Merge "Skip VPN filtering tests on unsupported versions"
This commit is contained in:
Motomu Utsumi
@@ -9505,7 +9505,7 @@ public class ConnectivityServiceTest {
|
|||||||
b2.expectBroadcast();
|
b2.expectBroadcast();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test @IgnoreUpTo(Build.VERSION_CODES.S_V2)
|
||||||
public void testLockdownSetFirewallUidRule() throws Exception {
|
public void testLockdownSetFirewallUidRule() throws Exception {
|
||||||
// For ConnectivityService#setAlwaysOnVpnPackage.
|
// For ConnectivityService#setAlwaysOnVpnPackage.
|
||||||
mServiceContext.setPermission(
|
mServiceContext.setPermission(
|
||||||
@@ -10428,7 +10428,7 @@ public class ConnectivityServiceTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testLegacyVpnSetInterfaceFilteringRuleWithWildcard() throws Exception {
|
public void testLegacyVpnInterfaceFilteringRule() throws Exception {
|
||||||
LinkProperties lp = new LinkProperties();
|
LinkProperties lp = new LinkProperties();
|
||||||
lp.setInterfaceName("tun0");
|
lp.setInterfaceName("tun0");
|
||||||
lp.addRoute(new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), null));
|
lp.addRoute(new RouteInfo(new IpPrefix(Inet6Address.ANY, 0), null));
|
||||||
@@ -10438,29 +10438,34 @@ public class ConnectivityServiceTest {
|
|||||||
mMockVpn.establish(lp, Process.SYSTEM_UID, vpnRange);
|
mMockVpn.establish(lp, Process.SYSTEM_UID, vpnRange);
|
||||||
assertVpnUidRangesUpdated(true, vpnRange, Process.SYSTEM_UID);
|
assertVpnUidRangesUpdated(true, vpnRange, Process.SYSTEM_UID);
|
||||||
|
|
||||||
// A connected Legacy VPN should have interface rules with null interface.
|
if (SdkLevel.isAtLeastT()) {
|
||||||
// Null Interface is a wildcard and this accepts traffic from all the interfaces.
|
// On T and above, A connected Legacy VPN should have interface rules with null
|
||||||
// There are two expected invocations, one during the VPN initial connection,
|
// interface. Null Interface is a wildcard and this accepts traffic from all the
|
||||||
// one during the VPN LinkProperties update.
|
// interfaces. There are two expected invocations, one during the VPN initial
|
||||||
ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);
|
// connection, one during the VPN LinkProperties update.
|
||||||
verify(mBpfNetMaps, times(2)).addUidInterfaceRules(
|
ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);
|
||||||
eq(null) /* iface */, uidCaptor.capture());
|
verify(mBpfNetMaps, times(2)).addUidInterfaceRules(
|
||||||
assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID, VPN_UID);
|
eq(null) /* iface */, uidCaptor.capture());
|
||||||
assertContainsExactly(uidCaptor.getAllValues().get(1), APP1_UID, APP2_UID, VPN_UID);
|
assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID, VPN_UID);
|
||||||
assertEquals(mService.mPermissionMonitor.getVpnInterfaceUidRanges(null /* iface */),
|
assertContainsExactly(uidCaptor.getAllValues().get(1), APP1_UID, APP2_UID, VPN_UID);
|
||||||
vpnRange);
|
assertEquals(mService.mPermissionMonitor.getVpnInterfaceUidRanges(null /* iface */),
|
||||||
|
vpnRange);
|
||||||
|
|
||||||
mMockVpn.disconnect();
|
mMockVpn.disconnect();
|
||||||
waitForIdle();
|
waitForIdle();
|
||||||
|
|
||||||
// Disconnected VPN should have interface rules removed
|
// Disconnected VPN should have interface rules removed
|
||||||
verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture());
|
verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture());
|
||||||
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID, VPN_UID);
|
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID, VPN_UID);
|
||||||
assertNull(mService.mPermissionMonitor.getVpnInterfaceUidRanges(null /* iface */));
|
assertNull(mService.mPermissionMonitor.getVpnInterfaceUidRanges(null /* iface */));
|
||||||
|
} else {
|
||||||
|
// Before T, Legacy VPN should not have interface rules.
|
||||||
|
verify(mBpfNetMaps, never()).addUidInterfaceRules(any(), any());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testLocalIpv4OnlyVpnSetInterfaceFilteringRuleWithWildcard() throws Exception {
|
public void testLocalIpv4OnlyVpnInterfaceFilteringRule() throws Exception {
|
||||||
LinkProperties lp = new LinkProperties();
|
LinkProperties lp = new LinkProperties();
|
||||||
lp.setInterfaceName("tun0");
|
lp.setInterfaceName("tun0");
|
||||||
lp.addRoute(new RouteInfo(new IpPrefix("192.0.2.0/24"), null, "tun0"));
|
lp.addRoute(new RouteInfo(new IpPrefix("192.0.2.0/24"), null, "tun0"));
|
||||||
@@ -10470,26 +10475,31 @@ public class ConnectivityServiceTest {
|
|||||||
mMockVpn.establish(lp, Process.SYSTEM_UID, vpnRange);
|
mMockVpn.establish(lp, Process.SYSTEM_UID, vpnRange);
|
||||||
assertVpnUidRangesUpdated(true, vpnRange, Process.SYSTEM_UID);
|
assertVpnUidRangesUpdated(true, vpnRange, Process.SYSTEM_UID);
|
||||||
|
|
||||||
// IPv6 unreachable route should not be misinterpreted as a default route
|
if (SdkLevel.isAtLeastT()) {
|
||||||
// A connected VPN should have interface rules with null interface.
|
// IPv6 unreachable route should not be misinterpreted as a default route
|
||||||
// Null Interface is a wildcard and this accepts traffic from all the interfaces.
|
// On T and above, A connected VPN that does not provide a default route should have
|
||||||
// There are two expected invocations, one during the VPN initial connection,
|
// interface rules with null interface. Null Interface is a wildcard and this accepts
|
||||||
// one during the VPN LinkProperties update.
|
// traffic from all the interfaces. There are two expected invocations, one during the
|
||||||
ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);
|
// VPN initial connection, one during the VPN LinkProperties update.
|
||||||
verify(mBpfNetMaps, times(2)).addUidInterfaceRules(
|
ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);
|
||||||
eq(null) /* iface */, uidCaptor.capture());
|
verify(mBpfNetMaps, times(2)).addUidInterfaceRules(
|
||||||
assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID, VPN_UID);
|
eq(null) /* iface */, uidCaptor.capture());
|
||||||
assertContainsExactly(uidCaptor.getAllValues().get(1), APP1_UID, APP2_UID, VPN_UID);
|
assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID, VPN_UID);
|
||||||
assertEquals(mService.mPermissionMonitor.getVpnInterfaceUidRanges(null /* iface */),
|
assertContainsExactly(uidCaptor.getAllValues().get(1), APP1_UID, APP2_UID, VPN_UID);
|
||||||
vpnRange);
|
assertEquals(mService.mPermissionMonitor.getVpnInterfaceUidRanges(null /* iface */),
|
||||||
|
vpnRange);
|
||||||
|
|
||||||
mMockVpn.disconnect();
|
mMockVpn.disconnect();
|
||||||
waitForIdle();
|
waitForIdle();
|
||||||
|
|
||||||
// Disconnected VPN should have interface rules removed
|
// Disconnected VPN should have interface rules removed
|
||||||
verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture());
|
verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture());
|
||||||
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID, VPN_UID);
|
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID, VPN_UID);
|
||||||
assertNull(mService.mPermissionMonitor.getVpnInterfaceUidRanges(null /* iface */));
|
assertNull(mService.mPermissionMonitor.getVpnInterfaceUidRanges(null /* iface */));
|
||||||
|
} else {
|
||||||
|
// Before T, VPN with IPv6 unreachable route should not have interface rules.
|
||||||
|
verify(mBpfNetMaps, never()).addUidInterfaceRules(any(), any());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|||||||
Reference in New Issue
Block a user