Disallow non-VPN tethering upstreams on always-on VPN lockdown mode

* This ensures that the Hotspot "Allow clients to use VPN" option
  respects the VPN "Block connections without VPN" option,
  to avoid any leaks.

Issue: calyxos#555
Change-Id: Ibd690c605a3d87e3c493550039a65862be16848b
Signed-off-by: Mohammad Hasan Keramat J <ikeramat@protonmail.com>

Tethering/src/com/android/networkstack/tethering/UpstreamNetworkMonitor.java

@@ -91,6 +91,7 @@ public class UpstreamNetworkMonitor {
     private static final boolean VDBG = false;
 
     // Copied from frameworks/base/core/java/android/provider/Settings.java
+    private static final String ALWAYS_ON_VPN_LOCKDOWN = "always_on_vpn_lockdown";
     private static final String TETHERING_ALLOW_VPN_UPSTREAMS = "tethering_allow_vpn_upstreams";
 
     public static final int EVENT_ON_CAPABILITIES   = 1;
@@ -360,8 +361,13 @@ public class UpstreamNetworkMonitor {
      */
     public UpstreamNetworkState getCurrentPreferredUpstream() {
         // Use VPN upstreams if hotspot settings allow.
-        if (mTetheringUpstreamVpn != null && isAllowedToUseVpnUpstreams()) {
+        if (isAllowedToUseVpnUpstreams()) {
-            return mNetworkMap.get(mTetheringUpstreamVpn);
+            if (mTetheringUpstreamVpn != null) {
+                return mNetworkMap.get(mTetheringUpstreamVpn);
+            } else if (Settings.Secure.getInt(mContext.getContentResolver(),
+                    ALWAYS_ON_VPN_LOCKDOWN, 0) == 1) {
+                return null;
+            }
         }
         final UpstreamNetworkState dfltState = (mDefaultInternetNetwork != null)
                 ? mNetworkMap.get(mDefaultInternetNetwork)