diff options
| author | Bernie Innocenti <codewiz@google.com> | 2018-05-28 22:04:37 +0900 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-08-01 21:32:15 +0000 |
| commit | b9d3f2349cb507b7469c016e42b9412eed7e907c (patch) | |
| tree | 0b53efbe99ca0378f46f98c01b243d27b15dc5c9 | |
| parent | 27a24c0a4882780e20981c286428b43ee7b4ac8c (diff) | |
| download | base-b9d3f2349cb507b7469c016e42b9412eed7e907c.tar.gz | |
vpn: allow IPSec traffic through Always-on VPN
This won't leak any traffic outside the VPN as long as there are no
processes owned by uid 0 which generate network traffic (which is
currently the case).
Bug: 69873852
Test: compared the output of 'adb shell ip rule show' before and after
Test: runtest -x frameworks/base/tests/net/java/com/android/server/connectivity/VpnTest.java
Test: local CTS tests run: android.net.cts.VpnServiceTest
Test: local CTS tests run: com.android.cts.devicepolicy.MixedDeviceOwnerTest
Change-Id: I8758e576c9d961d73f62bfcf0559dd7ecee6e8e6
Merged-In: I8758e576c9d961d73f62bfcf0559dd7ecee6e8e6
Merged-In: I1f9b78c8f828ec2df7aba71b39d62be0c4db2550
Merged-In: I8edeb0942e661c8385ff0cd3fdb72e6f62a8f218
(cherry picked from commit 00000fe55a4729f8339afdc7eab5c970b2549813)
(cherry picked from commit ae07a6bf53cc9650039c4f2918baf58d522b49f9)
| -rw-r--r-- | services/core/java/com/android/server/connectivity/Vpn.java | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java index b77c1443e850..2a80f0e7c291 100644 --- a/services/core/java/com/android/server/connectivity/Vpn.java +++ b/services/core/java/com/android/server/connectivity/Vpn.java @@ -100,8 +100,6 @@ import com.android.server.DeviceIdleController; import com.android.server.LocalServices; import com.android.server.net.BaseNetworkObserver; -import libcore.io.IoUtils; - import java.io.File; import java.io.IOException; import java.io.InputStream; @@ -123,6 +121,8 @@ import java.util.SortedSet; import java.util.TreeSet; import java.util.concurrent.atomic.AtomicInteger; +import libcore.io.IoUtils; + /** * @hide */ @@ -1327,6 +1327,18 @@ public class Vpn { /* allowedApplications */ null, /* disallowedApplications */ exemptedPackages); + // The UID range of the first user (0-99999) would block the IPSec traffic, which comes + // directly from the kernel and is marked as uid=0. So we adjust the range to allow + // it through (b/69873852). + for (UidRange range : addedRanges) { + if (range.start == 0) { + addedRanges.remove(range); + if (range.stop != 0) { + addedRanges.add(new UidRange(1, range.stop)); + } + } + } + removedRanges.removeAll(addedRanges); addedRanges.removeAll(mBlockedUsers); } |