Merge "Mock Vpn.setAlwaysOnPackage()." into main

Hansen Kurli
2023-10-24 03:11:38 +00:00
committed by Gerrit Code Review


@@ -935,12 +935,6 @@ public class ConnectivityServiceTest {
return appUid + (firstSdkSandboxUid - Process.FIRST_APPLICATION_UID); return appUid + (firstSdkSandboxUid - Process.FIRST_APPLICATION_UID);
} }
// This function assumes the UID range for user 0 ([1, 99999])
private static UidRangeParcel[] uidRangeParcelsExcludingUids(Integer... excludedUids) {
final List<Integer> uids = Arrays.asList(excludedUids);
return intToUidRangeStableParcels(intRangesPrimaryExcludingUids(uids));
}
// Create the list of ranges for the primary user (User 0), excluding excludedUids. // Create the list of ranges for the primary user (User 0), excluding excludedUids.
private static List<Range<Integer>> intRangesPrimaryExcludingUids(List<Integer> excludedUids) { private static List<Range<Integer>> intRangesPrimaryExcludingUids(List<Integer> excludedUids) {
final List<Integer> excludedUidsList = new ArrayList<>(excludedUids); final List<Integer> excludedUidsList = new ArrayList<>(excludedUids);
@@ -9527,8 +9521,16 @@ public class ConnectivityServiceTest {
assertNotNull(mCm.getActiveNetworkForUid(restrictedUid)); assertNotNull(mCm.getActiveNetworkForUid(restrictedUid));
// Enable always-on VPN lockdown. The main user loses network access because no VPN is up. // Enable always-on VPN lockdown. The main user loses network access because no VPN is up.
final ArrayList<String> allowList = new ArrayList<>(); // Coverage in VpnTest.
mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList); final List<Integer> excludedUids = new ArrayList<>();
excludedUids.add(VPN_UID);
if (mDeps.isAtLeastT()) {
// On T onwards, the corresponding SDK sandbox UID should also be excluded
excludedUids.add(toSdkSandboxUid(VPN_UID));
}
final List<Range<Integer>> primaryRanges = intRangesPrimaryExcludingUids(excludedUids);
mCm.setRequireVpnForUids(true, primaryRanges);
waitForIdle(); waitForIdle();
assertNull(mCm.getActiveNetworkForUid(uid)); assertNull(mCm.getActiveNetworkForUid(uid));
// This is arguably overspecified: a UID that is not running doesn't have an active network. // This is arguably overspecified: a UID that is not running doesn't have an active network.
@@ -9540,12 +9542,6 @@ public class ConnectivityServiceTest {
// TODO: check that VPN app within restricted profile still has access, etc. // TODO: check that VPN app within restricted profile still has access, etc.
// Add a restricted user. // Add a restricted user.
// This is equivalent to `mMockVpn.onUserAdded(RESTRICTED_USER);`, coverage in VpnTest. // This is equivalent to `mMockVpn.onUserAdded(RESTRICTED_USER);`, coverage in VpnTest.
final List<Integer> excludedUids = new ArrayList<Integer>();
excludedUids.add(VPN_UID);
if (mDeps.isAtLeastT()) {
// On T onwards, the corresponding SDK sandbox UID should also be excluded
excludedUids.add(toSdkSandboxUid(VPN_UID));
}
final List<Range<Integer>> restrictedRanges = final List<Range<Integer>> restrictedRanges =
intRangesExcludingUids(RESTRICTED_USER, excludedUids); intRangesExcludingUids(RESTRICTED_USER, excludedUids);
mCm.setRequireVpnForUids(true, restrictedRanges); mCm.setRequireVpnForUids(true, restrictedRanges);
@@ -9563,7 +9559,8 @@ public class ConnectivityServiceTest {
assertNull(mCm.getActiveNetworkForUid(uid)); assertNull(mCm.getActiveNetworkForUid(uid));
assertNotNull(mCm.getActiveNetworkForUid(restrictedUid)); assertNotNull(mCm.getActiveNetworkForUid(restrictedUid));
mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList); mCm.setRequireVpnForUids(false, primaryRanges);
waitForIdle(); waitForIdle();
} }
@@ -10016,18 +10013,20 @@ public class ConnectivityServiceTest {
new Handler(ConnectivityThread.getInstanceLooper())); new Handler(ConnectivityThread.getInstanceLooper()));
final int uid = Process.myUid(); final int uid = Process.myUid();
final ArrayList<String> allowList = new ArrayList<>();
mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
waitForIdle();
final Set<Integer> excludedUids = new ArraySet<Integer>(); // Enable always-on VPN lockdown, coverage in VpnTest.
final List<Integer> excludedUids = new ArrayList<Integer>();
excludedUids.add(VPN_UID); excludedUids.add(VPN_UID);
if (mDeps.isAtLeastT()) { if (mDeps.isAtLeastT()) {
// On T onwards, the corresponding SDK sandbox UID should also be excluded // On T onwards, the corresponding SDK sandbox UID should also be excluded
excludedUids.add(toSdkSandboxUid(VPN_UID)); excludedUids.add(toSdkSandboxUid(VPN_UID));
} }
final UidRangeParcel[] uidRangeParcels = uidRangeParcelsExcludingUids(
excludedUids.toArray(new Integer[0])); final List<Range<Integer>> primaryRanges = intRangesPrimaryExcludingUids(excludedUids);
mCm.setRequireVpnForUids(true, primaryRanges);
waitForIdle();
final UidRangeParcel[] uidRangeParcels = intToUidRangeStableParcels(primaryRanges);
InOrder inOrder = inOrder(mMockNetd); InOrder inOrder = inOrder(mMockNetd);
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels); expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels);
@@ -10047,7 +10046,8 @@ public class ConnectivityServiceTest {
assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED); assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED);
// Disable lockdown, expect to see the network unblocked. // Disable lockdown, expect to see the network unblocked.
mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList); mCm.setRequireVpnForUids(false, primaryRanges);
waitForIdle();
callback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked()); callback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked()); defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
vpnUidCallback.assertNoCallback(); vpnUidCallback.assertNoCallback();
@@ -10060,22 +10060,25 @@ public class ConnectivityServiceTest {
assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED); assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED); assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
// Add our UID to the allowlist and re-enable lockdown, expect network is not blocked. // Add our UID to the allowlist, expect network is not blocked. Coverage in VpnTest.
allowList.add(TEST_PACKAGE_NAME); excludedUids.add(uid);
mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList); if (mDeps.isAtLeastT()) {
// On T onwards, the corresponding SDK sandbox UID should also be excluded
excludedUids.add(toSdkSandboxUid(uid));
}
final List<Range<Integer>> primaryRangesExcludingUid =
intRangesPrimaryExcludingUids(excludedUids);
mCm.setRequireVpnForUids(true, primaryRangesExcludingUid);
waitForIdle();
callback.assertNoCallback(); callback.assertNoCallback();
defaultCallback.assertNoCallback(); defaultCallback.assertNoCallback();
vpnUidCallback.assertNoCallback(); vpnUidCallback.assertNoCallback();
vpnUidDefaultCallback.assertNoCallback(); vpnUidDefaultCallback.assertNoCallback();
vpnDefaultCallbackAsUid.assertNoCallback(); vpnDefaultCallbackAsUid.assertNoCallback();
excludedUids.add(uid); final UidRangeParcel[] uidRangeParcelsAlsoExcludingUs =
if (mDeps.isAtLeastT()) { intToUidRangeStableParcels(primaryRangesExcludingUid);
// On T onwards, the corresponding SDK sandbox UID should also be excluded
excludedUids.add(toSdkSandboxUid(uid));
}
final UidRangeParcel[] uidRangeParcelsAlsoExcludingUs = uidRangeParcelsExcludingUids(
excludedUids.toArray(new Integer[0]));
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcelsAlsoExcludingUs); expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcelsAlsoExcludingUs);
assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID)); assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID));
assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetwork()); assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetwork());
@@ -10098,15 +10101,15 @@ public class ConnectivityServiceTest {
assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED); assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED); assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
// Disable lockdown, remove our UID from the allowlist, and re-enable lockdown. // Disable lockdown
// Everything should now be blocked. mCm.setRequireVpnForUids(false, primaryRangesExcludingUid);
mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
waitForIdle(); waitForIdle();
expectNetworkRejectNonSecureVpn(inOrder, false, uidRangeParcelsAlsoExcludingUs); expectNetworkRejectNonSecureVpn(inOrder, false, uidRangeParcelsAlsoExcludingUs);
allowList.clear(); // Remove our UID from the allowlist, and re-enable lockdown.
mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList); mCm.setRequireVpnForUids(true, primaryRanges);
waitForIdle(); waitForIdle();
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels); expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels);
// Everything should now be blocked.
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked()); defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent); assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback(); vpnUidCallback.assertNoCallback();
@@ -10119,7 +10122,7 @@ public class ConnectivityServiceTest {
assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED); assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED);
// Disable lockdown. Everything is unblocked. // Disable lockdown. Everything is unblocked.
mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList); mCm.setRequireVpnForUids(false, primaryRanges);
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked()); defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, false, mWiFiAgent, mCellAgent); assertBlockedCallbackInAnyOrder(callback, false, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback(); vpnUidCallback.assertNoCallback();
@@ -10132,7 +10135,7 @@ public class ConnectivityServiceTest {
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED); assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
// Enable lockdown and connect a VPN. The VPN is not blocked. // Enable lockdown and connect a VPN. The VPN is not blocked.
mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList); mCm.setRequireVpnForUids(true, primaryRanges);
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked()); defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent); assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback(); vpnUidCallback.assertNoCallback();
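Review bot: In the hunk at -10016 the expected netd argument is now derived from the same list the test passes in (`uidRangeParcels = intToUidRangeStableParcels(primaryRanges)` right after `mCm.setRequireVpnForUids(true, primaryRanges)`), so the `expectNetworkRejectNonSecureVpn` checks appear to show only that ConnectivityService forwards the ranges, not that the right UIDs are exempt from lockdown. The short `// Coverage in VpnTest.` comments do not say this; I would spell it out where the ranges are built, e.g. `// Lockdown ranges are hand-built here; deriving them from the always-on package and its allowlist is covered in VpnTest.` The comments that still mention an allowlist (`// Add our UID to the allowlist, ...` and `// Remove our UID from the allowlist, and re-enable lockdown.`) would read better as excluding our UID from the lockdown ranges, since the `allowList` variable is removed by this change. The test methods start and end outside these hunks, so whether anything else in them still exercises `mMockVpn` is not visible here.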