LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge "Clean up BpfNetMaps"

Browse Source
This commit is contained in:
Treehugger Robot
2022-02-01 12:50:28 +00:00
committed by Gerrit Code Review
parent 687c383d78 f5f51339af
commit d36de12652
4 changed files with 186 additions and 227 deletions
Download Patch File Download Diff File Expand all files Collapse all files

350
service/src/com/android/server/BpfNetMaps.java
View File

@@ -22,6 +22,8 @@ import android.os.ServiceSpecificException;
import android.system.Os;
import android.util.Log;
import com.android.modules.utils.build.SdkLevel;
/**
* BpfNetMaps is responsible for providing traffic controller relevant functionality.
*
@@ -30,134 +32,119 @@ import android.util.Log;
public class BpfNetMaps {
private static final String TAG = "BpfNetMaps";
private final INetd mNetd;
// TODO: change USE_JNI to SdkLevel.isAtLeastT()
private static final boolean USE_JNI = false;
// Use legacy netd for releases before T.
// TODO: change to !SdkLevel.isAtLeastT()
private static final boolean USE_NETD = true;
private static boolean sInitialized = false;
static {
if (USE_JNI) {
System.loadLibrary("traffic_controller_jni");
/**
* Initializes the class if it is not already initialized. This method will open maps but not
* cause any other effects. This method may be called multiple times on any thread.
*/
private static synchronized void ensureInitialized() {
if (sInitialized) return;
if (!USE_NETD) {
System.loadLibrary("service-connectivity");
native_init();
}
sInitialized = true;
}
public BpfNetMaps(INetd netd) {
ensureInitialized();
mNetd = netd;
}
/**
* Add naughty app bandwidth rule for specific app
*
* @param uid uid of target app
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void addNaughtyApp(final int uid) {
if (!USE_JNI) {
try {
mNetd.bandwidthAddNaughtyApp(uid);
} catch (RemoteException e) {
throw new IllegalStateException(e);
}
private void maybeThrow(final int err, final String msg) {
if (err != 0) {
throw new ServiceSpecificException(err, msg + ": " + Os.strerror(err));
}
}
/**
* Add naughty app bandwidth rule for specific app
*
* @param uid uid of target app
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void addNaughtyApp(final int uid) throws RemoteException {
if (USE_NETD) {
mNetd.bandwidthAddNaughtyApp(uid);
return;
}
final int err = native_addNaughtyApp(uid);
if (err != 0) {
throw new ServiceSpecificException(err, "Unable to add naughty app: "
+ Os.strerror(err));
}
maybeThrow(err, "Unable to add naughty app");
}
/**
* Remove naughty app bandwidth rule for specific app
*
* @param uid uid of target app
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void removeNaughtyApp(final int uid) {
if (!USE_JNI) {
try {
mNetd.bandwidthRemoveNaughtyApp(uid);
} catch (RemoteException e) {
throw new IllegalStateException(e);
}
/**
* Remove naughty app bandwidth rule for specific app
*
* @param uid uid of target app
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void removeNaughtyApp(final int uid) throws RemoteException {
if (USE_NETD) {
mNetd.bandwidthRemoveNaughtyApp(uid);
return;
}
final int err = native_removeNaughtyApp(uid);
if (err != 0) {
throw new ServiceSpecificException(err, "Unable to remove naughty app: "
+ Os.strerror(err));
}
maybeThrow(err, "Unable to remove naughty app");
}
/**
* Add nice app bandwidth rule for specific app
*
* @param uid uid of target app
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void addNiceApp(final int uid) {
if (!USE_JNI) {
try {
mNetd.bandwidthAddNiceApp(uid);
} catch (RemoteException e) {
throw new IllegalStateException(e);
}
/**
* Add nice app bandwidth rule for specific app
*
* @param uid uid of target app
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void addNiceApp(final int uid) throws RemoteException {
if (USE_NETD) {
mNetd.bandwidthAddNiceApp(uid);
return;
}
final int err = native_addNiceApp(uid);
if (err != 0) {
throw new ServiceSpecificException(err, "Unable to add nice app: "
+ Os.strerror(err));
}
maybeThrow(err, "Unable to add nice app");
}
/**
* Remove nice app bandwidth rule for specific app
*
* @param uid uid of target app
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void removeNiceApp(final int uid) {
if (!USE_JNI) {
try {
mNetd.bandwidthRemoveNiceApp(uid);
} catch (RemoteException e) {
throw new IllegalStateException(e);
}
/**
* Remove nice app bandwidth rule for specific app
*
* @param uid uid of target app
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void removeNiceApp(final int uid) throws RemoteException {
if (USE_NETD) {
mNetd.bandwidthRemoveNiceApp(uid);
return;
}
final int err = native_removeNiceApp(uid);
if (err != 0) {
throw new ServiceSpecificException(err, "Unable to remove nice app: "
+ Os.strerror(err));
}
maybeThrow(err, "Unable to remove nice app");
}
/**
* Set target firewall child chain
*
* @param childChain target chain to enable
* @param enable whether to enable or disable child chain.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void setChildChain(final int childChain, final boolean enable) {
if (!USE_JNI) {
try {
mNetd.firewallEnableChildChain(childChain, enable);
} catch (RemoteException e) {
throw new IllegalStateException(e);
}
/**
* Set target firewall child chain
*
* @param childChain target chain to enable
* @param enable whether to enable or disable child chain.
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void setChildChain(final int childChain, final boolean enable) throws RemoteException {
if (USE_NETD) {
mNetd.firewallEnableChildChain(childChain, enable);
return;
}
final int err = native_setChildChain(childChain, enable);
if (err != 0) {
throw new ServiceSpecificException(-err, "Unable to set child chain: "
+ Os.strerror(-err));
}
maybeThrow(err, "Unable to set child chain");
}
/**
@@ -165,22 +152,19 @@ public class BpfNetMaps {
*
* The chain may be an allowlist chain or a denylist chain. A denylist chain contains DROP
* rules for the specified UIDs and a RETURN rule at the end. An allowlist chain contains RETURN
* rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for for the specified
* rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for the specified
* UIDs, and a DROP rule at the end. The chain will be created if it does not exist.
*
* @param chainName The name of the chain to replace.
* @param chainName The name of the chain to replace.
* @param isAllowlist Whether this is an allowlist or denylist chain.
* @param uids The list of UIDs to allow/deny.
* @return true if the chain was successfully replaced, false otherwise.
* @param uids The list of UIDs to allow/deny.
* @return 0 if the chain was successfully replaced, errno otherwise.
* @throws RemoteException when netd has crashed.
*/
public int replaceUidChain(final String chainName, final boolean isAllowlist,
final int[] uids) {
if (!USE_JNI) {
try {
mNetd.firewallReplaceUidChain(chainName, isAllowlist, uids);
} catch (RemoteException e) {
throw new IllegalStateException(e);
}
final int[] uids) throws RemoteException {
if (USE_NETD) {
mNetd.firewallReplaceUidChain(chainName, isAllowlist, uids);
return 0;
}
final int err = native_replaceUidChain(chainName, isAllowlist, uids);
@@ -190,29 +174,24 @@ public class BpfNetMaps {
return -err;
}
/**
* Set firewall rule for uid
*
* @param childChain target chain
* @param uid uid to allow/deny
* @param firewallRule either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void setUidRule(final int childChain, final int uid, final int firewallRule) {
if (!USE_JNI) {
try {
mNetd.firewallSetUidRule(childChain, uid, firewallRule);
} catch (RemoteException e) {
throw new IllegalStateException(e);
}
/**
* Set firewall rule for uid
*
* @param childChain target chain
* @param uid uid to allow/deny
* @param firewallRule either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void setUidRule(final int childChain, final int uid, final int firewallRule)
throws RemoteException {
if (USE_NETD) {
mNetd.firewallSetUidRule(childChain, uid, firewallRule);
return;
}
final int err = native_setUidRule(childChain, uid, firewallRule);
if (err != 0) {
throw new ServiceSpecificException(-err, "Unable to set uid rule: "
+ Os.strerror(-err));
}
maybeThrow(err, "Unable to set uid rule");
}
/**
@@ -226,25 +205,19 @@ public class BpfNetMaps {
* instead. Otherwise calling this method will not affect existing rules set on other UIDs.
*
* @param ifName the name of the interface on which the filtering rules will allow packets to
be received.
* @param uids an array of UIDs which the filtering rules will be set
* be received.
* @param uids an array of UIDs which the filtering rules will be set
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
* cause of the failure.
*/
public void addUidInterfaceRules(final String ifName, final int[] uids) {
if (!USE_JNI) {
try {
mNetd.firewallAddUidInterfaceRules(ifName, uids);
} catch (RemoteException e) {
Log.e(TAG, "Exception when updating permissions: " + e);
}
public void addUidInterfaceRules(final String ifName, final int[] uids) throws RemoteException {
if (USE_NETD) {
mNetd.firewallAddUidInterfaceRules(ifName, uids);
return;
}
final int err = native_addUidInterfaceRules(ifName, uids);
if (err != 0) {
throw new ServiceSpecificException(err, "Unable to add uid interface rules: "
+ Os.strerror(err));
}
maybeThrow(err, "Unable to add uid interface rules");
}
/**
@@ -254,62 +227,48 @@ public class BpfNetMaps {
* by addUidInterfaceRules(). Ignore any uid which does not have filtering rule.
*
* @param uids an array of UIDs from which the filtering rules will be removed
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
* cause of the failure.
*/
public void removeUidInterfaceRules(final int[] uids) {
if (!USE_JNI) {
try {
mNetd.firewallRemoveUidInterfaceRules(uids);
} catch (RemoteException e) {
Log.e(TAG, "Exception when updating permissions: " + e);
}
public void removeUidInterfaceRules(final int[] uids) throws RemoteException {
if (USE_NETD) {
mNetd.firewallRemoveUidInterfaceRules(uids);
return;
}
final int err = native_removeUidInterfaceRules(uids);
if (err != 0) {
throw new ServiceSpecificException(err, "Unable to remove uid interface rules: "
+ Os.strerror(err));
}
maybeThrow(err, "Unable to remove uid interface rules");
}
/**
* Request netd to change the current active network stats map.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void swapActiveStatsMap() {
if (!USE_JNI) {
try {
mNetd.trafficSwapActiveStatsMap();
} catch (RemoteException e) {
throw new IllegalStateException(e);
}
/**
* Request netd to change the current active network stats map.
*
* @throws RemoteException when netd has crashed.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public void swapActiveStatsMap() throws RemoteException {
if (USE_NETD) {
mNetd.trafficSwapActiveStatsMap();
return;
}
final int err = native_swapActiveStatsMap();
if (err != 0) {
throw new ServiceSpecificException(err, "Unable to swap active stats map: "
+ Os.strerror(err));
}
maybeThrow(err, "Unable to swap active stats map");
}
/**
* Assigns android.permission.INTERNET and/or android.permission.UPDATE_DEVICE_STATS to the uids
* specified. Or remove all permissions from the uids.
*
* @param permission The permission to grant, it could be either PERMISSION_INTERNET and/or
* PERMISSION_UPDATE_DEVICE_STATS. If the permission is NO_PERMISSIONS, then
* revoke all permissions for the uids.
* @param uids uid of users to grant permission
*/
public void setNetPermForUids(final int permissions, final int[] uids) {
if (!USE_JNI) {
try {
mNetd.trafficSetNetPermForUids(permissions, uids);
} catch (RemoteException e) {
Log.e(TAG, "Pass appId list of special permission failed." + e);
}
/**
* Assigns android.permission.INTERNET and/or android.permission.UPDATE_DEVICE_STATS to the uids
* specified. Or remove all permissions from the uids.
*
* @param permissions The permission to grant, it could be either PERMISSION_INTERNET and/or
* PERMISSION_UPDATE_DEVICE_STATS. If the permission is NO_PERMISSIONS, then
* revoke all permissions for the uids.
* @param uids uid of users to grant permission
* @throws RemoteException when netd has crashed.
*/
public void setNetPermForUids(final int permissions, final int[] uids) throws RemoteException {
if (USE_NETD) {
mNetd.trafficSetNetPermForUids(permissions, uids);
return;
}
native_setPermissionForUids(permissions, uids);
@@ -319,27 +278,26 @@ public class BpfNetMaps {
* Set counter set for uid
*
* @param counterSet either SET_DEFAULT or SET_FOREGROUND
* @param uid uid to foreground/background
* @param uid uid to foreground/background
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public int setCounterSet(final int counterSet, final int uid) {
public void setCounterSet(final int counterSet, final int uid) {
final int err = native_setCounterSet(counterSet, uid);
if (err != 0) {
Log.e(TAG, "setCounterSet failed: " + Os.strerror(-err));
}
return -err;
maybeThrow(err, "setCounterSet failed");
}
/**
* Reset Uid stats
*
* @param tag default 0
* @param uid given uid to be clear
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
public int deleteTagData(final int tag, final int uid) {
public void deleteTagData(final int tag, final int uid) {
final int err = native_deleteTagData(tag, uid);
if (err != 0) {
Log.e(TAG, "deleteTagData failed: " + Os.strerror(-err));
}
return -err;
maybeThrow(err, "deleteTagData failed");
}
private static native void native_init();

12
service/src/com/android/server/ConnectivityService.java
View File

@@ -10843,7 +10843,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
} else {
mBpfNetMaps.removeNiceApp(uid);
}
} catch (ServiceSpecificException e) {
} catch (RemoteException | ServiceSpecificException e) {
throw new IllegalStateException(e);
}
}
@@ -10858,7 +10858,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
} else {
mBpfNetMaps.removeNaughtyApp(uid);
}
} catch (ServiceSpecificException e) {
} catch (RemoteException | ServiceSpecificException e) {
throw new IllegalStateException(e);
}
}
@@ -10870,7 +10870,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
try {
mBpfNetMaps.setUidRule(chain, uid,
allow ? INetd.FIREWALL_RULE_ALLOW : INetd.FIREWALL_RULE_DENY);
} catch (ServiceSpecificException e) {
} catch (RemoteException | ServiceSpecificException e) {
throw new IllegalStateException(e);
}
}
@@ -10881,7 +10881,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
try {
mBpfNetMaps.setChildChain(chain, enable);
} catch (ServiceSpecificException e) {
} catch (RemoteException | ServiceSpecificException e) {
throw new IllegalStateException(e);
}
}
@@ -10908,7 +10908,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
throw new IllegalArgumentException("replaceFirewallChain with invalid chain: "
+ chain);
}
} catch (ServiceSpecificException e) {
} catch (RemoteException | ServiceSpecificException e) {
throw new IllegalStateException(e);
}
}
@@ -10918,7 +10918,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
enforceNetworkStackOrSettingsPermission();
try {
mBpfNetMaps.swapActiveStatsMap();
} catch (ServiceSpecificException e) {
} catch (RemoteException | ServiceSpecificException e) {
throw new IllegalStateException(e);
}
}

11
service/src/com/android/server/connectivity/PermissionMonitor.java
View File

@@ -58,7 +58,6 @@ import android.os.SystemConfigManager;
import android.os.UserHandle;
import android.os.UserManager;
import android.provider.Settings;
import android.system.OsConstants;
import android.util.ArrayMap;
import android.util.ArraySet;
import android.util.Log;
@@ -812,12 +811,8 @@ public class PermissionMonitor {
} else {
mBpfNetMaps.removeUidInterfaceRules(toIntArray(uids));
}
} catch (ServiceSpecificException e) {
// Silently ignore exception when device does not support eBPF, otherwise just log
// the exception and do not crash
if (e.errorCode != OsConstants.EOPNOTSUPP) {
loge("Exception when updating permissions: ", e);
}
} catch (RemoteException | ServiceSpecificException e) {
loge("Exception when updating permissions: ", e);
}
}
@@ -901,7 +896,7 @@ public class PermissionMonitor {
mBpfNetMaps.setNetPermForUids(PERMISSION_UNINSTALLED,
toIntArray(uninstalledAppIds));
}
} catch (ServiceSpecificException e) {
} catch (RemoteException | ServiceSpecificException e) {
Log.e(TAG, "Pass appId list of special permission failed." + e);
}
}

40
tests/unit/java/com/android/server/ConnectivityServiceTest.java
View File

@@ -528,6 +528,7 @@ public class ConnectivityServiceTest {
@Mock SystemConfigManager mSystemConfigManager;
@Mock Resources mResources;
@Mock PacProxyManager mPacProxyManager;
@Mock BpfNetMaps mBpfNetMaps;
// BatteryStatsManager is final and cannot be mocked with regular mockito, so just mock the
// underlying binder calls.
@@ -1950,6 +1951,11 @@ public class ConnectivityServiceTest {
return super.isFeatureEnabled(context, name, defaultEnabled);
}
}
@Override
public BpfNetMaps getBpfNetMaps(INetd netd) {
return mBpfNetMaps;
}
}
private static void initAlarmManager(final AlarmManager am, final Handler alarmHandler) {
@@ -10126,7 +10132,7 @@ public class ConnectivityServiceTest {
// A connected VPN should have interface rules set up. There are two expected invocations,
// one during the VPN initial connection, one during the VPN LinkProperties update.
ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);
verify(mMockNetd, times(2)).firewallAddUidInterfaceRules(eq("tun0"), uidCaptor.capture());
verify(mBpfNetMaps, times(2)).addUidInterfaceRules(eq("tun0"), uidCaptor.capture());
assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID);
assertContainsExactly(uidCaptor.getAllValues().get(1), APP1_UID, APP2_UID);
assertTrue(mService.mPermissionMonitor.getVpnUidRanges("tun0").equals(vpnRange));
@@ -10135,7 +10141,7 @@ public class ConnectivityServiceTest {
waitForIdle();
// Disconnected VPN should have interface rules removed
verify(mMockNetd).firewallRemoveUidInterfaceRules(uidCaptor.capture());
verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture());
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID);
assertNull(mService.mPermissionMonitor.getVpnUidRanges("tun0"));
}
@@ -10152,7 +10158,7 @@ public class ConnectivityServiceTest {
assertVpnUidRangesUpdated(true, vpnRange, Process.SYSTEM_UID);
// Legacy VPN should not have interface rules set up
verify(mMockNetd, never()).firewallAddUidInterfaceRules(any(), any());
verify(mBpfNetMaps, never()).addUidInterfaceRules(any(), any());
}
@Test
@@ -10168,7 +10174,7 @@ public class ConnectivityServiceTest {
assertVpnUidRangesUpdated(true, vpnRange, Process.SYSTEM_UID);
// IPv6 unreachable route should not be misinterpreted as a default route
verify(mMockNetd, never()).firewallAddUidInterfaceRules(any(), any());
verify(mBpfNetMaps, never()).addUidInterfaceRules(any(), any());
}
@Test
@@ -10185,33 +10191,33 @@ public class ConnectivityServiceTest {
// Connected VPN should have interface rules set up. There are two expected invocations,
// one during VPN uid update, one during VPN LinkProperties update
ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);
verify(mMockNetd, times(2)).firewallAddUidInterfaceRules(eq("tun0"), uidCaptor.capture());
verify(mBpfNetMaps, times(2)).addUidInterfaceRules(eq("tun0"), uidCaptor.capture());
assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID);
assertContainsExactly(uidCaptor.getAllValues().get(1), APP1_UID, APP2_UID);
reset(mMockNetd);
InOrder inOrder = inOrder(mMockNetd);
reset(mBpfNetMaps);
InOrder inOrder = inOrder(mBpfNetMaps);
lp.setInterfaceName("tun1");
mMockVpn.sendLinkProperties(lp);
waitForIdle();
// VPN handover (switch to a new interface) should result in rules being updated (old rules
// removed first, then new rules added)
inOrder.verify(mMockNetd).firewallRemoveUidInterfaceRules(uidCaptor.capture());
inOrder.verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture());
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID);
inOrder.verify(mMockNetd).firewallAddUidInterfaceRules(eq("tun1"), uidCaptor.capture());
inOrder.verify(mBpfNetMaps).addUidInterfaceRules(eq("tun1"), uidCaptor.capture());
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID);
reset(mMockNetd);
reset(mBpfNetMaps);
lp = new LinkProperties();
lp.setInterfaceName("tun1");
lp.addRoute(new RouteInfo(new IpPrefix("192.0.2.0/24"), null, "tun1"));
mMockVpn.sendLinkProperties(lp);
waitForIdle();
// VPN not routing everything should no longer have interface filtering rules
verify(mMockNetd).firewallRemoveUidInterfaceRules(uidCaptor.capture());
verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture());
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID);
reset(mMockNetd);
reset(mBpfNetMaps);
lp = new LinkProperties();
lp.setInterfaceName("tun1");
lp.addRoute(new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), RTN_UNREACHABLE));
@@ -10219,7 +10225,7 @@ public class ConnectivityServiceTest {
mMockVpn.sendLinkProperties(lp);
waitForIdle();
// Back to routing all IPv6 traffic should have filtering rules
verify(mMockNetd).firewallAddUidInterfaceRules(eq("tun1"), uidCaptor.capture());
verify(mBpfNetMaps).addUidInterfaceRules(eq("tun1"), uidCaptor.capture());
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID);
}
@@ -10248,8 +10254,8 @@ public class ConnectivityServiceTest {
mMockVpn.establish(lp, VPN_UID, vpnRanges);
assertVpnUidRangesUpdated(true, vpnRanges, VPN_UID);
reset(mMockNetd);
InOrder inOrder = inOrder(mMockNetd);
reset(mBpfNetMaps);
InOrder inOrder = inOrder(mBpfNetMaps);
// Update to new range which is old range minus APP1, i.e. only APP2
final Set<UidRange> newRanges = new HashSet<>(asList(
@@ -10260,9 +10266,9 @@ public class ConnectivityServiceTest {
ArgumentCaptor<int[]> uidCaptor = ArgumentCaptor.forClass(int[].class);
// Verify old rules are removed before new rules are added
inOrder.verify(mMockNetd).firewallRemoveUidInterfaceRules(uidCaptor.capture());
inOrder.verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture());
assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID);
inOrder.verify(mMockNetd).firewallAddUidInterfaceRules(eq("tun0"), uidCaptor.capture());
inOrder.verify(mBpfNetMaps).addUidInterfaceRules(eq("tun0"), uidCaptor.capture());
assertContainsExactly(uidCaptor.getValue(), APP2_UID);
}