16.0+: Relaxed fix for DNS leaks with app based VPNs from GrapheneOS

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-16.0/android_system_netd/0001-Fix_DNS_leaks-relaxed.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <daniel.micay@grapheneos.org>
+Date: Wed, 31 Jul 2024 02:44:05 -0400
+Subject: [PATCH] relax VPN DNS leak prevention for incompatible apps
+
+This avoids attempting to fix the leaks for VPN apps causing leaks
+through not configuring DNS. This can be reliably fixed from the VPN
+app's side.
+---
+ server/NetworkController.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
+index e2467709..fbf136ce 100644
+--- a/server/NetworkController.cpp
++++ b/server/NetworkController.cpp
+@@ -192,7 +192,7 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
+ 
+ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
+     Fwmark fwmark;
+-    fwmark.protectedFromVpn = canProtectLocked(uid);
++    fwmark.protectedFromVpn = true;
+     fwmark.permission = getPermissionForUserLocked(uid);
+ 
+     // Common case: there is no VPN that applies to the user, and the query did not specify a netId.
+@@ -204,6 +204,7 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
+         *netId = mDefaultNetId;
+         fwmark.netId = *netId;
+         fwmark.explicitlySelected = true;
++         fwmark.protectedFromVpn = canProtectLocked(uid);
+         return fwmark.intValue;
+     }
+ 
+@@ -221,6 +222,8 @@ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) c
+         if (network && network->getType() == Network::VIRTUAL &&
+                 !static_cast<VirtualNetwork *>(network)->getHasDns()) {
+             *netId = mDefaultNetId;
++        } else {
++            fwmark.protectedFromVpn = canProtectLocked(uid);
+         }
+     } else {
+         // If the user is subject to a VPN and the VPN provides DNS servers, use those servers

Patches/LineageOS-16.0/android_system_netd/0001-Fix_DNS_leaks.patch

@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
+Date: Thu, 9 May 2024 23:02:17 +0300
+Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
+
+---
+ server/NetworkController.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
+index 20ae44b2..93ccf202 100644
+--- a/server/NetworkController.cpp
++++ b/server/NetworkController.cpp
+@@ -204,8 +204,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
+ 
+ uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
+     Fwmark fwmark;
+-    fwmark.protectedFromVpn = true;
+-    fwmark.permission = PERMISSION_SYSTEM;
++    fwmark.protectedFromVpn = canProtectLocked(uid);
++    fwmark.permission = getPermissionForUserLocked(uid);
+ 
+     // Common case: there is no VPN that applies to the user, and the query did not specify a netId.
+     // Therefore, it is safe to set the explicit bit on this query and skip all the complex logic