Server API to only allow networking by VPN apps
Secure virtual networks already create rules to route all traffic into
themselves. This depends on the secure network already existing.
API creates an ip rule at a priority level below SECURE_VPN which
can catch traffic before VPN comes up, if it is a requirement that no
traffic ever leaves without first going through VPN.
Bug: 26694104
Bug: 26354134
Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
diff --git a/server/RouteController.h b/server/RouteController.h
index 0694ea2..f1affe3 100644
--- a/server/RouteController.h
+++ b/server/RouteController.h
@@ -61,6 +61,11 @@
static int removeUsersFromVirtualNetwork(unsigned netId, const char* interface, bool secure,
const UidRanges& uidRanges) WARN_UNUSED_RESULT;
+ static int addUsersToRejectNonSecureNetworkRule(const UidRanges& uidRanges)
+ WARN_UNUSED_RESULT;
+ static int removeUsersFromRejectNonSecureNetworkRule(const UidRanges& uidRanges)
+ WARN_UNUSED_RESULT;
+
static int addInterfaceToDefaultNetwork(const char* interface,
Permission permission) WARN_UNUSED_RESULT;
static int removeInterfaceFromDefaultNetwork(const char* interface,
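Review bot: The two new declarations, addUsersToRejectNonSecureNetworkRule and removeUsersFromRejectNonSecureNetworkRule, go into the header with no comment, and the signature alone does not state their contract. Unlike removeUsersFromVirtualNetwork just above, they take only uidRanges, with no netId or interface. Please add a short comment saying which traffic from those UIDs the rule affects, where the rule sits relative to SECURE_VPN (the commit message describes this, the header does not), and what the remove call returns for a range that was never added. Since the purpose is that no traffic leaves before the VPN is up, it is also worth noting in that comment that callers must treat a non-zero return from the add call as the restriction not being in place, which is what WARN_UNUSED_RESULT is there to enforce.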