Revert "Grant the ACTIVATE_PLATFORM_VPN appop if VPN app has CON..."

Revert submission 2141595-GRANT_PLATFORM_VPN Reason for revert: Refer to the comment in ag/19491935. Reverted Changes: I0e0566bb8:Grant the ACTIVATE_PLATFORM_VPN appop if VPN app h... I0580baca6:Test if VPN app can grant ACTIVATE_PLATFORM_VPN wi... Change-Id: I6cfdd2b75aa6e7427ffa6024e1c3ff183a3e0379
author: Lucas Lin <lucaslin@google.com> 2022-08-17 06:31:29 +0000
committer: Lucas Lin <lucaslin@google.com> 2022-08-17 06:31:29 +0000
commit: f2d911662eaf89cd000be80dfef2c7776c0e3e74 (patch)
tree: 44ae8a1e0795f579353f77857ecbbfad13a6c654
parent: deda02392219705dbd610ca4db5479f355787c4e (diff)
1 files changed, 3 insertions, 9 deletions
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index da7774286a87..5b282ced73b5 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -1095,7 +1095,7 @@ public class Vpn {
         // Except for Settings and VpnDialogs, the caller should be matched one of oldPackage or
         // newPackage. Otherwise, non VPN owner might get the VPN always-on status of the VPN owner.
         // See b/191382886.
-        if (!hasControlVpnPermission()) {
+        if (mContext.checkCallingOrSelfPermission(CONTROL_VPN) != PERMISSION_GRANTED) {
             if (oldPackage != null) {
                 verifyCallingUidAndPackage(oldPackage);
             }
@@ -2056,10 +2056,6 @@ public class Vpn {
                 "Unauthorized Caller");
     }
 
-    private boolean hasControlVpnPermission() {
-        return mContext.checkCallingOrSelfPermission(CONTROL_VPN) == PERMISSION_GRANTED;
-    }
-
     private class Connection implements ServiceConnection {
         private IBinder mService;
 
@@ -3861,10 +3857,8 @@ public class Vpn {
             Binder.restoreCallingIdentity(token);
         }
 
-        // If package has CONTROL_VPN, grant the ACTIVATE_PLATFORM_VPN appop.
-        if (hasControlVpnPermission()) {
-            setPackageAuthorization(packageName, VpnManager.TYPE_VPN_PLATFORM);
-        }
+        // TODO: if package has CONTROL_VPN, grant the ACTIVATE_PLATFORM_VPN appop.
+        // This mirrors the prepareAndAuthorize that is used by VpnService.
 
         // Return whether the app is already pre-consented
         return isVpnProfilePreConsented(mContext, packageName);
author	Lucas Lin <lucaslin@google.com>	2022-08-17 06:31:29 +0000
committer	Lucas Lin <lucaslin@google.com>	2022-08-17 06:31:29 +0000
commit	f2d911662eaf89cd000be80dfef2c7776c0e3e74 (patch)
tree	44ae8a1e0795f579353f77857ecbbfad13a6c654
parent	deda02392219705dbd610ca4db5479f355787c4e (diff)