Merge "Whitelist packages from VPN lockdown: DPM API."

am: c9d834e3f5

Change-Id: I5723a0970a0e37995c9db6e42ae527b8692bc48a
Pavel Grafov
2019-01-29 17:41:49 -08:00
committed by android-build-merger
4 changed files with 154 additions and 24 deletions


@@ -4463,12 +4463,17 @@ public class DevicePolicyManager {
return null;
}
/**
* Service-specific error code used in implementation of {@code setAlwaysOnVpnPackage} methods.
* @hide
*/
public static final int ERROR_VPN_PACKAGE_NOT_FOUND = 1;
/**
* Called by a device or profile owner to configure an always-on VPN connection through a
* specific application for the current user. This connection is automatically granted and
* persisted after a reboot.
* <p>
* To support the always-on feature, an app must
* <p> To support the always-on feature, an app must
* <ul>
* <li>declare a {@link android.net.VpnService} in its manifest, guarded by
* {@link android.Manifest.permission#BIND_VPN_SERVICE};</li>
@@ -4477,25 +4482,61 @@ public class DevicePolicyManager {
* {@link android.net.VpnService#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON}.</li>
* </ul>
* The call will fail if called with the package name of an unsupported VPN app.
* <p> Enabling lockdown via {@code lockdownEnabled} argument carries the risk that any failure
* of the VPN provider could break networking for all apps.
*
* @param vpnPackage The package name for an installed VPN app on the device, or {@code null} to
* remove an existing always-on VPN configuration.
* @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
* {@code false} otherwise. This carries the risk that any failure of the VPN provider
* could break networking for all apps. This has no effect when clearing.
* {@code false} otherwise. This has no effect when clearing.
* @throws SecurityException if {@code admin} is not a device or a profile owner.
* @throws NameNotFoundException if {@code vpnPackage} is not installed.
* @throws UnsupportedOperationException if {@code vpnPackage} exists but does not support being
* set as always-on, or if always-on VPN is not available.
* @see #setAlwaysOnVpnPackage(ComponentName, String, boolean, List)
*/
public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage,
boolean lockdownEnabled)
throws NameNotFoundException, UnsupportedOperationException {
boolean lockdownEnabled) throws NameNotFoundException {
setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled, Collections.emptyList());
}
/**
* A version of {@link #setAlwaysOnVpnPackage(ComponentName, String, boolean)} that allows the
* admin to specify a set of apps that should be able to access the network directly when VPN
* is not connected. When VPN connects these apps switch over to VPN if allowed to use that VPN.
* System apps can always bypass VPN.
* <p> Note that the system doesn't update the whitelist when packages are installed or
* uninstalled, the admin app must call this method to keep the list up to date.
*
* @param vpnPackage package name for an installed VPN app on the device, or {@code null}
* to remove an existing always-on VPN configuration
* @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
* {@code false} otherwise. This has no effect when clearing.
* @param lockdownWhitelist Packages that will be able to access the network directly when VPN
* is in lockdown mode but not connected. Has no effect when clearing.
* @throws SecurityException if {@code admin} is not a device or a profile
* owner.
* @throws NameNotFoundException if {@code vpnPackage} or one of
* {@code lockdownWhitelist} is not installed.
* @throws UnsupportedOperationException if {@code vpnPackage} exists but does
* not support being set as always-on, or if always-on VPN is not
* available.
*/
public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage,
boolean lockdownEnabled, @Nullable List<String> lockdownWhitelist)
throws NameNotFoundException {
throwIfParentInstance("setAlwaysOnVpnPackage");
if (mService != null) {
try {
if (!mService.setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled)) {
throw new NameNotFoundException(vpnPackage);
mService.setAlwaysOnVpnPackage(
admin, vpnPackage, lockdownEnabled, lockdownWhitelist);
} catch (ServiceSpecificException e) {
switch (e.errorCode) {
case ERROR_VPN_PACKAGE_NOT_FOUND:
throw new NameNotFoundException(e.getMessage());
default:
throw new RuntimeException(
"Unknown error setting always-on VPN: " + e.errorCode, e);
}
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
@@ -4503,6 +4544,51 @@ public class DevicePolicyManager {
}
}
/**
* Called by device or profile owner to query whether current always-on VPN is configured in
* lockdown mode. Returns {@code false} when no always-on configuration is set.
*
* @param admin Which {@link DeviceAdminReceiver} this request is associated with.
*
* @throws SecurityException if {@code admin} is not a device or a profile owner.
*
* @see #setAlwaysOnVpnPackage(ComponentName, String, boolean)
*/
public boolean isAlwaysOnVpnLockdownEnabled(@NonNull ComponentName admin) {
throwIfParentInstance("isAlwaysOnVpnLockdownEnabled");
if (mService != null) {
try {
return mService.isAlwaysOnVpnLockdownEnabled(admin);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
return false;
}
/**
* Called by device or profile owner to query the list of packages that are allowed to access
* the network directly when always-on VPN is in lockdown mode but not connected. Returns
* {@code null} when always-on VPN is not active or not in lockdown mode.
*
* @param admin Which {@link DeviceAdminReceiver} this request is associated with.
*
* @throws SecurityException if {@code admin} is not a device or a profile owner.
*
* @see #setAlwaysOnVpnPackage(ComponentName, String, boolean, List)
*/
public @Nullable List<String> getAlwaysOnVpnLockdownWhitelist(@NonNull ComponentName admin) {
throwIfParentInstance("getAlwaysOnVpnLockdownWhitelist");
if (mService != null) {
try {
return mService.getAlwaysOnVpnLockdownWhitelist(admin);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
return null;
}
/**
* Called by a device or profile owner to read the name of the package administering an
* always-on VPN connection for the current user. If there is no such package, or the always-on
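Review bot: The new four-argument setAlwaysOnVpnPackage calls `mService.setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled, lockdownWhitelist);` and discards the result, while the AIDL declaration in IDevicePolicyManager still returns `boolean`. Failure is now reported only through ServiceSpecificException, so if the service implementation (not visible here) can still return false, the admin app would see success although always-on VPN or lockdown was not applied. I would either declare the binder method `void`, or keep a check such as `if (!mService.setAlwaysOnVpnPackage(...)) throw new NameNotFoundException(vpnPackage);` so a failed policy change cannot pass silently. The method body is split between the second and third hunks of this file.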


@@ -182,8 +182,10 @@ interface IDevicePolicyManager {
void setCertInstallerPackage(in ComponentName who, String installerPackage);
String getCertInstallerPackage(in ComponentName who);
boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown);
boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown, in List<String> lockdownWhitelist);
String getAlwaysOnVpnPackage(in ComponentName who);
boolean isAlwaysOnVpnLockdownEnabled(in ComponentName who);
List<String> getAlwaysOnVpnLockdownWhitelist(in ComponentName who);
void addPersistentPreferredActivity(in ComponentName admin, in IntentFilter filter, in ComponentName activity);
void clearPackagePersistentPreferredActivities(in ComponentName admin, String packageName);