From d3e8d7b4ce81f118ccfe57d9b5a8c98e348b0369 Mon Sep 17 00:00:00 2001
From: Paul Jensen <pauljensen@google.com>
Date: Fri, 28 Aug 2015 12:00:15 -0400
Subject: [PATCH] Don't mark NetworkRequests restricted when they don't have
 restricted caps

Requests without NET_CAPABILITIES_INTERNET and just the default network
capabilities should not be marked restricted.  Without this fix apps
can hit permissions exceptions if they inadvertently make requests
without NET_CAPABILITIES_INTERNET.

Bug:23164917
Change-Id: I4c7136821315bcb05dfc42ffbc505a5d4f6109e6
(cherry picked from commit 5d87922526639c98690836ef8a92105fec4b450a)
---
 core/java/android/net/NetworkCapabilities.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/core/java/android/net/NetworkCapabilities.java b/core/java/android/net/NetworkCapabilities.java
index 2e22697cab..04ebc7c7dd 100644
--- a/core/java/android/net/NetworkCapabilities.java
+++ b/core/java/android/net/NetworkCapabilities.java
@@ -285,8 +285,12 @@ public final class NetworkCapabilities implements Parcelable {
     public void maybeMarkCapabilitiesRestricted() {
         // If all the capabilities are typically provided by restricted networks, conclude that this
         // network is restricted.
-        if ((mNetworkCapabilities & ~(DEFAULT_CAPABILITIES | RESTRICTED_CAPABILITIES)) == 0)
+        if ((mNetworkCapabilities & ~(DEFAULT_CAPABILITIES | RESTRICTED_CAPABILITIES)) == 0 &&
+                // Must have at least some restricted capabilities, otherwise a request for an
+                // internet-less network will get marked restricted.
+                (mNetworkCapabilities & RESTRICTED_CAPABILITIES) != 0) {
             removeCapability(NET_CAPABILITY_NOT_RESTRICTED);
+        }
     }
 
     /**