package com.android.server.connectivity;

import android.Manifest;
import android.app.AppOpsManager;
import android.app.Notification;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.app.StatsManager;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.ServiceConnection;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.content.pm.UserInfo;
import android.hardware.audio.common.V2_0.AudioFormat;
import android.media.MediaMetrics;
import android.net.ConnectivityManager;
import android.net.DnsResolver;
import android.net.INetd;
import android.net.INetworkManagementEventObserver;
import android.net.Ikev2VpnProfile;
import android.net.InetAddresses;
import android.net.IpPrefix;
import android.net.IpSecManager;
import android.net.IpSecTransform;
import android.net.LinkAddress;
import android.net.LinkProperties;
import android.net.LocalSocket;
import android.net.LocalSocketAddress;
import android.net.Network;
import android.net.NetworkAgent;
import android.net.NetworkAgentConfig;
import android.net.NetworkCapabilities;
import android.net.NetworkInfo;
import android.net.NetworkProvider;
import android.net.NetworkRequest;
import android.net.NetworkScore;
import android.net.RouteInfo;
import android.net.UidRangeParcel;
import android.net.UnderlyingNetworkInfo;
import android.net.VpnService;
import android.net.VpnTransportInfo;
import android.net.ipsec.ike.ChildSessionCallback;
import android.net.ipsec.ike.ChildSessionConfiguration;
import android.net.ipsec.ike.ChildSessionParams;
import android.net.ipsec.ike.IkeSession;
import android.net.ipsec.ike.IkeSessionCallback;
import android.net.ipsec.ike.IkeSessionParams;
import android.net.ipsec.ike.exceptions.IkeProtocolException;
import android.os.Binder;
import android.os.Bundle;
import android.os.CancellationSignal;
import android.os.FileUtils;
import android.os.IBinder;
import android.os.INetworkManagementService;
import android.os.Looper;
import android.os.Parcel;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.os.RemoteException;
import android.os.SystemClock;
import android.os.SystemService;
import android.os.UserHandle;
import android.os.UserManager;
import android.provider.Settings;
import android.security.Credentials;
import android.security.KeyStore2;
import android.security.KeyStoreException;
import android.system.keystore2.KeyDescriptor;
import android.text.TextUtils;
import android.util.ArraySet;
import android.util.Log;
import android.util.Range;
import com.android.internal.R;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.net.LegacyVpnInfo;
import com.android.internal.net.VpnConfig;
import com.android.internal.net.VpnProfile;
import com.android.internal.util.Preconditions;
import com.android.net.module.util.NetdUtils;
import com.android.net.module.util.NetworkStackConstants;
import com.android.server.DeviceIdleInternal;
import com.android.server.LocalServices;
import com.android.server.connectivity.VpnIkev2Utils;
import com.android.server.net.BaseNetworkObserver;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executor;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.atomic.AtomicInteger;
import libcore.io.IoUtils;

/* loaded from: input_file:com/android/server/connectivity/Vpn.class */
public class Vpn {
    private static final String NETWORKTYPE = "VPN";
    private static final String TAG = "Vpn";
    private static final String VPN_PROVIDER_NAME_BASE = "VpnNetworkProvider:";
    private static final boolean LOGD = true;
    private static final String ANDROID_KEYSTORE_PROVIDER = "AndroidKeyStore";
    private static final long VPN_LAUNCH_IDLE_ALLOWLIST_DURATION_MS = 60000;
    private static final String LOCKDOWN_ALLOWLIST_SETTING_NAME = "always_on_vpn_lockdown_whitelist";

    @VisibleForTesting
    static final int MAX_VPN_PROFILE_SIZE_BYTES = 131072;
    private static final int VPN_DEFAULT_SCORE = 101;
    private final Context mContext;
    private final ConnectivityManager mConnectivityManager;
    private final Context mUserIdContext;

    @VisibleForTesting
    final Dependencies mDeps;
    private final NetworkInfo mNetworkInfo;
    private int mLegacyState;

    @VisibleForTesting
    protected String mPackage;
    private int mOwnerUID;
    private boolean mIsPackageTargetingAtLeastQ;

    @VisibleForTesting
    protected String mInterface;
    private Connection mConnection;

    @VisibleForTesting
    protected VpnRunner mVpnRunner;
    private PendingIntent mStatusIntent;
    private volatile boolean mEnableTeardown;
    private final INetworkManagementService mNms;
    private final INetd mNetd;

    @VisibleForTesting
    protected VpnConfig mConfig;
    private final NetworkProvider mNetworkProvider;

    @VisibleForTesting
    protected NetworkAgent mNetworkAgent;
    private final Looper mLooper;

    @VisibleForTesting
    protected NetworkCapabilities mNetworkCapabilities;
    private final SystemServices mSystemServices;
    private final Ikev2SessionCreator mIkev2SessionCreator;
    private final UserManager mUserManager;
    private final VpnProfileStore mVpnProfileStore;

    @VisibleForTesting
    protected boolean mAlwaysOn;

    @VisibleForTesting
    protected boolean mLockdown;
    private List<String> mLockdownAllowlist;

    @GuardedBy({"this"})
    private final Set<UidRangeParcel> mBlockedUidsAsToldToConnectivity;
    private final int mUserId;
    private INetworkManagementEventObserver mObserver;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/server/connectivity/Vpn$Connection.class */
    public class Connection implements ServiceConnection {
        private IBinder mService;

        private Connection() {
        }

        @Override // android.content.ServiceConnection
        public void onServiceConnected(ComponentName componentName, IBinder iBinder) {
            this.mService = iBinder;
        }

        @Override // android.content.ServiceConnection
        public void onServiceDisconnected(ComponentName componentName) {
            this.mService = null;
        }
    }

    @VisibleForTesting
    /* loaded from: input_file:com/android/server/connectivity/Vpn$Dependencies.class */
    public static class Dependencies {
        public boolean isCallerSystem() {
            return Binder.getCallingUid() == 1000;
        }

        public void startService(String str) {
            SystemService.start(str);
        }

        public void stopService(String str) {
            SystemService.stop(str);
        }

        public boolean isServiceRunning(String str) {
            return SystemService.isRunning(str);
        }

        public boolean isServiceStopped(String str) {
            return SystemService.isStopped(str);
        }

        public File getStateFile() {
            return new File("/data/misc/vpn/state");
        }

        public DeviceIdleInternal getDeviceIdleInternal() {
            return (DeviceIdleInternal) LocalServices.getService(DeviceIdleInternal.class);
        }

        public PendingIntent getIntentForStatusPanel(Context context) {
            return VpnConfig.getIntentForStatusPanel(context);
        }

        public void sendArgumentsToDaemon(String str, LocalSocket localSocket, String[] strArr, RetryScheduler retryScheduler) throws IOException, InterruptedException {
            LocalSocketAddress localSocketAddress = new LocalSocketAddress(str, LocalSocketAddress.Namespace.RESERVED);
            while (true) {
                try {
                    localSocket.connect(localSocketAddress);
                    break;
                } catch (Exception e) {
                    retryScheduler.checkInterruptAndDelay(true);
                }
            }
            localSocket.setSoTimeout(500);
            OutputStream outputStream = localSocket.getOutputStream();
            for (String str2 : strArr) {
                byte[] bytes = str2.getBytes(StandardCharsets.UTF_8);
                if (bytes.length >= 65535) {
                    throw new IllegalArgumentException("Argument is too large");
                }
                outputStream.write(bytes.length >> 8);
                outputStream.write(bytes.length);
                outputStream.write(bytes);
                retryScheduler.checkInterruptAndDelay(false);
            }
            outputStream.write(255);
            outputStream.write(255);
            InputStream inputStream = localSocket.getInputStream();
            while (inputStream.read() != -1) {
                retryScheduler.checkInterruptAndDelay(true);
            }
        }

        public InetAddress resolve(final String str) throws ExecutionException, InterruptedException {
            try {
                return InetAddresses.parseNumericAddress(str);
            } catch (IllegalArgumentException e) {
                CancellationSignal cancellationSignal = new CancellationSignal();
                try {
                    DnsResolver dnsResolver = DnsResolver.getInstance();
                    final CompletableFuture completableFuture = new CompletableFuture();
                    dnsResolver.query(null, str, 0, runnable -> {
                        runnable.run();
                    }, cancellationSignal, new DnsResolver.Callback<List<InetAddress>>() { // from class: com.android.server.connectivity.Vpn.Dependencies.1
                        @Override // android.net.DnsResolver.Callback
                        public void onAnswer(List<InetAddress> list, int i) {
                            if (list.size() > 0) {
                                completableFuture.complete(list.get(0));
                            } else {
                                completableFuture.completeExceptionally(new UnknownHostException(str));
                            }
                        }

                        @Override // android.net.DnsResolver.Callback
                        public void onError(DnsResolver.DnsException dnsException) {
                            Log.e(Vpn.TAG, "Async dns resolver error : " + dnsException);
                            completableFuture.completeExceptionally(new UnknownHostException(str));
                        }
                    });
                    return (InetAddress) completableFuture.get();
                } catch (InterruptedException e2) {
                    Log.e(Vpn.TAG, "Legacy VPN was interrupted while resolving the endpoint", e2);
                    cancellationSignal.cancel();
                    throw e2;
                } catch (ExecutionException e3) {
                    Log.e(Vpn.TAG, "Cannot resolve VPN endpoint : " + str + MediaMetrics.SEPARATOR, e3);
                    throw e3;
                }
            }
        }

        public boolean isInterfacePresent(Vpn vpn, String str) {
            return vpn.jniCheck(str) != 0;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/connectivity/Vpn$IkeV2VpnRunner.class */
    public class IkeV2VpnRunner extends VpnRunner implements IkeV2VpnRunnerCallback {
        private static final String TAG = "IkeV2VpnRunner";
        private final IpSecManager mIpSecManager;
        private final Ikev2VpnProfile mProfile;
        private final ConnectivityManager.NetworkCallback mNetworkCallback;
        private final ExecutorService mExecutor;
        private boolean mIsRunning;
        private IpSecManager.IpSecTunnelInterface mTunnelIface;
        private IkeSession mSession;
        private Network mActiveNetwork;

        IkeV2VpnRunner(Ikev2VpnProfile ikev2VpnProfile) {
            super(TAG);
            this.mExecutor = Executors.newSingleThreadExecutor();
            this.mIsRunning = true;
            this.mProfile = ikev2VpnProfile;
            this.mIpSecManager = (IpSecManager) Vpn.this.mContext.getSystemService("ipsec");
            this.mNetworkCallback = new VpnIkev2Utils.Ikev2VpnNetworkCallback(TAG, this);
        }

        @Override // com.android.server.connectivity.Vpn.VpnRunner, java.lang.Thread, java.lang.Runnable
        public void run() {
            Vpn.this.mConnectivityManager.requestNetwork(this.mProfile.isRestrictedToTestNetworks() ? new NetworkRequest.Builder().clearCapabilities().addTransportType(7).build() : new NetworkRequest.Builder().addCapability(12).build(), this.mNetworkCallback);
        }

        private boolean isActiveNetwork(Network network) {
            return Objects.equals(this.mActiveNetwork, network) && this.mIsRunning;
        }

        @Override // com.android.server.connectivity.Vpn.IkeV2VpnRunnerCallback
        public void onChildOpened(Network network, ChildSessionConfiguration childSessionConfiguration) {
            if (!isActiveNetwork(network)) {
                Log.d(TAG, "onOpened called for obsolete network " + network);
                return;
            }
            try {
                String interfaceName = this.mTunnelIface.getInterfaceName();
                int maxMtu = this.mProfile.getMaxMtu();
                List<LinkAddress> internalAddresses = childSessionConfiguration.getInternalAddresses();
                ArrayList arrayList = new ArrayList();
                Collection<RouteInfo> routesFromTrafficSelectors = VpnIkev2Utils.getRoutesFromTrafficSelectors(childSessionConfiguration.getOutboundTrafficSelectors());
                for (LinkAddress linkAddress : internalAddresses) {
                    this.mTunnelIface.addAddress(linkAddress.getAddress(), linkAddress.getPrefixLength());
                }
                Iterator<InetAddress> it = childSessionConfiguration.getInternalDnsServers().iterator();
                while (it.hasNext()) {
                    arrayList.add(it.next().getHostAddress());
                }
                synchronized (Vpn.this) {
                    Vpn.this.mInterface = interfaceName;
                    Vpn.this.mConfig.mtu = maxMtu;
                    Vpn.this.mConfig.interfaze = Vpn.this.mInterface;
                    Vpn.this.mConfig.addresses.clear();
                    Vpn.this.mConfig.addresses.addAll(internalAddresses);
                    Vpn.this.mConfig.routes.clear();
                    Vpn.this.mConfig.routes.addAll(routesFromTrafficSelectors);
                    if (Vpn.this.mConfig.dnsServers == null) {
                        Vpn.this.mConfig.dnsServers = new ArrayList();
                    }
                    Vpn.this.mConfig.dnsServers.clear();
                    Vpn.this.mConfig.dnsServers.addAll(arrayList);
                    Vpn.this.mConfig.underlyingNetworks = new Network[]{network};
                    NetworkAgent networkAgent = Vpn.this.mNetworkAgent;
                    if (networkAgent == null) {
                        if (Vpn.this.isSettingsVpnLocked()) {
                            Vpn.this.prepareStatusIntent();
                        }
                        Vpn.this.agentConnect();
                    } else {
                        networkAgent.setUnderlyingNetworks(Collections.singletonList(network));
                        networkAgent.sendLinkProperties(Vpn.this.makeLinkProperties());
                    }
                }
            } catch (Exception e) {
                Log.d(TAG, "Error in ChildOpened for network " + network, e);
                onSessionLost(network, e);
            }
        }

        @Override // com.android.server.connectivity.Vpn.IkeV2VpnRunnerCallback
        public void onChildTransformCreated(Network network, IpSecTransform ipSecTransform, int i) {
            if (!isActiveNetwork(network)) {
                Log.d(TAG, "ChildTransformCreated for obsolete network " + network);
                return;
            }
            try {
                this.mIpSecManager.applyTunnelModeTransform(this.mTunnelIface, i, ipSecTransform);
            } catch (IOException e) {
                Log.d(TAG, "Transform application failed for network " + network, e);
                onSessionLost(network, e);
            }
        }

        @Override // com.android.server.connectivity.Vpn.IkeV2VpnRunnerCallback
        public void onDefaultNetworkChanged(Network network) {
            Log.d(TAG, "Starting IKEv2/IPsec session on new network: " + network);
            this.mExecutor.execute(() -> {
                try {
                    if (!this.mIsRunning) {
                        Log.d(TAG, "onDefaultNetworkChanged after exit");
                        return;
                    }
                    resetIkeState();
                    this.mActiveNetwork = network;
                    IkeSessionParams buildIkeSessionParams = VpnIkev2Utils.buildIkeSessionParams(Vpn.this.mContext, this.mProfile, network);
                    ChildSessionParams buildChildSessionParams = VpnIkev2Utils.buildChildSessionParams(this.mProfile.getAllowedAlgorithms());
                    InetAddress localHost = InetAddress.getLocalHost();
                    this.mTunnelIface = this.mIpSecManager.createIpSecTunnelInterface(localHost, localHost, network);
                    NetdUtils.setInterfaceUp(Vpn.this.mNetd, this.mTunnelIface.getInterfaceName());
                    this.mSession = Vpn.this.mIkev2SessionCreator.createIkeSession(Vpn.this.mContext, buildIkeSessionParams, buildChildSessionParams, this.mExecutor, new VpnIkev2Utils.IkeSessionCallbackImpl(TAG, this, network), new VpnIkev2Utils.ChildSessionCallbackImpl(TAG, this, network));
                    Log.d(TAG, "Ike Session started for network " + network);
                } catch (Exception e) {
                    Log.i(TAG, "Setup failed for network " + network + ". Aborting", e);
                    onSessionLost(network, e);
                }
            });
        }

        private void markFailedAndDisconnect(Exception exc) {
            synchronized (Vpn.this) {
                Vpn.this.updateState(NetworkInfo.DetailedState.FAILED, exc.getMessage());
            }
            disconnectVpnRunner();
        }

        @Override // com.android.server.connectivity.Vpn.IkeV2VpnRunnerCallback
        public void onSessionLost(Network network, Exception exc) {
            if (!isActiveNetwork(network)) {
                Log.d(TAG, "onSessionLost() called for obsolete network " + network);
                return;
            }
            if (exc instanceof IkeProtocolException) {
                switch (((IkeProtocolException) exc).getErrorType()) {
                    case 14:
                    case 17:
                    case 24:
                    case 34:
                    case 37:
                    case 38:
                        markFailedAndDisconnect(exc);
                        return;
                }
            } else if (exc instanceof IllegalArgumentException) {
                markFailedAndDisconnect(exc);
                return;
            }
            this.mActiveNetwork = null;
            Log.d(TAG, "Resetting state for network: " + network);
            synchronized (Vpn.this) {
                Vpn.this.mInterface = null;
                if (Vpn.this.mConfig != null) {
                    Vpn.this.mConfig.interfaze = null;
                    if (Vpn.this.mConfig.routes != null) {
                        ArrayList arrayList = new ArrayList(Vpn.this.mConfig.routes);
                        Vpn.this.mConfig.routes.clear();
                        Iterator it = arrayList.iterator();
                        while (it.hasNext()) {
                            Vpn.this.mConfig.routes.add(new RouteInfo(((RouteInfo) it.next()).getDestination(), null, null, 7));
                        }
                        if (Vpn.this.mNetworkAgent != null) {
                            Vpn.this.mNetworkAgent.sendLinkProperties(Vpn.this.makeLinkProperties());
                        }
                    }
                }
            }
            resetIkeState();
        }

        private void resetIkeState() {
            if (this.mTunnelIface != null) {
                this.mTunnelIface.close();
                this.mTunnelIface = null;
            }
            if (this.mSession != null) {
                this.mSession.kill();
                this.mSession = null;
            }
        }

        private void disconnectVpnRunner() {
            this.mActiveNetwork = null;
            this.mIsRunning = false;
            resetIkeState();
            Vpn.this.mConnectivityManager.unregisterNetworkCallback(this.mNetworkCallback);
            this.mExecutor.shutdown();
        }

        @Override // com.android.server.connectivity.Vpn.VpnRunner
        public void exitVpnRunner() {
            try {
                this.mExecutor.execute(() -> {
                    disconnectVpnRunner();
                });
            } catch (RejectedExecutionException e) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/connectivity/Vpn$IkeV2VpnRunnerCallback.class */
    public interface IkeV2VpnRunnerCallback {
        void onDefaultNetworkChanged(Network network);

        void onChildOpened(Network network, ChildSessionConfiguration childSessionConfiguration);

        void onChildTransformCreated(Network network, IpSecTransform ipSecTransform, int i);

        void onSessionLost(Network network, Exception exc);
    }

    @VisibleForTesting
    /* loaded from: input_file:com/android/server/connectivity/Vpn$Ikev2SessionCreator.class */
    public static class Ikev2SessionCreator {
        public IkeSession createIkeSession(Context context, IkeSessionParams ikeSessionParams, ChildSessionParams childSessionParams, Executor executor, IkeSessionCallback ikeSessionCallback, ChildSessionCallback childSessionCallback) {
            return new IkeSession(context, ikeSessionParams, childSessionParams, executor, ikeSessionCallback, childSessionCallback);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/server/connectivity/Vpn$LegacyVpnRunner.class */
    public class LegacyVpnRunner extends VpnRunner {
        private static final String TAG = "LegacyVpnRunner";
        private final String[] mDaemons;
        private final String[][] mArguments;
        private final LocalSocket[] mSockets;
        private final String mOuterInterface;
        private final AtomicInteger mOuterConnection;
        private final VpnProfile mProfile;
        private long mBringupStartTime;
        private final BroadcastReceiver mBroadcastReceiver;

        /* JADX WARN: Type inference failed for: r1v10, types: [java.lang.String[], java.lang.String[][]] */
        LegacyVpnRunner(VpnConfig vpnConfig, String[] strArr, String[] strArr2, VpnProfile vpnProfile) {
            super(TAG);
            NetworkInfo networkInfo;
            this.mOuterConnection = new AtomicInteger(-1);
            this.mBringupStartTime = -1L;
            this.mBroadcastReceiver = new BroadcastReceiver() { // from class: com.android.server.connectivity.Vpn.LegacyVpnRunner.1
                @Override // android.content.BroadcastReceiver
                public void onReceive(Context context, Intent intent) {
                    NetworkInfo networkInfo2;
                    if (Vpn.this.mEnableTeardown && intent.getAction().equals(ConnectivityManager.CONNECTIVITY_ACTION) && intent.getIntExtra("networkType", -1) == LegacyVpnRunner.this.mOuterConnection.get() && (networkInfo2 = (NetworkInfo) intent.getExtra("networkInfo")) != null && !networkInfo2.isConnectedOrConnecting()) {
                        try {
                            Vpn.this.mObserver.interfaceStatusChanged(LegacyVpnRunner.this.mOuterInterface, false);
                        } catch (RemoteException e) {
                        }
                    }
                }
            };
            Preconditions.checkArgument((strArr == null && strArr2 == null) ? false : true, "Arguments to racoon and mtpd must not both be null");
            Vpn.this.mConfig = vpnConfig;
            this.mDaemons = new String[]{"racoon", "mtpd"};
            this.mArguments = new String[]{strArr, strArr2};
            this.mSockets = new LocalSocket[this.mDaemons.length];
            this.mOuterInterface = Vpn.this.mConfig.interfaze;
            this.mProfile = vpnProfile;
            if (!TextUtils.isEmpty(this.mOuterInterface)) {
                Network[] allNetworks = Vpn.this.mConnectivityManager.getAllNetworks();
                int length = allNetworks.length;
                int i = 0;
                while (true) {
                    if (i < length) {
                        Network network = allNetworks[i];
                        LinkProperties linkProperties = Vpn.this.mConnectivityManager.getLinkProperties(network);
                        if (linkProperties != null && linkProperties.getAllInterfaceNames().contains(this.mOuterInterface) && (networkInfo = Vpn.this.mConnectivityManager.getNetworkInfo(network)) != null) {
                            this.mOuterConnection.set(networkInfo.getType());
                            break;
                        }
                        i++;
                    } else {
                        break;
                    }
                }
            }
            IntentFilter intentFilter = new IntentFilter();
            intentFilter.addAction(ConnectivityManager.CONNECTIVITY_ACTION);
            Vpn.this.mContext.registerReceiver(this.mBroadcastReceiver, intentFilter);
        }

        public void exitIfOuterInterfaceIs(String str) {
            if (str.equals(this.mOuterInterface)) {
                Log.i(TAG, "Legacy VPN is going down with " + str);
                exitVpnRunner();
            }
        }

        @Override // com.android.server.connectivity.Vpn.VpnRunner
        public void exitVpnRunner() {
            interrupt();
            Vpn.this.agentDisconnect();
            try {
                Vpn.this.mContext.unregisterReceiver(this.mBroadcastReceiver);
            } catch (IllegalArgumentException e) {
            }
        }

        @Override // com.android.server.connectivity.Vpn.VpnRunner, java.lang.Thread, java.lang.Runnable
        public void run() {
            Log.v(TAG, "Waiting");
            synchronized (TAG) {
                Log.v(TAG, "Executing");
                try {
                    bringup();
                    waitForDaemonsToStop();
                    interrupted();
                    for (LocalSocket localSocket : this.mSockets) {
                        IoUtils.closeQuietly(localSocket);
                    }
                    try {
                        Thread.sleep(50L);
                    } catch (InterruptedException e) {
                    }
                    for (String str : this.mDaemons) {
                        Vpn.this.mDeps.stopService(str);
                    }
                } catch (InterruptedException e2) {
                    for (LocalSocket localSocket2 : this.mSockets) {
                        IoUtils.closeQuietly(localSocket2);
                    }
                    try {
                        Thread.sleep(50L);
                    } catch (InterruptedException e3) {
                    }
                    for (String str2 : this.mDaemons) {
                        Vpn.this.mDeps.stopService(str2);
                    }
                } catch (Throwable th) {
                    for (LocalSocket localSocket3 : this.mSockets) {
                        IoUtils.closeQuietly(localSocket3);
                    }
                    try {
                        Thread.sleep(50L);
                    } catch (InterruptedException e4) {
                    }
                    for (String str3 : this.mDaemons) {
                        Vpn.this.mDeps.stopService(str3);
                    }
                    throw th;
                }
                Vpn.this.agentDisconnect();
            }
        }

        private void checkInterruptAndDelay(boolean z) throws InterruptedException {
            if (SystemClock.elapsedRealtime() - this.mBringupStartTime <= 60000) {
                Thread.sleep(z ? 200L : 1L);
            } else {
                Vpn.this.updateState(NetworkInfo.DetailedState.FAILED, "checkpoint");
                throw new IllegalStateException("VPN bringup took too long");
            }
        }

        private void checkAndFixupArguments(InetAddress inetAddress) {
            String hostAddress = inetAddress.getHostAddress();
            if (!"racoon".equals(this.mDaemons[0]) || !"mtpd".equals(this.mDaemons[1])) {
                throw new IllegalStateException("Unexpected daemons order");
            }
            if (this.mArguments[0] != null) {
                if (!this.mProfile.server.equals(this.mArguments[0][1])) {
                    throw new IllegalStateException("Invalid server argument for racoon");
                }
                this.mArguments[0][1] = hostAddress;
            }
            if (this.mArguments[1] != null) {
                if (!this.mProfile.server.equals(this.mArguments[1][2])) {
                    throw new IllegalStateException("Invalid server argument for mtpd");
                }
                this.mArguments[1][2] = hostAddress;
            }
        }

        private void bringup() {
            try {
                InetAddress resolve = Vpn.this.mDeps.resolve(this.mProfile.server);
                checkAndFixupArguments(resolve);
                this.mBringupStartTime = SystemClock.elapsedRealtime();
                for (String str : this.mDaemons) {
                    while (!Vpn.this.mDeps.isServiceStopped(str)) {
                        checkInterruptAndDelay(true);
                    }
                }
                File stateFile = Vpn.this.mDeps.getStateFile();
                stateFile.delete();
                if (stateFile.exists()) {
                    throw new IllegalStateException("Cannot delete the state");
                }
                new File("/data/misc/vpn/abort").delete();
                Vpn.this.updateState(NetworkInfo.DetailedState.CONNECTING, "execute");
                for (int i = 0; i < this.mDaemons.length; i++) {
                    String[] strArr = this.mArguments[i];
                    if (strArr != null) {
                        String str2 = this.mDaemons[i];
                        Vpn.this.mDeps.startService(str2);
                        while (!Vpn.this.mDeps.isServiceRunning(str2)) {
                            checkInterruptAndDelay(true);
                        }
                        this.mSockets[i] = new LocalSocket();
                        Vpn.this.mDeps.sendArgumentsToDaemon(str2, this.mSockets[i], strArr, this::checkInterruptAndDelay);
                    }
                }
                while (!stateFile.exists()) {
                    for (int i2 = 0; i2 < this.mDaemons.length; i2++) {
                        String str3 = this.mDaemons[i2];
                        if (this.mArguments[i2] != null && !Vpn.this.mDeps.isServiceRunning(str3)) {
                            throw new IllegalStateException(str3 + " is dead");
                        }
                    }
                    checkInterruptAndDelay(true);
                }
                String[] split = FileUtils.readTextFile(stateFile, 0, null).split("\n", -1);
                if (split.length != 7) {
                    throw new IllegalStateException("Cannot parse the state: '" + String.join("', '", split) + "'");
                }
                Vpn.this.mConfig.interfaze = split[0].trim();
                Vpn.this.mConfig.addLegacyAddresses(split[1]);
                if (Vpn.this.mConfig.routes == null || Vpn.this.mConfig.routes.isEmpty()) {
                    Vpn.this.mConfig.addLegacyRoutes(split[2]);
                }
                if (Vpn.this.mConfig.dnsServers == null || Vpn.this.mConfig.dnsServers.size() == 0) {
                    String trim = split[3].trim();
                    if (!trim.isEmpty()) {
                        Vpn.this.mConfig.dnsServers = Arrays.asList(trim.split(" "));
                    }
                }
                if (Vpn.this.mConfig.searchDomains == null || Vpn.this.mConfig.searchDomains.size() == 0) {
                    String trim2 = split[4].trim();
                    if (!trim2.isEmpty()) {
                        Vpn.this.mConfig.searchDomains = Arrays.asList(trim2.split(" "));
                    }
                }
                if (resolve instanceof Inet4Address) {
                    Vpn.this.mConfig.routes.add(new RouteInfo(new IpPrefix(resolve, 32), null, null, 9));
                } else if (resolve instanceof Inet6Address) {
                    Vpn.this.mConfig.routes.add(new RouteInfo(new IpPrefix(resolve, 128), null, null, 9));
                } else {
                    Log.e(TAG, "Unknown IP address family for VPN endpoint: " + resolve);
                }
                synchronized (Vpn.this) {
                    Vpn.this.mConfig.startTime = SystemClock.elapsedRealtime();
                    checkInterruptAndDelay(false);
                    if (!Vpn.this.mDeps.isInterfacePresent(Vpn.this, Vpn.this.mConfig.interfaze)) {
                        throw new IllegalStateException(Vpn.this.mConfig.interfaze + " is gone");
                    }
                    Vpn.this.mInterface = Vpn.this.mConfig.interfaze;
                    Vpn.this.prepareStatusIntent();
                    Vpn.this.agentConnect();
                    Log.i(TAG, "Connected!");
                }
            } catch (Exception e) {
                Log.i(TAG, "Aborting", e);
                Vpn.this.updateState(NetworkInfo.DetailedState.FAILED, e.getMessage());
                exitVpnRunner();
            }
        }

        private void waitForDaemonsToStop() throws InterruptedException {
            if (!Vpn.this.mNetworkInfo.isConnected()) {
                return;
            }
            while (true) {
                Thread.sleep(StatsManager.DEFAULT_TIMEOUT_MILLIS);
                for (int i = 0; i < this.mDaemons.length; i++) {
                    if (this.mArguments[i] != null && Vpn.this.mDeps.isServiceStopped(this.mDaemons[i])) {
                        return;
                    }
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/connectivity/Vpn$RetryScheduler.class */
    public interface RetryScheduler {
        void checkInterruptAndDelay(boolean z) throws InterruptedException;
    }

    @VisibleForTesting
    /* loaded from: input_file:com/android/server/connectivity/Vpn$SystemServices.class */
    public static class SystemServices {
        private final Context mContext;

        public SystemServices(Context context) {
            this.mContext = context;
        }

        public PendingIntent pendingIntentGetActivityAsUser(Intent intent, int i, UserHandle userHandle) {
            return PendingIntent.getActivity(this.mContext.createContextAsUser(userHandle, 0), 0, intent, i);
        }

        public void settingsSecurePutStringForUser(String str, String str2, int i) {
            Settings.Secure.putString(getContentResolverAsUser(i), str, str2);
        }

        public void settingsSecurePutIntForUser(String str, int i, int i2) {
            Settings.Secure.putInt(getContentResolverAsUser(i2), str, i);
        }

        public String settingsSecureGetStringForUser(String str, int i) {
            return Settings.Secure.getString(getContentResolverAsUser(i), str);
        }

        public int settingsSecureGetIntForUser(String str, int i, int i2) {
            return Settings.Secure.getInt(getContentResolverAsUser(i2), str, i);
        }

        private ContentResolver getContentResolverAsUser(int i) {
            return this.mContext.createContextAsUser(UserHandle.of(i), 0).getContentResolver();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/android/server/connectivity/Vpn$VpnRunner.class */
    public abstract class VpnRunner extends Thread {
        protected VpnRunner(String str) {
            super(str);
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public abstract void run();

        protected abstract void exitVpnRunner();

        protected final void exit() {
            synchronized (Vpn.this) {
                exitVpnRunner();
                Vpn.this.cleanupVpnStateLocked();
            }
        }
    }

    @VisibleForTesting
    VpnProfileStore getVpnProfileStore() {
        return this.mVpnProfileStore;
    }

    public Vpn(Looper looper, Context context, INetworkManagementService iNetworkManagementService, INetd iNetd, int i, VpnProfileStore vpnProfileStore) {
        this(looper, context, new Dependencies(), iNetworkManagementService, iNetd, i, vpnProfileStore, new SystemServices(context), new Ikev2SessionCreator());
    }

    @VisibleForTesting
    public Vpn(Looper looper, Context context, Dependencies dependencies, INetworkManagementService iNetworkManagementService, INetd iNetd, int i, VpnProfileStore vpnProfileStore) {
        this(looper, context, dependencies, iNetworkManagementService, iNetd, i, vpnProfileStore, new SystemServices(context), new Ikev2SessionCreator());
    }

    @VisibleForTesting
    protected Vpn(Looper looper, Context context, Dependencies dependencies, INetworkManagementService iNetworkManagementService, INetd iNetd, int i, VpnProfileStore vpnProfileStore, SystemServices systemServices, Ikev2SessionCreator ikev2SessionCreator) {
        this.mEnableTeardown = true;
        this.mAlwaysOn = false;
        this.mLockdown = false;
        this.mLockdownAllowlist = Collections.emptyList();
        this.mBlockedUidsAsToldToConnectivity = new ArraySet();
        this.mObserver = new BaseNetworkObserver() { // from class: com.android.server.connectivity.Vpn.2
            @Override // com.android.server.net.BaseNetworkObserver, android.net.INetworkManagementEventObserver
            public void interfaceStatusChanged(String str, boolean z) {
                synchronized (Vpn.this) {
                    if (!z) {
                        if (Vpn.this.mVpnRunner != null && (Vpn.this.mVpnRunner instanceof LegacyVpnRunner)) {
                            ((LegacyVpnRunner) Vpn.this.mVpnRunner).exitIfOuterInterfaceIs(str);
                        }
                    }
                }
            }

            @Override // com.android.server.net.BaseNetworkObserver, android.net.INetworkManagementEventObserver
            public void interfaceRemoved(String str) {
                synchronized (Vpn.this) {
                    if (str.equals(Vpn.this.mInterface) && Vpn.this.jniCheck(str) == 0) {
                        if (Vpn.this.mConnection != null) {
                            Vpn.this.mContext.unbindService(Vpn.this.mConnection);
                            Vpn.this.cleanupVpnStateLocked();
                        } else if (Vpn.this.mVpnRunner != null) {
                            Vpn.this.mVpnRunner.exit();
                        }
                    }
                }
            }
        };
        this.mVpnProfileStore = vpnProfileStore;
        this.mContext = context;
        this.mConnectivityManager = (ConnectivityManager) this.mContext.getSystemService(ConnectivityManager.class);
        this.mUserIdContext = context.createContextAsUser(UserHandle.of(i), 0);
        this.mDeps = dependencies;
        this.mNms = iNetworkManagementService;
        this.mNetd = iNetd;
        this.mUserId = i;
        this.mLooper = looper;
        this.mSystemServices = systemServices;
        this.mIkev2SessionCreator = ikev2SessionCreator;
        this.mUserManager = (UserManager) this.mContext.getSystemService(UserManager.class);
        this.mPackage = VpnConfig.LEGACY_VPN;
        this.mOwnerUID = getAppUid(this.mPackage, this.mUserId);
        this.mIsPackageTargetingAtLeastQ = doesPackageTargetAtLeastQ(this.mPackage);
        try {
            iNetworkManagementService.registerObserver(this.mObserver);
        } catch (RemoteException e) {
            Log.wtf(TAG, "Problem registering observer", e);
        }
        this.mNetworkProvider = new NetworkProvider(context, looper, VPN_PROVIDER_NAME_BASE + this.mUserId);
        this.mConnectivityManager.registerNetworkProvider(this.mNetworkProvider);
        this.mLegacyState = 0;
        this.mNetworkInfo = new NetworkInfo(17, 0, "VPN", "");
        this.mNetworkCapabilities = new NetworkCapabilities.Builder().addTransportType(4).removeCapability(15).addCapability(28).setTransportInfo(new VpnTransportInfo(-1, null)).build();
        loadAlwaysOnPackage();
    }

    public void setEnableTeardown(boolean z) {
        this.mEnableTeardown = z;
    }

    @VisibleForTesting
    public boolean getEnableTeardown() {
        return this.mEnableTeardown;
    }

    @VisibleForTesting
    @GuardedBy({"this"})
    protected void updateState(NetworkInfo.DetailedState detailedState, String str) {
        Log.d(TAG, "setting state=" + detailedState + ", reason=" + str);
        this.mLegacyState = LegacyVpnInfo.stateFromNetworkInfo(detailedState);
        this.mNetworkInfo.setDetailedState(detailedState, str, null);
        switch (detailedState) {
            case CONNECTED:
                if (null != this.mNetworkAgent) {
                    this.mNetworkAgent.markConnected();
                    break;
                }
                break;
            case DISCONNECTED:
            case FAILED:
                if (null != this.mNetworkAgent) {
                    this.mNetworkAgent.unregister();
                    this.mNetworkAgent = null;
                    break;
                }
                break;
            case CONNECTING:
                if (null != this.mNetworkAgent) {
                    throw new IllegalStateException("VPN can only go to CONNECTING state when the agent is null.");
                }
                break;
            default:
                throw new IllegalArgumentException("Illegal state argument " + detailedState);
        }
        updateAlwaysOnNotification(detailedState);
    }

    private void resetNetworkCapabilities() {
        this.mNetworkCapabilities = new NetworkCapabilities.Builder(this.mNetworkCapabilities).setUids(null).setTransportInfo(new VpnTransportInfo(-1, null)).build();
    }

    public synchronized void setLockdown(boolean z) {
        enforceControlPermissionOrInternalCaller();
        setVpnForcedLocked(z);
        this.mLockdown = z;
        if (this.mAlwaysOn) {
            saveAlwaysOnPackage();
        }
    }

    public String getPackage() {
        return this.mPackage;
    }

    public synchronized boolean getLockdown() {
        return this.mLockdown;
    }

    public synchronized boolean getAlwaysOn() {
        return this.mAlwaysOn;
    }

    public boolean isAlwaysOnPackageSupported(String str) {
        enforceSettingsPermission();
        if (str == null) {
            return false;
        }
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            if (getVpnProfilePrivileged(str) != null) {
                return true;
            }
            Binder.restoreCallingIdentity(clearCallingIdentity);
            PackageManager packageManager = this.mContext.getPackageManager();
            ApplicationInfo applicationInfo = null;
            try {
                applicationInfo = packageManager.getApplicationInfoAsUser(str, 0, this.mUserId);
            } catch (PackageManager.NameNotFoundException e) {
                Log.w(TAG, "Can't find \"" + str + "\" when checking always-on support");
            }
            if (applicationInfo == null || applicationInfo.targetSdkVersion < 24) {
                return false;
            }
            Intent intent = new Intent("android.net.VpnService");
            intent.setPackage(str);
            List<ResolveInfo> queryIntentServicesAsUser = packageManager.queryIntentServicesAsUser(intent, 128, this.mUserId);
            if (queryIntentServicesAsUser == null || queryIntentServicesAsUser.size() == 0) {
                return false;
            }
            Iterator<ResolveInfo> it = queryIntentServicesAsUser.iterator();
            while (it.hasNext()) {
                Bundle bundle = it.next().serviceInfo.metaData;
                if (bundle != null && !bundle.getBoolean(VpnService.SERVICE_META_DATA_SUPPORTS_ALWAYS_ON, true)) {
                    return false;
                }
            }
            return true;
        } finally {
            Binder.restoreCallingIdentity(clearCallingIdentity);
        }
    }

    public synchronized boolean setAlwaysOnPackage(String str, boolean z, List<String> list) {
        enforceControlPermissionOrInternalCaller();
        if (!setAlwaysOnPackageInternal(str, z, list)) {
            return false;
        }
        saveAlwaysOnPackage();
        return true;
    }

    @GuardedBy({"this"})
    private boolean setAlwaysOnPackageInternal(String str, boolean z, List<String> list) {
        if (VpnConfig.LEGACY_VPN.equals(str)) {
            Log.w(TAG, "Not setting legacy VPN \"" + str + "\" as always-on.");
            return false;
        }
        if (list != null) {
            for (String str2 : list) {
                if (str2.contains(",")) {
                    Log.w(TAG, "Not setting always-on vpn, invalid allowed package: " + str2);
                    return false;
                }
            }
        }
        if (str != null) {
            long clearCallingIdentity = Binder.clearCallingIdentity();
            try {
                VpnProfile vpnProfilePrivileged = getVpnProfilePrivileged(str);
                Binder.restoreCallingIdentity(clearCallingIdentity);
                if (!setPackageAuthorization(str, vpnProfilePrivileged == null ? 1 : 2)) {
                    return false;
                }
                this.mAlwaysOn = true;
            } catch (Throwable th) {
                Binder.restoreCallingIdentity(clearCallingIdentity);
                throw th;
            }
        } else {
            str = VpnConfig.LEGACY_VPN;
            this.mAlwaysOn = false;
        }
        this.mLockdown = this.mAlwaysOn && z;
        this.mLockdownAllowlist = (!this.mLockdown || list == null) ? Collections.emptyList() : Collections.unmodifiableList(new ArrayList(list));
        if (!isCurrentPreparedPackage(str)) {
            prepareInternal(str);
            return true;
        }
        updateAlwaysOnNotification(this.mNetworkInfo.getDetailedState());
        setVpnForcedLocked(this.mLockdown);
        return true;
    }

    private static boolean isNullOrLegacyVpn(String str) {
        return str == null || VpnConfig.LEGACY_VPN.equals(str);
    }

    public synchronized String getAlwaysOnPackage() {
        enforceControlPermissionOrInternalCaller();
        if (this.mAlwaysOn) {
            return this.mPackage;
        }
        return null;
    }

    public synchronized List<String> getLockdownAllowlist() {
        if (this.mLockdown) {
            return this.mLockdownAllowlist;
        }
        return null;
    }

    @GuardedBy({"this"})
    private void saveAlwaysOnPackage() {
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            this.mSystemServices.settingsSecurePutStringForUser(Settings.Secure.ALWAYS_ON_VPN_APP, getAlwaysOnPackage(), this.mUserId);
            this.mSystemServices.settingsSecurePutIntForUser(Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN, (this.mAlwaysOn && this.mLockdown) ? 1 : 0, this.mUserId);
            this.mSystemServices.settingsSecurePutStringForUser("always_on_vpn_lockdown_whitelist", String.join(",", this.mLockdownAllowlist), this.mUserId);
        } finally {
            Binder.restoreCallingIdentity(clearCallingIdentity);
        }
    }

    @GuardedBy({"this"})
    private void loadAlwaysOnPackage() {
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            String str = this.mSystemServices.settingsSecureGetStringForUser(Settings.Secure.ALWAYS_ON_VPN_APP, this.mUserId);
            boolean z = this.mSystemServices.settingsSecureGetIntForUser(Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN, 0, this.mUserId) != 0;
            String str2 = this.mSystemServices.settingsSecureGetStringForUser("always_on_vpn_lockdown_whitelist", this.mUserId);
            setAlwaysOnPackageInternal(str, z, TextUtils.isEmpty(str2) ? Collections.emptyList() : Arrays.asList(str2.split(",")));
            Binder.restoreCallingIdentity(clearCallingIdentity);
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    public boolean startAlwaysOnVpn() {
        synchronized (this) {
            String alwaysOnPackage = getAlwaysOnPackage();
            if (alwaysOnPackage == null) {
                return true;
            }
            if (!isAlwaysOnPackageSupported(alwaysOnPackage)) {
                setAlwaysOnPackage(null, false, null);
                return false;
            }
            if (getNetworkInfo().isConnected()) {
                return true;
            }
            long clearCallingIdentity = Binder.clearCallingIdentity();
            try {
                try {
                    VpnProfile vpnProfilePrivileged = getVpnProfilePrivileged(alwaysOnPackage);
                    if (vpnProfilePrivileged != null) {
                        startVpnProfilePrivileged(vpnProfilePrivileged, alwaysOnPackage);
                        Binder.restoreCallingIdentity(clearCallingIdentity);
                        return true;
                    }
                    this.mDeps.getDeviceIdleInternal().addPowerSaveTempWhitelistApp(Process.myUid(), alwaysOnPackage, 60000L, this.mUserId, false, 309, "vpn");
                    Intent intent = new Intent("android.net.VpnService");
                    intent.setPackage(alwaysOnPackage);
                    try {
                        boolean z = this.mUserIdContext.startService(intent) != null;
                        Binder.restoreCallingIdentity(clearCallingIdentity);
                        return z;
                    } catch (RuntimeException e) {
                        Log.e(TAG, "VpnService " + intent + " failed to start", e);
                        Binder.restoreCallingIdentity(clearCallingIdentity);
                        return false;
                    }
                } catch (Exception e2) {
                    Log.e(TAG, "Error starting always-on VPN", e2);
                    Binder.restoreCallingIdentity(clearCallingIdentity);
                    return false;
                }
            } catch (Throwable th) {
                Binder.restoreCallingIdentity(clearCallingIdentity);
                throw th;
            }
        }
    }

    public synchronized boolean prepare(String str, String str2, int i) {
        if (this.mContext.checkCallingOrSelfPermission(Manifest.permission.CONTROL_VPN) != 0) {
            if (str != null) {
                verifyCallingUidAndPackage(str);
            }
            if (str2 != null) {
                verifyCallingUidAndPackage(str2);
            }
        }
        if (str != null) {
            if (this.mAlwaysOn && !isCurrentPreparedPackage(str)) {
                return false;
            }
            if (!isCurrentPreparedPackage(str)) {
                if (str.equals(VpnConfig.LEGACY_VPN) || !isVpnPreConsented(this.mContext, str, i)) {
                    return false;
                }
                prepareInternal(str);
                return true;
            }
            if (!str.equals(VpnConfig.LEGACY_VPN) && !isVpnPreConsented(this.mContext, str, i)) {
                prepareInternal(VpnConfig.LEGACY_VPN);
                return false;
            }
        }
        if (str2 == null) {
            return true;
        }
        if (!str2.equals(VpnConfig.LEGACY_VPN) && isCurrentPreparedPackage(str2)) {
            return true;
        }
        enforceControlPermission();
        if (this.mAlwaysOn && !isCurrentPreparedPackage(str2)) {
            return false;
        }
        prepareInternal(str2);
        return true;
    }

    private boolean isCurrentPreparedPackage(String str) {
        return getAppUid(str, this.mUserId) == this.mOwnerUID && this.mPackage.equals(str);
    }

    @GuardedBy({"this"})
    private void prepareInternal(String str) {
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            if (this.mInterface != null) {
                this.mStatusIntent = null;
                agentDisconnect();
                jniReset(this.mInterface);
                this.mInterface = null;
                resetNetworkCapabilities();
            }
            if (this.mConnection != null) {
                try {
                    this.mConnection.mService.transact(16777215, Parcel.obtain(), null, 1);
                } catch (Exception e) {
                }
                this.mContext.unbindService(this.mConnection);
                cleanupVpnStateLocked();
            } else if (this.mVpnRunner != null) {
                this.mVpnRunner.exit();
            }
            try {
                this.mNms.denyProtect(this.mOwnerUID);
            } catch (Exception e2) {
                Log.wtf(TAG, "Failed to disallow UID " + this.mOwnerUID + " to call protect() " + e2);
            }
            Log.i(TAG, "Switched from " + this.mPackage + " to " + str);
            this.mPackage = str;
            this.mOwnerUID = getAppUid(str, this.mUserId);
            this.mIsPackageTargetingAtLeastQ = doesPackageTargetAtLeastQ(str);
            try {
                this.mNms.allowProtect(this.mOwnerUID);
            } catch (Exception e3) {
                Log.wtf(TAG, "Failed to allow UID " + this.mOwnerUID + " to call protect() " + e3);
            }
            this.mConfig = null;
            updateState(NetworkInfo.DetailedState.DISCONNECTED, "prepare");
            setVpnForcedLocked(this.mLockdown);
            Binder.restoreCallingIdentity(clearCallingIdentity);
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    public boolean setPackageAuthorization(String str, int i) {
        String[] strArr;
        enforceControlPermissionOrInternalCaller();
        int appUid = getAppUid(str, this.mUserId);
        if (appUid == -1 || VpnConfig.LEGACY_VPN.equals(str)) {
            return false;
        }
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            try {
                switch (i) {
                    case -1:
                        strArr = new String[]{AppOpsManager.OPSTR_ACTIVATE_VPN, AppOpsManager.OPSTR_ACTIVATE_PLATFORM_VPN};
                        break;
                    case 0:
                    default:
                        Log.wtf(TAG, "Unrecognized VPN type while granting authorization");
                        Binder.restoreCallingIdentity(clearCallingIdentity);
                        return false;
                    case 1:
                        strArr = new String[]{AppOpsManager.OPSTR_ACTIVATE_VPN};
                        break;
                    case 2:
                        strArr = new String[]{AppOpsManager.OPSTR_ACTIVATE_PLATFORM_VPN};
                        break;
                    case 3:
                        Binder.restoreCallingIdentity(clearCallingIdentity);
                        return false;
                }
                AppOpsManager appOpsManager = (AppOpsManager) this.mContext.getSystemService(Context.APP_OPS_SERVICE);
                for (String str2 : strArr) {
                    appOpsManager.setMode(str2, appUid, str, i == -1 ? 1 : 0);
                }
                Binder.restoreCallingIdentity(clearCallingIdentity);
                return true;
            } catch (Exception e) {
                Log.wtf(TAG, "Failed to set app ops for package " + str + ", uid " + appUid, e);
                Binder.restoreCallingIdentity(clearCallingIdentity);
                return false;
            }
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    private static boolean isVpnPreConsented(Context context, String str, int i) {
        switch (i) {
            case 1:
                return isVpnServicePreConsented(context, str);
            case 2:
                return isVpnProfilePreConsented(context, str);
            case 3:
                return VpnConfig.LEGACY_VPN.equals(str);
            default:
                return false;
        }
    }

    private static boolean doesPackageHaveAppop(Context context, String str, String str2) {
        return ((AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE)).noteOpNoThrow(str2, Binder.getCallingUid(), str, (String) null, (String) null) == 0;
    }

    private static boolean isVpnServicePreConsented(Context context, String str) {
        return doesPackageHaveAppop(context, str, AppOpsManager.OPSTR_ACTIVATE_VPN);
    }

    private static boolean isVpnProfilePreConsented(Context context, String str) {
        return doesPackageHaveAppop(context, str, AppOpsManager.OPSTR_ACTIVATE_PLATFORM_VPN) || isVpnServicePreConsented(context, str);
    }

    private int getAppUid(String str, int i) {
        if (VpnConfig.LEGACY_VPN.equals(str)) {
            return Process.myUid();
        }
        PackageManager packageManager = this.mContext.getPackageManager();
        return ((Integer) Binder.withCleanCallingIdentity(() -> {
            try {
                return Integer.valueOf(packageManager.getPackageUidAsUser(str, i));
            } catch (PackageManager.NameNotFoundException e) {
                return -1;
            }
        })).intValue();
    }

    private boolean doesPackageTargetAtLeastQ(String str) {
        if (VpnConfig.LEGACY_VPN.equals(str)) {
            return true;
        }
        try {
            return this.mContext.getPackageManager().getApplicationInfoAsUser(str, 0, this.mUserId).targetSdkVersion >= 29;
        } catch (PackageManager.NameNotFoundException e) {
            Log.w(TAG, "Can't find \"" + str + "\"");
            return false;
        }
    }

    public NetworkInfo getNetworkInfo() {
        return this.mNetworkInfo;
    }

    @VisibleForTesting
    public synchronized Network getNetwork() {
        Network network;
        NetworkAgent networkAgent = this.mNetworkAgent;
        if (null == networkAgent || null == (network = networkAgent.getNetwork())) {
            return null;
        }
        return network;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public LinkProperties makeLinkProperties() {
        boolean z = this.mConfig.allowIPv4;
        boolean z2 = this.mConfig.allowIPv6;
        LinkProperties linkProperties = new LinkProperties();
        linkProperties.setInterfaceName(this.mInterface);
        if (this.mConfig.addresses != null) {
            for (LinkAddress linkAddress : this.mConfig.addresses) {
                linkProperties.addLinkAddress(linkAddress);
                z |= linkAddress.getAddress() instanceof Inet4Address;
                z2 |= linkAddress.getAddress() instanceof Inet6Address;
            }
        }
        if (this.mConfig.routes != null) {
            for (RouteInfo routeInfo : this.mConfig.routes) {
                linkProperties.addRoute(routeInfo);
                InetAddress address = routeInfo.getDestination().getAddress();
                z |= address instanceof Inet4Address;
                z2 |= address instanceof Inet6Address;
            }
        }
        if (this.mConfig.dnsServers != null) {
            Iterator<String> it = this.mConfig.dnsServers.iterator();
            while (it.hasNext()) {
                InetAddress parseNumericAddress = InetAddresses.parseNumericAddress(it.next());
                linkProperties.addDnsServer(parseNumericAddress);
                z |= parseNumericAddress instanceof Inet4Address;
                z2 |= parseNumericAddress instanceof Inet6Address;
            }
        }
        linkProperties.setHttpProxy(this.mConfig.proxyInfo);
        if (!z) {
            linkProperties.addRoute(new RouteInfo(new IpPrefix(NetworkStackConstants.IPV4_ADDR_ANY, 0), null, null, 7));
        }
        if (!z2) {
            linkProperties.addRoute(new RouteInfo(new IpPrefix(NetworkStackConstants.IPV6_ADDR_ANY, 0), null, null, 7));
        }
        StringBuilder sb = new StringBuilder();
        if (this.mConfig.searchDomains != null) {
            Iterator<String> it2 = this.mConfig.searchDomains.iterator();
            while (it2.hasNext()) {
                sb.append(it2.next()).append(' ');
            }
        }
        linkProperties.setDomains(sb.toString().trim());
        if (this.mConfig.mtu > 0) {
            linkProperties.setMtu(this.mConfig.mtu);
        }
        return linkProperties;
    }

    private boolean updateLinkPropertiesInPlaceIfPossible(NetworkAgent networkAgent, VpnConfig vpnConfig) {
        if (vpnConfig.allowBypass != this.mConfig.allowBypass) {
            Log.i(TAG, "Handover not possible due to changes to allowBypass");
            return false;
        }
        if (Objects.equals(vpnConfig.allowedApplications, this.mConfig.allowedApplications) && Objects.equals(vpnConfig.disallowedApplications, this.mConfig.disallowedApplications)) {
            networkAgent.sendLinkProperties(makeLinkProperties());
            return true;
        }
        Log.i(TAG, "Handover not possible due to changes to allowed/denied apps");
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void agentConnect() {
        LinkProperties makeLinkProperties = makeLinkProperties();
        NetworkCapabilities.Builder builder = new NetworkCapabilities.Builder(this.mNetworkCapabilities);
        builder.addCapability(12);
        this.mLegacyState = 2;
        updateState(NetworkInfo.DetailedState.CONNECTING, "agentConnect");
        NetworkAgentConfig build = new NetworkAgentConfig.Builder().setLegacyType(17).setLegacyTypeName("VPN").setBypassableVpn(this.mConfig.allowBypass && !this.mLockdown).build();
        builder.setOwnerUid(this.mOwnerUID);
        builder.setAdministratorUids(new int[]{this.mOwnerUID});
        builder.setUids(createUserAndRestrictedProfilesRanges(this.mUserId, this.mConfig.allowedApplications, this.mConfig.disallowedApplications));
        builder.setTransportInfo(new VpnTransportInfo(getActiveVpnType(), this.mConfig.session));
        if (this.mIsPackageTargetingAtLeastQ && this.mConfig.isMetered) {
            builder.removeCapability(11);
        } else {
            builder.addCapability(11);
        }
        this.mNetworkCapabilities = builder.build();
        this.mNetworkAgent = new NetworkAgent(this.mContext, this.mLooper, "VPN", this.mNetworkCapabilities, makeLinkProperties, new NetworkScore.Builder().setLegacyInt(101).build(), build, this.mNetworkProvider) { // from class: com.android.server.connectivity.Vpn.1
            @Override // android.net.NetworkAgent
            public void onNetworkUnwanted() {
            }
        };
        Binder.withCleanCallingIdentity(() -> {
            try {
                this.mNetworkAgent.register();
            } catch (Exception e) {
                this.mNetworkAgent = null;
                throw e;
            }
        });
        this.mNetworkAgent.setUnderlyingNetworks(this.mConfig.underlyingNetworks != null ? Arrays.asList(this.mConfig.underlyingNetworks) : null);
        updateState(NetworkInfo.DetailedState.CONNECTED, "agentConnect");
    }

    private boolean canHaveRestrictedProfile(int i) {
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            boolean canHaveRestrictedProfile = ((UserManager) this.mContext.createContextAsUser(UserHandle.of(i), 0).getSystemService(UserManager.class)).canHaveRestrictedProfile();
            Binder.restoreCallingIdentity(clearCallingIdentity);
            return canHaveRestrictedProfile;
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    private void agentDisconnect(NetworkAgent networkAgent) {
        if (networkAgent != null) {
            networkAgent.unregister();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void agentDisconnect() {
        updateState(NetworkInfo.DetailedState.DISCONNECTED, "agentDisconnect");
    }

    public synchronized ParcelFileDescriptor establish(VpnConfig vpnConfig) {
        if (Binder.getCallingUid() != this.mOwnerUID || !isVpnServicePreConsented(this.mContext, this.mPackage)) {
            return null;
        }
        Intent intent = new Intent("android.net.VpnService");
        intent.setClassName(this.mPackage, vpnConfig.user);
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            enforceNotRestrictedUser();
            PackageManager packageManager = this.mUserIdContext.getPackageManager();
            if (packageManager == null) {
                throw new IllegalStateException("Cannot get PackageManager.");
            }
            ResolveInfo resolveService = packageManager.resolveService(intent, 0);
            if (resolveService == null) {
                throw new SecurityException("Cannot find " + vpnConfig.user);
            }
            if (!Manifest.permission.BIND_VPN_SERVICE.equals(resolveService.serviceInfo.permission)) {
                throw new SecurityException(vpnConfig.user + " does not require " + Manifest.permission.BIND_VPN_SERVICE);
            }
            VpnConfig vpnConfig2 = this.mConfig;
            String str = this.mInterface;
            Connection connection = this.mConnection;
            NetworkAgent networkAgent = this.mNetworkAgent;
            Set<Range<Integer>> uids = this.mNetworkCapabilities.getUids();
            ParcelFileDescriptor adoptFd = ParcelFileDescriptor.adoptFd(jniCreate(vpnConfig.mtu));
            try {
                String jniGetName = jniGetName(adoptFd.getFd());
                StringBuilder sb = new StringBuilder();
                for (LinkAddress linkAddress : vpnConfig.addresses) {
                    sb.append(" ");
                    sb.append(linkAddress);
                }
                if (jniSetAddresses(jniGetName, sb.toString()) < 1) {
                    throw new IllegalArgumentException("At least one address must be specified");
                }
                Connection connection2 = new Connection();
                if (!this.mContext.bindServiceAsUser(intent, connection2, AudioFormat.AAC_MAIN, new UserHandle(this.mUserId))) {
                    throw new IllegalStateException("Cannot bind " + vpnConfig.user);
                }
                this.mConnection = connection2;
                this.mInterface = jniGetName;
                vpnConfig.user = this.mPackage;
                vpnConfig.interfaze = this.mInterface;
                vpnConfig.startTime = SystemClock.elapsedRealtime();
                this.mConfig = vpnConfig;
                if (vpnConfig2 == null || !updateLinkPropertiesInPlaceIfPossible(this.mNetworkAgent, vpnConfig2)) {
                    this.mNetworkAgent = null;
                    updateState(NetworkInfo.DetailedState.CONNECTING, "establish");
                    agentConnect();
                    agentDisconnect(networkAgent);
                }
                if (connection != null) {
                    this.mContext.unbindService(connection);
                }
                if (str != null && !str.equals(jniGetName)) {
                    jniReset(str);
                }
                try {
                    IoUtils.setBlocking(adoptFd.getFileDescriptor(), vpnConfig.blocking);
                    Log.i(TAG, "Established by " + vpnConfig.user + " on " + this.mInterface);
                    return adoptFd;
                } catch (IOException e) {
                    throw new IllegalStateException("Cannot set tunnel's fd as blocking=" + vpnConfig.blocking, e);
                }
            } catch (RuntimeException e2) {
                IoUtils.closeQuietly(adoptFd);
                if (networkAgent != this.mNetworkAgent) {
                    agentDisconnect();
                }
                this.mConfig = vpnConfig2;
                this.mConnection = connection;
                this.mNetworkCapabilities = new NetworkCapabilities.Builder(this.mNetworkCapabilities).setUids(uids).build();
                this.mNetworkAgent = networkAgent;
                this.mInterface = str;
                throw e2;
            }
        } finally {
            Binder.restoreCallingIdentity(clearCallingIdentity);
        }
    }

    private boolean isRunningLocked() {
        return (this.mNetworkAgent == null || this.mInterface == null) ? false : true;
    }

    @VisibleForTesting
    protected boolean isCallerEstablishedOwnerLocked() {
        return isRunningLocked() && Binder.getCallingUid() == this.mOwnerUID;
    }

    private SortedSet<Integer> getAppsUids(List<String> list, int i) {
        TreeSet treeSet = new TreeSet();
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            int appUid = getAppUid(it.next(), i);
            if (appUid != -1) {
                treeSet.add(Integer.valueOf(appUid));
            }
        }
        return treeSet;
    }

    @VisibleForTesting
    Set<Range<Integer>> createUserAndRestrictedProfilesRanges(int i, List<String> list, List<String> list2) {
        ArraySet arraySet = new ArraySet();
        addUserToRanges(arraySet, i, list, list2);
        if (canHaveRestrictedProfile(i)) {
            long clearCallingIdentity = Binder.clearCallingIdentity();
            try {
                List<UserInfo> aliveUsers = this.mUserManager.getAliveUsers();
                Binder.restoreCallingIdentity(clearCallingIdentity);
                for (UserInfo userInfo : aliveUsers) {
                    if (userInfo.isRestricted() && userInfo.restrictedProfileParentId == i) {
                        addUserToRanges(arraySet, userInfo.id, list, list2);
                    }
                }
            } catch (Throwable th) {
                Binder.restoreCallingIdentity(clearCallingIdentity);
                throw th;
            }
        }
        return arraySet;
    }

    @VisibleForTesting
    void addUserToRanges(Set<Range<Integer>> set, int i, List<String> list, List<String> list2) {
        if (list != null) {
            int i2 = -1;
            int i3 = -1;
            Iterator<Integer> it = getAppsUids(list, i).iterator();
            while (it.hasNext()) {
                int intValue = it.next().intValue();
                if (i2 == -1) {
                    i2 = intValue;
                } else if (intValue != i3 + 1) {
                    set.add(new Range<>(Integer.valueOf(i2), Integer.valueOf(i3)));
                    i2 = intValue;
                }
                i3 = intValue;
            }
            if (i2 != -1) {
                set.add(new Range<>(Integer.valueOf(i2), Integer.valueOf(i3)));
                return;
            }
            return;
        }
        if (list2 == null) {
            set.add(createUidRangeForUser(i));
            return;
        }
        Range<Integer> createUidRangeForUser = createUidRangeForUser(i);
        int intValue2 = createUidRangeForUser.getLower().intValue();
        Iterator<Integer> it2 = getAppsUids(list2, i).iterator();
        while (it2.hasNext()) {
            int intValue3 = it2.next().intValue();
            if (intValue3 == intValue2) {
                intValue2++;
            } else {
                set.add(new Range<>(Integer.valueOf(intValue2), Integer.valueOf(intValue3 - 1)));
                intValue2 = intValue3 + 1;
            }
        }
        if (intValue2 <= createUidRangeForUser.getUpper().intValue()) {
            set.add(new Range<>(Integer.valueOf(intValue2), createUidRangeForUser.getUpper()));
        }
    }

    private static List<Range<Integer>> uidRangesForUser(int i, Set<Range<Integer>> set) {
        Range<Integer> createUidRangeForUser = createUidRangeForUser(i);
        ArrayList arrayList = new ArrayList();
        for (Range<Integer> range : set) {
            if (createUidRangeForUser.contains(range)) {
                arrayList.add(range);
            }
        }
        return arrayList;
    }

    public void onUserAdded(int i) {
        UserInfo userInfo = this.mUserManager.getUserInfo(i);
        if (userInfo.isRestricted() && userInfo.restrictedProfileParentId == this.mUserId) {
            synchronized (this) {
                Set<Range<Integer>> uids = this.mNetworkCapabilities.getUids();
                if (uids != null) {
                    try {
                        addUserToRanges(uids, i, this.mConfig.allowedApplications, this.mConfig.disallowedApplications);
                        this.mNetworkCapabilities = new NetworkCapabilities.Builder(this.mNetworkCapabilities).setUids(uids).build();
                    } catch (Exception e) {
                        Log.wtf(TAG, "Failed to add restricted user to owner", e);
                    }
                    if (this.mNetworkAgent != null) {
                        this.mNetworkAgent.sendNetworkCapabilities(this.mNetworkCapabilities);
                    }
                }
                setVpnForcedLocked(this.mLockdown);
            }
        }
    }

    public void onUserRemoved(int i) {
        UserInfo userInfo = this.mUserManager.getUserInfo(i);
        if (userInfo.isRestricted() && userInfo.restrictedProfileParentId == this.mUserId) {
            synchronized (this) {
                Set<Range<Integer>> uids = this.mNetworkCapabilities.getUids();
                if (uids != null) {
                    try {
                        uids.removeAll(uidRangesForUser(i, uids));
                        this.mNetworkCapabilities = new NetworkCapabilities.Builder(this.mNetworkCapabilities).setUids(uids).build();
                    } catch (Exception e) {
                        Log.wtf(TAG, "Failed to remove restricted user to owner", e);
                    }
                    if (this.mNetworkAgent != null) {
                        this.mNetworkAgent.sendNetworkCapabilities(this.mNetworkCapabilities);
                    }
                }
                setVpnForcedLocked(this.mLockdown);
            }
        }
    }

    public synchronized void onUserStopped() {
        setVpnForcedLocked(false);
        this.mAlwaysOn = false;
        agentDisconnect();
        this.mConnectivityManager.unregisterNetworkProvider(this.mNetworkProvider);
    }

    @GuardedBy({"this"})
    private void setVpnForcedLocked(boolean z) {
        List<String> arrayList;
        Set emptySet;
        if (isNullOrLegacyVpn(this.mPackage)) {
            arrayList = null;
        } else {
            arrayList = new ArrayList<>(this.mLockdownAllowlist);
            arrayList.add(this.mPackage);
        }
        ArraySet arraySet = new ArraySet(this.mBlockedUidsAsToldToConnectivity);
        if (z) {
            Set<Range<Integer>> createUserAndRestrictedProfilesRanges = createUserAndRestrictedProfilesRanges(this.mUserId, null, arrayList);
            ArraySet arraySet2 = new ArraySet();
            for (Range<Integer> range : createUserAndRestrictedProfilesRanges) {
                if (range.getLower().intValue() == 0 && range.getUpper().intValue() != 0) {
                    arraySet2.add(new UidRangeParcel(1, range.getUpper().intValue()));
                } else if (range.getLower().intValue() != 0) {
                    arraySet2.add(new UidRangeParcel(range.getLower().intValue(), range.getUpper().intValue()));
                }
            }
            arraySet.removeAll((Collection<?>) arraySet2);
            emptySet = arraySet2;
            emptySet.removeAll(this.mBlockedUidsAsToldToConnectivity);
        } else {
            emptySet = Collections.emptySet();
        }
        setAllowOnlyVpnForUids(false, arraySet);
        setAllowOnlyVpnForUids(true, emptySet);
    }

    @GuardedBy({"this"})
    private boolean setAllowOnlyVpnForUids(boolean z, Collection<UidRangeParcel> collection) {
        if (collection.size() == 0) {
            return true;
        }
        ArrayList arrayList = new ArrayList(collection.size());
        for (UidRangeParcel uidRangeParcel : collection) {
            arrayList.add(new Range(Integer.valueOf(uidRangeParcel.start), Integer.valueOf(uidRangeParcel.stop)));
        }
        try {
            this.mConnectivityManager.setRequireVpnForUids(z, arrayList);
            if (z) {
                this.mBlockedUidsAsToldToConnectivity.addAll(collection);
                return true;
            }
            this.mBlockedUidsAsToldToConnectivity.removeAll(collection);
            return true;
        } catch (RuntimeException e) {
            Log.e(TAG, "Updating blocked=" + z + " for UIDs " + Arrays.toString(collection.toArray()) + " failed", e);
            return false;
        }
    }

    public synchronized VpnConfig getVpnConfig() {
        enforceControlPermission();
        return this.mConfig;
    }

    @Deprecated
    public synchronized void interfaceStatusChanged(String str, boolean z) {
        try {
            this.mObserver.interfaceStatusChanged(str, z);
        } catch (RemoteException e) {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void cleanupVpnStateLocked() {
        this.mStatusIntent = null;
        resetNetworkCapabilities();
        this.mConfig = null;
        this.mInterface = null;
        this.mVpnRunner = null;
        this.mConnection = null;
        agentDisconnect();
    }

    private void enforceControlPermission() {
        this.mContext.enforceCallingPermission(Manifest.permission.CONTROL_VPN, "Unauthorized Caller");
    }

    private void enforceControlPermissionOrInternalCaller() {
        this.mContext.enforceCallingOrSelfPermission(Manifest.permission.CONTROL_VPN, "Unauthorized Caller");
    }

    private void enforceSettingsPermission() {
        this.mContext.enforceCallingOrSelfPermission(Manifest.permission.NETWORK_SETTINGS, "Unauthorized Caller");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void prepareStatusIntent() {
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            this.mStatusIntent = this.mDeps.getIntentForStatusPanel(this.mContext);
        } finally {
            Binder.restoreCallingIdentity(clearCallingIdentity);
        }
    }

    public synchronized boolean addAddress(String str, int i) {
        if (!isCallerEstablishedOwnerLocked()) {
            return false;
        }
        boolean jniAddAddress = jniAddAddress(this.mInterface, str, i);
        this.mNetworkAgent.sendLinkProperties(makeLinkProperties());
        return jniAddAddress;
    }

    public synchronized boolean removeAddress(String str, int i) {
        if (!isCallerEstablishedOwnerLocked()) {
            return false;
        }
        boolean jniDelAddress = jniDelAddress(this.mInterface, str, i);
        this.mNetworkAgent.sendLinkProperties(makeLinkProperties());
        return jniDelAddress;
    }

    public synchronized boolean setUnderlyingNetworks(Network[] networkArr) {
        if (!isCallerEstablishedOwnerLocked()) {
            return false;
        }
        this.mConfig.underlyingNetworks = networkArr != null ? (Network[]) Arrays.copyOf(networkArr, networkArr.length) : null;
        this.mNetworkAgent.setUnderlyingNetworks(this.mConfig.underlyingNetworks != null ? Arrays.asList(this.mConfig.underlyingNetworks) : null);
        return true;
    }

    public synchronized UnderlyingNetworkInfo getUnderlyingNetworkInfo() {
        if (isRunningLocked()) {
            return new UnderlyingNetworkInfo(this.mOwnerUID, this.mInterface, new ArrayList());
        }
        return null;
    }

    public synchronized boolean appliesToUid(int i) {
        if (!isRunningLocked()) {
            return false;
        }
        Set<Range<Integer>> uids = this.mNetworkCapabilities.getUids();
        if (uids == null) {
            return true;
        }
        Iterator<Range<Integer>> it = uids.iterator();
        while (it.hasNext()) {
            if (it.next().contains((Range<Integer>) Integer.valueOf(i))) {
                return true;
            }
        }
        return false;
    }

    public synchronized int getActiveVpnType() {
        if (!this.mNetworkInfo.isConnectedOrConnecting()) {
            return -1;
        }
        if (this.mVpnRunner == null) {
            return 1;
        }
        return this.mVpnRunner instanceof IkeV2VpnRunner ? 2 : 3;
    }

    private void updateAlwaysOnNotification(NetworkInfo.DetailedState detailedState) {
        boolean z = this.mAlwaysOn && detailedState != NetworkInfo.DetailedState.CONNECTED;
        UserHandle of = UserHandle.of(this.mUserId);
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            NotificationManager notificationManager = (NotificationManager) this.mUserIdContext.getSystemService(NotificationManager.class);
            if (!z) {
                notificationManager.cancel(TAG, 17);
                Binder.restoreCallingIdentity(clearCallingIdentity);
                return;
            }
            Intent intent = new Intent();
            intent.setComponent(ComponentName.unflattenFromString(this.mContext.getString(R.string.config_customVpnAlwaysOnDisconnectedDialogComponent)));
            intent.putExtra("lockdown", this.mLockdown);
            intent.addFlags(268435456);
            notificationManager.notify(TAG, 17, new Notification.Builder(this.mContext, "VPN").setSmallIcon(R.drawable.vpn_connected).setContentTitle(this.mContext.getString(R.string.vpn_lockdown_disconnected)).setContentText(this.mContext.getString(R.string.vpn_lockdown_config)).setContentIntent(this.mSystemServices.pendingIntentGetActivityAsUser(intent, 201326592, of)).setCategory(Notification.CATEGORY_SYSTEM).setVisibility(1).setOngoing(true).setColor(this.mContext.getColor(17170460)).build());
            Binder.restoreCallingIdentity(clearCallingIdentity);
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    private native int jniCreate(int i);

    private native String jniGetName(int i);

    private native int jniSetAddresses(String str, String str2);

    private native void jniReset(String str);

    /* JADX INFO: Access modifiers changed from: private */
    public native int jniCheck(String str);

    private native boolean jniAddAddress(String str, String str2, int i);

    private native boolean jniDelAddress(String str, String str2, int i);

    private static RouteInfo findIPv4DefaultRoute(LinkProperties linkProperties) {
        for (RouteInfo routeInfo : linkProperties.getAllRoutes()) {
            if (routeInfo.isDefaultRoute() && (routeInfo.getGateway() instanceof Inet4Address)) {
                return routeInfo;
            }
        }
        throw new IllegalStateException("Unable to find IPv4 default gateway");
    }

    private void enforceNotRestrictedUser() {
        Binder.withCleanCallingIdentity(() -> {
            if (this.mUserManager.getUserInfo(this.mUserId).isRestricted()) {
                throw new SecurityException("Restricted users cannot configure VPNs");
            }
        });
    }

    public void startLegacyVpn(VpnProfile vpnProfile, Network network, LinkProperties linkProperties) {
        enforceControlPermission();
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            startLegacyVpnPrivileged(vpnProfile, network, linkProperties);
            Binder.restoreCallingIdentity(clearCallingIdentity);
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    private String makeKeystoreEngineGrantString(String str) {
        if (str == null) {
            return null;
        }
        KeyStore2 keyStore2 = KeyStore2.getInstance();
        KeyDescriptor keyDescriptor = new KeyDescriptor();
        keyDescriptor.domain = 0;
        keyDescriptor.nspace = -1L;
        keyDescriptor.alias = str;
        keyDescriptor.blob = null;
        try {
            return KeyStore2.makeKeystoreEngineGrantString(keyStore2.grant(keyDescriptor, 1016, 260).nspace);
        } catch (KeyStoreException e) {
            Log.e(TAG, "Failed to get grant for keystore key.", e);
            throw new IllegalStateException("Failed to get grant for keystore key.", e);
        }
    }

    private String getCaCertificateFromKeystoreAsPem(KeyStore keyStore, String str) throws java.security.KeyStoreException, IOException, CertificateEncodingException {
        if (keyStore.isCertificateEntry(str)) {
            Certificate certificate = keyStore.getCertificate(str);
            if (certificate == null) {
                return null;
            }
            return new String(Credentials.convertToPem(certificate), StandardCharsets.UTF_8);
        }
        Certificate[] certificateChain = keyStore.getCertificateChain(str);
        if (certificateChain == null || certificateChain.length <= 1) {
            return null;
        }
        return new String(Credentials.convertToPem((Certificate[]) Arrays.copyOfRange(certificateChain, 1, certificateChain.length)), StandardCharsets.UTF_8);
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:33:0x012b. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:47:0x0310  */
    /* JADX WARN: Removed duplicated region for block: B:52:0x03af  */
    /* JADX WARN: Removed duplicated region for block: B:55:0x047a  */
    /* JADX WARN: Removed duplicated region for block: B:58:0x049a  */
    /* JADX WARN: Removed duplicated region for block: B:61:0x04b6  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public void startLegacyVpnPrivileged(com.android.internal.net.VpnProfile r8, android.net.Network r9, android.net.LinkProperties r10) {
        /*
            Method dump skipped, instructions count: 1236
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.android.server.connectivity.Vpn.startLegacyVpnPrivileged(com.android.internal.net.VpnProfile, android.net.Network, android.net.LinkProperties):void");
    }

    private synchronized void startLegacyVpn(VpnConfig vpnConfig, String[] strArr, String[] strArr2, VpnProfile vpnProfile) {
        stopVpnRunnerPrivileged();
        prepareInternal(VpnConfig.LEGACY_VPN);
        updateState(NetworkInfo.DetailedState.CONNECTING, "startLegacyVpn");
        this.mVpnRunner = new LegacyVpnRunner(vpnConfig, strArr, strArr2, vpnProfile);
        startLegacyVpnRunner();
    }

    @VisibleForTesting
    protected void startLegacyVpnRunner() {
        this.mVpnRunner.start();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean isSettingsVpnLocked() {
        return this.mVpnRunner != null && VpnConfig.LEGACY_VPN.equals(this.mPackage);
    }

    public synchronized void stopVpnRunnerPrivileged() {
        if (isSettingsVpnLocked()) {
            boolean z = this.mVpnRunner instanceof LegacyVpnRunner;
            this.mVpnRunner.exit();
            this.mVpnRunner = null;
            if (z) {
                synchronized ("LegacyVpnRunner") {
                }
            }
        }
    }

    public synchronized LegacyVpnInfo getLegacyVpnInfo() {
        enforceControlPermission();
        return getLegacyVpnInfoPrivileged();
    }

    private synchronized LegacyVpnInfo getLegacyVpnInfoPrivileged() {
        if (!isSettingsVpnLocked()) {
            return null;
        }
        LegacyVpnInfo legacyVpnInfo = new LegacyVpnInfo();
        legacyVpnInfo.key = this.mConfig.user;
        legacyVpnInfo.state = this.mLegacyState;
        if (this.mNetworkInfo.isConnected()) {
            legacyVpnInfo.intent = this.mStatusIntent;
        }
        return legacyVpnInfo;
    }

    public synchronized VpnConfig getLegacyVpnConfig() {
        if (isSettingsVpnLocked()) {
            return this.mConfig;
        }
        return null;
    }

    private void verifyCallingUidAndPackage(String str) {
        int callingUid = Binder.getCallingUid();
        if (getAppUid(str, this.mUserId) != callingUid) {
            throw new SecurityException(str + " does not belong to uid " + callingUid);
        }
    }

    @VisibleForTesting
    String getProfileNameForPackage(String str) {
        return Credentials.PLATFORM_VPN + this.mUserId + "_" + str;
    }

    @VisibleForTesting
    void validateRequiredFeatures(VpnProfile vpnProfile) {
        switch (vpnProfile.type) {
            case 6:
            case 7:
            case 8:
                if (!this.mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_IPSEC_TUNNELS)) {
                    throw new UnsupportedOperationException("Ikev2VpnProfile(s) requires PackageManager.FEATURE_IPSEC_TUNNELS");
                }
                return;
            default:
                return;
        }
    }

    public synchronized boolean provisionVpnProfile(String str, VpnProfile vpnProfile) {
        Preconditions.checkNotNull(str, "No package name provided");
        Preconditions.checkNotNull(vpnProfile, "No profile provided");
        verifyCallingUidAndPackage(str);
        enforceNotRestrictedUser();
        validateRequiredFeatures(vpnProfile);
        if (vpnProfile.isRestrictedToTestNetworks) {
            this.mContext.enforceCallingPermission(Manifest.permission.MANAGE_TEST_NETWORKS, "Test-mode profiles require the MANAGE_TEST_NETWORKS permission");
        }
        byte[] encode = vpnProfile.encode();
        if (encode.length > 131072) {
            throw new IllegalArgumentException("Profile too big");
        }
        Binder.withCleanCallingIdentity(() -> {
            getVpnProfileStore().put(getProfileNameForPackage(str), encode);
        });
        return isVpnProfilePreConsented(this.mContext, str);
    }

    private boolean isCurrentIkev2VpnLocked(String str) {
        return isCurrentPreparedPackage(str) && (this.mVpnRunner instanceof IkeV2VpnRunner);
    }

    public synchronized void deleteVpnProfile(String str) {
        Preconditions.checkNotNull(str, "No package name provided");
        verifyCallingUidAndPackage(str);
        enforceNotRestrictedUser();
        Binder.withCleanCallingIdentity(() -> {
            if (isCurrentIkev2VpnLocked(str)) {
                if (this.mAlwaysOn) {
                    setAlwaysOnPackage(null, false, null);
                } else {
                    prepareInternal(VpnConfig.LEGACY_VPN);
                }
            }
            getVpnProfileStore().remove(getProfileNameForPackage(str));
        });
    }

    @VisibleForTesting
    VpnProfile getVpnProfilePrivileged(String str) {
        if (!this.mDeps.isCallerSystem()) {
            Log.wtf(TAG, "getVpnProfilePrivileged called as non-System UID ");
            return null;
        }
        byte[] bArr = getVpnProfileStore().get(getProfileNameForPackage(str));
        if (bArr == null) {
            return null;
        }
        return VpnProfile.decode("", bArr);
    }

    public synchronized void startVpnProfile(String str) {
        Preconditions.checkNotNull(str, "No package name provided");
        enforceNotRestrictedUser();
        if (!prepare(str, null, 2)) {
            throw new SecurityException("User consent not granted for package " + str);
        }
        Binder.withCleanCallingIdentity(() -> {
            VpnProfile vpnProfilePrivileged = getVpnProfilePrivileged(str);
            if (vpnProfilePrivileged == null) {
                throw new IllegalArgumentException("No profile found for " + str);
            }
            startVpnProfilePrivileged(vpnProfilePrivileged, str);
        });
    }

    private synchronized void startVpnProfilePrivileged(VpnProfile vpnProfile, String str) {
        prepareInternal(str);
        updateState(NetworkInfo.DetailedState.CONNECTING, "startPlatformVpn");
        try {
            this.mConfig = new VpnConfig();
            if (VpnConfig.LEGACY_VPN.equals(str)) {
                this.mConfig.legacy = true;
                this.mConfig.session = vpnProfile.name;
                this.mConfig.user = vpnProfile.key;
                this.mConfig.isMetered = true;
            } else {
                this.mConfig.user = str;
                this.mConfig.isMetered = vpnProfile.isMetered;
            }
            this.mConfig.startTime = SystemClock.elapsedRealtime();
            this.mConfig.proxyInfo = vpnProfile.proxy;
            switch (vpnProfile.type) {
                case 6:
                case 7:
                case 8:
                    this.mVpnRunner = new IkeV2VpnRunner(Ikev2VpnProfile.fromVpnProfile(vpnProfile));
                    this.mVpnRunner.start();
                    break;
                default:
                    updateState(NetworkInfo.DetailedState.FAILED, "Invalid platform VPN type");
                    Log.d(TAG, "Unknown VPN profile type: " + vpnProfile.type);
                    break;
            }
        } catch (GeneralSecurityException e) {
            this.mConfig = null;
            updateState(NetworkInfo.DetailedState.FAILED, "VPN startup failed");
            throw new IllegalArgumentException("VPN startup failed", e);
        }
    }

    public synchronized void stopVpnProfile(String str) {
        Preconditions.checkNotNull(str, "No package name provided");
        enforceNotRestrictedUser();
        if (isCurrentIkev2VpnLocked(str)) {
            prepareInternal(VpnConfig.LEGACY_VPN);
        }
    }

    @VisibleForTesting
    static Range<Integer> createUidRangeForUser(int i) {
        return new Range<>(Integer.valueOf(i * 100000), Integer.valueOf(((i + 1) * 100000) - 1));
    }
}
