am skip reason: Change-Id Iae9c273af822b18c2e6fce04848a86f8dea6410a with SHA-1 6c93075645 is in history
Change-Id: Ifa87cac191ad07937dc70770ff74a9d025131a40
PermissionMonitor#hasPermission only checks permssions that app
requested but it doesn't check whether the permission can be
granted to this app. If requested permission doens't be granted
to app, this method still returns that app has this permission.
Then PermissionMonitor will pass this info to netd that means
this app still can use network even restricted network without
granted privileged permission like CONNECTIVITY_INTERNAL or
CONNECTIVITY_USE_RESTRICTED_NETWORKS.
Bug: 144679405
Test: Build, flash, manual test
Change-Id: Iae9c273af822b18c2e6fce04848a86f8dea6410a
Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
Merged-In: I2da730feda4d7ebed1f158b073167bb3964b3e7d
PermissionMonitor#hasPermission only checks permssions that app
requested but it doesn't check whether the permission can be
granted to this app. If requested permission doens't be granted
to app, this method still returns that app has this permission.
Then PermissionMonitor will pass this info to netd that means
this app still can use network even restricted network without
granted privileged permission like CONNECTIVITY_INTERNAL or
CONNECTIVITY_USE_RESTRICTED_NETWORKS.
Bug: 144679405
Test: Build, flash, manual test
Change-Id: I5eba4909e4c2e1d9f275f66be90ac36466b93e90
Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
Merged-In: Iae9c273af822b18c2e6fce04848a86f8dea6410a
Currently, strict mode private DNS does not work on VPNs because
NetworkMonitor does not validate VPNs. When a VPN connects, it
immediately transitions to ValidatedState, skipping private DNS
hostname resolution.
This change makes NetworkMonitor perform private DNS hostname
resolution and evaluation even on VPNs.
In order to ensure that the system always immediately switches to
the VPN as soon as it connects, remove the unvalidated penalty
for VPN networks. This ensures that the VPN score is always 101
and the VPN always outscores other networks as soon as it
connects. Previously, it would only outscore other networks
when no-op validation completed.
Backport of c455822846.
Bug: 122652057
Test: atest FrameworksNetTests
Test: manually ran a VPN with private DNS in strict mode
Test: atest android.net.cts.ConnectivityManagerTest com.android.cts.net.HostsideVpnTests
Change-Id: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
Support faking out the DNS lookups used by NetworkMonitor to
resolve strict mode DNS, and add more test coverage.
These tests were partly adapted from tests we have in Q but
also contain new coverage. This is because in Q the interface
between ConnectivityService and NetworkMonitor changed
substantially, and it is impractical to backport
NetworkMonitorTest.
Bug: 122652057
Test: atest FrameworksNetTests
Change-Id: I6497b7efa539267576d38d3036eef0af0df4e9cb
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
This reverts commit c0e7f75e70.
Reason for revert: Retargeted for June monthly release
Bug: 119129310
Change-Id: I9d543415c5707859cfa2a14a1a8ce5909aae7d11
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
This reverts commit bfabfe0ab3.
Bug: 126245192
Reason for revert: This change can lead to a deadlock that was fixed in http://ag/6580635. However, platform PMs think that fixing this is risky enough as this is not a recent problem and has been in the field for 3/4 of the year.
Note: The merged-in tag is used to avoid this change from getting merged into pi-dev-plus-aosp. This is to avoid merge conflicts since we mostly work in aosp/master which merges into pi-dev-plus-aosp.
Change-Id: I3814bcec87efb059f50f00617406501aaeac3b4d
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
NSS needed it for getting VpnInfo[], NetworkState[] and
activeLinkProperties which it used to query via ConnectivityManager.
For VpnInfo[], this was racy as NSS may ignore intermediate changes to a
VPN's underlying networks. See http://b/123961098 for more context.
It may also lead to deadlocks b/w ConnectivityService and
NetworkStatsService. See http://b/126245192 for more info.
This change will ensure that NSS is never contending on any of
ConnectivityService locks.
This change also is cherry-picking cleanup made to NSS in
http://aosp/628368.
Bug: 123961098
Bug: 126245192
Bug: 120145746
Test: atest FrameworksNetTests
Change-Id: Ia687845888434c8ddd24bdf44b4c70dfe80e03f5
Merged-In: I57e117bb4e9efe491b19d6b5a479f2d58d1c58e6
Previously, they were only updated when underlying network set was
non-null.
This change also ensures that all the calls b/w ConnectivityService and
Vpn that leads to updating capabilities are on ConnectivityService
handler thread.
Additionally, it also ensures that capabilities are propagated after VPN
enters connected state.
This change also updates VPN capabilities inline from
ConnectivityService handler thread. Previously, there was an additional
loop where Vpn would update capabilities via NetworkAgent thru
AsyncChannel which posts back to CS handler thread, which could
potentially lead to delays in updating VPN capabilities.
Bug: 119129310
Bug: 118856062
Bug: 124268198
Test: atest FrameworksNetTests
Test: manual - verified VPNs capabilities are getting updated and
DownloadManager is working correctly.
(cherry picked from commit 4fa80e8a2f03557221e0371a987e780df7788faa)
Change-Id: Iae5f2024b19df04c31938815b52687781d016cde
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
In handleUpdateLinkProperties(), it will always assign newLp
to nai first. Then, the copied newLp would add some configurations
ex: private dns/clatd. This updated newLp wouldn't be assigned back to
nai when linkproperties is not changed.
Bug: 113637648
Test: - build, flash, booted
- atest FrameworksNetTests
- run CtsNetTestCases
Change-Id: I9e25e46718e076d4afa784ee5e1d3abbe0f11911
When using xt_qtaguid to count per uid stats,
NetworkStatsService needs to adjust the 464xlat traffic since
iptables module would double count for ipv4 and ipv6 packet.
But for eBPF, the per uid stats is collected in a different
hook, so the adjustment on root uid would only be needed in tx
direction.
Bug: 112226716
Test: 1. Make ipv4 traffic in ipv6-only network and check data
usage.
2. Make ipv4 traffic in a client which connect to
ipv6-only hotspot.
3. runtest frameworks-net
4. cts-tradefed run cts -m CtsNetTestCases -t \
android.net.cts.TrafficStatsTest
5. cts-tradefed run cts -m CtsUsageStatsTestCases
Change-Id: Ic9a84f5446eddc943c255d5f3b89dad171f53cac
Merged-In: Ic9a84f5446eddc943c255d5f3b89dad171f53cac
(cherry picked from commit c33ac0d43b594f6154accf03ae7e3fd34dedc79d)
Several java files had the typo {#link (for cross-references to other
Javadocs) instead of the proper {@link format. This was confusing the
new doc publish tool (Mivi) since that's the format used for {# Django
comments #}.
Fixed a couple of links that had other errors (which prevented building
once the {# -> {@ was done) and other typos.
Replaced throughout the frameworks/base project; I'll need a separate CL
for the AndroidX fixes.
Staged to:
go/dac-stage/reference/android/app/Instrumentation.html
go/dac-stage/reference/android/bluetooth/BluetoothAdapter.html
go/dac-stage/reference/android/bluetooth/BluetoothDevice.html
go/dac-stage/reference/android/bluetooth/BluetoothServerSocket.html
go/dac-stage/reference/android/inputmethodservice/InputMethodService.html
go/dac-stage/reference/android/view/KeyCharacterMap.html
go/dac-stage/reference/android/view/KeyEvent.html
go/dac-stage/reference/android/media/AudioManager.html
go/dac-stage/reference/android/net/wifi/WifiConfiguration.html
(Other files were not in the public Javadocs.)
Bug: 111925950
Test: make ds-docs
Exempt-From-Owner-Approval: Docs-only change
Change-Id: Ia06e1fffd814671289a1caebd5962aedc18a28d7
Merged-In: Ia06e1fffd814671289a1caebd5962aedc18a28d7
Rather than use the crufty config.xml list of upstream transport types,
use ConnectivityService's notion of the default network for the upstream.
In cases where a DUN network is required and the default network is
currently a mobile network, look for a DUN network (code in Tethering
is currently responsible for requesting one).
Test: as follows
- built, flashed, booted
- runtest frameworks-net
- tethered via mobile, joined captive portal network, maintained
laptop access via mobile until captive passed (then used wifi)
- disabled client mode wifi, disabled mobile data, plugged in
ethernet adapter, observed connectivity via ethernet
Bug: 32163131
Bug: 62648872
Bug: 63282480
Bug: 109786760
Bug: 110118584
Bug: 110260419
Change-Id: I925b75994e31df8046f3ef9916a2457b4210485e
updateLinkProperties copied the linkProperties in networkAgent,
but the clat fix-up function did not copy stacked link into new one.
This caused an incorrect clat iface removal, and the IPv4 network
to be unreachable.
Bug: 80261579
Test: 1. ping after ipv6 only data call with 2g voice call on/off
2. runtest frameworks-net
3. run cts -m CtsNetTestCases
Change-Id: Ide47a3b0680dddfcf3e2e759a59b19aee3605050
VPNs are not driven by NetworkRequests, so there's no risk of a
capability change on a VPN causing a connect/teardown loop.
Bug: 80439912
Test: builds, boots
Change-Id: Ic4c489ccc9fb97551d1ef440766f6cf6f99522db
These new tests ensure that VPNs report the meteredness of their
underlying networks correctly. The added test verifies VPN meteredness
for cases of metered and unmetered WiFi and Cell
Bug: 78644887
Test: This; ran on walleye-eng
Change-Id: I28bdc71a336bfd97f7908455d4781d774df44b87
This patch corrects ConnectivityController's meteredness checks to
perform correct meteredness checks while VPNs are running. This fixes a
bug in O-MR1 where any apps using the DownloadProvider with unmetered
network constraints fail to start while the VPN is enabled.
This change adds a bespoke method for ConnectivityController, allowing
it to correctly identify the meteredness without affecting public API
surfaces.
Bug: 78644887
Test: Built, flashed on Walleye, and tested.
Test: Additional test coverage in subsequent patch(es).
Change-Id: Ie1d11d93d51d936ce81cd5984af61bde30325983
...as opposed to after the async channel finished disconnecting.
Bug: 78308259
Test: runtest frameworks-net
also used a device with this patch over the weekend and
tried all I could think of
Change-Id: I77ad6d97abb20815b801a794eaa9685acf2d1173
The probes allow testing for a configurable status code and location
header (regexes). They are disabled by default, so this CL is a
no-op unless the probe configurations are pushed.
Bug: b/79499239
Test: tests in CL pass, manual: captive portal login works
Change-Id: I785723aaed06054b9aa8ebff77803f23d7836db9
NTP may be necessary in order to validate Private DNS certificates,
so it should be allowed to bypass Private DNS.
Test: as follows
- built, flashed, booted
- tcpdump for port 53; adb shell am restart
queries for the NTP hostname appear in the clear
- runtest frameworks-net passes
Bug: 64133961
Bug: 80118648
Change-Id: Id9ceb3fcaaffb48cbbd4cd381d48cae991572c9e
This is a pinpoint fix against the bug listed below. While a client
is synchronously reading the LinkProperties of a network, the
ConnectivityServiceThread is updating its properties. Make sure
that update is done atomically.
This is a stopgap countermeasure against a problem that is
pervasive with usage of LinkProperties, but fixing the problem
itself will happen later.
Bug: 80077223
Test: runtest frameworks-net
Change-Id: I9302f8fb5303cb39aa82691d4f6d7f38707a41fa
Before this change, VPNs having no underlying networks would be
marked as metered as the safe option, but VPNs having only
disconnected underlying networks would be marked as unmetered.
Fix this discrepancy.
Bug: 79748782
Test: runtest frameworks-net
Change-Id: I51c3badde29f43f692f383553bd98327d2da8dd1
Fixes come later. This is complex enough as it is.
Bug: 79748782
Test: new test passes, old tests still pass
Change-Id: I30009f88e68a534c332ca88bae517cacc39a60bb
This is necessary to resolve visibility issues for the next change.
Bug: b/79499239
Test: runtest frameworks-net
Change-Id: I50bc96afe6ae88c8f58a693f0a4e821f1f9b3299
P introduced setSSID, UIDs and unwanted capabilities.
None of these exhibit commutative behavior through combineCapabilities
because their semantics don't allow it. Therefore
NetworkRequest.setCapabilities() is badly broken around any of
these. Look at the comments in the new tests to realize the
extent of the damage.
Bug: 79748782
Test: new tests written, old tests pass
Change-Id: Ie46581bdaf9ecc2f14aab44788bbdb27a3fec8c1
This gives them a way to collect all included values without
resorting to manual probing of each newly added value.
Bug: 16207332
Test: atest com.android.cts.net.HostsideVpnTests
Change-Id: I35ca412512dc8515b44d5518e1ca4caa5bdc678f
Support keeping IpClient logs around and dumping them
during dumpsys. Previously we got this benefit for
wifi by virtue of WifiStateMachine's long-lived nature.
Now that this is changing we need to be sure we have
logs, and this method gets us Ethernet logs as well.
Bug: 62476366
Bug: 77999594
Test: as follows
- built
- flashed
- booted
- runtest frameworks-net passes
- dumpsys connmetrics [ipclient] works
Change-Id: I1136a83de8097fdb4130debe1eaf689be7132fe5
With the new xt_bpf support for iface stats. We no longer need to parse
the per interface stats from /proc/net/dev. And since the old xt_qtaguid
code path also not depend on it, we can completly remove that helper
function since no caller is depending on it now.
Bug: 72111305
Test: runtest frameworks-net -c com.android.internal.net.NetworkStatsFactoryTest
Change-Id: Icb7eaeef0eeb9fdffd32a90316c76ee05bafffbe
Merged-In: Icb7eaeef0eeb9fdffd32a90316c76ee05bafffbe
(cherry picked from aosp commit b815c978b81eee4b1494bd0b9d25bfad52f08b72)
ApfFilter maintains separate counters for each reason why a packet was
passed or dropped by the filter logic.
There's also a total which should match the individual counters,
*unless* the APF interpreter aborted execution early due to an illegal
instruction or an out-of-bounds access.
Test: both on APFv2 and APFv4-capable device:
runtest -x tests/net/java/android/net/ip/IpClientTest.java
runtest -x tests/net/java/android/net/apf/ApfTest.java
manual tests connected to an AP
Bug: 73804303
Change-Id: I54b17fcbb95dfaea5db975d282314ce73d79d6ec
Bug: 77737389
Test: runtest framework-net
new test don't pass without the main code change, but they
do with it
Change-Id: I0cd83a935ab0b349aa47e065b830e5a43ab9a091
