From 6c13b4e0f475c853c0a02098ad8e3510159cd0c3 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 24 Apr 2019 22:51:49 +0900
Subject: [PATCH] Add privapp permissions to network modules.

When built as part of the system, the network stack and the
captive portal login app should have the BYPASS_PRIVATE_DNS
and CONNECTIVITY_USE_RESTRICTED_NETWORKS permissions.
These are necessary to validate restricted networks, bypass VPNs,
bypass private DNS for captive portal login, etc. Add these
permissions to privapp-permissions-platform.xml.

When installed as mainline modules that cannot use signature
permissions, the modules get this ability by virtue of having the
MAINLINE_NETWORK_STACK permissions.

Additionally, add the CONNECTIVITY_USE_RESTRICTED_NETWORKS
permission to the captive portal login app manifest, which did
not contain it.

Bug: 129789428
Test: builds, boots
Test: dumpsys package shows permissions
Change-Id: I632359f7eff09fed71167733ac75824a5aa57894
---
 data/etc/privapp-permissions-platform.xml       | 6 ++++++
 packages/CaptivePortalLogin/AndroidManifest.xml | 1 +
 2 files changed, 7 insertions(+)

diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml
index 28099a16cda56..37a2a87a44bc2 100644
--- a/data/etc/privapp-permissions-platform.xml
+++ b/data/etc/privapp-permissions-platform.xml
@@ -33,6 +33,11 @@ applications that come with the platform
         <permission name="android.permission.CRYPT_KEEPER"/>
     </privapp-permissions>
 
+    <privapp-permissions package="com.android.captiveportallogin">
+        <permission name="android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS"/>
+        <permission name="android.permission.NETWORK_BYPASS_PRIVATE_DNS"/>
+    </privapp-permissions>
+
     <privapp-permissions package="com.android.cellbroadcastreceiver">
         <permission name="android.permission.INTERACT_ACROSS_USERS"/>
         <permission name="android.permission.MANAGE_USERS"/>
@@ -203,6 +208,7 @@ applications that come with the platform
         <permission name="android.permission.LOCAL_MAC_ADDRESS"/>
         <permission name="android.permission.MANAGE_SUBSCRIPTION_PLANS"/>
         <permission name="android.permission.MANAGE_USB"/>
+        <permission name="android.permission.NETWORK_BYPASS_PRIVATE_DNS"/>
         <permission name="android.permission.PACKET_KEEPALIVE_OFFLOAD"/>
         <permission name="android.permission.READ_NETWORK_USAGE_HISTORY"/>
         <permission name="android.permission.READ_PRECISE_PHONE_STATE"/>
diff --git a/packages/CaptivePortalLogin/AndroidManifest.xml b/packages/CaptivePortalLogin/AndroidManifest.xml
index 44e0a659212a7..ffd4d9d9acc6d 100644
--- a/packages/CaptivePortalLogin/AndroidManifest.xml
+++ b/packages/CaptivePortalLogin/AndroidManifest.xml
@@ -26,6 +26,7 @@
     <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
     <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
     <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
+    <uses-permission android:name="android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS" />
     <uses-permission android:name="android.permission.NETWORK_BYPASS_PRIVATE_DNS" />
     <uses-permission android:name="android.permission.MAINLINE_NETWORK_STACK" />