Merge "Require NETWORK_STACK Permission for IpSec Tunnel Mode"
am: 43699e90f3
Change-Id: I1f286f0215ce88f947775ded0ddfbc8e0cd7bc55
diff --git a/core/java/android/net/IpSecManager.java b/core/java/android/net/IpSecManager.java
index 24a078f..b609847 100644
--- a/core/java/android/net/IpSecManager.java
+++ b/core/java/android/net/IpSecManager.java
@@ -19,6 +19,7 @@
import android.annotation.IntDef;
import android.annotation.NonNull;
+import android.annotation.RequiresPermission;
import android.annotation.SystemApi;
import android.annotation.SystemService;
import android.annotation.TestApi;
@@ -761,6 +762,7 @@
* @hide
*/
@SystemApi
+ @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress,
@NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork)
throws ResourceUnavailableException, IOException {
@@ -780,6 +782,7 @@
* @hide
*/
@SystemApi
+ @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
public void applyTunnelModeTransform(IpSecTunnelInterface tunnel, int direction,
IpSecTransform transform) throws IOException {
try {
diff --git a/core/java/android/net/IpSecTransform.java b/core/java/android/net/IpSecTransform.java
index 0829b4a..38759a9 100644
--- a/core/java/android/net/IpSecTransform.java
+++ b/core/java/android/net/IpSecTransform.java
@@ -21,6 +21,7 @@
import android.annotation.IntDef;
import android.annotation.NonNull;
+import android.annotation.RequiresPermission;
import android.annotation.SystemApi;
import android.content.Context;
import android.os.Binder;
@@ -266,6 +267,10 @@
* @hide
*/
@SystemApi
+ @RequiresPermission(anyOf = {
+ android.Manifest.permission.NETWORK_STACK,
+ android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
+ })
public void startNattKeepalive(@NonNull NattKeepaliveCallback userCallback,
int intervalSeconds, @NonNull Handler handler) throws IOException {
checkNotNull(userCallback);
@@ -305,6 +310,10 @@
* @hide
*/
@SystemApi
+ @RequiresPermission(anyOf = {
+ android.Manifest.permission.NETWORK_STACK,
+ android.Manifest.permission.PACKET_KEEPALIVE_OFFLOAD
+ })
public void stopNattKeepalive() {
synchronized (mKeepaliveCallback) {
if (mKeepalive == null) {
@@ -449,6 +458,7 @@
* @hide
*/
@SystemApi
+ @RequiresPermission(android.Manifest.permission.NETWORK_STACK)
public IpSecTransform buildTunnelModeTransform(
@NonNull InetAddress sourceAddress,
@NonNull IpSecManager.SecurityParameterIndex spi)
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index a07a982..45a4dfb9 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1438,7 +1438,9 @@
switch (config.getMode()) {
case IpSecTransform.MODE_TRANSPORT:
+ break;
case IpSecTransform.MODE_TUNNEL:
+ enforceNetworkStackPermission();
break;
default:
throw new IllegalArgumentException(
@@ -1446,6 +1448,11 @@
}
}
+ private void enforceNetworkStackPermission() {
+ mContext.enforceCallingOrSelfPermission(android.Manifest.permission.NETWORK_STACK,
+ "IpSecService");
+ }
+
private void createOrUpdateTransform(
IpSecConfig c, int resourceId, SpiRecord spiRecord, EncapSocketRecord socketRecord)
throws RemoteException {
@@ -1615,6 +1622,7 @@
@Override
public synchronized void applyTunnelModeTransform(
int tunnelResourceId, int direction, int transformResourceId) throws RemoteException {
+ enforceNetworkStackPermission();
checkDirection(direction);
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());