Drop PROHIBIT_NON_VPN priority 11500 -> 12500

[android-x86/system-netd.git] / server / VirtualNetwork.h

diff --git a/server/VirtualNetwork.h b/server/VirtualNetwork.h
index 92a1b0e..1a6a136 100644 (file)
--- a/server/VirtualNetwork.h
+++ b/server/VirtualNetwork.h
@@ -17,26 +17,41 @@
 #ifndef NETD_SERVER_VIRTUAL_NETWORK_H
 #define NETD_SERVER_VIRTUAL_NETWORK_H
 
+#include <set>
+
 #include "Network.h"
 #include "UidRanges.h"
 
+// A VirtualNetwork may be "secure" or not.
+//
+// A secure VPN is the usual type of VPN that grabs the default route (and thus all user traffic).
+// Only a few privileged UIDs may skip the VPN and go directly to the underlying physical network.
+//
+// A non-secure VPN ("bypassable" VPN) also grabs all user traffic by default. But all apps are
+// permitted to skip it and pick any other network for their connections.
 class VirtualNetwork : public Network {
 public:
-    VirtualNetwork(unsigned netId, bool hasDns);
+    VirtualNetwork(unsigned netId, bool hasDns, bool secure);
     virtual ~VirtualNetwork();
 
     bool getHasDns() const;
+    bool isSecure() const;
     bool appliesToUser(uid_t uid) const;
 
-    int addUsers(const UidRanges& uidRanges) WARN_UNUSED_RESULT;
-    int removeUsers(const UidRanges& uidRanges) WARN_UNUSED_RESULT;
+    int addUsers(const UidRanges& uidRanges,
+                 const std::set<uid_t>& protectableUsers) WARN_UNUSED_RESULT;
+    int removeUsers(const UidRanges& uidRanges,
+                    const std::set<uid_t>& protectableUsers) WARN_UNUSED_RESULT;
 
 private:
     Type getType() const override;
     int addInterface(const std::string& interface) override WARN_UNUSED_RESULT;
     int removeInterface(const std::string& interface) override WARN_UNUSED_RESULT;
+    int maybeCloseSockets(bool add, const UidRanges& uidRanges,
+                          const std::set<uid_t>& protectableUsers);
 
     const bool mHasDns;
+    const bool mSecure;
     UidRanges mUidRanges;
 };