summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorUldiniad <olivercscott@gmail.com>2018-10-31 02:32:03 (GMT)
committerLuca Stefani <luca.stefani.ge1@gmail.com>2019-07-22 18:10:39 (GMT)
commit8c169086e60ce5c2fc039b6d146373b126edb355 (patch)
tree7ad70cbb432948914e54ced395b04e0560d25b4f
parent8a4810c7e65699a69a977f3c60d242dc376ba7f4 (diff)
downloadframeworks_base-8c169086e60ce5c2fc039b6d146373b126edb355.zip
frameworks_base-8c169086e60ce5c2fc039b6d146373b126edb355.tar.gz
frameworks_base-8c169086e60ce5c2fc039b6d146373b126edb355.tar.bz2
NetworkManagement : Add ability to restrict app vpn usage
Change-Id: Ia6bd0894f3298fe6fb5cca343cbfe025e3b88ee9
-rw-r--r--core/java/android/net/NetworkPolicyManager.java2
-rw-r--r--core/java/android/os/INetworkManagementService.aidl3
-rw-r--r--services/core/java/com/android/server/NetworkManagementService.java83
-rw-r--r--services/core/java/com/android/server/net/NetworkPolicyManagerService.java2
4 files changed, 83 insertions, 7 deletions
diff --git a/core/java/android/net/NetworkPolicyManager.java b/core/java/android/net/NetworkPolicyManager.java
index f291c67..64fef4c 100644
--- a/core/java/android/net/NetworkPolicyManager.java
+++ b/core/java/android/net/NetworkPolicyManager.java
@@ -56,6 +56,8 @@ public class NetworkPolicyManager {
public static final int POLICY_ALLOW_METERED_BACKGROUND = 0x4;
/** Reject application network traffic on cellular network */
public static final int POLICY_REJECT_ON_DATA = 0x10000;
+ /** Reject application network traffic on virtual private network */
+ public static final int POLICY_REJECT_ON_VPN = 0x20000;
/** Reject application network traffic on wifi network */
public static final int POLICY_REJECT_ON_WLAN = 0x8000;
diff --git a/core/java/android/os/INetworkManagementService.aidl b/core/java/android/os/INetworkManagementService.aidl
index 4851597..c5319d0 100644
--- a/core/java/android/os/INetworkManagementService.aidl
+++ b/core/java/android/os/INetworkManagementService.aidl
@@ -452,8 +452,9 @@ interface INetworkManagementService
boolean isNetworkRestricted(int uid);
/**
- * Restrict UID from accessing data/wifi
+ * Restrict UID from accessing mobile data/vpn/wifi
*/
void restrictAppOnData(int uid, boolean restrict);
+ void restrictAppOnVpn(int uid, boolean restrict);
void restrictAppOnWlan(int uid, boolean restrict);
}
diff --git a/services/core/java/com/android/server/NetworkManagementService.java b/services/core/java/com/android/server/NetworkManagementService.java
index 0383e04..b7d2b5b 100644
--- a/services/core/java/com/android/server/NetworkManagementService.java
+++ b/services/core/java/com/android/server/NetworkManagementService.java
@@ -67,6 +67,7 @@ import android.net.IpPrefix;
import android.net.LinkAddress;
import android.net.LinkProperties;
import android.net.Network;
+import android.net.NetworkCapabilities;
import android.net.NetworkPolicyManager;
import android.net.NetworkStats;
import android.net.NetworkUtils;
@@ -241,8 +242,10 @@ public class NetworkManagementService extends INetworkManagementService.Stub
private INetd mNetdService;
private String mDataInterfaceName;
+ private String mVpnInterfaceName;
private String mWlanInterfaceName;
private BroadcastReceiver mPendingDataRestrictReceiver;
+ private BroadcastReceiver mPendingVpnRestrictReceiver;
private IBatteryStats mBatteryStats;
@@ -280,6 +283,9 @@ public class NetworkManagementService extends INetworkManagementService.Stub
/** Set of UIDs blacklisted on cellular networks. */
@GuardedBy("mQuotaLock")
final SparseBooleanArray mDataBlacklist = new SparseBooleanArray();
+ /** Set of UIDs blacklisted on virtual private networks. */
+ @GuardedBy("mQuotaLock")
+ final SparseBooleanArray mVpnBlacklist = new SparseBooleanArray();
/** Set of UIDs blacklisted on WiFi networks. */
@GuardedBy("mQuotaLock")
final SparseBooleanArray mWlanBlacklist = new SparseBooleanArray();
@@ -341,6 +347,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
new RemoteCallbackList<>();
private boolean mNetworkActive;
private SparseBooleanArray mPendingRestrictOnData = new SparseBooleanArray();
+ private SparseBooleanArray mPendingRestrictOnVpn = new SparseBooleanArray();
/**
* Constructs a new NetworkManagementService instance
@@ -430,9 +437,19 @@ public class NetworkManagementService extends INetworkManagementService.Stub
processPendingDataRestrictRequests();
}
};
+ // Note: processPendingVpnRestrictRequests() will unregister
+ // mPendingVpnRestrictReceiver once it has been able to determine
+ // the vpn network interface name.
+ mPendingVpnRestrictReceiver = new BroadcastReceiver() {
+ @Override
+ public void onReceive(Context context, Intent intent) {
+ processPendingVpnRestrictRequests();
+ }
+ };
final IntentFilter filter = new IntentFilter();
filter.addAction(ConnectivityManager.CONNECTIVITY_ACTION);
mContext.registerReceiver(mPendingDataRestrictReceiver, filter);
+ mContext.registerReceiver(mPendingVpnRestrictReceiver, filter);
}
private IBatteryStats getBatteryStats() {
@@ -1839,8 +1856,37 @@ public class NetworkManagementService extends INetworkManagementService.Stub
try {
final String action = restrict ? "add" : "remove";
- mConnector.execute("bandwidth", action + "restrictappsondata",
- mDataInterfaceName, uid);
+ mConnector.execute("bandwidth", action + "restrictappsondata", mDataInterfaceName, uid);
+ } catch (NativeDaemonConnectorException e) {
+ throw e.rethrowAsParcelableException();
+ }
+ }
+
+ @Override
+ public void restrictAppOnVpn(int uid, boolean restrict) {
+ mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ // silently discard when control disabled
+ if (!mBandwidthControlEnabled) return;
+
+ initVpnInterface();
+ if (TextUtils.isEmpty(mVpnInterfaceName)) {
+ // We don't have an interface name since vpn is not active
+ // yet, so queue up the request for when it comes up alive
+ mPendingRestrictOnVpn.put(uid, restrict);
+ return;
+ }
+
+ synchronized (mQuotaLock) {
+ boolean oldValue = mVpnBlacklist.get(uid, false);
+ if (oldValue == restrict) {
+ return;
+ }
+ mVpnBlacklist.put(uid, restrict);
+ }
+
+ try {
+ final String action = restrict ? "add" : "remove";
+ mConnector.execute("bandwidth", action + "restrictappsonvpn", mVpnInterfaceName, uid);
} catch (NativeDaemonConnectorException e) {
throw e.rethrowAsParcelableException();
}
@@ -1880,12 +1926,27 @@ public class NetworkManagementService extends INetworkManagementService.Stub
}
int count = mPendingRestrictOnData.size();
for (int i = 0; i < count; i++) {
- restrictAppOnData(mPendingRestrictOnData.keyAt(i),
- mPendingRestrictOnData.valueAt(i));
+ restrictAppOnData(mPendingRestrictOnData.keyAt(i), mPendingRestrictOnData.valueAt(i));
}
mPendingRestrictOnData.clear();
}
+ private void processPendingVpnRestrictRequests() {
+ initVpnInterface();
+ if (TextUtils.isEmpty(mVpnInterfaceName)) {
+ return;
+ }
+ if (mPendingVpnRestrictReceiver != null) {
+ mContext.unregisterReceiver(mPendingVpnRestrictReceiver);
+ mPendingVpnRestrictReceiver = null;
+ }
+ int count = mPendingRestrictOnVpn.size();
+ for (int i = 0; i < count; i++) {
+ restrictAppOnVpn(mPendingRestrictOnVpn.keyAt(i), mPendingRestrictOnVpn.valueAt(i));
+ }
+ mPendingRestrictOnVpn.clear();
+ }
+
@Override
public void setAllowOnlyVpnForUids(boolean add, UidRange[] uidRanges)
throws ServiceSpecificException {
@@ -2841,14 +2902,24 @@ public class NetworkManagementService extends INetworkManagementService.Stub
if (!TextUtils.isEmpty(mDataInterfaceName)) {
return;
}
- ConnectivityManager cm = (ConnectivityManager) mContext.getSystemService(
- Context.CONNECTIVITY_SERVICE);
+ ConnectivityManager cm = mContext.getSystemService(ConnectivityManager.class);
LinkProperties linkProperties = cm.getLinkProperties(ConnectivityManager.TYPE_MOBILE);
if (linkProperties != null) {
mDataInterfaceName = linkProperties.getInterfaceName();
}
}
+ private void initVpnInterface() {
+ if (!TextUtils.isEmpty(mVpnInterfaceName)) {
+ return;
+ }
+ ConnectivityManager cm = mContext.getSystemService(ConnectivityManager.class);
+ LinkProperties linkProperties = cm.getLinkProperties(ConnectivityManager.TYPE_VPN);
+ if (linkProperties != null) {
+ mVpnInterfaceName = linkProperties.getInterfaceName();
+ }
+ }
+
@VisibleForTesting
class LocalService extends NetworkManagementInternal {
@Override
diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
index db33bd8..fee9a42 100644
--- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
@@ -57,6 +57,7 @@ import static android.net.NetworkPolicyManager.POLICY_ALLOW_METERED_BACKGROUND;
import static android.net.NetworkPolicyManager.POLICY_NONE;
import static android.net.NetworkPolicyManager.POLICY_REJECT_METERED_BACKGROUND;
import static android.net.NetworkPolicyManager.POLICY_REJECT_ON_DATA;
+import static android.net.NetworkPolicyManager.POLICY_REJECT_ON_VPN;
import static android.net.NetworkPolicyManager.POLICY_REJECT_ON_WLAN;
import static android.net.NetworkPolicyManager.RULE_ALLOW_ALL;
import static android.net.NetworkPolicyManager.RULE_ALLOW_METERED;
@@ -3995,6 +3996,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
try {
mNetworkManager.restrictAppOnData(uid, (uidPolicy & POLICY_REJECT_ON_DATA) != 0);
+ mNetworkManager.restrictAppOnVpn(uid, (uidPolicy & POLICY_REJECT_ON_VPN) != 0);
mNetworkManager.restrictAppOnWlan(uid, (uidPolicy & POLICY_REJECT_ON_WLAN) != 0);
} catch (RemoteException e) {
// ignored; service lives in system_server