Allow any caller with CONTROL_VPN to disconnect existing VPN

When calling prepare(null, LEGACY_VPN, TYPE_VPN_SERVICE), the caller wants to disconnect the current VPN. The current code checks to make sure an IPC caller, and only an IPC caller, with the CONTROL_VPN permission can do so. But this doesn't allow for other processes in the system server (which also have CONTROL_VPN permission) to do so. Expand the check to allow those callers. Bug: 284803285 Test: VpnTest in http://aosp/2624812 Change-Id: Ib9baa40d6dc870a548ebf8332f2829f4e49be428
author: Cassie Wang <cassiewang@google.com> 2023-06-14 14:53:44 +0900
committer: Cassie Wang <cassiewang@google.com> 2023-06-14 14:53:44 +0900
commit: d097d0c4f8d2cb99d4d98780154831b9478f03ea (patch)
tree: 83068b9e8d7c3a7e6d0d9d52f6f9f7b8f73fa420
parent: af2669d6567694551acecacf960384ab25fa461a (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index e85eee817d29..6b69e1caa985 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -1389,7 +1389,7 @@ public class Vpn {
         }
 
         // Check that the caller is authorized.
-        enforceControlPermission();
+        enforceControlPermissionOrInternalCaller();
 
         // Stop an existing always-on VPN from being dethroned by other apps.
         if (mAlwaysOn && !isCurrentPreparedPackage(newPackage)) {
author	Cassie Wang <cassiewang@google.com>	2023-06-14 14:53:44 +0900
committer	Cassie Wang <cassiewang@google.com>	2023-06-14 14:53:44 +0900
commit	d097d0c4f8d2cb99d4d98780154831b9478f03ea (patch)
tree	83068b9e8d7c3a7e6d0d9d52f6f9f7b8f73fa420
parent	af2669d6567694551acecacf960384ab25fa461a (diff)