Merge "Add check to prevent resetting VPN always-on setting in safe mode" into main am: d5c28dd736 am: 1b4bce34a0

Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/3529966

Change-Id: I8086599a741527e98a6d88efe0982a5db472883d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

2 files changed, 31 insertions, 1 deletions

diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index ac0892b92646..aa985907071f 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -1113,7 +1113,11 @@ public class Vpn {
             }
             // Remove always-on VPN if it's not supported.
             if (!isAlwaysOnPackageSupported(alwaysOnPackage)) {
-                setAlwaysOnPackage(null, false, null);
+                // Do not remove the always-on setting due to the restricted ability in safe mode.
+                // The always-on VPN can then start after the device reboots to normal mode.
+                if (!mContext.getPackageManager().isSafeMode()) {
+                    setAlwaysOnPackage(null, false, null);
+                }
                 return false;
             }
             // Skip if the service is already established. This isn't bulletproof: it's not bound
diff --git a/services/tests/VpnTests/java/com/android/server/connectivity/VpnTest.java b/services/tests/VpnTests/java/com/android/server/connectivity/VpnTest.java
index 9117cc8e5ab8..a38ecc8523b1 100644
--- a/services/tests/VpnTests/java/com/android/server/connectivity/VpnTest.java
+++ b/services/tests/VpnTests/java/com/android/server/connectivity/VpnTest.java
@@ -3186,6 +3186,32 @@ public class VpnTest extends VpnTestBase {
         assertEquals(profile, ikev2VpnProfile.toVpnProfile());
     }
 
+    @Test
+    public void testStartAlwaysOnVpnOnSafeMode() throws Exception {
+        final Vpn vpn = createVpn(PRIMARY_USER.id);
+        setMockedUsers(PRIMARY_USER);
+
+        // UID checks must return a different UID; otherwise it'll be treated as already prepared.
+        final int uid = Process.myUid() + 1;
+        when(mPackageManager.getPackageUidAsUser(eq(TEST_VPN_PKG), anyInt()))
+                .thenReturn(uid);
+        when(mVpnProfileStore.get(vpn.getProfileNameForPackage(TEST_VPN_PKG)))
+                .thenReturn(mVpnProfile.encode());
+
+        setAndVerifyAlwaysOnPackage(vpn, uid, false);
+        assertTrue(vpn.startAlwaysOnVpn());
+        assertEquals(TEST_VPN_PKG, vpn.getAlwaysOnPackage());
+
+        // Simulate safe mode and restart the always-on VPN to verify the always-on package is not
+        // reset.
+        doReturn(null).when(mVpnProfileStore).get(vpn.getProfileNameForPackage(TEST_VPN_PKG));
+        doReturn(null).when(mPackageManager).queryIntentServicesAsUser(
+                any(), any(), eq(PRIMARY_USER.id));
+        doReturn(true).when(mPackageManager).isSafeMode();
+        assertFalse(vpn.startAlwaysOnVpn());
+        assertEquals(TEST_VPN_PKG, vpn.getAlwaysOnPackage());
+    }
+
     // Make it public and un-final so as to spy it
     public class TestDeps extends Vpn.Dependencies {
         TestDeps() {}