From 1b803efb0718f3ac87677cc1fc98c4b868b2176c Mon Sep 17 00:00:00 2001
From: Mygod <contact-git@mygod.be>
Date: Sat, 4 May 2024 22:35:11 -0400
Subject: [PATCH] Better support VPN lockdown mode on Android 13+

Fixes #565.
---
 README.md                                     |  2 ++
 .../net/RemoveUidInterfaceRuleCommand.kt      | 26 ++++++++++++++-----
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index cfa5b291..91b977fc 100644
--- a/README.md
+++ b/README.md
@@ -167,6 +167,7 @@ Greylisted/blacklisted APIs or internal constants: (some constants are hardcoded
 * (since API 30) `Landroid/net/TetheringManager$TetheringEventCallback;->onTetherableInterfaceRegexpsChanged(Landroid/net/TetheringManager$TetheringInterfaceRegexps;)V,blocked`
 * (since API 31) `Landroid/net/TetheringManager$TetheringEventCallback;->onSupportedTetheringTypes(Ljava/util/Set;)V,blocked`
 * (since API 33) `Landroid/net/connectivity/android/net/BpfNetMapsConstants;->IIF_MATCH:J,blocked`
+* (since API 33) `Landroid/net/connectivity/android/net/BpfNetMapsConstants;->LOCKDOWN_VPN_MATCH:J,blocked`
 * (since API 33) `Landroid/net/connectivity/android/net/UidOwnerValue;-><init>(IJ)V,blocked`
 * (since API 33) `Landroid/net/connectivity/android/net/UidOwnerValue;->rule:J,blocked`
 * (since API 33) `Landroid/net/connectivity/com/android/net/module/util/BpfMap;-><init>(Ljava/lang/String;ILjava/lang/Class;Ljava/lang/Class;)V,blocked`
@@ -205,6 +206,7 @@ Greylisted/blacklisted APIs or internal constants: (some constants are hardcoded
 * (since API 33) `Lcom/android/server/BpfNetMaps;->native_init()V`
 * (since API 33) `Lcom/android/server/BpfNetMaps;->native_init(Z)V`
 * (since API 33) `Lcom/android/server/BpfNetMaps;->native_removeUidInterfaceRules([I)I`
+* (since API 33) `Lcom/android/server/BpfNetMaps;->native_updateUidLockdownRule(IZ)I`
 * (since API 33) `Lcom/android/server/BpfNetMaps;->sInitialized:Z`
 * (since API 30) `Lcom/android/server/SystemServer;->TETHERING_CONNECTOR_CLASS:Ljava/lang/String;`
 * `Ljava/lang/invoke/MethodHandles$Lookup;-><init>(Ljava/lang/Class;I)V,unsupported`
diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/net/RemoveUidInterfaceRuleCommand.kt b/mobile/src/main/java/be/mygod/vpnhotspot/net/RemoveUidInterfaceRuleCommand.kt
index 4170fc97..7b038961 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/net/RemoveUidInterfaceRuleCommand.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/net/RemoveUidInterfaceRuleCommand.kt
@@ -71,8 +71,16 @@ data class RemoveUidInterfaceRuleCommand(private val uid: Int) : RootCommand<Par
         private val newS32 by lazy { S32.getDeclaredConstructor(Int::class.java) }
         private val newUidOwnerValue by lazy { UidOwnerValue.getDeclaredConstructor(Int::class.java, Long::class.java) }
         private val ruleUidOwnerValue by lazy { UidOwnerValue.getDeclaredField("rule") }
-        private val iifMatch by lazy {
-            findConnectivityClass("android.net.BpfNetMapsConstants").getDeclaredField("IIF_MATCH").getLong(null)
+        private val matches by lazy {
+            try {
+                val constants = findConnectivityClass("android.net.BpfNetMapsConstants")
+                constants.getDeclaredField("IIF_MATCH").getLong(null) or
+                        constants.getDeclaredField("LOCKDOWN_VPN_MATCH").getLong(null)
+            } catch (e: ReflectiveOperationException) {
+                Timber.w(e)
+                // https://android.googlesource.com/platform/packages/modules/Connectivity/+/android-13.0.0_r1/bpf_progs/bpf_shared.h#160
+                3 shl 7
+            }
         }
 
         private val deleteEntry by lazy { BpfMap.getDeclaredMethod("deleteEntry", Struct) }
@@ -88,10 +96,10 @@ data class RemoveUidInterfaceRuleCommand(private val uid: Int) : RootCommand<Par
             val uidS32 = newS32.newInstance(uid)
             val oldRule = ruleUidOwnerValue.getLong(value(uidOwnerMap, uidS32) ?: return false)
             return when {
-                oldRule and iifMatch == 0L -> false
-                oldRule == iifMatch -> deleteEntry(uidOwnerMap, uidS32) as Boolean
+                oldRule and matches == 0L -> false
+                oldRule == matches -> deleteEntry(uidOwnerMap, uidS32) as Boolean
                 else -> true.also {
-                    updateEntry(uidOwnerMap, uidS32, newUidOwnerValue.newInstance(0, oldRule and iifMatch.inv()))
+                    updateEntry(uidOwnerMap, uidS32, newUidOwnerValue.newInstance(0, oldRule and matches.inv()))
                 }
             }
         }
@@ -131,9 +139,15 @@ data class RemoveUidInterfaceRuleCommand(private val uid: Int) : RootCommand<Par
             BpfNetMaps.getDeclaredMethod("native_removeUidInterfaceRules", IntArray::class.java)
                 .apply { isAccessible = true }
         }
+        private val updateUidLockdownRule by lazy {
+            BpfNetMaps.getDeclaredMethod("native_updateUidLockdownRule", Int::class.java, Boolean::class.java)
+                .apply { isAccessible = true }
+        }
         operator fun invoke(uid: Int) {
-            val ret = removeUidInterfaceRules(bpfNetMaps, intArrayOf(uid)) as Int
+            var ret = removeUidInterfaceRules(bpfNetMaps, intArrayOf(uid)) as Int
             check(ret == 0) { "native_removeUidInterfaceRules returns $ret" }
+            ret = updateUidLockdownRule(bpfNetMaps, uid, false) as Int
+            check(ret == 0) { "native_updateUidLockdownRule returns $ret" }
         }
     }