From d097d0c4f8d2cb99d4d98780154831b9478f03ea Mon Sep 17 00:00:00 2001
From: Cassie Wang
Date: Wed, 14 Jun 2023 14:53:44 +0900
Subject: Allow any caller with CONTROL_VPN to disconnect existing VPN

When calling prepare(null, LEGACY_VPN, TYPE_VPN_SERVICE), the caller wants to disconnect the current VPN. The current code checks to make sure an IPC caller, and only an IPC caller, with the CONTROL_VPN permission can do so. But this doesn't allow for other processes in the system server (which also have CONTROL_VPN permission) to do so. Expand the check to allow those callers.

Bug: 284803285
Test: VpnTest in http://aosp/2624812
Change-Id: Ib9baa40d6dc870a548ebf8332f2829f4e49be428
---
 services/core/java/com/android/server/connectivity/Vpn.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index e85eee817d29..6b69e1caa985 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -1389,7 +1389,7 @@ public class Vpn {
 }
 // Check that the caller is authorized.
- enforceControlPermission();
+ enforceControlPermissionOrInternalCaller();
 // Stop an existing always-on VPN from being dethroned by other apps.
 if (mAlwaysOn && !isCurrentPreparedPackage(newPackage)) {
-- 
cgit v1.2.3-59-g8ed1b
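Review bot: The relaxed check `enforceControlPermissionOrInternalCaller()` sits on a line that every `newPackage` reaching this point passes through, while the commit message justifies the relaxation only for the disconnect case `prepare(null, LEGACY_VPN, TYPE_VPN_SERVICE)`. The enclosing method starts and ends outside the hunk, so whether other package values can reach this line is not visible here; if they can, in-process callers are now accepted for preparing any package, which is wider than the stated intent. The helper's body is also not shown, and if it decides "internal" from the Binder calling identity, a system_server path that clears its calling identity before invoking this method on behalf of an app would pass as well, so those call sites are worth auditing. At minimum the unchanged comment should state the new contract, e.g. `// Caller must hold CONTROL_VPN over IPC, or be code running inside system_server.`; a tighter option is `if (VpnConfig.LEGACY_VPN.equals(newPackage)) enforceControlPermissionOrInternalCaller(); else enforceControlPermission();`.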