GitLab

Bug: 30298058
Change-Id: If4cd1f2e2b782ff08d667eb065138c06559b3394

Bug: 30298058
Change-Id: Ib16f02667cdae06688106bf064d17db693d60cd5

Bug: 30298058
Change-Id: Ic25cd165476d1a781595460b7d764e8df4707c65

Bug: 9580643
Bug: 30298058
Change-Id: I45c1f46994a07f656434088cafe753d58731faa0

Restricting networking on loopback is needlessly restrictive
because it doesn't have substantial power impact.

Bug: 30186506
Change-Id: Ibe31aff7c43ae02821fdf4a00b600fb5f5f5bc30

Bug: 30186506
Change-Id: I8bae7b004c3bb9f6e9e0db99774a6ff6505578b4

On real devices, we often don't want to destroy sockets that
are on loopback. This CL makes our integration tests use
sockets that don't look like they're on loopback, making it
possible to test code that does not destroy sockets that are
on loopback.

Bug: 30186506
Change-Id: I1ea56f069f528f25dddd5898b2269a638318f820

Bug: 9580643
Change-Id: I781a422c969deb153bc8370edda4578612af6dc6

Bug: 9580643
Change-Id: Icbfd8c6480a4e14433004e90b71a104ae4da9c5d

Bug: 9580643
Change-Id: I60ff10cea8e8e90eeaf5412f1b6254696073506d

Bug: 9580643
Change-Id: I11565cafbefbc06a7992d1ff18c707165d5b31ed

Bug: 9580643
Change-Id: Ia2f273b518399f42bfa8efb98445f1ff043bc07e

Bug: 9580643
Change-Id: I6ac3b754ec0b720674c6221e3a776314e86fe58c

Bug: 9580643
Change-Id: I26f7adb9639f1ddf4eda0c98bcc6cd3a83d3ba0b

Including:
    - set the interface for router mode (accept_ra = 0)
    - reset the interface for client mode (accept_ra = 1)
    - InterfaceController::setAcceptIPv6Ra()
    - InterfaceController::setAcceptIPv6Dad()
    - make InterfaceController static
    - refactor for more modern C++ usage here and there
    - sporadic style guide fixes

Bug: 9580643
Change-Id: Ia557c8770e18c58b12ad16d982c63b6ebd525516

am: c63059c8

Change-Id: I2e7f91b5c50cee056c97e75b65b2683285582899

When a VPN provides no DNS servers, DNS lookups are usually sent
to the default network's DNS servers. However, if a DNS lookup
is explicitly made on the VPN (e.g., via Network#openConnection),
then it just fails.

This breaks system proxies which perform network traffic on VPNs
on behalf of other apps, e.g., the download manager.

Fix this by doing the query to the default DNS servers (via the
default network) instead. This is consistent with what we do with
DNS queries that do not specify a network. While this is a change
in behaviour, it shouldn't cause much breakage because the query
would previously just fail.

Bug: 29498052
Change-Id: Ie4002c9835bb1ff6d3d92c00c9c04e634fc3cda4

Allow quota limit reached notification to originate from both
qlog and xt_quota2 subsystem.  On 3.18 Kernel, modify xt_quota2
module to broadcast the Netlink notification via kobject.

Change-Id: Iaafe521e455d658ed8a2f95fb5114b029323d5ef
CRs-Fixed: 1008025
Bug: 24140541

Currently SockDiagTest only checks for socket errors, it does not
check that the socket was closed via SOCK_DESTROY. This can cause
us to think that SOCK_DESTROY is working when it isn't.

Fix this by checking the error codes and expecting that at least
one socket was closed by SOCK_DESTROY.

Bug: 28508161
Change-Id: Iab423dba0aa30466481dd3a7304aa8f69c5cf605

Change-Id: Ib4db989fdb35df3f517ce4db1526e5c1f78ad4b5

am: 0452cb56

* commit '0452cb56':
  Do not configure more DNS servers than supported.

Change-Id: I0893649176126b46fc493d353e32fba38226dd8e

BUG: 28984564
Change-Id: I1b580d725f0aafe887db894e19971cc29adf8951

BUG: 28529315
Change-Id: I4818b3833464502a44d9cdb92e3c59802882397b

am: bdcba112

* commit 'bdcba112':
  Update wlutil path

Change-Id: Ieb82f51d47c33d10b32400e007322d35dc423b61

The path to wlutil changed to /system/vendor/xbin with ag/893600 .

Bug: 28850734
Change-Id: I101517e7d849c288cbe9877e874b8d7914fbc1e9

am: 5bbe13bd

* commit '5bbe13bd':
  Drop PROHIBIT_NON_VPN priority 11500 -> 12500

Change-Id: I22e4e178b25d579eabde255da1d5b1a6c954556d

am: 7ad3c888

* commit '7ad3c888':
  Make FirewallController::createChain use replaceUidChain.
  Make firewallReplaceUidChain match the behaviour of createChain.
  Don't crash the test if expecting more commands than were run.

Change-Id: Ib9dac62413187fc9b4978dfe14b7d29dbf328328

* changes:
  Make FirewallController::createChain use replaceUidChain.
  Make firewallReplaceUidChain match the behaviour of createChain.
  Don't crash the test if expecting more commands than were run.

This has two benefits:

1. It makes the behaviour of setting firewall chains via the
   firewallReplaceUidChain RPC match the behaviour of creating
   the chains on boot. (As a side effect, it reduces code
   duplication between the two.)
2. It makes creating firewall chains on boot use iptables-restore,
   which is substantially faster than running iptables commands
   one at a time.

This CL will allow the framework to switch to using
firewallReplaceUidChain when the framework starts, providing
substantial speedups over the current behaviour of running two
iptables commands for every app that is whitelisted or idle.

Bug: 26675191
Change-Id: Ifbd15bf9143efd526570dde8f88effc79d164630

The behaviour of the firewallReplaceUidChain was incorrect in
several ways:

1. It was missing the "always allow TCP RST packets" rules which
   were added in http://ag/963000 .
2. It included a RETURN statement at the end of blacklist chains,
   which is superfluous since all user-defined chains implicitly
   return, and became incorrect when http://ag/963000 switched the
   behaviour of blacklist chains from inserting new rules at the
   beginning to appending them at the end.
3. It was missing the rules to allow the types of ICMPv6 packets
   that are critical in maintaining connectivity.

By itself, this change is a no-op since nothing currently calls
firewallReplaceUidRule.

Bug: 26675191
Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb

Bug: 26675191
Change-Id: I54860c7cf7b79bb6ace89c3130467ba7c0473e03

am: 4f882991

* commit '4f882991':
  Fix P2TP VPNs by adding an exception for VPN user.

Change-Id: Ic8528dd6d589f08324ecbc69a4024086e9054a7f