diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java index abed1f04da..605acb08ff 100644 --- a/core/java/android/net/ConnectivityManager.java +++ b/core/java/android/net/ConnectivityManager.java @@ -964,41 +964,6 @@ public class ConnectivityManager { return 1; } - /** - * Removes the NET_CAPABILITY_NOT_RESTRICTED capability from the given - * NetworkCapabilities object if all the capabilities it provides are - * typically provided by restricted networks. - * - * TODO: consider: - * - Moving to NetworkCapabilities - * - Renaming it to guessRestrictedCapability and make it set the - * restricted capability bit in addition to clearing it. - * @hide - */ - public static void maybeMarkCapabilitiesRestricted(NetworkCapabilities nc) { - for (int capability : nc.getCapabilities()) { - switch (capability) { - case NetworkCapabilities.NET_CAPABILITY_CBS: - case NetworkCapabilities.NET_CAPABILITY_DUN: - case NetworkCapabilities.NET_CAPABILITY_EIMS: - case NetworkCapabilities.NET_CAPABILITY_FOTA: - case NetworkCapabilities.NET_CAPABILITY_IA: - case NetworkCapabilities.NET_CAPABILITY_IMS: - case NetworkCapabilities.NET_CAPABILITY_RCS: - case NetworkCapabilities.NET_CAPABILITY_XCAP: - case NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED: //there by default - continue; - default: - // At least one capability usually provided by unrestricted - // networks. Conclude that this network is unrestricted. - return; - } - } - // All the capabilities are typically provided by restricted networks. - // Conclude that this network is restricted. - nc.removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED); - } - private NetworkCapabilities networkCapabilitiesForFeature(int networkType, String feature) { if (networkType == TYPE_MOBILE) { int cap = -1; @@ -1021,14 +986,14 @@ public class ConnectivityManager { } NetworkCapabilities netCap = new NetworkCapabilities(); netCap.addTransportType(NetworkCapabilities.TRANSPORT_CELLULAR).addCapability(cap); - maybeMarkCapabilitiesRestricted(netCap); + netCap.maybeMarkCapabilitiesRestricted(); return netCap; } else if (networkType == TYPE_WIFI) { if ("p2p".equals(feature)) { NetworkCapabilities netCap = new NetworkCapabilities(); netCap.addTransportType(NetworkCapabilities.TRANSPORT_WIFI); netCap.addCapability(NetworkCapabilities.NET_CAPABILITY_WIFI_P2P); - maybeMarkCapabilitiesRestricted(netCap); + netCap.maybeMarkCapabilitiesRestricted(); return netCap; } } diff --git a/core/java/android/net/NetworkCapabilities.java b/core/java/android/net/NetworkCapabilities.java index 651fb355b6..29b063a49f 100644 --- a/core/java/android/net/NetworkCapabilities.java +++ b/core/java/android/net/NetworkCapabilities.java @@ -38,10 +38,7 @@ public final class NetworkCapabilities implements Parcelable { */ public NetworkCapabilities() { clearAll(); - mNetworkCapabilities = - (1 << NET_CAPABILITY_NOT_RESTRICTED) | - (1 << NET_CAPABILITY_TRUSTED) | - (1 << NET_CAPABILITY_NOT_VPN); + mNetworkCapabilities = DEFAULT_CAPABILITIES; } public NetworkCapabilities(NetworkCapabilities nc) { @@ -186,6 +183,28 @@ public final class NetworkCapabilities implements Parcelable { private static final int MIN_NET_CAPABILITY = NET_CAPABILITY_MMS; private static final int MAX_NET_CAPABILITY = NET_CAPABILITY_CAPTIVE_PORTAL; + /** + * Capabilities that are set by default when the object is constructed. + */ + private static final long DEFAULT_CAPABILITIES = + (1 << NET_CAPABILITY_NOT_RESTRICTED) | + (1 << NET_CAPABILITY_TRUSTED) | + (1 << NET_CAPABILITY_NOT_VPN); + + /** + * Capabilities that suggest that a network is restricted. + * {@see #maybeMarkCapabilitiesRestricted}. + */ + private static final long RESTRICTED_CAPABILITIES = + (1 << NET_CAPABILITY_CBS) | + (1 << NET_CAPABILITY_DUN) | + (1 << NET_CAPABILITY_EIMS) | + (1 << NET_CAPABILITY_FOTA) | + (1 << NET_CAPABILITY_IA) | + (1 << NET_CAPABILITY_IMS) | + (1 << NET_CAPABILITY_RCS) | + (1 << NET_CAPABILITY_XCAP); + /** * Adds the given capability to this {@code NetworkCapability} instance. * Multiple capabilities may be applied sequentially. Note that when searching @@ -268,6 +287,22 @@ public final class NetworkCapabilities implements Parcelable { return (nc.mNetworkCapabilities == this.mNetworkCapabilities); } + /** + * Removes the NET_CAPABILITY_NOT_RESTRICTED capability if all the capabilities it provides are + * typically provided by restricted networks. + * + * TODO: consider: + * - Renaming it to guessRestrictedCapability and make it set the + * restricted capability bit in addition to clearing it. + * @hide + */ + public void maybeMarkCapabilitiesRestricted() { + // If all the capabilities are typically provided by restricted networks, conclude that this + // network is restricted. + if ((mNetworkCapabilities & ~(DEFAULT_CAPABILITIES | RESTRICTED_CAPABILITIES)) == 0) + removeCapability(NET_CAPABILITY_NOT_RESTRICTED); + } + /** * Representing the transport type. Apps should generally not care about transport. A * request for a fast internet connection could be satisfied by a number of different diff --git a/core/java/android/net/NetworkRequest.java b/core/java/android/net/NetworkRequest.java index e61594ce8b..e184ec4790 100644 --- a/core/java/android/net/NetworkRequest.java +++ b/core/java/android/net/NetworkRequest.java @@ -83,7 +83,13 @@ public class NetworkRequest implements Parcelable { * Build {@link NetworkRequest} give the current set of capabilities. */ public NetworkRequest build() { - return new NetworkRequest(mNetworkCapabilities, ConnectivityManager.TYPE_NONE, + // Make a copy of mNetworkCapabilities so we don't inadvertently remove NOT_RESTRICTED + // when later an unrestricted capability could be added to mNetworkCapabilities, in + // which case NOT_RESTRICTED should be returned to mNetworkCapabilities, which + // maybeMarkCapabilitiesRestricted() doesn't add back. + final NetworkCapabilities nc = new NetworkCapabilities(mNetworkCapabilities); + nc.maybeMarkCapabilitiesRestricted(); + return new NetworkRequest(nc, ConnectivityManager.TYPE_NONE, ConnectivityManager.REQUEST_ID_UNSET); } diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java index 6a22f22e82..0802d301fa 100644 --- a/services/core/java/com/android/server/ConnectivityService.java +++ b/services/core/java/com/android/server/ConnectivityService.java @@ -4024,6 +4024,16 @@ public class ConnectivityService extends IConnectivityManager.Stub } if (!Objects.equals(nai.networkCapabilities, networkCapabilities)) { final int oldScore = nai.getCurrentScore(); + if (nai.networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) != + networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)) { + try { + mNetd.setNetworkPermission(nai.network.netId, + networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) ? + null : NetworkManagementService.PERMISSION_SYSTEM); + } catch (RemoteException e) { + loge("Exception in setNetworkPermission: " + e); + } + } synchronized (nai) { nai.networkCapabilities = networkCapabilities; } @@ -4491,7 +4501,10 @@ public class ConnectivityService extends IConnectivityManager.Stub (networkAgent.networkMisc == null || !networkAgent.networkMisc.allowBypass)); } else { - mNetd.createPhysicalNetwork(networkAgent.network.netId); + mNetd.createPhysicalNetwork(networkAgent.network.netId, + networkAgent.networkCapabilities.hasCapability( + NET_CAPABILITY_NOT_RESTRICTED) ? + null : NetworkManagementService.PERMISSION_SYSTEM); } } catch (Exception e) { loge("Error creating network " + networkAgent.network.netId + ": " diff --git a/services/tests/servicestests/src/com/android/server/ConnectivityServiceTest.java b/services/tests/servicestests/src/com/android/server/ConnectivityServiceTest.java index 19d29f31cc..696f106bce 100644 --- a/services/tests/servicestests/src/com/android/server/ConnectivityServiceTest.java +++ b/services/tests/servicestests/src/com/android/server/ConnectivityServiceTest.java @@ -937,6 +937,19 @@ public class ConnectivityServiceTest extends AndroidTestCase { } private void tryNetworkFactoryRequests(int capability) throws Exception { + // Verify NOT_RESTRICTED is set appropriately + final NetworkCapabilities nc = new NetworkRequest.Builder().addCapability(capability) + .build().networkCapabilities; + if (capability == NET_CAPABILITY_CBS || capability == NET_CAPABILITY_DUN || + capability == NET_CAPABILITY_EIMS || capability == NET_CAPABILITY_FOTA || + capability == NET_CAPABILITY_IA || capability == NET_CAPABILITY_IMS || + capability == NET_CAPABILITY_RCS || capability == NET_CAPABILITY_XCAP || + capability == NET_CAPABILITY_TRUSTED || capability == NET_CAPABILITY_NOT_VPN) { + assertFalse(nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)); + } else { + assertTrue(nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED)); + } + NetworkCapabilities filter = new NetworkCapabilities(); filter.addCapability(capability); final HandlerThread handlerThread = new HandlerThread("testNetworkFactoryRequests");