android: implement app split tunneling support

android/src/main/AndroidManifest.xml

@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
-<manifest xmlns:android="http://schemas.android.com/apk/res/android">
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
 
     <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
     <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
@@ -9,8 +10,11 @@
         android:maxSdkVersion="29" />
     <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
     <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
-    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
-    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_SYSTEM_EXEMPTED"/>
+    <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
+    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_SYSTEM_EXEMPTED" />
+    <uses-permission
+        android:name="android.permission.QUERY_ALL_PACKAGES"
+        tools:ignore="QueryAllPackagesPermission" />
 
     <!-- Disable input emulation on ChromeOS -->
     <uses-feature
@@ -29,9 +33,9 @@
         android:name=".App"
         android:allowBackup="false"
         android:banner="@drawable/tv_banner"
-        android:requestLegacyExternalStorage="true"
         android:icon="@mipmap/ic_launcher"
         android:label="Tailscale"
+        android:requestLegacyExternalStorage="true"
         android:roundIcon="@mipmap/ic_launcher_round"
         android:theme="@style/Theme.App.SplashScreen">
         <activity
@@ -97,8 +101,8 @@
         <service
             android:name=".IPNService"
             android:exported="false"
-            android:permission="android.permission.BIND_VPN_SERVICE"
-            android:foregroundServiceType="systemExempted">
+            android:foregroundServiceType="systemExempted"
+            android:permission="android.permission.BIND_VPN_SERVICE">
             <intent-filter>
                 <action android:name="android.net.VpnService" />
             </intent-filter>

android/src/main/java/com/tailscale/ipn/App.kt

@@ -343,6 +343,8 @@ class App : UninitializedApp(), libtailscale.AppContext {
  */
 open class UninitializedApp : Application() {
   companion object {
+    const val TAG = "UninitializedApp"
+
     const val STATUS_NOTIFICATION_ID = 1
     const val STATUS_EXIT_NODE_FAILURE_NOTIFICATION_ID = 2
     const val STATUS_CHANNEL_ID = "tailscale-status"
@@ -351,6 +353,8 @@ open class UninitializedApp : Application() {
     // the VPN (i.e. we're logged in and machine is authorized).
     private const val ABLE_TO_START_VPN_KEY = "ableToStartVPN"
 
+    private const val DISALLOWED_APPS_KEY = "disallowedApps"
+
     // File for shared preferences that are not encrypted.
     private const val UNENCRYPTED_PREFERENCES = "unencrypted"
 
@@ -382,12 +386,34 @@ open class UninitializedApp : Application() {
 
   fun startVPN() {
     val intent = Intent(this, IPNService::class.java).apply { action = IPNService.ACTION_START_VPN }
-    startForegroundService(intent)
+    try {
+      startForegroundService(intent)
+    } catch (foregroundServiceStartException: IllegalStateException) {
+      Log.e(
+          TAG,
+          "startVPN hit ForegroundServiceStartNotAllowedException in startForegroundService(): $foregroundServiceStartException")
+    } catch (securityException: SecurityException) {
+      Log.e(TAG, "startVPN hit SecurityException in startForegroundService(): $securityException")
+    } catch (e: Exception) {
+      Log.e(TAG, "startVPN hit exception in startForegroundService(): $e")
+    }
   }
 
   fun stopVPN() {
     val intent = Intent(this, IPNService::class.java).apply { action = IPNService.ACTION_STOP_VPN }
-    startService(intent)
+    try {
+      startService(intent)
+    } catch (illegalStateException: IllegalStateException) {
+      Log.e(TAG, "stopVPN hit IllegalStateException in startService(): $illegalStateException")
+    } catch (e: Exception) {
+      Log.e(TAG, "stopVPN hit exception in startService(): $e")
+    }
+  }
+
+  // Calls stopVPN() followed by startVPN() to restart the VPN.
+  fun restartVPN() {
+    stopVPN()
+    startVPN()
   }
 
   fun createNotificationChannel(id: String, name: String, description: String, importance: Int) {
@@ -451,4 +477,58 @@ open class UninitializedApp : Application() {
         .setContentIntent(pendingIntent)
         .build()
   }
+
+  fun addUserDisallowedPackageName(packageName: String) {
+    if (packageName.isEmpty()) {
+      Log.e(TAG, "addUserDisallowedPackageName called with empty packageName")
+      return
+    }
+
+    getUnencryptedPrefs()
+        .edit()
+        .putStringSet(
+            DISALLOWED_APPS_KEY, disallowedPackageNames().toMutableSet().union(setOf(packageName)))
+        .apply()
+
+    this.restartVPN()
+  }
+
+  fun removeUserDisallowedPackageName(packageName: String) {
+    if (packageName.isEmpty()) {
+      Log.e(TAG, "removeUserDisallowedPackageName called with empty packageName")
+      return
+    }
+
+    getUnencryptedPrefs()
+        .edit()
+        .putStringSet(
+            DISALLOWED_APPS_KEY,
+            disallowedPackageNames().toMutableSet().subtract(setOf(packageName)))
+        .apply()
+
+    this.restartVPN()
+  }
+
+  fun disallowedPackageNames(): List<String> {
+    val userDisallowed =
+        getUnencryptedPrefs().getStringSet(DISALLOWED_APPS_KEY, emptySet())?.toList() ?: emptyList()
+    return builtInDisallowedPackageNames + userDisallowed
+  }
+
+  val builtInDisallowedPackageNames: List<String> =
+      listOf(
+          // RCS/Jibe https://github.com/tailscale/tailscale/issues/2322
+          "com.google.android.apps.messaging",
+          // Stadia https://github.com/tailscale/tailscale/issues/3460
+          "com.google.stadia.android",
+          // Android Auto https://github.com/tailscale/tailscale/issues/3828
+          "com.google.android.projection.gearhead",
+          // GoPro https://github.com/tailscale/tailscale/issues/2554
+          "com.gopro.smarty",
+          // Sonos https://github.com/tailscale/tailscale/issues/2548
+          "com.sonos.acr",
+          "com.sonos.acr2",
+          // Google Chromecast https://github.com/tailscale/tailscale/issues/3636
+          "com.google.android.apps.chromecast.app",
+      )
 }

android/src/main/java/com/tailscale/ipn/IPNService.kt

@@ -8,10 +8,12 @@ import android.content.pm.PackageManager
 import android.net.VpnService
 import android.os.Build
 import android.system.OsConstants
+import android.util.Log
 import libtailscale.Libtailscale
 import java.util.UUID
 
 open class IPNService : VpnService(), libtailscale.IPNService {
+  private val TAG = "IPNService"
   private val randomID: String = UUID.randomUUID().toString()
 
   override fun id(): String {
@@ -76,9 +78,13 @@ open class IPNService : VpnService(), libtailscale.IPNService {
   }
 
   private fun showForegroundNotification() {
-    startForeground(
-        UninitializedApp.STATUS_NOTIFICATION_ID,
-        UninitializedApp.get().buildStatusNotification(true))
+    try {
+      startForeground(
+          UninitializedApp.STATUS_NOTIFICATION_ID,
+          UninitializedApp.get().buildStatusNotification(true))
+    } catch (e: Exception) {
+      Log.e(TAG, "Failed to start foreground service: $e")
+    }
   }
 
   private fun configIntent(): PendingIntent {
@@ -92,7 +98,9 @@ open class IPNService : VpnService(), libtailscale.IPNService {
   private fun disallowApp(b: Builder, name: String) {
     try {
       b.addDisallowedApplication(name)
-    } catch (e: PackageManager.NameNotFoundException) {}
+    } catch (e: PackageManager.NameNotFoundException) {
+      Log.d(TAG, "Failed to add disallowed application: $e")
+    }
   }
 
   override fun newBuilder(): VPNServiceBuilder {
@@ -106,24 +114,14 @@ open class IPNService : VpnService(), libtailscale.IPNService {
     }
     b.setUnderlyingNetworks(null) // Use all available networks.
 
-    // RCS/Jibe https://github.com/tailscale/tailscale/issues/2322
-    disallowApp(b, "com.google.android.apps.messaging")
-
-    // Stadia https://github.com/tailscale/tailscale/issues/3460
-    disallowApp(b, "com.google.stadia.android")
-
-    // Android Auto https://github.com/tailscale/tailscale/issues/3828
-    disallowApp(b, "com.google.android.projection.gearhead")
-
-    // GoPro https://github.com/tailscale/tailscale/issues/2554
-    disallowApp(b, "com.gopro.smarty")
-
-    // Sonos https://github.com/tailscale/tailscale/issues/2548
-    disallowApp(b, "com.sonos.acr")
-    disallowApp(b, "com.sonos.acr2")
+    // Prevent certain apps from getting their traffic + DNS routed via Tailscale:
+    // - any app that the user manually disallowed in the GUI
+    // - any app that we disallowed via hard-coding
+    for (disallowedPackageName in UninitializedApp.get().disallowedPackageNames()) {
+      Log.d(TAG, "Disallowing app: $disallowedPackageName")
+      disallowApp(b, disallowedPackageName)
+    }
 
-    // Google Chromecast https://github.com/tailscale/tailscale/issues/3636
-    disallowApp(b, "com.google.android.apps.chromecast.app")
     return VPNServiceBuilder(b)
   }
 

android/src/main/java/com/tailscale/ipn/MainActivity.kt

@@ -63,6 +63,7 @@ import com.tailscale.ipn.ui.view.PeerDetails
 import com.tailscale.ipn.ui.view.PermissionsView
 import com.tailscale.ipn.ui.view.RunExitNodeView
 import com.tailscale.ipn.ui.view.SettingsView
+import com.tailscale.ipn.ui.view.SplitTunnelAppPickerView
 import com.tailscale.ipn.ui.view.TailnetLockSetupView
 import com.tailscale.ipn.ui.view.UserSwitcherNav
 import com.tailscale.ipn.ui.view.UserSwitcherView
@@ -162,6 +163,7 @@ class MainActivity : ComponentActivity() {
                           onNavigateToBugReport = { navController.navigate("bugReport") },
                           onNavigateToAbout = { navController.navigate("about") },
                           onNavigateToDNSSettings = { navController.navigate("dnsSettings") },
+                          onNavigateToSplitTunneling = { navController.navigate("splitTunneling") },
                           onNavigateToTailnetLock = { navController.navigate("tailnetLock") },
                           onNavigateToMDMSettings = { navController.navigate("mdmSettings") },
                           onNavigateToManagedBy = { navController.navigate("managedBy") },
@@ -214,6 +216,7 @@ class MainActivity : ComponentActivity() {
                       }
                   composable("bugReport") { BugReportView(backTo("settings")) }
                   composable("dnsSettings") { DNSSettingsView(backTo("settings")) }
+                  composable("splitTunneling") { SplitTunnelAppPickerView(backTo("settings")) }
                   composable("tailnetLock") { TailnetLockSetupView(backTo("settings")) }
                   composable("about") { AboutView(backTo("settings")) }
                   composable("mdmSettings") { MDMSettingsDebugView(backTo("settings")) }

android/src/main/java/com/tailscale/ipn/ui/util/InstalledAppsManager.kt

@@ -0,0 +1,34 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package com.tailscale.ipn.ui.util
+
+import android.Manifest
+import android.content.pm.ApplicationInfo
+import android.content.pm.PackageManager
+
+data class InstalledApp(val name: String, val packageName: String)
+
+class InstalledAppsManager(
+    val packageManager: PackageManager,
+) {
+  fun fetchInstalledApps(): List<InstalledApp> {
+    return packageManager
+        .getInstalledApplications(PackageManager.GET_META_DATA)
+        .filter(appIsIncluded)
+        .map {
+          InstalledApp(
+              name = it.loadLabel(packageManager).toString(),
+              packageName = it.packageName,
+          )
+        }
+        .sortedBy { it.name }
+  }
+
+  private val appIsIncluded: (ApplicationInfo) -> Boolean = { app ->
+    app.packageName != "com.tailscale.ipn" &&
+        // Only show apps that can access the Internet
+        packageManager.checkPermission(Manifest.permission.INTERNET, app.packageName) ==
+            PackageManager.PERMISSION_GRANTED
+  }
+}

android/src/main/java/com/tailscale/ipn/ui/view/SettingsView.kt

@@ -55,7 +55,7 @@ fun SettingsView(settingsNav: SettingsNav, viewModel: SettingsViewModel = viewMo
         Header(titleRes = R.string.settings_title, onBack = settingsNav.onNavigateBackHome)
       }) { innerPadding ->
         Column(modifier = Modifier.padding(innerPadding).verticalScroll(rememberScrollState())) {
-          if (isVPNPrepared){
+          if (isVPNPrepared) {
             UserView(
                 profile = user,
                 actionState = UserActionState.NAV,
@@ -77,6 +77,12 @@ fun SettingsView(settingsNav: SettingsNav, viewModel: SettingsViewModel = viewMo
                   },
               onClick = settingsNav.onNavigateToDNSSettings)
 
+          Lists.ItemDivider()
+          Setting.Text(
+              R.string.split_tunneling,
+              subtitle = stringResource(R.string.exclude_certain_apps_from_using_tailscale),
+              onClick = settingsNav.onNavigateToSplitTunneling)
+
           if (showTailnetLock == ShowHide.Show) {
             Lists.ItemDivider()
             Setting.Text(
@@ -199,5 +205,5 @@ fun SettingsPreview() {
   vm.tailNetLockEnabled.set(true)
   vm.isAdmin.set(true)
   vm.managedByOrganization.set("Tails and Scales Inc.")
-  SettingsView(SettingsNav({}, {}, {}, {}, {}, {}, {}, {}, {}, {}), vm)
+  SettingsView(SettingsNav({}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}), vm)
 }