Blame - server/FirewallControllerTest.cpp - platform_system_netd

blob: a7aee47e3c84272b6bb59c957af6c37015e67dd3 [file] [log] [blame]

Lorenzo Colitti	89faa34	2016-02-26 11:38:47 +0900	[diff] [blame]	1	/*
				2	* Copyright 2016 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*
				16	* FirewallControllerTest.cpp - unit tests for FirewallController.cpp
				17	*/
				18
				19	#include <string>
				20	#include <vector>
				21	#include <stdio.h>
				22
				23	#include <gtest/gtest.h>
				24
				25	#include "FirewallController.h"
Lorenzo Colitti	932c44c	2016-04-24 16:58:02 +0900	[diff] [blame]	26	#include "IptablesBaseTest.h"
Lorenzo Colitti	89faa34	2016-02-26 11:38:47 +0900	[diff] [blame]	27
Luke Huang	e64fa38	2018-07-24 16:38:22 +0800	[diff] [blame]	28	namespace android {
				29	namespace net {
				30
Lorenzo Colitti	932c44c	2016-04-24 16:58:02 +0900	[diff] [blame]	31	class FirewallControllerTest : public IptablesBaseTest {
Lorenzo Colitti	89faa34	2016-02-26 11:38:47 +0900	[diff] [blame]	32	protected:
Lorenzo Colitti	932c44c	2016-04-24 16:58:02 +0900	[diff] [blame]	33	FirewallControllerTest() {
Lorenzo Colitti	932c44c	2016-04-24 16:58:02 +0900	[diff] [blame]	34	FirewallController::execIptablesRestore = fakeExecIptablesRestore;
				35	}
Lorenzo Colitti	89faa34	2016-02-26 11:38:47 +0900	[diff] [blame]	36	FirewallController mFw;
Lorenzo Colitti	89faa34	2016-02-26 11:38:47 +0900	[diff] [blame]	37	};
				38
Lorenzo Colitti	6324b18	2017-07-17 21:48:14 +0900	[diff] [blame]	39	TEST_F(FirewallControllerTest, TestFirewall) {
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	40	std::vector<std::string> enableCommands = {
Maciej Żenczykowski	344bb89	2021-10-14 20:22:23 -0700	[diff] [blame]	41	"*filter\n"
				42	"-A fw_INPUT -j DROP\n"
				43	"-A fw_OUTPUT -j REJECT\n"
				44	"-A fw_FORWARD -j REJECT\n"
				45	"COMMIT\n"};
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	46	std::vector<std::string> disableCommands = {
Maciej Żenczykowski	344bb89	2021-10-14 20:22:23 -0700	[diff] [blame]	47	"*filter\n"
				48	":fw_INPUT -\n"
				49	":fw_OUTPUT -\n"
				50	":fw_FORWARD -\n"
				51	"-6 -A fw_OUTPUT ! -o lo -s ::1 -j DROP\n"
				52	"COMMIT\n"};
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	53	std::vector<std::string> noCommands = {};
				54
Luke Huang	e64fa38	2018-07-24 16:38:22 +0800	[diff] [blame]	55	EXPECT_EQ(0, mFw.resetFirewall());
Lorenzo Colitti	d351bea	2017-07-16 22:52:30 +0900	[diff] [blame]	56	expectIptablesRestoreCommands(disableCommands);
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	57
Luke Huang	e64fa38	2018-07-24 16:38:22 +0800	[diff] [blame]	58	EXPECT_EQ(0, mFw.resetFirewall());
Lorenzo Colitti	d351bea	2017-07-16 22:52:30 +0900	[diff] [blame]	59	expectIptablesRestoreCommands(disableCommands);
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	60
Lorenzo Colitti	cdd79f1	2020-07-30 12:03:40 +0900	[diff] [blame]	61	EXPECT_EQ(0, mFw.setFirewallType(DENYLIST));
Lorenzo Colitti	d351bea	2017-07-16 22:52:30 +0900	[diff] [blame]	62	expectIptablesRestoreCommands(disableCommands);
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	63
Lorenzo Colitti	cdd79f1	2020-07-30 12:03:40 +0900	[diff] [blame]	64	EXPECT_EQ(0, mFw.setFirewallType(DENYLIST));
Lorenzo Colitti	d351bea	2017-07-16 22:52:30 +0900	[diff] [blame]	65	expectIptablesRestoreCommands(noCommands);
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	66
				67	std::vector<std::string> disableEnableCommands;
				68	disableEnableCommands.insert(
				69	disableEnableCommands.end(), disableCommands.begin(), disableCommands.end());
				70	disableEnableCommands.insert(
				71	disableEnableCommands.end(), enableCommands.begin(), enableCommands.end());
				72
Lorenzo Colitti	cdd79f1	2020-07-30 12:03:40 +0900	[diff] [blame]	73	EXPECT_EQ(0, mFw.setFirewallType(ALLOWLIST));
Lorenzo Colitti	d351bea	2017-07-16 22:52:30 +0900	[diff] [blame]	74	expectIptablesRestoreCommands(disableEnableCommands);
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	75
Lorenzo Colitti	6324b18	2017-07-17 21:48:14 +0900	[diff] [blame]	76	std::vector<std::string> ifaceCommands = {
Lorenzo Colitti	1411d45	2017-07-17 22:12:15 +0900	[diff] [blame]	77	"*filter\n"
				78	"-I fw_INPUT -i rmnet_data0 -j RETURN\n"
				79	"-I fw_OUTPUT -o rmnet_data0 -j RETURN\n"
				80	"COMMIT\n"
Lorenzo Colitti	6324b18	2017-07-17 21:48:14 +0900	[diff] [blame]	81	};
				82	EXPECT_EQ(0, mFw.setInterfaceRule("rmnet_data0", ALLOW));
Lorenzo Colitti	1411d45	2017-07-17 22:12:15 +0900	[diff] [blame]	83	expectIptablesRestoreCommands(ifaceCommands);
				84
				85	EXPECT_EQ(0, mFw.setInterfaceRule("rmnet_data0", ALLOW));
				86	expectIptablesRestoreCommands(noCommands);
Lorenzo Colitti	6324b18	2017-07-17 21:48:14 +0900	[diff] [blame]	87
				88	ifaceCommands = {
Lorenzo Colitti	1411d45	2017-07-17 22:12:15 +0900	[diff] [blame]	89	"*filter\n"
				90	"-D fw_INPUT -i rmnet_data0 -j RETURN\n"
				91	"-D fw_OUTPUT -o rmnet_data0 -j RETURN\n"
				92	"COMMIT\n"
Lorenzo Colitti	6324b18	2017-07-17 21:48:14 +0900	[diff] [blame]	93	};
				94	EXPECT_EQ(0, mFw.setInterfaceRule("rmnet_data0", DENY));
Lorenzo Colitti	1411d45	2017-07-17 22:12:15 +0900	[diff] [blame]	95	expectIptablesRestoreCommands(ifaceCommands);
				96
				97	EXPECT_EQ(0, mFw.setInterfaceRule("rmnet_data0", DENY));
				98	expectIptablesRestoreCommands(noCommands);
Lorenzo Colitti	6324b18	2017-07-17 21:48:14 +0900	[diff] [blame]	99
Lorenzo Colitti	cdd79f1	2020-07-30 12:03:40 +0900	[diff] [blame]	100	EXPECT_EQ(0, mFw.setFirewallType(ALLOWLIST));
Lorenzo Colitti	d351bea	2017-07-16 22:52:30 +0900	[diff] [blame]	101	expectIptablesRestoreCommands(noCommands);
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	102
Luke Huang	e64fa38	2018-07-24 16:38:22 +0800	[diff] [blame]	103	EXPECT_EQ(0, mFw.resetFirewall());
Lorenzo Colitti	d351bea	2017-07-16 22:52:30 +0900	[diff] [blame]	104	expectIptablesRestoreCommands(disableCommands);
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	105
Lorenzo Colitti	cdd79f1	2020-07-30 12:03:40 +0900	[diff] [blame]	106	// TODO: calling resetFirewall and then setFirewallType(ALLOWLIST) does
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	107	// nothing. This seems like a clear bug.
Lorenzo Colitti	cdd79f1	2020-07-30 12:03:40 +0900	[diff] [blame]	108	EXPECT_EQ(0, mFw.setFirewallType(ALLOWLIST));
Lorenzo Colitti	d351bea	2017-07-16 22:52:30 +0900	[diff] [blame]	109	expectIptablesRestoreCommands(noCommands);
Lorenzo Colitti	cc1bb82	2017-07-16 21:08:54 +0900	[diff] [blame]	110	}
Hugo Benichi	528d3d0	2018-06-20 13:35:58 +0900	[diff] [blame]	111
Luke Huang	e64fa38	2018-07-24 16:38:22 +0800	[diff] [blame]	112	} // namespace net
Bernie Innocenti	a5161a0	2019-01-30 22:40:53 +0900	[diff] [blame]	113	} // namespace android