Skip to content

Add per-app foreground-only internet access restriction #510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 7 commits into from
Closed

Add per-app foreground-only internet access restriction #510

Copilot wants to merge 7 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Jan 10, 2026
edited
Loading

Implements a feature allowing users to restrict app internet access to foreground (active use) only, addressing requests to "block internet access when an app is not used."

Implementation

Core tracking (ForegroundTracker.java)

  • Monitors foreground apps via UsageStatsManager with 500ms throttling
  • Requires PACKAGE_USAGE_STATS permission; prompts user via Settings when enabled
  • Thread-safe caching with concurrent data structures

Packet filtering (ServiceSinkhole.java)

  • Added foreground check in isAddressAllowed() before packet approval
  • UID-level caching for foreground-only settings (cleared on regular maintenance)
  • Graceful fallback: allows traffic if permission not granted (logs warning once per UID)

UI (AdapterRule.java, rule.xml)

  • Checkbox in expanded app details: "Allow only when in use"
  • Permission request flow integrated into toggle handler
  • Uses existing SharedPreferences pattern for persistence

Data model (Rule.java)

  • Added foreground_only boolean field
  • Loaded from foreground_only SharedPreferences namespace

Technical notes

  • Package name selection for shared UIDs: sorts packages alphabetically for determinism
  • Performance: cache hit path avoids PackageManager and SharedPreferences lookups
  • State transitions: clear-and-rebuild pattern ensures background apps are properly unmarked

Example usage

// In packet filtering hot path
Boolean isForegroundOnly = foregroundOnlyCache.get(packet.uid);
if (isForegroundOnly && !ForegroundTracker.getInstance(this).isAppInForeground(packet.uid)) {
    packet.allowed = false; // Block background traffic
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dl.google.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED -Xmx4608m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /home/REDACTED/.gradle/wrapper/dists/gradle-8.13-bin/5xuhj0ry160q40clulazy9h7d/gradle-8.13/lib/gradle-daemon-main-8.13.jar (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Allow internet access only when using an app</issue_title>
<issue_description>Pleade, add an option to block internet access when an app is not used.</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 6 commits January 10, 2026 22:24
@kasnder
Add foreground-only internet access feature
0002bd5 
- Add foreground_only field to Rule class
- Create ForegroundTracker to monitor app foreground state
- Integrate foreground check in ServiceSinkhole.isAddressAllowed()
- Add UI checkbox in rule.xml and AdapterRule
- Add PACKAGE_USAGE_STATS permission
- Add string resources for UI

Co-authored-by: kasnder <5175206+kasnder@users.noreply.github.com>
@kasnder
Add permission request UI for usage stats
40b3759 
- Add hasUsageStatsPermission() and requestUsageStatsPermission() to ForegroundTracker
- Update AdapterRule to check permission before enabling foreground-only mode
- Add permission request message string
- Prompt user to grant permission when enabling feature

Co-authored-by: kasnder <5175206+kasnder@users.noreply.github.com>
@kasnder
Fix foreground tracking logic and permission handling
c7a4e35 
- Fix ForegroundTracker to maintain state between updates
- Add permission check before enforcing foreground-only restriction
- Log warning if permission not granted but feature enabled

Co-authored-by: kasnder <5175206+kasnder@users.noreply.github.com>
@kasnder
Address code review feedback
551ca2c 
- Optimize ForegroundTracker map updates to only modify changed entries
- Add caching for foreground_only settings in ServiceSinkhole
- Document why first package name is used for UIDs with multiple packages
- Clear foreground_only cache on regular cleanup

Co-authored-by: kasnder <5175206+kasnder@users.noreply.github.com>
@kasnder
Address additional code review feedback
4264aa9 
- Use retainAll for O(n) complexity instead of O(n²) in ForegroundTracker
- Rate-limit permission warning logs to once per UID
- Sort packages before selection for deterministic behavior
- Clear permissionWarningLogged set during cleanup

Co-authored-by: kasnder <5175206+kasnder@users.noreply.github.com>
@kasnder
Address final code review feedback
d78b68f 
- Add constants for magic numbers (THROTTLE_INTERVAL_MS, QUERY_WINDOW_MS)
- Use entrySet() instead of keySet() to avoid race conditions
- Clear and rebuild map to properly handle background transitions
- Add comments clarifying cache behavior and performance

Co-authored-by: kasnder <5175206+kasnder@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement option to block internet access when app is not used Add per-app foreground-only internet access restriction Jan 10, 2026
Copilot AI requested a review from kasnder January 10, 2026 22:36
@kasnder kasnder closed this Jan 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kasnder kasnder Awaiting requested review from kasnder

Assignees

@kasnder kasnder

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow internet access only when using an app

2 participants

@kasnder