Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2012 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.server.net; |
| 18 | |
| 19 | import static android.Manifest.permission.CONNECTIVITY_INTERNAL; |
Xiaohui Chen | b41c9f7 | 2015-06-17 15:55:37 -0700 | [diff] [blame] | 20 | import static android.net.NetworkPolicyManager.FIREWALL_CHAIN_NONE; |
Amith Yamasani | 15e47235 | 2015-04-24 19:06:07 -0700 | [diff] [blame] | 21 | import static android.net.NetworkPolicyManager.FIREWALL_RULE_ALLOW; |
| 22 | import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT; |
Robin Lee | a249aee | 2016-02-03 13:42:56 +0000 | [diff] [blame] | 23 | import static android.provider.Settings.ACTION_VPN_SETTINGS; |
Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 24 | |
| 25 | import android.app.Notification; |
| 26 | import android.app.NotificationManager; |
| 27 | import android.app.PendingIntent; |
| 28 | import android.content.BroadcastReceiver; |
| 29 | import android.content.Context; |
| 30 | import android.content.Intent; |
| 31 | import android.content.IntentFilter; |
Lorenzo Colitti | 0cb7903 | 2014-10-15 16:06:07 +0900 | [diff] [blame] | 32 | import android.net.ConnectivityManager; |
Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 33 | import android.net.LinkProperties; |
Chad Brubaker | 4ca19e8 | 2013-06-14 11:16:51 -0700 | [diff] [blame] | 34 | import android.net.LinkAddress; |
Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 35 | import android.net.NetworkInfo; |
| 36 | import android.net.NetworkInfo.DetailedState; |
| 37 | import android.net.NetworkInfo.State; |
Amith Yamasani | 15e47235 | 2015-04-24 19:06:07 -0700 | [diff] [blame] | 38 | import android.net.NetworkPolicyManager; |
Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 39 | import android.os.INetworkManagementService; |
| 40 | import android.os.RemoteException; |
| 41 | import android.security.Credentials; |
| 42 | import android.security.KeyStore; |
Lorenzo Colitti | ad4cd0c | 2014-10-16 01:06:29 +0900 | [diff] [blame] | 43 | import android.system.Os; |
Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 44 | import android.text.TextUtils; |
| 45 | import android.util.Slog; |
| 46 | |
| 47 | import com.android.internal.R; |
| 48 | import com.android.internal.net.VpnConfig; |
| 49 | import com.android.internal.net.VpnProfile; |
| 50 | import com.android.internal.util.Preconditions; |
| 51 | import com.android.server.ConnectivityService; |
Jeff Sharkey | 91c6a64 | 2012-09-06 18:33:14 -0700 | [diff] [blame] | 52 | import com.android.server.EventLogTags; |
Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 53 | import com.android.server.connectivity.Vpn; |
| 54 | |
Chad Brubaker | 4ca19e8 | 2013-06-14 11:16:51 -0700 | [diff] [blame] | 55 | import java.util.List; |
| 56 | |
Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 57 | /** |
| 58 | * State tracker for lockdown mode. Watches for normal {@link NetworkInfo} to be |
| 59 | * connected and kicks off VPN connection, managing any required {@code netd} |
| 60 | * firewall rules. |
| 61 | */ |
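public class LockdownVpnTracker {
    private static final String TAG = "LockdownVpnTracker";

    /** Number of VPN attempts before waiting for user intervention. */
    private static final int MAX_ERROR_COUNT = 4;

    private static final String ACTION_LOCKDOWN_RESET = "com.android.server.action.LOCKDOWN_RESET";

    private static final int ROOT_UID = 0;

    /**
     * Destination ports on the VPN server that must be reachable through the
     * egress firewall before the tunnel is up: IKE (500), IPsec NAT-T (4500)
     * and L2TP (1701).
     */
    private static final int[] SERVER_PORTS = { 500, 4500, 1701 };

    private final Context mContext;
    private final INetworkManagementService mNetService;
    private final ConnectivityService mConnService;
    private final Vpn mVpn;
    private final VpnProfile mProfile;

    /** Guards every mutable field below; all {@code *Locked()} methods require it. */
    private final Object mStateLock = new Object();

    private final PendingIntent mConfigIntent;
    private final PendingIntent mResetIntent;

    // Egress interface the current VPN attempt was started on; null when none is running.
    private String mAcceptedEgressIface;
    // VPN interface and source addresses for which firewall allow rules are installed.
    private String mAcceptedIface;
    private List<LinkAddress> mAcceptedSourceAddr;

    // Consecutive VPN failures; compared against MAX_ERROR_COUNT.
    private int mErrorCount;

    /**
     * Returns whether lockdown mode is enabled, i.e. whether the keystore
     * holds a {@link Credentials#LOCKDOWN_VPN} entry.
     */
    public static boolean isEnabled() {
        return KeyStore.getInstance().contains(Credentials.LOCKDOWN_VPN);
    }

    /**
     * Creates a tracker for the given lockdown profile.
     *
     * @throws NullPointerException if any argument is {@code null}
     */
    public LockdownVpnTracker(Context context, INetworkManagementService netService,
            ConnectivityService connService, Vpn vpn, VpnProfile profile) {
        mContext = Preconditions.checkNotNull(context);
        mNetService = Preconditions.checkNotNull(netService);
        mConnService = Preconditions.checkNotNull(connService);
        mVpn = Preconditions.checkNotNull(vpn);
        mProfile = Preconditions.checkNotNull(profile);

        // NOTE(review): both PendingIntents are created with flags 0, i.e. mutable.
        // Neither needs to be filled in by its recipient, so FLAG_IMMUTABLE (where the
        // platform level provides it) would stop anyone who obtains them through the
        // notification from altering the wrapped intent — confirm before changing.
        final Intent configIntent = new Intent(ACTION_VPN_SETTINGS);
        mConfigIntent = PendingIntent.getActivity(mContext, 0, configIntent, 0);

        // Only reaches receivers registered at runtime, i.e. mResetReceiver from initLocked().
        final Intent resetIntent = new Intent(ACTION_LOCKDOWN_RESET);
        resetIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
        mResetIntent = PendingIntent.getBroadcast(mContext, 0, resetIntent, 0);
    }

    /** Handles the "reset" notification action; registration is gated on CONNECTIVITY_INTERNAL. */
    private final BroadcastReceiver mResetReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            reset();
        }
    };

    /**
     * Watch for state changes to both active egress network, kicking off a VPN
     * connection when ready, or setting firewall rules once VPN is connected.
     * Caller must hold {@link #mStateLock}.
     */
    private void handleStateChangedLocked() {
        final NetworkInfo egressInfo = mConnService.getActiveNetworkInfoUnfiltered();
        final LinkProperties egressProp = mConnService.getActiveLinkProperties();

        final NetworkInfo vpnInfo = mVpn.getNetworkInfo();
        final VpnConfig vpnConfig = mVpn.getLegacyVpnConfig();

        // Restart VPN when egress network disconnected or changed
        final boolean egressDisconnected = egressInfo == null
                || State.DISCONNECTED.equals(egressInfo.getState());
        final boolean egressChanged = egressProp == null
                || !TextUtils.equals(mAcceptedEgressIface, egressProp.getInterfaceName());

        final String egressTypeName = (egressInfo == null)
                ? null : ConnectivityManager.getNetworkTypeName(egressInfo.getType());
        final String egressIface = (egressProp == null) ? null : egressProp.getInterfaceName();
        Slog.d(TAG, "handleStateChanged: egress=" + egressTypeName +
                " " + mAcceptedEgressIface + "->" + egressIface);

        if (egressDisconnected || egressChanged) {
            // Tear down rules tied to the old tunnel before the VPN is restarted.
            clearSourceRulesLocked();
            mAcceptedEgressIface = null;
            mVpn.stopLegacyVpnPrivileged();
        }
        if (egressDisconnected) {
            hideNotification();
            return;
        }

        final int egressType = egressInfo.getType();
        if (vpnInfo.getDetailedState() == DetailedState.FAILED) {
            EventLogTags.writeLockdownVpnError(egressType);
        }

        if (mErrorCount > MAX_ERROR_COUNT) {
            // Too many failures: stop retrying until the user resets from the notification.
            showNotification(R.string.vpn_lockdown_error, R.drawable.vpn_disconnected);
        } else if (egressInfo.isConnected() && !vpnInfo.isConnectedOrConnecting()) {
            startVpnLocked(egressProp, egressType);
        } else if (vpnInfo.isConnected() && vpnConfig != null) {
            onVpnConnectedLocked(egressInfo, egressType, vpnConfig);
        }
    }

    /**
     * Starts the legacy VPN over the connected egress network.
     *
     * @param egressProp link properties of the egress network; may be {@code null}
     *        while ConnectivityService has not published them yet
     * @param egressType network type of the egress network, for event logging
     */
    private void startVpnLocked(LinkProperties egressProp, int egressType) {
        if (!mProfile.isValidLockdownProfile()) {
            Slog.e(TAG, "Invalid VPN profile; requires IP-based server and DNS");
            showNotification(R.string.vpn_lockdown_error, R.drawable.vpn_disconnected);
            return;
        }
        if (egressProp == null) {
            // Egress reports connected but its link properties are not available, and the
            // VPN cannot be started without them. No allow rule is installed here, so
            // waiting for the next state change leaks nothing; it only avoids an NPE below.
            Slog.w(TAG, "Active network connected but link properties missing; not starting VPN");
            return;
        }

        Slog.d(TAG, "Active network connected; starting VPN");
        EventLogTags.writeLockdownVpnConnecting(egressType);
        showNotification(R.string.vpn_lockdown_connecting, R.drawable.vpn_disconnected);

        mAcceptedEgressIface = egressProp.getInterfaceName();
        try {
            // Use the privileged method because Lockdown VPN is initiated by the system, so
            // no additional permission checks are necessary.
            mVpn.startLegacyVpnPrivileged(mProfile, KeyStore.getInstance(), egressProp);
        } catch (IllegalStateException e) {
            mAcceptedEgressIface = null;
            Slog.e(TAG, "Failed to start VPN", e);
            showNotification(R.string.vpn_lockdown_error, R.drawable.vpn_disconnected);
        }
    }

    /**
     * Installs firewall allow rules for a freshly connected VPN and announces
     * the (augmented) egress network as connected.
     *
     * @throws RuntimeException wrapping a {@link RemoteException} from {@code netd}
     */
    private void onVpnConnectedLocked(NetworkInfo egressInfo, int egressType,
            VpnConfig vpnConfig) {
        final String iface = vpnConfig.interfaze;
        final List<LinkAddress> sourceAddrs = vpnConfig.addresses;

        // Rules for exactly this interface and address set are already in place.
        if (TextUtils.equals(iface, mAcceptedIface)
                && sourceAddrs.equals(mAcceptedSourceAddr)) {
            return;
        }

        Slog.d(TAG, "VPN connected using iface=" + iface +
                ", sourceAddr=" + sourceAddrs.toString());
        EventLogTags.writeLockdownVpnConnected(egressType);
        showNotification(R.string.vpn_lockdown_connected, R.drawable.vpn_connected);

        try {
            clearSourceRulesLocked();

            mNetService.setFirewallInterfaceRule(iface, true);
            for (LinkAddress addr : sourceAddrs) {
                setFirewallEgressSourceRule(addr, true);
            }

            // Exempt root and this process's own uid from the uid firewall;
            // presumably so the platform's VPN daemons and the system itself
            // can keep talking to the server — verify against the netd chain semantics.
            mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, ROOT_UID, FIREWALL_RULE_ALLOW);
            mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, Os.getuid(), FIREWALL_RULE_ALLOW);

            mErrorCount = 0;
            mAcceptedIface = iface;
            mAcceptedSourceAddr = sourceAddrs;
        } catch (RemoteException e) {
            throw new RuntimeException("Problem setting firewall rules", e);
        }

        // Clients see the egress network as connected only once the VPN is, with the
        // VPN's detailed state overlaid.
        final NetworkInfo clone = new NetworkInfo(egressInfo);
        augmentNetworkInfo(clone);
        mConnService.sendConnectedBroadcast(clone);
    }

    /** Starts tracking: registers the reset receiver, opens the server ports and evaluates state. */
    public void init() {
        synchronized (mStateLock) {
            initLocked();
        }
    }

    private void initLocked() {
        Slog.d(TAG, "initLocked()");

        mVpn.setEnableTeardown(false);

        // Only senders holding CONNECTIVITY_INTERNAL may deliver the reset broadcast.
        final IntentFilter resetFilter = new IntentFilter(ACTION_LOCKDOWN_RESET);
        mContext.registerReceiver(mResetReceiver, resetFilter, CONNECTIVITY_INTERNAL, null);

        setServerRulesLocked(true);

        handleStateChangedLocked();
    }

    /** Stops tracking: tears down the VPN, removes every rule this tracker installed. */
    public void shutdown() {
        synchronized (mStateLock) {
            shutdownLocked();
        }
    }

    private void shutdownLocked() {
        Slog.d(TAG, "shutdownLocked()");

        mAcceptedEgressIface = null;
        mErrorCount = 0;

        mVpn.stopLegacyVpnPrivileged();
        setServerRulesLocked(false);
        clearSourceRulesLocked();
        hideNotification();

        mContext.unregisterReceiver(mResetReceiver);
        mVpn.setEnableTeardown(true);
    }

    /**
     * Installs or removes the egress destination rules for the profile's server
     * on each of {@link #SERVER_PORTS}.
     *
     * @param allow {@code true} to install the rules, {@code false} to remove them
     * @throws RuntimeException wrapping a {@link RemoteException} from {@code netd}
     */
    private void setServerRulesLocked(boolean allow) {
        try {
            // TODO: support non-standard port numbers
            for (int port : SERVER_PORTS) {
                mNetService.setFirewallEgressDestRule(mProfile.server, port, allow);
            }
        } catch (RemoteException e) {
            throw new RuntimeException("Problem setting firewall rules", e);
        }
    }

    /** Restarts tracking from scratch, clearing the error count so the VPN is retried. */
    public void reset() {
        Slog.d(TAG, "reset()");
        synchronized (mStateLock) {
            // cycle tracker, reset error count, and trigger retry
            shutdownLocked();
            initLocked();
            handleStateChangedLocked();
        }
    }

    /**
     * Removes the interface, source-address and uid allow rules recorded in
     * {@link #mAcceptedIface} / {@link #mAcceptedSourceAddr}, if any, and forgets them.
     *
     * @throws RuntimeException wrapping a {@link RemoteException} from {@code netd}
     */
    private void clearSourceRulesLocked() {
        try {
            if (mAcceptedIface != null) {
                mNetService.setFirewallInterfaceRule(mAcceptedIface, false);
                mAcceptedIface = null;
            }
            if (mAcceptedSourceAddr != null) {
                for (LinkAddress addr : mAcceptedSourceAddr) {
                    setFirewallEgressSourceRule(addr, false);
                }

                mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, ROOT_UID, FIREWALL_RULE_DEFAULT);
                mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, Os.getuid(), FIREWALL_RULE_DEFAULT);

                mAcceptedSourceAddr = null;
            }
        } catch (RemoteException e) {
            throw new RuntimeException("Problem setting firewall rules", e);
        }
    }

    private void setFirewallEgressSourceRule(
            LinkAddress address, boolean allow) throws RemoteException {
        // Our source address based firewall rules must only cover our own source address, not the
        // whole subnet
        final String addrString = address.getAddress().getHostAddress();
        mNetService.setFirewallEgressSourceRule(addrString, allow);
    }

    /** Re-evaluates state after the active (egress) network changed. */
    public void onNetworkInfoChanged() {
        synchronized (mStateLock) {
            handleStateChangedLocked();
        }
    }

    /**
     * Re-evaluates state after the VPN's own state changed, counting a failed
     * attempt toward {@link #MAX_ERROR_COUNT}.
     */
    public void onVpnStateChanged(NetworkInfo info) {
        synchronized (mStateLock) {
            // Counted under the lock: handleStateChangedLocked() reads and resets mErrorCount
            // and shutdownLocked() writes it, all under mStateLock, so an unsynchronized
            // increment here could race with them and be lost.
            if (info.getDetailedState() == DetailedState.FAILED) {
                mErrorCount++;
            }
            handleStateChangedLocked();
        }
    }

    /**
     * Overlays the VPN's detailed state and reason onto a connected egress
     * {@link NetworkInfo}, so observers see lockdown progress rather than the
     * raw egress state. Disconnected info is left untouched.
     */
    public void augmentNetworkInfo(NetworkInfo info) {
        if (info.isConnected()) {
            final NetworkInfo vpnInfo = mVpn.getNetworkInfo();
            info.setDetailedState(vpnInfo.getDetailedState(), vpnInfo.getReason(), null);
        }
    }

    /**
     * Posts (or replaces, same tag and id) the ongoing lockdown status
     * notification, with a tap-through to VPN settings and a "reset" action.
     */
    private void showNotification(int titleRes, int iconRes) {
        final Notification.Builder builder = new Notification.Builder(mContext)
                .setWhen(0)
                .setSmallIcon(iconRes)
                .setContentTitle(mContext.getString(titleRes))
                .setContentText(mContext.getString(R.string.vpn_lockdown_config))
                .setContentIntent(mConfigIntent)
                .setPriority(Notification.PRIORITY_LOW)
                .setOngoing(true)
                .addAction(R.drawable.ic_menu_refresh, mContext.getString(R.string.reset),
                        mResetIntent)
                .setColor(mContext.getColor(
                        com.android.internal.R.color.system_notification_accent_color));

        NotificationManager.from(mContext).notify(TAG, 0, builder.build());
    }

    private void hideNotification() {
        NotificationManager.from(mContext).cancel(TAG, 0);
    }
}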