Currently, strict mode private DNS does not work on VPNs because
NetworkMonitor does not validate VPNs. When a VPN connects, it
immediately transitions to ValidatedState, skipping private DNS
hostname resolution.
This change makes NetworkMonitor perform private DNS hostname
resolution and evaluation even on VPNs.
In order to ensure that the system always immediately switches to
the VPN as soon as it connects, remove the unvalidated penalty
for VPN networks. This ensures that the VPN score is always 101
and the VPN always outscores other networks as soon as it
connects. Previously, it would only outscore other networks
when no-op validation completed.
Bug: 122652057
Test: atest FrameworksNetTests NetworkStackTests
Test: manually ran a VPN with private DNS in strict mode
atest android.net.cts.ConnectivityManagerTest com.android.cts.net.HostsideVpnTests
Change-Id: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
In general, keepalive slots are released after result of
stopping has returned. However, for network disconnect case,
the service side cannot communicate with network agent since
the async channel is broken.
Clean up keepalive slots right after stop in this case.
Bug: 132341736
Test: 1. atest com.android.server.ConnectivityServiceTest \
#testNattSocketKeepalives --generate-new-metrics 100
2. atest FrameworksNetTests --generate-new-metrics 10
Change-Id: Ia30741f71fa72fc117e071976fd73991fa3c9535
This reverts commit bdf7048571.
Reason for revert: Adds dependency between IpSecService and
ConnectivityService may lead to future deadlock
problems. Uses a simpler approach instead,
hence the solution is not needed.
See aosp/954040.
Change-Id: Ibff278a6eee666cd85dba81c2bed94d568679b02
Public APIs for creating unprivileged NATT socket keepalive
might allow users to exhaust resource if malicious apps try
to create keepalives with fd which is not created by
IpSecService through binder call. Thus, this change add
customizable limitation per uid to prevent resource exhaustion
attack.
Bug: 129371366
Bug: 132307230
Test: atest FrameworksNetTests
Change-Id: Ibcb91105e46f7e898b8aa7c2babc3344ef2c6257
This change specifies the required minimum supported keepalives
in SDK, and allows OEMs to customize supported keepalive count
per network through resource overlay.
Bug: 129371366
Test: 1. m -j doc-comment-check-docs
2. atest FrameworksNetTests
Change-Id: I0218f3674628c13ead63fc9a873895ba7f113033
The onUnavailable semantics promise that it is equivalent to calling
the unregister callback method. But - it doesn't unregister the callback
allowing it to be reused. Fixed.
Additionally, modified the unregisterNetworkCallback method to not fail
on duplicate unregistration (since a callback could now self
unregister). Instead simply print a log.
Bug: 130651445
Test: atest ConnectivityServiceTest
Change-Id: I4c54b003a733eb0b1e4fd8674ed13081b1bef8e3
This reverts commit 2bb85a0bc0.
Reason for revert: Adds dependency between IpSecService and
ConnectivityService may lead to future deadlock
problems. Uses a simpler approach instead,
hence the solution is not needed.
See aosp/954040.
Change-Id: If6d537a39595cf132d3ed81d4eaac6700f5f0ab3
Delete the unused NetworkManagementService API for set/remove
permissions. Use PERMISSION_NONE to replace NO_PERMISSIONS so the
framework now use the same set of permission constant when communicate
with netd.
Bug: 128944261
Test: PermissionMonitorTest.java
Change-Id: I25224c9576f52d2a0a0bd2182325c7aac7b28eb5
Remove definition of TYPE_NATT and TYPE_TCP since the type
can be identified by checking message.obj is an instance of
NattKeepalivePacketData or TcpKeepalivePacketData.
It's more simple and won't have dependency on KeepaliveInfo.
Bug: 33530442
Test: atest FrameworksNetTests
atest NetworkStackTests
Change-Id: Ic97ffe9ff5781778efd264460809f5059f0f4230
Support adding NATT keepalive packet filter to APF
filter.
Generating APF program will be addressed in another CL.
Bug: 33530442
Test: - atest NetworkStackTests
- atest FrameworksNetTests
Change-Id: I4961d5da343d8700600269632787c28112f0f9f1
