Commit Graph

1847 Commits

Author SHA1 Message Date
paulhu
6c93075645 Fix security problem on PermissionMonitor#hasPermission
PermissionMonitor#hasPermission only checks permissions that app
requested but it doesn't check whether the permission can be
granted to this app. If requested permission isn't granted
to app, this method still returns that app has this permission.
Then PermissionMonitor will pass this info to netd that means
this app still can use network even restricted network without
granted privileged permission like CONNECTIVITY_INTERNAL or
CONNECTIVITY_USE_RESTRICTED_NETWORKS.

Bug: 144679405
Test: Build, flash, manual test
Change-Id: Iae9c273af822b18c2e6fce04848a86f8dea6410a
Merged-In: I8a1575dedd6e3b7a8b60ee2ffd475d790aec55c4
Merged-In: I2da730feda4d7ebed1f158b073167bb3964b3e7d
2019-12-18 07:17:28 +00:00
Lorenzo Colitti
b316f633e5 Support strict mode private DNS on VPNs that provide Internet.
Currently, strict mode private DNS does not work on VPNs because
NetworkMonitor does not validate VPNs. When a VPN connects, it
immediately transitions to ValidatedState, skipping private DNS
hostname resolution.

This change makes NetworkMonitor perform private DNS hostname
resolution and evaluation even on VPNs.

In order to ensure that the system always immediately switches to
the VPN as soon as it connects, remove the unvalidated penalty
for VPN networks. This ensures that the VPN score is always 101
and the VPN always outscores other networks as soon as it
connects. Previously, it would only outscore other networks
when no-op validation completed.

Backport of c455822846.

Bug: 122652057
Test: atest FrameworksNetTests
Test: manually ran a VPN with private DNS in strict mode
Test: atest android.net.cts.ConnectivityManagerTest com.android.cts.net.HostsideVpnTests
Change-Id: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
2019-12-11 20:19:40 +09:00
TreeHugger Robot
376b30f985 Merge "Revert "Revert "Update VPN capabilities when its underlying network set is null.""" into pi-dev 2019-03-19 02:00:38 +00:00
TreeHugger Robot
182784fea4 Merge "Remove ConnectivityManager and its usages from NetworkStatsService." into pi-dev 2019-03-19 02:00:38 +00:00
Varun Anand
bf1d84cc4e Revert "Revert "Update VPN capabilities when its underlying network set is null.""
This reverts commit c0e7f75e70.

Reason for revert: Retargeted for June monthly release

Bug: 119129310

Change-Id: I9d543415c5707859cfa2a14a1a8ce5909aae7d11
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
2019-03-14 18:31:55 +00:00
Varun Anand
c0e7f75e70 Revert "Update VPN capabilities when its underlying network set is null."
This reverts commit bfabfe0ab3.

Bug: 126245192

Reason for revert: This change can lead to a deadlock that was fixed in http://ag/6580635. However, platform PMs think that fixing this is risky enough as this is not a recent problem and has been in the field for 3/4 of the year.

Note: The merged-in tag is used to avoid this change from getting merged into pi-dev-plus-aosp. This is to avoid merge conflicts since we mostly work in aosp/master which merges into pi-dev-plus-aosp.

Change-Id: I3814bcec87efb059f50f00617406501aaeac3b4d
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
2019-03-07 06:13:03 +00:00
Varun Anand
5455c0ee6f Remove ConnectivityManager and its usages from NetworkStatsService.
NSS needed it for getting VpnInfo[], NetworkState[] and
activeLinkProperties which it used to query via ConnectivityManager.

For VpnInfo[], this was racy as NSS may ignore intermediate changes to a
VPN's underlying networks. See http://b/123961098 for more context.

It may also lead to deadlocks b/w ConnectivityService and
NetworkStatsService. See http://b/126245192 for more info.

This change will ensure that NSS is never contending on any of
ConnectivityService locks.

This change also is cherry-picking cleanup made to NSS in
http://aosp/628368.

Bug: 123961098
Bug: 126245192
Bug: 120145746
Test: atest FrameworksNetTests
Change-Id: Ia687845888434c8ddd24bdf44b4c70dfe80e03f5
Merged-In: I57e117bb4e9efe491b19d6b5a479f2d58d1c58e6
2019-03-01 03:32:23 +00:00
Varun Anand
bfabfe0ab3 Update VPN capabilities when its underlying network set is null.
Previously, they were only updated when underlying network set was
non-null.

This change also ensures that all the calls b/w ConnectivityService and
Vpn that lead to updating capabilities are on ConnectivityService
handler thread.

Additionally, it also ensures that capabilities are propagated after VPN
enters connected state.

This change also updates VPN capabilities inline from
ConnectivityService handler thread. Previously, there was an additional
loop where Vpn would update capabilities via NetworkAgent thru
AsyncChannel which posts back to CS handler thread, which could
potentially lead to delays in updating VPN capabilities.

Bug: 119129310
Bug: 118856062
Bug: 124268198
Test: atest FrameworksNetTests
Test: manual - verified VPNs capabilities are getting updated and
DownloadManager is working correctly.

(cherry picked from commit 4fa80e8a2f03557221e0371a987e780df7788faa)

Change-Id: Iae5f2024b19df04c31938815b52687781d016cde
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
2019-02-20 18:37:44 +00:00
markchien
20f6d0a3b9 DO NOT MERGE fix some linkproperties configs missing
In handleUpdateLinkProperties(), it will always assign newLp
to nai first. Then, the copied newLp would add some configurations
ex: private dns/clatd. This updated newLp wouldn't be assigned back to
nai when linkproperties is not changed.

Bug: 113637648
Test: - build, flash, booted
      - atest FrameworksNetTests
      - run CtsNetTestCases

Change-Id: I9e25e46718e076d4afa784ee5e1d3abbe0f11911
2018-12-11 09:31:50 +00:00
Erik Kline
37a4409ea2 Push DNS configuration on network validation
Test: as follows
    - built, flashed, booted
    - runtest frameworks-net passes
    - connected to captive portal network,
      saw failed validation attempt (opportunistic),
      passed portal, saw successful revalidation attempt
Bug: 64133961
Bug: 72344805
Bug: 109928338
Merged-In: Ic2046e053faf58e2edf2824e01145c61a9f2991f
Merged-In: I209c38fab7f05909e61731a348b1b1a2b35feab2
Change-Id: I0471685c2234af8a8c7f5b2ad3205eb6e36333c5
2018-07-04 12:17:18 +09:00
Erik Kline
359d4c6d61 Prefer default Internet network for upstream tethering.
Rather than use the crufty config.xml list of upstream transport types,
use ConnectivityService's notion of the default network for the upstream.
In cases where a DUN network is required and the default network is
currently a mobile network, look for a DUN network (code in Tethering
is currently responsible for requesting one).

Test: as follows
    - built, flashed, booted
    - runtest frameworks-net
    - tethered via mobile, joined captive portal network, maintained
      laptop access via mobile until captive passed (then used wifi)
    - disabled client mode wifi, disabled mobile data, plugged in
      ethernet adapter, observed connectivity via ethernet
Bug: 32163131
Bug: 62648872
Bug: 63282480
Bug: 109786760
Bug: 110118584
Bug: 110260419
Change-Id: I925b75994e31df8046f3ef9916a2457b4210485e
2018-06-19 20:57:21 +09:00
junyulai
6adee26d73 Copy clat modified linkProperties into new one.
updateLinkProperties copied the linkProperties in networkAgent,
but the clat fix-up function did not copy stacked link into new one.
This caused an incorrect clat iface removal, and the IPv4 network
to be unreachable.

Bug: 80261579
Test: 1. ping after ipv6 only data call with 2g voice call on/off
      2. runtest frameworks-net
      3. run cts -m CtsNetTestCases
Change-Id: Ide47a3b0680dddfcf3e2e759a59b19aee3605050
2018-06-06 03:55:36 +00:00
Lorenzo Colitti
614891d0d3 Don't complain if a VPN changes capabilities.
VPNs are not driven by NetworkRequests, so there's no risk of a
capability change on a VPN causing a connect/teardown loop.

Bug: 80439912
Test: builds, boots
Change-Id: Ic4c489ccc9fb97551d1ef440766f6cf6f99522db
2018-05-30 21:34:23 +09:00
Chalard Jean
d9fffc3510 Destroy networks as soon as they are disconnected.
...as opposed to after the async channel finished disconnecting.

Bug: 78308259
Test: runtest frameworks-net
      also used a device with this patch over the weekend and
      tried all I could think of

Change-Id: I77ad6d97abb20815b801a794eaa9685acf2d1173
2018-05-24 11:44:10 +09:00
Chalard Jean
8397a84ea8 Fix a ConcurrentModificationException crash.
This is a pinpoint fix against the bug listed below. While a client
is synchronously reading the LinkProperties of a network, the
ConnectivityServiceThread is updating its properties. Make sure
that update is done atomically.

This is a stopgap countermeasure against a problem that is
pervasive with usage of LinkProperties, but fixing the problem
itself will happen later.

Bug: 80077223
Test: runtest frameworks-net
Change-Id: I9302f8fb5303cb39aa82691d4f6d7f38707a41fa
2018-05-23 10:48:02 +09:00
Chalard Jean
d4f01cadc0 Fix: VPNs update caps upon underlying network disconnect.
Bug: 79748782
Test: ConnectivityServiceTests still pass
Change-Id: Ic8231b18a17e6feb5ebafe8d5688fb59f9d4d58e
2018-05-22 18:49:58 +09:00
Erik Kline
a7edf6ff56 Add explicit override for default Private DNS mode
Test: as follows
    - built
    - flashed
    - booted
    - runtest frameworks-net passes
Bug: 79719289
Change-Id: I943c5476666e47d04690626e2133f501cb875b46
2018-05-17 17:41:12 +09:00
Chalard Jean
f2da177b59 Fix SSID not being logged by the validation logs
Also add it in the logs of the notification manager.

Bug: 78547904
Test: manual
Change-Id: I262e65efadb00e1efce5056771978053f304ca6f
2018-05-09 18:11:10 +09:00
Erik Kline
78b85e6ca3 Add static IpClient logging
Support keeping IpClient logs around and dumping them
during dumpsys.  Previously we got this benefit for
wifi by virtue of WifiStateMachine's long-lived nature.
Now that this is changing we need to be sure we have
logs, and this method gets us Ethernet logs as well.

Bug: 62476366
Bug: 77999594
Test: as follows
    - built
    - flashed
    - booted
    - runtest frameworks-net passes
    - dumpsys connmetrics [ipclient] works
Change-Id: I1136a83de8097fdb4130debe1eaf689be7132fe5
2018-05-02 21:53:17 +09:00
Bernie Innocenti
f1089bfa95 apf: Add counters for dropped / passed packets
ApfFilter maintains separate counters for each reason why a packet was
passed or dropped by the filter logic.

There's also a total which should match the individual counters,
*unless* the APF interpreter aborted execution early due to an illegal
instruction or an out-of-bounds access.

Test: both on APFv2 and APFv4-capable device:
	runtest -x tests/net/java/android/net/ip/IpClientTest.java
	runtest -x tests/net/java/android/net/apf/ApfTest.java
	manual tests connected to an AP
Bug: 73804303
Change-Id: I54b17fcbb95dfaea5db975d282314ce73d79d6ec
2018-04-27 23:30:23 +09:00
Chalard Jean
46adcf3089 Make sure getActiveNetwork is consistent with default callbacks
Bug: 77737389
Test: runtest framework-net
      new tests don't pass without the main code change, but they
      do with it
Change-Id: I0cd83a935ab0b349aa47e065b830e5a43ab9a091
2018-04-24 17:32:00 +09:00
Chalard Jean
fd424b90be Add tests for getActiveNetwork.
Bug: 77737389
Test: runtest frameworks-net
Change-Id: I03ae2bbb08559f2cd44979e291c1f5d50eb215da
2018-04-24 15:23:28 +09:00
Chalard Jean
48bb49deff Let DnsManager fill in LinkProperties for private DNSes
Test: new tests pass
Bug: 73641539
Change-Id: I971ef4d27b22a435d7459e1c4b31a8715ef6e610
2018-04-23 13:58:42 +09:00
Chalard Jean
61da83e13d Guard the SSID with NETWORK_SETTINGS
Bug: 77865258
Test: manual
Change-Id: I01d4ec7366382d42847c823ae6056222a012c504
2018-04-16 13:29:22 +09:00
Chalard Jean
7048e64ed1 Notif manager and captive portal app to read SSID again
Bug: 77114259
Test: frameworks-net pass
      manual test shows the SSID is now displayed again

Change-Id: I5cb2b4777ad78d972031e8f2ff22e2155f4ab894
2018-04-13 15:38:36 +09:00
Chalard Jean
3ec2c0fc84 Add a new ssid field in NetworkCapabilities.
Bug: 77891227
Test: frameworks-net
Change-Id: Ifba33ecd48ccecce7e8f8d05ff70bb85653f6163
2018-04-13 15:38:35 +09:00
dalyk
488df2dfa0 Trigger NetworkCallback events when private DNS usage has changed.
Relies on events sent from netd in aosp/578162.

Test: Added tests to ConnectivityServiceTest. Added a new test
class DnsManagerTest. Built a simple app that appears to
receive onLinkProperties events correctly upon manual changes
to the private DNS settings on a Pixel.
Bug: 71828272

Merged-In: I1e6c54ba016f6a165a302bd135a29d9332aaa235
Merged-In: I7705412803fb9aa707a18ae5a1c50292e084d851
Change-Id: I3223c1285a73d5d531c5051ce70007857caa57e3
(cherry picked from commit 7301aa4140baefb549a737f033fc512e87c55692)
2018-04-09 23:04:20 -07:00
Erik Kline
471ce709e8 Move the logic of (re)evaluation of Private DNS
Moves this out of ConnectivityService and into each NetworkMonitor
(where it's more self-contained).

Test: as follows
    - builds, flashes, boots
    - runtest frameworks-net passes
    - manual testing with working and non-working hostnames behaves
      somewhat (but not entirely) as expected, and not always quickly
Bug: 64133961
Bug: 72345192
Bug: 73872000
Bug: 77140445
Merged-In: I5dc90ecfe6f6f10967b7501645ad8e030cb38982
Merged-In: Ida4967d22f0781524f0f269e30e653b8ec867258
Change-Id: Ic4322af3cb49149f2d975cb31f54b2ac7927f907
(cherry picked from commit 736353a584aa89a29e737e21e29c49fad0d38a63)
2018-04-05 19:18:47 -07:00
Erik Kline
9a30db497c Support bypassing TLS in the framework
This change comprises the following parts:

    [1] android.net.dns.ResolvUtil, containing methods that encapsulate the
        use of the high bit in netids used in DNS resolution contexts.

    [2] Updates to captive portal apps to call the ResolvUtil method that
        enables DNS-over-TLS bypass for the captive portal app process.

Test: as follows
    - builds
    - flashes
    - boots
    - runtest frameworks-net passes
Bug: 64133961
Bug: 72345192

Merged-In: I0994b53d24ed25a2eb9e65429c61cf6fa87c7513
Merged-In: I4c49e23d8caa4d485df1c1d2f135a7282d439c0b
Change-Id: I2072c1f68d6978fa0d7e9d8693135a2c51bb0f87
(cherry picked from commit 2140529d9b8e116d88c2a385a0b3179c2ede5ad7)
2018-04-03 15:36:02 -07:00
Erik Kline
126502d506 Refactor isTetheringSupported() calls
Tethering currently wants access to complex isTetheringSupported
logic that is only available in ConnectivityService. Instead of
trying to access that via ConnectivityManager, pass this capability
in to Tethering directly, in the TetheringDependencies object.

Also:
    - ConnectivityManager is only a source of static constants now,
      so "import static" all the constants that are actually used.

Test: as follows
    - built
    - flashed
    - booted
    - runtest frameworks-net works
    - manual USB towards WiFi tethering works
Bug: 68951715

Merged-In: Ifa121b057f9959ddb980edc940327929e48ea973
Merged-In: Iad6358dc2f1d10b322d22ec90543adc50882962d
Change-Id: Ia64faaadefb4a5d84a50da98bdebd544b6fda101
(cherry picked from commit 465ff3a0c1da8afd5cb13b25ed9a3c95ee0dd2c4)
2018-04-02 16:59:23 -07:00
Remi NGUYEN VAN
ef7e3afa1e Add method to NetworkStatsService for UID stats.
Useful for clients such as BatteryStats which currently rely
on NetworkStatsFactory. Data at that stage is incomplete as
it does not account for tethering, VT data and corresponding
464xlat corrections.

Test: runtest frameworks-net, CTS tests pass.
Bug: b/72107146
Merged-In: I31c5b9b4a7c6e72910152415894a137f000a5858
Merged-In: I2527d95000c7500c824ede70f87ecb38e21ed323
(cherry picked from aosp 088ff6824f13145ea52207bdead0d7e454a6f3ce)

Change-Id: Ie80f1bb21124241f3414f9be77aceac9a44ec6d1
2018-03-30 18:58:18 +09:00
Tony Mak
28a696afb4 Merge "Get application info in the correct user id" into pi-dev 2018-03-26 17:04:47 +00:00
Michael West
e0c1ee6414 Merge "add airplane mode shell commands to connectivity" into pi-dev 2018-03-26 16:38:03 +00:00
Tony Mak
2f6bcd9c06 Get application info in the correct user id
Fixes: 76396560

Test: Create work profile and launch hangouts in work profile.
Change-Id: Ic3727ac899153b6a96dd9b6d6921c32ba0bbd93e
2018-03-26 11:58:38 +00:00
Erik Kline
c54b9cb71a Pass all relevant resolver info to netd
Test: runtest frameworks-net passes
Test: manual testing of opportunistic and strict mode works
Bug: 34953048
Bug: 64133961
Bug: 72345192
Merged-In: I96f7747b8f0bb38d95579b688b4c2d068f1229cf
Merged-In: Ia4d896c4cc33c02f0c46d5d4c760cc33b13dff0b
Change-Id: Ia4f1905e1fa60e7a468c2246fb809191d2ba796b
(cherry picked from commit e5dac904d361a349f1cfc48500a678d22e3a7316)
2018-03-23 21:59:24 -07:00
mswest46
32928412a2 add airplane mode shell commands to connectivity
Fixes: 74410990
Test: Manually checked that commands enable/disable airplane mode.

Change-Id: I942bd4679fcd498a39b9b2cab68e8d3c00ce62d3
2018-03-24 01:53:45 +00:00
Chalard Jean
38354d1f60 Have PermissionMonitor arbiter which app can access background networks
This will let ConnectivityService send the right callbacks to the
relevant apps.

Test: manual with apps
      runtest frameworks-net
      cts
      new tests for this functionality
Bug: 67408339

Change-Id: I6f08efd9e73c7e191f833d7f307a3bf4c9e2f0b4
2018-03-23 13:37:56 +09:00
Chad Brubaker
caced413da Expose CONNECTIVITY_ACTION to Instant Apps
Test: Broadcast is visible to Instant Apps
Bug: 69421898
Change-Id: I8435e7723cf7a722668b97ff087d1f4453d3e7b7
2018-03-08 10:37:09 -08:00
Andreas Gampe
85c8c3d822 Connectivity: Fix map access
Found by Errorprone.

Bug: 73288226
Test: mmma frameworks/base/services
Merged-In: I1c4b35811c72d389e53e28c3eb1b411009471b92
Merged-In: Ice91ac58257551485231da4664027a281237de4b
Merged-In: I7d2f578b54c69139be8b887a2381ac1b2e0673a3
Change-Id: I63edad58dbc909c1e772bde85a1b9dd98c551fb1
(cherry picked from commit 3ba8106c23cdf518527f75beaabb48bf3182fb4d)
2018-03-07 11:36:57 +09:00
Chalard Jean
0a8dbc7886 Merge "Give apps with NETWORK_SETTINGS right to see any VPN." am: faed85f2b0 am: 331e50f601
am: ec7c68cb2b

Change-Id: I9a9d0eb212f6de105abc070a1eb5ff698b4e67bc
2018-03-02 13:25:02 +00:00
Chalard Jean
ec7c68cb2b Merge "Give apps with NETWORK_SETTINGS right to see any VPN." am: faed85f2b0
am: 331e50f601

Change-Id: I7f08217c5abc86a8784b91145f1b02d6693b3919
2018-03-02 13:17:23 +00:00
Chalard Jean
9a396cc3c6 Give apps with NETWORK_SETTINGS right to see any VPN.
...not only the ones that apply to them.

Bug: 73217368
Test: runtest frameworks-net and CTS
Change-Id: I436972a3e51e98bdd815771b451bcedadf684763
2018-03-02 17:10:11 +09:00
nharold
2b1592206b Merge "Fix ConnectivityServiceTest for NATT Keepalive" am: cab3e6009c am: 4e2e3f823b
am: 3a5a4efd8a

Change-Id: I2ce9d740b82f591b847150ec1eaffa39bfbd0241
2018-02-20 23:21:59 +00:00
nharold
3a5a4efd8a Merge "Fix ConnectivityServiceTest for NATT Keepalive" am: cab3e6009c
am: 4e2e3f823b

Change-Id: I3c28cbb55f8226776792df9cacf1b5e527389157
2018-02-20 23:07:53 +00:00
nharold
cab3e6009c Merge "Fix ConnectivityServiceTest for NATT Keepalive" 2018-02-20 19:17:23 +00:00
Chalard Jean
0bf8c2522a Merge changes Ic28c5653,Ic635f97b am: 0ca21cfdfe am: a0402e1baa
am: a9b555cfa1

Change-Id: Ieea9917b3a68e08686c74ebf39e5fed61f641a7a
2018-02-19 08:36:01 +00:00
Chalard Jean
a9b555cfa1 Merge changes Ic28c5653,Ic635f97b am: 0ca21cfdfe
am: a0402e1baa

Change-Id: I6596fae1946bffade125a14b3bd095eda557a7a5
2018-02-19 08:24:47 +00:00
Chalard Jean
0bfcb6c5b2 Merge "Don't refcount TRACK_DEFAULT requests." am: 7207e1a65a am: 04c70248fb
am: e00ba2e603

Change-Id: Ic2b19e9f3f7d8f67cc5854688e5e14ca2a419e66
2018-02-19 04:12:50 +00:00
Chalard Jean
e00ba2e603 Merge "Don't refcount TRACK_DEFAULT requests." am: 7207e1a65a
am: 04c70248fb

Change-Id: Ib3e0e89a9d80546fbf3555cfdf715f2bd8e4ab94
2018-02-19 04:01:17 +00:00
Treehugger Robot
0ca21cfdfe Merge changes Ic28c5653,Ic635f97b
* changes:
  [LT2] Fix release request while lingering.
  [LT1] Add a test for release request while lingering
2018-02-19 03:45:27 +00:00