am: 3b5424047c -s ours
am skip reason: change_id I98573a5c68e45abbbaddef01f6ac74a6a18e26f9 with SHA1 0fed3d2c01 is in history
Change-Id: I80f0924a1a1f83962c6dee7fd937a341075327e4
am: 5c7c6a4b7d -s ours
am skip reason: change_id I88bfd7f37c0ba0228f8288fe92212618ce134e4f with SHA1 4f370cefa2 is in history
Change-Id: If600c79a42b040f8323800cc2b6a145d5efb2c39
This commit re-enables enforcement of the MANAGE_TEST_NETWORK
permission, which is only granted to the shell. CTS tests using this
permission should use UiAutomation.adoptShellPermissionIdentity() to
gain access.
Bug: 72950854
Test: IPsec CTS tests using this passing
Change-Id: I98573a5c68e45abbbaddef01f6ac74a6a18e26f9
Merged-In: I98573a5c68e45abbbaddef01f6ac74a6a18e26f9
(cherry picked from commit 0fed3d2c01)
This follow-up change performs some cleanup changes without affecting
functionality
Bug: 72950854
Test: Compiles, CTS tests using this pass
Change-Id: Ic7394f24f11d713c9374b438182e29d2a02ea236
Merged-In: Ic7394f24f11d713c9374b438182e29d2a02ea236
(cherry picked from commit 5f6bc9d438)
To address the API review feedback provided by
the API council.
Bug: 129261432
Test: atest DnsResolverTest
Change-Id: I3de11c913682abf790850b45cd5d50ac28b3fc5c
am: b207526a0b -s ours
am skip reason: change_id Ifd18d1c6ad708c1dbc793f03d8241f572af50317 with SHA1 ec82da1166 is in history
Change-Id: I1a1cac47a948636d6dae934edb3fbf42327f5314
am: c7a083a15e -s ours
am skip reason: change_id I54050b28bbfb93e0b7e509dbe0e987a0b902b7d9 with SHA1 9b84ea14a8 is in history
Change-Id: I15a4acf4355e05833ed15bde3deb0db966f2a75a
am: 610eed67b6 -s ours
am skip reason: change_id I6db75853da9f29e1573512e26351623f22770c5d with SHA1 4dba79cc89 is in history
Change-Id: I3e0bd244d8a2ddf86cf4dab99d4a563ea1e2b01e
When a fully-routed VPN is running, we want to prevent normal apps
under the VPN from receiving packets originating from any local non-VPN
interfaces. This is achieved by using eBPF to create a per-UID input
interface whitelist and populate the whitelist such that all
non-bypassable apps under a VPN can only receive packets from the VPN's
TUN interface (and loopback implicitly)
This is the framework part of the change that build the whitelist.
The whitelist needs to be updated in the following cases:
* When a VPN is connected and disconnected
This will cover the change to allowBypass bit, since that can't be
changed without reconnecting.
* When a VPN's NetworkCapabilites is changed (whitelist/blacklist app changes)
* When a new app is installed
* When an existing app is removed
* When a VPN becomes fully-routed or is no longer fully-routed
New user/profile creation will automatically result in a whitelist app change
transition so it doesn't need to be handled specially here.
Due to the limitation of the kernel IPSec interacting with eBPF (sk_buf->ifindex
does not point to the virtual tunnel interface for kernel IPSec), the whitelist
will only apply to app VPNs but not legacy VPN connections, to prevent breaking
connectivity with kernel IPSec entirely.
Test: atest PermissionMonitorTest
Test: atest android.net.RouteInfoTest
Test: atest com.android.server.ConnectivityServiceTest
Test: atest HostsideVpnTests
Bug: 114231106
Change-Id: I143b03d60e46cb1b04732b4a4034f5847b4d1b1a
This commit re-enables enforcement of the MANAGE_TEST_NETWORK
permission, which is only granted to the shell. CTS tests using this
permission should use UiAutomation.adoptShellPermissionIdentity() to
gain access.
Bug: 72950854
Test: IPsec CTS tests using this passing
Change-Id: I98573a5c68e45abbbaddef01f6ac74a6a18e26f9
There is a logic error in maybeNotifyNetworkBlockedForNewUidRules
that caused function to return if there is no status change in
the first network. This would cause CTS failed in devices which
has volte-enabled SIM inserted.
Bug: 129409153
Fix: 117969394
Test: 1. atest com.android.cts.net.HostsideNetworkCallbackTests \
--generate-new-metrics 20
2. atest FrameworksNetTests
Change-Id: I11168fd07a7c29e0605f2e874e9d9f41b5ad88b6
Merged-In: Ifd18d1c6ad708c1dbc793f03d8241f572af50317
(cherry picked from commit 6d3a92f7c2)
Carriers in Mainland China need to customize certain captive portal
urls. The main issue is that google servers are not accessible in
Mainland China.
Added the following captive portal resources to be targeted for overlay.
- config_captive_portal_http_url
- config_captive_portal_https_url
- config_captive_portal_fallback_urls (string-array)
- config_captive_portal_fallback_probe_specs (string-array)
These values can be customized for e g diffent countries
Bug: 111819230
Test: atest FrameworksNetTests NetworkStackTests
Test: Add a product RRO that targets a specific country code,
insert a SIM card that matches that country code and check the log
what URL is used.
Merged-In: I54050b28bbfb93e0b7e509dbe0e987a0b902b7d9
Merged-In: I1f734c5f864bb2f2bc8ba1a66fe33d3480554f69
(cherry picked from commit e3896f71e1)
Change-Id: I278f2888851d38edb59157f8623541fbe94549b6
This follow-up change performs some cleanup changes without affecting
functionality
Bug: 72950854
Test: Compiles, CTS tests using this pass
Change-Id: Ic7394f24f11d713c9374b438182e29d2a02ea236
Since the Framework net test require jni library
libnetworkstatsfactorytestjni, but the test fails to load that library
unless *all* the dependencies of that library are explicitly listed in
jni_libs, whenever any of the dependencies changes the framework net
test will start failing and it might not be catched since the change
might not related to frameworks/base. And this smoke test is aimed to
spot those native library changes and it should be stable enough to put
in global presubmit.
Bug: 124764595
Test: FrameworksNetSmokeTests
Change-Id: Id24e7f0558b5643e4ad7393e85f1f0a2bd875615
This patch fixes a bug where if a binder dies before the linkToDeath
call, the cleanup will be performed before the entry is added to the
array. While it is safe in that quotas and tracking performs as per
normal, the RefcountedRecord may not be cleaned up.
Rethrowing this exception is safe, since the only paths that would hit
this are all on binder threads coming from applications. Further, it
seems there is only one real way of this getting hit - if the app that
called the creation died during the binder call.
Bug: 126802451
Test: Compiled, CTS tests passing
Change-Id: Ib955acaa5e498c0e977cb5f2e48cffbc9fea8c7c
Merged-In: I6db75853da9f29e1573512e26351623f22770c5d
Merged-In: I416c2e43961ec0e1cc6b2fbcef970fbce858603b
Merged-In: Ib955acaa5e498c0e977cb5f2e48cffbc9fea8c7c
(cherry picked from commit a7bfdf8d8b)
am: 35d521ed42 -s ours
am skip reason: change_id Idf24f42a86bbfcc89e3ea8cf50d1b705d72ac613 with SHA1 061f7a7eef is in history
Change-Id: I6e9043be4c28b73856b72f80971e2b66f8b8926b
Cherry-pick from commit 061f7a7eef,
with small conflict resolution.
Bug: 129510344
Test: m, boots, wifi connects, resolves DNS
Change-Id: Idf24f42a86bbfcc89e3ea8cf50d1b705d72ac613
Merged-In: Idf24f42a86bbfcc89e3ea8cf50d1b705d72ac613
Merged-In: Ia08104f839ef37139a8761e2e625bb10c94c275f
am: 0bf3e765f8 -s ours
am skip reason: change_id I7f185e731db91c30a9b0f14aefbdbb067942190e with SHA1 716a9412cd is in history
Change-Id: I6eddfc7bae967c76c63521b7fbcabd78a913bfd4
am: d74809c670 -s ours
am skip reason: change_id Idf040a67e53d9b9ec6e6c647ce24f8ada501d355 with SHA1 a06b814245 is in history
Change-Id: Ic9b6b8c2ca4aabd3ed18291a94992a2b67286064
