Gitiles
Code Review Sign In
review.blissroms.org / platform_packages_modules_Connectivity-old / a9716ffcb8b16ea488969a35af68a46a2f745043 / . / service / native / TrafficControllerTest.cpp
blob: f5d5911676e34c1c14f81c977fa05d1e70ec6d0c [file] [log] [blame]
Wayne Ma4d692332022-01-19 16:04:04 +0800[diff] [blame]1/*
2 * Copyright 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * TrafficControllerTest.cpp - unit tests for TrafficController.cpp
17 */
18
19#include <cstdint>
20#include <string>
21#include <vector>
22
23#include <fcntl.h>
24#include <inttypes.h>
25#include <linux/inet_diag.h>
26#include <linux/sock_diag.h>
27#include <sys/socket.h>
28#include <sys/types.h>
29#include <unistd.h>
30
31#include <gtest/gtest.h>
32
33#include <android-base/stringprintf.h>
34#include <android-base/strings.h>
35
36#include <netdutils/MockSyscalls.h>
37
38#include "TrafficController.h"
39#include "bpf/BpfUtils.h"
40
41using namespace android::bpf; // NOLINT(google-build-using-namespace): grandfathered
42
43namespace android {
44namespace net {
45
46using base::Result;
47using netdutils::isOk;
48
49constexpr int TEST_MAP_SIZE = 10;
Wayne Ma4d692332022-01-19 16:04:04 +0800[diff] [blame]50constexpr uid_t TEST_UID = 10086;
51constexpr uid_t TEST_UID2 = 54321;
52constexpr uid_t TEST_UID3 = 98765;
53constexpr uint32_t TEST_TAG = 42;
54constexpr uint32_t TEST_COUNTERSET = 1;
55constexpr uint32_t DEFAULT_COUNTERSET = 0;
Wayne Ma4d692332022-01-19 16:04:04 +0800[diff] [blame]56
57#define ASSERT_VALID(x) ASSERT_TRUE((x).isValid())
58
59class TrafficControllerTest : public ::testing::Test {
60 protected:
Wayne Ma92d80792022-01-20 13:20:34 +0800[diff] [blame]61 TrafficControllerTest() {}
Wayne Ma4d692332022-01-19 16:04:04 +0800[diff] [blame]62 TrafficController mTc;
63 BpfMap<uint64_t, UidTagValue> mFakeCookieTagMap;
64 BpfMap<uint32_t, uint8_t> mFakeUidCounterSetMap;
65 BpfMap<uint32_t, StatsValue> mFakeAppUidStatsMap;
66 BpfMap<StatsKey, StatsValue> mFakeStatsMapA;
67 BpfMap<uint32_t, uint8_t> mFakeConfigurationMap;
68 BpfMap<uint32_t, UidOwnerValue> mFakeUidOwnerMap;
69 BpfMap<uint32_t, uint8_t> mFakeUidPermissionMap;
70
71 void SetUp() {
72 std::lock_guard guard(mTc.mMutex);
73 ASSERT_EQ(0, setrlimitForTest());
74
75 mFakeCookieTagMap.reset(createMap(BPF_MAP_TYPE_HASH, sizeof(uint64_t), sizeof(UidTagValue),
76 TEST_MAP_SIZE, 0));
77 ASSERT_VALID(mFakeCookieTagMap);
78
79 mFakeUidCounterSetMap.reset(
80 createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint8_t), TEST_MAP_SIZE, 0));
81 ASSERT_VALID(mFakeUidCounterSetMap);
82
83 mFakeAppUidStatsMap.reset(createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(StatsValue),
84 TEST_MAP_SIZE, 0));
85 ASSERT_VALID(mFakeAppUidStatsMap);
86
87 mFakeStatsMapA.reset(createMap(BPF_MAP_TYPE_HASH, sizeof(StatsKey), sizeof(StatsValue),
88 TEST_MAP_SIZE, 0));
89 ASSERT_VALID(mFakeStatsMapA);
90
91 mFakeConfigurationMap.reset(
92 createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint8_t), 1, 0));
93 ASSERT_VALID(mFakeConfigurationMap);
94
95 mFakeUidOwnerMap.reset(createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(UidOwnerValue),
96 TEST_MAP_SIZE, 0));
97 ASSERT_VALID(mFakeUidOwnerMap);
98 mFakeUidPermissionMap.reset(
99 createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint8_t), TEST_MAP_SIZE, 0));
100 ASSERT_VALID(mFakeUidPermissionMap);
101
102 mTc.mCookieTagMap.reset(dupFd(mFakeCookieTagMap.getMap()));
103 ASSERT_VALID(mTc.mCookieTagMap);
104 mTc.mUidCounterSetMap.reset(dupFd(mFakeUidCounterSetMap.getMap()));
105 ASSERT_VALID(mTc.mUidCounterSetMap);
106 mTc.mAppUidStatsMap.reset(dupFd(mFakeAppUidStatsMap.getMap()));
107 ASSERT_VALID(mTc.mAppUidStatsMap);
108 mTc.mStatsMapA.reset(dupFd(mFakeStatsMapA.getMap()));
109 ASSERT_VALID(mTc.mStatsMapA);
110 mTc.mConfigurationMap.reset(dupFd(mFakeConfigurationMap.getMap()));
111 ASSERT_VALID(mTc.mConfigurationMap);
112
113 // Always write to stats map A by default.
114 ASSERT_RESULT_OK(mTc.mConfigurationMap.writeValue(CURRENT_STATS_MAP_CONFIGURATION_KEY,
115 SELECT_MAP_A, BPF_ANY));
116 mTc.mUidOwnerMap.reset(dupFd(mFakeUidOwnerMap.getMap()));
117 ASSERT_VALID(mTc.mUidOwnerMap);
118 mTc.mUidPermissionMap.reset(dupFd(mFakeUidPermissionMap.getMap()));
119 ASSERT_VALID(mTc.mUidPermissionMap);
120 mTc.mPrivilegedUser.clear();
121 }
122
123 int dupFd(const android::base::unique_fd& mapFd) {
124 return fcntl(mapFd.get(), F_DUPFD_CLOEXEC, 0);
125 }
126
Wayne Ma4d692332022-01-19 16:04:04 +0800[diff] [blame]127 void populateFakeStats(uint64_t cookie, uint32_t uid, uint32_t tag, StatsKey* key) {
128 UidTagValue cookieMapkey = {.uid = (uint32_t)uid, .tag = tag};
129 EXPECT_RESULT_OK(mFakeCookieTagMap.writeValue(cookie, cookieMapkey, BPF_ANY));
130 *key = {.uid = uid, .tag = tag, .counterSet = TEST_COUNTERSET, .ifaceIndex = 1};
131 StatsValue statsMapValue = {.rxPackets = 1, .rxBytes = 100};
132 uint8_t counterSet = TEST_COUNTERSET;
133 EXPECT_RESULT_OK(mFakeUidCounterSetMap.writeValue(uid, counterSet, BPF_ANY));
134 EXPECT_RESULT_OK(mFakeStatsMapA.writeValue(*key, statsMapValue, BPF_ANY));
135 key->tag = 0;
136 EXPECT_RESULT_OK(mFakeStatsMapA.writeValue(*key, statsMapValue, BPF_ANY));
137 EXPECT_RESULT_OK(mFakeAppUidStatsMap.writeValue(uid, statsMapValue, BPF_ANY));
138 // put tag information back to statsKey
139 key->tag = tag;
140 }
141
142 void checkUidOwnerRuleForChain(ChildChain chain, UidOwnerMatchType match) {
143 uint32_t uid = TEST_UID;
144 EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, DENY, DENYLIST));
145 Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
146 EXPECT_RESULT_OK(value);
147 EXPECT_TRUE(value.value().rule & match);
148
149 uid = TEST_UID2;
150 EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, ALLOW, ALLOWLIST));
151 value = mFakeUidOwnerMap.readValue(uid);
152 EXPECT_RESULT_OK(value);
153 EXPECT_TRUE(value.value().rule & match);
154
155 EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, DENY, ALLOWLIST));
156 value = mFakeUidOwnerMap.readValue(uid);
157 EXPECT_FALSE(value.ok());
158 EXPECT_EQ(ENOENT, value.error().code());
159
160 uid = TEST_UID;
161 EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, ALLOW, DENYLIST));
162 value = mFakeUidOwnerMap.readValue(uid);
163 EXPECT_FALSE(value.ok());
164 EXPECT_EQ(ENOENT, value.error().code());
165
166 uid = TEST_UID3;
167 EXPECT_EQ(-ENOENT, mTc.changeUidOwnerRule(chain, uid, ALLOW, DENYLIST));
168 value = mFakeUidOwnerMap.readValue(uid);
169 EXPECT_FALSE(value.ok());
170 EXPECT_EQ(ENOENT, value.error().code());
171 }
172
173 void checkEachUidValue(const std::vector<int32_t>& uids, UidOwnerMatchType match) {
174 for (uint32_t uid : uids) {
175 Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
176 EXPECT_RESULT_OK(value);
177 EXPECT_TRUE(value.value().rule & match);
178 }
179 std::set<uint32_t> uidSet(uids.begin(), uids.end());
180 const auto checkNoOtherUid = [&uidSet](const int32_t& key,
181 const BpfMap<uint32_t, UidOwnerValue>&) {
182 EXPECT_NE(uidSet.end(), uidSet.find(key));
183 return Result<void>();
184 };
185 EXPECT_RESULT_OK(mFakeUidOwnerMap.iterate(checkNoOtherUid));
186 }
187
188 void checkUidMapReplace(const std::string& name, const std::vector<int32_t>& uids,
189 UidOwnerMatchType match) {
190 bool isAllowlist = true;
191 EXPECT_EQ(0, mTc.replaceUidOwnerMap(name, isAllowlist, uids));
192 checkEachUidValue(uids, match);
193
194 isAllowlist = false;
195 EXPECT_EQ(0, mTc.replaceUidOwnerMap(name, isAllowlist, uids));
196 checkEachUidValue(uids, match);
197 }
198
199 void expectUidOwnerMapValues(const std::vector<uint32_t>& appUids, uint8_t expectedRule,
200 uint32_t expectedIif) {
201 for (uint32_t uid : appUids) {
202 Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
203 EXPECT_RESULT_OK(value);
204 EXPECT_EQ(expectedRule, value.value().rule)
205 << "Expected rule for UID " << uid << " to be " << expectedRule << ", but was "
206 << value.value().rule;
207 EXPECT_EQ(expectedIif, value.value().iif)
208 << "Expected iif for UID " << uid << " to be " << expectedIif << ", but was "
209 << value.value().iif;
210 }
211 }
212
213 template <class Key, class Value>
214 void expectMapEmpty(BpfMap<Key, Value>& map) {
215 auto isEmpty = map.isEmpty();
216 EXPECT_RESULT_OK(isEmpty);
217 EXPECT_TRUE(isEmpty.value());
218 }
219
220 void expectUidPermissionMapValues(const std::vector<uid_t>& appUids, uint8_t expectedValue) {
221 for (uid_t uid : appUids) {
222 Result<uint8_t> value = mFakeUidPermissionMap.readValue(uid);
223 EXPECT_RESULT_OK(value);
224 EXPECT_EQ(expectedValue, value.value())
225 << "Expected value for UID " << uid << " to be " << expectedValue
226 << ", but was " << value.value();
227 }
228 }
229
230 void expectPrivilegedUserSet(const std::vector<uid_t>& appUids) {
231 std::lock_guard guard(mTc.mMutex);
232 EXPECT_EQ(appUids.size(), mTc.mPrivilegedUser.size());
233 for (uid_t uid : appUids) {
234 EXPECT_NE(mTc.mPrivilegedUser.end(), mTc.mPrivilegedUser.find(uid));
235 }
236 }
237
238 void expectPrivilegedUserSetEmpty() {
239 std::lock_guard guard(mTc.mMutex);
240 EXPECT_TRUE(mTc.mPrivilegedUser.empty());
241 }
242
243 void addPrivilegedUid(uid_t uid) {
244 std::vector privilegedUid = {uid};
245 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, privilegedUid);
246 }
247
248 void removePrivilegedUid(uid_t uid) {
249 std::vector privilegedUid = {uid};
250 mTc.setPermissionForUids(INetd::PERMISSION_NONE, privilegedUid);
251 }
252
253 void expectFakeStatsUnchanged(uint64_t cookie, uint32_t tag, uint32_t uid,
254 StatsKey tagStatsMapKey) {
255 Result<UidTagValue> cookieMapResult = mFakeCookieTagMap.readValue(cookie);
256 EXPECT_RESULT_OK(cookieMapResult);
257 EXPECT_EQ(uid, cookieMapResult.value().uid);
258 EXPECT_EQ(tag, cookieMapResult.value().tag);
259 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid);
260 EXPECT_RESULT_OK(counterSetResult);
261 EXPECT_EQ(TEST_COUNTERSET, counterSetResult.value());
262 Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey);
263 EXPECT_RESULT_OK(statsMapResult);
264 EXPECT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
265 EXPECT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
266 tagStatsMapKey.tag = 0;
267 statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey);
268 EXPECT_RESULT_OK(statsMapResult);
269 EXPECT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
270 EXPECT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
271 auto appStatsResult = mFakeAppUidStatsMap.readValue(uid);
272 EXPECT_RESULT_OK(appStatsResult);
273 EXPECT_EQ((uint64_t)1, appStatsResult.value().rxPackets);
274 EXPECT_EQ((uint64_t)100, appStatsResult.value().rxBytes);
275 }
Wayne Ma4d692332022-01-19 16:04:04 +0800[diff] [blame]276};
277
Wayne Ma4d692332022-01-19 16:04:04 +0800[diff] [blame]278TEST_F(TrafficControllerTest, TestSetCounterSet) {
279 uid_t callingUid = TEST_UID2;
280 addPrivilegedUid(callingUid);
281 ASSERT_EQ(0, mTc.setCounterSet(TEST_COUNTERSET, TEST_UID, callingUid));
282 uid_t uid = TEST_UID;
283 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid);
284 ASSERT_RESULT_OK(counterSetResult);
285 ASSERT_EQ(TEST_COUNTERSET, counterSetResult.value());
286 ASSERT_EQ(0, mTc.setCounterSet(DEFAULT_COUNTERSET, TEST_UID, callingUid));
287 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid).ok());
288 expectMapEmpty(mFakeUidCounterSetMap);
289}
290
291TEST_F(TrafficControllerTest, TestSetCounterSetWithoutPermission) {
292 ASSERT_EQ(-EPERM, mTc.setCounterSet(TEST_COUNTERSET, TEST_UID, TEST_UID2));
293 uid_t uid = TEST_UID;
294 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid).ok());
295 expectMapEmpty(mFakeUidCounterSetMap);
296}
297
298TEST_F(TrafficControllerTest, TestSetInvalidCounterSet) {
299 uid_t callingUid = TEST_UID2;
300 addPrivilegedUid(callingUid);
301 ASSERT_GT(0, mTc.setCounterSet(OVERFLOW_COUNTERSET, TEST_UID, callingUid));
302 uid_t uid = TEST_UID;
303 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid).ok());
304 expectMapEmpty(mFakeUidCounterSetMap);
305}
306
307TEST_F(TrafficControllerTest, TestDeleteTagDataWithoutPermission) {
308 uint64_t cookie = 1;
309 uid_t uid = TEST_UID;
310 uint32_t tag = TEST_TAG;
311 StatsKey tagStatsMapKey;
312 populateFakeStats(cookie, uid, tag, &tagStatsMapKey);
313 ASSERT_EQ(-EPERM, mTc.deleteTagData(0, TEST_UID, TEST_UID2));
314
315 expectFakeStatsUnchanged(cookie, tag, uid, tagStatsMapKey);
316}
317
318TEST_F(TrafficControllerTest, TestDeleteTagData) {
319 uid_t callingUid = TEST_UID2;
320 addPrivilegedUid(callingUid);
321 uint64_t cookie = 1;
322 uid_t uid = TEST_UID;
323 uint32_t tag = TEST_TAG;
324 StatsKey tagStatsMapKey;
325 populateFakeStats(cookie, uid, tag, &tagStatsMapKey);
326 ASSERT_EQ(0, mTc.deleteTagData(TEST_TAG, TEST_UID, callingUid));
327 ASSERT_FALSE(mFakeCookieTagMap.readValue(cookie).ok());
328 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid);
329 ASSERT_RESULT_OK(counterSetResult);
330 ASSERT_EQ(TEST_COUNTERSET, counterSetResult.value());
331 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey).ok());
332 tagStatsMapKey.tag = 0;
333 Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey);
334 ASSERT_RESULT_OK(statsMapResult);
335 ASSERT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
336 ASSERT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
337 auto appStatsResult = mFakeAppUidStatsMap.readValue(TEST_UID);
338 ASSERT_RESULT_OK(appStatsResult);
339 ASSERT_EQ((uint64_t)1, appStatsResult.value().rxPackets);
340 ASSERT_EQ((uint64_t)100, appStatsResult.value().rxBytes);
341}
342
343TEST_F(TrafficControllerTest, TestDeleteAllUidData) {
344 uid_t callingUid = TEST_UID2;
345 addPrivilegedUid(callingUid);
346 uint64_t cookie = 1;
347 uid_t uid = TEST_UID;
348 uint32_t tag = TEST_TAG;
349 StatsKey tagStatsMapKey;
350 populateFakeStats(cookie, uid, tag, &tagStatsMapKey);
351 ASSERT_EQ(0, mTc.deleteTagData(0, TEST_UID, callingUid));
352 ASSERT_FALSE(mFakeCookieTagMap.readValue(cookie).ok());
353 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid).ok());
354 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey).ok());
355 tagStatsMapKey.tag = 0;
356 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey).ok());
357 ASSERT_FALSE(mFakeAppUidStatsMap.readValue(TEST_UID).ok());
358}
359
360TEST_F(TrafficControllerTest, TestDeleteDataWithTwoTags) {
361 uid_t callingUid = TEST_UID2;
362 addPrivilegedUid(callingUid);
363 uint64_t cookie1 = 1;
364 uint64_t cookie2 = 2;
365 uid_t uid = TEST_UID;
366 uint32_t tag1 = TEST_TAG;
367 uint32_t tag2 = TEST_TAG + 1;
368 StatsKey tagStatsMapKey1;
369 StatsKey tagStatsMapKey2;
370 populateFakeStats(cookie1, uid, tag1, &tagStatsMapKey1);
371 populateFakeStats(cookie2, uid, tag2, &tagStatsMapKey2);
372 ASSERT_EQ(0, mTc.deleteTagData(TEST_TAG, TEST_UID, callingUid));
373 ASSERT_FALSE(mFakeCookieTagMap.readValue(cookie1).ok());
374 Result<UidTagValue> cookieMapResult = mFakeCookieTagMap.readValue(cookie2);
375 ASSERT_RESULT_OK(cookieMapResult);
376 ASSERT_EQ(TEST_UID, cookieMapResult.value().uid);
377 ASSERT_EQ(TEST_TAG + 1, cookieMapResult.value().tag);
378 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid);
379 ASSERT_RESULT_OK(counterSetResult);
380 ASSERT_EQ(TEST_COUNTERSET, counterSetResult.value());
381 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey1).ok());
382 Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey2);
383 ASSERT_RESULT_OK(statsMapResult);
384 ASSERT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
385 ASSERT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
386}
387
388TEST_F(TrafficControllerTest, TestDeleteDataWithTwoUids) {
389 uid_t callingUid = TEST_UID2;
390 addPrivilegedUid(callingUid);
391 uint64_t cookie1 = 1;
392 uint64_t cookie2 = 2;
393 uid_t uid1 = TEST_UID;
394 uid_t uid2 = TEST_UID + 1;
395 uint32_t tag = TEST_TAG;
396 StatsKey tagStatsMapKey1;
397 StatsKey tagStatsMapKey2;
398 populateFakeStats(cookie1, uid1, tag, &tagStatsMapKey1);
399 populateFakeStats(cookie2, uid2, tag, &tagStatsMapKey2);
400
401 // Delete the stats of one of the uid. Check if it is properly collected by
402 // removedStats.
403 ASSERT_EQ(0, mTc.deleteTagData(0, uid2, callingUid));
404 ASSERT_FALSE(mFakeCookieTagMap.readValue(cookie2).ok());
405 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid1);
406 ASSERT_RESULT_OK(counterSetResult);
407 ASSERT_EQ(TEST_COUNTERSET, counterSetResult.value());
408 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid2).ok());
409 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey2).ok());
410 tagStatsMapKey2.tag = 0;
411 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey2).ok());
412 ASSERT_FALSE(mFakeAppUidStatsMap.readValue(uid2).ok());
413 tagStatsMapKey1.tag = 0;
414 Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey1);
415 ASSERT_RESULT_OK(statsMapResult);
416 ASSERT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
417 ASSERT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
418 auto appStatsResult = mFakeAppUidStatsMap.readValue(uid1);
419 ASSERT_RESULT_OK(appStatsResult);
420 ASSERT_EQ((uint64_t)1, appStatsResult.value().rxPackets);
421 ASSERT_EQ((uint64_t)100, appStatsResult.value().rxBytes);
422
423 // Delete the stats of the other uid.
424 ASSERT_EQ(0, mTc.deleteTagData(0, uid1, callingUid));
425 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey1).ok());
426 ASSERT_FALSE(mFakeAppUidStatsMap.readValue(uid1).ok());
427}
428
429TEST_F(TrafficControllerTest, TestUpdateOwnerMapEntry) {
430 uint32_t uid = TEST_UID;
431 ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, DENY, DENYLIST)));
432 Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
433 ASSERT_RESULT_OK(value);
434 ASSERT_TRUE(value.value().rule & STANDBY_MATCH);
435
436 ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(DOZABLE_MATCH, uid, ALLOW, ALLOWLIST)));
437 value = mFakeUidOwnerMap.readValue(uid);
438 ASSERT_RESULT_OK(value);
439 ASSERT_TRUE(value.value().rule & DOZABLE_MATCH);
440
441 ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(DOZABLE_MATCH, uid, DENY, ALLOWLIST)));
442 value = mFakeUidOwnerMap.readValue(uid);
443 ASSERT_RESULT_OK(value);
444 ASSERT_FALSE(value.value().rule & DOZABLE_MATCH);
445
446 ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, ALLOW, DENYLIST)));
447 ASSERT_FALSE(mFakeUidOwnerMap.readValue(uid).ok());
448
449 uid = TEST_UID2;
450 ASSERT_FALSE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, ALLOW, DENYLIST)));
451 ASSERT_FALSE(mFakeUidOwnerMap.readValue(uid).ok());
452}
453
454TEST_F(TrafficControllerTest, TestChangeUidOwnerRule) {
455 checkUidOwnerRuleForChain(DOZABLE, DOZABLE_MATCH);
456 checkUidOwnerRuleForChain(STANDBY, STANDBY_MATCH);
457 checkUidOwnerRuleForChain(POWERSAVE, POWERSAVE_MATCH);
458 checkUidOwnerRuleForChain(RESTRICTED, RESTRICTED_MATCH);
459 ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(NONE, TEST_UID, ALLOW, ALLOWLIST));
460 ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(INVALID_CHAIN, TEST_UID, ALLOW, ALLOWLIST));
461}
462
463TEST_F(TrafficControllerTest, TestReplaceUidOwnerMap) {
464 std::vector<int32_t> uids = {TEST_UID, TEST_UID2, TEST_UID3};
465 checkUidMapReplace("fw_dozable", uids, DOZABLE_MATCH);
466 checkUidMapReplace("fw_standby", uids, STANDBY_MATCH);
467 checkUidMapReplace("fw_powersave", uids, POWERSAVE_MATCH);
468 checkUidMapReplace("fw_restricted", uids, RESTRICTED_MATCH);
469 ASSERT_EQ(-EINVAL, mTc.replaceUidOwnerMap("unknow", true, uids));
470}
471
472TEST_F(TrafficControllerTest, TestReplaceSameChain) {
473 std::vector<int32_t> uids = {TEST_UID, TEST_UID2, TEST_UID3};
474 checkUidMapReplace("fw_dozable", uids, DOZABLE_MATCH);
475 std::vector<int32_t> newUids = {TEST_UID2, TEST_UID3};
476 checkUidMapReplace("fw_dozable", newUids, DOZABLE_MATCH);
477}
478
479TEST_F(TrafficControllerTest, TestDenylistUidMatch) {
480 std::vector<uint32_t> appUids = {1000, 1001, 10012};
481 ASSERT_TRUE(isOk(
482 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpInsert)));
483 expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
484 ASSERT_TRUE(isOk(
485 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpDelete)));
486 expectMapEmpty(mFakeUidOwnerMap);
487}
488
489TEST_F(TrafficControllerTest, TestAllowlistUidMatch) {
490 std::vector<uint32_t> appUids = {1000, 1001, 10012};
491 ASSERT_TRUE(
492 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpInsert)));
493 expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
494 ASSERT_TRUE(
495 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpDelete)));
496 expectMapEmpty(mFakeUidOwnerMap);
497}
498
499TEST_F(TrafficControllerTest, TestReplaceMatchUid) {
500 std::vector<uint32_t> appUids = {1000, 1001, 10012};
501 // Add appUids to the denylist and expect that their values are all PENALTY_BOX_MATCH.
502 ASSERT_TRUE(isOk(
503 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpInsert)));
504 expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
505
506 // Add the same UIDs to the allowlist and expect that we get PENALTY_BOX_MATCH |
507 // HAPPY_BOX_MATCH.
508 ASSERT_TRUE(
509 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpInsert)));
510 expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH | PENALTY_BOX_MATCH, 0);
511
512 // Remove the same UIDs from the allowlist and check the PENALTY_BOX_MATCH is still there.
513 ASSERT_TRUE(
514 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpDelete)));
515 expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
516
517 // Remove the same UIDs from the denylist and check the map is empty.
518 ASSERT_TRUE(isOk(
519 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpDelete)));
520 ASSERT_FALSE(mFakeUidOwnerMap.getFirstKey().ok());
521}
522
523TEST_F(TrafficControllerTest, TestDeleteWrongMatchSilentlyFails) {
524 std::vector<uint32_t> appUids = {1000, 1001, 10012};
525 // If the uid does not exist in the map, trying to delete a rule about it will fail.
526 ASSERT_FALSE(
527 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpDelete)));
528 expectMapEmpty(mFakeUidOwnerMap);
529
530 // Add denylist rules for appUids.
531 ASSERT_TRUE(
532 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpInsert)));
533 expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
534
535 // Delete (non-existent) denylist rules for appUids, and check that this silently does
536 // nothing if the uid is in the map but does not have denylist match. This is required because
537 // NetworkManagementService will try to remove a uid from denylist after adding it to the
538 // allowlist and if the remove fails it will not update the uid status.
539 ASSERT_TRUE(isOk(
540 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpDelete)));
541 expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
542}
543
544TEST_F(TrafficControllerTest, TestAddUidInterfaceFilteringRules) {
545 int iif0 = 15;
546 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif0, {1000, 1001})));
547 expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
548
549 // Add some non-overlapping new uids. They should coexist with existing rules
550 int iif1 = 16;
551 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {2000, 2001})));
552 expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
553 expectUidOwnerMapValues({2000, 2001}, IIF_MATCH, iif1);
554
555 // Overwrite some existing uids
556 int iif2 = 17;
557 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif2, {1000, 2000})));
558 expectUidOwnerMapValues({1001}, IIF_MATCH, iif0);
559 expectUidOwnerMapValues({2001}, IIF_MATCH, iif1);
560 expectUidOwnerMapValues({1000, 2000}, IIF_MATCH, iif2);
561}
562
563TEST_F(TrafficControllerTest, TestRemoveUidInterfaceFilteringRules) {
564 int iif0 = 15;
565 int iif1 = 16;
566 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif0, {1000, 1001})));
567 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {2000, 2001})));
568 expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
569 expectUidOwnerMapValues({2000, 2001}, IIF_MATCH, iif1);
570
571 // Rmove some uids
572 ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1001, 2001})));
573 expectUidOwnerMapValues({1000}, IIF_MATCH, iif0);
574 expectUidOwnerMapValues({2000}, IIF_MATCH, iif1);
575 checkEachUidValue({1000, 2000}, IIF_MATCH); // Make sure there are only two uids remaining
576
577 // Remove non-existent uids shouldn't fail
578 ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({2000, 3000})));
579 expectUidOwnerMapValues({1000}, IIF_MATCH, iif0);
580 checkEachUidValue({1000}, IIF_MATCH); // Make sure there are only one uid remaining
581
582 // Remove everything
583 ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1000})));
584 expectMapEmpty(mFakeUidOwnerMap);
585}
586
587TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesCoexistWithExistingMatches) {
588 // Set up existing PENALTY_BOX_MATCH rules
589 ASSERT_TRUE(isOk(mTc.updateUidOwnerMap({1000, 1001, 10012}, PENALTY_BOX_MATCH,
590 TrafficController::IptOpInsert)));
591 expectUidOwnerMapValues({1000, 1001, 10012}, PENALTY_BOX_MATCH, 0);
592
593 // Add some partially-overlapping uid owner rules and check result
594 int iif1 = 32;
595 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {10012, 10013, 10014})));
596 expectUidOwnerMapValues({1000, 1001}, PENALTY_BOX_MATCH, 0);
597 expectUidOwnerMapValues({10012}, PENALTY_BOX_MATCH | IIF_MATCH, iif1);
598 expectUidOwnerMapValues({10013, 10014}, IIF_MATCH, iif1);
599
600 // Removing some PENALTY_BOX_MATCH rules should not change uid interface rule
601 ASSERT_TRUE(isOk(mTc.updateUidOwnerMap({1001, 10012}, PENALTY_BOX_MATCH,
602 TrafficController::IptOpDelete)));
603 expectUidOwnerMapValues({1000}, PENALTY_BOX_MATCH, 0);
604 expectUidOwnerMapValues({10012, 10013, 10014}, IIF_MATCH, iif1);
605
606 // Remove all uid interface rules
607 ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({10012, 10013, 10014})));
608 expectUidOwnerMapValues({1000}, PENALTY_BOX_MATCH, 0);
609 // Make sure these are the only uids left
610 checkEachUidValue({1000}, PENALTY_BOX_MATCH);
611}
612
613TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesCoexistWithNewMatches) {
614 int iif1 = 56;
615 // Set up existing uid interface rules
616 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {10001, 10002})));
617 expectUidOwnerMapValues({10001, 10002}, IIF_MATCH, iif1);
618
619 // Add some partially-overlapping doze rules
620 EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_dozable", true, {10002, 10003}));
621 expectUidOwnerMapValues({10001}, IIF_MATCH, iif1);
622 expectUidOwnerMapValues({10002}, DOZABLE_MATCH | IIF_MATCH, iif1);
623 expectUidOwnerMapValues({10003}, DOZABLE_MATCH, 0);
624
625 // Introduce a third rule type (powersave) on various existing UIDs
626 EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_powersave", true, {10000, 10001, 10002, 10003}));
627 expectUidOwnerMapValues({10000}, POWERSAVE_MATCH, 0);
628 expectUidOwnerMapValues({10001}, POWERSAVE_MATCH | IIF_MATCH, iif1);
629 expectUidOwnerMapValues({10002}, POWERSAVE_MATCH | DOZABLE_MATCH | IIF_MATCH, iif1);
630 expectUidOwnerMapValues({10003}, POWERSAVE_MATCH | DOZABLE_MATCH, 0);
631
632 // Remove all doze rules
633 EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_dozable", true, {}));
634 expectUidOwnerMapValues({10000}, POWERSAVE_MATCH, 0);
635 expectUidOwnerMapValues({10001}, POWERSAVE_MATCH | IIF_MATCH, iif1);
636 expectUidOwnerMapValues({10002}, POWERSAVE_MATCH | IIF_MATCH, iif1);
637 expectUidOwnerMapValues({10003}, POWERSAVE_MATCH, 0);
638
639 // Remove all powersave rules, expect ownerMap to only have uid interface rules left
640 EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_powersave", true, {}));
641 expectUidOwnerMapValues({10001, 10002}, IIF_MATCH, iif1);
642 // Make sure these are the only uids left
643 checkEachUidValue({10001, 10002}, IIF_MATCH);
644}
645
646TEST_F(TrafficControllerTest, TestGrantInternetPermission) {
647 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
648
649 mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, appUids);
650 expectMapEmpty(mFakeUidPermissionMap);
651 expectPrivilegedUserSetEmpty();
652}
653
654TEST_F(TrafficControllerTest, TestRevokeInternetPermission) {
655 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
656
657 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
658 expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
659}
660
661TEST_F(TrafficControllerTest, TestPermissionUninstalled) {
662 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
663
664 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
665 expectUidPermissionMapValues(appUids, INetd::PERMISSION_UPDATE_DEVICE_STATS);
666 expectPrivilegedUserSet(appUids);
667
668 std::vector<uid_t> uidToRemove = {TEST_UID};
669 mTc.setPermissionForUids(INetd::PERMISSION_UNINSTALLED, uidToRemove);
670
671 std::vector<uid_t> uidRemain = {TEST_UID3, TEST_UID2};
672 expectUidPermissionMapValues(uidRemain, INetd::PERMISSION_UPDATE_DEVICE_STATS);
673 expectPrivilegedUserSet(uidRemain);
674
675 mTc.setPermissionForUids(INetd::PERMISSION_UNINSTALLED, uidRemain);
676 expectMapEmpty(mFakeUidPermissionMap);
677 expectPrivilegedUserSetEmpty();
678}
679
680TEST_F(TrafficControllerTest, TestGrantUpdateStatsPermission) {
681 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
682
683 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
684 expectUidPermissionMapValues(appUids, INetd::PERMISSION_UPDATE_DEVICE_STATS);
685 expectPrivilegedUserSet(appUids);
686
687 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
688 expectPrivilegedUserSetEmpty();
689 expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
690}
691
692TEST_F(TrafficControllerTest, TestRevokeUpdateStatsPermission) {
693 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
694
695 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
696 expectPrivilegedUserSet(appUids);
697
698 std::vector<uid_t> uidToRemove = {TEST_UID};
699 mTc.setPermissionForUids(INetd::PERMISSION_NONE, uidToRemove);
700
701 std::vector<uid_t> uidRemain = {TEST_UID3, TEST_UID2};
702 expectPrivilegedUserSet(uidRemain);
703
704 mTc.setPermissionForUids(INetd::PERMISSION_NONE, uidRemain);
705 expectPrivilegedUserSetEmpty();
706}
707
708TEST_F(TrafficControllerTest, TestGrantWrongPermission) {
709 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
710
711 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
712 expectPrivilegedUserSetEmpty();
713 expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
714}
715
716TEST_F(TrafficControllerTest, TestGrantDuplicatePermissionSlientlyFail) {
717 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
718
719 mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, appUids);
720 expectMapEmpty(mFakeUidPermissionMap);
721
722 std::vector<uid_t> uidToAdd = {TEST_UID};
723 mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, uidToAdd);
724
725 expectPrivilegedUserSetEmpty();
726
727 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
728 expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
729
730 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
731 expectPrivilegedUserSet(appUids);
732
733 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, uidToAdd);
734 expectPrivilegedUserSet(appUids);
735
736 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
737 expectPrivilegedUserSetEmpty();
738}
739
740} // namespace net
741} // namespace android