Require IPSEC_TUNNEL_MIGRATION feature flag to migrate transforms

Bug: 169169973 Test: atest IpSecServiceParameterizedTest (new tests added) Change-Id: I3dd45b29163cd1e0cdbef08cb8aabdb629cf73bc
2022-10-18 00:03:20 +00:00
parent e114b38f07
commit a48dcd9d1f
3 changed files with 52 additions and 3 deletions
--- a/service-t/src/com/android/server/IpSecService.java
+++ b/service-t/src/com/android/server/IpSecService.java
@@ -17,6 +17,7 @@
 package com.android.server;

 import static android.Manifest.permission.DUMP;
+import static android.net.IpSecManager.FEATURE_IPSEC_TUNNEL_MIGRATION;
 import static android.net.IpSecManager.INVALID_RESOURCE_ID;
 import static android.system.OsConstants.AF_INET;
 import static android.system.OsConstants.AF_INET6;
@@ -1681,6 +1682,14 @@ public class IpSecService extends IIpSecService.Stub {
                android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
    }

+    private void enforceMigrateFeature() {
+        if (!mContext.getPackageManager().hasSystemFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)) {
+            throw new UnsupportedOperationException(
+                    "IPsec Tunnel migration requires"
+                            + " PackageManager.FEATURE_IPSEC_TUNNEL_MIGRATION");
+        }
+    }
+
    private void createOrUpdateTransform(
            IpSecConfig c, int resourceId, SpiRecord spiRecord, EncapSocketRecord socketRecord)
            throws RemoteException {
@@ -1807,6 +1816,7 @@ public class IpSecService extends IIpSecService.Stub {
        Objects.requireNonNull(newDestinationAddress, "newDestinationAddress was null");

        enforceTunnelFeatureAndPermissions(callingPackage);
+        enforceMigrateFeature();

        UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
        TransformRecord transformInfo =
@@ -1962,6 +1972,14 @@ public class IpSecService extends IIpSecService.Stub {
            createOrUpdateTransform(c, transformResourceId, spiRecord, socketRecord);

            if (transformInfo.isMigrating()) {
+                if (!mContext.getPackageManager()
+                        .hasSystemFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)) {
+                    Log.wtf(
+                            TAG,
+                            "Attempted to migrate a transform without"
+                                    + " FEATURE_IPSEC_TUNNEL_MIGRATION");
+                }
+
                for (int selAddrFamily : ADDRESS_FAMILIES) {
                    final IpSecMigrateInfoParcel migrateInfo =
                            new IpSecMigrateInfoParcel(