Merge "Disable the AppOp Restriction for IpSec Tunnels" into stage-aosp-master

am: bda7c96038 Change-Id: I98f2a964b3035daf93b54dc2b72561b16d2ded92
author: Nathan Harold <nharold@google.com> 2018-06-09 09:25:32 -0700
committer: android-build-merger <android-build-merger@google.com> 2018-06-09 09:25:32 -0700
commit: b0df70b6edd13235abde3a0fa526a9938088a267 (patch)
tree: df76fbd4f08bc211b746e471d67fc3d86517ca5e
parent: 94976cab9915b75c18c34eff792c3b067d46442d (diff)
parent: bda7c960380ee89d652ccedb76fd020ce51c4218 (diff)
2 files changed, 17 insertions, 11 deletions
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 60f1877d3739..744ed25f160f 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1481,19 +1481,23 @@ public class IpSecService extends IIpSecService.Stub {
         }
     }
 
+    private static final String TUNNEL_OP = "STOPSHIP"; // = AppOpsManager.OP_MANAGE_IPSEC_TUNNELS;
+
     private void enforceTunnelPermissions(String callingPackage) {
         checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels");
-        switch (getAppOpsManager().noteOp(
-                    AppOpsManager.OP_MANAGE_IPSEC_TUNNELS,
-                    Binder.getCallingUid(), callingPackage)) {
-            case AppOpsManager.MODE_DEFAULT:
-                mContext.enforceCallingOrSelfPermission(
-                        android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
-                break;
-            case AppOpsManager.MODE_ALLOWED:
-                return;
-            default:
-                throw new SecurityException("Request to ignore AppOps for non-legacy API");
+        if (false) { // STOPSHIP if this line is present
+            switch (getAppOpsManager().noteOp(
+                        TUNNEL_OP,
+                        Binder.getCallingUid(), callingPackage)) {
+                case AppOpsManager.MODE_DEFAULT:
+                    mContext.enforceCallingOrSelfPermission(
+                            android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
+                    break;
+                case AppOpsManager.MODE_ALLOWED:
+                    return;
+                default:
+                    throw new SecurityException("Request to ignore AppOps for non-legacy API");
+            }
         }
     }
 
diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
index e573d3586653..102cb7c77055 100644
--- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
+++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
@@ -50,6 +50,7 @@ import java.util.Arrays;
 import java.util.Collection;
 
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
@@ -592,6 +593,7 @@ public class IpSecServiceParameterizedTest {
         }
     }
 
+    @Ignore
     @Test
     public void testAddTunnelFailsForBadPackageName() throws Exception {
         try {
author	Nathan Harold <nharold@google.com>	2018-06-09 09:25:32 -0700
committer	android-build-merger <android-build-merger@google.com>	2018-06-09 09:25:32 -0700
commit	b0df70b6edd13235abde3a0fa526a9938088a267 (patch)
tree	df76fbd4f08bc211b746e471d67fc3d86517ca5e
parent	94976cab9915b75c18c34eff792c3b067d46442d (diff)
parent	bda7c960380ee89d652ccedb76fd020ce51c4218 (diff)