2024-07-31 20:40:22 -04:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Daniel Micay <daniel.micay@grapheneos.org>
|
|
|
|
Date: Wed, 31 Jul 2024 02:44:05 -0400
|
|
|
|
Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
|
|
|
|
|
|
|
|
This avoids attempting to fix the leaks for VPN apps causing leaks
|
|
|
|
through not configuring DNS. This can be reliably fixed from the VPN
|
|
|
|
app's side.
|
|
|
|
---
|
|
|
|
server/NetworkController.cpp | 5 ++++-
|
|
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
|
|
|
|
index 93ccf202..c7a8a132 100644
|
|
|
|
--- a/server/NetworkController.cpp
|
|
|
|
+++ b/server/NetworkController.cpp
|
|
|
|
@@ -204,7 +204,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
|
|
|
|
|
|
|
|
uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
|
|
|
|
Fwmark fwmark;
|
|
|
|
- fwmark.protectedFromVpn = canProtectLocked(uid);
|
|
|
|
+ fwmark.protectedFromVpn = true;
|
|
|
|
fwmark.permission = getPermissionForUserLocked(uid);
|
|
|
|
|
|
|
|
// Common case: there is no VPN that applies to the user, and the query did not specify a netId.
|
|
|
|
@@ -216,6 +216,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
|
|
|
*netId = mDefaultNetId;
|
|
|
|
fwmark.netId = *netId;
|
|
|
|
fwmark.explicitlySelected = true;
|
2024-07-31 20:52:05 -04:00
|
|
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
2024-07-31 20:40:22 -04:00
|
|
|
return fwmark.intValue;
|
|
|
|
}
|
|
|
|
|
|
|
|
@@ -231,6 +232,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
|
|
|
|
Network *network = getNetworkLocked(*netId);
|
|
|
|
if (network && network->getType() == Network::VIRTUAL && !resolv_has_nameservers(*netId)) {
|
|
|
|
*netId = mDefaultNetId;
|
|
|
|
+ } else {
|
|
|
|
+ fwmark.protectedFromVpn = canProtectLocked(uid);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// If the user is subject to a VPN and the VPN provides DNS servers, use those servers
|