
Merge "Whitelist packages from VPN lockdown: DPM API." into pi-dev-plus-aosp
authorPavel Grafov <pgrafov@google.com>
Tue, 29 Jan 2019 22:13:19 +0000 (14:13 -0800)
committerandroid-build-merger <android-build-merger@google.com>
Tue, 29 Jan 2019 22:13:19 +0000 (14:13 -0800)
am: 299f825678

Change-Id: I3deb4a865e109e2b2e67dc7d8ffc775747f34303

api/current.txt
core/java/android/app/admin/DevicePolicyManager.java
core/java/android/app/admin/IDevicePolicyManager.aidl
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

diff --cc api/current.txt
index fa147db,6d9c3c7..9cd496c
mode 100644,100755..100644
@@@ -6316,20 -5890,25 +6321,32 @@@ public class DevicePolicyManagerServic
          final long token = mInjector.binderClearCallingIdentity();
          try {
              if (vpnPackage != null && !isPackageInstalledForUser(vpnPackage, userId)) {
-                 return false;
+                 Slog.w(LOG_TAG, "Non-existent VPN package specified: " + vpnPackage);
+                 throw new ServiceSpecificException(
+                         DevicePolicyManager.ERROR_VPN_PACKAGE_NOT_FOUND, vpnPackage);
+             }
+             if (vpnPackage != null && lockdown && lockdownWhitelist != null) {
+                 for (String packageName : lockdownWhitelist) {
+                     if (!isPackageInstalledForUser(packageName, userId)) {
+                         Slog.w(LOG_TAG, "Non-existent package in VPN whitelist: " + packageName);
+                         throw new ServiceSpecificException(
+                                 DevicePolicyManager.ERROR_VPN_PACKAGE_NOT_FOUND, packageName);
+                     }
+                 }
              }
-             ConnectivityManager connectivityManager = (ConnectivityManager)
-                     mContext.getSystemService(Context.CONNECTIVITY_SERVICE);
-             if (!connectivityManager.setAlwaysOnVpnPackageForUser(userId, vpnPackage, lockdown)) {
+             // If some package is uninstalled after the check above, it will be ignored by CM.
+             if (!mInjector.getConnectivityManager().setAlwaysOnVpnPackageForUser(
+                     userId, vpnPackage, lockdown, lockdownWhitelist)) {
                  throw new UnsupportedOperationException();
              }
 +            DevicePolicyEventLogger
 +                    .createEvent(DevicePolicyEnums.SET_ALWAYS_ON_VPN_PACKAGE)
 +                    .setAdmin(admin)
 +                    .setStrings(vpnPackage)
 +                    .setBoolean(lockdown)
 +                    .setInt(/* number of vpn packages */ 0)
 +                    .write();
          } finally {
              mInjector.binderRestoreCallingIdentity(token);
          }
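Review bot: The merged event log at `.setInt(/* number of vpn packages */ 0)` still writes a constant 0 although `lockdownWhitelist` is now in scope, so the SET_ALWAYS_ON_VPN_PACKAGE event does not show that any packages were exempted from lockdown. Whitelisted packages are excluded from VPN lockdown, so the count is worth recording: assuming `lockdownWhitelist` is a `List<String>` (its declaration is outside the hunk), use `.setInt(lockdownWhitelist != null ? lockdownWhitelist.size() : 0)`. Separately, the install check on the whitelist runs only when `lockdown` is true and `vpnPackage` is non-null, yet the list is passed to `setAlwaysOnVpnPackageForUser` unconditionally. If ConnectivityManager ignores the list in those cases, a one-line comment saying so would make the skipped validation clearly intentional. The enclosing method starts before this hunk.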
  
      @Override
      public void setRecommendedGlobalProxy(ComponentName who, ProxyInfo proxyInfo) {
 -        synchronized (getLockObject()) {
 -            getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_DEVICE_OWNER);
 -        }
 +        enforceDeviceOwner(who);
          long token = mInjector.binderClearCallingIdentity();
          try {
-             ConnectivityManager connectivityManager = (ConnectivityManager)
-                     mContext.getSystemService(Context.CONNECTIVITY_SERVICE);
-             connectivityManager.setGlobalProxy(proxyInfo);
+             mInjector.getConnectivityManager().setGlobalProxy(proxyInfo);
          } finally {
              mInjector.binderRestoreCallingIdentity(token);
          }