From eb970d77ab6dd3ff981bb38b0d0ee8051e0d2381 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 24 Apr 2019 19:28:20 -0700
Subject: [PATCH] Add privapp permissions to network modules.

When built as part of the system, the network stack and the
captive portal login app should have the BYPASS_PRIVATE_DNS
and CONNECTIVITY_USE_RESTRICTED_NETWORKS permissions.
These are necessary to validate restricted networks, bypass VPNs,
bypass private DNS for captive portal login, etc. Add these
permissions to privapp-permissions-platform.xml.

When installed as mainline modules that cannot use signature
permissions, the modules get this ability by virtue of having the
MAINLINE_NETWORK_STACK permissions.

Additionally, add the CONNECTIVITY_USE_RESTRICTED_NETWORKS
permission to the captive portal login app manifest, which did
not contain it.

Bug: 129789428
Test: builds, boots
Test: dumpsys package shows permissions
Change-Id: I632359f7eff09fed71167733ac75824a5aa57894
Merged-In: I632359f7eff09fed71167733ac75824a5aa57894
(cherry picked from commit 109dbf9c05f325d6f8298ffa81b9e90668fddaf3)
---
 data/etc/privapp-permissions-platform.xml       | 6 ++++++
 packages/CaptivePortalLogin/AndroidManifest.xml | 1 +
 2 files changed, 7 insertions(+)

diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml
index dbbe1b4ca5748..485add9fa11fc 100644
--- a/data/etc/privapp-permissions-platform.xml
+++ b/data/etc/privapp-permissions-platform.xml
@@ -35,6 +35,11 @@ applications that come with the platform
         <permission name="android.permission.CRYPT_KEEPER"/>
     </privapp-permissions>
 
+    <privapp-permissions package="com.android.captiveportallogin">
+        <permission name="android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS"/>
+        <permission name="android.permission.NETWORK_BYPASS_PRIVATE_DNS"/>
+    </privapp-permissions>
+
     <privapp-permissions package="com.android.cellbroadcastreceiver">
         <permission name="android.permission.INTERACT_ACROSS_USERS"/>
         <permission name="android.permission.MANAGE_USERS"/>
@@ -213,6 +218,7 @@ applications that come with the platform
         <permission name="android.permission.LOCAL_MAC_ADDRESS"/>
         <permission name="android.permission.MANAGE_SUBSCRIPTION_PLANS"/>
         <permission name="android.permission.MANAGE_USB"/>
+        <permission name="android.permission.NETWORK_BYPASS_PRIVATE_DNS"/>
         <permission name="android.permission.PACKET_KEEPALIVE_OFFLOAD"/>
         <permission name="android.permission.READ_NETWORK_USAGE_HISTORY"/>
         <permission name="android.permission.READ_PRECISE_PHONE_STATE"/>
diff --git a/packages/CaptivePortalLogin/AndroidManifest.xml b/packages/CaptivePortalLogin/AndroidManifest.xml
index 355bdd8dfc98f..9add24718d8a1 100644
--- a/packages/CaptivePortalLogin/AndroidManifest.xml
+++ b/packages/CaptivePortalLogin/AndroidManifest.xml
@@ -26,6 +26,7 @@
     <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
     <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
     <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
+    <uses-permission android:name="android.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS" />
     <uses-permission android:name="android.permission.NETWORK_BYPASS_PRIVATE_DNS" />
     <uses-permission android:name="android.permission.MAINLINE_NETWORK_STACK" />