Automatically set IPsec tunnel interface as up

This change makes IPsec tunnel interfaces automatically get brought up
once they are created. Originally this was considered to be an
additional safety check, as they would not be start routing traffic
until explicitly brought up. However, in the intervening time, the
NetworkManagementController now requires the NETWORK_STACK permission to
set an interface as up. Additionally, that call is a hidden API, and
thus not usable for use cases such as IWLAN.

Bug: 149348618
Test: FrameworksNetTests, CtsNetTestCases passing.
Change-Id: I55b63a748463a388e1e2991d2d5d6b3023545e60
Merged-In: I55b63a748463a388e1e2991d2d5d6b3023545e60
(cherry picked from commit 7c5704d177a903034ae1b6ae4800cc3b8457977a)

services/core/java/com/android/server/IpSecService.java

@@ -46,6 +46,7 @@ import android.net.TrafficStats;
 import android.net.util.NetdService;
 import android.os.Binder;
 import android.os.IBinder;
+import android.os.INetworkManagementService;
 import android.os.ParcelFileDescriptor;
 import android.os.RemoteException;
 import android.os.ServiceSpecificException;
@@ -114,6 +115,9 @@ public class IpSecService extends IIpSecService.Stub {
     /* Binder context for this service */
     private final Context mContext;
 
+    /* NetworkManager instance */
+    private final INetworkManagementService mNetworkManager;
+
     /**
      * The next non-repeating global ID for tracking resources between users, this service, and
      * kernel data structures. Accessing this variable is not thread safe, so it is only read or
@@ -992,12 +996,13 @@ public class IpSecService extends IIpSecService.Stub {
      *
      * @param context Binder context for this service
      */
-    private IpSecService(Context context) {
+    private IpSecService(Context context, INetworkManagementService networkManager) {
-        this(context, IpSecServiceConfiguration.GETSRVINSTANCE);
+        this(context, networkManager, IpSecServiceConfiguration.GETSRVINSTANCE);
     }
 
-    static IpSecService create(Context context) throws InterruptedException {
+    static IpSecService create(Context context, INetworkManagementService networkManager)
-        final IpSecService service = new IpSecService(context);
+            throws InterruptedException {
+        final IpSecService service = new IpSecService(context, networkManager);
         service.connectNativeNetdService();
         return service;
     }
@@ -1011,9 +1016,11 @@ public class IpSecService extends IIpSecService.Stub {
 
     /** @hide */
     @VisibleForTesting
-    public IpSecService(Context context, IpSecServiceConfiguration config) {
+    public IpSecService(Context context, INetworkManagementService networkManager,
+            IpSecServiceConfiguration config) {
         this(
                 context,
+                networkManager,
                 config,
                 (fd, uid) -> {
                     try {
@@ -1027,9 +1034,10 @@ public class IpSecService extends IIpSecService.Stub {
 
     /** @hide */
     @VisibleForTesting
-    public IpSecService(
+    public IpSecService(Context context, INetworkManagementService networkManager,
-            Context context, IpSecServiceConfiguration config, UidFdTagger uidFdTagger) {
+            IpSecServiceConfiguration config, UidFdTagger uidFdTagger) {
         mContext = context;
+        mNetworkManager = Objects.requireNonNull(networkManager);
         mSrvConfig = config;
         mUidFdTagger = uidFdTagger;
     }
@@ -1308,6 +1316,10 @@ public class IpSecService extends IIpSecService.Stub {
             final INetd netd = mSrvConfig.getNetdInstance();
             netd.ipSecAddTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey, resourceId);
 
+            Binder.withCleanCallingIdentity(() -> {
+                mNetworkManager.setInterfaceUp(intfName);
+            });
+
             for (int selAddrFamily : ADDRESS_FAMILIES) {
                 // Always send down correct local/remote addresses for template.
                 netd.ipSecAddSecurityPolicy(