Move away from storing the configs in the Intent to prevent issues with
PendingIntents and multiple configs.
The Dialog now queries ConnectivityService for the configuration to
display in the management dialog.
Change-Id: I0e0ef52db840152914d117a24f776d8106e836ff

VPNs are now per user instead of global. A VPN set by user A routes only
user A's traffic and no other user can access it.
Change-Id: Ia66463637b6bd088b05768076a1db897fe95c46c

On stacked interfaces like 464xlat, Legacy VPN can't find the
default gateway because it uses getRoutes, which only returns
routes for the base link and not for the stacked links. It also
assumes that the interface that the default route points to is
the interface for the base link (e.g., rmnet0) instead of the
interface the route actually points to (e.g., clat4).
Fix this by calling getAllRoutes to find the default IPv4 route,
and get the interface name from the route we find instead of
assuming it's the base interface.
Bug: 9597516
Change-Id: Ia6ce0b6258a421cd22f60dedca7e94176b32176b

Recent changes started watching for CONNECTIVITY_ACTION broadcasts
to handle the case where a network is disconnected without the
interface going down.
However, when lockdown VPN is enabled, the broadcast contents are
augmented, and all connections appear disconnected until the VPN
comes online. This caused a reset feedback loop to occur.
Since LockdownVpnTracker already handles networks being disconnected
separately from interfaces going down, this change disables handling
the broadcast when lockdown is enabled.
Bug: 8755148
Change-Id: I70a348aa97a4b22eaaf23aa5ed344de3e9a9ab0b

VPN used to just watch the interface, but that is insufficient. There
is no promise that the interface will go down when we're done with it.
Now that wifi stays on in scan-only mode despite the user turning it off,
it seems that the interface is left up, even in AP mode.
Now listening for the ConnectivityService broadcast that the network we were on
has disconnected, and tearing down the VPN then or when the interface
goes away.
bug:8550083
Change-Id: Icf414497bc55bead69de04e91f39f90ac2e6578a

Must remember the outer interface - undoes a change from a
couple months ago that broke things.
bug:7336302
Change-Id: Ia4f60862c60f3078853e151980e09cbf22a57222

Also fix a bunch of system services that should be doing this. And
while doing that, found I needed to fix PendingIntent to evaluate
USER_CURRENT at the point of sending, not creation.
Note that this may end up with us having some notification shown to
non-primary users that leads to settings UI that should only be for
the primary user (such as the VPN notification). I'm not sure what
to do about this, maybe we need a different UI to come up there or
something, but showing the actual notification for those users at
least seems less broken than not telling them at all.
Change-Id: Iffc51e2d7c847e3d05064d292ab93937646a1ab7

Adds support for always-on VPN profiles, also called "lockdown." When
enabled, LockdownVpnTracker manages the netd firewall to prevent
unencrypted traffic from leaving the device. It creates narrow rules
to only allow traffic to the selected VPN server. When an egress
network becomes available, LockdownVpnTracker will try bringing up
the VPN connection, and will reconnect if disconnected.
ConnectivityService augments any NetworkInfo based on the lockdown
VPN status to help apps wait until the VPN is connected.
This feature requires that VPN profiles use an IP address for both
VPN server and DNS. It also blocks non-default APN access when
enabled. It waits for USER_PRESENT after boot to check KeyStore status.
Bug: 5756357
Change-Id: If615f206b1634000d78a8350a17e88bfcac8e0d0

Generate the racoon and mtpd daemon arguments in system_server,
instead of accepting them from Settings.
Bug: 5756357
Change-Id: I42c1a644f6add477fe4222342640d7db15982cb8

Created a base tracker that handles common bookkeeping, and moved VPN
to become a tracker. VPN status is now reflected in NetworkInfo, and
is mapped to LegacyVpnInfo.
Legacy VPN now "babysits" any init services it starts, watching for
when they stop unexpectedly.
Bug: 5756357
Change-Id: Iba7ec79da69469f6bd9a970cc39cf6b885b4c9c4

The activity notification is received from netd; an intent
DATA_ACTIVITY_CHANGE is then raised for other parts of the system to
consume.
Change-Id: Idfcc4763c51c5b314c57f546c12557082f06bebf

As init now uses SIGKILL to stop daemons, performing graceful shutdown
becomes impossible. Here we implement our own solution by asking daemons
to monitor the control socket and terminate when it is closed.
Change-Id: I07a28807173a81b7f95e70f4193e974317acf88a

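The daemon side of this scheme, as an added C example that is not the racoon/mtpd code from the AOSP tree: `control_socket_check()` polls the control socket and treats hangup or a zero-length read as the cue to terminate, and `simulate_controller_close()` exercises it with a socketpair standing in for the real control socket (both function names are mine).

```c
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

enum ctl_state { CTL_OPEN = 0, CTL_CLOSED = 1, CTL_ERROR = -1 };

/* Poll the control socket for up to timeout_ms. CTL_CLOSED means the controlling
 * process closed its end (POLLHUP, or EOF on read): the daemon's cue to tear down.
 * CTL_OPEN means the peer is still there; CTL_ERROR is anything unexpected. */
static enum ctl_state control_socket_check(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    char buf[256];
    ssize_t r;
    int n = poll(&pfd, 1, timeout_ms);
    if (n < 0)
        return errno == EINTR ? CTL_OPEN : CTL_ERROR;   /* caller just retries */
    if (n == 0)
        return CTL_OPEN;                      /* quiet, but peer still alive */
    if (pfd.revents & (POLLHUP | POLLERR | POLLNVAL))
        return CTL_CLOSED;
    r = read(fd, buf, sizeof(buf));           /* POLLIN: a command, or EOF */
    if (r == 0)
        return CTL_CLOSED;                    /* EOF: controller closed its end */
    if (r < 0)
        return (errno == EINTR || errno == EAGAIN) ? CTL_OPEN : CTL_ERROR;
    return CTL_OPEN;                          /* command bytes consumed */
}

/* Constructed self-check: a socketpair stands in for the real control socket.
 * Returns 0 if every phase behaves, else a bitmask of the failing phases. */
int simulate_controller_close(void)
{
    int sv[2], rc = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int daemon_fd = sv[0], controller_fd = sv[1];
    if (control_socket_check(daemon_fd, 10) != CTL_OPEN)      /* idle socket */
        rc |= 1;
    if (write(controller_fd, "up", 2) != 2 ||
        control_socket_check(daemon_fd, 10) != CTL_OPEN)      /* command arrives */
        rc |= 2;
    close(controller_fd);                     /* controller goes away */
    if (control_socket_check(daemon_fd, 1000) != CTL_CLOSED)
        rc |= 4;
    close(daemon_fd);
    return rc;
}
```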
Currently legacy VPN only works on IPv4, and it should always
turn down when the addresses are changed. It assumed that the
interface will be brought down and up, so the event can be
detected via interfaceStatusChanged(). However, the assumption
was incorrect and the event is actually driver-dependent. To
fix this issue, ConnectivityService now tells VPN that the
interface is down when resetting IPv4 addresses.
Change-Id: I76d15e56552d86635c5b274ca980be5da905a6fb

Some VPNs need more time than others in order to create the secure tunnel.
For example, L2TP/IPSec PSK on average needs 15 seconds on WiFi. On mobile
connection, variation gets larger, and it sometimes needs more than 30
seconds. This change increases timeout period from 30 to 60 seconds.
Change-Id: I6006fd254a7bc91c22f63d2f3f20ea79ee9b05e2

This is a 1st pass at receiving events that indicate
some quota has been reached, e.g. warning quota, data collection quota,
cutoff quota, ...
It needs:
- new kernel with quota2 logging support
- new net:bandwidthcontroller that supports
  . quota2,
  . setting alerts.
- new NetlinkEvent/NetlinkManager/NetlinkHandler to process
  NETLINK NFLOG messages.
Change-Id: Ibfbb13512c5350cdee0e544ec14caa6f59812409

1. No more End-Of-Arguments.
2. Daemons close the control socket after they are initialized.
3. No more system properties.
4. ip-up-vpn now creates state to pass the configuration.
5. JNI methods are split again for legacy VPN.
Change-Id: I02fafdf01d425c965345ef712b2bd5fdee3a0cab

When someone tries to revoke packageA, it is possible that packageA is
already revoked by packageB. In this case packageB should not be revoked,
and the new prepare() can help solve this problem.
Change-Id: Iee056a191dd99467b8ad1b5379a17b02d404bad1

After unreverting the linkstate change patch, hook up notification handlers
that didn't exist when the first patch was created, like
EthernetDataTracker.java and Vpn.java.
For the observers that handle interfaceStatusChanged(), I made
interfaceLinkStatusChanged() call it so they both do the same thing.
Change-Id: I0077e5e5f48f3932ba98f5bf363243892f2de6cc
Signed-off-by: Mike J. Chen <mjchen@google.com>

This might not be the best place for the glue code, but it is
known that choosing VpnBuilder will introduce a dependency
cycle of VpnBuilder, ConnectivityService, and the Vpn class.
Change-Id: I3f03617d1fe1a0b8fb3705c23265676fff51a75c