am: 5fd9ef13f2 -s ours
am skip reason: change_id Ic2faef44831575b2d03bc00ef2553d5c549adc95 with SHA1 07ad31c3ec is in history
Change-Id: I4775263c2f422a9738812b02be61e2af95e9c472
* changes:
Reinstate new VPN uid filtering unit tests
Revert new tests and PackageManager mock
Block incoming non-VPN packets to apps under fully-routed VPN
am: e1754842b8 -s ours
am skip reason: change_id I6dc9029af0df0d3b391210bd315516bdf1b5e4c9 with SHA1 7f38159e5b is in history
Change-Id: Ie9bfef68a5c78272d4c7b31e9427ba2f5c57d056
am: 9ba0569882 -s ours
am skip reason: change_id I6dc9029af0df0d3b391210bd315516bdf1b5e4c9 with SHA1 7f38159e5b is in history
Change-Id: Ic26258dd1ef7a0f3c7c802d764f83a272c3d519f
Mock out PackageManager and returns correct information corresponding
to the test app package itself.
Test: atest --generate-new-metrics 10 com.android.server.ConnectivityServiceTest
Bug: 114231106
Bug: 130397860
Merged-In: Ic2faef44831575b2d03bc00ef2553d5c549adc95
Change-Id: Ic2faef44831575b2d03bc00ef2553d5c549adc95
(cherry picked from commit 4469b1d8a543613d91a58a88488fd2022a0696b9)
rethrowFromSystemServer is throwing DeadSystemException which
is different from the original log message. Thus, update the
way to rethrow the same RemoteException.
Bug: 130028724
Test: atest FrameworksNetTest
Test: Kill NetworkStack and check the log message
Change-Id: I60862e276dd4e2d143278b272a9ba54219acce26
A mocked PackageManager caused test failures in existing tests.
Revert that for now to make tests pass again.
Bug: 114231106
Bug: 130397860
Test: atest FrameworksNetTests
Merged-In: Ib59e211d4329f885108de9ea0a74669ffb144e17
(cherry picked from commit c18f4b5f6f)
Change-Id: I603a0b0dfb67a942679a668c182aa650774c80b2
When a fully-routed VPN is running, we want to prevent normal apps
under the VPN from receiving packets originating from any local non-VPN
interfaces. This is achieved by using eBPF to create a per-UID input
interface whitelist and populate the whitelist such that all
non-bypassable apps under a VPN can only receive packets from the VPN's
TUN interface (and loopback implicitly)
This is the framework part of the change that build the whitelist.
The whitelist needs to be updated in the following cases:
* When a VPN is connected and disconnected
This will cover the change to allowBypass bit, since that can't be
changed without reconnecting.
* When a VPN's NetworkCapabilites is changed (whitelist/blacklist app changes)
* When a new app is installed
* When an existing app is removed
* When a VPN becomes fully-routed or is no longer fully-routed
New user/profile creation will automatically result in a whitelist app change
transition so it doesn't need to be handled specially here.
Due to the limitation of the kernel IPSec interacting with eBPF (sk_buf->ifindex
does not point to the virtual tunnel interface for kernel IPSec), the whitelist
will only apply to app VPNs but not legacy VPN connections, to prevent breaking
connectivity with kernel IPSec entirely.
Test: atest PermissionMonitorTest
Test: atest android.net.RouteInfoTest
Test: atest com.android.server.ConnectivityServiceTest
Test: atest HostsideVpnTests
Bug: 114231106
Merged-In: I5af81bc80dadd086261ba4b1eb706cc873bb7cfa
Change-Id: I5af81bc80dadd086261ba4b1eb706cc873bb7cfa
(cherry picked from commit c81642f1a1)
Mock out PackageManager and returns correct information corresponding
to the test app package itself.
Test: atest --generate-new-metrics 10 com.android.server.ConnectivityServiceTest
Bug: 114231106
Bug: 130397860
Change-Id: Ib921700eda417f411d7a2c77c1140fba9ab50bbb
am: c2f1cc8b8e -s ours
am skip reason: change_id Ideabe73fc93bbefca2d624ee9ca190cf31419424 with SHA1 e72fe2bc46 is in history
Change-Id: I39438b1a3204aa82550ac83117a96f7549d19e42
This freezes the interface as of the latest beta build, not the tip of
tree. IIpClient#setL2KeyAndGroupHint is not in the frozen definition in
particular.
Generated with:
m networkstack-aidl-interfaces-freeze-api \
ipmemorystore-aidl-interfaces-freeze-api
Test: flashed, booted, WiFi and captive portal working
Bug: 128803828
Change-Id: Ideabe73fc93bbefca2d624ee9ca190cf31419424
Merged-In: Ideabe73fc93bbefca2d624ee9ca190cf31419424
(cherry picked from commit 9b89cdaaf401a6b77e160807039c06e537fa600a)
am: 587d6cb141 -s ours
am skip reason: change_id I0fc408d546ae9d72b7dd9415e502252b484d4329 with SHA1 fe8c062223 is in history
Change-Id: I5ebe636715e8cf1ea5e42d12236c1f5fa07c38d0
This freezes the interface as of the latest beta build, not the tip of
tree. IIpClient#setL2KeyAndGroupHint is not in the frozen definition in
particular.
Generated with:
m networkstack-aidl-interfaces-freeze-api \
ipmemorystore-aidl-interfaces-freeze-api
Test: flashed, booted, WiFi and captive portal working
Bug: 128803828
Change-Id: Ideabe73fc93bbefca2d624ee9ca190cf31419424
Since socket keepalive APIs for UDP encapsulation sockets are
public to generic app. In order to ensure the given fd is valid,
this change verifies the resource id inside the UDP
encapsulation socket by using methods provided by IpSecService.
Bug: 125517194
Fix: 123968920
Test: 1. atest FrameworksNetTests --generate-new-metrics 10
2. atestcom.android.server.ConnectivityServiceTest \
#testNattSocketKeepalives --generate-new-metrics 100
Change-Id: I408aacc19b364683854d15a095c34e72389a6e5b
Test: new test for this
Fixes: 62650382
Change-Id: I918b8271d3c3c058553ca888cb54cd36a6efba66
Merged-In: I0fc408d546ae9d72b7dd9415e502252b484d4329
Merged-In: I9282930106d1eee3274d9e5c4e89de60e929a0e6
am: 30096e070d -s ours
am skip reason: change_id Id24e7f0558b5643e4ad7393e85f1f0a2bd875615 with SHA1 dc2d592e68 is in history
Change-Id: Ib3f66d33a54be4216c098e2cde2023ece3fbf41e
