authorErik Kline <ek@google.com>2017-05-25 17:03:31 +0900
committerErik Kline <ek@google.com>2017-05-26 17:16:47 +0900
commit6d4669fa924315139f3636368c6623209fbfc3ea (patch)
treeea135c99cd37d7d7ff7d53363813150d86817a74 /server/NetworkController.cpp
parent98d8c08b8c55748735c2ff8ccbf7ad01a8f6e882 (diff)
Only set protectFromVpn if explicitlySelected is also true.
When a secure VPN is up, setting protectFromVpn=1 and explicitlySelected=0 causes the probe routing lookups used by _have_ipv4 and _have_ipv6 to skip the VPN rule, instead selecting the default network. This means that the address families for which we query DNS records are determined by the address families of the default network, not those of the VPN. If explicitlySelected==true, setting protectFromVpn=true (if the app can protect its sockets) results in querying the address families from the specified network, which is correct. Test: as follows - built - flashed - booted - runtest -x netd_integration_test.cpp passes - testing per bug discussion Bug: 37131664 Bug: 37347238 Change-Id: I7cf322a047494fd70c3c4d8862d53d6a6dac66de
Diffstat (limited to 'server/NetworkController.cpp')
-rw-r--r--server/NetworkController.cpp9
1 files changed, 8 insertions, 1 deletions
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 8e4c69dfd..b90976b6b 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -47,6 +47,8 @@
#include "RouteController.h"
#include "VirtualNetwork.h"
+#define DBG 0
+
namespace android {
namespace net {
@@ -287,12 +289,17 @@ void NetworkController::getNetworkContext(
Fwmark fwmark;
fwmark.netId = nc.app_netid;
fwmark.explicitlySelected = explicitlySelected;
- fwmark.protectedFromVpn = canProtect(uid);
+ fwmark.protectedFromVpn = explicitlySelected && canProtect(uid);
fwmark.permission = getPermissionForUser(uid);
nc.app_mark = fwmark.intValue;
nc.dns_mark = getNetworkForDns(&(nc.dns_netid), uid);
+ if (DBG) {
+ ALOGD("app_netid:0x%x app_mark:0x%x dns_netid:0x%x dns_mark:0x%x uid:%d",
+ nc.app_netid, nc.app_mark, nc.dns_netid, nc.dns_mark, uid);
+ }
+
if (netcontext) {
*netcontext = nc;
}
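Review bot: The new assignment `fwmark.protectedFromVpn = explicitlySelected && canProtect(uid);` has no comment, so the reason the VPN-bypass bit is gated on explicit selection is recorded only in the commit message. Because this bit decides whether a lookup may skip the VPN routing rule, I would state the invariant at the assignment, e.g. `// Only mark as protected from the VPN when the caller explicitly selected a network; otherwise lookups must follow the VPN rule.` The derivation of `explicitlySelected` lies outside this hunk, so it is worth confirming there that it is true only for a netId the caller actually requested. Separately, the debug line prints `uid` with `%d`; if `uid` is the unsigned `uid_t` (its declaration is not visible here), `%u` would match the type.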