DivestOS/Patches/LineageOS-18.1/android_system_netd/0002-Fix_DNS_leaks-relaxed.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Wed, 31 Jul 2024 02:44:05 -0400
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps

This avoids attempting to fix the leaks for VPN apps causing leaks
through not configuring DNS. This can be reliably fixed from the VPN
app's side.
---
 server/NetworkController.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 93ccf202..c7a8a132 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -204,7 +204,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
 
 uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
     Fwmark fwmark;
-    fwmark.protectedFromVpn = canProtectLocked(uid);
+    fwmark.protectedFromVpn = true;
     fwmark.permission = getPermissionForUserLocked(uid);
 
     // Common case: there is no VPN that applies to the user, and the query did not specify a netId.
@@ -216,6 +216,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
         *netId = mDefaultNetId;
         fwmark.netId = *netId;
         fwmark.explicitlySelected = true;
+         fwmark.protectedFromVpn = canProtectLocked(uid);
         return fwmark.intValue;
     }
 
@@ -231,6 +232,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
         Network *network = getNetworkLocked(*netId);
         if (network && network->getType() == Network::VIRTUAL && !resolv_has_nameservers(*netId)) {
             *netId = mDefaultNetId;
+        } else {
+            fwmark.protectedFromVpn = canProtectLocked(uid);
         }
     } else {
         // If the user is subject to a VPN and the VPN provides DNS servers, use those servers
16.0+: Relaxed fix for DNS leaks with app based VPNs from GrapheneOS Signed-off-by: Tavi <tavi@divested.dev> 2024-08-01 00:40:22 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Daniel Micay <daniel.micay@grapheneos.org>`
			`Date: Wed, 31 Jul 2024 02:44:05 -0400`
			`Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps`

			`This avoids attempting to fix the leaks for VPN apps causing leaks`
			`through not configuring DNS. This can be reliably fixed from the VPN`
			`app's side.`
			`---`
			`server/NetworkController.cpp \| 5 ++++-`
			`1 file changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp`
			`index 93ccf202..c7a8a132 100644`
			`--- a/server/NetworkController.cpp`
			`+++ b/server/NetworkController.cpp`
			`@@ -204,7 +204,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {`

			`uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {`
			`Fwmark fwmark;`
			`- fwmark.protectedFromVpn = canProtectLocked(uid);`
			`+ fwmark.protectedFromVpn = true;`
			`fwmark.permission = getPermissionForUserLocked(uid);`

			`// Common case: there is no VPN that applies to the user, and the query did not specify a netId.`
			`@@ -216,6 +216,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c`
			`*netId = mDefaultNetId;`
			`fwmark.netId = *netId;`
			`fwmark.explicitlySelected = true;`
			`+ fwmark.protectedFromVpn = canProtectLocked(uid);`
			`return fwmark.intValue;`
			`}`

			`@@ -231,6 +232,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c`
			`Network network = getNetworkLocked(netId);`
			`if (network && network->getType() == Network::VIRTUAL && !resolv_has_nameservers(*netId)) {`
			`*netId = mDefaultNetId;`
			`+ } else {`
			`+ fwmark.protectedFromVpn = canProtectLocked(uid);`
			`}`
			`} else {`
			`// If the user is subject to a VPN and the VPN provides DNS servers, use those servers`