From 28afaff7c3a5118c12b38d2c91e74dc6e05537cd Mon Sep 17 00:00:00 2001 From: Chiachang Wang Date: Thu, 10 Dec 2020 22:24:47 +0800 Subject: [PATCH] Resolve UidRange dependency between NMS and CS module ConnectivityService is going to become a mainline module which cannot access hidden APIs. Thus, replace the VPN uid range controlling APIs from NMS to INetd directly. Bug: 170598012 Test: atest FrameworksNetTests Test: atest HostsideVpnTests Test: manually test to connect to VPN and check the uid range Change-Id: Ie6656ef36f54c2f14d5a2899e763a29b70a30f5d --- .../android/server/ConnectivityService.java | 22 ++- .../server/ConnectivityServiceTest.java | 17 +- .../android/server/connectivity/VpnTest.java | 176 +++++++++--------- 3 files changed, 117 insertions(+), 98 deletions(-) diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java index a42c864744..cdaf6557aa 100644 --- a/services/core/java/com/android/server/ConnectivityService.java +++ b/services/core/java/com/android/server/ConnectivityService.java @@ -129,6 +129,7 @@ import android.net.RouteInfoParcel; import android.net.SocketKeepalive; import android.net.TetheringManager; import android.net.UidRange; +import android.net.UidRangeParcel; import android.net.Uri; import android.net.VpnManager; import android.net.VpnService; @@ -5152,7 +5153,7 @@ public class ConnectivityService extends IConnectivityManager.Stub loge("Starting user already has a VPN"); return; } - userVpn = new Vpn(mHandler.getLooper(), mContext, mNMS, userId, mKeyStore); + userVpn = new Vpn(mHandler.getLooper(), mContext, mNMS, mNetd, userId, mKeyStore); mVpns.put(userId, userVpn); if (mUserManager.getUserInfo(userId).isPrimary() && LockdownVpnTracker.isEnabled()) { updateLockdownVpn(); @@ -6621,6 +6622,16 @@ public class ConnectivityService extends IConnectivityManager.Stub && (lp.hasIpv6DefaultRoute() || lp.hasIpv6UnreachableDefaultRoute()); } + private static UidRangeParcel[] toUidRangeStableParcels(final @NonNull Set ranges) { + final UidRangeParcel[] stableRanges = new UidRangeParcel[ranges.size()]; + int index = 0; + for (UidRange range : ranges) { + stableRanges[index] = new UidRangeParcel(range.start, range.stop); + index++; + } + return stableRanges; + } + private void updateUids(NetworkAgentInfo nai, NetworkCapabilities prevNc, NetworkCapabilities newNc) { Set prevRanges = null == prevNc ? null : prevNc.getUids(); @@ -6640,14 +6651,11 @@ public class ConnectivityService extends IConnectivityManager.Stub // removing old range works because, unlike the filtering rules below, it's possible to // add duplicate UID routing rules. if (!newRanges.isEmpty()) { - final UidRange[] addedRangesArray = new UidRange[newRanges.size()]; - newRanges.toArray(addedRangesArray); - mNMS.addVpnUidRanges(nai.network.getNetId(), addedRangesArray); + mNetd.networkAddUidRanges(nai.network.netId, toUidRangeStableParcels(newRanges)); } if (!prevRanges.isEmpty()) { - final UidRange[] removedRangesArray = new UidRange[prevRanges.size()]; - prevRanges.toArray(removedRangesArray); - mNMS.removeVpnUidRanges(nai.network.getNetId(), removedRangesArray); + mNetd.networkRemoveUidRanges( + nai.network.netId, toUidRangeStableParcels(prevRanges)); } final boolean wasFiltering = requiresVpnIsolation(nai, prevNc, nai.linkProperties); final boolean shouldFilter = requiresVpnIsolation(nai, newNc, nai.linkProperties); diff --git a/tests/net/java/com/android/server/ConnectivityServiceTest.java b/tests/net/java/com/android/server/ConnectivityServiceTest.java index deda927c04..691fc465af 100644 --- a/tests/net/java/com/android/server/ConnectivityServiceTest.java +++ b/tests/net/java/com/android/server/ConnectivityServiceTest.java @@ -187,6 +187,7 @@ import android.net.RouteInfo; import android.net.RouteInfoParcel; import android.net.SocketKeepalive; import android.net.UidRange; +import android.net.UidRangeParcel; import android.net.Uri; import android.net.VpnManager; import android.net.metrics.IpConnectivityLog; @@ -1053,7 +1054,7 @@ public class ConnectivityServiceTest { public MockVpn(int userId) { super(startHandlerThreadAndReturnLooper(), mServiceContext, mNetworkManagementService, - userId, mock(KeyStore.class)); + mMockNetd, userId, mock(KeyStore.class)); mConfig = new VpnConfig(); } @@ -1092,10 +1093,11 @@ public class ConnectivityServiceTest { mMockNetworkAgent = new TestNetworkAgentWrapper(TRANSPORT_VPN, lp, mNetworkCapabilities); mMockNetworkAgent.waitForIdle(TIMEOUT_MS); - verify(mNetworkManagementService, times(1)) - .addVpnUidRanges(eq(mMockVpn.getNetId()), eq(uids.toArray(new UidRange[0]))); - verify(mNetworkManagementService, never()) - .removeVpnUidRanges(eq(mMockVpn.getNetId()), any()); + + verify(mMockNetd, times(1)).networkAddUidRanges(eq(mMockVpn.getNetId()), + eq(toUidRangeStableParcels(uids))); + verify(mMockNetd, never()) + .networkRemoveUidRanges(eq(mMockVpn.getNetId()), any()); mAgentRegistered = true; mNetworkCapabilities.set(mMockNetworkAgent.getNetworkCapabilities()); mNetworkAgent = mMockNetworkAgent.getNetworkAgent(); @@ -1167,6 +1169,11 @@ public class ConnectivityServiceTest { } } + private UidRangeParcel[] toUidRangeStableParcels(final @NonNull Set ranges) { + return ranges.stream().map( + r -> new UidRangeParcel(r.start, r.stop)).toArray(UidRangeParcel[]::new); + } + private void mockVpn(int uid) { synchronized (mService.mVpns) { int userId = UserHandle.getUserId(uid); diff --git a/tests/net/java/com/android/server/connectivity/VpnTest.java b/tests/net/java/com/android/server/connectivity/VpnTest.java index 337507ac1d..6e380be6c5 100644 --- a/tests/net/java/com/android/server/connectivity/VpnTest.java +++ b/tests/net/java/com/android/server/connectivity/VpnTest.java @@ -58,6 +58,7 @@ import android.content.pm.ServiceInfo; import android.content.pm.UserInfo; import android.content.res.Resources; import android.net.ConnectivityManager; +import android.net.INetd; import android.net.Ikev2VpnProfile; import android.net.InetAddresses; import android.net.IpPrefix; @@ -70,6 +71,7 @@ import android.net.NetworkCapabilities; import android.net.NetworkInfo.DetailedState; import android.net.RouteInfo; import android.net.UidRange; +import android.net.UidRangeParcel; import android.net.VpnManager; import android.net.VpnService; import android.net.ipsec.ike.IkeSessionCallback; @@ -172,11 +174,13 @@ public class VpnTest { mPackages.put(PKGS[i], PKG_UIDS[i]); } } + private static final UidRange PRI_USER_RANGE = UidRange.createForUser(primaryUser.id); @Mock(answer = Answers.RETURNS_DEEP_STUBS) private Context mContext; @Mock private UserManager mUserManager; @Mock private PackageManager mPackageManager; @Mock private INetworkManagementService mNetService; + @Mock private INetd mNetd; @Mock private AppOpsManager mAppOps; @Mock private NotificationManager mNotificationManager; @Mock private Vpn.SystemServices mSystemServices; @@ -256,8 +260,7 @@ public class VpnTest { null, null); assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] { - UidRange.createForUser(primaryUser.id), - UidRange.createForUser(restrictedProfileA.id) + PRI_USER_RANGE, UidRange.createForUser(restrictedProfileA.id) })), ranges); } @@ -269,9 +272,7 @@ public class VpnTest { final Set ranges = vpn.createUserAndRestrictedProfilesRanges(primaryUser.id, null, null); - assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] { - UidRange.createForUser(primaryUser.id) - })), ranges); + assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] { PRI_USER_RANGE })), ranges); } @Test @@ -282,15 +283,13 @@ public class VpnTest { final Set ranges = new ArraySet<>(); vpn.addUserToRanges(ranges, primaryUser.id, null, null); - assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] { - UidRange.createForUser(primaryUser.id) - })), ranges); + assertEquals(new ArraySet<>(Arrays.asList(new UidRange[] { PRI_USER_RANGE })), ranges); } @Test public void testUidAllowAndDenylist() throws Exception { final Vpn vpn = createVpn(primaryUser.id); - final UidRange user = UidRange.createForUser(primaryUser.id); + final UidRange user = PRI_USER_RANGE; final String[] packages = {PKGS[0], PKGS[1], PKGS[2]}; // Allowed list @@ -339,62 +338,67 @@ public class VpnTest { @Test public void testLockdownChangingPackage() throws Exception { final Vpn vpn = createVpn(primaryUser.id); - final UidRange user = UidRange.createForUser(primaryUser.id); + final UidRange user = PRI_USER_RANGE; // Default state. - assertUnblocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]); + assertUnblocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], + user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]); // Set always-on without lockdown. assertTrue(vpn.setAlwaysOnPackage(PKGS[1], false, null, mKeyStore)); - assertUnblocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]); + assertUnblocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], + user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]); // Set always-on with lockdown. assertTrue(vpn.setAlwaysOnPackage(PKGS[1], true, null, mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(user.start, user.start + PKG_UIDS[1] - 1), - new UidRange(user.start + PKG_UIDS[1] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start, user.start + PKG_UIDS[1] - 1), + new UidRangeParcel(user.start + PKG_UIDS[1] + 1, user.stop) })); - assertBlocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]); + + assertBlocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[2], + user.start + PKG_UIDS[3]); assertUnblocked(vpn, user.start + PKG_UIDS[1]); // Switch to another app. assertTrue(vpn.setAlwaysOnPackage(PKGS[3], true, null, mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] { - new UidRange(user.start, user.start + PKG_UIDS[1] - 1), - new UidRange(user.start + PKG_UIDS[1] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start, user.start + PKG_UIDS[1] - 1), + new UidRangeParcel(user.start + PKG_UIDS[1] + 1, user.stop) })); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(user.start, user.start + PKG_UIDS[3] - 1), - new UidRange(user.start + PKG_UIDS[3] + 1, user.stop) + + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start, user.start + PKG_UIDS[3] - 1), + new UidRangeParcel(user.start + PKG_UIDS[3] + 1, user.stop) })); - assertBlocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], user.start + PKG_UIDS[2]); + assertBlocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[1], + user.start + PKG_UIDS[2]); assertUnblocked(vpn, user.start + PKG_UIDS[3]); } @Test public void testLockdownAllowlist() throws Exception { final Vpn vpn = createVpn(primaryUser.id); - final UidRange user = UidRange.createForUser(primaryUser.id); + final UidRange user = PRI_USER_RANGE; // Set always-on with lockdown and allow app PKGS[2] from lockdown. assertTrue(vpn.setAlwaysOnPackage( PKGS[1], true, Collections.singletonList(PKGS[2]), mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(user.start, user.start + PKG_UIDS[1] - 1), - new UidRange(user.start + PKG_UIDS[2] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start, user.start + PKG_UIDS[1] - 1), + new UidRangeParcel(user.start + PKG_UIDS[2] + 1, user.stop) })); assertBlocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[3]); assertUnblocked(vpn, user.start + PKG_UIDS[1], user.start + PKG_UIDS[2]); - // Change allowed app list to PKGS[3]. assertTrue(vpn.setAlwaysOnPackage( PKGS[1], true, Collections.singletonList(PKGS[3]), mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] { - new UidRange(user.start + PKG_UIDS[2] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start + PKG_UIDS[2] + 1, user.stop) })); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(user.start + PKG_UIDS[1] + 1, user.start + PKG_UIDS[3] - 1), - new UidRange(user.start + PKG_UIDS[3] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start + PKG_UIDS[1] + 1, user.start + PKG_UIDS[3] - 1), + new UidRangeParcel(user.start + PKG_UIDS[3] + 1, user.stop) })); assertBlocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[2]); assertUnblocked(vpn, user.start + PKG_UIDS[1], user.start + PKG_UIDS[3]); @@ -402,25 +406,25 @@ public class VpnTest { // Change the VPN app. assertTrue(vpn.setAlwaysOnPackage( PKGS[0], true, Collections.singletonList(PKGS[3]), mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] { - new UidRange(user.start, user.start + PKG_UIDS[1] - 1), - new UidRange(user.start + PKG_UIDS[1] + 1, user.start + PKG_UIDS[3] - 1) + verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start, user.start + PKG_UIDS[1] - 1), + new UidRangeParcel(user.start + PKG_UIDS[1] + 1, user.start + PKG_UIDS[3] - 1) })); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(user.start, user.start + PKG_UIDS[0] - 1), - new UidRange(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[3] - 1) + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start, user.start + PKG_UIDS[0] - 1), + new UidRangeParcel(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[3] - 1) })); assertBlocked(vpn, user.start + PKG_UIDS[1], user.start + PKG_UIDS[2]); assertUnblocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[3]); // Remove the list of allowed packages. assertTrue(vpn.setAlwaysOnPackage(PKGS[0], true, null, mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] { - new UidRange(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[3] - 1), - new UidRange(user.start + PKG_UIDS[3] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[3] - 1), + new UidRangeParcel(user.start + PKG_UIDS[3] + 1, user.stop) })); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(user.start + PKG_UIDS[0] + 1, user.stop), + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start + PKG_UIDS[0] + 1, user.stop), })); assertBlocked(vpn, user.start + PKG_UIDS[1], user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]); @@ -429,12 +433,12 @@ public class VpnTest { // Add the list of allowed packages. assertTrue(vpn.setAlwaysOnPackage( PKGS[0], true, Collections.singletonList(PKGS[1]), mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] { - new UidRange(user.start + PKG_UIDS[0] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start + PKG_UIDS[0] + 1, user.stop) })); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[1] - 1), - new UidRange(user.start + PKG_UIDS[1] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[1] - 1), + new UidRangeParcel(user.start + PKG_UIDS[1] + 1, user.stop) })); assertBlocked(vpn, user.start + PKG_UIDS[2], user.start + PKG_UIDS[3]); assertUnblocked(vpn, user.start + PKG_UIDS[0], user.start + PKG_UIDS[1]); @@ -447,13 +451,13 @@ public class VpnTest { // allowed package should change from PGKS[1] to PKGS[2]. assertTrue(vpn.setAlwaysOnPackage( PKGS[0], true, Arrays.asList("com.foo.app", PKGS[2], "com.bar.app"), mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[]{ - new UidRange(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[1] - 1), - new UidRange(user.start + PKG_UIDS[1] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(new UidRangeParcel[]{ + new UidRangeParcel(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[1] - 1), + new UidRangeParcel(user.start + PKG_UIDS[1] + 1, user.stop) })); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[]{ - new UidRange(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[2] - 1), - new UidRange(user.start + PKG_UIDS[2] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[]{ + new UidRangeParcel(user.start + PKG_UIDS[0] + 1, user.start + PKG_UIDS[2] - 1), + new UidRangeParcel(user.start + PKG_UIDS[2] + 1, user.stop) })); } @@ -467,86 +471,86 @@ public class VpnTest { restrictedProfileA.flags); tempProfile.restrictedProfileParentId = primaryUser.id; - final UidRange user = UidRange.createForUser(primaryUser.id); + final UidRange user = PRI_USER_RANGE; final UidRange profile = UidRange.createForUser(tempProfile.id); // Set lockdown. assertTrue(vpn.setAlwaysOnPackage(PKGS[3], true, null, mKeyStore)); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(user.start, user.start + PKG_UIDS[3] - 1), - new UidRange(user.start + PKG_UIDS[3] + 1, user.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(user.start, user.start + PKG_UIDS[3] - 1), + new UidRangeParcel(user.start + PKG_UIDS[3] + 1, user.stop) })); - // Verify restricted user isn't affected at first. assertUnblocked(vpn, profile.start + PKG_UIDS[0]); // Add the restricted user. setMockedUsers(primaryUser, tempProfile); vpn.onUserAdded(tempProfile.id); - verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(new UidRange[] { - new UidRange(profile.start, profile.start + PKG_UIDS[3] - 1), - new UidRange(profile.start + PKG_UIDS[3] + 1, profile.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(new UidRangeParcel[] { + new UidRangeParcel(profile.start, profile.start + PKG_UIDS[3] - 1), + new UidRangeParcel(profile.start + PKG_UIDS[3] + 1, profile.stop) })); // Remove the restricted user. tempProfile.partial = true; vpn.onUserRemoved(tempProfile.id); - verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(new UidRange[] { - new UidRange(profile.start, profile.start + PKG_UIDS[3] - 1), - new UidRange(profile.start + PKG_UIDS[3] + 1, profile.stop) + verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(new UidRangeParcel[] { + new UidRangeParcel(profile.start, profile.start + PKG_UIDS[3] - 1), + new UidRangeParcel(profile.start + PKG_UIDS[3] + 1, profile.stop) })); } @Test public void testLockdownRuleRepeatability() throws Exception { final Vpn vpn = createVpn(primaryUser.id); - + final UidRangeParcel[] primaryUserRangeParcel = new UidRangeParcel[] { + new UidRangeParcel(PRI_USER_RANGE.start, PRI_USER_RANGE.stop)}; // Given legacy lockdown is already enabled, vpn.setLockdown(true); - verify(mNetService, times(1)).setAllowOnlyVpnForUids( - eq(true), aryEq(new UidRange[] {UidRange.createForUser(primaryUser.id)})); + + verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(primaryUserRangeParcel)); // Enabling legacy lockdown twice should do nothing. vpn.setLockdown(true); - verify(mNetService, times(1)).setAllowOnlyVpnForUids(anyBoolean(), any(UidRange[].class)); + verify(mNetd, times(1)) + .networkRejectNonSecureVpn(anyBoolean(), any(UidRangeParcel[].class)); // And disabling should remove the rules exactly once. vpn.setLockdown(false); - verify(mNetService, times(1)).setAllowOnlyVpnForUids( - eq(false), aryEq(new UidRange[] {UidRange.createForUser(primaryUser.id)})); + verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(primaryUserRangeParcel)); // Removing the lockdown again should have no effect. vpn.setLockdown(false); - verify(mNetService, times(2)).setAllowOnlyVpnForUids(anyBoolean(), any(UidRange[].class)); + verify(mNetd, times(2)).networkRejectNonSecureVpn( + anyBoolean(), any(UidRangeParcel[].class)); } @Test public void testLockdownRuleReversibility() throws Exception { final Vpn vpn = createVpn(primaryUser.id); - - final UidRange[] entireUser = { - UidRange.createForUser(primaryUser.id) + final UidRangeParcel[] entireUser = { + new UidRangeParcel(PRI_USER_RANGE.start, PRI_USER_RANGE.stop) }; - final UidRange[] exceptPkg0 = { - new UidRange(entireUser[0].start, entireUser[0].start + PKG_UIDS[0] - 1), - new UidRange(entireUser[0].start + PKG_UIDS[0] + 1, entireUser[0].stop) + final UidRangeParcel[] exceptPkg0 = { + new UidRangeParcel(entireUser[0].start, entireUser[0].start + PKG_UIDS[0] - 1), + new UidRangeParcel(entireUser[0].start + PKG_UIDS[0] + 1, entireUser[0].stop) }; - final InOrder order = inOrder(mNetService); + final InOrder order = inOrder(mNetd); // Given lockdown is enabled with no package (legacy VPN), vpn.setLockdown(true); - order.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(entireUser)); + order.verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(entireUser)); // When a new VPN package is set the rules should change to cover that package. vpn.prepare(null, PKGS[0], VpnManager.TYPE_VPN_SERVICE); - order.verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(entireUser)); - order.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(exceptPkg0)); + order.verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(entireUser)); + order.verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(exceptPkg0)); // When that VPN package is unset, everything should be undone again in reverse. vpn.prepare(null, VpnConfig.LEGACY_VPN, VpnManager.TYPE_VPN_SERVICE); - order.verify(mNetService).setAllowOnlyVpnForUids(eq(false), aryEq(exceptPkg0)); - order.verify(mNetService).setAllowOnlyVpnForUids(eq(true), aryEq(entireUser)); + order.verify(mNetd).networkRejectNonSecureVpn(eq(false), aryEq(exceptPkg0)); + order.verify(mNetd).networkRejectNonSecureVpn(eq(true), aryEq(entireUser)); } @Test @@ -1186,7 +1190,7 @@ public class VpnTest { .thenReturn(asUserContext); final TestLooper testLooper = new TestLooper(); final Vpn vpn = new Vpn(testLooper.getLooper(), mContext, new TestDeps(), mNetService, - userId, mKeyStore, mSystemServices, mIkev2SessionCreator); + mNetd, userId, mKeyStore, mSystemServices, mIkev2SessionCreator); verify(mConnectivityManager, times(1)).registerNetworkProvider(argThat( provider -> provider.getName().contains("VpnNetworkProvider") ));