Allow VPN lockdown UID ranges to stack properly
When updating lockdown UID ranges, do not remove a UID from lockdown
if it is still present in any of the previously-supplied ranges that
have yet to be removed. This allows supplied lockdown ranges to stack
properly, providing an assurance that a UID will remain subject to
lockdown until all of the ranges including it have been removed.
Change-Id: Ia95724cd19040f83cea2c169a2585ab5dbdddbac
Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>
diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java
index 1bab186..3bf7fdc 100755
--- a/service/src/com/android/server/connectivity/PermissionMonitor.java
+++ b/service/src/com/android/server/connectivity/PermissionMonitor.java
@@ -1027,8 +1027,10 @@
// exclude privileged apps from the prohibit routing rules used to implement outgoing packet
// filtering, privileged apps can still bypass outgoing packet filtering because the
// prohibit rules observe the protected from VPN bit.
+ // If removing a UID, we ensure it is not present anywhere in the set first.
for (final int uid: affectedUids) {
- if (!hasRestrictedNetworksPermission(uid)) {
+ if (!hasRestrictedNetworksPermission(uid)
+ && (add || !UidRange.containsUid(mVpnLockdownUidRanges.getSet(), uid))) {
updateLockdownUidRule(uid, add);
}
}