diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt index c7de146c17..ab679fb1d6 100644 --- a/framework/api/module-lib-current.txt +++ b/framework/api/module-lib-current.txt @@ -32,6 +32,7 @@ package android.net { method @Deprecated @RequiresPermission(android.Manifest.permission.NETWORK_STACK) public void setProfileNetworkPreference(@NonNull android.os.UserHandle, int, @Nullable java.util.concurrent.Executor, @Nullable Runnable); method @RequiresPermission(android.Manifest.permission.NETWORK_STACK) public void setProfileNetworkPreferences(@NonNull android.os.UserHandle, @NonNull java.util.List, @Nullable java.util.concurrent.Executor, @Nullable Runnable); method @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public void setRequireVpnForUids(boolean, @NonNull java.util.Collection>); + method @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public void setRequireVpnForUids2(boolean, @NonNull java.util.Collection>, @NonNull java.util.Collection>); method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void setUidFirewallRule(int, int, int); method @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public void setVpnDefaultForUids(@NonNull String, @NonNull java.util.Collection>); method @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_TEST_NETWORKS, android.Manifest.permission.NETWORK_STACK}) public void simulateDataStall(int, long, @NonNull android.net.Network, @NonNull android.os.PersistableBundle); diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java index f4be971da4..87a2a9fab5 100644 --- a/framework/src/android/net/ConnectivityManager.java +++ b/framework/src/android/net/ConnectivityManager.java @@ -1594,6 +1594,22 @@ private static UidRange[] getUidRangeArray(@NonNull Collection> r return rangesArray; } + /** + * @hide + */ + @RequiresPermission(anyOf = { + NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, + android.Manifest.permission.NETWORK_STACK, + android.Manifest.permission.NETWORK_SETTINGS}) + @SystemApi(client = MODULE_LIBRARIES) + public void setRequireVpnForUids(boolean requireVpn, + @NonNull Collection> ranges) { + // All existing known calls to this have been removed. Any new or unknown calls will have + // ranges set to a value that can result in leaks, so it's an illegal argument. + throw new IllegalArgumentException( + "ranges is not strict, call setRequireVpnForUids2 instead"); + } + /** * Adds or removes a requirement for given UID ranges to use the VPN. * @@ -1622,6 +1638,8 @@ private static UidRange[] getUidRangeArray(@NonNull Collection> r * This method should be called only by the VPN code. * * @param ranges the UID ranges to restrict + * @param strictRanges the UID ranges to restrict, which include the VPN app itself (when not + * using the legacy VPN) * @param requireVpn whether the specified UID ranges must use a VPN * * @hide @@ -1631,16 +1649,19 @@ private static UidRange[] getUidRangeArray(@NonNull Collection> r android.Manifest.permission.NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) @SystemApi(client = MODULE_LIBRARIES) - public void setRequireVpnForUids(boolean requireVpn, - @NonNull Collection> ranges) { + public void setRequireVpnForUids2(boolean requireVpn, + @NonNull Collection> ranges, + @NonNull Collection> strictRanges) { Objects.requireNonNull(ranges); + Objects.requireNonNull(strictRanges); // The Range class is not parcelable. Convert to UidRange, which is what is used internally. // This method is not necessarily expected to be used outside the system server, so // parceling may not be necessary, but it could be used out-of-process, e.g., by the network // stack process, or by tests. final UidRange[] rangesArray = getUidRangeArray(ranges); + final UidRange[] strictRangesArray = getUidRangeArray(strictRanges); try { - mService.setRequireVpnForUids(requireVpn, rangesArray); + mService.setRequireVpnForUids(requireVpn, rangesArray, strictRangesArray); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } diff --git a/framework/src/android/net/IConnectivityManager.aidl b/framework/src/android/net/IConnectivityManager.aidl index 067a76f5bd..fbcd583232 100644 --- a/framework/src/android/net/IConnectivityManager.aidl +++ b/framework/src/android/net/IConnectivityManager.aidl @@ -133,7 +133,7 @@ interface IConnectivityManager ProxyInfo getProxyForNetwork(in Network nework); - void setRequireVpnForUids(boolean requireVpn, in UidRange[] ranges); + void setRequireVpnForUids(boolean requireVpn, in UidRange[] ranges, in UidRange[] strictRanges); void setLegacyLockdownVpnEnabled(boolean enabled); void setProvisioningNotificationVisible(boolean visible, int networkType, in String action); diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java index 0890a0e853..4681b7b206 100644 --- a/service/src/com/android/server/ConnectivityService.java +++ b/service/src/com/android/server/ConnectivityService.java @@ -7455,9 +7455,12 @@ public void handleMessage(Message msg) { case EVENT_BLOCKED_REASONS_CHANGED: handleBlockedReasonsChanged((List) msg.obj); break; - case EVENT_SET_REQUIRE_VPN_FOR_UIDS: - handleSetRequireVpnForUids(toBool(msg.arg1), (UidRange[]) msg.obj); + case EVENT_SET_REQUIRE_VPN_FOR_UIDS: { + final Pair arg = + (Pair) msg.obj; + handleSetRequireVpnForUids(toBool(msg.arg1), arg.first, arg.second); break; + } case EVENT_SET_OEM_NETWORK_PREFERENCE: { final Pair arg = (Pair) msg.obj; @@ -8047,45 +8050,56 @@ private boolean isUidBlockedByVpn(int uid, List blockedUidRanges) { } @Override - public void setRequireVpnForUids(boolean requireVpn, UidRange[] ranges) { + public void setRequireVpnForUids(boolean requireVpn, UidRange[] ranges, + UidRange[] strictRanges) { enforceNetworkStackOrSettingsPermission(); mHandler.sendMessage(mHandler.obtainMessage(EVENT_SET_REQUIRE_VPN_FOR_UIDS, - encodeBool(requireVpn), 0 /* arg2 */, ranges)); + encodeBool(requireVpn), 0 /* arg2 */, new Pair<>(ranges, strictRanges))); } - private void handleSetRequireVpnForUids(boolean requireVpn, UidRange[] ranges) { + private void handleSetRequireVpnForUids(boolean requireVpn, UidRange[] ranges, + UidRange[] strictRanges) { if (DBG) { Log.d(TAG, "Setting VPN " + (requireVpn ? "" : "not ") + "required for UIDs: " - + Arrays.toString(ranges)); + + Arrays.toString(ranges) + ", and strict UIDs: " + Arrays.toString( + strictRanges)); } - // Cannot use a Set since the list of UID ranges might contain duplicates. - final List newVpnBlockedUidRanges = new ArrayList(mVpnBlockedUidRanges); - for (int i = 0; i < ranges.length; i++) { - if (requireVpn) { - newVpnBlockedUidRanges.add(ranges[i]); - } else { - newVpnBlockedUidRanges.remove(ranges[i]); + + // Keep calling conditions consistent with AOSP. This was originally checked by caller. + if (strictRanges.length > 0) { + try { + mNetd.networkRejectNonSecureVpn(requireVpn, toUidRangeStableParcels(strictRanges)); + } catch (RemoteException | ServiceSpecificException e) { + Log.e(TAG, "setRequireVpnForUids(" + requireVpn + ", " + + Arrays.toString(strictRanges) + "): netd command failed: " + e); + throw new IllegalStateException("lockdown VPN firewall in invalid state"); } } - try { - mNetd.networkRejectNonSecureVpn(requireVpn, toUidRangeStableParcels(ranges)); - } catch (RemoteException | ServiceSpecificException e) { - Log.e(TAG, "setRequireVpnForUids(" + requireVpn + ", " - + Arrays.toString(ranges) + "): netd command failed: " + e); - } + // Keep calling conditions consistent with AOSP. This was originally checked by caller. + if (ranges.length > 0) { + // Cannot use a Set since the list of UID ranges might contain duplicates. + final List newVpnBlockedUidRanges = new ArrayList(mVpnBlockedUidRanges); + for (int i = 0; i < ranges.length; i++) { + if (requireVpn) { + newVpnBlockedUidRanges.add(ranges[i]); + } else { + newVpnBlockedUidRanges.remove(ranges[i]); + } + } - if (mDeps.isAtLeastT()) { - mPermissionMonitor.updateVpnLockdownUidRanges(requireVpn, ranges); - } + if (mDeps.isAtLeastT()) { + mPermissionMonitor.updateVpnLockdownUidRanges(requireVpn, ranges); + } - forEachNetworkAgentInfo(nai -> { - final boolean curMetered = nai.networkCapabilities.isMetered(); - maybeNotifyNetworkBlocked(nai, curMetered, curMetered, - mVpnBlockedUidRanges, newVpnBlockedUidRanges); - }); + forEachNetworkAgentInfo(nai -> { + final boolean curMetered = nai.networkCapabilities.isMetered(); + maybeNotifyNetworkBlocked(nai, curMetered, curMetered, + mVpnBlockedUidRanges, newVpnBlockedUidRanges); + }); - mVpnBlockedUidRanges = newVpnBlockedUidRanges; + mVpnBlockedUidRanges = newVpnBlockedUidRanges; + } } @Override diff --git a/service/src/com/android/server/NetIdManager.java b/service/src/com/android/server/NetIdManager.java index 27b6b9b38b..b0228493b3 100644 --- a/service/src/com/android/server/NetIdManager.java +++ b/service/src/com/android/server/NetIdManager.java @@ -68,7 +68,11 @@ private int getNextAvailableNetIdLocked( int lastId, @NonNull SparseBooleanArray netIdInUse) { int netId = lastId; for (int i = MIN_NET_ID; i <= mMaxNetId; i++) { - netId = netId < mMaxNetId ? netId + 1 : MIN_NET_ID; + if (netId < mMaxNetId) { + netId += 1; + } else { + break; + } if (!netIdInUse.get(netId)) { return netId; } diff --git a/tests/cts/hostside/app/src/com/android/cts/net/hostside/VpnTest.java b/tests/cts/hostside/app/src/com/android/cts/net/hostside/VpnTest.java index 01932a4b81..6dd18bf761 100644 --- a/tests/cts/hostside/app/src/com/android/cts/net/hostside/VpnTest.java +++ b/tests/cts/hostside/app/src/com/android/cts/net/hostside/VpnTest.java @@ -1876,7 +1876,7 @@ public void testBlockIncomingPackets() throws Exception { // Lockdown uid that has the remote UDP socket runWithShellPermissionIdentity(() -> { - mCM.setRequireVpnForUids(true /* requireVpn */, lockdownRange); + mCM.setRequireVpnForUids2(true /* requireVpn */, lockdownRange, lockdownRange); }, NETWORK_SETTINGS); // setRequireVpnForUids setup a lockdown rule asynchronously. So it needs to wait for @@ -1907,7 +1907,7 @@ public void testBlockIncomingPackets() throws Exception { Os.close(remoteUdpFd); }, /* cleanup */ () -> { runWithShellPermissionIdentity(() -> { - mCM.setRequireVpnForUids(false /* requireVpn */, lockdownRange); + mCM.setRequireVpnForUids2(false /* requireVpn */, lockdownRange, lockdownRange); }, NETWORK_SETTINGS); }); } diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java index bb13c304ec..3670a5fcea 100644 --- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java +++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java @@ -504,7 +504,7 @@ * Tests for {@link ConnectivityService}. * * Build, install and run with: - * runtest frameworks-net -c com.android.server.ConnectivityServiceTest + * atest -c ConnectivityCoverageTests:android.net.connectivity.com.android.server.ConnectivityServiceTest */ // TODO : move methods from this test to smaller tests in the 'connectivityservice' directory // to enable faster testing of smaller groups of functionality. @@ -9853,7 +9853,12 @@ public void testLockdownVpnWithRestrictedProfiles() throws Exception { excludedUids.add(toSdkSandboxUid(VPN_UID)); } final List> primaryRanges = intRangesPrimaryExcludingUids(excludedUids); - mCm.setRequireVpnForUids(true, primaryRanges); + + final List strictExcludedUids = new ArrayList<>(); + final List> strictPrimaryRanges = intRangesPrimaryExcludingUids( + strictExcludedUids); + + mCm.setRequireVpnForUids2(true, primaryRanges, strictPrimaryRanges); waitForIdle(); assertNull(mCm.getActiveNetworkForUid(uid)); @@ -9868,7 +9873,9 @@ public void testLockdownVpnWithRestrictedProfiles() throws Exception { // This is equivalent to `mMockVpn.onUserAdded(RESTRICTED_USER);`, coverage in VpnTest. final List> restrictedRanges = intRangesExcludingUids(RESTRICTED_USER, excludedUids); - mCm.setRequireVpnForUids(true, restrictedRanges); + final List> strictRestrictedRanges = + intRangesExcludingUids(RESTRICTED_USER, strictExcludedUids); + mCm.setRequireVpnForUids2(true, restrictedRanges, strictRestrictedRanges); waitForIdle(); assertNull(mCm.getActiveNetworkForUid(uid)); @@ -9877,13 +9884,13 @@ public void testLockdownVpnWithRestrictedProfiles() throws Exception { // Stop the restricted profile, and check that the UID within it has network access again. // Remove the restricted user. // This is equivalent to `mMockVpn.onUserRemoved(RESTRICTED_USER);`, coverage in VpnTest. - mCm.setRequireVpnForUids(false, restrictedRanges); + mCm.setRequireVpnForUids2(false, restrictedRanges, strictRestrictedRanges); waitForIdle(); assertNull(mCm.getActiveNetworkForUid(uid)); assertNotNull(mCm.getActiveNetworkForUid(restrictedUid)); - mCm.setRequireVpnForUids(false, primaryRanges); + mCm.setRequireVpnForUids2(false, primaryRanges, strictPrimaryRanges); waitForIdle(); } @@ -10362,6 +10369,7 @@ public void testNetworkBlockedStatusAlwaysOnVpn() throws Exception { // Enable always-on VPN lockdown, coverage in VpnTest. final List excludedUids = new ArrayList(); + final List strictExcludedUids = new ArrayList<>(); excludedUids.add(VPN_UID); if (mDeps.isAtLeastT()) { // On T onwards, the corresponding SDK sandbox UID should also be excluded @@ -10369,12 +10377,17 @@ public void testNetworkBlockedStatusAlwaysOnVpn() throws Exception { } final List> primaryRanges = intRangesPrimaryExcludingUids(excludedUids); - mCm.setRequireVpnForUids(true, primaryRanges); + final List> strictPrimaryRanges = intRangesPrimaryExcludingUids( + strictExcludedUids); + + mCm.setRequireVpnForUids2(true, primaryRanges, strictPrimaryRanges); + waitForIdle(); - final UidRangeParcel[] uidRangeParcels = intToUidRangeStableParcels(primaryRanges); + final UidRangeParcel[] strictUidRangeParcels = intToUidRangeStableParcels( + strictPrimaryRanges); InOrder inOrder = inOrder(mMockNetd); - expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels); + expectNetworkRejectNonSecureVpn(inOrder, true, strictUidRangeParcels); // Connect a network when lockdown is active, expect to see it blocked. mWiFiAgent = new TestNetworkAgentWrapper(TRANSPORT_WIFI); @@ -10392,14 +10405,14 @@ public void testNetworkBlockedStatusAlwaysOnVpn() throws Exception { assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED); // Disable lockdown, expect to see the network unblocked. - mCm.setRequireVpnForUids(false, primaryRanges); + mCm.setRequireVpnForUids2(false, primaryRanges, strictPrimaryRanges); waitForIdle(); callback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked()); defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked()); vpnUidCallback.assertNoCallback(); vpnUidDefaultCallback.assertNoCallback(); vpnDefaultCallbackAsUid.assertNoCallback(); - expectNetworkRejectNonSecureVpn(inOrder, false, uidRangeParcels); + expectNetworkRejectNonSecureVpn(inOrder, false, strictUidRangeParcels); assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID)); assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetwork()); assertActiveNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED); @@ -10408,13 +10421,18 @@ public void testNetworkBlockedStatusAlwaysOnVpn() throws Exception { // Add our UID to the allowlist, expect network is not blocked. Coverage in VpnTest. excludedUids.add(uid); + strictExcludedUids.add(uid); if (mDeps.isAtLeastT()) { // On T onwards, the corresponding SDK sandbox UID should also be excluded excludedUids.add(toSdkSandboxUid(uid)); + strictExcludedUids.add(toSdkSandboxUid(uid)); } final List> primaryRangesExcludingUid = intRangesPrimaryExcludingUids(excludedUids); - mCm.setRequireVpnForUids(true, primaryRangesExcludingUid); + final List> strictPrimaryRangesExcludingUid = + intRangesPrimaryExcludingUids(strictExcludedUids); + mCm.setRequireVpnForUids2(true, primaryRangesExcludingUid, + strictPrimaryRangesExcludingUid); waitForIdle(); callback.assertNoCallback(); @@ -10423,9 +10441,9 @@ public void testNetworkBlockedStatusAlwaysOnVpn() throws Exception { vpnUidDefaultCallback.assertNoCallback(); vpnDefaultCallbackAsUid.assertNoCallback(); - final UidRangeParcel[] uidRangeParcelsAlsoExcludingUs = - intToUidRangeStableParcels(primaryRangesExcludingUid); - expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcelsAlsoExcludingUs); + final UidRangeParcel[] strictUidRangeParcelsAlsoExcludingUs = + intToUidRangeStableParcels(strictPrimaryRangesExcludingUid); + expectNetworkRejectNonSecureVpn(inOrder, true, strictUidRangeParcelsAlsoExcludingUs); assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID)); assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetwork()); assertActiveNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED); @@ -10448,13 +10466,14 @@ public void testNetworkBlockedStatusAlwaysOnVpn() throws Exception { assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED); // Disable lockdown - mCm.setRequireVpnForUids(false, primaryRangesExcludingUid); + mCm.setRequireVpnForUids2(false, primaryRangesExcludingUid, + strictPrimaryRangesExcludingUid); waitForIdle(); - expectNetworkRejectNonSecureVpn(inOrder, false, uidRangeParcelsAlsoExcludingUs); + expectNetworkRejectNonSecureVpn(inOrder, false, strictUidRangeParcelsAlsoExcludingUs); // Remove our UID from the allowlist, and re-enable lockdown. - mCm.setRequireVpnForUids(true, primaryRanges); + mCm.setRequireVpnForUids2(true, primaryRanges, strictPrimaryRanges); waitForIdle(); - expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels); + expectNetworkRejectNonSecureVpn(inOrder, true, strictUidRangeParcels); // Everything should now be blocked. defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked()); assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent); @@ -10468,7 +10487,7 @@ public void testNetworkBlockedStatusAlwaysOnVpn() throws Exception { assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED); // Disable lockdown. Everything is unblocked. - mCm.setRequireVpnForUids(false, primaryRanges); + mCm.setRequireVpnForUids2(false, primaryRanges, strictPrimaryRanges); defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked()); assertBlockedCallbackInAnyOrder(callback, false, mWiFiAgent, mCellAgent); vpnUidCallback.assertNoCallback(); @@ -10481,7 +10500,7 @@ public void testNetworkBlockedStatusAlwaysOnVpn() throws Exception { assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED); // Enable lockdown and connect a VPN. The VPN is not blocked. - mCm.setRequireVpnForUids(true, primaryRanges); + mCm.setRequireVpnForUids2(true, primaryRanges, strictPrimaryRanges); defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked()); assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent); vpnUidCallback.assertNoCallback(); @@ -10598,7 +10617,7 @@ private void doTestLockdownVpn(boolean isIkev2Vpn) mCm.setLegacyLockdownVpnEnabled(true); final List> ranges = intRangesPrimaryExcludingUids(Collections.EMPTY_LIST /* excludedeUids */); - mCm.setRequireVpnForUids(true /* requireVpn */, ranges); + mCm.setRequireVpnForUids2(true /* requireVpn */, ranges, ranges); // Bring up a network. final LinkProperties cellLp = new LinkProperties(); @@ -10805,7 +10824,7 @@ public void testLockdownSetFirewallUidRule() throws Exception { final List> lockdownRange = intRangesPrimaryExcludingUids(Collections.EMPTY_LIST /* excludedeUids */); // Enable Lockdown - mCm.setRequireVpnForUids(true /* requireVpn */, lockdownRange); + mCm.setRequireVpnForUids2(true /* requireVpn */, lockdownRange, lockdownRange); waitForIdle(); // Lockdown rule is set to apps uids @@ -10817,7 +10836,7 @@ public void testLockdownSetFirewallUidRule() throws Exception { reset(mBpfNetMaps); // Disable lockdown - mCm.setRequireVpnForUids(false /* requireVPN */, lockdownRange); + mCm.setRequireVpnForUids2(false /* requireVPN */, lockdownRange, lockdownRange); waitForIdle(); // Lockdown rule is removed from apps uids diff --git a/tests/unit/java/com/android/server/connectivity/PermissionMonitorTest.java b/tests/unit/java/com/android/server/connectivity/PermissionMonitorTest.java index 83269bdb05..2b58486648 100644 --- a/tests/unit/java/com/android/server/connectivity/PermissionMonitorTest.java +++ b/tests/unit/java/com/android/server/connectivity/PermissionMonitorTest.java @@ -381,13 +381,15 @@ private void onExternalApplicationsAvailable(String [] pkgList) { } private void sendAppIdsTrafficPermission(SparseIntArray netdPermissionsAppIds) { - processOnHandlerThread(() -> - mPermissionMonitor.sendAppIdsTrafficPermission(netdPermissionsAppIds)); + // This method has been replaced by sendUidsTrafficPermission. + //processOnHandlerThread(() -> + // mPermissionMonitor.sendAppIdsTrafficPermission(netdPermissionsAppIds)); } private void sendPackagePermissionsForAppId(int appId, int permissions) { - processOnHandlerThread(() -> - mPermissionMonitor.sendPackagePermissionsForAppId(appId, permissions)); + // This method has been replaced by sendPackagePermissionsForUid. + //processOnHandlerThread(() -> + // mPermissionMonitor.sendPackagePermissionsForAppId(appId, permissions)); } private void addPackage(String packageName, int uid, String... permissions) throws Exception {