From 80ec50b8ae0dadf5333f85a84c17e7d106eac08c Mon Sep 17 00:00:00 2001
From: junyulai <junyulai@google.com>
Date: Wed, 8 May 2019 11:46:25 +0800
Subject: [PATCH] add cts for unprivileged keepalive slots

Currently, unprivileged Nat-T keepalives are limited to 1 slot
per uid. Add CTS to verify that the keepalive slots are limited
as customized for unprivileged requests.

Bug: 129371366
Test: atest android.net.cts
      .ConnectivityManagerTest#testSocketKeepaliveUnprivileged
      --generate-new-metrics 10

Change-Id: I60b9e9ae9cf2b63490493ced9738cd2f402c3f9b
---
 .../net/cts/ConnectivityManagerTest.java      | 51 +++++++++++++++----
 1 file changed, 42 insertions(+), 9 deletions(-)

diff --git a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
index e89a4227cb..ea441a7fff 100644
--- a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
+++ b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
@@ -1184,6 +1184,16 @@ public class ConnectivityManagerTest extends AndroidTestCase {
         return s;
     }
 
+    private int getSupportedKeepalivesFromRes() throws Exception {
+        final Network network = ensureWifiConnected();
+        final NetworkCapabilities nc = mCm.getNetworkCapabilities(network);
+
+        // Get number of supported concurrent keepalives for testing network.
+        final int[] keepalivesPerTransport = KeepaliveUtils.getSupportedKeepalives(mContext);
+        return KeepaliveUtils.getSupportedKeepalivesForNetworkCapabilities(
+                keepalivesPerTransport, nc);
+    }
+
     private boolean isKeepaliveSupported() throws Exception {
         final Network network = ensureWifiConnected();
         final Executor executor = mContext.getMainExecutor();
@@ -1293,7 +1303,8 @@ public class ConnectivityManagerTest extends AndroidTestCase {
     }
 
     private int createConcurrentSocketKeepalives(int nattCount, int tcpCount) throws Exception {
-        if (!isKeepaliveSupported()) return 0;
+        // Use customization value in resource to prevent the need of privilege.
+        if (getSupportedKeepalivesFromRes() == 0) return 0;
 
         final Network network = ensureWifiConnected();
 
@@ -1374,16 +1385,10 @@ public class ConnectivityManagerTest extends AndroidTestCase {
     public void testSocketKeepaliveLimit() throws Exception {
         adoptShellPermissionIdentity();
 
-        final Network network = ensureWifiConnected();
-        final NetworkCapabilities nc = mCm.getNetworkCapabilities(network);
+        final int supported = getSupportedKeepalivesFromRes();
 
-        // Get number of supported concurrent keepalives for testing network.
-        final int[] keepalivesPerTransport = KeepaliveUtils.getSupportedKeepalives(mContext);
-        final int supported = KeepaliveUtils.getSupportedKeepalivesForNetworkCapabilities(
-                keepalivesPerTransport, nc);
-
-        // Sanity check.
         if (!isKeepaliveSupported()) {
+            // Sanity check.
             assertEquals(0, supported);
             return;
         }
@@ -1408,6 +1413,34 @@ public class ConnectivityManagerTest extends AndroidTestCase {
         dropShellPermissionIdentity();
     }
 
+    /**
+     * Verifies that the keepalive slots are limited as customized for unprivileged requests.
+     */
+    public void testSocketKeepaliveUnprivileged() throws Exception {
+        final int supported = getSupportedKeepalivesFromRes();
+
+        adoptShellPermissionIdentity();
+        if (!isKeepaliveSupported()) {
+            // Sanity check.
+            assertEquals(0, supported);
+            return;
+        }
+        dropShellPermissionIdentity();
+
+        final int allowedUnprivilegedPerUid = mContext.getResources().getInteger(
+                R.integer.config_allowedUnprivilegedKeepalivePerUid);
+        final int reservedPrivilegedSlots = mContext.getResources().getInteger(
+                R.integer.config_reservedPrivilegedKeepaliveSlots);
+        // Verifies that unprivileged request per uid cannot exceed the limit customized in the
+        // resource. Currently, unprivileged keepalive slots are limited to Nat-T only, this test
+        // does not apply to TCP.
+        assertGreaterOrEqual(supported, reservedPrivilegedSlots);
+        assertGreaterOrEqual(supported, allowedUnprivilegedPerUid);
+        final int expectedUnprivileged =
+                Math.min(allowedUnprivilegedPerUid, supported - reservedPrivilegedSlots);
+        assertEquals(expectedUnprivileged, createConcurrentSocketKeepalives(supported + 1, 0));
+    }
+
     private static void assertGreaterOrEqual(long greater, long lesser) {
         assertTrue("" + greater + " expected to be greater than or equal to " + lesser,
                 greater >= lesser);