Merge "Allow root and system to bypass the always-on VPN firewall rules" into lmp-dev
diff --git a/services/core/java/com/android/server/net/LockdownVpnTracker.java b/services/core/java/com/android/server/net/LockdownVpnTracker.java
index cf0aba4..3a1e4a4 100644
--- a/services/core/java/com/android/server/net/LockdownVpnTracker.java
+++ b/services/core/java/com/android/server/net/LockdownVpnTracker.java
@@ -35,6 +35,7 @@
import android.os.RemoteException;
import android.security.Credentials;
import android.security.KeyStore;
+import android.system.Os;
import android.text.TextUtils;
import android.util.Slog;
@@ -64,6 +65,8 @@
private static final String ACTION_VPN_SETTINGS = "android.net.vpn.SETTINGS";
private static final String EXTRA_PICK_LOCKDOWN = "android.net.vpn.PICK_LOCKDOWN";
+ private static final int ROOT_UID = 0;
+
private final Context mContext;
private final INetworkManagementService mNetService;
private final ConnectivityService mConnService;
@@ -193,6 +196,9 @@
setFirewallEgressSourceRule(addr, true);
}
+ mNetService.setFirewallUidRule(ROOT_UID, true);
+ mNetService.setFirewallUidRule(Os.getuid(), true);
+
mErrorCount = 0;
mAcceptedIface = iface;
mAcceptedSourceAddr = sourceAddrs;
@@ -279,6 +285,10 @@
for (LinkAddress addr : mAcceptedSourceAddr) {
setFirewallEgressSourceRule(addr, false);
}
+
+ mNetService.setFirewallUidRule(ROOT_UID, false);
+ mNetService.setFirewallUidRule(Os.getuid(), false);
+
mAcceptedSourceAddr = null;
}
} catch (RemoteException e) {