path: root/core/java/android/net/VpnService.java
author Charles He <qiurui@google.com> 2017-05-15 17:07:18 +0100
committer Charles He <qiurui@google.com> 2017-07-18 00:55:38 +0100
commit 3673863f3b2ec692201b7fb3089a1c05973e08e4 (patch)
tree 906b7ca09045581374fe55cec1f78e4efa97481b /core/java/android/net/VpnService.java
parent 2ee0de2593740e3d60829b0f5d3d47bdfbc0ff4e (diff)
Opt-out for always-on VPN
Always-on VPN is a feature introduced in N. Since then, all VPN apps targeting N+ are assumed to support the feature, and the user or the DPC can turn on / off always-on for any such VPN app.

However, a few VPN apps are not designed to support the always-on feature. Enabling always-on for these apps will result in undefined behavior and confusing "Always-on VPN disconnected" notification.

This feature provides a new manifest meta-data field through which a VPN app can opt out of the always-on feature explicitly. This will stop the always-on feature from being enabled for the app, both by the user and by the DPC, and will clear its existing always-on state.

A @hide API is provided to check whether an app supports always-on VPN. Documentation is updated to reflect the behavior change.

Bug: 36650087
Test: runtest --path java/com/android/server/connectivity/VpnTest.java
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Change-Id: I477897a29175e3994d4ecf8ec546e26043c90f13
Diffstat (limited to 'core/java/android/net/VpnService.java')
-rw-r--r-- core/java/android/net/VpnService.java 31
1 files changed, 29 insertions, 2 deletions
diff --git a/core/java/android/net/VpnService.java b/core/java/android/net/VpnService.java
index 4b79cbb98d8c..7fb0c47598c8 100644
--- a/core/java/android/net/VpnService.java
+++ b/core/java/android/net/VpnService.java
@@ -28,8 +28,6 @@ import android.content.Context;
import android.content.Intent;
import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
-import android.net.Network;
-import android.net.NetworkUtils;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
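Review bot: The two removed imports at the top of this hunk (android.net.Network and android.net.NetworkUtils) are cleanup unrelated to the always-on opt-out, and the commit message does not mention them. The file lives in core/java/android/net/, so both were same-package imports and dropping them is safe, but consider noting the cleanup in the commit message or splitting it into its own change so the functional change is easier to audit and revert on its own.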
@@ -131,6 +129,35 @@ public class VpnService extends Service {
public static final String SERVICE_INTERFACE = VpnConfig.SERVICE_INTERFACE;
/**
+ * Key for boolean meta-data field indicating whether this VpnService supports always-on mode.
+ *
+ * <p>For a VPN app targeting {@link android.os.Build.VERSION_CODES#N API 24} or above, Android
+ * provides users with the ability to set it as always-on, so that VPN connection is
+ * persisted after device reboot and app upgrade. Always-on VPN can also be enabled by device
+ * owner and profile owner apps through
+ * {@link android.app.admin.DevicePolicyManager#setAlwaysOnVpnPackage}.
+ *
+ * <p>VPN apps not supporting this feature should opt out by adding this meta-data field to the
+ * {@code VpnService} component of {@code AndroidManifest.xml}. In case there is more than one
+ * {@code VpnService} component defined in {@code AndroidManifest.xml}, opting out any one of
+ * them will opt out the entire app. For example,
+ * <pre> {@code
+ * <service android:name=".ExampleVpnService"
+ * android:permission="android.permission.BIND_VPN_SERVICE">
+ * <intent-filter>
+ * <action android:name="android.net.VpnService"/>
+ * </intent-filter>
+ * <meta-data android:name="android.net.VpnService.SUPPORTS_ALWAYS_ON"
+ * android:value=false/>
+ * </service>
+ * } </pre>
+ *
+ * <p>This meta-data field defaults to {@code true} if absent.
+ */
+ public static final String METADATA_SUPPORTS_ALWAYS_ON =
+ "android.net.VpnService.SUPPORTS_ALWAYS_ON";
+
+ /**
* Use IConnectivityManager since those methods are hidden and not
* available in ConnectivityManager.
*/
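Review bot: In the manifest example inside the new Javadoc, the line android:value=false/> has an unquoted attribute value, which is not well-formed XML, so a developer who copies the snippet verbatim gets a manifest that does not parse. Suggest android:value="false"/> instead. Separately, the Javadoc states that the field defaults to true and that opting out one VpnService opts out the whole app, but it does not say what the commit message says about enforcement: that opting out stops always-on from being enabled by both the user and the DPC and clears any existing always-on state. A sentence to that effect here, next to the setAlwaysOnVpnPackage link, would help device admins who rely on always-on VPN for traffic protection understand that an opted-out package cannot be put into that mode.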