From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor
Date: Thu, 9 May 2024 23:02:17 +0300
Subject: [PATCH] fix DNS leak in VPN lockdown mode when VPN is down
---
 server/NetworkController.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 20ae44b2..93ccf202 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -204,8 +204,8 @@ int NetworkController::setDefaultNetwork(unsigned netId) {
 uint32_t NetworkController::getNetworkForDnsLocked(unsigned* netId, uid_t uid) const {
 Fwmark fwmark;
- fwmark.protectedFromVpn = true;
- fwmark.permission = PERMISSION_SYSTEM;
+ fwmark.protectedFromVpn = canProtectLocked(uid);
+ fwmark.permission = getPermissionForUserLocked(uid);
 // Common case: there is no VPN that applies to the user, and the query did not specify a netId.
 // Therefore, it is safe to set the explicit bit on this query and skip all the complex logic
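Review bot: The two new assignments in getNetworkForDnsLocked carry no comment explaining why the DNS fwmark is now derived from `uid`, so a later merge could restore the hard-coded `true` / `PERMISSION_SYSTEM` pair without anyone noticing the lockdown regression. I would add above them something like `// Use the caller's own protect/permission bits: a system-level, VPN-protected mark would presumably let DNS traffic bypass lockdown when the VPN is down.` The change also affects every lookup rather than only the lockdown case, so the paths below the "Common case" comment deserve a regression check for uids whose permission is lower than system. That applies in particular to queries that specify a netId. The function body continues outside the hunk, so whether those paths depended on the system-level mark cannot be confirmed from here.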