Re-enable checks for MANAGE_IPSEC_TUNNELS

This patch ensures that creation and modification of IPsec tunnels
requires the MANAGE_IPSEC_TUNNELS appop.

Bug: 115685048
Test: IpSecManagerTunnelTest fails without appops set
Change-Id: I6c60a2573ca521717877f36e28a392b0d3b62754

services/core/java/com/android/server/IpSecService.java

@@ -1488,23 +1488,19 @@ public class IpSecService extends IIpSecService.Stub {
         }
     }
 
-    private static final String TUNNEL_OP = "STOPSHIP"; // = AppOpsManager.OP_MANAGE_IPSEC_TUNNELS;
+    private static final String TUNNEL_OP = AppOpsManager.OPSTR_MANAGE_IPSEC_TUNNELS;
 
     private void enforceTunnelPermissions(String callingPackage) {
         checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels");
-        if (false) { // STOPSHIP if this line is present
+        switch (getAppOpsManager().noteOp(TUNNEL_OP, Binder.getCallingUid(), callingPackage)) {
-            switch (getAppOpsManager().noteOp(
+            case AppOpsManager.MODE_DEFAULT:
-                        TUNNEL_OP,
+                mContext.enforceCallingOrSelfPermission(
-                        Binder.getCallingUid(), callingPackage)) {
+                        android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
-                case AppOpsManager.MODE_DEFAULT:
+                break;
-                    mContext.enforceCallingOrSelfPermission(
+            case AppOpsManager.MODE_ALLOWED:
-                            android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
+                return;
-                    break;
+            default:
-                case AppOpsManager.MODE_ALLOWED:
+                throw new SecurityException("Request to ignore AppOps for non-legacy API");
-                    return;
-                default:
-                    throw new SecurityException("Request to ignore AppOps for non-legacy API");
-            }
         }
     }