OSDN Git Service

vpn: allow IPSec traffic through Always-on VPN
author Bernie Innocenti <codewiz@google.com>
Mon, 28 May 2018 13:04:37 +0000 (22:04 +0900)
committer android-build-team Robot <android-build-team-robot@google.com>
Fri, 3 Aug 2018 19:06:54 +0000 (19:06 +0000)
This won't leak any traffic outside the VPN as long as there are no
processes owned by uid 0 which generate network traffic (which is
currently the case).

Bug: 69873852
Test: compared the output of 'adb shell ip rule show' before and after
Test: runtest -x frameworks/base/tests/net/java/com/android/server/connectivity/VpnTest.java
Test: local CTS tests run: android.net.cts.VpnServiceTest
Test: local CTS tests run: com.android.cts.devicepolicy.MixedDeviceOwnerTest
Change-Id: I8758e576c9d961d73f62bfcf0559dd7ecee6e8e6
Merged-In: I8758e576c9d961d73f62bfcf0559dd7ecee6e8e6
Merged-In: I1f9b78c8f828ec2df7aba71b39d62be0c4db2550
Merged-In: I8edeb0942e661c8385ff0cd3fdb72e6f62a8f218
(cherry picked from commit 00000fe55a4729f8339afdc7eab5c970b2549813)
(cherry picked from commit ef2910dc709d698b6476e8d462c608d04c784a26)

services/core/java/com/android/server/connectivity/Vpn.java

index 56cff7c..d51e1f7 100644
@@ -94,8 +94,6 @@ import com.android.server.DeviceIdleController;
 import com.android.server.LocalServices;
 import com.android.server.net.BaseNetworkObserver;
 
-import libcore.io.IoUtils;
-
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -114,6 +112,8 @@ import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import libcore.io.IoUtils;
+
 /**
  * @hide
  */
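Review bot: the relocation of `import libcore.io.IoUtils;` in this hunk and the preceding one is an import-ordering change unrelated to the IPSec fix and not mentioned in the commit message; it is harmless if it brings the file in line with the project's import grouping (android/com.android before java/libcore), but it would be cleaner as its own change so the functional diff stays reviewable.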
@@ -1184,6 +1184,18 @@ public class Vpn {
                     /* allowedApplications */ null,
                     /* disallowedApplications */ exemptedPackages);
 
+            // The UID range of the first user (0-99999) would block the IPSec traffic, which comes
+            // directly from the kernel and is marked as uid=0. So we adjust the range to allow
+            // it through (b/69873852).
+            for (UidRange range : addedRanges) {
+                if (range.start == 0) {
+                    addedRanges.remove(range);
+                    if (range.stop != 0) {
+                        addedRanges.add(new UidRange(1, range.stop));
+                    }
+                }
+            }
+
             removedRanges.removeAll(addedRanges);
             addedRanges.removeAll(mBlockedUsers);
         }
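Review bot: the loop at `for (UidRange range : addedRanges)` structurally modifies the collection it is iterating (`addedRanges.remove(range)` followed by `addedRanges.add(new UidRange(1, range.stop))`); with a fail-fast `Set` implementation that is a `ConcurrentModificationException`, and with a non-fail-fast one the iteration order and which elements get visited become implementation-defined. Collect the range to replace during the loop and apply the remove/add after it, or iterate over a copy (`new ArrayList<>(addedRanges)`). Two further points worth confirming: `removedRanges.removeAll(addedRanges)` on the next line now compares against the adjusted `(1, stop)` range, so a previously applied `(0, stop)` range in `removedRanges` will no longer cancel out unless `removedRanges` is built with the same adjustment; and the code comment should state the security assumption the commit message makes explicit, namely that excluding uid 0 from the VPN range lets any root-owned process bypass the Always-on VPN, so that the exemption is revisited if that assumption changes.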