Require IPSEC_TUNNEL_MIGRATION feature flag to migrate transforms
Bug: 169169973
Test: atest IpSecServiceParameterizedTest (new tests added)
Change-Id: I3dd45b29163cd1e0cdbef08cb8aabdb629cf73bc
diff --git a/service-t/src/com/android/server/IpSecService.java b/service-t/src/com/android/server/IpSecService.java
index ca96c06..9e71eb3 100644
--- a/service-t/src/com/android/server/IpSecService.java
+++ b/service-t/src/com/android/server/IpSecService.java
@@ -17,6 +17,7 @@
package com.android.server;
import static android.Manifest.permission.DUMP;
+import static android.net.IpSecManager.FEATURE_IPSEC_TUNNEL_MIGRATION;
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
import static android.system.OsConstants.AF_INET;
import static android.system.OsConstants.AF_INET6;
@@ -1681,6 +1682,14 @@
android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
}
+ private void enforceMigrateFeature() {
+ if (!mContext.getPackageManager().hasSystemFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)) {
+ throw new UnsupportedOperationException(
+ "IPsec Tunnel migration requires"
+ + " PackageManager.FEATURE_IPSEC_TUNNEL_MIGRATION");
+ }
+ }
+
private void createOrUpdateTransform(
IpSecConfig c, int resourceId, SpiRecord spiRecord, EncapSocketRecord socketRecord)
throws RemoteException {
@@ -1807,6 +1816,7 @@
Objects.requireNonNull(newDestinationAddress, "newDestinationAddress was null");
enforceTunnelFeatureAndPermissions(callingPackage);
+ enforceMigrateFeature();
UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
TransformRecord transformInfo =
@@ -1962,6 +1972,14 @@
createOrUpdateTransform(c, transformResourceId, spiRecord, socketRecord);
if (transformInfo.isMigrating()) {
+ if (!mContext.getPackageManager()
+ .hasSystemFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)) {
+ Log.wtf(
+ TAG,
+ "Attempted to migrate a transform without"
+ + " FEATURE_IPSEC_TUNNEL_MIGRATION");
+ }
+
for (int selAddrFamily : ADDRESS_FAMILIES) {
final IpSecMigrateInfoParcel migrateInfo =
new IpSecMigrateInfoParcel(