LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Only apply VPN isolation if it's fully routed

Browse Source 
VPN is considered fully routed if both IPv4 and IPv6 have
either a default route or a prohibit route.

Bug: 145332510
Test: atest FrameworksNetTests
Merged-In: I59cf48552bca98092d1212e3d718fd420add5458
Change-Id: I59cf48552bca98092d1212e3d718fd420add5458
This commit is contained in:
Lorenzo Colitti
2020-04-02 04:50:41 +00:00
parent 86ae134de8
commit 7fb7c3e0bf
6 changed files with 146 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
core/java/android/net/LinkProperties.java
View File

@@ -1073,6 +1073,21 @@ public final class LinkProperties implements Parcelable {
return false;
}
/**
* Returns true if this link has an IPv4 unreachable default route.
*
* @return {@code true} if there is an IPv4 unreachable default route, {@code false} otherwise.
* @hide
*/
public boolean hasIpv4UnreachableDefaultRoute() {
for (RouteInfo r : mRoutes) {
if (r.isIPv4UnreachableDefault()) {
return true;
}
}
return false;
}
/**
* For backward compatibility.
* This was annotated with @UnsupportedAppUsage in P, so we can't remove the method completely
@@ -1101,6 +1116,21 @@ public final class LinkProperties implements Parcelable {
return false;
}
/**
* Returns true if this link has an IPv6 unreachable default route.
*
* @return {@code true} if there is an IPv6 unreachable default route, {@code false} otherwise.
* @hide
*/
public boolean hasIpv6UnreachableDefaultRoute() {
for (RouteInfo r : mRoutes) {
if (r.isIPv6UnreachableDefault()) {
return true;
}
}
return false;
}
/**
* For backward compatibility.
* This was annotated with @UnsupportedAppUsage in P, so we can't remove the method completely

26
core/java/android/net/RouteInfo.java
View File

@@ -425,6 +425,16 @@ public final class RouteInfo implements Parcelable {
return mType == RTN_UNICAST && mDestination.getPrefixLength() == 0;
}
/**
* Indicates if this route is an unreachable default route.
*
* @return {@code true} if it's an unreachable route with prefix length of 0.
* @hide
*/
private boolean isUnreachableDefaultRoute() {
return mType == RTN_UNREACHABLE && mDestination.getPrefixLength() == 0;
}
/**
* Indicates if this route is an IPv4 default route.
* @hide
@@ -433,6 +443,14 @@ public final class RouteInfo implements Parcelable {
return isDefaultRoute() && mDestination.getAddress() instanceof Inet4Address;
}
/**
* Indicates if this route is an IPv4 unreachable default route.
* @hide
*/
public boolean isIPv4UnreachableDefault() {
return isUnreachableDefaultRoute() && mDestination.getAddress() instanceof Inet4Address;
}
/**
* Indicates if this route is an IPv6 default route.
* @hide
@@ -441,6 +459,14 @@ public final class RouteInfo implements Parcelable {
return isDefaultRoute() && mDestination.getAddress() instanceof Inet6Address;
}
/**
* Indicates if this route is an IPv6 unreachable default route.
* @hide
*/
public boolean isIPv6UnreachableDefault() {
return isUnreachableDefaultRoute() && mDestination.getAddress() instanceof Inet6Address;
}
/**
* Indicates if this route is a host route (ie, matches only a single host address).
*

3
services/core/java/com/android/server/ConnectivityService.java
View File

@@ -6313,7 +6313,8 @@ public class ConnectivityService extends IConnectivityManager.Stub
&& !nai.networkAgentConfig.allowBypass
&& nc.getOwnerUid() != Process.SYSTEM_UID
&& lp.getInterfaceName() != null
&& (lp.hasIPv4DefaultRoute() || lp.hasIPv6DefaultRoute());
&& (lp.hasIPv4DefaultRoute() || lp.hasIpv4UnreachableDefaultRoute())
&& (lp.hasIPv6DefaultRoute() || lp.hasIpv6UnreachableDefaultRoute());
}
private void updateUids(NetworkAgentInfo nai, NetworkCapabilities prevNc,

25
tests/net/common/java/android/net/LinkPropertiesTest.java
View File

@@ -16,6 +16,8 @@
package android.net;
import static android.net.RouteInfo.RTN_UNREACHABLE;
import static com.android.testutils.ParcelUtilsKt.assertParcelSane;
import static com.android.testutils.ParcelUtilsKt.assertParcelingIsLossless;
import static com.android.testutils.ParcelUtilsKt.parcelingRoundTrip;
@@ -46,6 +48,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
@@ -1251,4 +1254,26 @@ public class LinkPropertiesTest {
final LinkProperties Ipv6 = makeIpv6LinkProperties();
assertTrue(Ipv6.hasIpv6DnsServer());
}
@Test @IgnoreUpTo(Build.VERSION_CODES.Q)
public void testHasIpv4UnreachableDefaultRoute() {
final LinkProperties lp = makeTestObject();
assertFalse(lp.hasIpv4UnreachableDefaultRoute());
assertFalse(lp.hasIpv6UnreachableDefaultRoute());
lp.addRoute(new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), RTN_UNREACHABLE));
assertTrue(lp.hasIpv4UnreachableDefaultRoute());
assertFalse(lp.hasIpv6UnreachableDefaultRoute());
}
@Test @IgnoreUpTo(Build.VERSION_CODES.Q)
public void testHasIpv6UnreachableDefaultRoute() {
final LinkProperties lp = makeTestObject();
assertFalse(lp.hasIpv6UnreachableDefaultRoute());
assertFalse(lp.hasIpv4UnreachableDefaultRoute());
lp.addRoute(new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), RTN_UNREACHABLE));
assertTrue(lp.hasIpv6UnreachableDefaultRoute());
assertFalse(lp.hasIpv4UnreachableDefaultRoute());
}
}

58
tests/net/common/java/android/net/RouteInfoTest.java
View File

@@ -31,6 +31,7 @@ import static org.junit.Assert.fail;
import android.os.Build;
import androidx.core.os.BuildCompat;
import androidx.test.filters.SmallTest;
import androidx.test.runner.AndroidJUnit4;
@@ -62,6 +63,11 @@ public class RouteInfoTest {
return new IpPrefix(prefix);
}
private static boolean isAtLeastR() {
// BuildCompat.isAtLeastR is documented to return false on release SDKs (including R)
return Build.VERSION.SDK_INT > Build.VERSION_CODES.Q || BuildCompat.isAtLeastR();
}
@Test
public void testConstructor() {
RouteInfo r;
@@ -195,78 +201,130 @@ public class RouteInfoTest {
assertTrue(r.isDefaultRoute());
assertTrue(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("::/0"), Address("::"), "wlan0");
assertFalse(r.isHostRoute());
assertTrue(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertTrue(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("192.0.2.0/24"), null, "wlan0");
assertFalse(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("2001:db8::/48"), null, "wlan0");
assertFalse(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("192.0.2.0/32"), Address("0.0.0.0"), "wlan0");
assertTrue(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("2001:db8::/128"), Address("::"), "wlan0");
assertTrue(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("192.0.2.0/32"), null, "wlan0");
assertTrue(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("2001:db8::/128"), null, "wlan0");
assertTrue(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("::/128"), Address("fe80::"), "wlan0");
assertTrue(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("0.0.0.0/32"), Address("192.0.2.1"), "wlan0");
assertTrue(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(Prefix("0.0.0.0/32"), Address("192.0.2.1"), "wlan0");
assertTrue(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), RTN_UNREACHABLE);
assertFalse(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertTrue(r.isIPv4UnreachableDefault());
assertFalse(r.isIPv6UnreachableDefault());
}
r = new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), RTN_UNREACHABLE);
assertFalse(r.isHostRoute());
assertFalse(r.isDefaultRoute());
assertFalse(r.isIPv4Default());
assertFalse(r.isIPv6Default());
if (isAtLeastR()) {
assertFalse(r.isIPv4UnreachableDefault());
assertTrue(r.isIPv6UnreachableDefault());
}
}
@Test

5
tests/net/java/com/android/server/ConnectivityServiceTest.java
View File

@@ -6336,6 +6336,7 @@ public class ConnectivityServiceTest {
LinkProperties lp = new LinkProperties();
lp.setInterfaceName("tun0");
lp.addRoute(new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), null));
lp.addRoute(new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), RTN_UNREACHABLE));
// The uid range needs to cover the test app so the network is visible to it.
final Set<UidRange> vpnRange = Collections.singleton(UidRange.createForUser(VPN_USER));
final TestNetworkAgentWrapper vpnNetworkAgent = establishVpn(lp, VPN_UID, vpnRange);
@@ -6361,6 +6362,7 @@ public class ConnectivityServiceTest {
public void testLegacyVpnDoesNotResultInInterfaceFilteringRule() throws Exception {
LinkProperties lp = new LinkProperties();
lp.setInterfaceName("tun0");
lp.addRoute(new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), null));
lp.addRoute(new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), null));
// The uid range needs to cover the test app so the network is visible to it.
final Set<UidRange> vpnRange = Collections.singleton(UidRange.createForUser(VPN_USER));
@@ -6392,6 +6394,7 @@ public class ConnectivityServiceTest {
LinkProperties lp = new LinkProperties();
lp.setInterfaceName("tun0");
lp.addRoute(new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), null));
lp.addRoute(new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), null));
// The uid range needs to cover the test app so the network is visible to it.
final Set<UidRange> vpnRange = Collections.singleton(UidRange.createForUser(VPN_USER));
final TestNetworkAgentWrapper vpnNetworkAgent = establishVpn(lp, VPN_UID, vpnRange);
@@ -6428,6 +6431,7 @@ public class ConnectivityServiceTest {
reset(mMockNetd);
lp = new LinkProperties();
lp.setInterfaceName("tun1");
lp.addRoute(new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), RTN_UNREACHABLE));
lp.addRoute(new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), null));
vpnNetworkAgent.sendLinkProperties(lp);
waitForIdle();
@@ -6440,6 +6444,7 @@ public class ConnectivityServiceTest {
public void testUidUpdateChangesInterfaceFilteringRule() throws Exception {
LinkProperties lp = new LinkProperties();
lp.setInterfaceName("tun0");
lp.addRoute(new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), RTN_UNREACHABLE));
lp.addRoute(new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), null));
// The uid range needs to cover the test app so the network is visible to it.
final UidRange vpnRange = UidRange.createForUser(VPN_USER);