Merge "Allow root and system to bypass the always-on VPN firewall rules" into lmp-dev
diff --git a/services/core/java/com/android/server/net/LockdownVpnTracker.java b/services/core/java/com/android/server/net/LockdownVpnTracker.java
index cf0aba4..3a1e4a4 100644
--- a/services/core/java/com/android/server/net/LockdownVpnTracker.java
+++ b/services/core/java/com/android/server/net/LockdownVpnTracker.java
@@ -35,6 +35,7 @@
 import android.os.RemoteException;
 import android.security.Credentials;
 import android.security.KeyStore;
+import android.system.Os;
 import android.text.TextUtils;
 import android.util.Slog;
 
@@ -64,6 +65,8 @@
     private static final String ACTION_VPN_SETTINGS = "android.net.vpn.SETTINGS";
     private static final String EXTRA_PICK_LOCKDOWN = "android.net.vpn.PICK_LOCKDOWN";
 
+    private static final int ROOT_UID = 0;
+
     private final Context mContext;
     private final INetworkManagementService mNetService;
     private final ConnectivityService mConnService;
@@ -193,6 +196,9 @@
                     setFirewallEgressSourceRule(addr, true);
                 }
 
+                mNetService.setFirewallUidRule(ROOT_UID, true);
+                mNetService.setFirewallUidRule(Os.getuid(), true);
+
                 mErrorCount = 0;
                 mAcceptedIface = iface;
                 mAcceptedSourceAddr = sourceAddrs;
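Review bot: The two `setFirewallUidRule(..., true)` calls exempt every socket owned by UID 0 and by the current process's UID from the lockdown rules, and nothing in the hunk records that this is intended or what it costs. Traffic from those UIDs is no longer forced through the tunnel, so a comment above the calls should say so, for example `// Root and the system UID are exempt from lockdown; their traffic may leave outside the VPN.` `Os.getuid()` yields the system UID only because this code presumably runs in system_server. A named constant such as `Process.SYSTEM_UID` would make the intent explicit and keep the add and remove calls visibly paired. The enclosing method starts and ends outside the hunk.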
@@ -279,6 +285,10 @@
                 for (LinkAddress addr : mAcceptedSourceAddr) {
                     setFirewallEgressSourceRule(addr, false);
                 }
+
+                mNetService.setFirewallUidRule(ROOT_UID, false);
+                mNetService.setFirewallUidRule(Os.getuid(), false);
+
                 mAcceptedSourceAddr = null;
             }
         } catch (RemoteException e) {
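Review bot: The UID exemptions are removed only after the source-address loop completes, so a `RemoteException` from any earlier call in this `try` skips both `setFirewallUidRule(..., false)` calls and leaves root and system exempt from the firewall. The block also looks conditional on `mAcceptedSourceAddr` (its opening is outside the hunk), which ties clearing the UID rules to address state they do not depend on. Consider clearing the UID rules in their own guarded step and logging a failure, so a stale exemption is visible in the logs. What the `catch` body does is outside the hunk.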