Block incoming packets in VPN Lockdown mode.

Currently, even when VPN Lockdown mode is enabled, incoming packets are
not dropped if VPN is not connected.

This commit fixes this issue.
After this commit, if VPN Lockdown mode is enabled, incoming packets
are dropped regardless of the VPN connectivity.

Bug: 206482423
Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest
Change-Id: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
Motomu Utsumi
2022-05-11 05:56:26 +00:00
parent 77a794868f
commit b08654ca04
11 changed files with 567 additions and 70 deletions


@@ -982,6 +982,16 @@ public class ConnectivityManager {
@SystemApi(client = MODULE_LIBRARIES)
public static final int FIREWALL_CHAIN_LOW_POWER_STANDBY = 5;
/**
* Firewall chain used for lockdown VPN.
* Denylist of apps that cannot receive incoming packets except on loopback because they are
* subject to an always-on VPN which is not currently connected.
*
* @see #BLOCKED_REASON_LOCKDOWN_VPN
* @hide
*/
public static final int FIREWALL_CHAIN_LOCKDOWN_VPN = 6;
/** @hide */
@Retention(RetentionPolicy.SOURCE)
@IntDef(flag = false, prefix = "FIREWALL_CHAIN_", value = {
@@ -989,7 +999,8 @@ public class ConnectivityManager {
FIREWALL_CHAIN_STANDBY,
FIREWALL_CHAIN_POWERSAVE,
FIREWALL_CHAIN_RESTRICTED,
FIREWALL_CHAIN_LOW_POWER_STANDBY
FIREWALL_CHAIN_LOW_POWER_STANDBY,
FIREWALL_CHAIN_LOCKDOWN_VPN
})
public @interface FirewallChain {}
// LINT.ThenChange(packages/modules/Connectivity/service/native/include/Common.h)
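Review bot: The Javadoc on the new FIREWALL_CHAIN_LOCKDOWN_VPN constant says the denylisted apps are "subject to an always-on VPN which is not currently connected", but the commit description says incoming packets are dropped regardless of VPN connectivity; the two statements disagree, and since this chain is the enforcement boundary for lockdown the doc should state the behaviour that is actually enforced. If the description is right, the second doc line would read ` * subject to an always-on VPN in lockdown mode, whether or not that VPN is currently connected.`; if the doc is right, the description should be narrowed instead. The enforcement itself lives in the other changed files, which are outside this view, so I cannot tell which wording is correct. The trailing `LINT.ThenChange` points at the native Common.h, so the value 6 presumably needs a matching definition there; worth confirming it is part of this commit rather than a follow-up.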