Track VPN mode changes #225

Closed
ignoramous opened this issue Jan 14, 2021 · 5 comments

@ignoramous
Collaborator

ignoramous commented Jan 14, 2021

From a quick glance at AOSP code, it looks like we can fully expect ConnectivityManager.NetworkCallback#onCapabilitiesChanged to trigger whenever the VPN goes in and out of the lockdown ("Block connections without VPN") mode.

Check VpnService#isLockdownEnabled when the callback triggers, then rebuild the VPN as required (enabling exclude-apps and allowing VPN bypass when the VPN is not locked down, for example).

See: #178, #39, #224

@ignoramous ignoramous added the P1 Priority: 1 (urgent) label Jan 14, 2021
@ignoramous ignoramous added this to the v053 milestone Jan 14, 2021
hussainmohd-a added a commit that referenced this issue Jan 20, 2021
#225 Introduced ConnectivityManager.NetworkCallback() to track down
the changes for the "Block connections without VPN" in Settings->
VPN. The callback will restart the VPN services if necessary and
include/exclude the apps which are part of excluded apps list.

#193 - Now the universal firewall (Block apps not in use) feature
will prompt for the application force stop in case of application
crash/failure in getting the accessibility permission.

Removed the scroll calculation done for the swipe from one
fragment to other in the view pager (firewall and DNS screen).
Instead introduced new NestedScrollableHost (FrameLayout) to
detect the swipe.
@ignoramous
Collaborator Author

So, it looks like neither onCapabilitiesChanged nor onLinkPropertiesChanged can be relied upon to be called when VPN switches to lockdown mode.

@ignoramous
Collaborator Author

Or, wait, maybe we were doing it incorrectly, ref: com.android.cts.vpnfirewall.ReflectorVpnService.

        final NetworkRequest request = new NetworkRequest.Builder()
            .addTransportType(NetworkCapabilities.TRANSPORT_VPN)
            .removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN)
            .removeCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET)
            .build();
        mNetworkCallback = new ConnectivityManager.NetworkCallback() {
                @Override
                public void onAvailable(final Network net) {
                    final Intent intent = new Intent(ACTION_VPN_IS_UP);
                    intent.setPackage(DEVICE_AND_PROFILE_OWNER_PACKAGE);
                    intent.putExtra(EXTRA_ALWAYS_ON, isAlwaysOn());
                    intent.putExtra(EXTRA_LOCKDOWN, isLockdownEnabled());
                    sendBroadcast(intent);
                    ensureNetworkCallbackUnregistered();
                }
            };

@ignoramous ignoramous reopened this Mar 29, 2021
@ignoramous
Collaborator Author

The above callback works only when "Always-on VPN" is toggled but not for "Block connections without VPN".

One approach to consider now is to check VpnService#isLockdownEnabled at most once every 30s on every firewall decision in BraveVpnService#block.

@hussainmohd-a
Collaborator

As of now, a workaround is introduced to check for the lockdown mode. Callbacks for the "Block Connection without VPN" are not available. Need to figure out a better way to track the lockdown mode.
Closing this issue. New issue #257

@ignoramous
Collaborator Author

ignoramous commented Apr 3, 2021

> As of now, a workaround is introduced to check for the lockdown mode.

So, BraveVPNService#checkLockdown is called on every protect.Blocker.block call which happens once per connection / flow.

0a18f65
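
The throttled check discussed in the comments above (probe VpnService#isLockdownEnabled at most once every 30s from the per-flow block decision), as an added example that is not the project's code. LockdownTracker, the probe and clock suppliers and the onModeChanged hook are hypothetical names, abstracted so the logic runs off-device with a fake clock.

```java
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.BooleanSupplier;
import java.util.function.LongSupplier;

// Added example (not project code). All names here are hypothetical.
public final class LockdownTracker {
    private static final long INTERVAL_MS = 30_000; // "at most once every 30s"

    private final BooleanSupplier probe;   // on device: () -> vpnService.isLockdownEnabled() (API 29+)
    private final LongSupplier clockMs;    // on device: SystemClock::elapsedRealtime
    private final Runnable onModeChanged;  // e.g. schedule a VPN rebuild off the hot path
    private final AtomicLong nextCheckAt = new AtomicLong(Long.MIN_VALUE);
    private volatile boolean lockdown;     // last observed mode

    public LockdownTracker(BooleanSupplier probe, LongSupplier clockMs, Runnable onModeChanged) {
        this.probe = probe;
        this.clockMs = clockMs;
        this.onModeChanged = onModeChanged;
    }

    /** Call once per connection/flow; costs one atomic read unless a probe is due. */
    public boolean checkLockdown() {
        long now = clockMs.getAsLong();
        long due = nextCheckAt.get();
        // The CAS lets exactly one of many concurrent flows probe per interval.
        if (now >= due && nextCheckAt.compareAndSet(due, now + INTERVAL_MS)) {
            boolean current = probe.getAsBoolean();
            if (current != lockdown) {
                lockdown = current;
                onModeChanged.run();
            }
        }
        return lockdown;
    }

    public static void main(String[] args) {
        // Constructed scenario: fake clock and fake setting, no Android needed.
        long[] now = {0};
        boolean[] setting = {false};
        int[] rebuilds = {0};
        LockdownTracker t = new LockdownTracker(() -> setting[0], () -> now[0], () -> rebuilds[0]++);
        t.checkLockdown();   // first flow: probe runs, mode unchanged
        setting[0] = true;   // user enables "Block connections without VPN"
        now[0] = 10_000;     // flow inside the 30s window: no probe, cached mode returned
        System.out.println("t=10s lockdown=" + t.checkLockdown() + " rebuilds=" + rebuilds[0]);
        now[0] = 30_000;     // window elapsed: probe runs, change detected
        System.out.println("t=30s lockdown=" + t.checkLockdown() + " rebuilds=" + rebuilds[0]);
    }
}
```

The cached mode can lag the system setting by up to the interval, and it only refreshes when a new flow reaches the firewall decision, so firewall rules that depend on lockdown state should tolerate that window.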
