LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accept accessUids from telephony when it's the carrier config app

Browse Source 
Test: FrameworksNetTests, new test in this patch
Change-Id: I50fab91e107c51d33a5e529c73b83db198a88d2c
This commit is contained in:
Chalard Jean
2022-01-26 16:54:05 +09:00
parent d36de12652
commit ac9ace0bbe
5 changed files with 243 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
tests/unit/java/com/android/server/ConnectivityServiceTest.java
View File

@@ -264,6 +264,7 @@ import android.net.ResolverParamsParcel;
import android.net.RouteInfo;
import android.net.RouteInfoParcel;
import android.net.SocketKeepalive;
import android.net.TelephonyNetworkSpecifier;
import android.net.TransportInfo;
import android.net.UidRange;
import android.net.UidRangeParcel;
@@ -334,6 +335,7 @@ import com.android.net.module.util.LocationPermissionChecker;
import com.android.server.ConnectivityService.ConnectivityDiagnosticsCallbackInfo;
import com.android.server.ConnectivityService.NetworkRequestInfo;
import com.android.server.ConnectivityServiceTest.ConnectivityServiceDependencies.ReportedInterfaces;
import com.android.server.connectivity.CarrierPrivilegeAuthenticator;
import com.android.server.connectivity.ConnectivityFlags;
import com.android.server.connectivity.MockableSystemProperties;
import com.android.server.connectivity.Nat464Xlat;
@@ -529,6 +531,7 @@ public class ConnectivityServiceTest {
@Mock Resources mResources;
@Mock PacProxyManager mPacProxyManager;
@Mock BpfNetMaps mBpfNetMaps;
@Mock CarrierPrivilegeAuthenticator mCarrierPrivilegeAuthenticator;
// BatteryStatsManager is final and cannot be mocked with regular mockito, so just mock the
// underlying binder calls.
@@ -970,8 +973,6 @@ public class ConnectivityServiceTest {
* @param hasInternet Indicate if network should pretend to have NET_CAPABILITY_INTERNET.
*/
public void connect(boolean validated, boolean hasInternet, boolean isStrictMode) {
assertFalse(getNetworkCapabilities().hasCapability(NET_CAPABILITY_INTERNET));
ConnectivityManager.NetworkCallback callback = null;
final ConditionVariable validatedCv = new ConditionVariable();
if (validated) {
@@ -1858,6 +1859,12 @@ public class ConnectivityServiceTest {
};
}
@Override
public CarrierPrivilegeAuthenticator makeCarrierPrivilegeAuthenticator(
@NonNull final Context context, @NonNull final TelephonyManager tm) {
return SdkLevel.isAtLeastT() ? mCarrierPrivilegeAuthenticator : null;
}
@Override
public boolean intentFilterEquals(final PendingIntent a, final PendingIntent b) {
return runAsShell(GET_INTENT_SENDER_INTENT, () -> a.intentFilterEquals(b));
@@ -14643,43 +14650,157 @@ public class ConnectivityServiceTest {
agent.getNetwork().getNetId(),
intToUidRangeStableParcels(uids),
preferenceOrder);
inOrder.verify(mMockNetd, times(1)).networkAddUidRangesParcel(uids200Parcel);
if (SdkLevel.isAtLeastT()) {
inOrder.verify(mMockNetd, times(1)).networkAddUidRangesParcel(uids200Parcel);
}
uids.add(300);
uids.add(400);
nc.setAccessUids(uids);
agent.setNetworkCapabilities(nc, true /* sendToConnectivityService */);
cb.expectCapabilitiesThat(agent, caps -> caps.getAccessUids().equals(uids));
if (SdkLevel.isAtLeastT()) {
cb.expectCapabilitiesThat(agent, caps -> caps.getAccessUids().equals(uids));
} else {
cb.assertNoCallback();
}
uids.remove(200);
final NativeUidRangeConfig uids300400Parcel = new NativeUidRangeConfig(
agent.getNetwork().getNetId(),
intToUidRangeStableParcels(uids),
preferenceOrder);
inOrder.verify(mMockNetd, times(1)).networkAddUidRangesParcel(uids300400Parcel);
if (SdkLevel.isAtLeastT()) {
inOrder.verify(mMockNetd, times(1)).networkAddUidRangesParcel(uids300400Parcel);
}
nc.setAccessUids(uids);
agent.setNetworkCapabilities(nc, true /* sendToConnectivityService */);
cb.expectCapabilitiesThat(agent, caps -> caps.getAccessUids().equals(uids));
inOrder.verify(mMockNetd, times(1)).networkRemoveUidRangesParcel(uids200Parcel);
if (SdkLevel.isAtLeastT()) {
cb.expectCapabilitiesThat(agent, caps -> caps.getAccessUids().equals(uids));
inOrder.verify(mMockNetd, times(1)).networkRemoveUidRangesParcel(uids200Parcel);
} else {
cb.assertNoCallback();
}
uids.clear();
uids.add(600);
nc.setAccessUids(uids);
agent.setNetworkCapabilities(nc, true /* sendToConnectivityService */);
cb.expectCapabilitiesThat(agent, caps -> caps.getAccessUids().equals(uids));
if (SdkLevel.isAtLeastT()) {
cb.expectCapabilitiesThat(agent, caps -> caps.getAccessUids().equals(uids));
} else {
cb.assertNoCallback();
}
final NativeUidRangeConfig uids600Parcel = new NativeUidRangeConfig(
agent.getNetwork().getNetId(),
intToUidRangeStableParcels(uids),
preferenceOrder);
inOrder.verify(mMockNetd, times(1)).networkAddUidRangesParcel(uids600Parcel);
inOrder.verify(mMockNetd, times(1)).networkRemoveUidRangesParcel(uids300400Parcel);
if (SdkLevel.isAtLeastT()) {
inOrder.verify(mMockNetd, times(1)).networkAddUidRangesParcel(uids600Parcel);
inOrder.verify(mMockNetd, times(1)).networkRemoveUidRangesParcel(uids300400Parcel);
}
uids.clear();
nc.setAccessUids(uids);
agent.setNetworkCapabilities(nc, true /* sendToConnectivityService */);
cb.expectCapabilitiesThat(agent, caps -> caps.getAccessUids().isEmpty());
inOrder.verify(mMockNetd, times(1)).networkRemoveUidRangesParcel(uids600Parcel);
if (SdkLevel.isAtLeastT()) {
cb.expectCapabilitiesThat(agent, caps -> caps.getAccessUids().isEmpty());
inOrder.verify(mMockNetd, times(1)).networkRemoveUidRangesParcel(uids600Parcel);
} else {
cb.assertNoCallback();
verify(mMockNetd, never()).networkAddUidRangesParcel(any());
verify(mMockNetd, never()).networkRemoveUidRangesParcel(any());
}
}
@Test
public void testCbsAccessUids() throws Exception {
mServiceContext.setPermission(NETWORK_FACTORY, PERMISSION_GRANTED);
mServiceContext.setPermission(MANAGE_TEST_NETWORKS, PERMISSION_GRANTED);
// In this test TEST_PACKAGE_UID will be the UID of the carrier service UID.
doReturn(true).when(mCarrierPrivilegeAuthenticator)
.hasCarrierPrivilegeForNetworkCapabilities(eq(TEST_PACKAGE_UID), any());
final ArraySet<Integer> serviceUidSet = new ArraySet<>();
serviceUidSet.add(TEST_PACKAGE_UID);
final ArraySet<Integer> nonServiceUidSet = new ArraySet<>();
nonServiceUidSet.add(TEST_PACKAGE_UID2);
final ArraySet<Integer> serviceUidSetPlus = new ArraySet<>();
serviceUidSetPlus.add(TEST_PACKAGE_UID);
serviceUidSetPlus.add(TEST_PACKAGE_UID2);
final TestNetworkCallback cb = new TestNetworkCallback();
// Simulate a restricted telephony network. The telephony factory is entitled to set
// the access UID to the service package on any of its restricted networks.
final NetworkCapabilities.Builder ncb = new NetworkCapabilities.Builder()
.addTransportType(TRANSPORT_CELLULAR)
.addCapability(NET_CAPABILITY_INTERNET)
.addCapability(NET_CAPABILITY_NOT_SUSPENDED)
.addCapability(NET_CAPABILITY_NOT_VCN_MANAGED)
.removeCapability(NET_CAPABILITY_NOT_RESTRICTED)
.setNetworkSpecifier(new TelephonyNetworkSpecifier(1 /* subid */));
// Cell gets to set the service UID as access UID
mCm.requestNetwork(new NetworkRequest.Builder()
.addTransportType(TRANSPORT_CELLULAR)
.removeCapability(NET_CAPABILITY_NOT_RESTRICTED)
.build(), cb);
mCellNetworkAgent = new TestNetworkAgentWrapper(TRANSPORT_CELLULAR,
new LinkProperties(), ncb.build());
mCellNetworkAgent.connect(true);
cb.expectAvailableThenValidatedCallbacks(mCellNetworkAgent);
ncb.setAccessUids(serviceUidSet);
mCellNetworkAgent.setNetworkCapabilities(ncb.build(), true /* sendToCS */);
if (SdkLevel.isAtLeastT()) {
cb.expectCapabilitiesThat(mCellNetworkAgent,
caps -> caps.getAccessUids().equals(serviceUidSet));
} else {
// S must ignore access UIDs.
cb.assertNoCallback(TEST_CALLBACK_TIMEOUT_MS);
}
// ...but not to some other UID. Rejection sets UIDs to the empty set
ncb.setAccessUids(nonServiceUidSet);
mCellNetworkAgent.setNetworkCapabilities(ncb.build(), true /* sendToCS */);
if (SdkLevel.isAtLeastT()) {
cb.expectCapabilitiesThat(mCellNetworkAgent,
caps -> caps.getAccessUids().isEmpty());
} else {
// S must ignore access UIDs.
cb.assertNoCallback(TEST_CALLBACK_TIMEOUT_MS);
}
// ...and also not to multiple UIDs even including the service UID
ncb.setAccessUids(serviceUidSetPlus);
mCellNetworkAgent.setNetworkCapabilities(ncb.build(), true /* sendToCS */);
cb.assertNoCallback(TEST_CALLBACK_TIMEOUT_MS);
mCellNetworkAgent.disconnect();
cb.expectCallback(CallbackEntry.LOST, mCellNetworkAgent);
mCm.unregisterNetworkCallback(cb);
// Must be unset before touching the transports, because remove and add transport types
// check the specifier on the builder immediately, contradicting normal builder semantics
// TODO : fix the builder
ncb.setNetworkSpecifier(null);
ncb.removeTransportType(TRANSPORT_CELLULAR);
ncb.addTransportType(TRANSPORT_WIFI);
// Wifi does not get to set access UID, even to the correct UID
mCm.requestNetwork(new NetworkRequest.Builder()
.addTransportType(TRANSPORT_WIFI)
.removeCapability(NET_CAPABILITY_NOT_RESTRICTED)
.build(), cb);
mWiFiNetworkAgent = new TestNetworkAgentWrapper(TRANSPORT_WIFI,
new LinkProperties(), ncb.build());
mWiFiNetworkAgent.connect(true);
cb.expectAvailableThenValidatedCallbacks(mWiFiNetworkAgent);
ncb.setAccessUids(serviceUidSet);
mWiFiNetworkAgent.setNetworkCapabilities(ncb.build(), true /* sendToCS */);
cb.assertNoCallback(TEST_CALLBACK_TIMEOUT_MS);
mCm.unregisterNetworkCallback(cb);
}
/**

67
tests/unit/java/com/android/server/connectivity/CarrierPrivilegeAuthenticatorTest.java
View File

@@ -17,6 +17,7 @@
package com.android.server.connectivity;
import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR;
import static android.net.NetworkCapabilities.TRANSPORT_WIFI;
import static android.telephony.TelephonyManager.ACTION_MULTI_SIM_CONFIG_CHANGED;
import static com.android.testutils.DevSdkIgnoreRuleKt.SC_V2;
@@ -40,7 +41,9 @@ import android.content.IntentFilter;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.net.NetworkRequest;
import android.net.NetworkSpecifier;
import android.net.TelephonyNetworkSpecifier;
import android.telephony.SubscriptionManager;
import android.telephony.TelephonyManager;
import com.android.networkstack.apishim.TelephonyManagerShimImpl;
@@ -66,27 +69,25 @@ import java.util.List;
@RunWith(DevSdkIgnoreRunner.class)
@IgnoreUpTo(SC_V2) // TODO: Use to Build.VERSION_CODES.SC_V2 when available
public class CarrierPrivilegeAuthenticatorTest {
private static final String PACKAGE_NAME =
CarrierPrivilegeAuthenticatorTest.class.getPackage().getName();
private static final int TEST_SIM_SLOT_INDEX = 0;
private static final int TEST_SUBSCRIPTION_ID_1 = 2;
private static final int TEST_SUBSCRIPTION_ID_2 = 3;
private static final int SUBSCRIPTION_COUNT = 2;
private static final int TEST_SUBSCRIPTION_ID = 1;
@NonNull private final Context mContext;
@NonNull private final TelephonyManager mTelephonyManager;
@NonNull private final TelephonyManagerShimImpl mTelephonyManagerShim;
@NonNull private final PackageManager mPackageManager;
@NonNull private CarrierPrivilegeAuthenticatorChild mCarrierPrivilegeAuthenticator;
@NonNull private TestCarrierPrivilegeAuthenticator mCarrierPrivilegeAuthenticator;
private final int mCarrierConfigPkgUid = 12345;
private final String mTestPkg = "com.android.server.connectivity.test";
public class CarrierPrivilegeAuthenticatorChild extends CarrierPrivilegeAuthenticator {
CarrierPrivilegeAuthenticatorChild(@NonNull final Context c,
public class TestCarrierPrivilegeAuthenticator extends CarrierPrivilegeAuthenticator {
TestCarrierPrivilegeAuthenticator(@NonNull final Context c,
@NonNull final TelephonyManager t) {
super(c, t, mTelephonyManagerShim);
}
@Override
protected int getSlotIndex(int subId) {
if (SubscriptionManager.DEFAULT_SUBSCRIPTION_ID == subId) return TEST_SUBSCRIPTION_ID;
return subId;
}
}
@@ -100,7 +101,7 @@ public class CarrierPrivilegeAuthenticatorTest {
@Before
public void setUp() throws Exception {
doReturn(2).when(mTelephonyManager).getActiveModemCount();
doReturn(SUBSCRIPTION_COUNT).when(mTelephonyManager).getActiveModemCount();
doReturn(mTestPkg).when(mTelephonyManagerShim)
.getCarrierServicePackageNameForLogicalSlot(anyInt());
doReturn(mPackageManager).when(mContext).getPackageManager();
@@ -109,7 +110,7 @@ public class CarrierPrivilegeAuthenticatorTest {
doReturn(applicationInfo).when(mPackageManager)
.getApplicationInfo(eq(mTestPkg), anyInt());
mCarrierPrivilegeAuthenticator =
new CarrierPrivilegeAuthenticatorChild(mContext, mTelephonyManager);
new TestCarrierPrivilegeAuthenticator(mContext, mTelephonyManager);
}
private IntentFilter getIntentFilter() {
@@ -126,7 +127,6 @@ public class CarrierPrivilegeAuthenticatorTest {
verify(mTelephonyManagerShim, atLeastOnce())
.addCarrierPrivilegesListener(anyInt(), any(), captor.capture());
} catch (UnsupportedApiLevelException e) {
}
return captor.getAllValues();
}
@@ -160,10 +160,10 @@ public class CarrierPrivilegeAuthenticatorTest {
networkRequestBuilder.addTransportType(TRANSPORT_CELLULAR);
networkRequestBuilder.setNetworkSpecifier(telephonyNetworkSpecifier);
assertTrue(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkRequest(
mCarrierConfigPkgUid, networkRequestBuilder.build()));
assertFalse(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkRequest(
mCarrierConfigPkgUid + 1, networkRequestBuilder.build()));
assertTrue(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid, networkRequestBuilder.build().networkCapabilities));
assertFalse(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid + 1, networkRequestBuilder.build().networkCapabilities));
}
@Test
@@ -192,10 +192,10 @@ public class CarrierPrivilegeAuthenticatorTest {
final NetworkRequest.Builder networkRequestBuilder = new NetworkRequest.Builder();
networkRequestBuilder.addTransportType(TRANSPORT_CELLULAR);
networkRequestBuilder.setNetworkSpecifier(telephonyNetworkSpecifier);
assertTrue(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkRequest(
mCarrierConfigPkgUid, networkRequestBuilder.build()));
assertFalse(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkRequest(
mCarrierConfigPkgUid + 1, networkRequestBuilder.build()));
assertTrue(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid, networkRequestBuilder.build().networkCapabilities));
assertFalse(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid + 1, networkRequestBuilder.build().networkCapabilities));
}
@Test
@@ -215,9 +215,30 @@ public class CarrierPrivilegeAuthenticatorTest {
.getApplicationInfo(eq(mTestPkg), anyInt());
listener.onCarrierPrivilegesChanged(Collections.emptyList(), new int[] {});
assertFalse(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkRequest(
mCarrierConfigPkgUid, networkRequestBuilder.build()));
assertTrue(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkRequest(
mCarrierConfigPkgUid + 1, networkRequestBuilder.build()));
assertFalse(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid, networkRequestBuilder.build().networkCapabilities));
assertTrue(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid + 1, networkRequestBuilder.build().networkCapabilities));
}
@Test
public void testDefaultSubscription() throws Exception {
final NetworkRequest.Builder networkRequestBuilder = new NetworkRequest.Builder();
networkRequestBuilder.addTransportType(TRANSPORT_CELLULAR);
assertFalse(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid, networkRequestBuilder.build().networkCapabilities));
networkRequestBuilder.setNetworkSpecifier(new TelephonyNetworkSpecifier(0));
assertTrue(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid, networkRequestBuilder.build().networkCapabilities));
// The builder for NetworkRequest doesn't allow removing the transport as long as a
// specifier is set, so unset it first. TODO : fix the builder
networkRequestBuilder.setNetworkSpecifier((NetworkSpecifier) null);
networkRequestBuilder.removeTransportType(TRANSPORT_CELLULAR);
networkRequestBuilder.addTransportType(TRANSPORT_WIFI);
networkRequestBuilder.setNetworkSpecifier(new TelephonyNetworkSpecifier(0));
assertFalse(mCarrierPrivilegeAuthenticator.hasCarrierPrivilegeForNetworkCapabilities(
mCarrierConfigPkgUid, networkRequestBuilder.build().networkCapabilities));
}
}