Example 6 with UidRange
use of android.net.UidRange in project android_frameworks_base by DirtyUnicorns.
the class VpnTest method testUidWhiteAndBlacklist.
@SmallTest
public void testUidWhiteAndBlacklist() throws Exception {
final Vpn vpn = new MockVpn(primaryUser.id);
final UidRange user = UidRange.createForUser(primaryUser.id);
final String[] packages = { PKGS[0], PKGS[1], PKGS[2] };
// Whitelist
final Set<UidRange> allow = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id, Arrays.asList(packages), null);
assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] { new UidRange(user.start + PKG_UIDS[0], user.start + PKG_UIDS[0]), new UidRange(user.start + PKG_UIDS[1], user.start + PKG_UIDS[2]) })), allow);
// Blacklist
final Set<UidRange> disallow = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id, null, Arrays.asList(packages));
assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] { new UidRange(user.start, user.start + PKG_UIDS[0] - 1), new UidRange(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[1] - 1), /* Empty range between UIDS[1] and UIDS[2], should be excluded, */
new UidRange(user.start + PKG_UIDS[2] + 1, user.stop) })), disallow);
}Example 7 with UidRange
use of android.net.UidRange in project android_frameworks_base by DirtyUnicorns.
the class Vpn method uidRangesForUser.
// Returns the subset of the full list of active UID ranges the VPN applies to (mVpnUsers) that
// apply to userHandle.
private List<UidRange> uidRangesForUser(int userHandle) {
final UidRange userRange = UidRange.createForUser(userHandle);
final List<UidRange> ranges = new ArrayList<UidRange>();
for (UidRange range : mVpnUsers) {
if (userRange.containsRange(range)) {
ranges.add(range);
}
}
return ranges;
}Example 8 with UidRange
use of android.net.UidRange in project android_frameworks_base by DirtyUnicorns.
the class Vpn method establish.
/**
* Establish a VPN network and return the file descriptor of the VPN
* interface. This methods returns {@code null} if the application is
* revoked or not prepared.
*
* @param config The parameters to configure the network.
* @return The file descriptor of the VPN interface.
*/
public synchronized ParcelFileDescriptor establish(VpnConfig config) {
// Check if the caller is already prepared.
UserManager mgr = UserManager.get(mContext);
if (Binder.getCallingUid() != mOwnerUID) {
return null;
}
// Check to ensure consent hasn't been revoked since we were prepared.
if (!isVpnUserPreConsented(mPackage)) {
return null;
}
// Check if the service is properly declared.
Intent intent = new Intent(VpnConfig.SERVICE_INTERFACE);
intent.setClassName(mPackage, config.user);
long token = Binder.clearCallingIdentity();
try {
// Restricted users are not allowed to create VPNs, they are tied to Owner
UserInfo user = mgr.getUserInfo(mUserHandle);
if (user.isRestricted()) {
throw new SecurityException("Restricted users cannot establish VPNs");
}
ResolveInfo info = AppGlobals.getPackageManager().resolveService(intent, null, 0, mUserHandle);
if (info == null) {
throw new SecurityException("Cannot find " + config.user);
}
if (!BIND_VPN_SERVICE.equals(info.serviceInfo.permission)) {
throw new SecurityException(config.user + " does not require " + BIND_VPN_SERVICE);
}
} catch (RemoteException e) {
throw new SecurityException("Cannot find " + config.user);
} finally {
Binder.restoreCallingIdentity(token);
}
// Save the old config in case we need to go back.
VpnConfig oldConfig = mConfig;
String oldInterface = mInterface;
Connection oldConnection = mConnection;
NetworkAgent oldNetworkAgent = mNetworkAgent;
mNetworkAgent = null;
Set<UidRange> oldUsers = mVpnUsers;
// Configure the interface. Abort if any of these steps fails.
ParcelFileDescriptor tun = ParcelFileDescriptor.adoptFd(jniCreate(config.mtu));
try {
updateState(DetailedState.CONNECTING, "establish");
String interfaze = jniGetName(tun.getFd());
// TEMP use the old jni calls until there is support for netd address setting
StringBuilder builder = new StringBuilder();
for (LinkAddress address : config.addresses) {
builder.append(" " + address);
}
if (jniSetAddresses(interfaze, builder.toString()) < 1) {
throw new IllegalArgumentException("At least one address must be specified");
}
Connection connection = new Connection();
if (!mContext.bindServiceAsUser(intent, connection, Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE, new UserHandle(mUserHandle))) {
throw new IllegalStateException("Cannot bind " + config.user);
}
mConnection = connection;
mInterface = interfaze;
// Fill more values.
config.user = mPackage;
config.interfaze = mInterface;
config.startTime = SystemClock.elapsedRealtime();
mConfig = config;
// Set up forwarding and DNS rules.
agentConnect();
if (oldConnection != null) {
mContext.unbindService(oldConnection);
}
// Remove the old tun's user forwarding rules
// The new tun's user rules have already been added so they will take over
// as rules are deleted. This prevents data leakage as the rules are moved over.
agentDisconnect(oldNetworkAgent);
if (oldInterface != null && !oldInterface.equals(interfaze)) {
jniReset(oldInterface);
}
try {
IoUtils.setBlocking(tun.getFileDescriptor(), config.blocking);
} catch (IOException e) {
throw new IllegalStateException("Cannot set tunnel's fd as blocking=" + config.blocking, e);
}
} catch (RuntimeException e) {
IoUtils.closeQuietly(tun);
agentDisconnect();
// restore old state
mConfig = oldConfig;
mConnection = oldConnection;
mVpnUsers = oldUsers;
mNetworkAgent = oldNetworkAgent;
mInterface = oldInterface;
throw e;
}
Log.i(TAG, "Established by " + config.user + " on " + mInterface);
return tun;
}
Also used :
LinkAddress(android.net.LinkAddress)
NetworkAgent(android.net.NetworkAgent)
VpnConfig(com.android.internal.net.VpnConfig)
UidRange(android.net.UidRange)
ServiceConnection(android.content.ServiceConnection)
PendingIntent(android.app.PendingIntent)
Intent(android.content.Intent)
UserInfo(android.content.pm.UserInfo)
IOException(java.io.IOException)
ResolveInfo(android.content.pm.ResolveInfo)
UserManager(android.os.UserManager)
UserHandle(android.os.UserHandle)
ParcelFileDescriptor(android.os.ParcelFileDescriptor)
RemoteException(android.os.RemoteException)
Example 9 with UidRange
use of android.net.UidRange in project android_frameworks_base by DirtyUnicorns.
the class Vpn method onUserAdded.
public void onUserAdded(int userHandle) {
// If the user is restricted tie them to the parent user's VPN
UserInfo user = UserManager.get(mContext).getUserInfo(userHandle);
if (user.isRestricted() && user.restrictedProfileParentId == mUserHandle) {
synchronized (Vpn.this) {
if (mVpnUsers != null) {
try {
addUserToRanges(mVpnUsers, userHandle, mConfig.allowedApplications, mConfig.disallowedApplications);
if (mNetworkAgent != null) {
final List<UidRange> ranges = uidRangesForUser(userHandle);
mNetworkAgent.addUidRanges(ranges.toArray(new UidRange[ranges.size()]));
}
} catch (Exception e) {
Log.wtf(TAG, "Failed to add restricted user to owner", e);
}
}
if (mAlwaysOn) {
setVpnForcedLocked(mLockdown);
}
}
}
}
Also used :
UidRange(android.net.UidRange)
UserInfo(android.content.pm.UserInfo)
NameNotFoundException(android.content.pm.PackageManager.NameNotFoundException)
RemoteException(android.os.RemoteException)
IOException(java.io.IOException)
Example 10 with UidRange
use of android.net.UidRange in project android_frameworks_base by DirtyUnicorns.
the class Vpn method createUserAndRestrictedProfilesRanges.
/**
* Creates a {@link Set} of non-intersecting {@link UidRange} objects including all UIDs
* associated with one user, and any restricted profiles attached to that user.
*
* <p>If one of {@param allowedApplications} or {@param disallowedApplications} is provided,
* the UID ranges will match the app whitelist or blacklist specified there. Otherwise, all UIDs
* in each user and profile will be included.
*
* @param userHandle The userId to create UID ranges for along with any of its restricted
* profiles.
* @param allowedApplications (optional) whitelist of applications to include.
* @param disallowedApplications (optional) blacklist of applications to exclude.
*/
@VisibleForTesting
Set<UidRange> createUserAndRestrictedProfilesRanges(@UserIdInt int userHandle, @Nullable List<String> allowedApplications, @Nullable List<String> disallowedApplications) {
final Set<UidRange> ranges = new ArraySet<>();
// Assign the top-level user to the set of ranges
addUserToRanges(ranges, userHandle, allowedApplications, disallowedApplications);
// If the user can have restricted profiles, assign all its restricted profiles too
if (canHaveRestrictedProfile(userHandle)) {
final long token = Binder.clearCallingIdentity();
List<UserInfo> users;
try {
users = UserManager.get(mContext).getUsers(true);
} finally {
Binder.restoreCallingIdentity(token);
}
for (UserInfo user : users) {
if (user.isRestricted() && (user.restrictedProfileParentId == userHandle)) {
addUserToRanges(ranges, user.id, allowedApplications, disallowedApplications);
}
}
}
return ranges;
}
Also used :
ArraySet(android.util.ArraySet)
UidRange(android.net.UidRange)
UserInfo(android.content.pm.UserInfo)
VisibleForTesting(com.android.internal.annotations.VisibleForTesting)
Aggregations
UidRange (android.net.UidRange)42
UserInfo (android.content.pm.UserInfo)19
RemoteException (android.os.RemoteException)15
SmallTest (android.test.suitebuilder.annotation.SmallTest)12
NetworkAgent (android.net.NetworkAgent)10
IOException (java.io.IOException)10
PendingIntent (android.app.PendingIntent)5
Intent (android.content.Intent)5
ServiceConnection (android.content.ServiceConnection)5
NameNotFoundException (android.content.pm.PackageManager.NameNotFoundException)5
ResolveInfo (android.content.pm.ResolveInfo)5
LinkAddress (android.net.LinkAddress)5
LinkProperties (android.net.LinkProperties)5
NetworkMisc (android.net.NetworkMisc)5
ParcelFileDescriptor (android.os.ParcelFileDescriptor)5
ServiceSpecificException (android.os.ServiceSpecificException)5
UserHandle (android.os.UserHandle)5
UserManager (android.os.UserManager)5
ArraySet (android.util.ArraySet)5
SparseIntArray (android.util.SparseIntArray)5
