From 407ba4ce6ecd76421df5100a2e5ed312460a1df3 Mon Sep 17 00:00:00 2001
From: Tommy Webb
Date: Sun, 26 Feb 2023 15:50:50 -0500
Subject: [PATCH] Keep UID in lockdown when present in any range

Do not remove LOCKDOWN_VPN_MATCH from a UID if it is present in any of the supplied ranges that have yet to be removed.

Change-Id: Ia95724cd19040f83cea2c169a2585ab5dbdddbac
---
 .../com/android/server/connectivity/PermissionMonitor.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java
index 0e2823dd15..5ba904ad19 100755
--- a/service/src/com/android/server/connectivity/PermissionMonitor.java
+++ b/service/src/com/android/server/connectivity/PermissionMonitor.java
@@ -1067,8 +1067,10 @@ public class PermissionMonitor {
 // exclude privileged apps from the prohibit routing rules used to implement outgoing packet
 // filtering, privileged apps can still bypass outgoing packet filtering because the
 // prohibit rules observe the protected from VPN bit.
+ // If removing a UID, we ensure it is not present anywhere in the set first.
 for (final int uid: affectedUids) {
- if (!hasRestrictedNetworksPermission(uid)) {
+ if (!hasRestrictedNetworksPermission(uid)
+ && (add || !UidRange.containsUid(mVpnLockdownUidRanges.getSet(), uid))) {
 updateLockdownUidRule(uid, add);
 }
 }
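Review bot: The added guard `(add || !UidRange.containsUid(mVpnLockdownUidRanges.getSet(), uid))` is only correct if `mVpnLockdownUidRanges` has already dropped the ranges being removed by the time this loop runs; that update is outside the hunk, so the new comment should state the ordering, e.g. `// mVpnLockdownUidRanges must already reflect this removal; a UID still covered by a remaining range keeps LOCKDOWN_VPN_MATCH.` If the set were consulted before the update, no UID would ever lose the rule, which fails closed but would presumably leave apps blocked after lockdown is turned off. The lookup is also repeated for every UID; hoisting it as `final Set<UidRange> remaining = mVpnLockdownUidRanges.getSet();` before the `for` would make the snapshot explicit (element type assumed from the `containsUid` call). The diffstat shows only this file changed, so a unit test that removes one of two overlapping ranges and checks that the shared UID stays in lockdown would pin the behaviour. The enclosing method starts and ends outside the hunk.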