| b21298a686b04d55ff97223dd317497845713f4b |
|
10-Feb-2015 |
Jeff Davidson <jpd@google.com> |
Do not enforce CONTROL_VPN for calls from lockdown VPN.
Clearly document which methods in Vpn.java are designed to be used to
service a Binder call, and which must therefore check permissions and
clear the calling identity, and which methods are designed for
internal use only and which therefore need not check permission.
Add a new startLegacyVpnPrivileged method which bypasses the
permission checks, to be used by lockdown VPN which is a trusted
system service. Ensure that the existing startLegacyVpn method checks
permissions as this is used whenever we respond to a binder call.
Bug: 19311172
Change-Id: I34f13258ee7481f1356bc523124cf5db068b4972
/frameworks/base/services/core/java/com/android/server/net/LockdownVpnTracker.java
|
| ad4cd0c01966017e2f51ec3d23d06de3874f100c |
|
15-Oct-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Allow root and system to bypass the always-on VPN firewall rules
This is needed to allow the always-on VPN to survive network
switches. In L, network switches are graceful, and in order to
switch to a network, the system first has to validate it using
DNS requests (from netd, running as root) and HTTP requests
(from NetworkMonitor, running inside the system_server).
This should also allow always-on VPN to work on networks like
T-Mobile that use 464xlat, fixing a bug that has been present
since K.
Bug: 9597277
Bug: 17695048
Change-Id: I0daa5707f2139339f9ececde0e73aac3bf23fdc3
/frameworks/base/services/core/java/com/android/server/net/LockdownVpnTracker.java
|
| 02c7abac856c3e94f4a2714d673cefb65c55efb7 |
|
15-Oct-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Don't make lockdown VPN source firewall rules over-broad.
Currently, the lockdown VPN adds firewall allow rules matching
the whole subnet that the server assigned, so for example if
the VPN server assigns it the IP address 10.1.23.5/8, it will
allow the whole of 10.0.0.0/8 to pass the firewall.
This is needlessly overbroad and has a particularly bad corner
case where if the prefix length is 0, everything is allowed.
Bug: 17695048
Change-Id: Idbec4b3aea0f72f9bdfd26dcd72d6a97d026fb12
/frameworks/base/services/core/java/com/android/server/net/LockdownVpnTracker.java
|
| 0cb7903ddedbbb8a8171926e4460b74af589369d |
|
15-Oct-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Propagate network state changes to the LockdownVpnTracker.
Bug: 17695048
Change-Id: I10378df0ab545729a6a315fd1bc8870cd98f47b3
/frameworks/base/services/core/java/com/android/server/net/LockdownVpnTracker.java
|
| 05542603dd4f1e0ea47a3dca01de3999a9a329a9 |
|
11-Aug-2014 |
Jeff Davidson <jpd@google.com> |
Less intrusive VPN dialog and other UX tweaks.
-The ability to launch VPNs is now sticky; once approved by the user,
further approvals are not needed UNLESS the connection is revoked in
Quick Settings.
-The old persistent notification has been removed in favor of the new
Quick Settings UI.
-The name of the VPN app is now pulled from the label of the VPN
service rather than the app itself, if one is set.
Bug: 12878887
Bug: 16578022
Change-Id: I102a14c05db26ee3aef030cda971e5165f078a91
/frameworks/base/services/core/java/com/android/server/net/LockdownVpnTracker.java
|
| 255dd04271088590fedc46c8e22b2fd4ab142d39 |
|
19-Aug-2014 |
Selim Cinek <cinek@google.com> |
Added notification color to all system notifications
Bug: 17128331
Change-Id: I81a94510ef51b99916f314c0dd65852426a1fbeb
/frameworks/base/services/core/java/com/android/server/net/LockdownVpnTracker.java
|
| 9158825f9c41869689d6b1786d7c7aa8bdd524ce |
|
22-Nov-2013 |
Amith Yamasani <yamasani@google.com> |
Move some system services to separate directories
Refactored the directory structure so that services can be optionally
excluded. This is step 1. Will be followed by another change that makes
it possible to remove services from the build.
Change-Id: Ideacedfd34b5e213217ad3ff4ebb21c4a8e73f85
/frameworks/base/services/core/java/com/android/server/net/LockdownVpnTracker.java
|