Remove LOCKDOWN from FirewallChain IntDef

LOCKDOWN_VPN was in the FirewallChain IntDef but this was not a right place because LOCKDOWN_VPN was not a valid value for Connectivity APIs that take an argument annotated with @FirewallChain(setUidFirewallRule, setFirewallChainEnabled, replaceFirewallChain). LOCKDOWN_VPN was in the FirewallChain IntDef because BpfNetMaps#setUidRule was used to add/remove LOCKDOWN_VPN entries. This commit adds BpfNetMaps#updateUidLockdownRule and uses this to add/remove LOCKDOWN_VPN entries instead of BpfNetMaps#setUidRule and removes LOCKDOWN from FirewallChain. Bug: 206482423 Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest HostsideVpnTests#testBlockIncomingPacket Change-Id: Iff9b9792fc0f208f153e10e396c6d5034b412d7c
2022-05-19 06:23:40 +00:00
parent 5c74cab9a8
commit 8b42e6d431
10 changed files with 70 additions and 74 deletions
--- a/service/native/TrafficControllerTest.cpp
+++ b/service/native/TrafficControllerTest.cpp
@@ -215,7 +215,7 @@ class TrafficControllerTest : public ::testing::Test {
        checkEachUidValue(uids, match);
    }

-    void expectUidOwnerMapValues(const std::vector<uint32_t>& appUids, uint8_t expectedRule,
+    void expectUidOwnerMapValues(const std::vector<uint32_t>& appUids, uint32_t expectedRule,
                                 uint32_t expectedIif) {
        for (uint32_t uid : appUids) {
            Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
@@ -389,7 +389,6 @@ TEST_F(TrafficControllerTest, TestChangeUidOwnerRule) {
    checkUidOwnerRuleForChain(POWERSAVE, POWERSAVE_MATCH);
    checkUidOwnerRuleForChain(RESTRICTED, RESTRICTED_MATCH);
    checkUidOwnerRuleForChain(LOW_POWER_STANDBY, LOW_POWER_STANDBY_MATCH);
-    checkUidOwnerRuleForChain(LOCKDOWN, LOCKDOWN_VPN_MATCH);
    checkUidOwnerRuleForChain(OEM_DENY_1, OEM_DENY_1_MATCH);
    checkUidOwnerRuleForChain(OEM_DENY_2, OEM_DENY_2_MATCH);
    checkUidOwnerRuleForChain(OEM_DENY_3, OEM_DENY_3_MATCH);
@@ -521,6 +520,21 @@ TEST_F(TrafficControllerTest, TestRemoveUidInterfaceFilteringRules) {
    expectMapEmpty(mFakeUidOwnerMap);
 }

+TEST_F(TrafficControllerTest, TestUpdateUidLockdownRule) {
+    // Add Lockdown rules
+    ASSERT_TRUE(isOk(mTc.updateUidLockdownRule(1000, true /* add */)));
+    ASSERT_TRUE(isOk(mTc.updateUidLockdownRule(1001, true /* add */)));
+    expectUidOwnerMapValues({1000, 1001}, LOCKDOWN_VPN_MATCH, 0);
+
+    // Remove one of Lockdown rules
+    ASSERT_TRUE(isOk(mTc.updateUidLockdownRule(1000, false /* add */)));
+    expectUidOwnerMapValues({1001}, LOCKDOWN_VPN_MATCH, 0);
+
+    // Remove remaining Lockdown rule
+    ASSERT_TRUE(isOk(mTc.updateUidLockdownRule(1001, false /* add */)));
+    expectMapEmpty(mFakeUidOwnerMap);
+}
+
 TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesCoexistWithExistingMatches) {
    // Set up existing PENALTY_BOX_MATCH rules
    ASSERT_TRUE(isOk(updateUidOwnerMaps({1000, 1001, 10012}, PENALTY_BOX_MATCH,
@@ -802,7 +816,6 @@ TEST_F(TrafficControllerTest, getFirewallType) {
            {POWERSAVE, ALLOWLIST},
            {RESTRICTED, ALLOWLIST},
            {LOW_POWER_STANDBY, ALLOWLIST},
-            {LOCKDOWN, DENYLIST},
            {OEM_DENY_1, DENYLIST},
            {OEM_DENY_2, DENYLIST},
            {INVALID_CHAIN, DENYLIST},