From 7c250aedb1d86ddbaaee95ececdb92dc1142ccd4 Mon Sep 17 00:00:00 2001
From: Nathan Harold <nharold@google.com>
Date: Tue, 15 May 2018 19:18:38 -0700
Subject: [PATCH] Disable the AppOp Restriction for IpSec Tunnels

This CL temporarily removes the AppOp restriction
that disallows creation of IpSec tunnels due to
the lack of the appropriate AppOp in AOSP/master.
When the relevant framework merges out to master,
this CL should be reverted.

Manually merging this due to skipping a merge
conflict at ef9f2740a790feceaa47a24b1a179e93c4ffb5e6

Bug: none
Test: compilation
Change-Id: Ic06c193f85f6bcdd0ead4238825c1add78703cde
---
 .../java/com/android/server/IpSecService.java | 26 +++++++++++--------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 60f1877d37..744ed25f16 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1481,19 +1481,23 @@ public class IpSecService extends IIpSecService.Stub {
         }
     }
 
+    private static final String TUNNEL_OP = "STOPSHIP"; // = AppOpsManager.OP_MANAGE_IPSEC_TUNNELS;
+
     private void enforceTunnelPermissions(String callingPackage) {
         checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels");
-        switch (getAppOpsManager().noteOp(
-                    AppOpsManager.OP_MANAGE_IPSEC_TUNNELS,
-                    Binder.getCallingUid(), callingPackage)) {
-            case AppOpsManager.MODE_DEFAULT:
-                mContext.enforceCallingOrSelfPermission(
-                        android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
-                break;
-            case AppOpsManager.MODE_ALLOWED:
-                return;
-            default:
-                throw new SecurityException("Request to ignore AppOps for non-legacy API");
+        if (false) { // STOPSHIP if this line is present
+            switch (getAppOpsManager().noteOp(
+                        TUNNEL_OP,
+                        Binder.getCallingUid(), callingPackage)) {
+                case AppOpsManager.MODE_DEFAULT:
+                    mContext.enforceCallingOrSelfPermission(
+                            android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
+                    break;
+                case AppOpsManager.MODE_ALLOWED:
+                    return;
+                default:
+                    throw new SecurityException("Request to ignore AppOps for non-legacy API");
+            }
         }
     }