
Example 21 with VpnConfig

use of com.android.internal.net.VpnConfig in project android_frameworks_base by DirtyUnicorns.

Class ConnectivityService, method factoryReset.

/**
 * Resets the networking state touched by a "reset network settings" action for the
 * calling user: airplane mode off, all tethered interfaces torn down, the always-on
 * VPN package cleared and any running VPN disconnected and de-authorized, and the
 * NETWORK_AVOID_BAD_WIFI global setting cleared.
 *
 * <p>Requires the caller to hold the connectivity-internal permission. Each stage is
 * independently gated by a user restriction: DISALLOW_NETWORK_RESET makes the whole
 * call a no-op, DISALLOW_CONFIG_TETHERING skips the tethering stage and
 * DISALLOW_CONFIG_VPN skips the VPN stage.
 */
@Override
public void factoryReset() {
    enforceConnectivityInternalPermission();
    // Checked on the user this service's UserManager is bound to, before anything changes.
    if (mUserManager.hasUserRestriction(UserManager.DISALLOW_NETWORK_RESET)) {
        return;
    }
    final int callingUser = UserHandle.getCallingUserId();

    setAirplaneMode(false);

    // Tethering: tear down every tethered interface unless the user may not configure it.
    final boolean tetheringAllowed =
            !mUserManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_TETHERING);
    if (tetheringAllowed) {
        for (String iface : getTetheredIfaces()) {
            untether(iface);
        }
    }

    // VPN: drop the always-on package first, then whatever VPN is currently running.
    final boolean vpnAllowed =
            !mUserManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN);
    if (vpnAllowed) {
        synchronized (mVpns) {
            final String alwaysOn = getAlwaysOnVpnPackage(callingUser);
            if (alwaysOn != null) {
                setAlwaysOnVpnPackage(callingUser, null, false);
                // De-authorizing means the package needs fresh user consent to come back.
                setVpnPackageAuthorization(alwaysOn, callingUser, false);
            }
        }
        final VpnConfig running = getVpnConfig(callingUser);
        if (running == null) {
            // Nothing to disconnect.
        } else if (running.legacy) {
            prepareVpn(VpnConfig.LEGACY_VPN, VpnConfig.LEGACY_VPN, callingUser);
        } else {
            // For a third-party VPN, config.user is its package name: revoke its
            // authorization so it cannot silently reconnect, then prepare away from it.
            setVpnPackageAuthorization(running.user, callingUser, false);
            prepareVpn(null, VpnConfig.LEGACY_VPN, callingUser);
        }
    }

    Settings.Global.putString(mContext.getContentResolver(), Settings.Global.NETWORK_AVOID_BAD_WIFI, null);
}
Also used : VpnConfig(com.android.internal.net.VpnConfig) NetworkPolicyManager.uidRulesToString(android.net.NetworkPolicyManager.uidRulesToString)

Example 22 with VpnConfig

use of com.android.internal.net.VpnConfig in project android_frameworks_base by AOSPA.

Class Vpn, method establish.

/**
     * Establish a VPN network and return the file descriptor of the VPN
     * interface. This methods returns {@code null} if the application is
     * revoked or not prepared.
     *
     * <p>Checks performed before any VPN state is touched, in order: the Binder
     * caller must be the prepared UID ({@code mOwnerUID}); the user's consent for
     * {@code mPackage} must still stand; the user must not be a restricted
     * profile; and {@code config.user} must resolve to a service inside
     * {@code mPackage} that is protected by {@code BIND_VPN_SERVICE}. The first
     * two failures return {@code null}; the others throw.
     *
     * <p>The previous tunnel (if any) is torn down only after the new one is up,
     * and on any runtime failure the previous {@code mConfig}, {@code mInterface},
     * {@code mConnection}, {@code mVpnUsers} and {@code mNetworkAgent} are
     * restored before the exception propagates.
     *
     * @param config The parameters to configure the network. {@code config.user}
     *               arrives as the caller's service class name and is replaced
     *               with {@code mPackage} once the service has been validated.
     * @return The file descriptor of the VPN interface, or {@code null} if the
     *         caller is not the prepared UID or consent has been revoked.
     * @throws SecurityException if the user is restricted, the service cannot be
     *         resolved (including package-manager RemoteException), or the service
     *         does not require {@code BIND_VPN_SERVICE}.
     * @throws IllegalArgumentException if no address could be set on the tun.
     * @throws IllegalStateException if the service cannot be bound or the fd's
     *         blocking mode cannot be set.
     */
public synchronized ParcelFileDescriptor establish(VpnConfig config) {
    // Check if the caller is already prepared.
    UserManager mgr = UserManager.get(mContext);
    // Only the UID that was prepared may establish; anyone else gets null rather
    // than an exception.
    if (Binder.getCallingUid() != mOwnerUID) {
        return null;
    }
    // Check to ensure consent hasn't been revoked since we were prepared.
    if (!isVpnUserPreConsented(mPackage)) {
        return null;
    }
    // Check if the service is properly declared.
    // config.user is caller-supplied at this point; it is used only as a class
    // name inside the prepared package, so it cannot select another package.
    Intent intent = new Intent(VpnConfig.SERVICE_INTERFACE);
    intent.setClassName(mPackage, config.user);
    // The caller's identity is dropped for the lookups below and restored in finally.
    long token = Binder.clearCallingIdentity();
    try {
        // Restricted users are not allowed to create VPNs, they are tied to Owner
        UserInfo user = mgr.getUserInfo(mUserHandle);
        if (user.isRestricted()) {
            throw new SecurityException("Restricted users cannot establish VPNs");
        }
        ResolveInfo info = AppGlobals.getPackageManager().resolveService(intent, null, 0, mUserHandle);
        if (info == null) {
            throw new SecurityException("Cannot find " + config.user);
        }
        // The service must itself demand BIND_VPN_SERVICE; the permission is what
        // is meant to keep binding to the VPN service system-only.
        if (!BIND_VPN_SERVICE.equals(info.serviceInfo.permission)) {
            throw new SecurityException(config.user + " does not require " + BIND_VPN_SERVICE);
        }
    } catch (RemoteException e) {
        // An unreachable package manager is reported like a missing service.
        throw new SecurityException("Cannot find " + config.user);
    } finally {
        Binder.restoreCallingIdentity(token);
    }
    // Save the old config in case we need to go back.
    VpnConfig oldConfig = mConfig;
    String oldInterface = mInterface;
    Connection oldConnection = mConnection;
    NetworkAgent oldNetworkAgent = mNetworkAgent;
    mNetworkAgent = null;
    Set<UidRange> oldUsers = mVpnUsers;
    // Configure the interface. Abort if any of these steps fails.
    // adoptFd takes ownership of the raw fd so the catch block below can close it.
    ParcelFileDescriptor tun = ParcelFileDescriptor.adoptFd(jniCreate(config.mtu));
    try {
        updateState(DetailedState.CONNECTING, "establish");
        String interfaze = jniGetName(tun.getFd());
        // TEMP use the old jni calls until there is support for netd address setting
        StringBuilder builder = new StringBuilder();
        for (LinkAddress address : config.addresses) {
            builder.append(" " + address);
        }
        if (jniSetAddresses(interfaze, builder.toString()) < 1) {
            throw new IllegalArgumentException("At least one address must be specified");
        }
        Connection connection = new Connection();
        if (!mContext.bindServiceAsUser(intent, connection, Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE, new UserHandle(mUserHandle))) {
            throw new IllegalStateException("Cannot bind " + config.user);
        }
        mConnection = connection;
        mInterface = interfaze;
        // Fill more values.
        // From here on config.user is the verified package name, not the
        // caller-supplied class name; that is what the stored config and the
        // log line below expose.
        config.user = mPackage;
        config.interfaze = mInterface;
        config.startTime = SystemClock.elapsedRealtime();
        mConfig = config;
        // Set up forwarding and DNS rules.
        agentConnect();
        if (oldConnection != null) {
            mContext.unbindService(oldConnection);
        }
        // Remove the old tun's user forwarding rules
        // The new tun's user rules have already been added so they will take over
        // as rules are deleted. This prevents data leakage as the rules are moved over.
        agentDisconnect(oldNetworkAgent);
        if (oldInterface != null && !oldInterface.equals(interfaze)) {
            jniReset(oldInterface);
        }
        try {
            IoUtils.setBlocking(tun.getFileDescriptor(), config.blocking);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot set tunnel's fd as blocking=" + config.blocking, e);
        }
    } catch (RuntimeException e) {
        IoUtils.closeQuietly(tun);
        agentDisconnect();
        // restore old state
        // NOTE(review): this rollback never unbinds the new 'connection' once
        // bindServiceAsUser has succeeded, and if the failure happens after
        // unbindService(oldConnection) above (e.g. in setBlocking) mConnection is
        // restored to a connection that has already been unbound. Confirm that
        // callers tolerate this partially-rolled-back state.
        mConfig = oldConfig;
        mConnection = oldConnection;
        mVpnUsers = oldUsers;
        mNetworkAgent = oldNetworkAgent;
        mInterface = oldInterface;
        throw e;
    }
    Log.i(TAG, "Established by " + config.user + " on " + mInterface);
    return tun;
}
Also used : LinkAddress(android.net.LinkAddress) NetworkAgent(android.net.NetworkAgent) VpnConfig(com.android.internal.net.VpnConfig) UidRange(android.net.UidRange) ServiceConnection(android.content.ServiceConnection) PendingIntent(android.app.PendingIntent) Intent(android.content.Intent) UserInfo(android.content.pm.UserInfo) IOException(java.io.IOException) ResolveInfo(android.content.pm.ResolveInfo) UserManager(android.os.UserManager) UserHandle(android.os.UserHandle) ParcelFileDescriptor(android.os.ParcelFileDescriptor) RemoteException(android.os.RemoteException)

Example 23 with VpnConfig

use of com.android.internal.net.VpnConfig in project android_frameworks_base by AOSPA.

Class Vpn, method startLegacyVpnPrivileged.

/**
     * Like {@link #startLegacyVpn(VpnProfile, KeyStore, LinkProperties)}, but does not check
     * permissions under the assumption that the caller is the system.
     *
     * Callers are responsible for checking permissions if needed.
     *
     * <p>What this method still enforces on its own: the target user must not be a
     * restricted profile and must not carry {@code DISALLOW_CONFIG_VPN}. It then
     * takes the gateway and interface of the egress IPv4 default route, loads the
     * certificates named by the profile from {@code keyStore}, builds the argument
     * vectors for racoon and mtpd according to {@code profile.type}, and hands a
     * legacy {@link VpnConfig} plus both vectors to {@code startLegacyVpn}.
     *
     * @param profile  the legacy VPN profile. Its secrets ({@code ipsecSecret},
     *                 {@code password}, {@code l2tpSecret}) are copied verbatim into
     *                 the daemon argument arrays built below.
     * @param keyStore source of the user/CA/server certificates named by the profile.
     * @param egress   link properties of the underlying network; only its IPv4
     *                 default route (gateway and interface) is used.
     * @throws SecurityException if the user is restricted or barred from configuring VPNs.
     * @throws IllegalStateException if a certificate named by the profile is not in the keystore.
     */
public void startLegacyVpnPrivileged(VpnProfile profile, KeyStore keyStore, LinkProperties egress) {
    UserManager mgr = UserManager.get(mContext);
    UserInfo user = mgr.getUserInfo(mUserHandle);
    // Both the profile-level restriction and the DISALLOW_CONFIG_VPN policy are
    // enforced here even though caller permissions are not.
    if (user.isRestricted() || mgr.hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN, new UserHandle(mUserHandle))) {
        throw new SecurityException("Restricted users cannot establish VPNs");
    }
    // NOTE(review): the default route is dereferenced without a null check; whether
    // findIPv4DefaultRoute can return null (or throws on its own) is not visible here.
    final RouteInfo ipv4DefaultRoute = findIPv4DefaultRoute(egress);
    final String gateway = ipv4DefaultRoute.getGateway().getHostAddress();
    final String iface = ipv4DefaultRoute.getInterface();
    // Load certificates.
    // privateKey is a keystore name (prefix + cert name), not key material, and is
    // never null; the null test below therefore only catches a certificate that is
    // missing from the keystore.
    String privateKey = "";
    String userCert = "";
    String caCert = "";
    String serverCert = "";
    if (!profile.ipsecUserCert.isEmpty()) {
        privateKey = Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert;
        byte[] value = keyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecUserCert);
        userCert = (value == null) ? null : new String(value, StandardCharsets.UTF_8);
    }
    if (!profile.ipsecCaCert.isEmpty()) {
        byte[] value = keyStore.get(Credentials.CA_CERTIFICATE + profile.ipsecCaCert);
        caCert = (value == null) ? null : new String(value, StandardCharsets.UTF_8);
    }
    if (!profile.ipsecServerCert.isEmpty()) {
        // The server certificate is looked up under the USER_CERTIFICATE prefix as well.
        byte[] value = keyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecServerCert);
        serverCert = (value == null) ? null : new String(value, StandardCharsets.UTF_8);
    }
    if (privateKey == null || userCert == null || caCert == null || serverCert == null) {
        throw new IllegalStateException("Cannot load credentials");
    }
    // Prepare arguments for racoon.
    // Element order is what the daemon expects — do not reorder. These vectors carry
    // plaintext secrets (ipsecSecret, password); never log them.
    String[] racoon = null;
    switch(profile.type) {
        case VpnProfile.TYPE_L2TP_IPSEC_PSK:
            racoon = new String[] { iface, profile.server, "udppsk", profile.ipsecIdentifier, profile.ipsecSecret, "1701" };
            break;
        case VpnProfile.TYPE_L2TP_IPSEC_RSA:
            racoon = new String[] { iface, profile.server, "udprsa", privateKey, userCert, caCert, serverCert, "1701" };
            break;
        case VpnProfile.TYPE_IPSEC_XAUTH_PSK:
            racoon = new String[] { iface, profile.server, "xauthpsk", profile.ipsecIdentifier, profile.ipsecSecret, profile.username, profile.password, "", gateway };
            break;
        case VpnProfile.TYPE_IPSEC_XAUTH_RSA:
            racoon = new String[] { iface, profile.server, "xauthrsa", privateKey, userCert, caCert, serverCert, profile.username, profile.password, "", gateway };
            break;
        case VpnProfile.TYPE_IPSEC_HYBRID_RSA:
            racoon = new String[] { iface, profile.server, "hybridrsa", caCert, serverCert, profile.username, profile.password, "", gateway };
            break;
    }
    // Prepare arguments for mtpd.
    // Same rules as above: fixed order, contains password/l2tpSecret in the clear.
    String[] mtpd = null;
    switch(profile.type) {
        case VpnProfile.TYPE_PPTP:
            // NOTE(review): PPTP is widely regarded as cryptographically weak even with
            // MPPE, and "nomppe" presumably leaves the tunnel unencrypted; this path
            // exists for legacy profiles only.
            mtpd = new String[] { iface, "pptp", profile.server, "1723", "name", profile.username, "password", profile.password, "linkname", "vpn", "refuse-eap", "nodefaultroute", "usepeerdns", "idle", "1800", "mtu", "1400", "mru", "1400", (profile.mppe ? "+mppe" : "nomppe") };
            break;
        case VpnProfile.TYPE_L2TP_IPSEC_PSK:
        case VpnProfile.TYPE_L2TP_IPSEC_RSA:
            mtpd = new String[] { iface, "l2tp", profile.server, "1701", profile.l2tpSecret, "name", profile.username, "password", profile.password, "linkname", "vpn", "refuse-eap", "nodefaultroute", "usepeerdns", "idle", "1800", "mtu", "1400", "mru", "1400" };
            break;
    }
    // A profile.type matched by neither switch leaves racoon and/or mtpd null; how
    // startLegacyVpn treats that is not visible here.
    VpnConfig config = new VpnConfig();
    config.legacy = true;
    // For legacy VPNs 'user' carries the profile key rather than a package name.
    config.user = profile.key;
    config.interfaze = iface;
    config.session = profile.name;
    config.addLegacyRoutes(profile.routes);
    if (!profile.dnsServers.isEmpty()) {
        config.dnsServers = Arrays.asList(profile.dnsServers.split(" +"));
    }
    if (!profile.searchDomains.isEmpty()) {
        config.searchDomains = Arrays.asList(profile.searchDomains.split(" +"));
    }
    startLegacyVpn(config, racoon, mtpd);
}
Also used : VpnConfig(com.android.internal.net.VpnConfig) UserManager(android.os.UserManager) UserHandle(android.os.UserHandle) UserInfo(android.content.pm.UserInfo) RouteInfo(android.net.RouteInfo)

Example 24 with VpnConfig

use of com.android.internal.net.VpnConfig in project android_frameworks_base by AOSPA.

Class SecurityControllerImpl, method updateState.

/**
 * Recomputes {@link #mCurrentVpns}: one entry per user that currently has a VPN
 * worth reporting. A third-party VPN config counts as soon as it exists; a legacy
 * config counts only while the legacy VPN reports STATE_CONNECTED. If the
 * connectivity service cannot be reached, the previous map is left untouched.
 */
private void updateState() {
    final SparseArray<VpnConfig> active = new SparseArray<>();
    try {
        for (UserInfo user : mUserManager.getUsers()) {
            final VpnConfig cfg = mConnectivityManagerService.getVpnConfig(user.id);
            boolean counts = (cfg != null);
            if (counts && cfg.legacy) {
                // A disconnected legacy VPN carries no traffic and is not reported;
                // a third-party VPN app can still receive traffic, so it is reported regardless.
                final LegacyVpnInfo legacy = mConnectivityManagerService.getLegacyVpnInfo(user.id);
                counts = legacy != null && legacy.state == LegacyVpnInfo.STATE_CONNECTED;
            }
            if (counts) {
                active.put(user.id, cfg);
            }
        }
    } catch (RemoteException rme) {
        // Bail out before assigning so the last known state stays visible.
        Log.e(TAG, "Unable to list active VPNs", rme);
        return;
    }
    mCurrentVpns = active;
}
Also used : SparseArray(android.util.SparseArray) VpnConfig(com.android.internal.net.VpnConfig) LegacyVpnInfo(com.android.internal.net.LegacyVpnInfo) UserInfo(android.content.pm.UserInfo) RemoteException(android.os.RemoteException)

Example 25 with VpnConfig

use of com.android.internal.net.VpnConfig in project android_frameworks_base by ResurrectionRemix.

Class Vpn, method establish.

/**
     * Establish a VPN network and return the file descriptor of the VPN
     * interface. This methods returns {@code null} if the application is
     * revoked or not prepared.
     *
     * <p>Checks performed before any VPN state is touched, in order: the Binder
     * caller must be the prepared UID ({@code mOwnerUID}); the user's consent for
     * {@code mPackage} must still stand; the user must not be a restricted
     * profile; and {@code config.user} must resolve to a service inside
     * {@code mPackage} that is protected by {@code BIND_VPN_SERVICE}. The first
     * two failures return {@code null}; the others throw.
     *
     * <p>The previous tunnel (if any) is torn down only after the new one is up,
     * and on any runtime failure the previous {@code mConfig}, {@code mInterface},
     * {@code mConnection}, {@code mVpnUsers} and {@code mNetworkAgent} are
     * restored before the exception propagates.
     *
     * @param config The parameters to configure the network. {@code config.user}
     *               arrives as the caller's service class name and is replaced
     *               with {@code mPackage} once the service has been validated.
     * @return The file descriptor of the VPN interface, or {@code null} if the
     *         caller is not the prepared UID or consent has been revoked.
     * @throws SecurityException if the user is restricted, the service cannot be
     *         resolved (including package-manager RemoteException), or the service
     *         does not require {@code BIND_VPN_SERVICE}.
     * @throws IllegalArgumentException if no address could be set on the tun.
     * @throws IllegalStateException if the service cannot be bound or the fd's
     *         blocking mode cannot be set.
     */
public synchronized ParcelFileDescriptor establish(VpnConfig config) {
    // Check if the caller is already prepared.
    UserManager mgr = UserManager.get(mContext);
    // Only the UID that was prepared may establish; anyone else gets null rather
    // than an exception.
    if (Binder.getCallingUid() != mOwnerUID) {
        return null;
    }
    // Check to ensure consent hasn't been revoked since we were prepared.
    if (!isVpnUserPreConsented(mPackage)) {
        return null;
    }
    // Check if the service is properly declared.
    // config.user is caller-supplied at this point; it is used only as a class
    // name inside the prepared package, so it cannot select another package.
    Intent intent = new Intent(VpnConfig.SERVICE_INTERFACE);
    intent.setClassName(mPackage, config.user);
    // The caller's identity is dropped for the lookups below and restored in finally.
    long token = Binder.clearCallingIdentity();
    try {
        // Restricted users are not allowed to create VPNs, they are tied to Owner
        UserInfo user = mgr.getUserInfo(mUserHandle);
        if (user.isRestricted()) {
            throw new SecurityException("Restricted users cannot establish VPNs");
        }
        ResolveInfo info = AppGlobals.getPackageManager().resolveService(intent, null, 0, mUserHandle);
        if (info == null) {
            throw new SecurityException("Cannot find " + config.user);
        }
        // The service must itself demand BIND_VPN_SERVICE; the permission is what
        // is meant to keep binding to the VPN service system-only.
        if (!BIND_VPN_SERVICE.equals(info.serviceInfo.permission)) {
            throw new SecurityException(config.user + " does not require " + BIND_VPN_SERVICE);
        }
    } catch (RemoteException e) {
        // An unreachable package manager is reported like a missing service.
        throw new SecurityException("Cannot find " + config.user);
    } finally {
        Binder.restoreCallingIdentity(token);
    }
    // Save the old config in case we need to go back.
    VpnConfig oldConfig = mConfig;
    String oldInterface = mInterface;
    Connection oldConnection = mConnection;
    NetworkAgent oldNetworkAgent = mNetworkAgent;
    mNetworkAgent = null;
    Set<UidRange> oldUsers = mVpnUsers;
    // Configure the interface. Abort if any of these steps fails.
    // adoptFd takes ownership of the raw fd so the catch block below can close it.
    ParcelFileDescriptor tun = ParcelFileDescriptor.adoptFd(jniCreate(config.mtu));
    try {
        updateState(DetailedState.CONNECTING, "establish");
        String interfaze = jniGetName(tun.getFd());
        // TEMP use the old jni calls until there is support for netd address setting
        StringBuilder builder = new StringBuilder();
        for (LinkAddress address : config.addresses) {
            builder.append(" " + address);
        }
        if (jniSetAddresses(interfaze, builder.toString()) < 1) {
            throw new IllegalArgumentException("At least one address must be specified");
        }
        Connection connection = new Connection();
        if (!mContext.bindServiceAsUser(intent, connection, Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE, new UserHandle(mUserHandle))) {
            throw new IllegalStateException("Cannot bind " + config.user);
        }
        mConnection = connection;
        mInterface = interfaze;
        // Fill more values.
        // From here on config.user is the verified package name, not the
        // caller-supplied class name; that is what the stored config and the
        // log line below expose.
        config.user = mPackage;
        config.interfaze = mInterface;
        config.startTime = SystemClock.elapsedRealtime();
        mConfig = config;
        // Set up forwarding and DNS rules.
        agentConnect();
        if (oldConnection != null) {
            mContext.unbindService(oldConnection);
        }
        // Remove the old tun's user forwarding rules
        // The new tun's user rules have already been added so they will take over
        // as rules are deleted. This prevents data leakage as the rules are moved over.
        agentDisconnect(oldNetworkAgent);
        if (oldInterface != null && !oldInterface.equals(interfaze)) {
            jniReset(oldInterface);
        }
        try {
            IoUtils.setBlocking(tun.getFileDescriptor(), config.blocking);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot set tunnel's fd as blocking=" + config.blocking, e);
        }
    } catch (RuntimeException e) {
        IoUtils.closeQuietly(tun);
        agentDisconnect();
        // restore old state
        // NOTE(review): this rollback never unbinds the new 'connection' once
        // bindServiceAsUser has succeeded, and if the failure happens after
        // unbindService(oldConnection) above (e.g. in setBlocking) mConnection is
        // restored to a connection that has already been unbound. Confirm that
        // callers tolerate this partially-rolled-back state.
        mConfig = oldConfig;
        mConnection = oldConnection;
        mVpnUsers = oldUsers;
        mNetworkAgent = oldNetworkAgent;
        mInterface = oldInterface;
        throw e;
    }
    Log.i(TAG, "Established by " + config.user + " on " + mInterface);
    return tun;
}
Also used : LinkAddress(android.net.LinkAddress) NetworkAgent(android.net.NetworkAgent) VpnConfig(com.android.internal.net.VpnConfig) UidRange(android.net.UidRange) ServiceConnection(android.content.ServiceConnection) PendingIntent(android.app.PendingIntent) Intent(android.content.Intent) UserInfo(android.content.pm.UserInfo) IOException(java.io.IOException) ResolveInfo(android.content.pm.ResolveInfo) UserManager(android.os.UserManager) UserHandle(android.os.UserHandle) ParcelFileDescriptor(android.os.ParcelFileDescriptor) RemoteException(android.os.RemoteException)

Aggregations

VpnConfig (com.android.internal.net.VpnConfig)32 RemoteException (android.os.RemoteException)16 UserInfo (android.content.pm.UserInfo)15 LinkAddress (android.net.LinkAddress)10 UserHandle (android.os.UserHandle)10 UserManager (android.os.UserManager)10 LinkProperties (android.net.LinkProperties)6 NetworkInfo (android.net.NetworkInfo)6 PendingIntent (android.app.PendingIntent)5 Intent (android.content.Intent)5 ServiceConnection (android.content.ServiceConnection)5 ResolveInfo (android.content.pm.ResolveInfo)5 NetworkAgent (android.net.NetworkAgent)5 NetworkPolicyManager.uidRulesToString (android.net.NetworkPolicyManager.uidRulesToString)5 RouteInfo (android.net.RouteInfo)5 UidRange (android.net.UidRange)5 ParcelFileDescriptor (android.os.ParcelFileDescriptor)5 SparseArray (android.util.SparseArray)5 LegacyVpnInfo (com.android.internal.net.LegacyVpnInfo)5 IOException (java.io.IOException)5