Merge "Add MANAGE_IPSEC_TUNNELS Permission" into pi-dev

am: 0205fd1064 Change-Id: I7f1c987901c3634fb81d93402d5cb0af80fff11e
2018-03-23 01:57:41 +00:00
parent f2e9567dbf 0205fd1064
commit 4ca771aa5c
4 changed files with 15 additions and 5 deletions
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -100,6 +100,7 @@ package android {
    field public static final java.lang.String MANAGE_CARRIER_OEM_UNLOCK_STATE = "android.permission.MANAGE_CARRIER_OEM_UNLOCK_STATE";
    field public static final java.lang.String MANAGE_CA_CERTIFICATES = "android.permission.MANAGE_CA_CERTIFICATES";
    field public static final java.lang.String MANAGE_DEVICE_ADMINS = "android.permission.MANAGE_DEVICE_ADMINS";
+    field public static final java.lang.String MANAGE_IPSEC_TUNNELS = "android.permission.MANAGE_IPSEC_TUNNELS";
    field public static final java.lang.String MANAGE_SOUND_TRIGGER = "android.permission.MANAGE_SOUND_TRIGGER";
    field public static final java.lang.String MANAGE_SUBSCRIPTION_PLANS = "android.permission.MANAGE_SUBSCRIPTION_PLANS";
    field public static final java.lang.String MANAGE_USB = "android.permission.MANAGE_USB";
--- a/core/java/android/net/IpSecManager.java
+++ b/core/java/android/net/IpSecManager.java
@@ -658,6 +658,7 @@ public final class IpSecManager {
         * @hide
         */
        @SystemApi
+        @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
        public void addAddress(@NonNull LinkAddress address) throws IOException {
            try {
                mService.addAddressToTunnelInterface(mResourceId, address);
@@ -675,6 +676,7 @@ public final class IpSecManager {
         * @hide
         */
        @SystemApi
+        @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
        public void removeAddress(@NonNull LinkAddress address) throws IOException {
            try {
                mService.removeAddressFromTunnelInterface(mResourceId, address);
@@ -768,7 +770,7 @@ public final class IpSecManager {
     */
    @SystemApi
    @NonNull
-    @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
+    @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
    public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress,
            @NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork)
            throws ResourceUnavailableException, IOException {
@@ -793,7 +795,7 @@ public final class IpSecManager {
     * @hide
     */
    @SystemApi
-    @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
+    @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
    public void applyTunnelModeTransform(@NonNull IpSecTunnelInterface tunnel,
            @PolicyDirection int direction, @NonNull IpSecTransform transform) throws IOException {
        try {
--- a/core/java/android/net/IpSecTransform.java
+++ b/core/java/android/net/IpSecTransform.java
@@ -282,7 +282,7 @@ public final class IpSecTransform implements AutoCloseable {
     */
    @SystemApi
    @RequiresPermission(anyOf = {
-            android.Manifest.permission.NETWORK_STACK,
+            android.Manifest.permission.MANAGE_IPSEC_TUNNELS,
            android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
    })
    public void startNattKeepalive(@NonNull NattKeepaliveCallback userCallback,
@@ -325,7 +325,7 @@ public final class IpSecTransform implements AutoCloseable {
     */
    @SystemApi
    @RequiresPermission(anyOf = {
-            android.Manifest.permission.NETWORK_STACK,
+            android.Manifest.permission.MANAGE_IPSEC_TUNNELS,
            android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
    })
    public void stopNattKeepalive() {
@@ -478,7 +478,7 @@ public final class IpSecTransform implements AutoCloseable {
         */
        @SystemApi
        @NonNull
-        @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
+        @RequiresPermission(android.Manifest.permission.MANAGE_IPSEC_TUNNELS)
        public IpSecTransform buildTunnelModeTransform(
                @NonNull InetAddress sourceAddress,
                @NonNull IpSecManager.SecurityParameterIndex spi)
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1341,6 +1341,13 @@
        android:label="@string/permlab_changeWifiState"
        android:protectionLevel="normal" />

+    <!-- @SystemApi @hide Allows apps to create and manage IPsec tunnels.
+         <p>Only granted to applications that are currently bound by the
+         system for creating and managing IPsec-based interfaces.
+    -->
+    <permission android:name="android.permission.MANAGE_IPSEC_TUNNELS"
+        android:protectionLevel="signature|appop" />
+
    <!-- @SystemApi @hide Allows applications to read Wi-Fi credential.
         <p>Not for use by third-party applications. -->
    <permission android:name="android.permission.READ_WIFI_CREDENTIAL"