LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge "Use Vpn rules (not firewall) for always-on VPN" am: dcb162176e am: cd8557d15a

Browse Source 
am: 4de3794c26

Change-Id: Ic1e96eac68ddc8a713b3c71b5c126cb8b99c59f5
This commit is contained in:
Robin Lee
2017-04-21 22:17:15 +00:00
committed by android-build-merger
parent 1712602711 dcb162176e
commit 8fc4ec1ec4
2 changed files with 60 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
services/core/java/com/android/server/ConnectivityService.java
View File

@@ -3557,17 +3557,9 @@ public class ConnectivityService extends IConnectivityManager.Stub
existing.shutdown(); existing.shutdown();
} }
try {
if (tracker != null) { if (tracker != null) {
mNetd.setFirewallEnabled(true);
mNetd.setFirewallInterfaceRule("lo", true);
mLockdownTracker = tracker; mLockdownTracker = tracker;
mLockdownTracker.init(); mLockdownTracker.init();
} else {
mNetd.setFirewallEnabled(false);
}
} catch (RemoteException e) {
// ignored; NMS lives inside system_server
} }
} }

57
tests/net/java/com/android/server/connectivity/VpnTest.java
View File

@@ -27,6 +27,7 @@ import android.annotation.UserIdInt;
import android.app.AppOpsManager; import android.app.AppOpsManager;
import android.app.NotificationManager; import android.app.NotificationManager;
import android.content.Context; import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo; import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager; import android.content.pm.PackageManager;
import android.content.pm.UserInfo; import android.content.pm.UserInfo;
@@ -42,6 +43,8 @@ import android.test.suitebuilder.annotation.SmallTest;
import android.util.ArrayMap; import android.util.ArrayMap;
import android.util.ArraySet; import android.util.ArraySet;
import com.android.internal.net.VpnConfig;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.Map; import java.util.Map;
@@ -101,8 +104,10 @@ public class VpnTest extends AndroidTestCase {
@Override @Override
public void setUp() throws Exception { public void setUp() throws Exception {
MockitoAnnotations.initMocks(this); MockitoAnnotations.initMocks(this);
when(mContext.getPackageManager()).thenReturn(mPackageManager); when(mContext.getPackageManager()).thenReturn(mPackageManager);
setMockedPackages(mPackages); setMockedPackages(mPackages);
when(mContext.getPackageName()).thenReturn(Vpn.class.getPackage().getName()); when(mContext.getPackageName()).thenReturn(Vpn.class.getPackage().getName());
when(mContext.getSystemService(eq(Context.USER_SERVICE))).thenReturn(mUserManager); when(mContext.getSystemService(eq(Context.USER_SERVICE))).thenReturn(mUserManager);
when(mContext.getSystemService(eq(Context.APP_OPS_SERVICE))).thenReturn(mAppOps); when(mContext.getSystemService(eq(Context.APP_OPS_SERVICE))).thenReturn(mAppOps);
@@ -257,6 +262,58 @@ public class VpnTest extends AndroidTestCase {
})); }));
} }
@SmallTest
public void testLockdownRuleRepeatability() throws Exception {
final Vpn vpn = createVpn(primaryUser.id);
// Given legacy lockdown is already enabled,
vpn.setLockdown(true);
verify(mNetService, times(1)).setAllowOnlyVpnForUids(
eq(true), aryEq(new UidRange[] {UidRange.createForUser(primaryUser.id)}));
// Enabling legacy lockdown twice should do nothing.
vpn.setLockdown(true);
verify(mNetService, times(1)).setAllowOnlyVpnForUids(anyBoolean(), any(UidRange[].class));
// And disabling should remove the rules exactly once.
vpn.setLockdown(false);
verify(mNetService, times(1)).setAllowOnlyVpnForUids(
eq(false), aryEq(new UidRange[] {UidRange.createForUser(primaryUser.id)}));
// Removing the lockdown again should have no effect.
vpn.setLockdown(false);
verify(mNetService, times(2)).setAllowOnlyVpnForUids(anyBoolean(), any(UidRange[].class));
}
@SmallTest
public void testLockdownRuleReversibility() throws Exception {
final Vpn vpn = createVpn(primaryUser.id);
final UidRange[] entireUser = {
UidRange.createForUser(primaryUser.id)
};
final UidRange[] exceptPkg0 = {
new UidRange(entireUser[0].start, entireUser[0].start + PKG_UIDS[0] - 1),
new UidRange(entireUser[0].start + PKG_UIDS[0] + 1, entireUser[0].stop)
};
final InOrder order = inOrder(mNetService);
// Given lockdown is enabled with no package (legacy VPN),
vpn.setLockdown(true);
order.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(entireUser));
// When a new VPN package is set the rules should change to cover that package.
vpn.prepare(null, PKGS[0]);
order.verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(entireUser));
order.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(exceptPkg0));
// When that VPN package is unset, everything should be undone again in reverse.
vpn.prepare(null, VpnConfig.LEGACY_VPN);
order.verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(exceptPkg0));
order.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(entireUser));
}
@SmallTest @SmallTest
public void testNotificationShownForAlwaysOnApp() { public void testNotificationShownForAlwaysOnApp() {
final UserHandle userHandle = UserHandle.of(primaryUser.id); final UserHandle userHandle = UserHandle.of(primaryUser.id);