Merge "Add test for Vpn#prepare()" into sc-dev am: f89a629776
Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/15606164
Change-Id: I6b9024a183cefba4ce7173650d78c61ee60c9ec2
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index e34c064..418e9e3 100644
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -2361,6 +2361,26 @@
return false;
}
+ private int getAppUid(final String app, final UserHandle user) {
+ final PackageManager pm =
+ mContext.createContextAsUser(user, 0 /* flags */).getPackageManager();
+ final long token = Binder.clearCallingIdentity();
+ try {
+ return pm.getPackageUid(app, 0 /* flags */);
+ } catch (PackageManager.NameNotFoundException e) {
+ return -1;
+ } finally {
+ Binder.restoreCallingIdentity(token);
+ }
+ }
+
+ private void verifyCallingUidAndPackage(String packageName, int callingUid) {
+ final UserHandle user = UserHandle.getUserHandleForUid(callingUid);
+ if (getAppUid(packageName, user) != callingUid) {
+ throw new SecurityException(packageName + " does not belong to uid " + callingUid);
+ }
+ }
+
/**
* Ensure that a network route exists to deliver traffic to the specified
* host via the specified network interface.
@@ -2376,6 +2396,7 @@
if (disallowedBecauseSystemCaller()) {
return false;
}
+ verifyCallingUidAndPackage(callingPackageName, mDeps.getCallingUid());
enforceChangePermission(callingPackageName, callingAttributionTag);
if (mProtectedNetworks.contains(networkType)) {
enforceConnectivityRestrictedNetworksPermission();
diff --git a/tests/unit/java/android/net/NetworkTemplateTest.kt b/tests/unit/java/android/net/NetworkTemplateTest.kt
index 49c7271..c89937d 100644
--- a/tests/unit/java/android/net/NetworkTemplateTest.kt
+++ b/tests/unit/java/android/net/NetworkTemplateTest.kt
@@ -39,9 +39,12 @@
import android.net.NetworkTemplate.SUBSCRIBER_ID_MATCH_RULE_EXACT
import android.net.NetworkTemplate.WIFI_NETWORKID_ALL
import android.net.NetworkTemplate.buildTemplateCarrierMetered
+import android.net.NetworkTemplate.buildTemplateMobileAll
import android.net.NetworkTemplate.buildTemplateMobileWithRatType
+import android.net.NetworkTemplate.buildTemplateMobileWildcard
import android.net.NetworkTemplate.buildTemplateWifi
import android.net.NetworkTemplate.buildTemplateWifiWildcard
+import android.net.NetworkTemplate.normalize
import android.os.Build
import android.telephony.TelephonyManager
import com.android.testutils.DevSdkIgnoreRule
@@ -59,6 +62,7 @@
private const val TEST_IMSI1 = "imsi1"
private const val TEST_IMSI2 = "imsi2"
+private const val TEST_IMSI3 = "imsi3"
private const val TEST_SSID1 = "ssid1"
private const val TEST_SSID2 = "ssid2"
@@ -365,4 +369,45 @@
identSsid = TEST_SSID1)
matchOemManagedIdent(TYPE_WIFI, MATCH_WIFI_WILDCARD, identSsid = TEST_SSID1)
}
+
+ @Test
+ fun testNormalize() {
+ var mergedImsiList = listOf(arrayOf(TEST_IMSI1, TEST_IMSI2))
+ val identMobileImsi1 = buildNetworkIdentity(mockContext,
+ buildMobileNetworkState(TEST_IMSI1), false /* defaultNetwork */,
+ TelephonyManager.NETWORK_TYPE_UMTS)
+ val identMobileImsi2 = buildNetworkIdentity(mockContext,
+ buildMobileNetworkState(TEST_IMSI2), false /* defaultNetwork */,
+ TelephonyManager.NETWORK_TYPE_UMTS)
+ val identMobileImsi3 = buildNetworkIdentity(mockContext,
+ buildMobileNetworkState(TEST_IMSI3), false /* defaultNetwork */,
+ TelephonyManager.NETWORK_TYPE_UMTS)
+ val identWifiImsi1Ssid1 = buildNetworkIdentity(
+ mockContext, buildWifiNetworkState(TEST_IMSI1, TEST_SSID1), true, 0)
+ val identWifiImsi2Ssid1 = buildNetworkIdentity(
+ mockContext, buildWifiNetworkState(TEST_IMSI2, TEST_SSID1), true, 0)
+ val identWifiImsi3Ssid1 = buildNetworkIdentity(
+ mockContext, buildWifiNetworkState(TEST_IMSI3, TEST_SSID1), true, 0)
+
+ normalize(buildTemplateMobileAll(TEST_IMSI1), mergedImsiList).also {
+ it.assertMatches(identMobileImsi1)
+ it.assertMatches(identMobileImsi2)
+ it.assertDoesNotMatch(identMobileImsi3)
+ }
+ normalize(buildTemplateCarrierMetered(TEST_IMSI1), mergedImsiList).also {
+ it.assertMatches(identMobileImsi1)
+ it.assertMatches(identMobileImsi2)
+ it.assertDoesNotMatch(identMobileImsi3)
+ }
+ normalize(buildTemplateWifi(TEST_SSID1, TEST_IMSI1), mergedImsiList).also {
+ it.assertMatches(identWifiImsi1Ssid1)
+ it.assertMatches(identWifiImsi2Ssid1)
+ it.assertDoesNotMatch(identWifiImsi3Ssid1)
+ }
+ normalize(buildTemplateMobileWildcard(), mergedImsiList).also {
+ it.assertMatches(identMobileImsi1)
+ it.assertMatches(identMobileImsi2)
+ it.assertMatches(identMobileImsi3)
+ }
+ }
}
diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 10b7e14..b900169 100644
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -13941,4 +13941,11 @@
mDefaultNetworkCallback.expectCallback(CallbackEntry.LOST, mWiFiNetworkAgent);
mDefaultNetworkCallback.expectAvailableCallbacksValidated(mCellNetworkAgent);
}
+
+ @Test
+ public void testRequestRouteToHostAddress_PackageDoesNotBelongToCaller() {
+ assertThrows(SecurityException.class, () -> mService.requestRouteToHostAddress(
+ ConnectivityManager.TYPE_NONE, null /* hostAddress */, "com.not.package.owner",
+ null /* callingAttributionTag */));
+ }
}