path: root/service/src
Commit message (Author, Age, Files, Lines)
* Add missing permission check to offerNetwork [HEAD] [t13.0] (Patrick Rohr, 2025-10-07, 1 file, -0/+5)
| The missing permission check means that an unauthorized app could have registered a network offer to intercept all NetworkRequests (by trivially guessing an existing provider ID) which would have leaked information about other apps on the system.
|
| This adds a NETWORK_FACTORY or MAINLINE_NETWORK_STACK permission check to offerNetwork per the API annotations in ConnectivityManager. Test networks can be offered when holding the MANAGE_TEST_NETWORKS permission which is consistent with similar APIs in this class.
|
| There can be no legitimate use of this API
| a) offerNetwork is @hide and only exposed via NetworkProvider, and
| b) it requires getting a provider ID by calling registerNetworkProvider which correctly enforces permissions.
|
| unofferNetwork does not currently require any permissions. Again, this is consistent with the API annotations in ConnectivityManager.
|
| Test: TH
| (cherry picked from https://android-review.googlesource.com/q/commit:ff65257bd07c791a5bfef2f54bf96ae224c03273)
| Bug: 388828859
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1917a04ae0ebf221232f9f3bf80fe329a01c6ed2)
| Merged-In: If71ce012f927a34c647d36b5eaf3723de2c01879
| Change-Id: If71ce012f927a34c647d36b5eaf3723de2c01879
* Merge tag 'android-13.0.0_r16' into t13.0 (Semavi Ulusoy, 2022-12-17, 1 file, -3/+4)
|\
| | Android 13.0.0 Release 16 (TQ1A.221205.011)
| |
| | Change-Id: I11c23ee1f0766b6c32efe2df223c9615a30752d2
| * fix clat on restricted networks (Maciej Żenczykowski, 2022-08-18, 1 file, -3/+4)
| | this is the case for example when a tethering dun is in use
| |
| | Bug: 235523181
| | Bug: 241055859
| | Change-Id: Ie261db0329179ff7f92c61202af30ab55130ae03
| | Test: TreeHugger
| | Signed-off-by: Maciej Żenczykowski <maze@google.com>
| | (cherry picked from commit ef4b1bc50f81b8d321a868c31246883ebc1f10d2)
| | Merged-In: Ie261db0329179ff7f92c61202af30ab55130ae03
* | Bypass VPN lockdown for clat initialization (t-m-w, 2022-11-04, 1 file, -5/+5)
| | This allows clat to initialize properly when VPNs are configured with "Block connections without VPN", rather than to error out with "no IPv6 addresses were available for clat".
| |
| | This issue primarily affects particular mobile networks configured with NAT64 (without direct IPv4 connectivity).
| |
| | Issue: calyxos#1288
| | Bug: 255040839
| | Change-Id: I4a8ee0295e0f5d1e330f7529856347b8bd10360c
* | Add more DNS providers [2/3] (minaripenguin37, 2022-11-03, 1 file, -0/+18)
| | Signed-off-by: minaripenguin37 <alexfinhart@gmail.com>
| | Signed-off-by: Hưng Phan <phandinhhungvp2001@gmail.com>
| | Change-Id: Id216ea3f806d2847059f6b8037865af254fd2676
* | Add AdGuard DNS as a private DNS provider (Adam Lawson, 2022-11-03, 1 file, -0/+6)
| | Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
| | Change-Id: I55a74f9b6e1a37798ee899623e3ded536e11172c
* | NetworkDiagnostics: Use Cloudflare DNS instead of Google DNS (Chirayu Desai, 2022-10-16, 1 file, -2/+2)
| | Change-Id: I1300cff1609ebe87a6bec58b65cc724920a091bc
| | (cherry picked from commit 8649aebad397dc3544348f88fac51fc8e4ac7347)
* | Add Cloudflare DNS as a private DNS provider (Chirayu Desai, 2022-10-16, 1 file, -0/+6)
| | TODO: Add tests
| |
| | Also includes:
| | commit d82a7a0585671903ba18cd1d8fab25d9275c2a25
| | Author: Oliver Scott <olivercscott@gmail.com>
| | Date: Fri Jan 29 10:57:26 2021 -0500
| |
| | Fix Cloudflare private DNS provider
| |
| | Change-Id: I5932d8d7e82621220eb119a212ccecf15e284421
| | (cherry picked from commit 24abf646a0df5e00285d1b698adec03eb897388f)
| |
| | Change-Id: I7e8a320d47e7c5ddbcb9acfaf23032ae92d5d70d
| | (cherry picked from commit 96ce93f7bf7233008591d22a0d24a6d7cd0a94ff)
* | Stop reading UIDS_ALLOWED_ON_RESTRICTED_NETWORKS setting in PermissionMonitor (Oliver Scott, 2022-09-13, 1 file, -1/+0)
|/
| The setting is a factor used to determine the network permission level that is granted to an app. Restricted networking mode defaults to granting PERMISSION_SYSTEM to UIDs that are listed in the setting. This removal avoids this.
|
| Change-Id: I1e5af36f0fc9d4828b693bbb4b888c449bac3d29
* Add 3rd deny firewall chain for OEM (Motomu Utsumi, 2022-06-07, 1 file, -0/+4)
| Bug: 208371987
| Test: atest CtsNetTestCases:android.net.cts.ConnectivityManagerTest#testFirewallBlocking ConnectivityServiceTest
| Change-Id: Ib521fa02f6a19270cb88a3d85321bda822516c78
| (cherry picked from commit 1d9054ba5fbbf86c821e0a74a5a2f9d3c9865e67)
| Merged-In: Ib521fa02f6a19270cb88a3d85321bda822516c78
* Add deny firewall chain for OEM (Motomu Utsumi, 2022-06-03, 1 file, -0/+8)
| Bug: 207773349
| Bug: 208371987
| Test: atest CtsNetTestCases:android.net.cts.ConnectivityManagerTest#testFirewallBlocking --iterations 50 && atest ConnectivityServiceTest --iterations 10
| Change-Id: I60d5540821abcced03356f366775f16ee369d7f9
| (cherry picked from commit d980149817948d11de0631caee8aee3172e4e159)
| Merged-In: I60d5540821abcced03356f366775f16ee369d7f9
* Disable PendingIntent background activity launch (chiachangwang, 2022-05-27, 1 file, -1/+9)
| Set BroadcastOptions to explicitly disallow the receiver from starting activities, to prevent apps from utilizing the PendingIntent as a backdoor to do this.
|
| Bug: 230866011
| Test: Test with PoC app to verify app is not launched
| Test: atest FrameworksNetTests
| Ignore-AOSP-First: security patch
| Change-Id: Ie795d5c40a3fa2d8f30c1d0f6530be554ececb61
* Changing automotive ethernet allowed UIDs check (James Mattis, 2022-05-19, 1 file, -1/+1)
| Updating the automotive allowed UIDs check to only work if the capabilities have a single transport equal to ethernet.
|
| CP of https://r.android.com/2101472
|
| Bug: 229419469
| Test: atest FrameworksNetTests
| Change-Id: I91e987d6b943a3c5986ab88553a6eef0d479b079
| Merged-In: I91e987d6b943a3c5986ab88553a6eef0d479b079
* Allow ethernet on automotive to set allowed UIDs (James Mattis, 2022-05-19, 2 files, -5/+12)
| Allow ethernet factories on automotive devices to set the allowed UIDs on NetworkCapabilities.
|
| CP of https://r.android.com/2072767
|
| Bug: 229419469
| Test: atest FrameworksNetTests
| Change-Id: I03e7cda75f1c530e0d0e4a756330bc9847a96668
| Merged-In: I03e7cda75f1c530e0d0e4a756330bc9847a96668
* move netd maps and progs into /sys/fs/bpf/netd_shared/... (Maciej Żenczykowski, 2022-05-19, 1 file, -1/+1)
| (out of current /sys/fs/bpf/net_shared/...)
|
| This will allow genfscon regexp changes in a followup selinux commit.
|
| Note that this has a hard dependency on system/bpf change 'bpfloader: add support for netd_shared and net_private subdirs' which also bumps bpfloader to v0.13.
|
| This was merged May 12, 2022 (into both aosp/master and tm-dev) and it is in Android T starting with Beta 3 release.
|
| This isn't really an issue since amusingly T Beta 2 is already incompatible with current mainline releases due to the snap reverting a previous required bpfloader system/bpf change: move net_shared bpf programs into net_shared subdirectory
|
| See: http://b/232050459#comment14
|
| So this doesn't break T Beta1/2, since they already don't work, and Beta3 will work.
|
| Bug: 218408035
| Test: TreeHugger
| Signed-off-by: Maciej Żenczykowski <maze@google.com>
| Change-Id: Id5f14d6e3f11cfe35d9d8a9496548a2bc4d022ec
| (cherry picked from commit 6d116d0f38196625d205e8c76a17b01b61fff246)
| Merged-In: Id5f14d6e3f11cfe35d9d8a9496548a2bc4d022ec
* Merge changes from topics ↵ (Lorenzo Colitti, 2022-05-17, 2 files, -40/+208)
|\
| | "cherrypicker-L31300000954565189:N38500001265926579", "cherrypicker-L33500000954572563:N23000001265907389", "cherrypicker-L61500000954569605:N47200001265868358" into tm-dev
| |
| | * changes:
| |   Block incoming packets in VPN Lockdown mode.
| |   Refactor VPN interface filtering necessity check
| |   Support 32 match types in UidOwnerValue rule
| * Block incoming packets in VPN Lockdown mode. (Motomu Utsumi, 2022-05-17, 2 files, -31/+186)
| | Currently, even when VPN Lockdown mode is enabled, incoming packets are not dropped if VPN is not connected. This commit fixed this issue. After this commit, if VPN Lockdown mode is enabled, incoming packets are dropped regardless of the VPN connectivity.
| |
| | Bug: 206482423
| | Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest
| | Change-Id: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
| | (cherry picked from commit b08654ca0450d021da709a762ab509a8d4f87d40)
| | Merged-In: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
| * Refactor VPN interface filtering necessity check (Motomu Utsumi, 2022-05-17, 1 file, -16/+29)
| | Bug: 206482423
| | Test: atest ConnectivityServiceTest
| | Change-Id: Iedf344f6275d4c6b23716eb11e3eecf54c6a2f9a
| | (cherry picked from commit 77a794868fd478dadb90e5e1fa71debd7257db4d)
| | Merged-In: Iedf344f6275d4c6b23716eb11e3eecf54c6a2f9a
* | Limit data usage request per uid (Junyu Lai, 2022-05-13, 1 file, -0/+1)
|/
| Currently, there is no limitation for an app to request data usage callback, which is dangerous if the app fires hundreds of thousands requests and potentially this might cause OOM if the apps don't free them.
|
| Test: atest NetworkStatsObserversTest#testRegister_limit
| Bug: 229103088
| Change-Id: I8299f46fd47a82ec9b25ba2e0d3c95db5512c331
| (cherry picked from commit f3c946278c83ab07ec18b5eb258a54865fc0993f)
| Merged-In: I8299f46fd47a82ec9b25ba2e0d3c95db5512c331
* Merge changes from topic ↵ (Paul Hu, 2022-05-12, 2 files, -63/+52)
|\
| | "cherrypicker-L53700000954454916:N44100001263878999" into tm-dev
| |
| | * changes:
| |   Check carrier privilege for CBS network requests synchronously
| |   Allow 3p apps to request restricted networks
| * Check carrier privilege for CBS network requests synchronously (junyulai, 2022-05-11, 1 file, -48/+9)
| | Normally if an app calls requestNetwork with capabilities that it does not have permission to request, it gets a SecurityException, except if it requests NET_CAPABILITY_CBS, in which case the request will not throw but the app will get an onUnavailable callback.
| |
| | Make this codepath throw as well. This simplifies the code and makes the app-visible behaviour more consistent (and consistent with what happens in S and below).
| |
| | The reason the code was written this way is because the carrier privilege app should receive a callback if it loses permission. But onUnavailable is also not the best callback to send, since it is used very rarely and also releases the app's request. It seems better to leave the request registered and send onLost.
| |
| | Test: atest FrameworksNetTests
| | Bug: 194332512
| | Change-Id: I5eaeb415a6654851246e38599a996fbd9366fde0
| | (cherry picked from commit 96bd9fe4dec806ba615691d091b2f696ecd798fe)
| | Merged-In: I5eaeb415a6654851246e38599a996fbd9366fde0
| * Allow 3p apps to request restricted networks (Paul Hu, 2022-05-11, 2 files, -16/+44)
| | Since 3p apps are allowed to use restricted networks in S, they should be allowed to request a restricted network reasonably. Otherwise, the functionalities of 3p apps will break if they rely on restricted networks. Thus, CS needs to allow 3p apps to request restricted networks if 3p apps are in the allowed list.
| |
| | Bug: 230509118
| | Test: atest FrameworksNetTests CtsNetTestCases
| | Change-Id: I236f1550095ee2be29adbc3b28d3ac2561a8b072
| | (cherry picked from commit 8fc2a55a16da30a668d026b51bcdd99ce424139a)
| | Merged-In: I236f1550095ee2be29adbc3b28d3ac2561a8b072
* | Fallback should be evaluated for each preference (Sooraj Sasindran, 2022-05-11, 2 files, -11/+21)
|/
| 1) alowFallback flag was incorrectly not reset while setting profile preference. Corrected it.
| 2) Threw exception if default preference and enterprise preference are set together
| 3) renamed clearUser to withoutUser
|
| Bug: 231670730
| Test: ConnectivityServiceTest
| Change-Id: If92ebe0cc23f18c8808893926d5e1d12ff2e3650
| Merged-In: Iaf49237bdc791c7e1dd884d069eff64e74757477
* Merge "Update VPN isolation code for excluded routes" into tm-dev (Prerana Patil, 2022-05-09, 1 file, -1/+2)
|\
| * Update VPN isolation code for excluded routes (Prerana, 2022-05-06, 1 file, -1/+2)
| | Bug: 230058738
| | Test: atest LinkPropertiesTest
| | Result: https://paste.googleplex.com/4706859672928256
| | Change-Id: I970fca6b0e2cd358e9bd77152563d13367867c74
| | (cherry picked from commit 2b97bbebf4b85e0024fc75298e760fc03516be40)
| | Merged-In: I970fca6b0e2cd358e9bd77152563d13367867c74
* | Do not remove profile network preference for different uids (Sooraj Sasindran, 2022-05-09, 2 files, -7/+27)
| | Multiple enterprise slice can be setup within single user profile based on different uids. So do not remove profile network preference with same user profile but with different uids
| |
| | Bug: 229644102
| | Test: manual system test and ConnectivityServciceTest
| | Change-Id: I897b643e01240958fff575de9e15182069efc698
| | (cherry picked from commit 9cc129f37d2ceeaafdcc5ad05402810ae035288c)
| | Merged-In: I897b643e01240958fff575de9e15182069efc698
* | Allow device owner to configure profile network preference (Sooraj Sasindran, 2022-05-04, 1 file, -5/+22)
|/
| isMangedProfile returns true for managed profiles. But enterprise device can be fully managed like device owner. Hence check specifically if request is coming on fully managed device.
|
| Bug: 226966328
| Bug: 231071836
| Test: ran DevicePolicyManager CTS and ConnectivityServiceTest
| Change-Id: I7827466bd61e24ba9c36c3a2e25043257e2ed602
| (cherry picked from commit bb65aa8fc24fe3325e0a4b5197dda3904ea2589d)
| Merged-In: I7827466bd61e24ba9c36c3a2e25043257e2ed602
* ClatCoordinator: dump BPF forwarding rules (Treehugger Robot, 2022-04-27, 4 files, -0/+97)
| This is a preparation for moving clat map dump from netd to mainline module.
|
| Test: compare dumpsys connectivity and netd
|
| $ adb shell dumpsys connectivity
| Nat464Xlat:
| ClatCoordinator:
| Forwarding rules:
| BPF ingress map: iif nat64Prefix v6Addr -> v4Addr oif
| 47 /64:ff9b::/96 /2a00:79e1:abc:6f02:4aac:17dd:b40e:8bcc -> /192.0.0.4 52
| BPF egress map: iif v4Addr -> v6Addr nat64Prefix oif
| 52 /192.0.0.4 -> /2a00:79e1:abc:6f02:4aac:17dd:b40e:8bcc /64:ff9b::/96 47 ether
|
| $ adb shell dumpsys netd
| ClatdController
| BPF ingress map: iif(iface) nat64Prefix v6Addr -> v4Addr oif(iface)
| 47(wlan0) 64:ff9b::/96 2a00:79e1:abc:6f02:4aac:17dd:b40e:8bcc -> 192.0.0.4 52(v4-wlan0)
| BPF egress map: iif(iface) v4Addr -> v6Addr nat64Prefix oif(iface)
| 52(v4-wlan0) 192.0.0.4 -> 2a00:79e1:abc:6f02:4aac:17dd:b40e:8bcc 64:ff9b::/96 47(wlan0) ether
|
| Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2017317
| Merged-In: I597709663477b62005b0bc5cc1bf0fc22743e10b
| Change-Id: I597709663477b62005b0bc5cc1bf0fc22743e10b
| Signed-off-by: Nucca Chen <nuccachen@google.com>
| (cherry picked from commit 8be50a6d905d1d6810c0c148ba50f8bef614cde9)
* adjust for new T bpfloader net_shared location am: 0736d7bd91 am: 96706b661f (Maciej Żenczykowski, 2022-04-23, 4 files, -8/+9)
|\
| | Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2071008
| | Change-Id: Iba57cbfe6f3c41fc7c396098f0caa662d68b1e0e
| | Ignore-AOSP-First: this is an automerge
| | Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| * adjust for new T bpfloader net_shared location (Maciej Żenczykowski, 2022-04-23, 4 files, -8/+9)
| | (this is safe because on pre-T none of these maps and programs are mainlined and thus safe to access from mainline code anyway)
| |
| | Test: TreeHugger, manual
| | Bug: 218408035
| | Signed-off-by: Maciej Żenczykowski <maze@google.com>
| | Change-Id: I23e565d665247f33e084978890a1ee8ffe0fe568
* | Merge "Add a method to create a TAP interface with a given interface name." ↵ (Xiao Ma, 2022-04-22, 1 file, -7/+22)
|\|
| | am: 7d7e7cd1fe am: 3c78a24a9a
| |
| | Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2059333
| | Change-Id: I02068707effdb1f3308c4b1997c0ece8bdb21f28
| | Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| * Merge "Add a method to create a TAP interface with a given interface name." (Xiao Ma, 2022-04-22, 1 file, -7/+22)
| |\
| | * Add a method to create a TAP interface with a given interface name. (Xiao Ma, 2022-04-21, 1 file, -7/+22)
| | | Add a method that allows the caller to specify whether to create a tap interface with a given specific interface name instead of the default one. So far only the given name that starts with "v4-testtap" or "v4-testtun" prefix is allowed. That's helpful to create a clat interface which always has "v4-" clat prefix in the IpClient integration test, to verify the callbacks happened on adding/removing clat interface.
| | |
| | | Bug: 163492391
| | | Test: atest CtsNetTestCases
| | | Change-Id: I9ea7013fce919cafb719998a123164b5507f9ac0
* | | Merge "Remove UserId from UID when checking against BLUETOOTH_UID" am: ↵ (Lorenzo Colitti, 2022-04-22, 1 file, -4/+4)
|\| |
| | | 64ac247056 am: e2a68b9829
| | |
| | | Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2065564
| | | Change-Id: Ic7542b64306a1a944877a1b381c4984d2dfd1296
| | | Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| * | Merge "Remove UserId from UID when checking against BLUETOOTH_UID" (Lorenzo Colitti, 2022-04-22, 1 file, -4/+4)
| |\ \
| | * | Remove UserId from UID when checking against BLUETOOTH_UID (Andrew Cheng, 2022-04-20, 1 file, -4/+4)
| | | | A UID can be a concatenation of a UserID with a 5 digit package UID. E.g., Bluetooth under User10 would have UID 1001002. This CL removes the UserID (if any), before checking against BLUETOOTH_UID.
| | | |
| | | | Bug: 228598338
| | | | Test: m
| | | | Change-Id: I532583345cc9ab474fc848a3ede6be9d8be9c5b0
* | | | Merge "[CLATJ#27] Use ClatdCoordinator since T+ devices" am: b4bf6cea38 am: ↵ (Maciej Żenczykowski, 2022-04-21, 3 files, -9/+47)
|\| | |
| | | | 8d75a93995
| | | |
| | | | Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/1951099
| | | | Change-Id: I3878e5359349d8195e8741ea69ae437edab68909
| | | | Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| * | | Merge "[CLATJ#27] Use ClatdCoordinator since T+ devices" (Maciej Żenczykowski, 2022-04-21, 3 files, -9/+47)
| |\ \ \
| | * | | [CLATJ#27] Use ClatdCoordinator since T+ devices (Hungming Chen, 2022-04-21, 3 files, -9/+47)
| | | | | - For clatd start and stop, use ClatdCoordinator on T+ and Netd on S-
| | | | | - Fix the unit test for T+ and S- devices
| | | | |
| | | | | Note that mokito.verify(.., times(1)) is replaced by verify(..) because times(1) is the default and can be omitted. See verify in mockito/src/main/java/org/mockito/Mockito.java
| | | | |
| | | | | Note that this commit needs to be merged with aosp/1956072.
| | | | |
| | | | | Bug: 212345928
| | | | | Test: atest FrameworksNetTests
| | | | | manual test
| | | | | 1. Connect to ipv6-only wifi.
| | | | | 2. Try IPv4 traffic.
| | | | | $ ping 8.8.8.8
| | | | | 3. Check bpf entries are added
| | | | | 4. Disconnect from ipv6-only wifi.
| | | | | 5. Check bpf entries are removed
| | | | | 6. testipv4.com shows 10/10
| | | | |
| | | | | Change-Id: I7dfda6eec19de94e4258971effcd8a1210542473
* | | | | Merge "Update some descriptions and refine code" am: db9f10c8cc am: 0beef85fd0 (Paul Hu, 2022-04-21, 1 file, -14/+16)
|\| | | |
| | | | | Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2063711
| | | | | Change-Id: I41d6996752febb5c3a1ebf9563773b84814e0d3e
| | | | | Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| * | | | Merge "Update some descriptions and refine code" (Paul Hu, 2022-04-21, 1 file, -14/+16)
| |\ \ \ \
| | |/ / /
| |/| | |
| | * | | Update some descriptions and refine code (Paul Hu, 2022-04-21, 1 file, -14/+16)
| | | | | Address aosp/2052545 leftover comments:
| | | | | - Log a wtf when the received user is unknown.
| | | | | - Move the code to where it's used.
| | | | | - PermissionMonitor is using BpfNetMaps for sending traffic permission. So it’s useless to do the netd null check before sending permission. Thus, remove this redundant check.
| | | | |
| | | | | bug: 224775316
| | | | | Test: atest FrameworksNetTests
| | | | | Change-Id: I5c1291b6b855747d7900372b800dd039dd0730fe
* | | | | Merge "Improve dumpsys logs for NetworkProvider and NetworkOffer" am: ↵ (Junyu Lai, 2022-04-20, 2 files, -4/+19)
|\| | | |
| | | | | 58f5b1a89e am: 7bc11250bd
| | | | |
| | | | | Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2067234
| | | | | Change-Id: I4cc65e510fcc39ae4e9da0c6821b0ac5f8a97195
| | | | | Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| * | | | Improve dumpsys logs for NetworkProvider and NetworkOffer (Junyu Lai, 2022-04-20, 2 files, -4/+19)
| | |/ /
| |/| |
| | | | It will look like below:
| | | |
| | | | NetworkProviders for:
| | | | 2: WIFI_AWARE_FACTORY
| | | | 1: Ethernet
| | | | Network Offers:
| | | | NetworkOffer [ Provider Id (1) Score(...) Caps [...] Needed by [1, 2, 3]]
| | | | NetworkOffer [ Provider Id (2) Score(...) Caps [...] Needed by [4, 5, 6]]
| | | |
| | | | Test: manual
| | | | Bug: 227408533
| | | | Change-Id: I84cb03757877d7127d39c359010c8092a8ca87d9
* / | | Fix permission bypass problem for Tethering deprecated APIs (markchien, 2022-04-19, 1 file, -0/+6)
|/ / /
| | | Since the tethering functions in ConnectivityService are delegated to TetheringManager instance and get cached information in TetheringManager without checking ACCESS_NETWORK_STATE permission. If application use reflection call getTetherXXX functions in ConnectivityService, it can get tethering status with no additional execution privileges needed.
| | |
| | | Bug: 162952629
| | | Test: manual
| | | Ignore-AOSP-First: security fix
| | | Change-Id: I5b897f216db19fead6ba6ac07915aa0f6ff5bf42
* | | Merge "Add IPv6 Handling for DSCP Policies and Support Interfaces with MAC ↵ (Lorenzo Colitti, 2022-04-16, 3 files, -62/+138)
|\ \ \
| | | | Addresses"
| * | | Add IPv6 Handling for DSCP Policies and Support Interfaces with MAC Addresses (Tyler Wear, 2022-04-15, 3 files, -62/+138)
| |/ /
| | | Add bpf functionality to handle IPv6 packets and apply DSCP value. Also support DSCP policy rules on multiple interfaces simultaneously.
| | |
| | | Test: atest DscpPolicyTest
| | | Bug: 217166486
| | | Change-Id: I452a87355fd0382a4c38b84aa3465505951d9bf0
* | | Merge changes from topic "vpn-api-fixes" (Lucas Lin, 2022-04-13, 1 file, -0/+1)
|\ \ \
| |/ /
|/| |
| | | * changes:
| | |   Test getProvisionedVpnProfileState
| | |   Make test networks not be VPNs
| * | Make test networks not be VPNs (Lorenzo Colitti, 2022-04-13, 1 file, -0/+1)
| | | Make this change for below reasons:
| | | - This API is intended to be used for testing.
| | | - This change is correct because almost all the tests that use this API are not doing so to create VPNs.
| | | - It makes it easier to write tests for IKEv2 VPNs because without this change, a VPN that is restricted to test networks would pick itself as the underlying network (since it does not have NET_CAPABILITY_NOT_VPN).
| | |
| | | Test: treehugger
| | | Change-Id: I91582f398e426c0efb2dec28943df5f572e1c8da
* | | Merge "Save appIds permissions for each user" (Natasha Lee, 2022-04-12, 1 file, -16/+111)
|\ \ \
| |_|/
|/| |