Fix For Device With A Restrictive Account

[nochlab1]

If you have a device that lets you have multiple users and one of the users is a Restrictive user then you get this error
Error while building the TUN interface
java.lang.SecurityException: getPackageUid: Neither user 10515 nor current process has android.permission.INTERACT_ACROSS_USERS.
Now i have other vpns not installed from play stor that do work but i have figured out another solution
I added this

<uses-permission
android:name="android.permission.INTERACT_ACROSS_USERS"

To the android manifest and rebuilt the app then used this command in adb

adb shell pm grant com.adguard.android android.permission.INTERACT_ACROSS_USERS

And now it works

(No root android 9 Samsung oneui 1.5)

Please put in this fix
Thanks

[ameshkov]

Hmm, there's one more thing to it then.

1. We should detect when we're not allowed to run VPN due to lack of the INTERACT_ACROSS_USERS permission
2. Once it happens, we should show a dialog that explains how to fix this (e.g. install adb and grant permission).
3. We should add a knowledge base article about this:
   • Why there is such an issue and why Play store apps don't have it
   • How to fix this

[androidacy-user]

Hmm, there's one more thing to it then.

1. We should detect when we're not allowed to run VPN due to lack of the INTERACT_ACROSS_USERS permission

2. Once it happens, we should show a dialog that explains how to fix this (e.g. install adb and grant permission).

3. We should add a knowledge base article about this:

   • Why there is such an issue and why Play store apps don't have it
   • How to fix this

In root mode you could do it automatically no need for adb

[artemiv4nov]

We already had a similar task, #173
Also, Google has a special guide on how to build the multiuser-aware application.

[Revertron]

The problem is with Android itself. Here are some bugs not with VPN, but similar:
https://issuetracker.google.com/issues/111857669
https://issuetracker.google.com/issues/111102580

I couldn't repeat this behavior on Emulators from 7.1.1 to 10. And on Lineage 17 on my phone.

[nochlab1]

The problem is with Android itself. Here are some bugs not with VPN, but similar:
https://issuetracker.google.com/issues/111857669
https://issuetracker.google.com/issues/111102580

I couldn't repeat this behavior on Emulators from 7.1.1 to 10. And on Lineage 17 on my phone.

So on android 7.1.1 you created a restricted account and on the main account adguard vpn still started?

[admitrevskiy]

It's incredibly difficult to reproduce this bug since not all devices have the ability to create a restricted account, for me the only one was Nexus 9 with Android 7.1.

This issue is reproducable atowner account, since restricted account has no ability to change VPN settings.

This issue is related to an attempt to exclude whitelisted applications from filtering. If the device has a restricted account android blocks this ability for apps without INTERACT_ACROSS_USERS permission. Here are the sources from AOSP:

ConnectivityManager tries to create ParcelFileDescriptor using VPN. If disallowed apps list is not null, android tries to exclude each app by UID and checks UIDs with PackageManagerService.java
And here is the method that throws an exception

I was wondering how does TunnelBear managing this issue without signatured permission and finally found out that apps whitelisting (they called it SplitBear) also violates the ability to create a VPN.

The problem with completely rejecting whitelist is that AdGuard must be excluded from VPN by itself to work correctly, therefore this solution was rejected.

Possible troubleshooting options are as follows:

• Granting permission via ADB (thanks for @nochlab1 ):

adb shell pm grant com.adguard.android android.permission.INTERACT_ACROSS_USERS

• Switch filtering method to HTTP Proxy
• Delete an account with restricted access

All this options will be provided to users if we detect restricted accounts in VPN filtering mode.