Always-on VPN is a feature introduced in N. Since then, all VPN apps
targeting N+ are assumed to support the feature, and the user or the DPC
can turn on / off always-on for any such VPN app. However, a few VPN
apps are not designed to support the always-on feature. Enabling
always-on for these apps will result in undefined behavior and confusing
"Always-on VPN disconnected" notification.
This feature provides a new manifest meta-data field through which a VPN
app can opt out of the always-on feature explicitly. This will stop the
always-on feature from being enabled for the app, both by the user and
by the DPC, and will clear its existing always-on state.
A @hide API is provided to check whether an app supports always-on VPN.
Documentation is updated to reflect the behavior change.
Bug: 36650087
Test: runtest --path java/com/android/server/connectivity/VpnTest.java
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Change-Id: I477897a29175e3994d4ecf8ec546e26043c90f13
Merged-In: I477897a29175e3994d4ecf8ec546e26043c90f13
(cherry picked from commit 9369e61e2d)
For some networks such as mobile data connections, its LinkProperties
does not contain routes for the local subnet so no such route is added
to the interface's routing table. This can be problematic especially
if the device is in VPN lockdown mode where there exists high-priority
PROHIBIT routing rule which in turn blocks the network's default gateway
route from being added (next hop address hitting the prohibit rule).
We fix this by patching LinkProperties to always include direct connected routes
when they are received by ConnectivityService. This has the added advantage that
when apps get LinkProperties, they see the directly connected routes as well.
Bug: 63662962
Test: runtest frameworks-core -c android.net.LinkPropertiesTest
Test: runtest frameworks-services -c com.android.server.ConnectivityServiceTest
Test: Start with device with mobile data, set up ics-OpenVPN in always-on
lockdown mode. Turn off mobile data then turn it back on, observe
mobile data connectivity is restored and VPN successfully reconnects.
Change-Id: I35b614eebccfd22c4a5270f40256f9be1e25abfb
This patch adds the following wakelock related counters to connectivity
service dumps included in bug reports:
- total number of wakelok acquisitions and releases
- total cumulative wakelock duration
- longest time the lock was held
Bug: 65085354
Test: runtest frameworks-net, also manually dumped connectivity service
and check new logging
Merged-In: I8f67750c2eea73abf3d44f7f6df484427a8ea3f9
Merged-In: I93c0eb7c8add966378647400e11e33765d952345
Merged-In: Iabe99993001e069b8a8077533bca1fa7fb2f59ba
(cherry picked from commit 88f49acd03)
Change-Id: I4d6bb43110916b440819813b478523546ac5570e
This patch relays the NetworkBaseObserver notifications about nat
464xlat stacked interfaces onto the ConnectivityService handler.
This allows to process interface up and down notifications in the
same thread context and eliminates several races:
- NPE risk due to race between fixupLinkProperties called on
ConnectivityService thread and interfaceRemoved called on
NetworkManagementService thread.
- stale LinkProperties pointer reads in both NetworkBaseObserver
callbacks not called on ConnectivityService handler.
- removes the race between stop() and interfaceRemoved().
- removes superfluous LinkProperties notifications when stop() is
called before the stacked interface goes up.
The teardown procedure logic common to stop() and interfaceRemoved() is
put into enterStoppedState() and enterIdleState().
This allows to distinguish and correctly handle the following teardown
scenarios:
- an IPv4 appears -> ConnectivityService calls Nat464Xlat#stop()
-> Nat464Xlat calls stopClatd
-> clatd stops
-> if the stacked interface was up, it is removed
-> Nat464Xlat#interfaceRemoved() is triggered and
a LinkProperties update is sent.
- network disconnects -> ConnectivityService calls Nat464Xlat#stop()
-> Nat464Xlat calls stopClatd
-> clatd stops
-> if the stacked interface was up, it is removed
-> Nat464Xlat#interfaceRemoved() is triggered and
a LinkProperties update is sent.
- clatd crashes or exit -> Nat464Xlat#interfaceRemoved() is triggered
-> Nat464Xlat unregisters itself as a network
observer
-> ConnectivityService is updated about the
stacked interface missing, and restarts
Nat464Xlat if needed.
Note that the first two scenarios have two cases: stop() can be called
before the notification for the stacked interface going up (STARTED), or
after (RUNNING). In the first case, Nat464Xlat must unregister
immediately as a network observer to avoid leaks.
This patch also:
- removes/simplifies comments related to the threading model which
are no obsolete.
- extract clatd management logic from ConnectivityService into
NetworkAgentInfo
- add new unit tests where there was none before.
Bug: 62918393
Bug: 62997041
Bug: 64571917
Bug: 65225023
Test: runtest frameworks-net
Change-Id: I27221a8a60fd9760b567ed322cc79228df877e56
This patch adds a layer of asynchonicity to the NetworkBaseObserver
callbacks implemented by Nat464Xlat in order to allow these callbacks
to run on the main ConnectivityService handler.
This allows to run interfaceLinkStateChanged and interfaceRemoved
callbacks in the same thread context as other Nat464Xlat methods and
solves the following issues:
- NPE risk due to race between fixupLinkProperties called on the
ConnectivityService thread and interfaceRemoved called as a
callback by NetworkManagementService.
- stale LinkProperties reads in both callbacks not called on
ConnectivityService handler.
- removes the race between stop() and interfaceRemoved().
This patch also:
- removes/simplifies comments related to the threading
model which are no obsolete.
- extract clatd management logic from ConnectivityService into
NetworkAgentInfo
Bug: 62997041
Bug: 64571917
Test: runtest frameworks-net
manually connected to ipv6 network and went to test-ipv6.com
Change-Id: I889d98e47423ff3d4746d6ed8015b265286e7c52
This patch does some cleanup of Nat464Xlat internal state guards
against the Nat464Xlat state Idle | Started | Running, which reduces
code nesting.
It also replaces introspection of internal state for distinguishing
between different stages in 464xlat lifecycle with an enum explicitly
introducing these three Idle | Started | Running states.
Bug: 62997041
Bug: 64571917
Test: runtest frameworks-net
manually connected to ipv6 network and went to test-ipv6.com
Change-Id: I6efc9fed2420ca488731a2b9b9c3c025b16eca10
This patch does some minor refactoring of clat starting/stopping code:
- remove unused LinkProperties arguments in updateClat
- remove unused Context argument in Nat464Xlat ctor
- introduce ensureClatIsStarted and ensureClatIsStopped methods and
simplify updateClat
- add clatd to NetworkAgentInfo toString() method
- clarify some comments
This changes prepare for moving BaseNetworkObserver callbacks to
ConnectivityService.
Bug: 62997041
Bug: 64571917
Test: runtest frameworks-net
manually connected to IPv6 only network and went to test-ipv6.com
Change-Id: Idb204784614cfe700f73255a7a7b78c5e9ee6eca
1. Mock the service manager so that NMS can fetch mock versions
of INetd and IBatteryStats.
2. Call LocalServices.removeServiceForTest to avoid a duplicate
service registration error. // check this
3. Change the timeout from 100ms to 200ms, as otherwise the tests
that check for IfaceClass fail.
4. Convert NetworkManagementServiceTest to JUnit 4.
5. Move NetworkManagementServiceTest to tests/net
Bug: 29337859
Bug: 32163131
Bug: 32561414
Bug: 62918393
Test: runtest frameworks-net
Change-Id: Ic7371b427b35809ccd446addf35c9d8ae99ccfd3
Currently, we only count add tethering traffic to per-UID
stats, but not to total data usage (i.e., dev and XT stats). This
is correct for software tethering, because all software forwarded
packets are already included in interface counters, but it is
incorrect for hardware offload, because such packets do not
increment interface counters.
To fix this:
1. Add an argument to ITetheringStatsProvider#getTetherStats to
indicate whether per-UID stats are requested. For clarity,
define integer constants STATS_PER_IFACE and STATS_PER_UID
to represent these operations.
2. Make NetdTetheringStatsProvider return stats only if per-UID
stats are requested. (Otherwise tethering traffic would be
double-counted).
3. Make OffloadController's stats provider return the same
stats regardless of whether per-UID stats were requested or
not.
4. Make NetworkStatsService add non-per-UID tethering stats to
the dev and XT snapshots. The per-UID snapshots were already
correctly adding in per-UID stats.
(cherry picked from commit 49ab263c0b)
Bug: 29337859
Bug: 32163131
Test: runtest frameworks-net
Test: runtest frameworks-telephony
Change-Id: I325b13d50e88841dfb0db4c35e7e27f163ee72fe
Merged-In: I4e8e923d68dce1a4a68608dbd6c75a91165aa4ee
This patch completes commit 1ebf219ed9 to
really allow updates of immutable capabilities to NetworkCapabilities of
NetworkAgents by using satisfiedByImmutableNetworkCapabilities instead
satisfiedByNetworkCapabilities.
Bug: 64125969
Test: runtest frameworks-net
Change-Id: I9beeb623792f0ee31abcd4ba9d0ba2451304fb2e
Also moving relevant test files into tests/net as part of runtest
framworks-net.
Also removes testHashCode in LinkAddress() because this test relies on
the assumption that hashCode() is stable across releases or jdk
versions, which is absolutely not true.
This creates maintenance work for little benefit since hashCode is
already tested as part of the equality test.
For instance this test is now broken because hashing for InetAddress
changed.
Bug: 62988545
Bug: 62918393
Test: runtest frameworks-net, added coverage in tests
Change-Id: I695bc3f0e801bf13bc4fc0706565758f12b775b4
This patch loosens the validation checks when a NetworkAgent updates it
NetworkCapabilities: instead of checking that capabilities labeled as
"immutable" stay identical across updates, it is now accepted to change
immutable capabilities in a way that the new NetworkCapabilities
satisfies the old NetworkCapabilities.
This allows a NetworkAgent to update itself in order to match more
requests, but will still catch NetworkAgents that sends degradation
updates causing potentially requests to not match anymore.
Bug: 64125969
Test: runtest frameworks-net
Change-Id: I2a1b3f9c0be6415e40edc989d0c1b03b5631f7b1
This is a refactoring with no behavior change.
The new class provides an abstraction layer to hide knowledge
about OkHttp-specific APIs. Logic from android.net.Network that
knew about OkHttp is moving into that abstraction layer.
This CL refactors android.net.Network to make use of this
abstraction layer instead of the tight coupling onto OkHttp
APIs. The class no longer imports any classes from okhttp
packages.
The values of mDns and mConnectionPool, which never change after
the initial call to maybeInitHttpClient(), are now set directly on
the AndroidHttpClient instance when it is constructed in that method.
Applications can overwrite getSocketFactory() and might depend on
that method being called (and the result used) every time a
connection is opened; therefore, for maximum app compatibility this
call was kept inside openConnection().
This CL is a prerequisite for introducing an additional frameworks
dependency on a richer API than HttpURLConnection.
Test: Build and install apk for FrameworksCoreTests, then run:
adb shell am instrument -e class android.net.NetworkTest -w com.android.frameworks.coretests
Bug: 64021405
Change-Id: I2c73d260508ee20c6a40fd6e95e2d058d3ea2330
This patch fixes the mask used in describeImmutableDifferences which did
not correctly turn NET_CAPABILITY_NOT_METERED into bit flag.
Bug: 63326103
Test: added unit tests, runtest frameworks-net
Change-Id: Ib6b390b1daef5912859302692af7dcd6cfd3e39a
This patch improves the wtf() logging in updateCapabilities to
better distinguish between the cases of a changed specifiers, changed
transports, or changed capabilities. The case of NOT_METERED being added
or removed is ignored.
Bug: 63326103
Test: runtest frameworks-net, runtest frameworks-wifi
Merged-In: I05c6e78891e1eac658f1cf883223af520a9a4f8f
Merged-In: I4f6cbc0adb461cef6610460daeba72ca38b8f10c
Merged-In: I165a8bbe8362100f1e2bb909459fb45b1c68d5ae
Merged-In: Iec6d92e9a3a12bab87c5adfaf17f776465077060
Merged-In: I633d6347a7f852c27c03fc96b36ca2a60f70c73c
Merged-In: I38739184fc0db105bfd3b4c02cce01e803739e5d
Merged-In: Ia58b877056e2442136cc8b145ac8f4e6560cfc2c
(cherry pick from commit d9806e8014)
Change-Id: Id32ca66068c8ff549627e8e8c0e50897ef928c58
This patch corrects a regression added by commit fd35080555 that did
not take into account the case of multiple notifications shown for a
single network id. Given how network notifications are triggered, it can
happen that NO_INTERNET and SIGN_IN notifications are both triggered for
the same network when captive portal detection is slow.
Contrary to the situation before commit fd35080555, a notification
priority order is introduced so that SIGN_IN always overrides
NO_INTERNET, and NO_INTERNET is ignored if SIGN_IN is already present.
Bug: 63676954
Bug: 62503737
Test: runtest frameworks-net, added new unit tests
Change-Id: Ib8658601e8d4dc6c41b335ab7dd8caa0cccd9531
libnativehelper exports headers under nativehelper. These were
available before incorrectly as global headers in order to give
access to jni.h.
Test: modules using frameworks/base find headers
Bug: 63762847
Change-Id: I0f9f231acdebe460f279135462f43d3e32eff64d
This patch fixes a couple of flakyness issues with
testNetworkInfoOfTypeNone. It also fixes some typos and naming issues.
Bug: 62918393, 62918393
Test: runtest frameworks-net
Change-Id: I1c56557ab113d3ef57dbc06a6e882634d03c5b09
