Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 1384605a89775dcaae48e8d5f0081143f896a8cb
commit1384605a89775dcaae48e8d5f0081143f896a8cb[log] [tgz]
authorSreeram Ramachandran <sreeram@google.com>Thu Jul 10 12:35:23 2014 -0700
committerSreeram Ramachandran <sreeram@google.com>Thu Jul 10 20:59:51 2014 +0000
tree7127a5a24f594c67de792cbc032134ee7279790c
parent5f90bccd96397f23b988c5e668b13f5344fd104b [diff]
Update VpnService API documentation.

The goal of blocking an address family by default is to prevent unintended
security holes. For example, a VPN that only deals with IPv4 doesn't know or
care about IPv6 at all, so it doesn't do anything for IPv6. An app shouldn't be
able to get around (bypass) the VPN by using IPv6.

Therefore, it is not necessary to block an address family in removeAddress().
The VPN was clearly aware of the address family (since it had configured such an
address before), so if it wants to block that family, it should add a default
route for that family and explicitly drop/block/reject those packets.

Bug: 15972465
Bug: 15409819
Change-Id: I845426fa90dc2358d3e11bc601db0b4bd5d3b7ac
1 file changed
tree: 7127a5a24f594c67de792cbc032134ee7279790c
  1. api/
  2. cmds/
  3. core/
  4. data/
  5. docs/
  6. drm/
  7. graphics/
  8. include/
  9. keystore/
  10. libs/
  11. location/
  12. media/
  13. native/
  14. nfc-extras/
  15. obex/
  16. opengl/
  17. packages/
  18. phone/
  19. policy/
  20. rs/
  21. samples/
  22. sax/
  23. services/
  24. telecomm/
  25. telephony/
  26. test-runner/
  27. tests/
  28. tools/
  29. wifi/
  30. Android.mk
  31. CleanSpec.mk
  32. MODULE_LICENSE_APACHE2
  33. NOTICE
  34. preloaded-classes