From d6e8d4ab712d854f03908435af27db83e9861c01 Mon Sep 17 00:00:00 2001 From: Benedict Wong Date: Wed, 25 Mar 2020 05:50:51 +0000 Subject: [PATCH 1/3] Automatically set IPsec tunnel interface as up This change makes IPsec tunnel interfaces automatically get brought up once they are created. Originally this was considered to be an additional safety check, as they would not be start routing traffic until explicitly brought up. However, in the intervening time, the NetworkManagementController now requires the NETWORK_STACK permission to set an interface as up. Additionally, that call is a hidden API, and thus not usable for use cases such as IWLAN. Bug: 149348618 Test: FrameworksNetTests, CtsNetTestCases passing. Change-Id: I55b63a748463a388e1e2991d2d5d6b3023545e60 Merged-In: I55b63a748463a388e1e2991d2d5d6b3023545e60 (cherry picked from commit 7c5704d177a903034ae1b6ae4800cc3b8457977a)
---
 .../android/server/IpSecServiceParameterizedTest.java | 6 +++++-
 .../server/IpSecServiceRefcountedResourceTest.java | 4 +++-
 .../net/java/com/android/server/IpSecServiceTest.java | 11 +++++++----
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
index 71b72b84de..23098ec067 100644
--- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
+++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
@@ -46,6 +46,7 @@ import android.net.LinkAddress;
 import android.net.Network;
 import android.net.NetworkUtils;
 import android.os.Binder;
+import android.os.INetworkManagementService;
 import android.os.ParcelFileDescriptor;
 import android.system.Os;
 import android.test.mock.MockContext;
@@ -135,6 +136,7 @@ public class IpSecServiceParameterizedTest {
 };
 INetd mMockNetd;
+ INetworkManagementService mNetworkManager;
 PackageManager mMockPkgMgr;
 IpSecService.IpSecServiceConfiguration mMockIpSecSrvConfig;
 IpSecService mIpSecService;
@@ -160,9 +162,10 @@ public class IpSecServiceParameterizedTest {
 @Before
 public void setUp() throws Exception {
 mMockNetd = mock(INetd.class);
+ mNetworkManager = mock(INetworkManagementService.class);
 mMockPkgMgr = mock(PackageManager.class);
 mMockIpSecSrvConfig = mock(IpSecService.IpSecServiceConfiguration.class);
- mIpSecService = new IpSecService(mMockContext, mMockIpSecSrvConfig);
+ mIpSecService = new IpSecService(mMockContext, mNetworkManager, mMockIpSecSrvConfig);
 // Injecting mock netd
 when(mMockIpSecSrvConfig.getNetdInstance()).thenReturn(mMockNetd);
@@ -609,6 +612,7 @@ public class IpSecServiceParameterizedTest {
 anyInt(),
 anyInt(),
 anyInt());
+ verify(mNetworkManager).setInterfaceUp(createTunnelResp.interfaceName);
 }
 @Test
diff --git a/tests/net/java/com/android/server/IpSecServiceRefcountedResourceTest.java b/tests/net/java/com/android/server/IpSecServiceRefcountedResourceTest.java
index 22a2c94fc1..788e4efe09 100644
--- a/tests/net/java/com/android/server/IpSecServiceRefcountedResourceTest.java
+++ b/tests/net/java/com/android/server/IpSecServiceRefcountedResourceTest.java
@@ -31,6 +31,7 @@ import static org.mockito.Mockito.verify;
 import android.content.Context;
 import android.os.Binder;
 import android.os.IBinder;
+import android.os.INetworkManagementService;
 import android.os.RemoteException;
 import androidx.test.filters.SmallTest;
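Review bot: The mock field added to IpSecServiceParameterizedTest in the `@@ -135` hunk is named `mNetworkManager`, while every other mock in this class carries the `mMock` prefix (`mMockNetd`, `mMockPkgMgr`, `mMockIpSecSrvConfig`) and IpSecServiceTest in the same patch names the equivalent field `mMockNetworkManager`. Declaring it as `INetworkManagementService mMockNetworkManager;` and using that name in the `setUp()` assignment and the `verify(...)` call in the later hunks of this file keeps it obvious at each call site that the object is a mock.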
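Review bot: The added `verify(mNetworkManager).setInterfaceUp(createTunnelResp.interfaceName);` in the `@@ -609` hunk of IpSecServiceParameterizedTest pins only the success path of the new bring-up call. Per the commit message the explicit bring-up used to act as a safety gate before a tunnel routed traffic, so the failure path deserves its own test: stub the call with `doThrow(new RemoteException()).when(mNetworkManager).setInterfaceUp(anyString());` and assert that tunnel creation reports an error and releases the interface rather than leaving a half-configured one behind. The IpSecService change itself is not part of this view, so whether that path is handled there cannot be confirmed from here; the enclosing test method also starts outside the hunk.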
@@ -61,7 +62,8 @@ public class IpSecServiceRefcountedResourceTest {
 public void setUp() throws Exception {
 mMockContext = mock(Context.class);
 mMockIpSecSrvConfig = mock(IpSecService.IpSecServiceConfiguration.class);
- mIpSecService = new IpSecService(mMockContext, mMockIpSecSrvConfig);
+ mIpSecService = new IpSecService(
+ mMockContext, mock(INetworkManagementService.class), mMockIpSecSrvConfig);
 }
 private void assertResourceState(
diff --git a/tests/net/java/com/android/server/IpSecServiceTest.java b/tests/net/java/com/android/server/IpSecServiceTest.java
index 4a35015044..536e98327e 100644
--- a/tests/net/java/com/android/server/IpSecServiceTest.java
+++ b/tests/net/java/com/android/server/IpSecServiceTest.java
@@ -42,6 +42,7 @@ import android.net.IpSecManager;
 import android.net.IpSecSpiResponse;
 import android.net.IpSecUdpEncapResponse;
 import android.os.Binder;
+import android.os.INetworkManagementService;
 import android.os.ParcelFileDescriptor;
 import android.os.Process;
 import android.system.ErrnoException;
@@ -115,6 +116,7 @@ public class IpSecServiceTest {
 }
 Context mMockContext;
+ INetworkManagementService mMockNetworkManager;
 INetd mMockNetd;
 IpSecService.IpSecServiceConfiguration mMockIpSecSrvConfig;
 IpSecService mIpSecService;
@@ -122,9 +124,10 @@ public class IpSecServiceTest {
 @Before
 public void setUp() throws Exception {
 mMockContext = mock(Context.class);
+ mMockNetworkManager = mock(INetworkManagementService.class);
 mMockNetd = mock(INetd.class);
 mMockIpSecSrvConfig = mock(IpSecService.IpSecServiceConfiguration.class);
- mIpSecService = new IpSecService(mMockContext, mMockIpSecSrvConfig);
+ mIpSecService = new IpSecService(mMockContext, mMockNetworkManager, mMockIpSecSrvConfig);
 // Injecting mock netd
 when(mMockIpSecSrvConfig.getNetdInstance()).thenReturn(mMockNetd);
@@ -132,7 +135,7 @@ public class IpSecServiceTest {
 @Test
 public void testIpSecServiceCreate() throws InterruptedException {
- IpSecService ipSecSrv = IpSecService.create(mMockContext);
+ IpSecService ipSecSrv = IpSecService.create(mMockContext, mMockNetworkManager);
 assertNotNull(ipSecSrv);
 }
@@ -604,8 +607,8 @@ public class IpSecServiceTest {
 @Test
 public void testOpenUdpEncapSocketTagsSocket() throws Exception {
 IpSecService.UidFdTagger mockTagger = mock(IpSecService.UidFdTagger.class);
- IpSecService testIpSecService =
- new IpSecService(mMockContext, mMockIpSecSrvConfig, mockTagger);
+ IpSecService testIpSecService = new IpSecService(
+ mMockContext, mMockNetworkManager, mMockIpSecSrvConfig, mockTagger);
 IpSecUdpEncapResponse udpEncapResp = testIpSecService.openUdpEncapsulationSocket(0, new Binder());
From 9f8773c32ed0791bbd8e677a5401095c53220184 Mon Sep 17 00:00:00 2001 From: Cody Kesting Date: Wed, 18 Mar 2020 15:22:12 -0700 Subject: [PATCH 2/3] Clean up handling of NetworkCapabilities#administratorUids. Update ConnectivityService's check for administrator UIDs to use ArrayUtils to check for UID inclusion. Update the NetworkCapabilities annotation on the administrator UIDs field to clarify that it is NonNull. Bug: 147903575 Test: atest FrameworksNetTests Change-Id: Id630fe9d76aacdaf038fdaa5360f0327520ee0c3 Merged-In: Id630fe9d76aacdaf038fdaa5360f0327520ee0c3 (cherry picked from commit 898496365aa1f3601cdbb305004ad0de11ff6bfc)
---
 core/java/android/net/NetworkCapabilities.java | 2 +-
 .../core/java/com/android/server/ConnectivityService.java | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/core/java/android/net/NetworkCapabilities.java b/core/java/android/net/NetworkCapabilities.java
index 91ef911ef2..4e4ff4a63a 100644
--- a/core/java/android/net/NetworkCapabilities.java
+++ b/core/java/android/net/NetworkCapabilities.java
@@ -920,7 +920,7 @@ public final class NetworkCapabilities implements Parcelable {
 * empty unless the destination is 1) the System Server, or 2) Telephony. In either case, the
 * receiving entity must have the ACCESS_FINE_LOCATION permission and target R+.
 */
- private int[] mAdministratorUids = new int[0];
+ @NonNull private int[] mAdministratorUids = new int[0];
 /**
 * Sets the int[] of UIDs that are administrators of this network.
diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index 5d350be5b0..d684f0c199 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -7992,11 +7992,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
 // Administrator UIDs also contains the Owner UID
 final int[] administratorUids = nai.networkCapabilities.getAdministratorUids();
- for (final int uid : administratorUids) {
- if (uid == callbackUid) return true;
- }
-
- return false;
+ return ArrayUtils.contains(administratorUids, callbackUid);
 }
 @Override
From cbb19fcba731f9bffc5da3798382ac76ec43ad4a Mon Sep 17 00:00:00 2001 From: Benedict Wong Date: Thu, 26 Mar 2020 21:21:03 -0700 Subject: [PATCH 3/3] Make VpnProfile.maxMtu default value match Ikev2VpnProfile This change corrects the VpnProfile's maxMtu defaults to match that of the Ikev2VpnProfile. 1400 is too high as a default, and Settings will run into an issue here quite often. Bug: 152573931 Test: FrameworksNetTests passing Change-Id: I97ba5903b3cc1ed6a21c706ed3d78bd8ecbeee0c Merged-In: I97ba5903b3cc1ed6a21c706ed3d78bd8ecbeee0c (cherry picked from commit d0a44f49df01a1aefa505ee90c9806dee135b4e4)
---
 tests/net/java/com/android/internal/net/VpnProfileTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
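Review bot: `@NonNull` on the private field `mAdministratorUids` in NetworkCapabilities documents an invariant that nothing in this hunk enforces. The setter whose Javadoc begins right after the field, and any code that rebuilds the object from a Parcel, are outside the hunk; if either can store a null array the annotation becomes misleading for a field that feeds UID-based access decisions. A field comment such as `// Never null: setters and unparcelling must normalise null to an empty array.` would state the contract, and those write paths should be checked against it.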
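Review bot: The loop removed in the ConnectivityService hunk would have thrown on a null array, whereas `ArrayUtils.contains(administratorUids, callbackUid)` returns false for null (assuming this is `com.android.internal.util.ArrayUtils`), so the administrator check now silently denies in that case. That is the safe direction for an access decision, but it is worth stating at the call site, e.g. `// ArrayUtils.contains() is null-safe: a missing administrator list denies the caller.` The hunk adds no import for `ArrayUtils`; presumably the file already has one, which cannot be seen here, and the enclosing method starts outside the hunk.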
diff --git a/tests/net/java/com/android/internal/net/VpnProfileTest.java b/tests/net/java/com/android/internal/net/VpnProfileTest.java
index 8a4b53343c..ceca6f0288 100644
--- a/tests/net/java/com/android/internal/net/VpnProfileTest.java
+++ b/tests/net/java/com/android/internal/net/VpnProfileTest.java
@@ -65,7 +65,7 @@ public class VpnProfileTest {
 assertTrue(p.getAllowedAlgorithms() != null && p.getAllowedAlgorithms().isEmpty());
 assertFalse(p.isBypassable);
 assertFalse(p.isMetered);
- assertEquals(1400, p.maxMtu);
+ assertEquals(1360, p.maxMtu);
 assertFalse(p.areAuthParamsInline);
 }