From f7d2d091dc7693b8dc710a879af3bd51b6285a6e Mon Sep 17 00:00:00 2001
From: Oli Lan <olilan@google.com>
Date: Tue, 22 Nov 2022 17:07:45 +0000
Subject: Make lockdown VPN work for the main user.

This changes lockdown VPN to support the main user, rather than just the
system user.

Bug: 259515323
Test: atest VpnManagerServiceTest
Change-Id: I3468d14d92f1e8c66e3188b4a5a00e98bce18dac
---
 .../java/com/android/server/VpnManagerService.java | 30 +++++++++++++---------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/services/core/java/com/android/server/VpnManagerService.java b/services/core/java/com/android/server/VpnManagerService.java
index ae50b2358139..2b43ef48b922 100644
--- a/services/core/java/com/android/server/VpnManagerService.java
+++ b/services/core/java/com/android/server/VpnManagerService.java
@@ -22,6 +22,7 @@ import static com.android.net.module.util.PermissionUtils.enforceAnyPermissionOf
 
 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.annotation.UserIdInt;
 import android.content.BroadcastReceiver;
 import android.content.Context;
 import android.content.Intent;
@@ -67,6 +68,7 @@ import com.android.internal.util.IndentingPrintWriter;
 import com.android.server.connectivity.Vpn;
 import com.android.server.connectivity.VpnProfileStore;
 import com.android.server.net.LockdownVpnTracker;
+import com.android.server.pm.UserManagerInternal;
 
 import java.io.FileDescriptor;
 import java.io.PrintWriter;
@@ -93,6 +95,7 @@ public class VpnManagerService extends IVpnManager.Stub {
     private final INetworkManagementService mNMS;
     private final INetd mNetd;
     private final UserManager mUserManager;
+    private final int mMainUserId;
 
     @VisibleForTesting
     @GuardedBy("mVpns")
@@ -145,6 +148,12 @@ public class VpnManagerService extends IVpnManager.Stub {
                 Vpn vpn, VpnProfile profile) {
             return new LockdownVpnTracker(context, handler, vpn,  profile);
         }
+
+        /** Get the main user on the device. */
+        public @UserIdInt int getMainUserId() {
+            // TODO(b/265785220): Change to use UserManager method instead.
+            return LocalServices.getService(UserManagerInternal.class).getMainUserId();
+        }
     }
 
     public VpnManagerService(Context context, Dependencies deps) {
@@ -159,6 +168,7 @@ public class VpnManagerService extends IVpnManager.Stub {
         mNMS = mDeps.getINetworkManagementService();
         mNetd = mDeps.getNetd();
         mUserManager = mContext.getSystemService(UserManager.class);
+        mMainUserId = mDeps.getMainUserId();
         registerReceivers();
         log("VpnManagerService starting up");
     }
@@ -478,11 +488,12 @@ public class VpnManagerService extends IVpnManager.Stub {
 
     @Override
     public boolean updateLockdownVpn() {
-        // Allow the system UID for the system server and for Settings.
+        // Allow the system UID for the system server and for Settings (from user 0 or main user).
         // Also, for unit tests, allow the process that ConnectivityService is running in.
         if (mDeps.getCallingUid() != Process.SYSTEM_UID
+                && mDeps.getCallingUid() != UserHandle.getUid(mMainUserId, Process.SYSTEM_UID)
                 && Binder.getCallingPid() != Process.myPid()) {
-            logw("Lockdown VPN only available to system process or AID_SYSTEM");
+            logw("Lockdown VPN only available to system process or AID_SYSTEM on main user");
             return false;
         }
 
@@ -697,7 +708,7 @@ public class VpnManagerService extends IVpnManager.Stub {
                 intentFilter,
                 null /* broadcastPermission */,
                 mHandler);
-        mContext.createContextAsUser(UserHandle.SYSTEM, 0 /* flags */).registerReceiver(
+        mContext.createContextAsUser(UserHandle.of(mMainUserId), 0 /* flags */).registerReceiver(
                 mUserPresentReceiver,
                 new IntentFilter(Intent.ACTION_USER_PRESENT),
                 null /* broadcastPermission */,
@@ -735,6 +746,7 @@ public class VpnManagerService extends IVpnManager.Stub {
 
             if (LockdownVpnTracker.ACTION_LOCKDOWN_RESET.equals(action)) {
                 onVpnLockdownReset();
+                return;
             }
 
             // UserId should be filled for below intents, check the existence.
@@ -795,7 +807,7 @@ public class VpnManagerService extends IVpnManager.Stub {
             userVpn = mDeps.createVpn(mHandler.getLooper(), mContext, mNMS, mNetd, userId);
             mVpns.put(userId, userVpn);
 
-            if (user.isPrimary() && isLockdownVpnEnabled()) {
+            if (userId == mMainUserId && isLockdownVpnEnabled()) {
                 updateLockdownVpn();
             }
         }
@@ -910,15 +922,9 @@ public class VpnManagerService extends IVpnManager.Stub {
     }
 
     private void onUserUnlocked(int userId) {
-        UserInfo user = mUserManager.getUserInfo(userId);
-        if (user == null) {
-            logw("Unlocked user doesn't exist. UserId: " + userId);
-            return;
-        }
-
         synchronized (mVpns) {
             // User present may be sent because of an unlock, which might mean an unlocked keystore.
-            if (user.isPrimary() && isLockdownVpnEnabled()) {
+            if (userId == mMainUserId && isLockdownVpnEnabled()) {
                 updateLockdownVpn();
             } else {
                 startAlwaysOnVpn(userId);
@@ -984,7 +990,7 @@ public class VpnManagerService extends IVpnManager.Stub {
             }
 
             // Turn Always-on VPN off
-            if (mLockdownEnabled && userId == UserHandle.USER_SYSTEM) {
+            if (mLockdownEnabled && userId == mMainUserId) {
                 final long ident = Binder.clearCallingIdentity();
                 try {
                     mVpnProfileStore.remove(Credentials.LOCKDOWN_VPN);
-- 
cgit v1.2.3-59-g8ed1b