Merge "Update PrivateDnsMode from StringDef to IntDef"
diff --git a/framework/Android.bp b/framework/Android.bp
index 017ff51..657d5a3 100644
--- a/framework/Android.bp
+++ b/framework/Android.bp
@@ -25,6 +25,7 @@
java_library {
name: "framework-connectivity-protos",
+ sdk_version: "module_current",
proto: {
type: "nano",
},
@@ -82,8 +83,7 @@
name: "framework-connectivity",
api_only: true,
defaults: ["framework-module-defaults"],
- // TODO: build against module API
- platform_apis: true,
+ installable: true,
srcs: [
":framework-connectivity-sources",
],
@@ -100,18 +100,56 @@
libs: [
"unsupportedappusage",
],
- permitted_packages: ["android.net", "com.android.connectivity.aidl"],
+ permitted_packages: ["android.net"],
+}
+
+cc_defaults {
+ name: "libframework-connectivity-defaults",
+ cflags: [
+ "-Wall",
+ "-Werror",
+ "-Wno-unused-parameter",
+ "-Wthread-safety",
+ ],
+ shared_libs: [
+ "libbase",
+ "liblog",
+ "libnativehelper",
+ "libnetd_client",
+ ],
+ header_libs: [
+ "dnsproxyd_protocol_headers",
+ ],
+}
+
+cc_library_static {
+ name: "libconnectivityframeworkutils",
+ defaults: ["libframework-connectivity-defaults"],
+ srcs: [
+ "jni/android_net_NetworkUtils.cpp",
+ ],
+ apex_available: [
+ "//apex_available:platform",
+ "com.android.tethering",
+ ],
+}
+
+cc_library_shared {
+ name: "libframework-connectivity-jni",
+ defaults: ["libframework-connectivity-defaults"],
+ srcs: [
+ "jni/onload.cpp",
+ ],
+ static_libs: ["libconnectivityframeworkutils"],
+ apex_available: [
+ "//apex_available:platform",
+ "com.android.tethering",
+ ],
}
java_library {
name: "framework-connectivity.impl",
- // Instead of building against private API (framework.jar),
- // build against core_platform + framework-minus-apex + module
- // stub libs. This allows framework.jar to depend on this library,
- // so it can be part of the private API until all clients have been migrated.
- // TODO: just build against module_api, and remove this jar from
- // the private API.
- sdk_version: "core_platform",
+ sdk_version: "module_current",
srcs: [
":framework-connectivity-sources",
],
@@ -122,12 +160,11 @@
],
},
libs: [
- "framework-minus-apex",
- // TODO: just framework-tethering, framework-wifi when building against module_api
- "framework-tethering.stubs.module_lib",
- "framework-wifi.stubs.module_lib",
+ // TODO (b/183097033) remove once module_current includes core_current
+ "stable.core.platform.api.stubs",
+ "framework-tethering",
+ "framework-wifi",
"unsupportedappusage",
- "ServiceConnectivityResources",
],
static_libs: [
"framework-connectivity-protos",
@@ -136,5 +173,5 @@
jarjar_rules: "jarjar-rules.txt",
apex_available: ["com.android.tethering"],
installable: true,
- permitted_packages: ["android.net", "com.android.connectivity.aidl"],
+ permitted_packages: ["android.net"],
}
diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt
index 90580fa..78dff21 100644
--- a/framework/api/module-lib-current.txt
+++ b/framework/api/module-lib-current.txt
@@ -109,7 +109,7 @@
public final class NetworkCapabilities implements android.os.Parcelable {
method @Nullable public java.util.Set<android.util.Range<java.lang.Integer>> getUids();
- method public boolean hasUnwantedCapability(int);
+ method public boolean hasForbiddenCapability(int);
field public static final long REDACT_ALL = -1L; // 0xffffffffffffffffL
field public static final long REDACT_FOR_ACCESS_FINE_LOCATION = 1L; // 0x1L
field public static final long REDACT_FOR_LOCAL_MAC_ADDRESS = 2L; // 0x2L
@@ -123,13 +123,13 @@
}
public class NetworkRequest implements android.os.Parcelable {
- method @NonNull public int[] getUnwantedCapabilities();
- method public boolean hasUnwantedCapability(int);
+ method @NonNull public int[] getForbiddenCapabilities();
+ method public boolean hasForbiddenCapability(int);
}
public static class NetworkRequest.Builder {
- method @NonNull public android.net.NetworkRequest.Builder addUnwantedCapability(int);
- method @NonNull public android.net.NetworkRequest.Builder removeUnwantedCapability(int);
+ method @NonNull public android.net.NetworkRequest.Builder addForbiddenCapability(int);
+ method @NonNull public android.net.NetworkRequest.Builder removeForbiddenCapability(int);
method @NonNull public android.net.NetworkRequest.Builder setUids(@Nullable java.util.Set<android.util.Range<java.lang.Integer>>);
}
diff --git a/core/jni/android_net_NetworkUtils.cpp b/framework/jni/android_net_NetworkUtils.cpp
similarity index 93%
rename from core/jni/android_net_NetworkUtils.cpp
rename to framework/jni/android_net_NetworkUtils.cpp
index 1cee895..48e262a 100644
--- a/core/jni/android_net_NetworkUtils.cpp
+++ b/framework/jni/android_net_NetworkUtils.cpp
@@ -30,13 +30,13 @@
#include <DnsProxydProtocol.h> // NETID_USE_LOCAL_NAMESERVERS
#include <cutils/properties.h>
+#include <nativehelper/JNIHelp.h>
#include <nativehelper/JNIPlatformHelp.h>
#include <nativehelper/ScopedLocalRef.h>
#include <utils/Log.h>
#include <utils/misc.h>
#include "NetdClient.h"
-#include "core_jni_helpers.h"
#include "jni.h"
extern "C" {
@@ -52,6 +52,19 @@
// FrameworkListener limits the size of commands to 4096 bytes.
constexpr int MAXCMDSIZE = 4096;
+static inline jclass FindClassOrDie(JNIEnv* env, const char* class_name) {
+ jclass clazz = env->FindClass(class_name);
+ LOG_ALWAYS_FATAL_IF(clazz == NULL, "Unable to find class %s", class_name);
+ return clazz;
+}
+
+template <typename T>
+static inline T MakeGlobalRefOrDie(JNIEnv* env, T in) {
+ jobject res = env->NewGlobalRef(in);
+ LOG_ALWAYS_FATAL_IF(res == NULL, "Unable to create global reference.");
+ return static_cast<T>(res);
+}
+
static void android_net_utils_attachDropAllBPFFilter(JNIEnv *env, jobject clazz, jobject javaFd)
{
struct sock_filter filter_code[] = {
@@ -254,8 +267,8 @@
int register_android_net_NetworkUtils(JNIEnv* env)
{
- return RegisterMethodsOrDie(env, NETUTILS_PKG_NAME, gNetworkUtilMethods,
- NELEM(gNetworkUtilMethods));
+ return jniRegisterNativeMethods(env, NETUTILS_PKG_NAME, gNetworkUtilMethods,
+ NELEM(gNetworkUtilMethods));
}
}; // namespace android
diff --git a/framework/jni/onload.cpp b/framework/jni/onload.cpp
new file mode 100644
index 0000000..435f434
--- /dev/null
+++ b/framework/jni/onload.cpp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nativehelper/JNIHelp.h>
+#include <log/log.h>
+
+namespace android {
+
+int register_android_net_NetworkUtils(JNIEnv* env);
+
+extern "C" jint JNI_OnLoad(JavaVM* vm, void*) {
+ JNIEnv *env;
+ if (vm->GetEnv(reinterpret_cast<void**>(&env), JNI_VERSION_1_6) != JNI_OK) {
+ ALOGE("GetEnv failed");
+ return JNI_ERR;
+ }
+
+ if (register_android_net_NetworkUtils(env) < 0) {
+ return JNI_ERR;
+ }
+
+ return JNI_VERSION_1_6;
+}
+
+};
\ No newline at end of file
diff --git a/framework/src/android/net/NetworkCapabilities.java b/framework/src/android/net/NetworkCapabilities.java
index 937a9d2..4a99d29 100644
--- a/framework/src/android/net/NetworkCapabilities.java
+++ b/framework/src/android/net/NetworkCapabilities.java
@@ -183,7 +183,7 @@
throw new UnsupportedOperationException(
"Cannot clear NetworkCapabilities when mRedactions is set");
}
- mNetworkCapabilities = mTransportTypes = mUnwantedNetworkCapabilities = 0;
+ mNetworkCapabilities = mTransportTypes = mForbiddenNetworkCapabilities = 0;
mLinkUpBandwidthKbps = mLinkDownBandwidthKbps = LINK_BANDWIDTH_UNSPECIFIED;
mNetworkSpecifier = null;
mTransportInfo = null;
@@ -219,7 +219,7 @@
mUids = (nc.mUids == null) ? null : new ArraySet<>(nc.mUids);
setAdministratorUids(nc.getAdministratorUids());
mOwnerUid = nc.mOwnerUid;
- mUnwantedNetworkCapabilities = nc.mUnwantedNetworkCapabilities;
+ mForbiddenNetworkCapabilities = nc.mForbiddenNetworkCapabilities;
mSSID = nc.mSSID;
mPrivateDnsBroken = nc.mPrivateDnsBroken;
mRequestorUid = nc.mRequestorUid;
@@ -237,7 +237,7 @@
/**
* If any capabilities specified here they must not exist in the matching Network.
*/
- private long mUnwantedNetworkCapabilities;
+ private long mForbiddenNetworkCapabilities;
/** @hide */
@Retention(RetentionPolicy.SOURCE)
@@ -586,21 +586,21 @@
* @hide
*/
public @NonNull NetworkCapabilities addCapability(@NetCapability int capability) {
- // If the given capability was previously added to the list of unwanted capabilities
- // then the capability will also be removed from the list of unwanted capabilities.
- // TODO: Consider adding unwanted capabilities to the public API and mention this
+ // If the given capability was previously added to the list of forbidden capabilities
+ // then the capability will also be removed from the list of forbidden capabilities.
+ // TODO: Consider adding forbidden capabilities to the public API and mention this
// in the documentation.
checkValidCapability(capability);
mNetworkCapabilities |= 1L << capability;
- // remove from unwanted capability list
- mUnwantedNetworkCapabilities &= ~(1L << capability);
+ // remove from forbidden capability list
+ mForbiddenNetworkCapabilities &= ~(1L << capability);
return this;
}
/**
- * Adds the given capability to the list of unwanted capabilities of this
+ * Adds the given capability to the list of forbidden capabilities of this
* {@code NetworkCapability} instance. Note that when searching for a network to
- * satisfy a request, the network must not contain any capability from unwanted capability
+ * satisfy a request, the network must not contain any capability from forbidden capability
* list.
* <p>
* If the capability was previously added to the list of required capabilities (for
@@ -610,9 +610,9 @@
* @see #addCapability(int)
* @hide
*/
- public void addUnwantedCapability(@NetCapability int capability) {
+ public void addForbiddenCapability(@NetCapability int capability) {
checkValidCapability(capability);
- mUnwantedNetworkCapabilities |= 1L << capability;
+ mForbiddenNetworkCapabilities |= 1L << capability;
mNetworkCapabilities &= ~(1L << capability); // remove from requested capabilities
}
@@ -632,16 +632,16 @@
}
/**
- * Removes (if found) the given unwanted capability from this {@code NetworkCapability}
- * instance that were added via addUnwantedCapability(int) or setCapabilities(int[], int[]).
+ * Removes (if found) the given forbidden capability from this {@code NetworkCapability}
+ * instance that were added via addForbiddenCapability(int) or setCapabilities(int[], int[]).
*
* @param capability the capability to be removed.
* @return This NetworkCapabilities instance, to facilitate chaining.
* @hide
*/
- public @NonNull NetworkCapabilities removeUnwantedCapability(@NetCapability int capability) {
+ public @NonNull NetworkCapabilities removeForbiddenCapability(@NetCapability int capability) {
checkValidCapability(capability);
- mUnwantedNetworkCapabilities &= ~(1L << capability);
+ mForbiddenNetworkCapabilities &= ~(1L << capability);
return this;
}
@@ -670,13 +670,13 @@
}
/**
- * Gets all the unwanted capabilities set on this {@code NetworkCapability} instance.
+ * Gets all the forbidden capabilities set on this {@code NetworkCapability} instance.
*
- * @return an array of unwanted capability values for this instance.
+ * @return an array of forbidden capability values for this instance.
* @hide
*/
- public @NetCapability int[] getUnwantedCapabilities() {
- return NetworkCapabilitiesUtils.unpackBits(mUnwantedNetworkCapabilities);
+ public @NetCapability int[] getForbiddenCapabilities() {
+ return NetworkCapabilitiesUtils.unpackBits(mForbiddenNetworkCapabilities);
}
@@ -687,9 +687,9 @@
* @hide
*/
public void setCapabilities(@NetCapability int[] capabilities,
- @NetCapability int[] unwantedCapabilities) {
+ @NetCapability int[] forbiddenCapabilities) {
mNetworkCapabilities = NetworkCapabilitiesUtils.packBits(capabilities);
- mUnwantedNetworkCapabilities = NetworkCapabilitiesUtils.packBits(unwantedCapabilities);
+ mForbiddenNetworkCapabilities = NetworkCapabilitiesUtils.packBits(forbiddenCapabilities);
}
/**
@@ -714,9 +714,9 @@
/** @hide */
@SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
- public boolean hasUnwantedCapability(@NetCapability int capability) {
+ public boolean hasForbiddenCapability(@NetCapability int capability) {
return isValidCapability(capability)
- && ((mUnwantedNetworkCapabilities & (1L << capability)) != 0);
+ && ((mForbiddenNetworkCapabilities & (1L << capability)) != 0);
}
/**
@@ -746,14 +746,14 @@
private void combineNetCapabilities(@NonNull NetworkCapabilities nc) {
final long wantedCaps = this.mNetworkCapabilities | nc.mNetworkCapabilities;
- final long unwantedCaps =
- this.mUnwantedNetworkCapabilities | nc.mUnwantedNetworkCapabilities;
- if ((wantedCaps & unwantedCaps) != 0) {
+ final long forbiddenCaps =
+ this.mForbiddenNetworkCapabilities | nc.mForbiddenNetworkCapabilities;
+ if ((wantedCaps & forbiddenCaps) != 0) {
throw new IllegalArgumentException(
- "Cannot have the same capability in wanted and unwanted lists.");
+ "Cannot have the same capability in wanted and forbidden lists.");
}
this.mNetworkCapabilities = wantedCaps;
- this.mUnwantedNetworkCapabilities = unwantedCaps;
+ this.mForbiddenNetworkCapabilities = forbiddenCaps;
}
/**
@@ -764,7 +764,7 @@
* @hide
*/
public @Nullable String describeFirstNonRequestableCapability() {
- final long nonRequestable = (mNetworkCapabilities | mUnwantedNetworkCapabilities)
+ final long nonRequestable = (mNetworkCapabilities | mForbiddenNetworkCapabilities)
& NON_REQUESTABLE_CAPABILITIES;
if (nonRequestable != 0) {
@@ -781,28 +781,28 @@
private boolean satisfiedByNetCapabilities(@NonNull NetworkCapabilities nc,
boolean onlyImmutable) {
long requestedCapabilities = mNetworkCapabilities;
- long requestedUnwantedCapabilities = mUnwantedNetworkCapabilities;
+ long requestedForbiddenCapabilities = mForbiddenNetworkCapabilities;
long providedCapabilities = nc.mNetworkCapabilities;
if (onlyImmutable) {
requestedCapabilities &= ~MUTABLE_CAPABILITIES;
- requestedUnwantedCapabilities &= ~MUTABLE_CAPABILITIES;
+ requestedForbiddenCapabilities &= ~MUTABLE_CAPABILITIES;
}
return ((providedCapabilities & requestedCapabilities) == requestedCapabilities)
- && ((requestedUnwantedCapabilities & providedCapabilities) == 0);
+ && ((requestedForbiddenCapabilities & providedCapabilities) == 0);
}
/** @hide */
public boolean equalsNetCapabilities(@NonNull NetworkCapabilities nc) {
return (nc.mNetworkCapabilities == this.mNetworkCapabilities)
- && (nc.mUnwantedNetworkCapabilities == this.mUnwantedNetworkCapabilities);
+ && (nc.mForbiddenNetworkCapabilities == this.mForbiddenNetworkCapabilities);
}
private boolean equalsNetCapabilitiesRequestable(@NonNull NetworkCapabilities that) {
- return ((this.mNetworkCapabilities & ~NON_REQUESTABLE_CAPABILITIES) ==
- (that.mNetworkCapabilities & ~NON_REQUESTABLE_CAPABILITIES))
- && ((this.mUnwantedNetworkCapabilities & ~NON_REQUESTABLE_CAPABILITIES) ==
- (that.mUnwantedNetworkCapabilities & ~NON_REQUESTABLE_CAPABILITIES));
+ return ((this.mNetworkCapabilities & ~NON_REQUESTABLE_CAPABILITIES)
+ == (that.mNetworkCapabilities & ~NON_REQUESTABLE_CAPABILITIES))
+ && ((this.mForbiddenNetworkCapabilities & ~NON_REQUESTABLE_CAPABILITIES)
+ == (that.mForbiddenNetworkCapabilities & ~NON_REQUESTABLE_CAPABILITIES));
}
/**
@@ -830,8 +830,17 @@
final int[] originalAdministratorUids = getAdministratorUids();
final TransportInfo originalTransportInfo = getTransportInfo();
clearAll();
- mTransportTypes = (originalTransportTypes & TEST_NETWORKS_ALLOWED_TRANSPORTS)
- | (1 << TRANSPORT_TEST);
+ if (0 != (originalCapabilities & NET_CAPABILITY_NOT_RESTRICTED)) {
+ // If the test network is not restricted, then it is only allowed to declare some
+ // specific transports. This is to minimize impact on running apps in case an app
+ // run from the shell creates a test a network.
+ mTransportTypes =
+ (originalTransportTypes & UNRESTRICTED_TEST_NETWORKS_ALLOWED_TRANSPORTS)
+ | (1 << TRANSPORT_TEST);
+ } else {
+ // If the test transport is restricted, then it may declare any transport.
+ mTransportTypes = (originalTransportTypes | (1 << TRANSPORT_TEST));
+ }
mNetworkCapabilities = originalCapabilities & TEST_NETWORKS_ALLOWED_CAPABILITIES;
mNetworkSpecifier = originalSpecifier;
mSignalStrength = originalSignalStrength;
@@ -935,9 +944,10 @@
};
/**
- * Allowed transports on a test network, in addition to TRANSPORT_TEST.
+ * Allowed transports on an unrestricted test network (in addition to TRANSPORT_TEST).
*/
- private static final int TEST_NETWORKS_ALLOWED_TRANSPORTS = 1 << TRANSPORT_TEST
+ private static final int UNRESTRICTED_TEST_NETWORKS_ALLOWED_TRANSPORTS =
+ 1 << TRANSPORT_TEST
// Test ethernet networks can be created with EthernetManager#setIncludeTestInterfaces
| 1 << TRANSPORT_ETHERNET
// Test VPN networks can be created but their UID ranges must be empty.
@@ -1718,7 +1728,7 @@
* Combine a set of Capabilities to this one. Useful for coming up with the complete set.
* <p>
* Note that this method may break an invariant of having a particular capability in either
- * wanted or unwanted lists but never in both. Requests that have the same capability in
+ * wanted or forbidden lists but never in both. Requests that have the same capability in
* both lists will never be satisfied.
* @hide
*/
@@ -1859,8 +1869,8 @@
public int hashCode() {
return (int) (mNetworkCapabilities & 0xFFFFFFFF)
+ ((int) (mNetworkCapabilities >> 32) * 3)
- + ((int) (mUnwantedNetworkCapabilities & 0xFFFFFFFF) * 5)
- + ((int) (mUnwantedNetworkCapabilities >> 32) * 7)
+ + ((int) (mForbiddenNetworkCapabilities & 0xFFFFFFFF) * 5)
+ + ((int) (mForbiddenNetworkCapabilities >> 32) * 7)
+ ((int) (mTransportTypes & 0xFFFFFFFF) * 11)
+ ((int) (mTransportTypes >> 32) * 13)
+ mLinkUpBandwidthKbps * 17
@@ -1895,7 +1905,7 @@
@Override
public void writeToParcel(Parcel dest, int flags) {
dest.writeLong(mNetworkCapabilities);
- dest.writeLong(mUnwantedNetworkCapabilities);
+ dest.writeLong(mForbiddenNetworkCapabilities);
dest.writeLong(mTransportTypes);
dest.writeInt(mLinkUpBandwidthKbps);
dest.writeInt(mLinkDownBandwidthKbps);
@@ -1919,7 +1929,7 @@
NetworkCapabilities netCap = new NetworkCapabilities();
netCap.mNetworkCapabilities = in.readLong();
- netCap.mUnwantedNetworkCapabilities = in.readLong();
+ netCap.mForbiddenNetworkCapabilities = in.readLong();
netCap.mTransportTypes = in.readLong();
netCap.mLinkUpBandwidthKbps = in.readInt();
netCap.mLinkDownBandwidthKbps = in.readInt();
@@ -1973,9 +1983,9 @@
appendStringRepresentationOfBitMaskToStringBuilder(sb, mNetworkCapabilities,
NetworkCapabilities::capabilityNameOf, "&");
}
- if (0 != mUnwantedNetworkCapabilities) {
- sb.append(" Unwanted: ");
- appendStringRepresentationOfBitMaskToStringBuilder(sb, mUnwantedNetworkCapabilities,
+ if (0 != mForbiddenNetworkCapabilities) {
+ sb.append(" Forbidden: ");
+ appendStringRepresentationOfBitMaskToStringBuilder(sb, mForbiddenNetworkCapabilities,
NetworkCapabilities::capabilityNameOf, "&");
}
if (mLinkUpBandwidthKbps > 0) {
@@ -2444,7 +2454,8 @@
* For example {@code TRANSPORT_WIFI} and {@code TRANSPORT_ETHERNET} added to a
* {@code NetworkCapabilities} would cause either a Wi-Fi network or an Ethernet network
* to be selected. This is logically different than
- * {@code NetworkCapabilities.NET_CAPABILITY_*}.
+ * {@code NetworkCapabilities.NET_CAPABILITY_*}. Also note that multiple networks with the
+ * same transport type may be active concurrently.
*
* @param transportType the transport type to be added or removed.
* @return this builder
diff --git a/framework/src/android/net/NetworkRequest.java b/framework/src/android/net/NetworkRequest.java
index 8c4f419..dd88c5a 100644
--- a/framework/src/android/net/NetworkRequest.java
+++ b/framework/src/android/net/NetworkRequest.java
@@ -311,7 +311,7 @@
*
* @see #addCapability(int)
*
- * @param capability The capability to add to unwanted capability list.
+ * @param capability The capability to add to forbidden capability list.
* @return The builder to facilitate chaining.
*
* @hide
@@ -319,15 +319,15 @@
@NonNull
@SuppressLint("MissingGetterMatchingBuilder")
@SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
- public Builder addUnwantedCapability(@NetworkCapabilities.NetCapability int capability) {
- mNetworkCapabilities.addUnwantedCapability(capability);
+ public Builder addForbiddenCapability(@NetworkCapabilities.NetCapability int capability) {
+ mNetworkCapabilities.addForbiddenCapability(capability);
return this;
}
/**
- * Removes (if found) the given unwanted capability from this builder instance.
+ * Removes (if found) the given forbidden capability from this builder instance.
*
- * @param capability The unwanted capability to remove.
+ * @param capability The forbidden capability to remove.
* @return The builder to facilitate chaining.
*
* @hide
@@ -335,8 +335,9 @@
@NonNull
@SuppressLint("BuilderSetStyle")
@SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
- public Builder removeUnwantedCapability(@NetworkCapabilities.NetCapability int capability) {
- mNetworkCapabilities.removeUnwantedCapability(capability);
+ public Builder removeForbiddenCapability(
+ @NetworkCapabilities.NetCapability int capability) {
+ mNetworkCapabilities.removeForbiddenCapability(capability);
return this;
}
@@ -598,13 +599,13 @@
}
/**
- * @see Builder#addUnwantedCapability(int)
+ * @see Builder#addForbiddenCapability(int)
*
* @hide
*/
@SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
- public boolean hasUnwantedCapability(@NetCapability int capability) {
- return networkCapabilities.hasUnwantedCapability(capability);
+ public boolean hasForbiddenCapability(@NetCapability int capability) {
+ return networkCapabilities.hasForbiddenCapability(capability);
}
/**
@@ -709,18 +710,18 @@
}
/**
- * Gets all the unwanted capabilities set on this {@code NetworkRequest} instance.
+ * Gets all the forbidden capabilities set on this {@code NetworkRequest} instance.
*
- * @return an array of unwanted capability values for this instance.
+ * @return an array of forbidden capability values for this instance.
*
* @hide
*/
@NonNull
@SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
- public @NetCapability int[] getUnwantedCapabilities() {
- // No need to make a defensive copy here as NC#getUnwantedCapabilities() already returns
+ public @NetCapability int[] getForbiddenCapabilities() {
+ // No need to make a defensive copy here as NC#getForbiddenCapabilities() already returns
// a new array.
- return networkCapabilities.getUnwantedCapabilities();
+ return networkCapabilities.getForbiddenCapabilities();
}
/**
diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index f406252..61bb740 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -4769,6 +4769,7 @@
(Pair<ProfileNetworkPreferences.Preference, IOnCompleteListener>)
msg.obj;
handleSetProfileNetworkPreference(arg.first, arg.second);
+ break;
}
case EVENT_REPORT_NETWORK_ACTIVITY:
mNetworkActivityTracker.handleReportNetworkActivity();
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 7837e6e..506cadb 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -338,7 +338,8 @@
return currentPermission;
}
try {
- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
+ final PackageInfo app = mPackageManager.getPackageInfo(name,
+ GET_PERMISSIONS | MATCH_ANY_USER);
final boolean isNetwork = hasNetworkPermission(app);
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
if (isNetwork || hasRestrictedPermission) {
@@ -664,6 +665,7 @@
break;
case INetd.PERMISSION_UNINSTALLED:
uninstalledAppIds.add(netdPermissionsAppIds.keyAt(i));
+ break;
default:
Log.e(TAG, "unknown permission type: " + permissions + "for uid: "
+ netdPermissionsAppIds.keyAt(i));
diff --git a/tests/net/common/java/android/net/NetworkCapabilitiesTest.java b/tests/net/common/java/android/net/NetworkCapabilitiesTest.java
index 33f2c67..b178bad 100644
--- a/tests/net/common/java/android/net/NetworkCapabilitiesTest.java
+++ b/tests/net/common/java/android/net/NetworkCapabilitiesTest.java
@@ -390,9 +390,11 @@
@Test
public void testOemPaid() {
NetworkCapabilities nc = new NetworkCapabilities();
- // By default OEM_PAID is neither in the unwanted or required lists and the network is not
+ // By default OEM_PAID is neither in the required or forbidden lists and the network is not
// restricted.
- assertFalse(nc.hasUnwantedCapability(NET_CAPABILITY_OEM_PAID));
+ if (isAtLeastS()) {
+ assertFalse(nc.hasForbiddenCapability(NET_CAPABILITY_OEM_PAID));
+ }
assertFalse(nc.hasCapability(NET_CAPABILITY_OEM_PAID));
nc.maybeMarkCapabilitiesRestricted();
assertTrue(nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED));
@@ -417,9 +419,9 @@
@Test @IgnoreUpTo(Build.VERSION_CODES.R)
public void testOemPrivate() {
NetworkCapabilities nc = new NetworkCapabilities();
- // By default OEM_PRIVATE is neither in the unwanted or required lists and the network is
+ // By default OEM_PRIVATE is neither in the required or forbidden lists and the network is
// not restricted.
- assertFalse(nc.hasUnwantedCapability(NET_CAPABILITY_OEM_PRIVATE));
+ assertFalse(nc.hasForbiddenCapability(NET_CAPABILITY_OEM_PRIVATE));
assertFalse(nc.hasCapability(NET_CAPABILITY_OEM_PRIVATE));
nc.maybeMarkCapabilitiesRestricted();
assertTrue(nc.hasCapability(NET_CAPABILITY_NOT_RESTRICTED));
@@ -441,8 +443,8 @@
assertFalse(nr.satisfiedByNetworkCapabilities(new NetworkCapabilities()));
}
- @Test
- public void testUnwantedCapabilities() {
+ @Test @IgnoreUpTo(Build.VERSION_CODES.R)
+ public void testForbiddenCapabilities() {
NetworkCapabilities network = new NetworkCapabilities();
NetworkCapabilities request = new NetworkCapabilities();
@@ -450,19 +452,19 @@
request.satisfiedByNetworkCapabilities(network));
// Requesting absence of capabilities that network doesn't have. Request should satisfy.
- request.addUnwantedCapability(NET_CAPABILITY_WIFI_P2P);
- request.addUnwantedCapability(NET_CAPABILITY_NOT_METERED);
+ request.addForbiddenCapability(NET_CAPABILITY_WIFI_P2P);
+ request.addForbiddenCapability(NET_CAPABILITY_NOT_METERED);
assertTrue(request.satisfiedByNetworkCapabilities(network));
- assertArrayEquals(new int[] {NET_CAPABILITY_WIFI_P2P,
+ assertArrayEquals(new int[]{NET_CAPABILITY_WIFI_P2P,
NET_CAPABILITY_NOT_METERED},
- request.getUnwantedCapabilities());
+ request.getForbiddenCapabilities());
// This is a default capability, just want to make sure its there because we use it below.
assertTrue(network.hasCapability(NET_CAPABILITY_NOT_RESTRICTED));
- // Verify that adding unwanted capability will effectively remove it from capability list.
- request.addUnwantedCapability(NET_CAPABILITY_NOT_RESTRICTED);
- assertTrue(request.hasUnwantedCapability(NET_CAPABILITY_NOT_RESTRICTED));
+ // Verify that adding forbidden capability will effectively remove it from capability list.
+ request.addForbiddenCapability(NET_CAPABILITY_NOT_RESTRICTED);
+ assertTrue(request.hasForbiddenCapability(NET_CAPABILITY_NOT_RESTRICTED));
assertFalse(request.hasCapability(NET_CAPABILITY_NOT_RESTRICTED));
// Now this request won't be satisfied because network contains NOT_RESTRICTED.
@@ -470,10 +472,10 @@
network.removeCapability(NET_CAPABILITY_NOT_RESTRICTED);
assertTrue(request.satisfiedByNetworkCapabilities(network));
- // Verify that adding capability will effectively remove it from unwanted list
+ // Verify that adding capability will effectively remove it from forbidden list
request.addCapability(NET_CAPABILITY_NOT_RESTRICTED);
assertTrue(request.hasCapability(NET_CAPABILITY_NOT_RESTRICTED));
- assertFalse(request.hasUnwantedCapability(NET_CAPABILITY_NOT_RESTRICTED));
+ assertFalse(request.hasForbiddenCapability(NET_CAPABILITY_NOT_RESTRICTED));
assertFalse(request.satisfiedByNetworkCapabilities(network));
network.addCapability(NET_CAPABILITY_NOT_RESTRICTED);
@@ -512,24 +514,20 @@
assertTrue(nc1.equalsNetCapabilities(nc2));
assertEquals(nc1, nc2);
- nc1.addUnwantedCapability(NET_CAPABILITY_INTERNET);
- assertFalse(nc1.equalsNetCapabilities(nc2));
- nc2.addUnwantedCapability(NET_CAPABILITY_INTERNET);
- assertTrue(nc1.equalsNetCapabilities(nc2));
if (isAtLeastS()) {
- // Remove a required capability doesn't affect unwanted capabilities.
- // This is a behaviour change from S.
+ nc1.addForbiddenCapability(NET_CAPABILITY_INTERNET);
+ assertFalse(nc1.equalsNetCapabilities(nc2));
+ nc2.addForbiddenCapability(NET_CAPABILITY_INTERNET);
+ assertTrue(nc1.equalsNetCapabilities(nc2));
+
+ // Remove a required capability doesn't affect forbidden capabilities.
+ // This is a behaviour change from R to S.
nc1.removeCapability(NET_CAPABILITY_INTERNET);
assertTrue(nc1.equalsNetCapabilities(nc2));
- nc1.removeUnwantedCapability(NET_CAPABILITY_INTERNET);
+ nc1.removeForbiddenCapability(NET_CAPABILITY_INTERNET);
assertFalse(nc1.equalsNetCapabilities(nc2));
- nc2.removeUnwantedCapability(NET_CAPABILITY_INTERNET);
- assertTrue(nc1.equalsNetCapabilities(nc2));
- } else {
- nc1.removeCapability(NET_CAPABILITY_INTERNET);
- assertFalse(nc1.equalsNetCapabilities(nc2));
- nc2.removeCapability(NET_CAPABILITY_INTERNET);
+ nc2.removeForbiddenCapability(NET_CAPABILITY_INTERNET);
assertTrue(nc1.equalsNetCapabilities(nc2));
}
}
@@ -581,31 +579,25 @@
NetworkCapabilities nc1 = new NetworkCapabilities();
NetworkCapabilities nc2 = new NetworkCapabilities();
- nc1.addUnwantedCapability(NET_CAPABILITY_CAPTIVE_PORTAL);
+ if (isAtLeastS()) {
+ nc1.addForbiddenCapability(NET_CAPABILITY_CAPTIVE_PORTAL);
+ }
nc1.addCapability(NET_CAPABILITY_NOT_ROAMING);
assertNotEquals(nc1, nc2);
nc2.combineCapabilities(nc1);
assertEquals(nc1, nc2);
assertTrue(nc2.hasCapability(NET_CAPABILITY_NOT_ROAMING));
- assertTrue(nc2.hasUnwantedCapability(NET_CAPABILITY_CAPTIVE_PORTAL));
-
- // This will effectively move NOT_ROAMING capability from required to unwanted for nc1.
- nc1.addUnwantedCapability(NET_CAPABILITY_NOT_ROAMING);
+ if (isAtLeastS()) {
+ assertTrue(nc2.hasForbiddenCapability(NET_CAPABILITY_CAPTIVE_PORTAL));
+ }
if (isAtLeastS()) {
- // From S, it is not allowed to have the same capability in both wanted and
- // unwanted list.
+ // This will effectively move NOT_ROAMING capability from required to forbidden for nc1.
+ nc1.addForbiddenCapability(NET_CAPABILITY_NOT_ROAMING);
+ // It is not allowed to have the same capability in both wanted and forbidden list.
assertThrows(IllegalArgumentException.class, () -> nc2.combineCapabilities(nc1));
- // Remove unwanted capability to continue other tests.
- nc1.removeUnwantedCapability(NET_CAPABILITY_NOT_ROAMING);
- } else {
- nc2.combineCapabilities(nc1);
- // We will get this capability in both requested and unwanted lists thus this request
- // will never be satisfied.
- assertTrue(nc2.hasCapability(NET_CAPABILITY_NOT_ROAMING));
- assertTrue(nc2.hasUnwantedCapability(NET_CAPABILITY_NOT_ROAMING));
- // For R or below, remove unwanted capability via removeCapability.
- nc1.removeCapability(NET_CAPABILITY_NOT_ROAMING);
+ // Remove forbidden capability to continue other tests.
+ nc1.removeForbiddenCapability(NET_CAPABILITY_NOT_ROAMING);
}
nc1.setSSID(TEST_SSID);
@@ -683,14 +675,11 @@
public void testSetCapabilities() {
final int[] REQUIRED_CAPABILITIES = new int[] {
NET_CAPABILITY_INTERNET, NET_CAPABILITY_NOT_VPN };
- final int[] UNWANTED_CAPABILITIES = new int[] {
- NET_CAPABILITY_NOT_RESTRICTED, NET_CAPABILITY_NOT_METERED
- };
NetworkCapabilities nc1 = new NetworkCapabilities();
NetworkCapabilities nc2 = new NetworkCapabilities();
- nc1.setCapabilities(REQUIRED_CAPABILITIES, UNWANTED_CAPABILITIES);
+ nc1.setCapabilities(REQUIRED_CAPABILITIES);
assertArrayEquals(REQUIRED_CAPABILITIES, nc1.getCapabilities());
// Verify that setting and adding capabilities leads to the same object state.
@@ -698,10 +687,25 @@
for (int cap : REQUIRED_CAPABILITIES) {
nc2.addCapability(cap);
}
- for (int cap : UNWANTED_CAPABILITIES) {
- nc2.addUnwantedCapability(cap);
- }
assertEquals(nc1, nc2);
+
+ if (isAtLeastS()) {
+ final int[] forbiddenCapabilities = new int[]{
+ NET_CAPABILITY_NOT_METERED, NET_CAPABILITY_NOT_RESTRICTED };
+
+ nc1.setCapabilities(REQUIRED_CAPABILITIES, forbiddenCapabilities);
+ assertArrayEquals(REQUIRED_CAPABILITIES, nc1.getCapabilities());
+ assertArrayEquals(forbiddenCapabilities, nc1.getForbiddenCapabilities());
+
+ nc2.clearAll();
+ for (int cap : REQUIRED_CAPABILITIES) {
+ nc2.addCapability(cap);
+ }
+ for (int cap : forbiddenCapabilities) {
+ nc2.addForbiddenCapability(cap);
+ }
+ assertEquals(nc1, nc2);
+ }
}
@Test
@@ -769,23 +773,32 @@
NetworkCapabilities nc1 = new NetworkCapabilities();
NetworkCapabilities nc2 = new NetworkCapabilities();
- nc1.addUnwantedCapability(NET_CAPABILITY_CAPTIVE_PORTAL);
+ if (isAtLeastS()) {
+ nc1.addForbiddenCapability(NET_CAPABILITY_CAPTIVE_PORTAL);
+ }
nc1.addCapability(NET_CAPABILITY_NOT_ROAMING);
assertNotEquals(nc1, nc2);
nc2.set(nc1);
assertEquals(nc1, nc2);
assertTrue(nc2.hasCapability(NET_CAPABILITY_NOT_ROAMING));
- assertTrue(nc2.hasUnwantedCapability(NET_CAPABILITY_CAPTIVE_PORTAL));
+ if (isAtLeastS()) {
+ assertTrue(nc2.hasForbiddenCapability(NET_CAPABILITY_CAPTIVE_PORTAL));
+ }
- // This will effectively move NOT_ROAMING capability from required to unwanted for nc1.
- nc1.addUnwantedCapability(NET_CAPABILITY_NOT_ROAMING);
+ if (isAtLeastS()) {
+ // This will effectively move NOT_ROAMING capability from required to forbidden for nc1.
+ nc1.addForbiddenCapability(NET_CAPABILITY_NOT_ROAMING);
+ }
nc1.setSSID(TEST_SSID);
nc2.set(nc1);
assertEquals(nc1, nc2);
- // Contrary to combineCapabilities, set() will have removed the NOT_ROAMING capability
- // from nc2.
- assertFalse(nc2.hasCapability(NET_CAPABILITY_NOT_ROAMING));
- assertTrue(nc2.hasUnwantedCapability(NET_CAPABILITY_NOT_ROAMING));
+ if (isAtLeastS()) {
+ // Contrary to combineCapabilities, set() will have removed the NOT_ROAMING capability
+ // from nc2.
+ assertFalse(nc2.hasCapability(NET_CAPABILITY_NOT_ROAMING));
+ assertTrue(nc2.hasForbiddenCapability(NET_CAPABILITY_NOT_ROAMING));
+ }
+
if (isAtLeastR()) {
assertTrue(TEST_SSID.equals(nc2.getSsid()));
}
diff --git a/tests/net/integration/src/com/android/server/net/integrationtests/TestNetworkStackService.kt b/tests/net/integration/src/com/android/server/net/integrationtests/TestNetworkStackService.kt
index a44ad1e..eff6658 100644
--- a/tests/net/integration/src/com/android/server/net/integrationtests/TestNetworkStackService.kt
+++ b/tests/net/integration/src/com/android/server/net/integrationtests/TestNetworkStackService.kt
@@ -61,7 +61,6 @@
private class NetworkMonitorDeps(private val privateDnsBypassNetwork: Network) :
NetworkMonitor.Dependencies() {
override fun getPrivateDnsBypassNetwork(network: Network?) = privateDnsBypassNetwork
- override fun sendNetworkConditionsBroadcast(context: Context, broadcast: Intent) = Unit
}
private inner class TestNetworkStackConnector(context: Context) : NetworkStackConnector(
@@ -98,4 +97,4 @@
cb.onNetworkMonitorCreated(NetworkMonitorConnector(nm, TestPermissionChecker()))
}
}
-}
\ No newline at end of file
+}
diff --git a/tests/net/java/com/android/server/ConnectivityServiceTest.java b/tests/net/java/com/android/server/ConnectivityServiceTest.java
index 406c3f8..458e9b3 100644
--- a/tests/net/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/net/java/com/android/server/ConnectivityServiceTest.java
@@ -2809,8 +2809,9 @@
private void grantUsingBackgroundNetworksPermissionForUid(
final int uid, final String packageName) throws Exception {
- when(mPackageManager.getPackageInfo(eq(packageName), eq(GET_PERMISSIONS)))
- .thenReturn(buildPackageInfo(true, uid));
+ when(mPackageManager.getPackageInfo(
+ eq(packageName), eq(GET_PERMISSIONS | MATCH_ANY_USER)))
+ .thenReturn(buildPackageInfo(true /* hasSystemPermission */, uid));
mService.mPermissionMonitor.onPackageAdded(packageName, uid);
}
diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
index 32c95f1..cf2c9c7 100644
--- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
+++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
@@ -16,9 +16,14 @@
package com.android.server;
+import static android.content.pm.PackageManager.PERMISSION_DENIED;
import static android.content.pm.PackageManager.PERMISSION_GRANTED;
import static android.net.INetd.IF_STATE_DOWN;
import static android.net.INetd.IF_STATE_UP;
+import static android.net.IpSecManager.DIRECTION_FWD;
+import static android.net.IpSecManager.DIRECTION_IN;
+import static android.net.IpSecManager.DIRECTION_OUT;
+import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
import static android.system.OsConstants.AF_INET;
import static android.system.OsConstants.AF_INET6;
@@ -56,6 +61,7 @@
import android.os.ParcelFileDescriptor;
import android.system.Os;
import android.test.mock.MockContext;
+import android.util.ArraySet;
import androidx.test.filters.SmallTest;
@@ -71,6 +77,7 @@
import java.net.Socket;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Set;
/** Unit tests for {@link IpSecService}. */
@SmallTest
@@ -119,7 +126,18 @@
AppOpsManager mMockAppOps = mock(AppOpsManager.class);
ConnectivityManager mMockConnectivityMgr = mock(ConnectivityManager.class);
- MockContext mMockContext = new MockContext() {
+ TestContext mTestContext = new TestContext();
+
+ private class TestContext extends MockContext {
+ private Set<String> mAllowedPermissions = new ArraySet<>(Arrays.asList(
+ android.Manifest.permission.MANAGE_IPSEC_TUNNELS,
+ android.Manifest.permission.NETWORK_STACK,
+ PERMISSION_MAINLINE_NETWORK_STACK));
+
+ private void setAllowedPermissions(String... permissions) {
+ mAllowedPermissions = new ArraySet<>(permissions);
+ }
+
@Override
public Object getSystemService(String name) {
switch(name) {
@@ -147,20 +165,22 @@
@Override
public void enforceCallingOrSelfPermission(String permission, String message) {
- if (permission == android.Manifest.permission.MANAGE_IPSEC_TUNNELS) {
+ if (mAllowedPermissions.contains(permission)) {
return;
+ } else {
+ throw new SecurityException("Unavailable permission requested");
}
- throw new SecurityException("Unavailable permission requested");
}
@Override
public int checkCallingOrSelfPermission(String permission) {
- if (android.Manifest.permission.NETWORK_STACK.equals(permission)) {
+ if (mAllowedPermissions.contains(permission)) {
return PERMISSION_GRANTED;
+ } else {
+ return PERMISSION_DENIED;
}
- throw new UnsupportedOperationException();
}
- };
+ }
INetd mMockNetd;
PackageManager mMockPkgMgr;
@@ -194,7 +214,7 @@
mMockNetd = mock(INetd.class);
mMockPkgMgr = mock(PackageManager.class);
mMockIpSecSrvConfig = mock(IpSecService.IpSecServiceConfiguration.class);
- mIpSecService = new IpSecService(mMockContext, mMockIpSecSrvConfig);
+ mIpSecService = new IpSecService(mTestContext, mMockIpSecSrvConfig);
// Injecting mock netd
when(mMockIpSecSrvConfig.getNetdInstance()).thenReturn(mMockNetd);
@@ -664,6 +684,21 @@
assertNotNull(createTunnelResp);
assertEquals(IpSecManager.Status.OK, createTunnelResp.status);
+ for (int direction : new int[] {DIRECTION_IN, DIRECTION_OUT, DIRECTION_FWD}) {
+ for (int selAddrFamily : ADDRESS_FAMILIES) {
+ verify(mMockNetd).ipSecAddSecurityPolicy(
+ eq(mUid),
+ eq(selAddrFamily),
+ eq(direction),
+ anyString(),
+ anyString(),
+ eq(0),
+ anyInt(), // iKey/oKey
+ anyInt(), // mask
+ eq(createTunnelResp.resourceId));
+ }
+ }
+
return createTunnelResp;
}
@@ -798,16 +833,51 @@
}
@Test
- public void testApplyTunnelModeTransform() throws Exception {
- verifyApplyTunnelModeTransformCommon(false);
+ public void testApplyTunnelModeTransformOutbound() throws Exception {
+ verifyApplyTunnelModeTransformCommon(false /* closeSpiBeforeApply */, DIRECTION_OUT);
}
@Test
- public void testApplyTunnelModeTransformReleasedSpi() throws Exception {
- verifyApplyTunnelModeTransformCommon(true);
+ public void testApplyTunnelModeTransformOutboundNonNetworkStack() throws Exception {
+ mTestContext.setAllowedPermissions(android.Manifest.permission.MANAGE_IPSEC_TUNNELS);
+ verifyApplyTunnelModeTransformCommon(false /* closeSpiBeforeApply */, DIRECTION_OUT);
}
- public void verifyApplyTunnelModeTransformCommon(boolean closeSpiBeforeApply) throws Exception {
+ @Test
+ public void testApplyTunnelModeTransformOutboundReleasedSpi() throws Exception {
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_OUT);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformInbound() throws Exception {
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_IN);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformInboundNonNetworkStack() throws Exception {
+ mTestContext.setAllowedPermissions(android.Manifest.permission.MANAGE_IPSEC_TUNNELS);
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_IN);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformForward() throws Exception {
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_FWD);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformForwardNonNetworkStack() throws Exception {
+ mTestContext.setAllowedPermissions(android.Manifest.permission.MANAGE_IPSEC_TUNNELS);
+
+ try {
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_FWD);
+ fail("Expected security exception due to use of forward policies without NETWORK_STACK"
+ + " or MAINLINE_NETWORK_STACK permission");
+ } catch (SecurityException expected) {
+ }
+ }
+
+ public void verifyApplyTunnelModeTransformCommon(boolean closeSpiBeforeApply, int direction)
+ throws Exception {
IpSecConfig ipSecConfig = new IpSecConfig();
ipSecConfig.setMode(IpSecTransform.MODE_TUNNEL);
addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
@@ -825,17 +895,17 @@
int transformResourceId = createTransformResp.resourceId;
int tunnelResourceId = createTunnelResp.resourceId;
mIpSecService.applyTunnelModeTransform(
- tunnelResourceId, IpSecManager.DIRECTION_OUT, transformResourceId, BLESSED_PACKAGE);
+ tunnelResourceId, direction, transformResourceId, BLESSED_PACKAGE);
for (int selAddrFamily : ADDRESS_FAMILIES) {
verify(mMockNetd)
.ipSecUpdateSecurityPolicy(
eq(mUid),
eq(selAddrFamily),
- eq(IpSecManager.DIRECTION_OUT),
+ eq(direction),
anyString(),
anyString(),
- eq(TEST_SPI),
+ eq(direction == DIRECTION_OUT ? TEST_SPI : 0),
anyInt(), // iKey/oKey
anyInt(), // mask
eq(tunnelResourceId));
diff --git a/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java b/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
index d7535a9..02a5808 100644
--- a/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
+++ b/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
@@ -479,13 +479,14 @@
public void testUidFilteringDuringVpnConnectDisconnectAndUidUpdates() throws Exception {
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
Arrays.asList(new PackageInfo[] {
- buildPackageInfo(/* SYSTEM */ true, SYSTEM_UID1, MOCK_USER1),
- buildPackageInfo(/* SYSTEM */ false, MOCK_UID1, MOCK_USER1),
- buildPackageInfo(/* SYSTEM */ false, MOCK_UID2, MOCK_USER1),
- buildPackageInfo(/* SYSTEM */ false, VPN_UID, MOCK_USER1)
+ buildPackageInfo(true /* hasSystemPermission */, SYSTEM_UID1, MOCK_USER1),
+ buildPackageInfo(false /* hasSystemPermission */, MOCK_UID1, MOCK_USER1),
+ buildPackageInfo(false /* hasSystemPermission */, MOCK_UID2, MOCK_USER1),
+ buildPackageInfo(false /* hasSystemPermission */, VPN_UID, MOCK_USER1)
}));
- when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE1), eq(GET_PERMISSIONS))).thenReturn(
- buildPackageInfo(false, MOCK_UID1, MOCK_USER1));
+ when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE1),
+ eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
+ buildPackageInfo(false /* hasSystemPermission */, MOCK_UID1, MOCK_USER1));
mPermissionMonitor.startMonitoring();
// Every app on user 0 except MOCK_UID2 are under VPN.
final Set<UidRange> vpnRange1 = new HashSet<>(Arrays.asList(new UidRange[] {
@@ -530,11 +531,12 @@
public void testUidFilteringDuringPackageInstallAndUninstall() throws Exception {
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
Arrays.asList(new PackageInfo[] {
- buildPackageInfo(true, SYSTEM_UID1, MOCK_USER1),
- buildPackageInfo(false, VPN_UID, MOCK_USER1)
+ buildPackageInfo(true /* hasSystemPermission */, SYSTEM_UID1, MOCK_USER1),
+ buildPackageInfo(false /* hasSystemPermission */, VPN_UID, MOCK_USER1)
}));
- when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE1), eq(GET_PERMISSIONS))).thenReturn(
- buildPackageInfo(false, MOCK_UID1, MOCK_USER1));
+ when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE1),
+ eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
+ buildPackageInfo(false /* hasSystemPermission */, MOCK_UID1, MOCK_USER1));
mPermissionMonitor.startMonitoring();
final Set<UidRange> vpnRange = Collections.singleton(UidRange.createForUser(MOCK_USER1));