This also avoids returning a nonzero multipath preference
if remaining data is low but nonzero.
Bug: b/72877610
Change-Id: I2459ded06de77d284ae1fe81a60d9e1df56b0c26
Fixes: b/72877610
Test: Tests in go/ag/3842960 pass
LinkAddress constructors are currently @hide; this change updates
IpSecManager to use InetAddress and prefixLen, and then construct a
LinkAddress internally. LinkAddress is used over the binder interface to
IpSecService to ensure validity.
Bug: 77528639
Test: CTS, Java unit tests ran on walleye
Change-Id: I19e124adef6d9f4992d8293db3190bcf74c95848
This change forces Socket and DatagramSocket to populate the
SocketImpl, ensuring that the socket file descriptor can be
retrieved when applying Transport mode Transforms
This is done by calling getSoLinger(), triggering a getImpl(), which
triggers setImpl() if needed.
Bug: 77491294
Test: Added tests in IpSecManagerTest, ran on walleye
Merged-In: I40da08b031357710eb794e0f866aec5660c79594
Change-Id: I40da08b031357710eb794e0f866aec5660c79594
(cherry picked from commit d175a3d3a01cfdb5ab6d4e61d15950583f8006d6)
Adds support for a new AppOp to permit services to
use IpSec tunnel mode. The IpSecService now needs
a context so change the service mode to a cached
service rather than a static service.
Bug: 66955045
Test: runtest frameworks-net
Change-Id: I17a4a286225b432c3e15ea1587d946189931b4f4
Usage stats corrections for 464xlat in NetworkStatsFactory are not applied
to tethered traffic. Add adjustments in NetworkStatsService. After
migrating external callers off NetworkStatsFactory, we will be able to
only apply adjustments in NetworkStatsService and remove stacked
interface tracking from NetworkStatsFactory.
Bug: 72107146
Fixes: 72107146
Test: runtest frameworks-net & manual - checked corrected network usage
Merged-In: Ieb25c41c651499fdd01225ae5ac21d95e3d823f5
Merged-In: I016722f3a0ae2ae0a1d48bfacc4fe07ee3578ef7
(cherry-pick of aosp I5ce450e616b4fddf21f2a491fe5d0c9e9f969bda)
Change-Id: Id41cf22a0f9a63cb1832e9375bfb045861f08e52
Currently the NetworkStatsManager APIs allow applications to
query for their own data usage by UID and tag, but do not allow
applications to query by foreground/background state.
This is causing popular apps to resort to parsing xt_qtaguid
stats files directly. Because this is no longer allowed for apps
targeting P and above, provide replacement functionality.
This API allows apps to query for data usage for a given state,
but not to receive data usage broken down by state. This is
consistent with how the current UID and tag APIs work. It is also
not an undue burden on apps: there are currently only two states
of interest (FOREGROUND and everything else), and even if we add
states in the future, unmodified apps can still obtain total
traffic using STATE_ALL.
Bug: 72977484
Test: New CTS test added in other change in this topic.
Change-Id: Ic8c9194569ffd599b49e4a8197c5c2ea0ec3f7f7
Useful for clients such as BatteryStats which currently rely
on NetworkStatsFactory. Data at that stage is incomplete as
it does not account for tethering, VT data and corresponding
464xlat corrections.
Test: runtest frameworks-net, CTS tests pass.
Bug: b/72107146
Merged-In: I31c5b9b4a7c6e72910152415894a137f000a5858
Merged-In: I2527d95000c7500c824ede70f87ecb38e21ed323
(cherry picked from aosp 088ff6824f13145ea52207bdead0d7e454a6f3ce)
Change-Id: Ie80f1bb21124241f3414f9be77aceac9a44ec6d1
Disallow the allocation of SPIs in the range
reserved for future use by RFC 4303.
Bug: 77205120
Test: runtest frameworks-net
Merged-In: I05e26ed34b5871f1a07d5bd7b58b79a64cd74b67
Change-Id: I05e26ed34b5871f1a07d5bd7b58b79a64cd74b67
(cherry picked from commit 7f606ee8e57d9d8b7c5d0cb2a78421aa02efb385)
Instead of providing default truncation lengths (based on RFC or
otherwise), this change imposes a restriction that the truncation length
must be supplied for all auth or aead algorithms.
Bug: 77204048
Test: Updated tests, ran on walleye
Merged-In: I4a0e2e71aa97259e56f44e7c8a2ce53135708d97
Change-Id: I4a0e2e71aa97259e56f44e7c8a2ce53135708d97
(cherry picked from commit bb7f2820f5bcccf8618078c2cbe4ea9836797e3b)
This change updates the getSocket() methods for IPsec to improve clarity
of the return types, both for public APIs, and internal-only methods.
Bug: 72473753
Test: APIs updated, CTS + unit tests ran.
Merged-In: I0afebd432c5d04c47c93daa1ce616d712aa323d7
Change-Id: I0afebd432c5d04c47c93daa1ce616d712aa323d7
(cherry picked from commit 4c987ebade580d4abc8a3d549e0df90baab33140)
Use a MATCH_MOBILE_WILDCARD template to avoid filtering by
subscriberId when querying statistics from NetworkStatsService.
Bug: 74038898
Change-Id: I8296220472a9ba37044dd1a5ede9bdb45d3ed339
Fixes: 74038898
Test: runtest frameworks-net, CTS tests pass
Merged-In: I1e4e283c6eaecf33d12488e41e0c524f6ff83954
Merged-In: Ia84d2c7cc63bf8b8bf30f133e0382fd7103bf490
(cherry-picked from aosp I4b39e7031416cb33b23d89aa36ff0f774eaa942f)
Updates API documentation to mention that TCP sockets where transforms
are deactivated will not send FIN packets.
Bug: 74851550
Test: API updates only
Merged-In: I8169f221c8c747538a8bddfbf02dcc73c9337189
Change-Id: I8169f221c8c747538a8bddfbf02dcc73c9337189
(cherry picked from commit 7d31a2f3579eff80c3cef07feadf77dbfcbfcd17)
Add a new MANAGE_IPSEC_TUNNELS permission and
protect all IPsec Tunnel mode APIs with it.
This permission is only granted to the system or
through an AppOp.
Bug: 66955045
Test: compilation
Change-Id: I0f618373b500c493ef2211bece681f74652a1833
This CL adds NonNull annotations to a large
number of method returns and parameters as
part of API council feedback.
Bug: 72473424
Test: compilation (docstring-only change)
Merged-In: I2f865dde56fe12116c461ad98e9460bf1802ce18
Change-Id: I2f865dde56fe12116c461ad98e9460bf1802ce18
(cherry picked from commit 8fd26f67fdfdedb535ddb8c7d5ededa5dcba40f8)
When exposing the APIs, these were missed.
The outer structure is exposed, so this exposes
the addAddress and removeAddress methods.
Bug: 75234273
Test: compilation
Merged-In: I79911434f9baa660e4d8564cc59d80da4a710c42
Change-Id: I79911434f9baa660e4d8564cc59d80da4a710c42
(cherry picked from commit a83601a511c3f11470109d78d1a736acdb9c6bd8)
This change adds implementation details for add/remove addresses onto a
VTI.
Bug: 73675031
Test: New tests added, passing on Walleye
Merged-In: Idde9d943a5285d2c13c5c6b0f7b8a9faf718e6a5
Change-Id: Idde9d943a5285d2c13c5c6b0f7b8a9faf718e6a5
(cherry picked from commit ecc9f7cc08804e3fa15fea04ae94ea1bc74edbfe)
Kernel limitations prevent auth-only SAs from being created. Explicitly
request a null encryption algorithm instead of omitting the algorithm
to comply with the kernel requirement for ESP.
Bug: 75049573
Test: CTS tests for auth-only, crypt-only transforms added for all
combinations of (UDP, TCP, IPv4, IPv6, UDP-encap) Also added unit
tests to ensure correct triggering of NULL_CRYPT usage.
Merged-In: Ia9a5cfee9c7786412846bc039f326420f6211c08
Change-Id: Ia9a5cfee9c7786412846bc039f326420f6211c08
(cherry picked from commit bf013a3820c69348e034c6340b28e95f3441ebe8)
-Add anotations to usages of PolicyDirection for
apply...() methods.
-Update the comments on DIRECTION_IN and DIRECTION_OUT
to better reflect their current usage.
-Add a better explanation to the rekey procedure doc.
-Remove disused createTunnelInterface() stub.
Bug: 73751066
Test: make docs
Merged-In: I9f2ec864466148a18899f1e952c74a525902ccbc
Change-Id: I9f2ec864466148a18899f1e952c74a525902ccbc
(cherry picked from commit f4cdf25a906d0f52ffd76508d660b843b13b3ff8)
When a single app is responsible for more than half of the data usage
that caused us to trigger a "rapid usage" alert, name that app in the
notification. Tests to verify.
Move NPMS->NSS direct calls to "Internal" pattern, following
best-practices to avoid unnecessary AIDL exposure.
Remove 3G/4G split mobile plan support, which has been deprecated for
years and was never supported in a shipping product.
Move MultipathPolicyTracker in tree to reflect its package name.
Test: bit FrameworksNetTests:*
Test: bit FrameworksServicesTests:com.android.server.NetworkPolicyManagerServiceTest
Bug: 69263587, 64221505, 73431080, 72746951
Exempt-From-Owner-Approval: approved in previous PS
Change-Id: I3e4ec1ae2222d51b232f76f32faca93d4f8cd272
This change prevents IpSecTransforms from being inadvertently modified
by changes to the IpSecConfig. Specifically, once the transform is
created, it takes a copy of the config, rather than a reference.
Bug: 69385347
Test: New tests added, and all test passing
Change-Id: I89b8660c175ca20aa70352dcda893434ff7fd42b
At least until further permissions are agreed upon,
the NETWORK_STACK permission is sufficient to ensure
that access to the tunnel mode APIs is secure, and
this permission will always be a sufficient condition.
Thus, adding NETWORK_STACK.
Bug: 66955045
Test: compilation
Change-Id: I2dc36896a52d2e71fad55041507d68ca91191ffc
This change makes sure tunnel mode transforms are properly activated
upon construction, and corrects bugs with how policy selectors were being
generated for tunnel mode policies. Specifically, the source/destination could
not be empty strings, even for cases where an empty selector was desired.
Bug: 72457770
Test: GTS tests run
Change-Id: I9a9f64c34b07883a02a5c996614f958486d214fc
The current implementation of getMobileRxBytes and all the similiar
method adds up the return values for multiple calls to getRxBytes so if
all of them return UNSUPPORTED for any reason, getMobileRxBytes() would
return a value such as -3. This behavior is not compliance with the cts
TrafficStatsTest which always assume getMobileRxBytes to return a
non-negetive value. The method now will check tha stats get from
getRxBytes method and add them up only if the stats is valid.
Bug: 72473294
Test: run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Change-Id: I656970ebc8f6506cf17c4353ad46c0178bb65cfd
- add Ethernet interface configurations to config.xml; no vendors can
specify network capabilities (in particular they can mark network as
restricted which make sense for embedded applications + static IP
configuration)
- extend EthernetManager to support multiple interfaces, use interface
name as an identificator
- extend IpConfigStore to store IP configuration based on string
identifier (e.g. ethernet name)
Test: runtest -x frameworks/base/services/tests/servicestests/ -c com.android.server.net.IpConfigStoreTest
Change-Id: Ic1e70003f2380ca8edb4469d6b34e27c5e8cf059
The lifecycle of Keepalive offloading is, unfortunately
different from that of an IpSecTransform. Because starting
a keepalive is fundamentally asynchronous, and isn't valid
until after a transform exists, it will now be a separate
optional procedure that may succeed or fail. It remains
linked with a Transform by the need for a Transform to exist
in order to initiate a Keepalive.
Bug: 38350389
Test: compilation
Change-Id: Ia76fccee41f86d694dff436043293d0c0762c041
