authorDan Albert <danalbert@google.com>2019-01-24 21:05:39 +0000
committerDan Albert <danalbert@google.com>2019-01-24 21:05:39 +0000
commitee8e6a0fae7cf79862e05ea3f62d552bac3e1401 (patch)
treee612fa7dab5f1164c6c4ffb58e8a9c880197c61f /core/java
parentbb9cef04c5b6699412d43d82bdd31c7a4f692cbc (diff)
Revert "Whitelist packages from VPN lockdown."
This reverts commit bb9cef04c5b6699412d43d82bdd31c7a4f692cbc. Reason for revert: broke pi-dev-plus-aosp Change-Id: Iaf5c8aa4a8720eb2852da8cd91c81a77ccb92b68
Diffstat (limited to 'core/java')
-rw-r--r--core/java/android/app/admin/DevicePolicyManager.java98
-rw-r--r--core/java/android/app/admin/IDevicePolicyManager.aidl4
-rw-r--r--core/java/android/net/ConnectivityManager.java41
-rw-r--r--core/java/android/net/IConnectivityManager.aidl5
-rw-r--r--core/java/android/provider/Settings.java10
5 files changed, 10 insertions, 148 deletions
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 71596421f16d..1b08ecd32fca 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -4464,16 +4464,11 @@ public class DevicePolicyManager {
}
/**
- * Service-specific error code used in implementation of {@code setAlwaysOnVpnPackage} methods.
- * @hide
- */
- public static final int ERROR_VPN_PACKAGE_NOT_FOUND = 1;
-
- /**
* Called by a device or profile owner to configure an always-on VPN connection through a
* specific application for the current user. This connection is automatically granted and
* persisted after a reboot.
- * <p> To support the always-on feature, an app must
+ * <p>
+ * To support the always-on feature, an app must
* <ul>
* <li>declare a {@link android.net.VpnService} in its manifest, guarded by
* {@link android.Manifest.permission#BIND_VPN_SERVICE};</li>
@@ -4482,13 +4477,12 @@ public class DevicePolicyManager {
* {@link android.net.VpnService#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON}.</li>
* </ul>
* The call will fail if called with the package name of an unsupported VPN app.
- * <p> Enabling lockdown via {@code lockdownEnabled} argument carries the risk that any failure
- * of the VPN provider could break networking for all apps.
*
* @param vpnPackage The package name for an installed VPN app on the device, or {@code null} to
* remove an existing always-on VPN configuration.
* @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
- * {@code false} otherwise. This has no effect when clearing.
+ * {@code false} otherwise. This carries the risk that any failure of the VPN provider
+ * could break networking for all apps. This has no effect when clearing.
* @throws SecurityException if {@code admin} is not a device or a profile owner.
* @throws NameNotFoundException if {@code vpnPackage} is not installed.
* @throws UnsupportedOperationException if {@code vpnPackage} exists but does not support being
@@ -4497,46 +4491,11 @@ public class DevicePolicyManager {
public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage,
boolean lockdownEnabled)
throws NameNotFoundException, UnsupportedOperationException {
- setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled, Collections.emptyList());
- }
-
- /**
- * A version of {@link #setAlwaysOnVpnPackage(ComponentName, String, boolean)} that allows the
- * admin to specify a set of apps that should be able to access the network directly when VPN
- * is not connected. When VPN connects these apps switch over to VPN if allowed to use that VPN.
- * System apps can always bypass VPN.
- * <p> Note that the system doesn't update the whitelist when packages are installed or
- * uninstalled, the admin app must call this method to keep the list up to date.
- *
- * @param vpnPackage package name for an installed VPN app on the device, or {@code null}
- * to remove an existing always-on VPN configuration
- * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
- * {@code false} otherwise. This has no effect when clearing.
- * @param lockdownWhitelist Packages that will be able to access the network directly when VPN
- * is in lockdown mode but not connected. Has no effect when clearing.
- * @throws SecurityException if {@code admin} is not a device or a profile
- * owner.
- * @throws NameNotFoundException if {@code vpnPackage} or one of
- * {@code lockdownWhitelist} is not installed.
- * @throws UnsupportedOperationException if {@code vpnPackage} exists but does
- * not support being set as always-on, or if always-on VPN is not
- * available.
- */
- public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage,
- boolean lockdownEnabled, @Nullable List<String> lockdownWhitelist)
- throws NameNotFoundException, UnsupportedOperationException {
throwIfParentInstance("setAlwaysOnVpnPackage");
if (mService != null) {
try {
- mService.setAlwaysOnVpnPackage(
- admin, vpnPackage, lockdownEnabled, lockdownWhitelist);
- } catch (ServiceSpecificException e) {
- switch (e.errorCode) {
- case ERROR_VPN_PACKAGE_NOT_FOUND:
- throw new NameNotFoundException(e.getMessage());
- default:
- throw new RuntimeException(
- "Unknown error setting always-on VPN: " + e.errorCode);
+ if (!mService.setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled)) {
+ throw new NameNotFoundException(vpnPackage);
}
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
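Review bot: Every `false` returned by `mService.setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled)` is reported as `NameNotFoundException(vpnPackage)`, including the clearing case where `vpnPackage` is `null` and the exception carries a null message. The Javadoc above promises `UnsupportedOperationException` for a package that is installed but cannot be always-on. Whether the service throws that itself or returns `false` is not visible here, so an admin app may be told "not installed" when the real cause is different. Because a caller uses this result to decide whether lockdown was actually applied, the contract should be stated at the check, e.g. `// false == package not installed; unsupported packages surface as UnsupportedOperationException from the service` once that is confirmed against the service side. The method body continues past the end of this hunk.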
@@ -4545,51 +4504,6 @@ public class DevicePolicyManager {
}
/**
- * Called by device or profile owner to query whether current always-on VPN is configured in
- * lockdown mode. Returns {@code false} when no always-on configuration is set.
- *
- * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
- *
- * @throws SecurityException if {@code admin} is not a device or a profile owner.
- *
- * @see #setAlwaysOnVpnPackage(ComponentName, String, boolean)
- */
- public boolean isAlwaysOnVpnLockdownEnabled(@NonNull ComponentName admin) {
- throwIfParentInstance("isAlwaysOnVpnLockdownEnabled");
- if (mService != null) {
- try {
- return mService.isAlwaysOnVpnLockdownEnabled(admin);
- } catch (RemoteException e) {
- throw e.rethrowFromSystemServer();
- }
- }
- return false;
- }
-
- /**
- * Called by device or profile owner to query the list of packages that are allowed to access
- * the network directly when always-on VPN is in lockdown mode but not connected. Returns
- * {@code null} when always-on VPN is not active or not in lockdown mode.
- *
- * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
- *
- * @throws SecurityException if {@code admin} is not a device or a profile owner.
- *
- * @see #setAlwaysOnVpnPackage(ComponentName, String, boolean, List)
- */
- public List<String> getAlwaysOnVpnLockdownWhitelist(@NonNull ComponentName admin) {
- throwIfParentInstance("getAlwaysOnVpnLockdownWhitelist");
- if (mService != null) {
- try {
- return mService.getAlwaysOnVpnLockdownWhitelist(admin);
- } catch (RemoteException e) {
- throw e.rethrowFromSystemServer();
- }
- }
- return null;
- }
-
- /**
* Called by a device or profile owner to read the name of the package administering an
* always-on VPN connection for the current user. If there is no such package, or the always-on
* VPN is provided by the system instead of by an application, {@code null} will be returned.
diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl
index 00463028a685..37508cdc1119 100644
--- a/core/java/android/app/admin/IDevicePolicyManager.aidl
+++ b/core/java/android/app/admin/IDevicePolicyManager.aidl
@@ -182,10 +182,8 @@ interface IDevicePolicyManager {
void setCertInstallerPackage(in ComponentName who, String installerPackage);
String getCertInstallerPackage(in ComponentName who);
- boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown, in List<String> lockdownWhitelist);
+ boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown);
String getAlwaysOnVpnPackage(in ComponentName who);
- boolean isAlwaysOnVpnLockdownEnabled(in ComponentName who);
- List<String> getAlwaysOnVpnLockdownWhitelist(in ComponentName who);
void addPersistentPreferredActivity(in ComponentName admin, in IntentFilter filter, in ComponentName activity);
void clearPackagePersistentPreferredActivities(in ComponentName admin, String packageName);
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index e53f883c479e..cee3a409fc23 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -1007,20 +1007,14 @@ public class ConnectivityManager {
* to remove an existing always-on VPN configuration.
* @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
* {@code false} otherwise.
- * @param lockdownWhitelist The list of packages that are allowed to access network directly
- * when VPN is in lockdown mode but is not running. Non-existent packages are ignored so
- * this method must be called when a package that should be whitelisted is installed or
- * uninstalled.
* @return {@code true} if the package is set as always-on VPN controller;
* {@code false} otherwise.
* @hide
*/
- @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
public boolean setAlwaysOnVpnPackageForUser(int userId, @Nullable String vpnPackage,
- boolean lockdownEnabled, @Nullable List<String> lockdownWhitelist) {
+ boolean lockdownEnabled) {
try {
- return mService.setAlwaysOnVpnPackage(
- userId, vpnPackage, lockdownEnabled, lockdownWhitelist);
+ return mService.setAlwaysOnVpnPackage(userId, vpnPackage, lockdownEnabled);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
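Review bot: After this change `setAlwaysOnVpnPackageForUser` has no `@RequiresPermission`, so nothing on the client side states which permission guards a call that can put a user's networking into lockdown. The same applies to `getAlwaysOnVpnPackageForUser` in the next hunk. The annotation is only a lint and documentation aid; the real check presumably lives in the service, which is not part of this diff. Since both methods are `@hide` and take an arbitrary `userId`, add a Javadoc line naming the permission the service enforces, for example `* Requires the permission enforced by the service's setAlwaysOnVpnPackage (see service implementation).` with the actual name filled in. When the whitelist change is re-landed, confirm that the annotation and the server-side check name the same permission.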
@@ -1035,7 +1029,6 @@ public class ConnectivityManager {
* or {@code null} if none is set.
* @hide
*/
- @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
public String getAlwaysOnVpnPackageForUser(int userId) {
try {
return mService.getAlwaysOnVpnPackage(userId);
@@ -1045,36 +1038,6 @@ public class ConnectivityManager {
}
/**
- * @return whether always-on VPN is in lockdown mode.
- *
- * @hide
- **/
- @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
- public boolean isVpnLockdownEnabled(int userId) {
- try {
- return mService.isVpnLockdownEnabled(userId);
- } catch (RemoteException e) {
- throw e.rethrowFromSystemServer();
- }
-
- }
-
- /**
- * @return the list of packages that are allowed to access network when always-on VPN is in
- * lockdown mode but not connected. Returns {@code null} when VPN lockdown is not active.
- *
- * @hide
- **/
- @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
- public List<String> getVpnLockdownWhitelist(int userId) {
- try {
- return mService.getVpnLockdownWhitelist(userId);
- } catch (RemoteException e) {
- throw e.rethrowFromSystemServer();
- }
- }
-
- /**
* Returns details about the currently active default data network
* for a given uid. This is for internal use only to avoid spying
* other apps.
diff --git a/core/java/android/net/IConnectivityManager.aidl b/core/java/android/net/IConnectivityManager.aidl
index ac6b5b81b56b..3d34574440dd 100644
--- a/core/java/android/net/IConnectivityManager.aidl
+++ b/core/java/android/net/IConnectivityManager.aidl
@@ -125,11 +125,8 @@ interface IConnectivityManager
boolean updateLockdownVpn();
boolean isAlwaysOnVpnPackageSupported(int userId, String packageName);
- boolean setAlwaysOnVpnPackage(int userId, String packageName, boolean lockdown,
- in List<String> lockdownWhitelist);
+ boolean setAlwaysOnVpnPackage(int userId, String packageName, boolean lockdown);
String getAlwaysOnVpnPackage(int userId);
- boolean isVpnLockdownEnabled(int userId);
- List<String> getVpnLockdownWhitelist(int userId);
int checkMobileProvisioning(int suggestedTimeOutMs);
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index e904b0713e24..bbd76d2a1f12 100644
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -5671,16 +5671,6 @@ public final class Settings {
public static final String ALWAYS_ON_VPN_LOCKDOWN = "always_on_vpn_lockdown";
/**
- * Comma separated list of packages that are allowed to access the network when VPN is in
- * lockdown mode but not running.
- * @see #ALWAYS_ON_VPN_LOCKDOWN
- *
- * @hide
- */
- public static final String ALWAYS_ON_VPN_LOCKDOWN_WHITELIST =
- "always_on_vpn_lockdown_whitelist";
-
- /**
* Whether applications can be installed for this user via the system's
* {@link Intent#ACTION_INSTALL_PACKAGE} mechanism.
*