Skip adding ingress discard rule to OEM VPNu14.0

Cherry-pick of aosp/3208090 to backport VPN security fix to non-mainline U devices. OEM VPNs might need to receive packets to VPN address via non-VPN interface. Bug: 193031925 Test: TH (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df163f70fd3f456604019072b796eaeab71418ae) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:595c611192c340588278b88686e095b13e883929) Merged-In: I6c0080e8205410f4b6a389b793d56b63ebcc5e95 Change-Id: I6c0080e8205410f4b6a389b793d56b63ebcc5e95
author: Motomu Utsumi <motomuman@google.com> 2024-08-06 19:00:22 +0900
committer: Julian Veit <Claymore1298@gmail.com> 2025-01-13 08:19:18 +0100
commit: 9bbf15682def31567860841a69053d10aaa8e40d (patch)
tree: b15e1e75ec71292abf94f18667b98f1d5794c455
parent: 9de8c556245d5e02c3b6f9b3b10a234820ba1ce3 (diff)
1 files changed, 7 insertions, 5 deletions
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 52889beb7c..5024f14166 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -8984,10 +8984,10 @@ public class ConnectivityService extends IConnectivityManager.Stub
      * interfaces.
      * Ingress discard rule is added to the address iff
      *   1. The address is not a link local address
-     *   2. The address is used by a single non-Legacy VPN interface and not used by any other
-     *      interfaces even non-VPN ones
-     * Ingress discard rule is not be added to Legacy VPN since some Legacy VPNs need to receive
-     * packet to VPN address via non-VPN interface.
+     *   2. The address is used by a single interface of VPN whose VPN type is not TYPE_VPN_LEGACY
+     *      or TYPE_VPN_OEM and the address is not used by any other interfaces even non-VPN ones
+     * Ingress discard rule is not be added to TYPE_VPN_LEGACY or TYPE_VPN_OEM VPN since these VPNs
+     * might need to receive packet to VPN address via non-VPN interface.
      * This method can be called during network disconnects, when nai has already been removed from
      * mNetworkAgentInfos.
      *
@@ -9022,8 +9022,10 @@ public class ConnectivityService extends IConnectivityManager.Stub
         // for different network.
         final Set<Pair<InetAddress, String>> ingressDiscardRules = new ArraySet<>();
         for (final NetworkAgentInfo agent : nais) {
+            final int vpnType = getVpnType(agent);
             if (!agent.isVPN() || agent.isDestroyed()
-                    || getVpnType(agent) == VpnManager.TYPE_VPN_LEGACY) {
+                    || vpnType == VpnManager.TYPE_VPN_LEGACY
+                    || vpnType == VpnManager.TYPE_VPN_OEM) {
                 continue;
             }
             final LinkProperties agentLp = (nai == agent) ? lp : agent.linkProperties;
author	Motomu Utsumi <motomuman@google.com>	2024-08-06 19:00:22 +0900
committer	Julian Veit <Claymore1298@gmail.com>	2025-01-13 08:19:18 +0100
commit	9bbf15682def31567860841a69053d10aaa8e40d (patch)
tree	b15e1e75ec71292abf94f18667b98f1d5794c455
parent	9de8c556245d5e02c3b6f9b3b10a234820ba1ce3 (diff)