -7,8 +7,7 @@
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-feature android:name="android.software.virtualization_framework" android:required="true" />
     <application
-        android:label="VmLauncherApp"
-        android:networkSecurityConfig="@xml/network_security_config">
+        android:label="VmLauncherApp">
         <activity android:name=".MainActivity"
                   android:screenOrientation="landscape"
                   android:configChanges="orientation|screenSize|keyboard|keyboardHidden|navigation|uiMode"
diff --git a/vmlauncher_app/java/com/android/virtualization/vmlauncher/MainActivity.java b/vmlauncher_app/java/com/android/virtualization/vmlauncher/MainActivity.java
index 33e4755..a103dd0 100644
--- a/vmlauncher_app/java/com/android/virtualization/vmlauncher/MainActivity.java
+++ b/vmlauncher_app/java/com/android/virtualization/vmlauncher/MainActivity.java
@@ -83,6 +83,7 @@
         configBuilder.setCpuTopology(CPU_TOPOLOGY_MATCH_HOST);
 
         configBuilder.setProtectedVm(false);
+        configBuilder.setNetworkSupported(true);
         if (DEBUG) {
             configBuilder.setDebugLevel(VirtualMachineConfig.DEBUG_LEVEL_FULL);
             configBuilder.setVmOutputCaptured(true);
diff --git a/vmlauncher_app/res/xml/network_security_config.xml b/vmlauncher_app/res/xml/network_security_config.xml
deleted file mode 100644
index f27fa56..0000000
--- a/vmlauncher_app/res/xml/network_security_config.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
-  ~ Copyright (C) 2024 The Android Open Source Project
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~      http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-
-<network-security-config>
-    <domain-config cleartextTrafficPermitted="true">
-        <domain includeSubdomains="true">localhost</domain>
-    </domain-config>
-</network-security-config>