Add new appop for Platform VPNs
This change introduces a new appop, ACTIVATE_PLATFORM_VPN, that is a
subset of the ACTIVATE_VPN appop. VPN apps that have been granted the
more dangerous ACTIVATE_VPN appop should be allowed to use platform
VPNs, as those are more restricted and safer. However, the reverse must
not hold: ACTIVATE_PLATFORM_VPN alone must not allow VpnService-based VPNs.
Bug: 144246835
Test: Compiles, FrameworksNetTests passing
Change-Id: I609e87e688432f957751058b09f350fa641753d7
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index 4a8e4e2..a11f41f 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -726,7 +726,17 @@
/** @hide Capture the device's display contents and/or audio */
@UnsupportedAppUsage
public static final int OP_PROJECT_MEDIA = 46;
- /** @hide Activate a VPN connection without user intervention. */
+ /**
+ * Start (without additional user intervention) a VPN connection, as used by {@link
+ * android.net.VpnService} along with as Platform VPN connections, as used by {@link
+ * android.net.VpnManager}
+ *
+ * <p>This appop is granted to apps that have already been given user consent to start
+ * VpnService based VPN connections. As this is a superset of OP_ACTIVATE_PLATFORM_VPN, this
+ * appop also allows the starting of Platform VPNs.
+ *
+ * @hide
+ */
@UnsupportedAppUsage
public static final int OP_ACTIVATE_VPN = 47;
/** @hide Access the WallpaperManagerAPI to write wallpapers. */
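Review bot: The new Javadoc on OP_ACTIVATE_VPN reads `along with as Platform VPN connections`, which is garbled; `as well as Platform VPN connections` is presumably what was meant. The superset relationship is written as plain text both here and in the OP_ACTIVATE_PLATFORM_VPN Javadoc in the next hunk; `{@link #OP_ACTIVATE_PLATFORM_VPN}` and `{@link #OP_ACTIVATE_VPN}` would keep the two comments tied together if either constant is renamed. Nothing visible in this file encodes that one op implies the other, so the comment should name where that check lives (presumably the VPN consent path, which is outside this diff), because a caller that checks only OP_ACTIVATE_PLATFORM_VPN would not honour the documented superset.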
@@ -852,10 +862,21 @@
public static final int OP_MANAGE_EXTERNAL_STORAGE = 92;
/** @hide Communicate cross-profile within the same profile group. */
public static final int OP_INTERACT_ACROSS_PROFILES = 93;
+ /**
+ * Start (without additional user intervention) a Platform VPN connection, as used by {@link
+ * android.net.VpnManager}
+ *
+ * <p>This appop is granted to apps that have already been given user consent to start Platform
+ * VPN connections. This appop is insufficient to start VpnService based VPNs; OP_ACTIVATE_VPN
+ * is needed for that.
+ *
+ * @hide
+ */
+ public static final int OP_ACTIVATE_PLATFORM_VPN = 94;
/** @hide */
@UnsupportedAppUsage
- public static final int _NUM_OP = 94;
+ public static final int _NUM_OP = 95;
/** Access to coarse location information. */
public static final String OPSTR_COARSE_LOCATION = "android:coarse_location";
@@ -1149,6 +1170,8 @@
/** @hide Communicate cross-profile within the same profile group. */
@SystemApi
public static final String OPSTR_INTERACT_ACROSS_PROFILES = "android:interact_across_profiles";
+ /** @hide Start Platform VPN without user intervention */
+ public static final String OPSTR_ACTIVATE_PLATFORM_VPN = "android:activate_platform_vpn";
/** {@link #sAppOpsToNote} not initialized yet for this op */
@@ -1333,6 +1356,7 @@
OP_QUERY_ALL_PACKAGES, // QUERY_ALL_PACKAGES
OP_MANAGE_EXTERNAL_STORAGE, // MANAGE_EXTERNAL_STORAGE
OP_INTERACT_ACROSS_PROFILES, //INTERACT_ACROSS_PROFILES
+ OP_ACTIVATE_PLATFORM_VPN, // ACTIVATE_PLATFORM_VPN
};
/**
@@ -1433,6 +1457,7 @@
OPSTR_QUERY_ALL_PACKAGES,
OPSTR_MANAGE_EXTERNAL_STORAGE,
OPSTR_INTERACT_ACROSS_PROFILES,
+ OPSTR_ACTIVATE_PLATFORM_VPN,
};
/**
@@ -1533,7 +1558,8 @@
"ACCESS_MEDIA_LOCATION",
"QUERY_ALL_PACKAGES",
"MANAGE_EXTERNAL_STORAGE",
- "INTERACT_ACROSS_PROFILES"
+ "INTERACT_ACROSS_PROFILES",
+ "ACTIVATE_PLATFORM_VPN",
};
/**
@@ -1636,6 +1662,7 @@
null, // no permission for OP_QUERY_ALL_PACKAGES
Manifest.permission.MANAGE_EXTERNAL_STORAGE,
android.Manifest.permission.INTERACT_ACROSS_PROFILES,
+ null, // no permission for OP_ACTIVATE_PLATFORM_VPN
};
/**
@@ -1738,6 +1765,7 @@
null, // QUERY_ALL_PACKAGES
null, // MANAGE_EXTERNAL_STORAGE
null, // INTERACT_ACROSS_PROFILES
+ null, // ACTIVATE_PLATFORM_VPN
};
/**
@@ -1839,6 +1867,7 @@
false, // QUERY_ALL_PACKAGES
false, // MANAGE_EXTERNAL_STORAGE
false, // INTERACT_ACROSS_PROFILES
+ false, // ACTIVATE_PLATFORM_VPN
};
/**
@@ -1939,6 +1968,7 @@
AppOpsManager.MODE_DEFAULT, // QUERY_ALL_PACKAGES
AppOpsManager.MODE_DEFAULT, // MANAGE_EXTERNAL_STORAGE
AppOpsManager.MODE_DEFAULT, // INTERACT_ACROSS_PROFILES
+ AppOpsManager.MODE_IGNORED, // ACTIVATE_PLATFORM_VPN
};
/**
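Review bot: The added `AppOpsManager.MODE_IGNORED` entry is the only one of the visible entries that is not `MODE_DEFAULT`, and its trailing comment does not say why. The permissions hunk maps this op to `null` (no manifest permission), so the op mode appears to be the only gate on starting a Platform VPN, and the deny-by-default choice is worth recording on the line: `AppOpsManager.MODE_IGNORED, // ACTIVATE_PLATFORM_VPN: denied until the user consents`. The array's declaration is outside the hunk, so which table this is has been inferred from the values.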
@@ -2043,6 +2073,7 @@
false, // QUERY_ALL_PACKAGES
false, // MANAGE_EXTERNAL_STORAGE
false, // INTERACT_ACROSS_PROFILES
+ false, // ACTIVATE_PLATFORM_VPN
};
/**
diff --git a/core/java/android/app/AsyncNotedAppOp.java b/core/java/android/app/AsyncNotedAppOp.java
index d993ec1..3febf71 100644
--- a/core/java/android/app/AsyncNotedAppOp.java
+++ b/core/java/android/app/AsyncNotedAppOp.java
@@ -256,10 +256,10 @@
};
@DataClass.Generated(
- time = 1578321462996L,
+ time = 1578516519372L,
codegenVersion = "1.0.14",
sourceFile = "frameworks/base/core/java/android/app/AsyncNotedAppOp.java",
- inputSignatures = "private final @android.annotation.IntRange(from=0L, to=93L) int mOpCode\nprivate final @android.annotation.IntRange(from=0L) int mNotingUid\nprivate final @android.annotation.Nullable java.lang.String mFeatureId\nprivate final @android.annotation.NonNull java.lang.String mMessage\nprivate final @android.annotation.IntRange(from=0L) long mTime\npublic @android.annotation.NonNull java.lang.String getOp()\nclass AsyncNotedAppOp extends java.lang.Object implements [android.os.Parcelable]\n@com.android.internal.util.DataClass(genEqualsHashCode=true, genAidl=true, genHiddenConstructor=true)")
+ inputSignatures = "private final @android.annotation.IntRange(from=0L, to=94L) int mOpCode\nprivate final @android.annotation.IntRange(from=0L) int mNotingUid\nprivate final @android.annotation.Nullable java.lang.String mFeatureId\nprivate final @android.annotation.NonNull java.lang.String mMessage\nprivate final @android.annotation.IntRange(from=0L) long mTime\npublic @android.annotation.NonNull java.lang.String getOp()\nclass AsyncNotedAppOp extends java.lang.Object implements [android.os.Parcelable]\n@com.android.internal.util.DataClass(genEqualsHashCode=true, genAidl=true, genHiddenConstructor=true)")
@Deprecated
private void __metadata() {}