Add test coverage for Vpn.setAlwaysOnPackage() where the caller
is system user to ensure uid = 0 is not restricted.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Id9f81fdf0147597f64f8440b971930b3bd7b55e5

Remove calls to MockVpn.setAlwaysOnPackage() where lockdown is
false as this does not cause any changes to occur. Also verify
setRequireVpnForUids() is not called for this case in VpnTest.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: I3428e8b31b02975975be9e943e1f88cf0e80c5ee

Replace calls to onUserAdded() and onUserRemoved() to their
equivalent setUids() or setRequireVpnForUids() calls.

Note coverage for the calls to Vpn were added in VpnTest.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Ifa895f71f78bd3376216fd2759c7a5a33cd3aff1

Calls to setRequireVpnForUids() for Vpn lockdown actually uses a
List instead of a Set of integer ranges.
Add intRangesExcludingUids() to return the needed List of integer
ranges and replace relevant usages of UidRange.toIntRanges() with
it.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: I61cd4751ce2faeb129daa5ad5da7181e3c1df73c

Test coverage of adding and removing a restricted user with and
without lockdown mode, using either setLockdown() and
setAlwaysOnPackage().

This change also refactors makeVpnUidRange() to return a list
and adds makeVpnUidRangeSet().

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: I47a25e9f0337f5c1d5754c279534640cd2753b5c

Override Vpn.setUnderlyingNetworks() to do a direct call on the
network agent instead of relying on the Vpn class.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Ib7883f8a81a22317616cae79ce57a30afdd2bed4

Call setRequireVpnForUids directly to enable lockdown instead of
calling the real Vpn method.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: I91ec59f7542d145e9250a7e7a414593db3d99424

When a network preference is set, the highest priority nri will
be a managed default request that disallows default networking.
In the case where there is no satisfying network,
mNoServiceNetwork is used as the satisfier instead of null.
(see computeNetworkReassignment)

mNoServiceNetwork should not be returned in any public API.
Check for the nri being satisfied before returning the satisfier
to ensure mNoServiceNetwork is not returned.

Fixes: 301222648
Test: atest FrameworksNetTests
Change-Id: I22d67a7e8d0274d8ad4f6123fbedf6d37eed18e7

Add a test for lockdown vpn that uses TYPE_IKEV2_IPSEC_PSK and
mocks platform VPN by override in startLegacyVpnPrivileged().
In the context of ConnectivityService, setVpnDefaultForUids()
is the main interaction.

Refactor testLegacyLockdownVpn to take a VpnProfile and assert
behaviors with and without setVpnDefaultForUids().
This includes:
    1. Updating callback asserts and assertActiveNetworkInfo to
       reflect setVpnDefaultForUids().
    2. Adding TODOs where mCm.getActiveNetworkInfo() returns
       unexpected values.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Ida4a4bc745af5ba2fc251795b2ffca56ead79b7f

Test: atest FrameworksNetTests
Change-Id: Ie852286275f0e377be582648f7766c077d9877e8

Override more VPN methods to mock the VPN interaction of
testLegacyLockdownVpn instead of relying on the Vpn class.
This includes:
    1. Overriding startLegacyVpnPrivileged() and avoid creating
       a VpnRunner.
    2. Removing expectStartLegacyVpnRunner() since it is not
       used when startLegacyVpnPrivileged() is overridden.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Id55d8d6cd03b84bca815cd331eb0f7d584eaed5f

In testLegacyLockdownVpn, remove the fail check on IPv6 networks
and add coverage in VpnTest instead as this interaction relies
on the Vpn implementation, not ConnectivityService.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Ib24809ece2332c4c3d3e08c168e02ad859242eac

The test coverage of LockdownVpnTracker has been moved to a
separate unit test file. testLegacyLockdownVpn now calls the Vpn
methods directly instead of creating a new LockdownVpnTracker.
Note this removes calls to expectStopVpnRunnerPrivileged since
stopVpnRunnerPrivileged is now directly called in the test so it
is already guaranteed to be called.

The expected calls/behavior of LockdownVpnTracker can be seen in
LockdownVpnTrackerTest.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Id9d26435bf62ffef954f6c7fa0558ce99540de1f

* changes:
  Add java_defaults for @FlaggedApi handling
  Prepare api directory for udc mainline branch

packages/modules/Connectivity/service/native/TrafficController.cpp:58:18: error: using decl 'DumpWriter' is unused [misc-unused-using-decls,-warnings-as-errors]
using netdutils::DumpWriter;
^
packages/modules/Connectivity/service/native/TrafficController.cpp:58:18: note: remove the using
using netdutils::DumpWriter;
~~~~~~~~~~~~~~~~^~~~~~~~~~~
packages/modules/Connectivity/service/native/TrafficController.cpp:61:18: error: using decl 'ScopedIndent' is unused [misc-unused-using-decls,-warnings-as-errors]
using netdutils::ScopedIndent;
^
packages/modules/Connectivity/service/native/TrafficController.cpp:61:18: note: remove the using
using netdutils::ScopedIndent;
~~~~~~~~~~~~~~~~^~~~~~~~~~~~~

Test: presubmit
Change-Id: I1871139fed31c57a5c15a8ab4f88aa7c695ff360

The isLegacy field of Nsd metrics should indicate whether the
data was collected from the old backend or not. However, it is
currently only dependent on the ENABLE_PLATFORM_MDNS_BACKEND
compat change value, which is incorrect. This is because the
NsdService always uses the new backend since Android U,
regardless of the compat change value. Therefore, the isLegacy
data should be obtained from each transaction.

Bug: 287546772
Bug: 299880473
Test: atest FrameworksNetTestCases NsdManagerTest
Change-Id: I156abd656b90578d710696a69ccf7dfca97a2c9c

Add RemoteAuthConnectionCache and RemoteAuthPlatform
with support to sendMessage

Design doc: go/remote-auth-manager-fishfood-design

Test: built successfully.
Bug: : 291333048
Change-Id: I17f73b4fb2e22924a484eeb3baa9b933ae980076

* changes:
  Implement ConnectivityStateMetrics sample
  Add base classes for common ConnectivityService tests.

Merge "Merge remote-tracking branch 'remotes/aosp/tmp_libs_net_move' into libs_net_move_merge" into main

As connectivity pre-check was added to CtsNativeNetDnsTestCases
recently, this CL is needed as well.

Bug: 298886804
Test: TreeHugger
Change-Id: I3c26920e8609256470cd2b8c37fc1f33f56c39fd

Test: ConnectivitySampleMetricsTest
Change-Id: I0afdda023208c3f8620cb5b89add66448af596d7

This sets up what is necessary for an instrumented
ConnectivityService to run. Users of this class are
meant to inherit CSTest.

This is still relatively basic and does not have all the
instrumentation in ConnectivityServiceTest. Developers
looking to extend CSTest may find some instrumentation
missing ; when they add the missing instrumentation,
they should consider whether it should be generic for all
CSTests (and put it in base/), or whether it's local to
their own test suite. This should enable faster testing
as each CSTest children will only need to set up the
instrumentation it actually needs.

This patch also migrates a basic test to have a first user.

Bug: 272685721
Test: ConnectivityServiceTest
      CSBasicMethodsTest
Change-Id: I1c47f616af90629c9cb2a6ae89d992b19863e704

ot-daemon is a dependency of the new Thread feature. This commit
add the ot-daemon binary and init rc file to the Tethering module.
Note that the ot-daemon service is default disabled and versioned
init rc file is used to ensure that this service won't be started
before Android U.

This is expected to increase the size of "com.android.tethering.capex"
by around 400 KB.

Manual verification:
1. on Android T (33) CF device, the ot-daemon service is not started
   after device boots; It reports service not found error when trying
   to start the ot-daemon service with adb shell command "start
   ot-daemon"
2. on Android U (34) CF device, the ot-daemon service is not started
   after device boots; It can be started with shell comamnd "start
   ot-daemon" but then failed because of missing sepolicy rules as
   expected

Test: see above manual verification note
Bug: 296211911
Change-Id: I222e2bbcc2ad0be2beec9f5f3406e7144d314370

Don't get interfaceIndex if the socket is closed. Properly catch NPE
instead of letting is propagating.

Test: TH
Change-Id: If962541e67dd6323426e46bc7a1f118786f83b9b

frameworks/libs/net/common ->
packages/modules/Connectivity/staticlibs

frameworks/libs/net/client-libs ->
packages/modules/Connectivity/staticlbs/client-libs

Test: TH
Bug: 296014682
Change-Id: I5dc78f0c4653e20312ab3d488b1e69262dbb9840

Due to try_make_writable's implementation:

  // try to make the 1st 'len' header bytes r/w via DPA
  void try_make_writable(struct __sk_buff* skb, int len) {
    if (len > skb->len) len = skb->len;
    if (skb->data_end - skb->data < len) bpf_skb_pull_data(skb, len);
  }

This *should* normally result in nothing actually being done.

This is because the 'len' we request should trivially be <= skb->len
(by virtue of how we construct the packet / get here),
and because skb->data_end - skb->data < len was previously
(to this patch) already checked below in line 251
(and thus the packet would have been dropped if it was false).

However, there's a tentative theory that we could somehow end up
with the entire payload in the non-linear portion of the packet,
and thus need to move it into the linear header portion where
we actually have direct packet access to it.

Note also that we already called this in line 71, so it should
be safe to add another call without causing bpf verifier unhappiness...

Test: TreeHugger
Bug: 298879031
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If3531c3cf6932ac3f1d384a43d28326d17544aa3

Test: none
Change-Id: I0506ec660fd88e39079b2f36aed1516e27cdc0a6

* changes:
  Add third_party/google_benchmark to cronet's copybara
  Move buildtools/third_party/libc++[abi] to third_party in Cronet's copybara
  Cronet Import: Add jni_zero to the list of third_parties