From b5898ad53a147cf94565f55d2f6aef5bba18af61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Thu, 28 May 2020 03:21:31 -0700 Subject: [PATCH 1/3] Stop reducing RA advertised ipv6 mtu by 16 - not needed. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This effectively reverts: commit da0fb1bca8eda1ce8159289a2ea9e4f6933ce517 Author: Maciej Żenczykowski Date: Wed Feb 19 01:24:39 2020 -0800 Reduce advertised ipv6 mtu by 16 to fit ethernet header This is a temporary hack to workaround the inability of current kernel's ebpf bpf_skb_change_mode() function to prefix a 14-byte ethernet header on to a packet without going over the upstream (source, rawip) interface's mtu *before* we bpf_redirect() to the downstream (destination, ethernet) interface. Test: build, atest, atest TetheringTests Bug: 149816401 Test: flashed a flame with new kernel and it works at 1500 mtu Bug: 149816401 Signed-off-by: Maciej Żenczykowski Change-Id: I76a75a16fa27b47d78816b2f9379ef4bb68beb00 --- Tethering/src/android/net/ip/IpServer.java | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/Tethering/src/android/net/ip/IpServer.java b/Tethering/src/android/net/ip/IpServer.java index 659d344acf..6edc0e6f87 100644 --- a/Tethering/src/android/net/ip/IpServer.java +++ b/Tethering/src/android/net/ip/IpServer.java @@ -753,12 +753,7 @@ public class IpServer extends StateMachine { final String upstreamIface = v6only.getInterfaceName(); params = new RaParams(); - // When BPF offload is enabled, we advertise an mtu lower by 16, which is the closest - // multiple of 8 >= 14, the ethernet header size. This makes kernel ebpf tethering - // offload happy. This hack should be reverted once we have the kernel fixed up. - // Note: this will automatically clamp to at least 1280 (ipv6 minimum mtu) - // see RouterAdvertisementDaemon.java putMtu() - params.mtu = mUsingBpfOffload ? v6only.getMtu() - 16 : v6only.getMtu(); + params.mtu = v6only.getMtu(); params.hasDefaultRoute = v6only.hasIpv6DefaultRoute(); if (params.hasDefaultRoute) params.hopLimit = getHopLimit(upstreamIface, ttlAdjustment); From 03b52fcfd509e2f85c04534275726acf91a7feca Mon Sep 17 00:00:00 2001 From: markchien Date: Fri, 29 May 2020 14:36:36 +0800 Subject: [PATCH 2/3] Gate exemptFromEentitlementCheck by Network_STACK permission Shell has TETHER_PRIVILEGED permission. To avoid any service to adopt shell identity by lunching service with Shell process, gate exemptFromEentitlementCheck by NETWORK_STACK. Bug: 157702014 Test: atest TetheringCoverageTests Change-Id: I6ddfda23d36ea9981e3e1eb5a87767f452a65852 Merged-In: I6ddfda23d36ea9981e3e1eb5a87767f452a65852 --- .../tethering/TetheringService.java | 17 ++++++++++++-- .../android/net/EthernetTetheringTest.java | 4 ++-- .../tethering/TetheringServiceTest.java | 23 ++++++++++++++----- 3 files changed, 34 insertions(+), 10 deletions(-) diff --git a/Tethering/src/com/android/networkstack/tethering/TetheringService.java b/Tethering/src/com/android/networkstack/tethering/TetheringService.java index e095afea52..d084ca0966 100644 --- a/Tethering/src/com/android/networkstack/tethering/TetheringService.java +++ b/Tethering/src/com/android/networkstack/tethering/TetheringService.java @@ -17,8 +17,10 @@ package com.android.networkstack.tethering; import static android.Manifest.permission.ACCESS_NETWORK_STATE; +import static android.Manifest.permission.NETWORK_STACK; import static android.Manifest.permission.TETHER_PRIVILEGED; import static android.content.pm.PackageManager.PERMISSION_GRANTED; +import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK; import static android.net.TetheringManager.TETHER_ERROR_NO_ACCESS_TETHERING_PERMISSION; import static android.net.TetheringManager.TETHER_ERROR_NO_CHANGE_TETHERING_PERMISSION; import static android.net.TetheringManager.TETHER_ERROR_NO_ERROR; @@ -240,15 +242,26 @@ public class TetheringService extends Service { return false; } + private boolean hasNetworkStackPermission() { + return checkCallingOrSelfPermission(NETWORK_STACK) + || checkCallingOrSelfPermission(PERMISSION_MAINLINE_NETWORK_STACK); + } + private boolean hasTetherPrivilegedPermission() { - return mService.checkCallingOrSelfPermission(TETHER_PRIVILEGED) == PERMISSION_GRANTED; + return checkCallingOrSelfPermission(TETHER_PRIVILEGED); + } + + private boolean checkCallingOrSelfPermission(final String permission) { + return mService.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED; } private boolean hasTetherChangePermission(final String callerPkg, final boolean onlyAllowPrivileged) { + if (onlyAllowPrivileged && !hasNetworkStackPermission()) return false; + if (hasTetherPrivilegedPermission()) return true; - if (onlyAllowPrivileged || mTethering.isTetherProvisioningRequired()) return false; + if (mTethering.isTetherProvisioningRequired()) return false; int uid = Binder.getCallingUid(); // If callerPkg's uid is not same as Binder.getCallingUid(), diff --git a/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java b/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java index 2fb7e607d0..74df11370e 100644 --- a/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java +++ b/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java @@ -339,7 +339,7 @@ public class EthernetTetheringTest { private MyTetheringEventCallback enableEthernetTethering(String iface) throws Exception { return enableEthernetTethering(iface, new TetheringRequest.Builder(TETHERING_ETHERNET) - .setExemptFromEntitlementCheck(true).build()); + .setShouldShowEntitlementUi(false).build()); } private int getMTU(TestNetworkInterface iface) throws SocketException { @@ -510,7 +510,7 @@ public class EthernetTetheringTest { LinkAddress clientAddr = client == null ? null : new LinkAddress(client); return new TetheringRequest.Builder(TETHERING_ETHERNET) .setStaticIpv4Addresses(localAddr, clientAddr) - .setExemptFromEntitlementCheck(true).build(); + .setShouldShowEntitlementUi(false).build(); } private void assertInvalidStaticIpv4Request(String iface, String local, String client) diff --git a/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringServiceTest.java b/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringServiceTest.java index f4a5666598..22d894bf47 100644 --- a/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringServiceTest.java +++ b/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringServiceTest.java @@ -274,21 +274,32 @@ public final class TetheringServiceTest { }); } + private void runStartTetheringAndVerifyNoPermission(final TestTetheringResult result) + throws Exception { + final TetheringRequestParcel request = new TetheringRequestParcel(); + request.tetheringType = TETHERING_WIFI; + request.exemptFromEntitlementCheck = true; + mTetheringConnector.startTethering(request, TEST_CALLER_PKG, result); + result.assertResult(TETHER_ERROR_NO_CHANGE_TETHERING_PERMISSION); + verifyNoMoreInteractionsForTethering(); + } + @Test - public void testStartTetheringWithExemptFromEntitlementCheck() throws Exception { + public void testFailToBypassEntitlementWithoutNeworkStackPermission() throws Exception { final TetheringRequestParcel request = new TetheringRequestParcel(); request.tetheringType = TETHERING_WIFI; request.exemptFromEntitlementCheck = true; + runAsNoPermission((result) -> { + runStartTetheringAndVerifyNoPermission(result); + }); + runAsTetherPrivileged((result) -> { - runStartTethering(result, request); - verifyNoMoreInteractionsForTethering(); + runStartTetheringAndVerifyNoPermission(result); }); runAsWriteSettings((result) -> { - mTetheringConnector.startTethering(request, TEST_CALLER_PKG, result); - result.assertResult(TETHER_ERROR_NO_CHANGE_TETHERING_PERMISSION); - verifyNoMoreInteractionsForTethering(); + runStartTetheringAndVerifyNoPermission(result); }); } From 6812c1b1eedeca9cb25054e0c5f33269ae4fa0cf Mon Sep 17 00:00:00 2001 From: Paul Duffin Date: Sun, 31 May 2020 11:35:50 +0100 Subject: [PATCH 3/3] Switch to standard naming scheme Removes use of the special framework-modules naming scheme. Bug: 155164730 Test: m java Exempt-From-Owner-Approval: Build cleanup. Change-Id: I3b78fcbcacc3df787e171d6eedeef1e51b087615 Merged-In: I0c31e2183353dfb5bd49f04f3455cb7b10be6866 (cherry picked from 8b864fb45ce79051437f13c2a19510718ea3b7aa) --- Tethering/Android.bp | 2 +- Tethering/common/TetheringLib/Android.bp | 5 ----- Tethering/tests/unit/Android.bp | 2 +- 3 files changed, 2 insertions(+), 7 deletions(-) diff --git a/Tethering/Android.bp b/Tethering/Android.bp index 8ae30a5c6f..d07a70c1af 100644 --- a/Tethering/Android.bp +++ b/Tethering/Android.bp @@ -34,7 +34,7 @@ java_defaults { ], libs: [ "framework-tethering.impl", - "framework-wifi-stubs-systemapi", + "framework-wifi", "unsupportedappusage", ], plugins: ["java_api_finder"], diff --git a/Tethering/common/TetheringLib/Android.bp b/Tethering/common/TetheringLib/Android.bp index 6c05b11258..c8becce7be 100644 --- a/Tethering/common/TetheringLib/Android.bp +++ b/Tethering/common/TetheringLib/Android.bp @@ -30,11 +30,6 @@ java_sdk_library { ":framework-tethering-srcs", ], - // TODO(b/155480189) - Remove naming_scheme once references have been resolved. - // Temporary java_sdk_library component naming scheme to use to ease the transition from separate - // modules to java_sdk_library. - naming_scheme: "framework-modules", - jarjar_rules: "jarjar-rules.txt", installable: true, diff --git a/Tethering/tests/unit/Android.bp b/Tethering/tests/unit/Android.bp index fccc6902e3..45c7b656e2 100644 --- a/Tethering/tests/unit/Android.bp +++ b/Tethering/tests/unit/Android.bp @@ -60,7 +60,7 @@ java_defaults { "framework-minus-apex", "framework-res", "framework-tethering.impl", - "framework-wifi-stubs-module_libs_api", + "framework-wifi.stubs.module_lib", ], jni_libs: [ // For mockito extended