authorJeff Sharkey <jsharkey@android.com>2012-08-25 00:05:46 -0700
committerJeff Sharkey <jsharkey@android.com>2012-08-27 12:35:05 -0700
commit69ddab4575ff684c533c995e07ca15fe18543fc0 (patch)
treedfae3a89b9027c33d47b58f80200af021bbe7426 /core/java
parent080ca09c7f4c0033d0efece23687b71f7f8febc9 (diff)
downloadframeworks_base-69ddab4575ff684c533c995e07ca15fe18543fc0.zip
frameworks_base-69ddab4575ff684c533c995e07ca15fe18543fc0.tar.gz
frameworks_base-69ddab4575ff684c533c995e07ca15fe18543fc0.tar.bz2
Always-on VPN.
Adds support for always-on VPN profiles, also called "lockdown." When enabled, LockdownVpnTracker manages the netd firewall to prevent unencrypted traffic from leaving the device. It creates narrow rules to only allow traffic to the selected VPN server. When an egress network becomes available, LockdownVpnTracker will try bringing up the VPN connection, and will reconnect if disconnected. ConnectivityService augments any NetworkInfo based on the lockdown VPN status to help apps wait until the VPN is connected. This feature requires that VPN profiles use an IP address for both VPN server and DNS. It also blocks non-default APN access when enabled. Waits for USER_PRESENT after boot to check KeyStore status. Bug: 5756357 Change-Id: If615f206b1634000d78a8350a17e88bfcac8e0d0
Diffstat (limited to 'core/java')
-rw-r--r--core/java/android/app/NotificationManager.java8
-rw-r--r--core/java/android/net/ConnectivityManager.java9
-rw-r--r--core/java/android/net/IConnectivityManager.aidl2
-rw-r--r--core/java/com/android/internal/net/VpnProfile.java31
4 files changed, 48 insertions, 2 deletions
diff --git a/core/java/android/app/NotificationManager.java b/core/java/android/app/NotificationManager.java
index bf83f5e..69c20b0 100644
--- a/core/java/android/app/NotificationManager.java
+++ b/core/java/android/app/NotificationManager.java
@@ -17,10 +17,9 @@
package android.app;
import android.content.Context;
-import android.os.Binder;
-import android.os.RemoteException;
import android.os.Handler;
import android.os.IBinder;
+import android.os.RemoteException;
import android.os.ServiceManager;
import android.util.Log;
@@ -88,6 +87,11 @@ public class NotificationManager
mContext = context;
}
+ /** {@hide} */
+ public static NotificationManager from(Context context) {
+ return (NotificationManager) context.getSystemService(Context.NOTIFICATION_SERVICE);
+ }
+
/**
* Post a notification to be shown in the status bar. If a notification with
* the same id has already been posted by your application and has not yet been canceled, it
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index d30ef04..60bf4d6 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -912,4 +912,13 @@ public class ConnectivityManager {
return false;
}
}
+
+ /** {@hide} */
+ public boolean updateLockdownVpn() {
+ try {
+ return mService.updateLockdownVpn();
+ } catch (RemoteException e) {
+ return false;
+ }
+ }
}
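Review bot: `updateLockdownVpn()` returns `false` when the binder call throws `RemoteException`, so a caller cannot tell "service unreachable" from the service itself answering `false`, and the `/** {@hide} */` comment does not say what the boolean means. Since the commit message describes lockdown as what keeps unencrypted traffic from leaving the device, I would extend the Javadoc to state what `true` and `false` mean and that `false` is also returned on `RemoteException`, so callers treat `false` as "lockdown state unknown" rather than "nothing to do". The matching `boolean updateLockdownVpn();` added to `IConnectivityManager.aidl` is also undocumented; a one-line comment there naming the permission the service enforces would help, as the enforcing code is outside this diff (limited to `core/java`) and cannot be confirmed from here.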
diff --git a/core/java/android/net/IConnectivityManager.aidl b/core/java/android/net/IConnectivityManager.aidl
index dea25dd..3614045 100644
--- a/core/java/android/net/IConnectivityManager.aidl
+++ b/core/java/android/net/IConnectivityManager.aidl
@@ -122,4 +122,6 @@ interface IConnectivityManager
void startLegacyVpn(in VpnProfile profile);
LegacyVpnInfo getLegacyVpnInfo();
+
+ boolean updateLockdownVpn();
}
diff --git a/core/java/com/android/internal/net/VpnProfile.java b/core/java/com/android/internal/net/VpnProfile.java
index d6c5702..7287327 100644
--- a/core/java/com/android/internal/net/VpnProfile.java
+++ b/core/java/com/android/internal/net/VpnProfile.java
@@ -18,7 +18,10 @@ package com.android.internal.net;
import android.os.Parcel;
import android.os.Parcelable;
+import android.text.TextUtils;
+import android.util.Log;
+import java.net.InetAddress;
import java.nio.charset.Charsets;
/**
@@ -31,6 +34,8 @@ import java.nio.charset.Charsets;
* @hide
*/
public class VpnProfile implements Cloneable, Parcelable {
+ private static final String TAG = "VpnProfile";
+
// Match these constants with R.array.vpn_types.
public static final int TYPE_PPTP = 0;
public static final int TYPE_L2TP_IPSEC_PSK = 1;
@@ -124,6 +129,32 @@ public class VpnProfile implements Cloneable, Parcelable {
return builder.toString().getBytes(Charsets.UTF_8);
}
+ /**
+ * Test if profile is valid for lockdown, which requires IPv4 address for
+ * both server and DNS. Server hostnames would require using DNS before
+ * connection.
+ */
+ public boolean isValidLockdownProfile() {
+ try {
+ InetAddress.parseNumericAddress(server);
+
+ for (String dnsServer : dnsServers.split(" +")) {
+ InetAddress.parseNumericAddress(this.dnsServers);
+ }
+ if (TextUtils.isEmpty(dnsServers)) {
+ Log.w(TAG, "DNS required");
+ return false;
+ }
+
+ // Everything checked out above
+ return true;
+
+ } catch (IllegalArgumentException e) {
+ Log.w(TAG, "Invalid address", e);
+ return false;
+ }
+ }
+
@Override
public void writeToParcel(Parcel out, int flags) {
out.writeString(key);
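Review bot: The loop in `isValidLockdownProfile()` parses `this.dnsServers` (the whole space-separated string) on every iteration instead of the loop variable `dnsServer`, so individual DNS entries are never validated and a profile listing more than one server is likely rejected as a whole. The `TextUtils.isEmpty(dnsServers)` check runs only after the loop, and `server` has no emptiness check at all, so whether a blank value is rejected depends on how `parseNumericAddress` treats an empty string; checking both before parsing makes the result fail-closed regardless. The Javadoc promises an IPv4 address, but nothing in the method restricts the parsed result to `Inet4Address`, so either the comment or the check should change. The fence below shows the reordered checks and the corrected loop argument; the rest of the method is unchanged.

```java
    public boolean isValidLockdownProfile() {
        try {
            // Reject blank values up front instead of relying on the parser.
            if (TextUtils.isEmpty(server)) {
                Log.w(TAG, "Server required");
                return false;
            }
            InetAddress.parseNumericAddress(server);

            if (TextUtils.isEmpty(dnsServers)) {
                Log.w(TAG, "DNS required");
                return false;
            }
            for (String dnsServer : dnsServers.split(" +")) {
                // Validate each entry, not the whole space-separated list.
                InetAddress.parseNumericAddress(dnsServer);
            }
            // … unchanged: return true and the IllegalArgumentException handler …
```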