[BR02] Implement isUidNetworkingBlocked
This is needed for data stall detection mechanism in NetworkStack
to get the information about whether the network is blocked for
a given uid and conditions. Because the API will be called
frequently from NetworkStack to resolve all status for all uids
on the device, the API cannot call into the service which
creates IPC. Instead, the API need to directly access bpf maps
in the user process to retrieve the status. In this case the
user process is the network stack, the access control is provided
by linux file permission and selinux.
Test: atest FrameworksNetTests:android.net.connectivity.android.net.BpfNetMapsReaderTest
Test: atest FrameworksNetTests:android.net.connectivity.android.net.ConnectivityManagerTest
NO_IFTTT=Refactor only change for firewall chains definitions
Bug: 297836825
Change-Id: Iaf983b71ec98cbfe5152dcfade8a3120f938f135
diff --git a/tests/unit/java/android/net/BpfNetMapsReaderTest.kt b/tests/unit/java/android/net/BpfNetMapsReaderTest.kt
index facb932..86a0acb 100644
--- a/tests/unit/java/android/net/BpfNetMapsReaderTest.kt
+++ b/tests/unit/java/android/net/BpfNetMapsReaderTest.kt
@@ -16,23 +16,31 @@
package android.net
+import android.net.BpfNetMapsConstants.DOZABLE_MATCH
+import android.net.BpfNetMapsConstants.STANDBY_MATCH
import android.net.BpfNetMapsConstants.UID_RULES_CONFIGURATION_KEY
import android.net.BpfNetMapsUtils.getMatchByFirewallChain
-import android.os.Build
+import android.os.Build.VERSION_CODES
import com.android.net.module.util.IBpfMap
import com.android.net.module.util.Struct.S32
import com.android.net.module.util.Struct.U32
import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo
import com.android.testutils.DevSdkIgnoreRunner
import com.android.testutils.TestBpfMap
+import java.lang.reflect.Modifier
+import kotlin.test.assertEquals
import kotlin.test.assertFalse
import kotlin.test.assertTrue
import org.junit.Test
import org.junit.runner.RunWith
+private const val TEST_UID1 = 1234
+private const val TEST_UID2 = TEST_UID1 + 1
+private const val NO_IIF = 0
+
// pre-T devices does not support Bpf.
@RunWith(DevSdkIgnoreRunner::class)
-@IgnoreUpTo(Build.VERSION_CODES.S_V2)
+@IgnoreUpTo(VERSION_CODES.S_V2)
class BpfNetMapsReaderTest {
private val testConfigurationMap: IBpfMap<S32, U32> = TestBpfMap()
private val testUidOwnerMap: IBpfMap<S32, UidOwnerValue> = TestBpfMap()
@@ -66,4 +74,75 @@
doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_RESTRICTED)
doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY)
}
+
+ @Test
+ fun testFirewallChainList() {
+ // Verify that when a firewall chain constant is added, it should also be included in
+ // firewall chain list.
+ val declaredChains = ConnectivityManager::class.java.declaredFields.filter {
+ Modifier.isStatic(it.modifiers) && it.name.startsWith("FIREWALL_CHAIN_")
+ }
+ // Verify the size matches, this also verifies no common item in allow and deny chains.
+ assertEquals(BpfNetMapsConstants.ALLOW_CHAINS.size +
+ BpfNetMapsConstants.DENY_CHAINS.size, declaredChains.size)
+ declaredChains.forEach {
+ assertTrue(BpfNetMapsConstants.ALLOW_CHAINS.contains(it.get(null)) ||
+ BpfNetMapsConstants.DENY_CHAINS.contains(it.get(null)))
+ }
+ }
+
+ private fun mockChainEnabled(chain: Int, enabled: Boolean) {
+ val config = testConfigurationMap.getValue(UID_RULES_CONFIGURATION_KEY).`val`
+ val newConfig = if (enabled) {
+ config or getMatchByFirewallChain(chain)
+ } else {
+ config and getMatchByFirewallChain(chain).inv()
+ }
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(newConfig))
+ }
+
+ @Test
+ fun testIsUidNetworkingBlockedByFirewallChains_allowChain() {
+ // With everything disabled by default, verify the return value is false.
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(0))
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+
+ // Enable dozable chain but does not provide allowed list. Verify the network is blocked
+ // for all uids.
+ mockChainEnabled(ConnectivityManager.FIREWALL_CHAIN_DOZABLE, true)
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID2))
+
+ // Add uid1 to dozable allowed list. Verify the network is not blocked for uid1, while
+ // uid2 is blocked.
+ testUidOwnerMap.updateEntry(S32(TEST_UID1), UidOwnerValue(NO_IIF, DOZABLE_MATCH))
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID2))
+ }
+
+ @Test
+ fun testIsUidNetworkingBlockedByFirewallChains_denyChain() {
+ // Enable standby chain but does not provide denied list. Verify the network is allowed
+ // for all uids.
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(0))
+ mockChainEnabled(ConnectivityManager.FIREWALL_CHAIN_STANDBY, true)
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID2))
+
+ // Add uid1 to standby allowed list. Verify the network is blocked for uid1, while
+ // uid2 is not blocked.
+ testUidOwnerMap.updateEntry(S32(TEST_UID1), UidOwnerValue(NO_IIF, STANDBY_MATCH))
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID2))
+ }
+
+ @Test
+ fun testIsUidNetworkingBlockedByFirewallChains_blockedWithAllowed() {
+ // Uids blocked by powersave chain but allowed by standby chain, verify the blocking
+ // takes higher priority.
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(0))
+ mockChainEnabled(ConnectivityManager.FIREWALL_CHAIN_POWERSAVE, true)
+ mockChainEnabled(ConnectivityManager.FIREWALL_CHAIN_STANDBY, true)
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ }
}
diff --git a/tests/unit/java/com/android/server/BpfNetMapsTest.java b/tests/unit/java/com/android/server/BpfNetMapsTest.java
index ea2b261..1dfc8c0 100644
--- a/tests/unit/java/com/android/server/BpfNetMapsTest.java
+++ b/tests/unit/java/com/android/server/BpfNetMapsTest.java
@@ -16,10 +16,12 @@
package com.android.server;
+import static android.net.BpfNetMapsConstants.ALLOW_CHAINS;
import static android.net.BpfNetMapsConstants.CURRENT_STATS_MAP_CONFIGURATION_KEY;
import static android.net.BpfNetMapsConstants.DATA_SAVER_ENABLED_KEY;
import static android.net.BpfNetMapsConstants.DATA_SAVER_DISABLED;
import static android.net.BpfNetMapsConstants.DATA_SAVER_ENABLED;
+import static android.net.BpfNetMapsConstants.DENY_CHAINS;
import static android.net.BpfNetMapsConstants.DOZABLE_MATCH;
import static android.net.BpfNetMapsConstants.HAPPY_BOX_MATCH;
import static android.net.BpfNetMapsConstants.IIF_MATCH;
@@ -119,20 +121,16 @@
private static final int NO_IIF = 0;
private static final int NULL_IIF = 0;
private static final String CHAINNAME = "fw_dozable";
- private static final List<Integer> FIREWALL_CHAINS = List.of(
- FIREWALL_CHAIN_DOZABLE,
- FIREWALL_CHAIN_STANDBY,
- FIREWALL_CHAIN_POWERSAVE,
- FIREWALL_CHAIN_RESTRICTED,
- FIREWALL_CHAIN_LOW_POWER_STANDBY,
- FIREWALL_CHAIN_OEM_DENY_1,
- FIREWALL_CHAIN_OEM_DENY_2,
- FIREWALL_CHAIN_OEM_DENY_3
- );
private static final long STATS_SELECT_MAP_A = 0;
private static final long STATS_SELECT_MAP_B = 1;
+ private static final List<Integer> FIREWALL_CHAINS = new ArrayList<>();
+ static {
+ FIREWALL_CHAINS.addAll(ALLOW_CHAINS);
+ FIREWALL_CHAINS.addAll(DENY_CHAINS);
+ }
+
private BpfNetMaps mBpfNetMaps;
@Mock INetd mNetd;
@@ -617,7 +615,7 @@
mUidOwnerMap.updateEntry(new S32(TEST_UID), new UidOwnerValue(TEST_IF_INDEX, IIF_MATCH));
for (final int chain: testChains) {
- final int ruleToAddMatch = mBpfNetMaps.isFirewallAllowList(chain)
+ final int ruleToAddMatch = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
mBpfNetMaps.setUidRule(chain, TEST_UID, ruleToAddMatch);
}
@@ -625,7 +623,7 @@
checkUidOwnerValue(TEST_UID, TEST_IF_INDEX, IIF_MATCH | getMatch(testChains));
for (final int chain: testChains) {
- final int ruleToRemoveMatch = mBpfNetMaps.isFirewallAllowList(chain)
+ final int ruleToRemoveMatch = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_DENY : FIREWALL_RULE_ALLOW;
mBpfNetMaps.setUidRule(chain, TEST_UID, ruleToRemoveMatch);
}
@@ -705,11 +703,11 @@
for (final int chain: FIREWALL_CHAINS) {
final String testCase = "EnabledChains: " + enableChains + " CheckedChain: " + chain;
if (enableChains.contains(chain)) {
- final int expectedRule = mBpfNetMaps.isFirewallAllowList(chain)
+ final int expectedRule = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
assertEquals(testCase, expectedRule, mBpfNetMaps.getUidRule(chain, TEST_UID));
} else {
- final int expectedRule = mBpfNetMaps.isFirewallAllowList(chain)
+ final int expectedRule = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_DENY : FIREWALL_RULE_ALLOW;
assertEquals(testCase, expectedRule, mBpfNetMaps.getUidRule(chain, TEST_UID));
}
@@ -752,7 +750,7 @@
public void testGetUidRuleNoEntry() throws Exception {
mUidOwnerMap.clear();
for (final int chain: FIREWALL_CHAINS) {
- final int expectedRule = mBpfNetMaps.isFirewallAllowList(chain)
+ final int expectedRule = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_DENY : FIREWALL_RULE_ALLOW;
assertEquals(expectedRule, mBpfNetMaps.getUidRule(chain, TEST_UID));
}
diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 82fb651..97ae3bf 100755
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -10585,13 +10585,11 @@
final boolean allowlist = true;
final boolean denylist = false;
- doReturn(true).when(mBpfNetMaps).isFirewallAllowList(anyInt());
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_DOZABLE, allowlist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_POWERSAVE, allowlist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_RESTRICTED, allowlist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_LOW_POWER_STANDBY, allowlist);
- doReturn(false).when(mBpfNetMaps).isFirewallAllowList(anyInt());
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_STANDBY, denylist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_OEM_DENY_1, denylist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_OEM_DENY_2, denylist);