Fix permissions handling.
+ Rename the permissions as per: http://go/android-multinetwork-routing
+ Make the SYSTEM permission explicitly include NETWORK.
+ Grant the SYSTEM permission to system UIDs by default, but allow the framework
to override them if necessary.
+ Move the "string to permission" parsing to CommandListener.cpp, thus allowing
us to get rid of Permission.cpp.
+ There's no need to support multiple permissions string arguments, so tighten
that up.
Change-Id: I73d51b5e2f44a97e6d5ab5943ff198cebfbcc0c4
diff --git a/server/FwmarkServer.cpp b/server/FwmarkServer.cpp
index 71d15f9..e2d2079 100644
--- a/server/FwmarkServer.cpp
+++ b/server/FwmarkServer.cpp
@@ -117,8 +117,8 @@
} else {
fwmark.explicitlySelected = true;
// If the socket already has the protectedFromVpn bit set, don't reset it, because
- // non-CONNECTIVITY_INTERNAL apps (e.g.: VpnService) may also protect sockets.
- if (permission & PERMISSION_CONNECTIVITY_INTERNAL) {
+ // non-system apps (e.g.: VpnService) may also protect sockets.
+ if ((permission & PERMISSION_SYSTEM) == PERMISSION_SYSTEM) {
fwmark.protectedFromVpn = true;
}
if (!mNetworkController->isValidNetwork(command.netId)) {
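Review bot: The full-mask comparison in the new condition `(permission & PERMISSION_SYSTEM) == PERMISSION_SYSTEM` is what keeps NETWORK-only callers from setting `protectedFromVpn`, and the code does not say so. The commit description states that SYSTEM now explicitly includes NETWORK, so a plain `permission & PERMISSION_SYSTEM` would presumably be non-zero for a NETWORK-only caller and let its socket bypass VPN routing. The permission definitions are outside this hunk, so confirm that against them. I would add a comment above the `if`, for example `// Require every SYSTEM bit: SYSTEM includes NETWORK, so a plain '&' would also match NETWORK-only callers.`, so that a later cleanup does not simplify the test back to a bitwise truthiness check. The enclosing function starts and ends outside the hunk.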