-
-
Notifications
You must be signed in to change notification settings - Fork 11.1k
[stealth 05/11] Add stealth direct-connection app exclusions #8783
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
reflog
wants to merge
7
commits into
main
Choose a base branch
from
stealth/8767-direct-app-denylist-clean
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
552f760
Add stealth direct-connection app exclusions
reflog 75d05ff
Address review feedback for direct app exclusions
reflog ef4147c
Use flutter_test in exclusion asset test
reflog 0034a6c
Gate direct connection apps to Android
reflog b09f0bd
fix: batch direct app exclusion updates
reflog d7ca55c
fix: harden direct app defaults
reflog ac556ce
test: use decoded json types
reflog File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
176 changes: 176 additions & 0 deletions
176
...d/app/src/main/kotlin/org/getlantern/lantern/stealth/DirectConnectionAppExclusionStore.kt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,176 @@ | ||
| package org.getlantern.lantern.stealth | ||
|
|
||
| import android.content.Context | ||
| import android.content.pm.PackageManager | ||
| import android.net.VpnService | ||
| import org.getlantern.lantern.BuildConfig | ||
| import org.getlantern.lantern.utils.AppLogger | ||
| import org.json.JSONArray | ||
|
|
||
| class DirectConnectionAppExclusionStore( | ||
| private val context: Context, | ||
| ) { | ||
| private val prefs = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE) | ||
|
|
||
| private val defaultExclusions: List<DirectConnectionAppExclusion> by lazy { | ||
| cachedDefaultExclusions(context.applicationContext) | ||
| } | ||
|
|
||
| fun defaultPackageNames(): Set<String> { | ||
| return defaultExclusions.mapTo(LinkedHashSet()) { it.packageName } | ||
|
reflog marked this conversation as resolved.
|
||
| } | ||
|
|
||
| fun effectivePackageNames(): Set<String> { | ||
| return DirectConnectionAppExclusions.effectivePackageNames( | ||
| defaultPackages = defaultPackageNames(), | ||
| userAddedPackages = stringSet(KEY_USER_ADDED), | ||
| userRemovedDefaultPackages = stringSet(KEY_USER_REMOVED_DEFAULTS), | ||
| ) | ||
| } | ||
|
|
||
| fun effectivePackageNamesJson(): String { | ||
| return JSONArray(effectivePackageNames()).toString() | ||
| } | ||
|
|
||
| fun addPackage(rawPackageName: String) { | ||
| updatePackages(listOf(rawPackageName), adding = true) | ||
| } | ||
|
|
||
| fun addPackages(rawPackageNames: Iterable<String>) { | ||
| updatePackages(rawPackageNames, adding = true) | ||
| } | ||
|
|
||
| fun removePackage(rawPackageName: String) { | ||
| updatePackages(listOf(rawPackageName), adding = false) | ||
| } | ||
|
|
||
| fun removePackages(rawPackageNames: Iterable<String>) { | ||
| updatePackages(rawPackageNames, adding = false) | ||
| } | ||
|
|
||
| private fun updatePackages(rawPackageNames: Iterable<String>, adding: Boolean) { | ||
| val packageNames = rawPackageNames.map(::requirePackageName) | ||
| if (packageNames.isEmpty()) { | ||
| return | ||
| } | ||
| val defaults = defaultPackageNames() | ||
| val added = stringSet(KEY_USER_ADDED).toMutableSet() | ||
| val removedDefaults = stringSet(KEY_USER_REMOVED_DEFAULTS).toMutableSet() | ||
|
|
||
| for (packageName in packageNames) { | ||
| if (adding) { | ||
| if (packageName in defaults) { | ||
| removedDefaults -= packageName | ||
| } else { | ||
| added += packageName | ||
| } | ||
| } else { | ||
| if (packageName in defaults) { | ||
| removedDefaults += packageName | ||
| } else { | ||
| added -= packageName | ||
| } | ||
| } | ||
| } | ||
|
|
||
| prefs.edit() | ||
| .putStringSet(KEY_USER_ADDED, added) | ||
| .putStringSet(KEY_USER_REMOVED_DEFAULTS, removedDefaults) | ||
| .apply() | ||
| } | ||
|
|
||
| private fun requirePackageName(rawPackageName: String): String { | ||
| val packageName = DirectConnectionAppExclusions.normalizePackageName(rawPackageName) | ||
| require(DirectConnectionAppExclusions.isValidPackageName(packageName)) { | ||
| "Invalid package name: raw='$rawPackageName', normalized='$packageName'" | ||
| } | ||
| return packageName | ||
| } | ||
|
|
||
| private fun stringSet(key: String): Set<String> { | ||
| return prefs.getStringSet(key, emptySet()).orEmpty() | ||
| .map(DirectConnectionAppExclusions::normalizePackageName) | ||
| .filter(DirectConnectionAppExclusions::isValidPackageName) | ||
| .toSet() | ||
| } | ||
|
|
||
| companion object { | ||
| private const val TAG = "DirectAppExclusions" | ||
| private const val PREFS_NAME = "direct_connection_app_exclusions" | ||
| private const val KEY_USER_ADDED = "user_added_packages" | ||
| private const val KEY_USER_REMOVED_DEFAULTS = "user_removed_default_packages" | ||
|
|
||
| private val assetCandidates = listOf( | ||
| DirectConnectionAppExclusions.DEFAULT_ASSET_PATH, | ||
| "assets/stealth/default_exclusions.json", | ||
| "stealth/default_exclusions.json", | ||
| ) | ||
| @Volatile | ||
| private var defaultExclusionsCache: List<DirectConnectionAppExclusion>? = null | ||
|
|
||
| fun enabled(): Boolean = BuildConfig.STEALTH_DIRECT_CONNECTION_APPS | ||
|
|
||
| private fun cachedDefaultExclusions( | ||
| context: Context, | ||
| ): List<DirectConnectionAppExclusion> { | ||
| defaultExclusionsCache?.let { return it } | ||
| return synchronized(this) { | ||
| defaultExclusionsCache ?: loadDefaultExclusions(context).also { | ||
| defaultExclusionsCache = it | ||
| } | ||
| } | ||
| } | ||
|
|
||
| fun loadDefaultExclusions(context: Context): List<DirectConnectionAppExclusion> { | ||
| for (path in assetCandidates) { | ||
| val json = runCatching { | ||
| context.assets.open(path).bufferedReader().use { it.readText() } | ||
| }.getOrNull() | ||
|
|
||
| if (json.isNullOrBlank()) { | ||
| continue | ||
| } | ||
|
|
||
| val parsed = runCatching { | ||
| DirectConnectionAppExclusions.parseDefaults(json) | ||
| }.onFailure { e -> | ||
| AppLogger.w(TAG, "Failed to parse $path", e) | ||
| }.getOrNull() | ||
| if (parsed != null) { | ||
| return parsed | ||
|
reflog marked this conversation as resolved.
|
||
| } | ||
| } | ||
|
|
||
| AppLogger.w(TAG, "No default direct-connection app exclusions asset found") | ||
| return emptyList() | ||
| } | ||
|
|
||
| fun applyToBuilder( | ||
| builder: VpnService.Builder, | ||
| context: Context, | ||
| ): Int { | ||
| if (!enabled()) { | ||
| return 0 | ||
| } | ||
|
|
||
| var applied = 0 | ||
| val packages = DirectConnectionAppExclusionStore(context).effectivePackageNames() | ||
| for (packageName in packages) { | ||
| try { | ||
| builder.addDisallowedApplication(packageName) | ||
| applied += 1 | ||
| } catch (e: PackageManager.NameNotFoundException) { | ||
| AppLogger.d(TAG, "Skipping direct-connection app not installed: $packageName") | ||
| } catch (e: Exception) { | ||
| AppLogger.w(TAG, "Skipping direct-connection app: $packageName", e) | ||
| } | ||
| } | ||
|
|
||
| AppLogger.i( | ||
| TAG, | ||
| "Applied $applied direct-connection app exclusions (${packages.size} configured)" | ||
| ) | ||
| return applied | ||
| } | ||
| } | ||
| } | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.