android: add selection of included/excluded apps in split tunneling (#621)

* Add ability to select included/excluded apps from App Split Tunneling

Updates tailscale/tailscale#14660

Signed-off-by: davfsa <davfsa@gmail.com>

* Update app split tunneling description string

Signed-off-by: davfsa <davfsa@gmail.com>

* Address review comments

Signed-off-by: davfsa <davfsa@gmail.com>

* fix: update uses of excludedPackageNames

Signed-off-by: davfsa <davfsa@gmail.com>

* chore: pr review

Do not add self package by default

Signed-off-by: davfsa <davfsa@gmail.com>

* feat: improve switch dialogs + add lazy app list loading

Signed-off-by: davfsa <davfsa@gmail.com>

---------

Signed-off-by: davfsa <davfsa@gmail.com>

Author: davfsa

android/src/main/java/com/tailscale/ipn/App.kt

@@ -450,7 +450,15 @@ open class UninitializedApp : Application() {
     // Key for shared preference that tracks whether or not we're able to start
     // the VPN (i.e. we're logged in and machine is authorized).
     private const val ABLE_TO_START_VPN_KEY = "ableToStartVPN"
-    private const val DISALLOWED_APPS_KEY = "disallowedApps"
+
+    // The value is 'disallowedApps' as it used to represent
+    // only disallowed applications. This has been changed
+    // and allowing/disallowing is based on ALLOW_SELECTED_APPS_KEY
+    //
+    // The value is kept the same to not reset everyone's configuration
+    private const val SELECTED_APPS_KEY = "disallowedApps"
+    private const val ALLOW_SELECTED_APPS_KEY = "allowSelectedApps"
+
     // File for shared preferences that are not encrypted.
     private const val UNENCRYPTED_PREFERENCES = "unencrypted"
     private lateinit var appInstance: UninitializedApp
@@ -615,25 +623,34 @@ open class UninitializedApp : Application() {
     return builder.build()
   }
 
-  fun updateUserDisallowedPackageNames(packageNames: List<String>) {
+  fun updateUserSelectedPackages(packageNames: List<String>) {
     if (packageNames.any { it.isEmpty() }) {
-      TSLog.e(TAG, "updateUserDisallowedPackageNames called with empty packageName(s)")
+      TSLog.e(TAG, "updateUserSelectedPackage called with empty packageName(s)")
       return
     }
-    getUnencryptedPrefs().edit().putStringSet(DISALLOWED_APPS_KEY, packageNames.toSet()).apply()
+
+    getUnencryptedPrefs().edit().putStringSet(SELECTED_APPS_KEY, packageNames.toSet()).apply()
+
     this.restartVPN()
   }
 
-  fun disallowedPackageNames(): List<String> {
-    val mdmDisallowed =
-        MDMSettings.excludedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()
-    if (mdmDisallowed.isNotEmpty()) {
-      TSLog.d(TAG, "Excluded application packages were set via MDM: $mdmDisallowed")
-      return builtInDisallowedPackageNames + mdmDisallowed
-    }
-    val userDisallowed =
-        getUnencryptedPrefs().getStringSet(DISALLOWED_APPS_KEY, emptySet())?.toList() ?: emptyList()
-    return builtInDisallowedPackageNames + userDisallowed
+  fun switchUserSelectedPackages() {
+    getUnencryptedPrefs()
+        .edit()
+        .putBoolean(ALLOW_SELECTED_APPS_KEY, !allowSelectedPackages())
+        .apply()
+    getUnencryptedPrefs().edit().putStringSet(SELECTED_APPS_KEY, setOf()).apply()
+
+    this.restartVPN()
+  }
+
+  fun selectedPackageNames(): List<String> {
+    return getUnencryptedPrefs().getStringSet(SELECTED_APPS_KEY, emptySet())?.toList()
+        ?: emptyList()
+  }
+
+  fun allowSelectedPackages(): Boolean {
+    return getUnencryptedPrefs().getBoolean(ALLOW_SELECTED_APPS_KEY, false)
   }
 
   fun getAppScopedViewModel(): AppViewModel {

android/src/main/java/com/tailscale/ipn/IPNService.kt

@@ -141,11 +141,19 @@ open class IPNService : VpnService(), libtailscale.IPNService {
         PendingIntent.FLAG_UPDATE_CURRENT or PendingIntent.FLAG_IMMUTABLE)
   }
 
+  private fun allowApp(b: Builder, name: String) {
+    try {
+      b.addAllowedApplication(name)
+    } catch (e: PackageManager.NameNotFoundException) {
+      TSLog.e(TAG, "Failed to add allowed application: $e")
+    }
+  }
+
   private fun disallowApp(b: Builder, name: String) {
     try {
       b.addDisallowedApplication(name)
     } catch (e: PackageManager.NameNotFoundException) {
-      TSLog.d(TAG, "Failed to add disallowed application: $e")
+      TSLog.e(TAG, "Failed to add disallowed application: $e")
     }
   }
 
@@ -160,23 +168,45 @@ open class IPNService : VpnService(), libtailscale.IPNService {
     }
     b.setUnderlyingNetworks(null) // Use all available networks.
 
-    val includedPackages: List<String> =
+    val mdmAllowed =
         MDMSettings.includedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()
-    if (includedPackages.isNotEmpty()) {
-      // If an admin defined a list of packages that are exclusively allowed to be used via
-      // Tailscale,
-      // then only allow those apps.
-      for (packageName in includedPackages) {
+    val mdmDisallowed =
+        MDMSettings.excludedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()
+
+    var packagesList: List<String>
+    var allowPackages: Boolean
+    if (mdmAllowed.isNotEmpty()) {
+      // An admin defined a list of packages that are exclusively allowed to be used via
+      // Tailscale, so only allow those.
+      packagesList = mdmAllowed
+      allowPackages = true
+      TSLog.d(TAG, "Included application packages were set via MDM: $mdmAllowed")
+    } else if (mdmDisallowed.isNotEmpty()) {
+      // An admin defined a list of packages that are excluded from accessing Tailscale,
+      // so ignore user definitions and only exclude those
+      packagesList = mdmDisallowed
+      allowPackages = false
+      TSLog.d(TAG, "Excluded application packages were set via MDM: $mdmDisallowed")
+    } else {
+      // Otherwise, prevent user manually disallowed apps from getting their traffic + DNS routed
+      // via Tailscale
+      packagesList = UninitializedApp.get().selectedPackageNames()
+      allowPackages = UninitializedApp.get().allowSelectedPackages()
+      TSLog.d(TAG, "Application packages were set by user: $packagesList")
+    }
+
+    if (allowPackages) {
+      for (packageName in packagesList) {
         TSLog.d(TAG, "Including app: $packageName")
-        b.addAllowedApplication(packageName)
+        allowApp(b, packageName)
       }
     } else {
-      // Otherwise, prevent certain apps from getting their traffic + DNS routed via Tailscale:
-      // - any app that the user manually disallowed in the GUI
-      // - any app that we disallowed via hard-coding
-      for (disallowedPackageName in UninitializedApp.get().disallowedPackageNames()) {
-        TSLog.d(TAG, "Disallowing app: $disallowedPackageName")
-        disallowApp(b, disallowedPackageName)
+      // Make sure to also exclude hard-coded apps that are known to cause issues
+      packagesList += UninitializedApp.get().builtInDisallowedPackageNames
+
+      for (packageName in packagesList) {
+        TSLog.d(TAG, "Disallowing app: $packageName")
+        disallowApp(b, packageName)
       }
     }
 

android/src/main/java/com/tailscale/ipn/ui/util/InstalledAppsManager.kt

@@ -6,6 +6,7 @@ package com.tailscale.ipn.ui.util
 import android.Manifest
 import android.content.pm.ApplicationInfo
 import android.content.pm.PackageManager
+import com.tailscale.ipn.BuildConfig
 
 data class InstalledApp(val name: String, val packageName: String)
 
@@ -26,7 +27,7 @@ class InstalledAppsManager(
   }
 
   private val appIsIncluded: (ApplicationInfo) -> Boolean = { app ->
-    app.packageName != "com.tailscale.ipn" &&
+    app.packageName != BuildConfig.APPLICATION_ID &&
         // Only show apps that can access the Internet
         packageManager.checkPermission(Manifest.permission.INTERNET, app.packageName) ==
             PackageManager.PERMISSION_GRANTED

android/src/main/java/com/tailscale/ipn/ui/view/SettingsView.kt

@@ -89,7 +89,7 @@ fun SettingsView(
           Lists.ItemDivider()
           Setting.Text(
               R.string.split_tunneling,
-              subtitle = stringResource(R.string.exclude_certain_apps_from_using_tailscale),
+              subtitle = stringResource(R.string.filter_apps_allowed_to_access_tailscale),
               onClick = settingsNav.onNavigateToSplitTunneling)
 
           if (showTailnetLock.value == ShowHide.Show) {