1 files changed, 3 insertions, 9 deletions

diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index da7774286a87..5b282ced73b5 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -1095,7 +1095,7 @@ public class Vpn {
         // Except for Settings and VpnDialogs, the caller should be matched one of oldPackage or
         // newPackage. Otherwise, non VPN owner might get the VPN always-on status of the VPN owner.
         // See b/191382886.
-        if (!hasControlVpnPermission()) {
+        if (mContext.checkCallingOrSelfPermission(CONTROL_VPN) != PERMISSION_GRANTED) {
             if (oldPackage != null) {
                 verifyCallingUidAndPackage(oldPackage);
             }
@@ -2056,10 +2056,6 @@ public class Vpn {
                 "Unauthorized Caller");
     }
 
-    private boolean hasControlVpnPermission() {
-        return mContext.checkCallingOrSelfPermission(CONTROL_VPN) == PERMISSION_GRANTED;
-    }
-
     private class Connection implements ServiceConnection {
         private IBinder mService;
 
@@ -3861,10 +3857,8 @@ public class Vpn {
             Binder.restoreCallingIdentity(token);
         }
 
-        // If package has CONTROL_VPN, grant the ACTIVATE_PLATFORM_VPN appop.
-        if (hasControlVpnPermission()) {
-            setPackageAuthorization(packageName, VpnManager.TYPE_VPN_PLATFORM);
-        }
+        // TODO: if package has CONTROL_VPN, grant the ACTIVATE_PLATFORM_VPN appop.
+        // This mirrors the prepareAndAuthorize that is used by VpnService.
 
         // Return whether the app is already pre-consented
         return isVpnProfilePreConsented(mContext, packageName);