Disable the AppOp Restriction for IpSec Tunnels
This CL temporarily removes the AppOp restriction
that disallows creation of IpSec tunnels due to
the lack of the appropriate AppOp in AOSP/master.
When the relevant framework merges out to master,
this CL should be reverted.
Manually merging this due to skipping a merge
conflict at ef9f2740a790feceaa47a24b1a179e93c4ffb5e6
Bug: none
Test: compilation
Change-Id: Ic06c193f85f6bcdd0ead4238825c1add78703cde
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 60f1877..744ed25 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1481,19 +1481,23 @@
}
}
+ private static final String TUNNEL_OP = "STOPSHIP"; // = AppOpsManager.OP_MANAGE_IPSEC_TUNNELS;
+
private void enforceTunnelPermissions(String callingPackage) {
checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels");
- switch (getAppOpsManager().noteOp(
- AppOpsManager.OP_MANAGE_IPSEC_TUNNELS,
- Binder.getCallingUid(), callingPackage)) {
- case AppOpsManager.MODE_DEFAULT:
- mContext.enforceCallingOrSelfPermission(
- android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
- break;
- case AppOpsManager.MODE_ALLOWED:
- return;
- default:
- throw new SecurityException("Request to ignore AppOps for non-legacy API");
+ if (false) { // STOPSHIP if this line is present
+ switch (getAppOpsManager().noteOp(
+ TUNNEL_OP,
+ Binder.getCallingUid(), callingPackage)) {
+ case AppOpsManager.MODE_DEFAULT:
+ mContext.enforceCallingOrSelfPermission(
+ android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
+ break;
+ case AppOpsManager.MODE_ALLOWED:
+ return;
+ default:
+ throw new SecurityException("Request to ignore AppOps for non-legacy API");
+ }
}
}