authorJanito Vaqueiro Ferreira Filho <janito@mullvad.net>2020-04-27 10:37:07 -0300
committerJanito Vaqueiro Ferreira Filho <janito@mullvad.net>2020-04-27 10:37:07 -0300
commita275be2c9f68ad5cd428fb00c8c682074eb58242 (patch)
tree63563307e0a6d0c71072f8bee0d811365e1a07eb
parent7ba2ab487d5dc19dec8398662ec1bf138bacea28 (diff)
parentaf40158cfe48e6cb100ff073d9f9a79ed6c1153d (diff)
Merge branch 'fix-auto-connect-leak'
-rw-r--r--CHANGELOG.md4
-rw-r--r--android/src/main/kotlin/net/mullvad/mullvadvpn/ui/NotificationBanner.kt8
-rw-r--r--android/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt5
-rw-r--r--android/src/main/kotlin/net/mullvad/talpid/tunnel/ErrorStateCause.kt1
-rw-r--r--android/src/main/res/values/strings.xml3
-rw-r--r--mullvad-jni/src/classes.rs1
-rw-r--r--talpid-core/src/tunnel/tun_provider/android/mod.rs4
-rw-r--r--talpid-core/src/tunnel_state_machine/connecting_state.rs11
-rw-r--r--talpid-types/src/tunnel.rs5
9 files changed, 41 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b66b2e3bbf..731411ea13 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -51,6 +51,10 @@ Line wrap the file at 100 chars. Th
checks delayed app startup when "block when disconnected" was enabled and performed system network
requests to Apple.
+#### Android
+- Fix failure to create tunnel when app is started with auto-connect enabled. This would sometimes
+ lead to a traffic leak.
+
## [2020.4-beta2] - 2020-04-08
### Added
diff --git a/android/src/main/kotlin/net/mullvad/mullvadvpn/ui/NotificationBanner.kt b/android/src/main/kotlin/net/mullvad/mullvadvpn/ui/NotificationBanner.kt
index 83cc14b738..3965344f7a 100644
--- a/android/src/main/kotlin/net/mullvad/mullvadvpn/ui/NotificationBanner.kt
+++ b/android/src/main/kotlin/net/mullvad/mullvadvpn/ui/NotificationBanner.kt
@@ -193,13 +193,19 @@ class NotificationBanner(
}
}
}
+ is ErrorStateCause.VpnPermissionDenied -> R.string.vpn_permission_denied_error
}
// if the error state is null, we can assume that we are secure
if (errorState?.isBlocking ?: true) {
showError(R.string.blocking_internet, messageText)
} else {
- showError(R.string.not_blocking_internet, R.string.failed_to_block_internet)
+ val updatedMessageText = when (cause) {
+ is ErrorStateCause.VpnPermissionDenied -> messageText
+ else -> R.string.failed_to_block_internet
+ }
+
+ showError(R.string.not_blocking_internet, updatedMessageText)
}
}
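Review bot: The new `when (cause)` in the non-blocking branch has no comment explaining why `VpnPermissionDenied` alone keeps its own message while every other cause gets `R.string.failed_to_block_internet`. This is the branch shown while traffic is not being blocked, so a later edit should not be able to drop the special case without seeing the reason for it. Presumably the reason is that blocking on Android also needs the VPN permission, so a comment such as `// Without VPN permission the app cannot block traffic; show the actionable cause instead of the generic text` would record that. Since only one cause is singled out, `if (cause is ErrorStateCause.VpnPermissionDenied) messageText else R.string.failed_to_block_internet` would also read more directly than a two-arm `when`. The enclosing function starts and ends outside the hunk.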
diff --git a/android/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt b/android/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt
index a36e0b1db6..f960f0c13f 100644
--- a/android/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt
+++ b/android/src/main/kotlin/net/mullvad/talpid/TalpidVpnService.kt
@@ -18,6 +18,11 @@ open class TalpidVpnService : VpnService() {
}
fun createTun(config: TunConfig): Int {
+ if (VpnService.prepare(this) != null) {
+ // VPN permission wasn't granted
+ return -1
+ }
+
val builder = Builder().apply {
for (address in config.addresses) {
addAddress(address, prefixForAddress(address))
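Review bot: The `return -1` in the new guard at the top of `createTun` is an undocumented sentinel that crosses the JNI boundary, where `talpid-core/src/tunnel/tun_provider/android/mod.rs` matches it as `JValue::Int(-1)`. Nothing on either side ties the two literals together, so changing one silently turns a permission failure into a different error or into a file descriptor value. A comment on the return such as `// -1 is mapped to Error::PermissionDenied in AndroidTunProvider; keep both in sync` (or a named constant) would document the contract. The `VpnService.prepare(this)` check also runs only once at entry, and consent can be revoked before the builder's `establish()` call, which then returns null. The rest of the function is outside the hunk, so confirm that the null case is still handled there and not assumed away by this guard.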
diff --git a/android/src/main/kotlin/net/mullvad/talpid/tunnel/ErrorStateCause.kt b/android/src/main/kotlin/net/mullvad/talpid/tunnel/ErrorStateCause.kt
index e289b59551..d35d0a428b 100644
--- a/android/src/main/kotlin/net/mullvad/talpid/tunnel/ErrorStateCause.kt
+++ b/android/src/main/kotlin/net/mullvad/talpid/tunnel/ErrorStateCause.kt
@@ -9,4 +9,5 @@ sealed class ErrorStateCause {
class TunnelParameterError(val error: ParameterGenerationError) : ErrorStateCause()
class IsOffline : ErrorStateCause()
class TapAdapterProblem : ErrorStateCause()
+ class VpnPermissionDenied : ErrorStateCause()
}
diff --git a/android/src/main/res/values/strings.xml b/android/src/main/res/values/strings.xml
index a9c5cdab2a..744ae5a0c1 100644
--- a/android/src/main/res/values/strings.xml
+++ b/android/src/main/res/values/strings.xml
@@ -120,6 +120,9 @@
server</string>
<string name="start_tunnel_error">Failed to start tunnel
connection</string>
+ <string name="vpn_permission_denied_error">VPN permission was
+ denied when creating the tunnel. Please try connecting
+ again.</string>
<string name="no_matching_relay">No relay server matches the
current settings</string>
<string name="no_matching_bridge_relay">No bridge relay server
diff --git a/mullvad-jni/src/classes.rs b/mullvad-jni/src/classes.rs
index c060a2e584..15e27d3a11 100644
--- a/mullvad-jni/src/classes.rs
+++ b/mullvad-jni/src/classes.rs
@@ -54,6 +54,7 @@ pub const CLASSES: &[&str] = &[
"net/mullvad/talpid/tunnel/ErrorStateCause$TunnelParameterError",
"net/mullvad/talpid/tunnel/ErrorStateCause$IsOffline",
"net/mullvad/talpid/tunnel/ErrorStateCause$TapAdapterProblem",
+ "net/mullvad/talpid/tunnel/ErrorStateCause$VpnPermissionDenied",
"net/mullvad/talpid/tunnel/ParameterGenerationError",
"net/mullvad/talpid/ConnectivityListener",
"net/mullvad/talpid/TalpidVpnService",
diff --git a/talpid-core/src/tunnel/tun_provider/android/mod.rs b/talpid-core/src/tunnel/tun_provider/android/mod.rs
index 3b5b9c45dd..7558f067b0 100644
--- a/talpid-core/src/tunnel/tun_provider/android/mod.rs
+++ b/talpid-core/src/tunnel/tun_provider/android/mod.rs
@@ -63,6 +63,9 @@ pub enum Error {
#[error(display = "Failed to create tunnel device")]
TunnelDeviceError,
+
+ #[error(display = "Permission denied when trying to create tunnel")]
+ PermissionDenied,
}
/// Factory of tunnel devices on Android.
@@ -338,6 +341,7 @@ impl AndroidTunProvider {
match result {
JValue::Int(0) => Err(Error::TunnelDeviceError),
+ JValue::Int(-1) => Err(Error::PermissionDenied),
JValue::Int(fd) => {
Self::wait_for_tunnel_up(fd, &config)?;
let tun = unsafe { File::from_raw_fd(fd) };
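Review bot: With `-1` now used as a second sentinel, any other negative integer returned from the Java side still falls through to the catch-all `JValue::Int(fd)` arm and reaches `unsafe { File::from_raw_fd(fd) }`. The visible Kotlin side only returns `-1` for the permission case, so this is defensive rather than a known failure. Still, guarding the unsafe call is cheap, for example by adding `JValue::Int(fd) if fd < 0 => Err(Error::TunnelDeviceError),` before the catch-all arm. The match continues outside the hunk, so check how its remaining arms handle unexpected values before choosing the error variant.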
diff --git a/talpid-core/src/tunnel_state_machine/connecting_state.rs b/talpid-core/src/tunnel_state_machine/connecting_state.rs
index 204d1e5ebb..14cd2cc51d 100644
--- a/talpid-core/src/tunnel_state_machine/connecting_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connecting_state.rs
@@ -27,6 +27,9 @@ use talpid_types::{
};
#[cfg(target_os = "android")]
+use crate::tunnel::tun_provider;
+
+#[cfg(target_os = "android")]
const MAX_ATTEMPTS_WITH_SAME_TUN: u32 = 5;
const MIN_TUNNEL_ALIVE_TIME: Duration = Duration::from_millis(1000);
@@ -395,6 +398,14 @@ impl TunnelState for ConnectingState {
| tunnel::Error::WinnetError(
crate::winnet::Error::GetTapAlias,
) => ErrorStateCause::TapAdapterProblem,
+ #[cfg(target_os = "android")]
+ tunnel::Error::WireguardTunnelMonitoringError(
+ tunnel::wireguard::Error::TunnelError(
+ tunnel::wireguard::TunnelError::SetupTunnelDeviceError(
+ tun_provider::Error::PermissionDenied,
+ ),
+ ),
+ ) => ErrorStateCause::VpnPermissionDenied,
_ => ErrorStateCause::StartTunnelError,
};
ErrorState::enter(shared_values, block_reason)
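Review bot: The new arm recognises `tun_provider::Error::PermissionDenied` only at one exact nesting, under `WireguardTunnelMonitoringError`, `TunnelError` and `SetupTunnelDeviceError`. If the error is ever wrapped differently, or surfaced by another tunnel type, it silently falls to `_ => ErrorStateCause::StartTunnelError` and the user loses the permission-specific message. A comment above the arm would make that dependency visible, for example `// Must mirror the wrapping applied where the tun device is created; other paths fall back to StartTunnelError`. The enclosing match and function begin outside the hunk.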
diff --git a/talpid-types/src/tunnel.rs b/talpid-types/src/tunnel.rs
index fad6be14a4..a921d1ba0c 100644
--- a/talpid-types/src/tunnel.rs
+++ b/talpid-types/src/tunnel.rs
@@ -85,6 +85,9 @@ pub enum ErrorStateCause {
IsOffline,
/// A problem with the TAP adapter has been detected.
TapAdapterProblem,
+ /// The Android VPN permission was denied.
+ #[cfg(target_os = "android")]
+ VpnPermissionDenied,
}
/// Errors that can occur when generating tunnel parameters.
@@ -130,6 +133,8 @@ impl fmt::Display for ErrorStateCause {
}
IsOffline => "This device is offline, no tunnels can be established",
TapAdapterProblem => "A problem with the TAP adapter has been detected",
+ #[cfg(target_os = "android")]
+ VpnPermissionDenied => "The Android VPN permission was denied when creating the tunnel",
};
write!(f, "{}", description)