Disallow non-VPN tethering upstreams on always-on VPN lockdown mode
* This ensures that the Hotspot "Allow clients to use VPN" option
respects the VPN "Block connections without VPN" option,
to avoid any leaks.
Issue: calyxos#555
Change-Id: Ibd690c605a3d87e3c493550039a65862be16848b
Signed-off-by: Dmitrii <bankersenator@gmail.com>
Signed-off-by: Jis G Jacob <studiokeys@blissroms.org>
diff --git a/Tethering/src/com/android/networkstack/tethering/UpstreamNetworkMonitor.java b/Tethering/src/com/android/networkstack/tethering/UpstreamNetworkMonitor.java
index de7a98c..e95590d 100644
--- a/Tethering/src/com/android/networkstack/tethering/UpstreamNetworkMonitor.java
+++ b/Tethering/src/com/android/networkstack/tethering/UpstreamNetworkMonitor.java
@@ -90,6 +90,7 @@
private static final boolean VDBG = false;
// Copied from frameworks/base/core/java/android/provider/Settings.java
+ private static final String ALWAYS_ON_VPN_LOCKDOWN = "always_on_vpn_lockdown";
private static final String TETHERING_ALLOW_VPN_UPSTREAMS = "tethering_allow_vpn_upstreams";
public static final int EVENT_ON_CAPABILITIES = 1;
@@ -357,8 +358,13 @@
*/
public UpstreamNetworkState getCurrentPreferredUpstream() {
// Use VPN upstreams if hotspot settings allow.
- if (mTetheringUpstreamVpn != null && isAllowedToUseVpnUpstreams()) {
- return mNetworkMap.get(mTetheringUpstreamVpn);
+ if (isAllowedToUseVpnUpstreams()) {
+ if (mTetheringUpstreamVpn != null) {
+ return mNetworkMap.get(mTetheringUpstreamVpn);
+ } else if (Settings.Secure.getInt(mContext.getContentResolver(),
+ ALWAYS_ON_VPN_LOCKDOWN, 0) == 1) {
+ return null;
+ }
}
final UpstreamNetworkState dfltState = (mDefaultInternetNetwork != null)
? mNetworkMap.get(mDefaultInternetNetwork)
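Review bot: The lockdown check on the `Settings.Secure.getInt(mContext.getContentResolver(), ALWAYS_ON_VPN_LOCKDOWN, 0)` line only runs inside `if (isAllowedToUseVpnUpstreams())`. With the hotspot option off, the method still falls through to the `mDefaultInternetNetwork` lookup while lockdown is on. If that is intended, a comment such as `// Lockdown is honoured only when clients are meant to use the VPN; otherwise fall through to the default network.` would prevent the commit title being read as a blanket block. The value is read through `mContext` with a fail-open default of `0`, and Secure settings are per-user, so it is worth confirming that lockdown enabled for a secondary user or work profile is actually seen from this process. No observer for the key is visible in this hunk, so a lockdown toggle presumably takes effect only at the next upstream re-evaluation, and the method body continues past the hunk.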