Fix permissions handling.
+ Rename the permissions as per: http://go/android-multinetwork-routing
+ Make the SYSTEM permission explicitly include NETWORK.
+ Grant the SYSTEM permission to system UIDs by default, but allow the framework
to override them if necessary.
+ Move the "string to permission" parsing to CommandListener.cpp, thus allowing
us to get rid of Permission.cpp.
+ There's no need to support multiple permissions string arguments, so tighten
that up.
Change-Id: I73d51b5e2f44a97e6d5ab5943ff198cebfbcc0c4
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index 799a531..d2d1841 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -459,8 +459,8 @@
fwmark.netId = netId;
mask.netId = FWMARK_NET_ID_MASK;
- fwmark.permission = PERMISSION_CONNECTIVITY_INTERNAL;
- mask.permission = PERMISSION_CONNECTIVITY_INTERNAL;
+ fwmark.permission = PERMISSION_SYSTEM;
+ mask.permission = PERMISSION_SYSTEM;
if (int ret = modifyIpRule(action, RULE_PRIORITY_SECURE_VPN, table, fwmark.intValue,
mask.intValue, NULL, INVALID_UID, INVALID_UID)) {
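Review bot: Setting both fwmark.permission and mask.permission to PERMISSION_SYSTEM on the two added lines makes this rule match only marks that carry every bit of PERMISSION_SYSTEM, which per the commit description now includes the NETWORK bit; a mark that was stamped with a SYSTEM value lacking the NETWORK bit would presumably no longer hit this rule, so it is worth confirming that wherever fwmark.permission is written for a socket the combined value is used. The same pattern appears in the second hunk at the legacy-route override rule (around line 613), so the check applies there too. Neither hunk says why the gate is SYSTEM rather than NETWORK; a comment above the assignment such as `// Gate on PERMISSION_SYSTEM (which also carries the NETWORK bit): the mask requires all of its bits, so NETWORK alone does not match.` would make the intent explicit for the next reader. The enclosing function begins and ends outside this hunk.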
@@ -613,9 +613,9 @@
return ret;
}
- // Add a rule to allow legacy routes from privileged apps to override VPNs.
- fwmark.permission = PERMISSION_CONNECTIVITY_INTERNAL;
- mask.permission = PERMISSION_CONNECTIVITY_INTERNAL;
+ // Add a rule to allow legacy routes from system apps to override VPNs.
+ fwmark.permission = PERMISSION_SYSTEM;
+ mask.permission = PERMISSION_SYSTEM;
if (int ret = modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_VPN_OVERRIDES,
RouteController::ROUTE_TABLE_PRIVILEGED_LEGACY, fwmark.intValue,