Keep track of users allowed to call protect() explicitly.
This is an API change between ConnectivityService and Netd.
The ownerUid was meant for this purpose, but it's insufficient, as apps need to
call protect() _before_ they create a VPN.
Bug: 15409918
Change-Id: If804aa106002e96d5ffb623d32db35fd76928367
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index f062dcf..0e341e5 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -177,7 +177,7 @@
return 0;
}
-int NetworkController::createVpn(unsigned netId, uid_t ownerUid) {
+int NetworkController::createVpn(unsigned netId) {
if (netId < MIN_NET_ID || netId > MAX_NET_ID) {
ALOGE("invalid netId %u", netId);
return -EINVAL;
@@ -189,7 +189,7 @@
}
android::RWLock::AutoWLock lock(mRWLock);
- mNetworks[netId] = new VirtualNetwork(netId, ownerUid);
+ mNetworks[netId] = new VirtualNetwork(netId);
return 0;
}
@@ -331,6 +331,18 @@
return modifyRoute(netId, interface, destination, nexthop, false, legacy, uid);
}
+void NetworkController::allowProtect(const std::vector<uid_t>& uids) {
+ android::RWLock::AutoWLock lock(mRWLock);
+ mProtectableUsers.insert(uids.begin(), uids.end());
+}
+
+void NetworkController::denyProtect(const std::vector<uid_t>& uids) {
+ android::RWLock::AutoWLock lock(mRWLock);
+ for (uid_t uid : uids) {
+ mProtectableUsers.erase(uid);
+ }
+}
+
Network* NetworkController::getNetworkLocked(unsigned netId) const {
auto iter = mNetworks.find(netId);
return iter == mNetworks.end() ? NULL : iter->second;