Fix network leaks with split-tunnel VPNs
NetworkCallback handlers that would typically cause firewall
restrictions to be updated on VPN connect/disconnect are *not* called
for split-tunnel VPNs when the system is not included. As a workaround,
we now additionally update app restrictions in a function that *is*
successfully reached in both scenarios, via the broadcast receiver for
CONNECTIVITY_ACTION.
As noted in the comments, the new function call is not reached as
early as the NetworkCallback handlers are, which could present
a window of opportunity for unauthorized network access, but not an
indefinite one, as is the case for the issue this patch addresses.
Issue: calyxos#1081
Change-Id: Ib4bcf5aeabe116cc13a669a01bfa91389d4d06fa
1 file changed