Small updates + Picks

Signed-off-by: Tad <tad@spotco.us>
2025-08-02 03:16:21 -04:00 · 2022-12-07 12:37:13 -05:00 · 2022-12-07 12:37:13 -05:00 · ce47fdae34
commit ce47fdae34
parent a62922e72d
8 changed files with 110 additions and 62 deletions
--- a/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-NetSDKSandboxCrash.patch
@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Tad <tad@spotco.us>
-Date: Sat, 3 Dec 2022 23:00:52 -0500
-Subject: [PATCH] Don't crash system when adding SDK sandbox rules
-
-This is an ugly hack to prevent bailing and help debug.
-
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: NetworkPolicy.uid
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 103
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.util.SparseIntArray.keyAt(SparseIntArray.java:183)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.addSdkSandboxUidsIfNeeded(NetworkPolicyManagerService.java:5982)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.setUidFirewallRulesUL(NetworkPolicyManagerService.java:6002)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService.updateRestrictedModeAllowlistUL(NetworkPolicyManagerService.java:4454)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.net.NetworkPolicyManagerService$12.onAvailable(NetworkPolicyManagerService.java:1449)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$NetworkCallback.onAvailable(ConnectivityManager.java:3801)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$NetworkCallback.onAvailable(ConnectivityManager.java:3783)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.net.ConnectivityManager$CallbackHandler.handleMessage(ConnectivityManager.java:4107)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:106)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Looper.loopOnce(Looper.java:201)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:288)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at android.os.HandlerThread.run(HandlerThread.java:67)
-12-03 17:15:29.395  1406  1737 E AndroidRuntime: 	at com.android.server.ServiceThread.run(ServiceThread.java:44)
-12-03 17:15:29.396  1406  1737 I am_crash: [1406,0,system_server,-1,java.lang.ArrayIndexOutOfBoundsException,Array index out of range: 103,SparseIntArray.java,183]
-
-Change-Id: I97fead6014ba47e107a90c57e12584b656a8e220
-Signed-off-by: Tad <tad@spotco.us>
---
- .../server/net/NetworkPolicyManagerService.java    | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-index 44f8e76c4dd0..030d4f23b11d 100644
--- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-+++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
-@@ -5978,12 +5978,16 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
-     private void addSdkSandboxUidsIfNeeded(SparseIntArray uidRules) {
-         final int size = uidRules.size();
-         final SparseIntArray sdkSandboxUids = new SparseIntArray();
-        for (int index = 0; index < size; index++) {
-            final int uid = uidRules.keyAt(index);
-            final int rule = uidRules.valueAt(index);
-            if (Process.isApplicationUid(uid)) {
-                sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
-+        try {
-+            for (int index = 0; index < size; index++) {
-+                final int uid = uidRules.keyAt(index);
-+                final int rule = uidRules.valueAt(index);
-+                if (Process.isApplicationUid(uid)) {
-+                    sdkSandboxUids.put(Process.toSdkSandboxUid(uid), rule);
-+                }
-             }
-+        } catch (Exception e) {
-+            Log.e(TAG, "problem setting sandbox uid rules, size: " + size, e);
-         }
- 
-         for (int index = 0; index < sdkSandboxUids.size(); index++) {
--- a/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0029-Split_Tunnel_Fixes.patch
@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tommy Webb <tommy@calyxinstitute.org>
+Date: Mon, 5 Dec 2022 14:42:38 +0100
+Subject: [PATCH] Reland "Fix network leaks with split-tunnel VPNs"
+
+This does two things:
+1. Revert the portion of I48e08f34 "fw/b: Add support for allowing
+   /disallowing apps on cellular, vpn and wifi networks" that was
+   previously responsible for updating the restricted mode allowlist
+   based on changes to the default network.
+2. Bring in Ib4bcf5ae "Fix network leaks with split-tunnel VPNs", which
+   meets the same goal of updating the allowlist, but in a wider range
+   of conditions. Retaining the prior implementation led to a race
+   condition which caused crashes and soft reboots, because the calls
+   to `updateRestrictedModeAllowlistUL()` were not being appropriately
+   guarded by `mUidRulesFirstLock`.
+
+Ultimately, this patch should probably be squashed into I48e08f34.
+
+Co-authored-by: Oliver Scott <olivercscott@gmail.com>
+Issue: calyxos#1081
+Change-Id: I84c7667824cc840724a07e7d0435f5ec59a67986
+---
+ .../net/NetworkPolicyManagerService.java      | 43 ++++++-------------
+ 1 file changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+index 8102d892c2d7..7addf69a28af 100644
+--- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+@@ -1105,14 +1105,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+                     ACTION_CARRIER_CONFIG_CHANGED);
+             mContext.registerReceiver(mCarrierConfigReceiver, carrierConfigFilter, null, mHandler);
+ 
+-            for (UserInfo userInfo : mUserManager.getAliveUsers()) {
+-                mConnManager.registerDefaultNetworkCallbackForUid(
+-                        UserHandle.getUid(userInfo.id, Process.myUid()),
+-                        mDefaultNetworkCallback,
+-                        mUidEventHandler
+-                );
+-            }
+-
+             // listen for meteredness changes
+             mConnManager.registerNetworkCallback(
+                     new NetworkRequest.Builder().build(), mNetworkCallback);
+@@ -1303,11 +1295,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+                                 ConnectivitySettingsManager.getUidsAllowedOnRestrictedNetworks(
+                                         mContext);
+                         if (action == ACTION_USER_ADDED) {
+-                            mConnManager.registerDefaultNetworkCallbackForUid(
+-                                    UserHandle.getUid(userId, Process.myUid()),
+-                                    mDefaultNetworkCallback,
+-                                    mUidEventHandler
+-                            );
+                             // Add apps that are allowed by default.
+                             addDefaultRestrictBackgroundAllowlistUidsUL(userId);
+                             try {
+@@ -1443,24 +1430,6 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+         return changed;
+     }
+ 
+-    private final NetworkCallback mDefaultNetworkCallback = new NetworkCallback() {
+-        @Override
+-        public void onAvailable(@NonNull Network network) {
+-            updateRestrictedModeAllowlistUL();
+-        }
+-
+-        @Override
+-        public void onCapabilitiesChanged(@NonNull Network network,
+-                @NonNull NetworkCapabilities networkCapabilities) {
+-            final int[] newTransports = networkCapabilities.getTransportTypes();
+-            final boolean transportsChanged = updateTransportChange(
+-                    mNetworkTransports, newTransports, network);
+-            if (transportsChanged) {
+-                updateRestrictedModeAllowlistUL();
+-            }
+-        }
+-    };
+-
+     private final NetworkCallback mNetworkCallback = new NetworkCallback() {
+         @Override
+         public void onCapabilitiesChanged(@NonNull Network network,
+@@ -1888,6 +1857,18 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
+         updateSubscriptions();
+ 
+         synchronized (mUidRulesFirstLock) {
+            /* With split-tunnel VPNs (those that only include specific apps),
+             * the usual NetworkCallback handlers are never called, because the call to
+             * registerDefaultNetworkCallbackForUid only detects changes that affect this
+             * process; if this process is not covered by the VPN, it won't get callbacks.
+             * Ordinarily, updateRestrictedModeAllowlistUL() would be called from those.
+             * Firewall restrictions for apps will not be updated properly on VPN connect
+             * or disconnect if we don't call it from somewhere else, like here. */
+            // TODO: Come up with an appropriate callback that runs more promptly.
+            // updateNetworksInternal runs later than NetworkCallback handlers run, so
+            // this may present a window of opportunity for unauthorized network access.
+            updateRestrictedModeAllowlistUL();
+
+             synchronized (mNetworkPoliciesSecondLock) {
+                 ensureActiveCarrierPolicyAL();
+                 normalizePoliciesNL();