532 Commits

Author SHA1 Message Date
Treehugger Robot
fb755b7538 Merge "Remove redundant connected notification" 2020-03-13 07:10:13 +00:00
Chalard Jean
36b29acbc5 Remove the NetworkScore class.
This class is useless at this point and introduces overhead.

Bug: 113554781
Test: FrameworksNetTests
Change-Id: Ib6da6c1c7f2a0b97c847d2e64e5ce16dd821e1e7
2020-03-06 11:57:53 +09:00
lucaslin
be79321d71 Remove redundant connected notification
Remove the old connected notification since there is a new file
- NetworkStackNotifier.java which will send the connected
notification when captive portal validated.

Bug: 149883761
Test: 1. atest FrameworksNetTests
      2. Sign-in a captive portal and see if there is a redundant
      connected notification.

Change-Id: I4ec9d26623af4bfc65156a28a96b982466aede31
Merged-In: Id11a9b99dd04772a92af8d527104906c47bf64cd
2020-03-05 06:48:48 +00:00
Benedict Wong
24a2be8275 Add support for starting IKEv2/IPsec VPNs from settings
This commit allows the startLegacyVpn() call to start Platform VPN
profiles, allowing Settings to use the IKEv2/IPsec VPN options

When using an aliased private key, the
Ikev2VpnProfile.KEYSTORE_ALIAS_PREFIX must be prepended to the front of
the alias. This will in turn result in the fromVpnProfile() function to
pull the key from the KeyStore, as opposed to the inline-key that the
VpnManager API uses.

Bug: 148991741
Test: FrameworksNetTests passing, new tests added in subsequent CL
Test: Manually tested
Change-Id: Icbca695c353b2e12e99305676404dbf1a4495949
2020-02-19 02:44:34 +00:00
Benedict Wong
522f3c932d Add always-on VPN support for platform VPNs
This commit allows Platform VPNs to be started as part of always-on
mode.

Test: FrameworksNetTests passing, new tests added in subsequent CL
Test: Manually tested.
Change-Id: I5eda88e5b406a0e425eb7424665cf702e0979324
Merged-In: I5eda88e5b406a0e425eb7424665cf702e0979324
2020-02-18 22:13:31 +00:00
Benedict Wong
5d50ce8181 Enforce restricted user, getConnectionOwnerUid checks
This CL adds checks to ensure restricted users cannot change or
start/stop platform VPNs. In addition, this also adds checks to the
ConnectivityManager#getConnectionOwnerUid() to ensure that only
VpnService based VPNs can identify connections

Bug: 148040659
Test: FrameworksNetTests run
Change-Id: Id47ada5766036bfc84f3ba47f66f2d2683af916d
2020-02-14 00:09:47 -08:00
Benedict Wong
b5bb5d4ba1 Merge "Implement Ikev2VpnRunner" 2020-02-13 21:15:24 +00:00
Benedict Wong
b07baa2f6d Implement Ikev2VpnRunner
This change adds the implementation for IKEv2/IPsec VPNs.

Bug: 144246767
Test: Manually tested
Change-Id: I5ccec756cec49ccf57ccc4d5ad800eeb5d595a76
Merged-In: I5ccec756cec49ccf57ccc4d5ad800eeb5d595a76
2020-02-13 18:37:06 +00:00
Chalard Jean
7a5e51f4dc [NS B09] Create NetworkRanker
Bug: 113554781
Test: FrameworksNetTests
Change-Id: Ia534247144f479fe896e1a6e05b906103cd10005
2020-02-12 20:57:45 +09:00
Benedict Wong
526e7dd0b6 Add separate user consent for Platform VPNs
This change adds a new VPN user consent flow (using the same text) for
granting the lesser OP_ACTIVATE_PLATFORM_VPN. A new
PlatformVpnConfirmDialog is created as a subclass to preserve all logic,
but ensure the right appop is granted for the relevant dialog.

Intent extras were considered, but are inherently unsafe, since the
caller may add any extras that they would want.

Bug: 144246835
Test: FrameworksNetTests passing
Change-Id: Ia6f36207d43c3748f938430c2780dcf29e5623f3
Merged-In: Ia6f36207d43c3748f938430c2780dcf29e5623f3
2020-02-04 21:05:36 +00:00
Benedict Wong
b4b925fc18 Add basic logic for profile-based VPNs
This change adds stubs for the Platform built-in VPNs, along with
implementing some basic permissions checks.

Bug: 144246837
Test: FrameworksNetTests passing, new tests added
Change-Id: I68d2293fc1468544f0d9f64d02ea7e1c80c8d18c
2020-01-30 18:41:12 -08:00
Lorenzo Colitti
d5ad4726c5 Add a Builder to NetworkAgentConfig, and make it SystemApi.
Currently, only support the three elements in the config that are
known to be used.

Bug: 138306002
Test: builds, boots
Test: atest FrameworksTelephonyTests
Change-Id: I1d231ec2ddcff97c039bcbc815a39c1d3e26c410
Merged-In: I1d231ec2ddcff97c039bcbc815a39c1d3e26c410
2020-01-21 13:12:15 +00:00
Lorenzo Colitti
2dda9e0627 Rename NetworkMisc to NetworkAgentConfig.
NetworkMisc is not really an appropriate name for a system API.

Bug: 138306002
Test: builds, boots, wifi works, telephony works
Test: atest FrameworksNetTests FrameworksWifiTests FrameworksTelephonyTests
Change-Id: I621cfbe165996c67b201ca2dd2f95a5ab9af10ee
Merged-In: I621cfbe165996c67b201ca2dd2f95a5ab9af10ee
2020-01-21 12:57:27 +00:00
Rambo Wang
818cf71da8 Replace StringNetworkSpecifier & subId with TelephonyNetworkSpecifer
StringNetworkSpecifier is widely used to specify subscription id for
the NetworkRequest. The raw string field introduces ambiguity and leaves
large space for bugs. With TelephonyNetworkSpecifer, we are able to
settle down the type and value of the fields (although currently only
one) and introduce validation to detect the bug in the beginning.

Bug: 145993724
Test: atest FrameworksNetTests FrameworksTelephonyTests &
      make offline-sdk-docs
Change-Id: Iefbad9b1deb3de2c0b262d9ce5ae0704a50d08a6
2020-01-14 10:51:11 -08:00
Lorenzo Colitti
6654b08619 Stop using NetworkFactory in connectivity code.
Bug: 138306002
Test: builds, boots
Test: atest FrameworksNetTests
Change-Id: I6b9979f343108c0c077abd86ae1c21e5ece0cccc
2020-01-12 17:40:02 +09:00
paulhu
59148b7938 Replace the permission of internal connectivity checks
A number of connectivity checks that protect system-only methods
check for CONNECTIVITY_INTERNAL, but CONNECTIVITY_INTERNAL is a
signature|privileged permission. We should audit the permission
checks, and convert checks that protect code that should not be
called outside the system to a signature permission. So replace
all CONNECTIVITY_INTERNAL to other proper permissions.

Bug: 32963470
Test: atest FrameworksNetTests NetworkPolicyManagerServiceTest
Change-Id: I8f2dd1cd0609056494eaf612d39820e273ae093f
Merged-In: I8f2dd1cd0609056494eaf612d39820e273ae093f
2019-12-04 11:44:45 +08:00
Mark Chien
e8401aff92 Merge changes from topic "tether_migrate"
* changes:
  [Tether10]Remove UserManagerInternal usage in Tethering
  [Tether07] Migrate Tethering into module
  [Tether07] Clean up build rule for libtetheroffloadjni
2019-11-30 12:17:47 +00:00
markchien
0df2ebc43d [Tether07] Migrate Tethering into module
Now tethering would be run in dedicated service.
TetheringManager is the interface used to communicate with
TetheringService. The new call flow would be: ConnectivityManager
-> ConnectivityService -> TetheringManager -> TetheringService.
Note: the return value of #tether(), #untether() and #setUsbTethering()
APIs would always be no error. Client can use #getLastTetherError()
or #getTetheredIfaces or listen tether state change to check
status of corresponding interface.

Bug: 136040414
Bug: 144742179
Test: -build, flash, boot
      -atest TetheringTests
      -atest FrameworksNetTests

Change-Id: I7e78c0e0a3e70f940a749ba2a39ece7c7ec5b9b3
Merged-In: I7e78c0e0a3e70f940a749ba2a39ece7c7ec5b9b3
2019-11-30 10:03:08 +00:00
Paul Hu
85e8fd5a24 Merge "Fix hasUseBackgroundNetworksPermission issue." 2019-11-25 08:41:05 +00:00
Lucas Lin
82f0c22598 Merge "Fix title of PRIVATE_DNS_BROKEN notification when connecting VPN" 2019-11-25 08:14:09 +00:00
paulhu
86e23ebb47 Fix hasUseBackgroundNetworksPermission issue.
PermissionMonitor#hasUseBackgroundNetworksPermission only uses
the first package name of the uid for checking permission.
This is incorrect since each package declared different
permissions. So using the mApps which already checked both
network and using restricted network permissions. If uid is in
the mApps list that means uid has one of permission at least.

Bug: 135897744
Test: atest FrameworksNetTests
Change-Id: I3500a03ce06b5b822311ad0c67b606ce4039216a
2019-11-24 22:27:32 +08:00
lucaslin
ccab250a55 Fix title of PRIVATE_DNS_BROKEN notification when connecting VPN
NetworkNotificationManager will only get the first transport
type from the NetworkCapabilities of network, and if the device
connects to a VPN and its underlying network is wifi, then the
first finding transport type will be TRANSPORT_WIFI. So, if the
private DNS is broken when device connected to VPN,
NetworkNotificationManager will try to get the SSID for the
title of notification but failed. For this kind of case, the
title of PRIVATE_DNS_BROKEN notification will show
"null has no internet access".

Bug: 143340533
Test: 1. Build pass.
      2. Connect to VPN and let private DNS to be broken, check
      title of PRIVATE_DNS_BROKEN notification.
      3. atest FrameworksNetTests

Change-Id: I1ed018cc8774d4fce4b94854f8e8703a28818463
2019-11-22 12:46:32 +08:00
Jayachandran C
43fa1be03a Remove usage of Telephonymanager getDefault() and from() hidden APIs
This CL replaces with getSystemService(TelephonyManager.class)

Bug: 140768340
Test: atest frameworks/base/tests/net
Change-Id: I0f14cc5440fa85c81ab90f3199e9e91c1b00f5e1
2019-11-15 19:26:33 -08:00
Lucas Lin
c000664c7c Merge "[NS01] Create NetworkScore" 2019-11-08 00:47:22 +00:00
lucaslin
c2bac51882 [NS01] Create NetworkScore
It's the first patch for refounding network selection. The new
network selection will try to compare the networks by more
factors, and will try to choose the best network after doing
the evaluation of trade-off.
Create the object that will serve to represent network quality
for more comprehensive ranking.

Bug: 143676287
Test: 1. Build pass.
      2. atest FrameworksNetTests

Change-Id: I4b6071d14365aa84d06be9802516fedf527e70f7
2019-11-07 16:47:56 +08:00
markchien
77c17be6f3 [Tether06] Migrate tether offload controller into module
The tether offload JNI library in this patch still has many dependencies
with internal libraries. Will have follow up changes to cut the
dependencies to let it be an unbundled library.

Bug: 136040414
Test: -build, flash, boot
      -atest TetheringTests
      -atest FrameworksNetTests

Change-Id: Iacf8e0b94135e35672de3ee77c474ee39a00c591
2019-11-05 12:49:50 +09:00
markchien
d020e55723 [Tether05] Migrate UpstreamNetworkMonitor into module
Bug: 136040414
Test: -build, flash, boot
      -atest TetheringTests
      -atest FrameworksNetTests

Change-Id: Ic1d9deecb66aaba0a4264a57f2e6579ea491ac9b
2019-10-30 12:42:42 +00:00
markchien
f303c5a881 [Tether04] Migrate EntitlementManager into module
Bug: 136040414
Test: -build, flash, boot
      -atest TetheringTests
      -atest FrameworksNetTests

Change-Id: Ifdfc6cd95377351c37946a146b60896f07ece59d
Merged-In: Ifdfc6cd95377351c37946a146b60896f07ece59d
2019-10-30 11:06:28 +00:00
markchien
a6ba54d59d [Tether02] Migrate TetheringConfiguration into module
TetheringConfiguration is a utility class to encapsulate the various
configuration elements.

Bug: 136040414
Test: -build, flash, boot
      -atest TetheringTests

Change-Id: I9434ab213bc5e0fca59f14a6c8cea554abefc3a4
2019-10-24 14:00:05 +08:00
Jimmy Chen
8a9a9adaeb Merge "p2p: mirgrate p2p into tethering modes" 2019-10-18 05:42:31 +00:00
Jimmy Chen
bcd86d0c9b p2p: mirgrate p2p into tethering modes
Bug: 137602441
Bug: 139783330
Test: atest FrameworksNetTests
Test: atest FrameworksWifiTests
Test: CtsVerifier - Wi-Fi Direct
Test: Enable hotspot when P2P GO is running
      * P2P GO is terminated
      * hotspot is running
Test: Enable P2P GO when hotspot is running
      * hotspot is intact
      * P2P GO could not be launched
Test: Verify P2P functions with legacy WifiP2pService

Change-Id: Icb2e2b106ae52b19af29b7a1ebc55d3cdf80db9c
2019-10-08 14:37:19 +08:00
Lorenzo Colitti
fc901157dc Properly test TrafficController permissions on package updates.
The current test we have for a package changing TrafficController
permissions (i.e., INTERNET or UPDATE_DEVICE_STATS permissions)
is not realistic.

This is because the test simulates the update by removing and
adding the package. But TrafficController permissions are not
driven by broadcasts, they are driven by PackageListObserver,
and when an app is updated, PackageListObserver does not see a
remove and an add, but a single change event.

Add a new test for this.

Bug: 137864893
Test: new unit test added
Change-Id: I691b928f57c79c19dfb6ddb01983d55ef305c472
2019-09-20 11:58:43 +09:00
Treehugger Robot
25d4c75c26 Merge "Update wifi interface ip state upon receiving ap disable event" 2019-08-16 05:15:12 +00:00
Jianpeng Li
a70feeca7a Update wifi interface ip state upon receiving ap disable event
When turning on/off SoftAp with high frequency, sometimes calling
WifiManager#updateInterfaceIpState with IFACE_IP_MODE_TETHERED
is performed after handling WIFI_AP_STATE_DISABLED event in
WifiServiceImpl while SoftAp is being terminated. This leads to
the issue that SoftAp is unable to start as startSoftAp always
returns "false". This is because mIfaceIpModes in WifiServiceImpl
keeps the mode WifiManager.IFACE_IP_MODE_TETHERED and the CL below
rejects SoftAp start request.

e257c5c9e79e3675375ca20731cfb74df02b1064 @ frameworks/opt/net/wifi
(WifiServiceImpl: Reject startSoftAp when already tethering)

This CL updates the interface ip state upon receiving ap disable
event from Tethering class to set proper state to mIfaceIpModes.

Bug: 134806980
Test: Ran script to turn on/off soft ap frequently
Signed-off-by: Daichi Ueura <daichi.ueura@sony.com>
Change-Id: I2f89214414d93f1aa942fb8a21264a9baae3452a
2019-08-16 04:16:26 +09:00
markchien
426311bcb5 Don't allow upstream if entitlement don't know any downstream
In case tethering downstream is setup but don't ask EntitlementManager
to run provisioning. Cellular upstream should not be allowed if
EntitlementManager don't have any downstream record.

Bug: 134649258
Test: -build, flash, boot
      -manual test with carrier SIM
Change-Id: I609722c79f0a45a1c2164d39721ef5883e436feb
2019-08-13 02:28:41 +00:00
markchien
04bdf8738b Fix entitlement failed when device is on CBRS
Tethering may use wrong sub id for entitlement when data
subscription is changed from preferred data sub id to CBRS
sub id. Fix by using the active data sub id for tethering.

Bug: 134994718
Test: -build, flash, boot
      -FrameworkNetTests
      -manual test with carrier SIMs

Change-Id: Icb3f5eeb2319e50b2dc98369ad152988c934da57
Merged-In: Icb3f5eeb2319e50b2dc98369ad152988c934da57
2019-07-04 16:23:32 +08:00
Chalard Jean
9c0ff1b005 Factorize custom asserts.
Also a few utilities that were in the way, and some opportunistic
cleanups.

Test: FrameworksNetTest NetworkStackTest
Change-Id: I385070e2044fd967cb18f1ffea9a86a4627b742e
2019-06-20 16:24:25 +09:00
Chalard Jean
06d81d2c62 Always give VPN the INTERNET capability.
Split-tunnel VPN (which are the only ones affected by this change)
always fall through to the default network for routes they don't
handle, and even if the underlying network(s) don't provide access
this may be a pinhole that can actually reach the broader network.

In practice this behaves like the original release of P and is the
safest thing to do for Q. In R we should evaluate giving the VPN
app the ability to simply tell the network stack whether it does
provide Internet access or not.

Bug: 119216095
Test: FrameworksNetTests NetworkStackTests
Change-Id: I262ca41fe0225660551c9a421562405366b6acac
2019-05-30 16:11:14 +09:00
Chalard Jean
ce75e0e335 Add a common test library.
This is the most common test library for Connectivity tests. It is
meant to be usable in framework tests, network stack tests, CTS,
GTS. To achieve that, it can only depend on framework classes.

Bug: none
Test: NetworkMonitorTest
Test: NsdManagerTest
Test: ConnectivityServiceTest
Test: OffloadControllerTest
Test: NetworkStatsObserversTest
Test: NetworkStatsServiceTest
(all the touched classes)

Change-Id: Ic47cbe7ba0e407145fa6bc49bb2adb3c5937dbc4
2019-05-28 22:20:51 +09:00
Chalard Jean
506686bc3d Let the system server have CONNECTIVITY_USE_RESTRICTED_NETWORKS.
Also:
- Fix testUidFilteringDuringVpnConnectDisconnectAndUidUpdates that
  was failing on devices with a first released SDK >= Q
- Add a test that actually tests that the system has the permission, as
  the test was only testing what's in the mock

Bug: 119770201
Test: New test making sure this stays true
Change-Id: I74cf5f0fa17fcf818f1fed78c7e3e4375c20152e
2019-05-27 16:35:22 +09:00
Chenbo Feng
05887f99c6 Clean up the permission control code in framework
Delete the unused NetworkManagementService API for set/remove
permissions. Use PERMISSION_NONE to replace NO_PERMISSIONS so the
framework now uses the same set of permission constants when communicating
with netd.

Bug: 128944261
Test: PermissionMonitorTest.java

Change-Id: I25224c9576f52d2a0a0bd2182325c7aac7b28eb5
2019-05-07 13:50:25 -07:00
paulhu
f32da69eec Add CTS API coverage for APIs which are used by NetworkStack
Change-Id: I4f6c34f3bcfa65e60cf73fc1b7cab2d83c32836a
Bug: 129200003
Bug: 129200292
Bug: 129199996
Bug: 129200261
Bug: 129200513
Bug: 129200316
Bug: 129200589
Bug: 129200181
Bug: 129200669
Bug: 129200504
Bug: 129200478
Test: atest FrameworksNetTests
Test: atest CtsNetTestCases: added tests pass
2019-04-30 17:26:24 +08:00
Mark Chien
899f397175 Merge "Tethering: fix using wrong subId problem" 2019-04-16 12:31:10 +00:00
markchien
3394e14fc3 Tethering: fix using wrong subId problem
There is the potential bug[1] that default data subId change
intent may lose. So tethering may cache the outdated default
data subId in TetheringConfiguration. Now EntitlementManager
would fetch configuration every time and this would re-examine
whether subId is changed.
Additional passing subId to Settings to avoid default data
subId change right away when launching entitlement check.
Thus, Settings can know whether this is outdated entitlement
check request.
[1] b/129224596

Bug: 129751453
Test: -build, flash, boot
      -atest FrameworksNetTests
      -manual test with carrier SIM

Change-Id: If334dd1cd383cced9db5cf0d0bc9dc60ed198816
2019-04-16 18:48:38 +08:00
Lorenzo Colitti
4c9f954d2b Revert "Revert "Block incoming non-VPN packets to apps under fully-routed VPN""
This reverts commit 3897df2e36.

Reason for revert: Rolling forward, will fix tests in same CL stack.

Bug: 114231106
Bug: 130397860
Test: FrameworksNetTests
Change-Id: Ia8a0c99b4e1fd5dff26c881715cd876618ca4321
2019-04-12 19:52:32 +09:00
Remi NGUYEN VAN
3897df2e36 Revert "Block incoming non-VPN packets to apps under fully-routed VPN"
This reverts commit fd8f96d719.
This change does not have any topic: not reverting the other 2 commits in the original topic.

Reason for revert: broke FrameworksNetTests presubmit: b/130397860

Change-Id: Iff41d9fe97fafea44680c8d67d1ce19277548cc0
2019-04-12 09:05:40 +00:00
Rubin Xu
fd8f96d719 Block incoming non-VPN packets to apps under fully-routed VPN
When a fully-routed VPN is running, we want to prevent normal apps
under the VPN from receiving packets originating from any local non-VPN
interfaces. This is achieved by using eBPF to create a per-UID input
interface whitelist and populate the whitelist such that all
non-bypassable apps under a VPN can only receive packets from the VPN's
TUN interface (and loopback implicitly)

This is the framework part of the change that build the whitelist.
The whitelist needs to be updated in the following cases:
* When a VPN is connected and disconnected
    This will cover the change to allowBypass bit, since that can't be
    changed without reconnecting.
* When a VPN's NetworkCapabilities is changed (whitelist/blacklist app changes)
* When a new app is installed
* When an existing app is removed
* When a VPN becomes fully-routed or is no longer fully-routed

New user/profile creation will automatically result in a whitelist app change
transition so it doesn't need to be handled specially here.

Due to the limitation of the kernel IPSec interacting with eBPF (sk_buf->ifindex
does not point to the virtual tunnel interface for kernel IPSec), the whitelist
will only apply to app VPNs but not legacy VPN connections, to prevent breaking
connectivity with kernel IPSec entirely.

Test: atest PermissionMonitorTest
Test: atest android.net.RouteInfoTest
Test: atest com.android.server.ConnectivityServiceTest
Test: atest HostsideVpnTests
Bug: 114231106
Change-Id: I143b03d60e46cb1b04732b4a4034f5847b4d1b1a
2019-04-10 17:05:54 +01:00
Treehugger Robot
7754d368f4 Merge "Clean up permissions when uids are no longer used" 2019-04-03 17:15:48 +00:00
Mark Chien
31b33b6f41 Merge "Some cleanups for Tethering" 2019-04-03 10:16:25 +00:00
markchien
9f246bd9e3 Some cleanups for Tethering
Bug: 126481523
Test: -build, flash, boot
      -FrameworksNetTests

Change-Id: I904646efa87eb5434124c7828aca4ab09c5dc38e
2019-04-03 13:56:00 +08:00