Revert "Whitelist packages from VPN lockdown."

This reverts commit bb9cef04c5b6699412d43d82bdd31c7a4f692cbc.

Reason for revert: broke pi-dev-plus-aosp

Change-Id: Iaf5c8aa4a8720eb2852da8cd91c81a77ccb92b68
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 7159642..1b08ecd 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -4464,16 +4464,11 @@
     }
 
     /**
-     * Service-specific error code used in implementation of {@code setAlwaysOnVpnPackage} methods.
-     * @hide
-     */
-    public static final int ERROR_VPN_PACKAGE_NOT_FOUND = 1;
-
-    /**
      * Called by a device or profile owner to configure an always-on VPN connection through a
      * specific application for the current user. This connection is automatically granted and
      * persisted after a reboot.
-     * <p> To support the always-on feature, an app must
+     * <p>
+     * To support the always-on feature, an app must
      * <ul>
      *     <li>declare a {@link android.net.VpnService} in its manifest, guarded by
      *         {@link android.Manifest.permission#BIND_VPN_SERVICE};</li>
@@ -4482,13 +4477,12 @@
      *         {@link android.net.VpnService#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON}.</li>
      * </ul>
      * The call will fail if called with the package name of an unsupported VPN app.
-     * <p> Enabling lockdown via {@code lockdownEnabled} argument carries the risk that any failure
-     * of the VPN provider could break networking for all apps.
      *
      * @param vpnPackage The package name for an installed VPN app on the device, or {@code null} to
      *        remove an existing always-on VPN configuration.
      * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
-     *        {@code false} otherwise. This has no effect when clearing.
+     *        {@code false} otherwise. This carries the risk that any failure of the VPN provider
+     *        could break networking for all apps. This has no effect when clearing.
      * @throws SecurityException if {@code admin} is not a device or a profile owner.
      * @throws NameNotFoundException if {@code vpnPackage} is not installed.
      * @throws UnsupportedOperationException if {@code vpnPackage} exists but does not support being
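Review bot: In the `@param lockdownEnabled` text, the sentence `This carries the risk that any failure of the VPN provider could break networking for all apps.` comes directly after `{@code false} otherwise`, so it is unclear which setting carries the risk. The following sentence opens with a second `This` that refers to the parameter as a whole. Naming the subject keeps the fail-closed warning unambiguous: `Enabling lockdown carries the risk that any failure of the VPN provider could break networking for all apps.` The Javadoc block starts and ends outside this hunk.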
@@ -4497,46 +4491,11 @@
     public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage,
             boolean lockdownEnabled)
             throws NameNotFoundException, UnsupportedOperationException {
-        setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled, Collections.emptyList());
-    }
-
-    /**
-     * A version of {@link #setAlwaysOnVpnPackage(ComponentName, String, boolean)} that allows the
-     * admin to specify a set of apps that should be able to access the network directly when VPN
-     * is not connected. When VPN connects these apps switch over to VPN if allowed to use that VPN.
-     * System apps can always bypass VPN.
-     * <p> Note that the system doesn't update the whitelist when packages are installed or
-     * uninstalled, the admin app must call this method to keep the list up to date.
-     *
-     * @param vpnPackage package name for an installed VPN app on the device, or {@code null}
-     *         to remove an existing always-on VPN configuration
-     * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
-     *         {@code false} otherwise. This has no effect when clearing.
-     * @param lockdownWhitelist Packages that will be able to access the network directly when VPN
-     *         is in lockdown mode but not connected. Has no effect when clearing.
-     * @throws SecurityException if {@code admin} is not a device or a profile
-     *         owner.
-     * @throws NameNotFoundException if {@code vpnPackage} or one of
-     *         {@code lockdownWhitelist} is not installed.
-     * @throws UnsupportedOperationException if {@code vpnPackage} exists but does
-     *         not support being set as always-on, or if always-on VPN is not
-     *         available.
-     */
-    public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage,
-            boolean lockdownEnabled, @Nullable List<String> lockdownWhitelist)
-            throws NameNotFoundException, UnsupportedOperationException {
         throwIfParentInstance("setAlwaysOnVpnPackage");
         if (mService != null) {
             try {
-                mService.setAlwaysOnVpnPackage(
-                        admin, vpnPackage, lockdownEnabled, lockdownWhitelist);
-            } catch (ServiceSpecificException e) {
-                switch (e.errorCode) {
-                    case ERROR_VPN_PACKAGE_NOT_FOUND:
-                        throw new NameNotFoundException(e.getMessage());
-                    default:
-                        throw new RuntimeException(
-                                "Unknown error setting always-on VPN: " + e.errorCode);
+                if (!mService.setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled)) {
+                    throw new NameNotFoundException(vpnPackage);
                 }
             } catch (RemoteException e) {
                 throw e.rethrowFromSystemServer();
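Review bot: In `setAlwaysOnVpnPackage`, every `false` returned by `mService.setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled)` is reported as `NameNotFoundException(vpnPackage)`. The Javadoc also promises `UnsupportedOperationException` for a package that is installed but cannot be always-on, so unless the service throws that itself (not visible in this diff), an admin cannot tell the two failures apart. As far as the hunk shows, a null `mService` makes the method return normally, so a caller that asked for lockdown gets no signal that nothing was applied. I would add a comment above the check, such as `// false is surfaced as "not installed"; unsupported packages are expected to be rejected by the service with UnsupportedOperationException`, and state the silent no-op case in the Javadoc. The method's closing lines are outside the hunk.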
@@ -4545,51 +4504,6 @@
     }
 
     /**
-     * Called by device or profile owner to query whether current always-on VPN is configured in
-     * lockdown mode. Returns {@code false} when no always-on configuration is set.
-     *
-     * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
-     *
-     * @throws SecurityException if {@code admin} is not a device or a profile owner.
-     *
-     * @see #setAlwaysOnVpnPackage(ComponentName, String, boolean)
-     */
-    public boolean isAlwaysOnVpnLockdownEnabled(@NonNull ComponentName admin) {
-        throwIfParentInstance("isAlwaysOnVpnLockdownEnabled");
-        if (mService != null) {
-            try {
-                return mService.isAlwaysOnVpnLockdownEnabled(admin);
-            } catch (RemoteException e) {
-                throw e.rethrowFromSystemServer();
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Called by device or profile owner to query the list of packages that are allowed to access
-     * the network directly when always-on VPN is in lockdown mode but not connected. Returns
-     * {@code null} when always-on VPN is not active or not in lockdown mode.
-     *
-     * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
-     *
-     * @throws SecurityException if {@code admin} is not a device or a profile owner.
-     *
-     * @see #setAlwaysOnVpnPackage(ComponentName, String, boolean, List)
-     */
-    public List<String> getAlwaysOnVpnLockdownWhitelist(@NonNull ComponentName admin) {
-        throwIfParentInstance("getAlwaysOnVpnLockdownWhitelist");
-        if (mService != null) {
-            try {
-                return mService.getAlwaysOnVpnLockdownWhitelist(admin);
-            } catch (RemoteException e) {
-                throw e.rethrowFromSystemServer();
-            }
-        }
-        return null;
-    }
-
-    /**
      * Called by a device or profile owner to read the name of the package administering an
      * always-on VPN connection for the current user. If there is no such package, or the always-on
      * VPN is provided by the system instead of by an application, {@code null} will be returned.
diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl
index 0046302..37508cd 100644
--- a/core/java/android/app/admin/IDevicePolicyManager.aidl
+++ b/core/java/android/app/admin/IDevicePolicyManager.aidl
@@ -182,10 +182,8 @@
     void setCertInstallerPackage(in ComponentName who, String installerPackage);
     String getCertInstallerPackage(in ComponentName who);
 
-    boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown, in List<String> lockdownWhitelist);
+    boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown);
     String getAlwaysOnVpnPackage(in ComponentName who);
-    boolean isAlwaysOnVpnLockdownEnabled(in ComponentName who);
-    List<String> getAlwaysOnVpnLockdownWhitelist(in ComponentName who);
 
     void addPersistentPreferredActivity(in ComponentName admin, in IntentFilter filter, in ComponentName activity);
     void clearPackagePersistentPreferredActivities(in ComponentName admin, String packageName);
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index e53f883..cee3a40 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -1007,20 +1007,14 @@
      *                   to remove an existing always-on VPN configuration.
      * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or
      *        {@code false} otherwise.
-     * @param lockdownWhitelist The list of packages that are allowed to access network directly
-     *         when VPN is in lockdown mode but is not running. Non-existent packages are ignored so
-     *         this method must be called when a package that should be whitelisted is installed or
-     *         uninstalled.
      * @return {@code true} if the package is set as always-on VPN controller;
      *         {@code false} otherwise.
      * @hide
      */
-    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
     public boolean setAlwaysOnVpnPackageForUser(int userId, @Nullable String vpnPackage,
-            boolean lockdownEnabled, @Nullable List<String> lockdownWhitelist) {
+            boolean lockdownEnabled) {
         try {
-            return mService.setAlwaysOnVpnPackage(
-                    userId, vpnPackage, lockdownEnabled, lockdownWhitelist);
+            return mService.setAlwaysOnVpnPackage(userId, vpnPackage, lockdownEnabled);
         } catch (RemoteException e) {
             throw e.rethrowFromSystemServer();
         }
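Review bot: Once the `@RequiresPermission` line is removed, the Javadoc of `setAlwaysOnVpnPackageForUser` no longer says which permission a caller must hold. The same applies to `getAlwaysOnVpnPackageForUser` in the next hunk. The actual check is presumably enforced by the service behind `mService`, which this diff does not show, so the annotation was the only place the privilege requirement was visible at the API. I would add a Javadoc sentence to both methods naming the permission the service enforces, for example `Requires the caller to hold the permission enforced by the connectivity service for always-on VPN changes.` with the real permission name filled in. The Javadoc starts before this hunk and the method's closing brace is outside it.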
@@ -1035,7 +1029,6 @@
      *         or {@code null} if none is set.
      * @hide
      */
-    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
     public String getAlwaysOnVpnPackageForUser(int userId) {
         try {
             return mService.getAlwaysOnVpnPackage(userId);
@@ -1045,36 +1038,6 @@
     }
 
     /**
-     * @return whether always-on VPN is in lockdown mode.
-     *
-     * @hide
-     **/
-    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
-    public boolean isVpnLockdownEnabled(int userId) {
-        try {
-            return mService.isVpnLockdownEnabled(userId);
-        } catch (RemoteException e) {
-            throw e.rethrowFromSystemServer();
-        }
-
-    }
-
-    /**
-     * @return the list of packages that are allowed to access network when always-on VPN is in
-     * lockdown mode but not connected. Returns {@code null} when VPN lockdown is not active.
-     *
-     * @hide
-     **/
-    @RequiresPermission(android.Manifest.permission.CONTROL_ALWAYS_ON_VPN)
-    public List<String> getVpnLockdownWhitelist(int userId) {
-        try {
-            return mService.getVpnLockdownWhitelist(userId);
-        } catch (RemoteException e) {
-            throw e.rethrowFromSystemServer();
-        }
-    }
-
-    /**
      * Returns details about the currently active default data network
      * for a given uid.  This is for internal use only to avoid spying
      * other apps.
diff --git a/core/java/android/net/IConnectivityManager.aidl b/core/java/android/net/IConnectivityManager.aidl
index ac6b5b8..3d34574 100644
--- a/core/java/android/net/IConnectivityManager.aidl
+++ b/core/java/android/net/IConnectivityManager.aidl
@@ -125,11 +125,8 @@
 
     boolean updateLockdownVpn();
     boolean isAlwaysOnVpnPackageSupported(int userId, String packageName);
-    boolean setAlwaysOnVpnPackage(int userId, String packageName, boolean lockdown,
-            in List<String> lockdownWhitelist);
+    boolean setAlwaysOnVpnPackage(int userId, String packageName, boolean lockdown);
     String getAlwaysOnVpnPackage(int userId);
-    boolean isVpnLockdownEnabled(int userId);
-    List<String> getVpnLockdownWhitelist(int userId);
 
     int checkMobileProvisioning(int suggestedTimeOutMs);
 
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index e904b07..bbd76d2 100644
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -5671,16 +5671,6 @@
         public static final String ALWAYS_ON_VPN_LOCKDOWN = "always_on_vpn_lockdown";
 
         /**
-         * Comma separated list of packages that are allowed to access the network when VPN is in
-         * lockdown mode but not running.
-         * @see #ALWAYS_ON_VPN_LOCKDOWN
-         *
-         * @hide
-         */
-        public static final String ALWAYS_ON_VPN_LOCKDOWN_WHITELIST =
-                "always_on_vpn_lockdown_whitelist";
-
-        /**
          * Whether applications can be installed for this user via the system's
          * {@link Intent#ACTION_INSTALL_PACKAGE} mechanism.
          *