No internet notification may be prompted before partial
connectivity being detected. Partial connectivity status will
be set into NAI and prompted in the Setting. Behavior is not
aligned between Setting and notification. Thus, update
notification again if partial connectivity is detected.
Also, sliently show the updated notification if no internet
notification has already been shown to user to prevent alerting
user in short time.
Bug: 130683832
Test: Verified with simulated partial connectivity
Test: atest FrameworksNetTests
Change-Id: Ie16a8ce6e0fa437048e8c1eea240314ca30e9520
Merged-In: I004e78a33689e2208918d4316bcf9a8f50a0bac3
Merged-In: I14385a39d99a45c4a6a50a665f456f589c2f4da3
(cherry picked from commit a5c68348d89f256cb5f42283d983d05834c7e36c)
Split-tunnel VPN (which are the only ones affected by this change)
always fall through to the default network for routes they don't
handle, and even if the underlying network(s) don't provide access
this may be a pinhole that can actually reach the broader network.
In practice this behaves like the original release of P and is the
safest thing to do for Q. In R we should evaluate giving the VPN
app the ability to simply tell the network stack whether it does
provide Internet access or not.
Bug: 119216095
Test: FrameworksNetTests NetworkStackTests
Change-Id: I262ca41fe0225660551c9a421562405366b6acac
Merged-In: I262ca41fe0225660551c9a421562405366b6acac
(cherry picked from commit 6d5a4a3b1d1c69eb8a542fecf5e8a306822c19b7)
* changes:
Add one more test for VPN usage stats.
Addressing comments for http://ag/7700679.
NetworkStatsService: Fix getDetailedUidStats to take VPNs into account.
Take all VPN underlying networks into account when migrating traffic for VPN uid.
Covers the case where the majority of traffic through the VPN is
caused by the VPN app itself, and ensures that that traffic is
correctly attributed to the VPN app as opposed to spread between
the other apps that use the VPN.
Bug: 120145746
Test: atest NetworkStatsServiceTest
Change-Id: Iffd3f95fc2e11d311691a797b010edb38d2ef3c6
Note, that its in a separate CL so we could cherry-pick this CL to aosp.
http://ag/7700679 is already in aosp.
Bug: 113122541
Bug: 120145746
Test: atest FrameworksNetTests
Change-Id: I7cfda226b4ed11b67002b83b38fba0f5caf96718
(cherry picked from commit 2af0b66aba)
This API is similar to one provided by NetworkStatsFactory with the
difference that NSS also migrates traffic from VPN UID to other apps.
Since traffic can only be migrated over NetworkStats delta, NSS
therefore maintains NetworkStats snapshot across all UIDs/ifaces/tags.
This snapshot gets updated whenever NSS records a new snapshot
(based on various hooks such as VPN updating its underlying networks,
network getting lost, etc.), or getDetailedUidStats API is invoked by
one of its callers.
Bug: 113122541
Bug: 120145746
Test: atest FrameworksNetTests
Test: manually verified that battery stats are migrating traffic off of
TUN (after patching above CL where we point BatteryStats to use this
API).
Change-Id: I4b8d7c5b6905a4a12c1806dfd35c2c4c63610404
VPN uid.
(cherry picked from commit 612520f544)
Bug: 113122541
Bug: 120145746
Test: atest FrameworksNetTests
Test: Manually verified on device that stats from VPN UID are moved
appropriately based on its declared underlying network set.
Test: vogar --mode app_process --benchmark NetworkStatsBenchmark.java
Change-Id: I7f368c5970b2dcb969fe0daf5ef44edb1f51d09d
Also :
- Fix testUidFilteringDuringVpnConnectDisconnectAndUidUpdates that
was failing on devices with a first released SDK >= Q
- Add a test actually tests that the system has the permission, as
the test was only testing what's in the mock
Bug: 119770201
Test: New test making sure this stays true
Merged-In: I74cf5f0fa17fcf818f1fed78c7e3e4375c20152e
Change-Id: I0daa644fbad8e389ad7cfa66c0e3b3480c8bb50a
(cherry picked from commit 629b49d58fe8d108a3d7d47a21471aff913c6b34)
This test is conitnuely fail in cuttlefish.
Lack of ipv6 default route in cuttlefish caused the test failed.
The reason is that the result of rfc6724Sort depends on on the route in system.
It is not good to expect any route should exists, so remove it.
Bug: 133649648
Test: atest DnsUtilsTest
Merged-In: Idc6db433585de067e45088b43665c8e37b310397
(cherry picked from commit 91b35f88429d77ddce0e3f539690e6370b89915b)
Change-Id: Idb6f4c094d3466772e3bfc98a57505bf38f381ef
This is a follow-up commit for aosp/955431 to update commets
and minor updates in unit test.
Test: atest com.android.server.ConnectivityServiceTest#testCaptivePortalOnPartialConnectivity
Bug: 130683832
Change-Id: I581eae8daeddd2c4c186e7b40e27fef2aaa7ab43
Merged-In: I9087ef791b3fee5399ba8e83ef9d8a544845a4dd
Merged-In: I4424663292c5ad29eb7a888fa6975835721a5d2e
(cherry picked from commit 3d3a9fff7b7fa0df4ee627cb082668e642d6f754)
Once a network is determined to have partial connectivity, it
cannot go back to full connectivity without a disconnect. This
is because NetworkMonitor can only communicate either
PARTIAL_CONNECTIVITY or VALID, but not both. Thus, multiple
validation results allow ConnectivityService to know the real
network status.
Bug: 129662877
Bug: 130683832
Test: atest FrameworksNetTests
Test: atest NetworkStackTests
Test: atest --generate-new-metrics 50
NetworkStackTests:com.android.server.connectivity.NetworkMonitorTest
Test: Simulate partial connectvitiy
Change-Id: I406c9368617c03a2dd3ab15fb1f6dbf539d7c714
Merged-In: I243db4c406cca826e803c8035268bc0c6e6e01e2
(cherry picked from commit 4532abd4d2af9ad118873a63cafc6028ed87c52e)
The native services should specify their permissions in platform.xml if
they need internet permission, otherwise the eBPF program will block the
socket creation request. Fixing the known services that are in group
AID_INET but didn't specify their permission in the xml file.
Bug: 132217906
Test: CtsJdwpTestCases dumpsys netd trafficcontroller
Change-Id: I84cde7d3757953bc0bf761727d64a715bcdd68bb
Merged-In: I84cde7d3757953bc0bf761727d64a715bcdd68bb
(cherry picked from commit e5d6f0fa6c3fd77572f5b29f416acbf304abf9da)
When unregistering callback due to ON_UNAVAILABLE did not check for
a non-null callback.
Bug: 132950880
Test: atest ConnectivityServiceTest
Merged-In: Ib3fde31d88c36469cdee1e3578606d130a9817cb
Change-Id: Ib3fde31d88c36469cdee1e3578606d130a9817cb
(cherry picked from commit 51ddc176abd23bd3ddbc26124e5541a983a1db07)
1. pass default network explicitly to fix potential
mis-sync network problem in DnsResolver#query
2. Add rfc6724 sort and related test
3. DnsResolver do rfc6724 sort before response InetAddress answers
4. move haveIpv* function from DnsResolver to DnsUtils
Bug: 129530368
Test: atest DnsResolverTest DnsUtilsTest
Merged-In: I0323f5c7f32fc3fa589b9e87f8e7c9caf744dbd4
(cherry picked from commit d352f4ca85ff8418a5a58d32fb03b85d7e0b843b)
Change-Id: I98455045fa43cc5a5902a08232251c1734feaac3
Our stable AIDL interfaces need to use versioned build targets,
otherwise getVersion will always return 0, which makes it
impossible to support different components at different versions.
List generated with:
find . -name Android.bp -exec egrep \
-H "(netd|dnsresolver|ipmemorystore|networkstack).aidl.interface(s?)-(java|cpp)" {} \; \
| grep -v oemnetd | grep -v tests/
Test: m
Bug: 133124190
(cherry-pick from aosp/968011)
Merged-In: Idf49e840263ef32b9ee4fafa6718d4f893ea7c87
(cherry picked from commit 433f7c4178aaadac7d6a5f6727f39ef83342d436)
Change-Id: I77e2291b52fda24ee01e1b22ddafe4fe7368959e
This notification is shown when the user has already logged in to
the network, so it should not have a question mark on it.
Fix: 130526201
Test: atest FrameworksNetTests
Test: manually signed in to portal
Change-Id: I8250236bc4ba251492a6cb9bf23e67666ef860d3
Merged-In: I8250236bc4ba251492a6cb9bf23e67666ef860d3
(cherry picked from commit fce363555029b92b1532058555797d6ef1afb09c)
Caller should get SecurityException if called
ConnectivityManager#startCaptivePortalApp() w/o
MAINLINE_NETWORK_STACK permission. But now it will not get any
exception and can launch captive portal app successfully.
Bug: 132662433
Test: atest android.net.cts.ConnectivityManagerTest#testStartCaptivePortalApp
w and w/o MAINLINE_NETWORK_STACK permission
Test: atest FrameworksNetTests NetworkStackTests
Change-Id: Ib70fe6fad107f3e9dce9ce673188c5ce5dc1ad7b
Merged-In: I1025da29beb53259f57bd9ca5648b32f2847ed4a
Merged-In: Ib70fe6fad107f3e9dce9ce673188c5ce5dc1ad7b
(cherry picked from commit 72b3ab18ca302a3117f424a0f0ef6c08897c310e)
Delete the unused NetworkManagementService API for set/remove
permissions. Use PERMISSION_NONE to replace NO_PERMISSIONS so the
framework now use the same set of permission constant when communicate
with netd.
Bug: 128944261
Test: PermissionMonitorTest.java
Change-Id: I25224c9576f52d2a0a0bd2182325c7aac7b28eb5
Merged-In: I25224c9576f52d2a0a0bd2182325c7aac7b28eb5
(cherry picked from commit 05887f99c6ca6885db737af2f356023dc6de80a2)
Remove definition of TYPE_NATT and TYPE_TCP since the type
can be identified by checking message.obj is an instance of
NattKeepalivePacketData or TcpKeepalivePacketData.
It's more simple and won't have dependency on KeepaliveInfo.
Bug: 33530442
Test: atest FrameworksNetTests
atest NetworkStackTests
(Clean cherry-pick of aosp/955419)
Change-Id: Ic97ffe9ff5781778efd264460809f5059f0f4230
Merged-In: Ic97ffe9ff5781778efd264460809f5059f0f4230
In aosp/951200, the clean up function delete the item in the
hash map that holds the record while iterating it, where the
list used to iterate the records is backed by the hash map,
so changes to the map are reflected in the list and caused
the concurrent modification exception.
Bug: 132341736
Test: 1. atest com.android.server.ConnectivityServiceTest \
#testNattSocketKeepalives --generate-new-metrics 300
2. atest FrameworksNetTests --generate-new-metrics 10
(Clean cherry-pick of aosp/959599)
Change-Id: I9cdfe6f6d11c5400c856cc30a33ff4a44ba9d811
Merged-In: I0481a469ee23231e5f0ab738a06b5e09f6cdb680
In general, keepalive slots are released after result of
stopping has returned. However, for network disconnect case,
the service side cannot communicate with network agent since
the async channel is broken.
Clean up keepalive slots right after stop in this case.
Bug: 132341736
Test: 1. atest com.android.server.ConnectivityServiceTest \
#testNattSocketKeepalives --generate-new-metrics 100
2. atest FrameworksNetTests --generate-new-metrics 10
Change-Id: Id3e4e159713c0ed7e03f45169e87b73ae6408e4f
(cherry picked from commit a5f6bd16062fba89bcf900aca93aa3514d93f662)
Merged-In: Id3e4e159713c0ed7e03f45169e87b73ae6408e4f
Merged-In: Icb5a1b5bb10617aa5a7b35db6cf48db3dc53b7fd
Currntly, keepalive slot is released when stop() is called. Next
starting keepalive can use the same slot number while previous
keepalive is still stopping. When the previous keepalive is
stopped, the incoming as will be processed by the new keepalive.
This change release keepalive slot after the result of stopping
has returned. Thus, newly created keepalive cannot allocate the
same slot number while lower layer is still processing stop event.
This change also disable flaky assertions that are caused by
test port has been occupied by other process.
Bug: 129512753
Test: 1. atest com.android.server.ConnectivityServiceTest \
#testNattSocketKeepalives --generate-new-metrics 100
2. atest FrameworksNetTests --generate-new-metrics 10
3. simulate the fail case manually.
Change-Id: I790f6bbc5efc3f088034ac45ec379da5f781d0ca
Merged-In: I1991627545519ee5cb408a3df3a006f710f4af7b
(cherry picked from commit 3523a3d02a1f88a3990ab9cc4948c705ecc713c8)
Public APIs for creating unprivileged NATT socket keepalive
might allow users to exhaust resource if malicious apps try
to create keepalives with fd which is not created by
IpSecService through binder call. Thus, this change add
customizable limitation per uid to prevent resource exhaustion
attack.
Bug: 129371366
Bug: 132307230
Test: atest FrameworksNetTests
Clean cherry-pick of aosp/954040
Merged-In: Ibcb91105e46f7e898b8aa7c2babc3344ef2c6257
Merged-In: Ia667386c1a8949839871a6949d79552d9c8b88f0
Change-Id: I92f6d977b6dfde4e1bf74df6b60c9a0b9e8eec40
This change specifies the required minimum supported keepalives
in SDK, and allows OEMs to customize supported keepalive count
per network through resource overlay.
Bug: 129371366
Test: 1. m -j doc-comment-check-docs
2. atest FrameworksNetTests
Clean cherry-pick of aosp/946359
Change-Id: I06840834d0ee8121358bf4829fe47ecf9964d395
Merged-In: I0218f3674628c13ead63fc9a873895ba7f113033
Merged-In: Ia667386c1a8949839871a6949d79552d9c8b88f0
Currently, strict mode private DNS does not work on VPNs because
NetworkMonitor does not validate VPNs. When a VPN connects, it
immediately transitions to ValidatedState, skipping private DNS
hostname resolution.
This change makes NetworkMonitor perform private DNS hostname
resolution and evaluation even on VPNs.
In order to ensure that the system always immediately switches to
the VPN as soon as it connects, remove the unvalidated penalty
for VPN networks. This ensures that the VPN score is always 101
and the VPN always outscores other networks as soon as it
connects. Previously, it would only outscore other networks
when no-op validation completed.
Bug: 122652057
Test: atest FrameworksNetTests NetworkStackTests
Test: manually ran a VPN with private DNS in strict mode
atest android.net.cts.ConnectivityManagerTest com.android.cts.net.HostsideVpnTests
Change-Id: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
(cherry picked from commit 414b8c8b1ce8ae2ad6ef95c1ffba19062077d3e6)
