Check if we're connected before marking a UID blocked

This kills the always-on test, and any third-party app that correctly
checks whether it's blocked before attempting to make a connection.

Only affects always-on VPN when lockdown=true.

Bug: 28909500
Change-Id: I87aa9598d3872ae2ec409c2b19d73052c21ec878
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index 32b9429..dd9baf4 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -1055,18 +1055,27 @@
     }
 
     /**
-     * @return {@code true} if the set of users blocked whilst waiting for VPN to connect includes
-     *         the UID {@param uid}, {@code false} otherwise.
+     * @return {@code true} if {@param uid} is blocked by an always-on VPN.
+     *         A UID is blocked if it's included in one of the mBlockedUsers ranges and the VPN is
+     *         not connected, or if the VPN is connected but does not apply to the UID.
      *
      * @see #mBlockedUsers
      */
     public synchronized boolean isBlockingUid(int uid) {
-        for (UidRange uidRange : mBlockedUsers) {
-            if (uidRange.contains(uid)) {
-                return true;
-            }
+        if (!mLockdown) {
+            return false;
         }
-        return false;
+
+        if (mNetworkInfo.isConnected()) {
+            return !appliesToUid(uid);
+        } else {
+            for (UidRange uidRange : mBlockedUsers) {
+                if (uidRange.contains(uid)) {
+                    return true;
+                }
+            }
+            return false;
+        }
     }
 
     private native int jniCreate(int mtu);
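Review bot: The new Javadoc on `isBlockingUid` does not say that the method returns `false` whenever `mLockdown` is unset, and `{@param uid}` is not a valid inline tag. I would write `{@code uid}` and add a sentence such as `Always returns {@code false} when lockdown is disabled.` In the connected branch the result comes from `!appliesToUid(uid)` alone and `mBlockedUsers` is no longer consulted. The reported state is therefore right only if what `appliesToUid` covers matches the ranges actually being blocked once the VPN is up, and that invariant is maintained outside this hunk, so it cannot be confirmed from here. A short comment above `if (mNetworkInfo.isConnected())`, e.g. `// Under lockdown, once connected every UID the VPN does not cover is blocked.`, would make the fail-closed intent explicit.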