diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java index e444a12b6a..6c6a19d3a6 100644 --- a/service/src/com/android/server/BpfNetMaps.java +++ b/service/src/com/android/server/BpfNetMaps.java @@ -22,6 +22,8 @@ import android.os.ServiceSpecificException; import android.system.Os; import android.util.Log; +import com.android.modules.utils.build.SdkLevel; + /** * BpfNetMaps is responsible for providing traffic controller relevant functionality. * 
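Review bot: `SdkLevel` is imported in this hunk, but in the hunks shown it is mentioned only in a TODO comment, and `USE_NETD` is still the literal `true`. An unused import can trip unused-import lint and adds a build dependency on `com.android.modules.utils.build` before anything needs it. Either land the import together with `private static final boolean USE_NETD = !SdkLevel.isAtLeastT();` or leave it out until that change is made.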
@@ -30,134 +32,119 @@ import android.util.Log; public class BpfNetMaps { private static final String TAG = "BpfNetMaps"; private final INetd mNetd; - // TODO: change USE_JNI to SdkLevel.isAtLeastT() - private static final boolean USE_JNI = false; + // Use legacy netd for releases before T. + // TODO: change to !SdkLevel.isAtLeastT() + private static final boolean USE_NETD = true; + private static boolean sInitialized = false; - static { - if (USE_JNI) { - System.loadLibrary("traffic_controller_jni"); + /** + * Initializes the class if it is not already initialized. This method will open maps but not + * cause any other effects. This method may be called multiple times on any thread. + */ + private static synchronized void ensureInitialized() { + if (sInitialized) return; + if (!USE_NETD) { + System.loadLibrary("service-connectivity"); native_init(); } + sInitialized = true; } public BpfNetMaps(INetd netd) { + ensureInitialized(); mNetd = netd; } - /** - * Add naughty app bandwidth rule for specific app - * - * @param uid uid of target app - * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. - */ - public void addNaughtyApp(final int uid) { - if (!USE_JNI) { - try { - mNetd.bandwidthAddNaughtyApp(uid); - } catch (RemoteException e) { - throw new IllegalStateException(e); - } + private void maybeThrow(final int err, final String msg) { + if (err != 0) { + throw new ServiceSpecificException(err, msg + ": " + Os.strerror(err)); + } + } + + /** + * Add naughty app bandwidth rule for specific app + * + * @param uid uid of target app + * @throws RemoteException when netd has crashed. + * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. 
+ */ + public void addNaughtyApp(final int uid) throws RemoteException { + if (USE_NETD) { + mNetd.bandwidthAddNaughtyApp(uid); return; } final int err = native_addNaughtyApp(uid); - if (err != 0) { - throw new ServiceSpecificException(err, "Unable to add naughty app: " - + Os.strerror(err)); - } + maybeThrow(err, "Unable to add naughty app"); } - /** - * Remove naughty app bandwidth rule for specific app - * - * @param uid uid of target app - * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. - */ - public void removeNaughtyApp(final int uid) { - if (!USE_JNI) { - try { - mNetd.bandwidthRemoveNaughtyApp(uid); - } catch (RemoteException e) { - throw new IllegalStateException(e); - } + /** + * Remove naughty app bandwidth rule for specific app + * + * @param uid uid of target app + * @throws RemoteException when netd has crashed. + * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. + */ + public void removeNaughtyApp(final int uid) throws RemoteException { + if (USE_NETD) { + mNetd.bandwidthRemoveNaughtyApp(uid); return; } final int err = native_removeNaughtyApp(uid); - if (err != 0) { - throw new ServiceSpecificException(err, "Unable to remove naughty app: " - + Os.strerror(err)); - } + maybeThrow(err, "Unable to remove naughty app"); } - /** - * Add nice app bandwidth rule for specific app - * - * @param uid uid of target app - * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. - */ - public void addNiceApp(final int uid) { - if (!USE_JNI) { - try { - mNetd.bandwidthAddNiceApp(uid); - } catch (RemoteException e) { - throw new IllegalStateException(e); - } + /** + * Add nice app bandwidth rule for specific app + * + * @param uid uid of target app + * @throws RemoteException when netd has crashed. 
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. + */ + public void addNiceApp(final int uid) throws RemoteException { + if (USE_NETD) { + mNetd.bandwidthAddNiceApp(uid); return; } final int err = native_addNiceApp(uid); - if (err != 0) { - throw new ServiceSpecificException(err, "Unable to add nice app: " - + Os.strerror(err)); - } + maybeThrow(err, "Unable to add nice app"); } - /** - * Remove nice app bandwidth rule for specific app - * - * @param uid uid of target app - * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. - */ - public void removeNiceApp(final int uid) { - if (!USE_JNI) { - try { - mNetd.bandwidthRemoveNiceApp(uid); - } catch (RemoteException e) { - throw new IllegalStateException(e); - } + /** + * Remove nice app bandwidth rule for specific app + * + * @param uid uid of target app + * @throws RemoteException when netd has crashed. + * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. + */ + public void removeNiceApp(final int uid) throws RemoteException { + if (USE_NETD) { + mNetd.bandwidthRemoveNiceApp(uid); return; } final int err = native_removeNiceApp(uid); - if (err != 0) { - throw new ServiceSpecificException(err, "Unable to remove nice app: " - + Os.strerror(err)); - } + maybeThrow(err, "Unable to remove nice app"); } - /** - * Set target firewall child chain - * - * @param childChain target chain to enable - * @param enable whether to enable or disable child chain. - * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. 
- */ - public void setChildChain(final int childChain, final boolean enable) { - if (!USE_JNI) { - try { - mNetd.firewallEnableChildChain(childChain, enable); - } catch (RemoteException e) { - throw new IllegalStateException(e); - } + /** + * Set target firewall child chain + * + * @param childChain target chain to enable + * @param enable whether to enable or disable child chain. + * @throws RemoteException when netd has crashed. + * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. + */ + public void setChildChain(final int childChain, final boolean enable) throws RemoteException { + if (USE_NETD) { + mNetd.firewallEnableChildChain(childChain, enable); return; } final int err = native_setChildChain(childChain, enable); - if (err != 0) { - throw new ServiceSpecificException(-err, "Unable to set child chain: " - + Os.strerror(-err)); - } + maybeThrow(err, "Unable to set child chain"); } /** 
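Review bot: `maybeThrow` passes `err` unchanged to `ServiceSpecificException` and `Os.strerror`, but the removed `setChildChain` code negated it first (`-err`), so the sign convention of the native return values is no longer handled consistently. If `native_setChildChain` still returns a negative errno, callers would get a negative `errorCode` and an unhelpful strerror text. The same applies to `setUidRule`, `setCounterSet` and `deleteTagData` in the later hunks, whose removed lines also used `-err`, while `replaceUidChain` still returns `-err`. The JNI side is not visible here, so either confirm it now returns positive errno values everywhere or normalise in the helper, e.g. `final int errno = Math.abs(err);` followed by `throw new ServiceSpecificException(errno, msg + ": " + Os.strerror(errno));`. A comment on `maybeThrow` such as `// err is a positive errno, or 0 on success` would pin the contract for future native methods.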
@@ -165,22 +152,19 @@ public class BpfNetMaps { * * The chain may be an allowlist chain or a denylist chain. A denylist chain contains DROP * rules for the specified UIDs and a RETURN rule at the end. An allowlist chain contains RETURN - * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for for the specified + * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for the specified * UIDs, and a DROP rule at the end. The chain will be created if it does not exist. * - * @param chainName The name of the chain to replace. + * @param chainName The name of the chain to replace. * @param isAllowlist Whether this is an allowlist or denylist chain. - * @param uids The list of UIDs to allow/deny. - * @return true if the chain was successfully replaced, false otherwise. + * @param uids The list of UIDs to allow/deny. + * @return 0 if the chain was successfully replaced, errno otherwise. + * @throws RemoteException when netd has crashed. */ public int replaceUidChain(final String chainName, final boolean isAllowlist, - final int[] uids) { - if (!USE_JNI) { - try { - mNetd.firewallReplaceUidChain(chainName, isAllowlist, uids); - } catch (RemoteException e) { - throw new IllegalStateException(e); - } + final int[] uids) throws RemoteException { + if (USE_NETD) { + mNetd.firewallReplaceUidChain(chainName, isAllowlist, uids); return 0; } final int err = native_replaceUidChain(chainName, isAllowlist, uids); 
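Review bot: In the `USE_NETD` branch of `replaceUidChain` the result of `mNetd.firewallReplaceUidChain(...)` is discarded and `0` is returned unconditionally, so a replacement that netd rejects is reported to the caller as success. The old Javadoc ("true if the chain was successfully replaced") suggests the binder call returns a status; if it does, map it, e.g. `return mNetd.firewallReplaceUidChain(chainName, isAllowlist, uids) ? 0 : OsConstants.EINVAL;` (choose the errno callers should see). This matters for a firewall allowlist or denylist because the caller will assume the DROP/RETURN rules are in place. The method also still returns an errno while its siblings throw `ServiceSpecificException`, which deserves a sentence in the Javadoc. The method body continues past the end of this hunk.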
@@ -190,29 +174,24 @@ public class BpfNetMaps { return -err; } - /** - * Set firewall rule for uid - * - * @param childChain target chain - * @param uid uid to allow/deny - * @param firewallRule either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY - * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. - */ - public void setUidRule(final int childChain, final int uid, final int firewallRule) { - if (!USE_JNI) { - try { - mNetd.firewallSetUidRule(childChain, uid, firewallRule); - } catch (RemoteException e) { - throw new IllegalStateException(e); - } + /** + * Set firewall rule for uid + * + * @param childChain target chain + * @param uid uid to allow/deny + * @param firewallRule either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY + * @throws RemoteException when netd has crashed. + * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. + */ + public void setUidRule(final int childChain, final int uid, final int firewallRule) + throws RemoteException { + if (USE_NETD) { + mNetd.firewallSetUidRule(childChain, uid, firewallRule); return; } final int err = native_setUidRule(childChain, uid, firewallRule); - if (err != 0) { - throw new ServiceSpecificException(-err, "Unable to set uid rule: " - + Os.strerror(-err)); - } + maybeThrow(err, "Unable to set uid rule"); } /** 
@@ -226,25 +205,19 @@ public class BpfNetMaps { * instead. Otherwise calling this method will not affect existing rules set on other UIDs. * * @param ifName the name of the interface on which the filtering rules will allow packets to - be received. - * @param uids an array of UIDs which the filtering rules will be set + * be received. + * @param uids an array of UIDs which the filtering rules will be set + * @throws RemoteException when netd has crashed. * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. + * cause of the failure. */ - public void addUidInterfaceRules(final String ifName, final int[] uids) { - if (!USE_JNI) { - try { - mNetd.firewallAddUidInterfaceRules(ifName, uids); - } catch (RemoteException e) { - Log.e(TAG, "Exception when updating permissions: " + e); - } + public void addUidInterfaceRules(final String ifName, final int[] uids) throws RemoteException { + if (USE_NETD) { + mNetd.firewallAddUidInterfaceRules(ifName, uids); return; } final int err = native_addUidInterfaceRules(ifName, uids); - if (err != 0) { - throw new ServiceSpecificException(err, "Unable to add uid interface rules: " - + Os.strerror(err)); - } + maybeThrow(err, "Unable to add uid interface rules"); } /** 
@@ -254,62 +227,48 @@ public class BpfNetMaps { * by addUidInterfaceRules(). Ignore any uid which does not have filtering rule. * * @param uids an array of UIDs from which the filtering rules will be removed + * @throws RemoteException when netd has crashed. * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. + * cause of the failure. */ - public void removeUidInterfaceRules(final int[] uids) { - if (!USE_JNI) { - try { - mNetd.firewallRemoveUidInterfaceRules(uids); - } catch (RemoteException e) { - Log.e(TAG, "Exception when updating permissions: " + e); - } + public void removeUidInterfaceRules(final int[] uids) throws RemoteException { + if (USE_NETD) { + mNetd.firewallRemoveUidInterfaceRules(uids); return; } final int err = native_removeUidInterfaceRules(uids); - if (err != 0) { - throw new ServiceSpecificException(err, "Unable to remove uid interface rules: " - + Os.strerror(err)); - } + maybeThrow(err, "Unable to remove uid interface rules"); } - /** - * Request netd to change the current active network stats map. - * @throws ServiceSpecificException in case of failure, with an error code indicating the - * cause of the failure. - */ - public void swapActiveStatsMap() { - if (!USE_JNI) { - try { - mNetd.trafficSwapActiveStatsMap(); - } catch (RemoteException e) { - throw new IllegalStateException(e); - } + /** + * Request netd to change the current active network stats map. + * + * @throws RemoteException when netd has crashed. + * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. 
+ */ + public void swapActiveStatsMap() throws RemoteException { + if (USE_NETD) { + mNetd.trafficSwapActiveStatsMap(); return; } final int err = native_swapActiveStatsMap(); - if (err != 0) { - throw new ServiceSpecificException(err, "Unable to swap active stats map: " - + Os.strerror(err)); - } + maybeThrow(err, "Unable to swap active stats map"); } - /** - * Assigns android.permission.INTERNET and/or android.permission.UPDATE_DEVICE_STATS to the uids - * specified. Or remove all permissions from the uids. - * - * @param permission The permission to grant, it could be either PERMISSION_INTERNET and/or - * PERMISSION_UPDATE_DEVICE_STATS. If the permission is NO_PERMISSIONS, then - * revoke all permissions for the uids. - * @param uids uid of users to grant permission - */ - public void setNetPermForUids(final int permissions, final int[] uids) { - if (!USE_JNI) { - try { - mNetd.trafficSetNetPermForUids(permissions, uids); - } catch (RemoteException e) { - Log.e(TAG, "Pass appId list of special permission failed." + e); - } + /** + * Assigns android.permission.INTERNET and/or android.permission.UPDATE_DEVICE_STATS to the uids + * specified. Or remove all permissions from the uids. + * + * @param permissions The permission to grant, it could be either PERMISSION_INTERNET and/or + * PERMISSION_UPDATE_DEVICE_STATS. If the permission is NO_PERMISSIONS, then + * revoke all permissions for the uids. + * @param uids uid of users to grant permission + * @throws RemoteException when netd has crashed. + */ + public void setNetPermForUids(final int permissions, final int[] uids) throws RemoteException { + if (USE_NETD) { + mNetd.trafficSetNetPermForUids(permissions, uids); return; } native_setPermissionForUids(permissions, uids); 
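Review bot: The JNI branch of `setNetPermForUids` calls `native_setPermissionForUids(permissions, uids)` without checking any result, so it is the only mutator in this class whose native failure cannot reach the caller. Per the Javadoc this is also the path that revokes permissions (`NO_PERMISSIONS`), so a failed map update could leave a UID with network permissions it should have lost, with nothing thrown or logged. If the native function can fail, have it return an errno and add `maybeThrow(err, "Unable to set permissions for uids");`; if it cannot, state that in the Javadoc. The end of the method and the native declaration are outside this hunk.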
@@ -319,27 +278,26 @@ public class BpfNetMaps { * Set counter set for uid * * @param counterSet either SET_DEFAULT or SET_FOREGROUND - * @param uid uid to foreground/background + * @param uid uid to foreground/background + * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. */ - public int setCounterSet(final int counterSet, final int uid) { + public void setCounterSet(final int counterSet, final int uid) { final int err = native_setCounterSet(counterSet, uid); - if (err != 0) { - Log.e(TAG, "setCounterSet failed: " + Os.strerror(-err)); - } - return -err; + maybeThrow(err, "setCounterSet failed"); } /** * Reset Uid stats + * * @param tag default 0 * @param uid given uid to be clear + * @throws ServiceSpecificException in case of failure, with an error code indicating the + * cause of the failure. */ - public int deleteTagData(final int tag, final int uid) { + public void deleteTagData(final int tag, final int uid) { final int err = native_deleteTagData(tag, uid); - if (err != 0) { - Log.e(TAG, "deleteTagData failed: " + Os.strerror(-err)); - } - return -err; + maybeThrow(err, "deleteTagData failed"); } private static native void native_init(); diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java index a453270c3e..fb9005305c 100644 --- a/service/src/com/android/server/ConnectivityService.java +++ b/service/src/com/android/server/ConnectivityService.java @@ -10843,7 +10843,7 @@ public class ConnectivityService extends IConnectivityManager.Stub } else { mBpfNetMaps.removeNiceApp(uid); } - } catch (ServiceSpecificException e) { + } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } 
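Review bot: `setCounterSet` and `deleteTagData` call their `native_*` methods unconditionally, but `ensureInitialized()` only runs `System.loadLibrary("service-connectivity")` when `!USE_NETD`, and `USE_NETD` is currently `true`. Unless the library is loaded elsewhere, a call to either method would fail with `UnsatisfiedLinkError` rather than the `ServiceSpecificException` the new Javadoc promises. Either guard them, e.g. `if (USE_NETD) throw new UnsupportedOperationException("requires the JNI path");`, or document that they must not be called while the netd path is active. The return type also changes from `int` to `void`, and no caller update appears in the visible hunks, so confirm nothing still reads the old return value.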
@@ -10858,7 +10858,7 @@ public class ConnectivityService extends IConnectivityManager.Stub } else { mBpfNetMaps.removeNaughtyApp(uid); } - } catch (ServiceSpecificException e) { + } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } @@ -10870,7 +10870,7 @@ public class ConnectivityService extends IConnectivityManager.Stub try { mBpfNetMaps.setUidRule(chain, uid, allow ? INetd.FIREWALL_RULE_ALLOW : INetd.FIREWALL_RULE_DENY); - } catch (ServiceSpecificException e) { + } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } @@ -10881,7 +10881,7 @@ public class ConnectivityService extends IConnectivityManager.Stub try { mBpfNetMaps.setChildChain(chain, enable); - } catch (ServiceSpecificException e) { + } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } @@ -10908,7 +10908,7 @@ public class ConnectivityService extends IConnectivityManager.Stub throw new IllegalArgumentException("replaceFirewallChain with invalid chain: " + chain); } - } catch (ServiceSpecificException e) { + } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } @@ -10918,7 +10918,7 @@ public class ConnectivityService extends IConnectivityManager.Stub enforceNetworkStackOrSettingsPermission(); try { mBpfNetMaps.swapActiveStatsMap(); - } catch (ServiceSpecificException e) { + } catch (RemoteException | ServiceSpecificException e) { throw new IllegalStateException(e); } } diff --git a/service/src/com/android/server/connectivity/PermissionMonitor.java b/service/src/com/android/server/connectivity/PermissionMonitor.java index c9c177663f..ac46054381 100755 --- a/service/src/com/android/server/connectivity/PermissionMonitor.java +++ b/service/src/com/android/server/connectivity/PermissionMonitor.java 
@@ -58,7 +58,6 @@ import android.os.SystemConfigManager; import android.os.UserHandle; import android.os.UserManager; import android.provider.Settings; -import android.system.OsConstants; import android.util.ArrayMap; import android.util.ArraySet; import android.util.Log; @@ -812,12 +811,8 @@ public class PermissionMonitor { } else { mBpfNetMaps.removeUidInterfaceRules(toIntArray(uids)); } - } catch (ServiceSpecificException e) { - // Silently ignore exception when device does not support eBPF, otherwise just log - // the exception and do not crash - if (e.errorCode != OsConstants.EOPNOTSUPP) { - loge("Exception when updating permissions: ", e); - } + } catch (RemoteException | ServiceSpecificException e) { + loge("Exception when updating permissions: ", e); } } @@ -901,7 +896,7 @@ public class PermissionMonitor { mBpfNetMaps.setNetPermForUids(PERMISSION_UNINSTALLED, toIntArray(uninstalledAppIds)); } - } catch (ServiceSpecificException e) { + } catch (RemoteException | ServiceSpecificException e) { Log.e(TAG, "Pass appId list of special permission failed." + e); } } diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java index 2985c41d87..e41a2ac8bb 100644 --- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java +++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java @@ -528,6 +528,7 @@ public class ConnectivityServiceTest { @Mock SystemConfigManager mSystemConfigManager; @Mock Resources mResources; @Mock PacProxyManager mPacProxyManager; + @Mock BpfNetMaps mBpfNetMaps; // BatteryStatsManager is final and cannot be mocked with regular mockito, so just mock the // underlying binder calls. 
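Review bot: The catch around `addUidInterfaceRules`/`removeUidInterfaceRules` now also receives `RemoteException` and still only logs, so when installing or removing the VPN interface filtering rules fails, the monitor's bookkeeping can run ahead of what is actually enforced. The same log-and-continue pattern applies to the `setNetPermForUids` catch in the following hunk. If best effort is intended, say so at the catch, e.g. `// Best effort: on failure the installed rules may be stale until the next update.`, and include which operation failed in the message. In the second catch, `Log.e(TAG, "Pass appId list of special permission failed." + e)` should pass the exception as the throwable, `Log.e(TAG, "Pass appId list of special permission failed.", e);`, so the stack trace of a netd failure is kept.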
@@ -1950,6 +1951,11 @@ public class ConnectivityServiceTest { return super.isFeatureEnabled(context, name, defaultEnabled); } } + + @Override + public BpfNetMaps getBpfNetMaps(INetd netd) { + return mBpfNetMaps; + } } private static void initAlarmManager(final AlarmManager am, final Handler alarmHandler) { @@ -10126,7 +10132,7 @@ public class ConnectivityServiceTest { // A connected VPN should have interface rules set up. There are two expected invocations, // one during the VPN initial connection, one during the VPN LinkProperties update. ArgumentCaptor uidCaptor = ArgumentCaptor.forClass(int[].class); - verify(mMockNetd, times(2)).firewallAddUidInterfaceRules(eq("tun0"), uidCaptor.capture()); + verify(mBpfNetMaps, times(2)).addUidInterfaceRules(eq("tun0"), uidCaptor.capture()); assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID); assertContainsExactly(uidCaptor.getAllValues().get(1), APP1_UID, APP2_UID); assertTrue(mService.mPermissionMonitor.getVpnUidRanges("tun0").equals(vpnRange)); @@ -10135,7 +10141,7 @@ public class ConnectivityServiceTest { waitForIdle(); // Disconnected VPN should have interface rules removed - verify(mMockNetd).firewallRemoveUidInterfaceRules(uidCaptor.capture()); + verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture()); assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID); assertNull(mService.mPermissionMonitor.getVpnUidRanges("tun0")); } @@ -10152,7 +10158,7 @@ public class ConnectivityServiceTest { assertVpnUidRangesUpdated(true, vpnRange, Process.SYSTEM_UID); // Legacy VPN should not have interface rules set up - verify(mMockNetd, never()).firewallAddUidInterfaceRules(any(), any()); + verify(mBpfNetMaps, never()).addUidInterfaceRules(any(), any()); } @Test 
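Review bot: With `getBpfNetMaps` overridden to return the `@Mock`, the VPN interface-rule tests now stop at the `BpfNetMaps` boundary. Nothing in the visible part of the change verifies that `BpfNetMaps.addUidInterfaceRules` and `removeUidInterfaceRules` still reach `INetd.firewallAddUidInterfaceRules` and `firewallRemoveUidInterfaceRules`. A small unit test that builds `new BpfNetMaps(mockNetd)` and verifies the forwarded call for each method would restore that coverage. It should also assert that a `RemoteException` from the mock propagates to the caller, since that behaviour is new in this commit.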
@@ -10168,7 +10174,7 @@ public class ConnectivityServiceTest { assertVpnUidRangesUpdated(true, vpnRange, Process.SYSTEM_UID); // IPv6 unreachable route should not be misinterpreted as a default route - verify(mMockNetd, never()).firewallAddUidInterfaceRules(any(), any()); + verify(mBpfNetMaps, never()).addUidInterfaceRules(any(), any()); } @Test 
@@ -10185,33 +10191,33 @@ public class ConnectivityServiceTest { // Connected VPN should have interface rules set up. There are two expected invocations, // one during VPN uid update, one during VPN LinkProperties update ArgumentCaptor uidCaptor = ArgumentCaptor.forClass(int[].class); - verify(mMockNetd, times(2)).firewallAddUidInterfaceRules(eq("tun0"), uidCaptor.capture()); + verify(mBpfNetMaps, times(2)).addUidInterfaceRules(eq("tun0"), uidCaptor.capture()); assertContainsExactly(uidCaptor.getAllValues().get(0), APP1_UID, APP2_UID); assertContainsExactly(uidCaptor.getAllValues().get(1), APP1_UID, APP2_UID); - reset(mMockNetd); - InOrder inOrder = inOrder(mMockNetd); + reset(mBpfNetMaps); + InOrder inOrder = inOrder(mBpfNetMaps); lp.setInterfaceName("tun1"); mMockVpn.sendLinkProperties(lp); waitForIdle(); // VPN handover (switch to a new interface) should result in rules being updated (old rules // removed first, then new rules added) - inOrder.verify(mMockNetd).firewallRemoveUidInterfaceRules(uidCaptor.capture()); + inOrder.verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture()); assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID); - inOrder.verify(mMockNetd).firewallAddUidInterfaceRules(eq("tun1"), uidCaptor.capture()); + inOrder.verify(mBpfNetMaps).addUidInterfaceRules(eq("tun1"), uidCaptor.capture()); assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID); - reset(mMockNetd); + reset(mBpfNetMaps); lp = new LinkProperties(); lp.setInterfaceName("tun1"); lp.addRoute(new RouteInfo(new IpPrefix("192.0.2.0/24"), null, "tun1")); mMockVpn.sendLinkProperties(lp); waitForIdle(); // VPN not routing everything should no longer have interface filtering rules - verify(mMockNetd).firewallRemoveUidInterfaceRules(uidCaptor.capture()); + verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture()); assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID); - reset(mMockNetd); + reset(mBpfNetMaps); lp = new LinkProperties(); 
lp.setInterfaceName("tun1"); lp.addRoute(new RouteInfo(new IpPrefix(Inet4Address.ANY, 0), RTN_UNREACHABLE)); @@ -10219,7 +10225,7 @@ public class ConnectivityServiceTest { mMockVpn.sendLinkProperties(lp); waitForIdle(); // Back to routing all IPv6 traffic should have filtering rules - verify(mMockNetd).firewallAddUidInterfaceRules(eq("tun1"), uidCaptor.capture()); + verify(mBpfNetMaps).addUidInterfaceRules(eq("tun1"), uidCaptor.capture()); assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID); } @@ -10248,8 +10254,8 @@ public class ConnectivityServiceTest { mMockVpn.establish(lp, VPN_UID, vpnRanges); assertVpnUidRangesUpdated(true, vpnRanges, VPN_UID); - reset(mMockNetd); - InOrder inOrder = inOrder(mMockNetd); + reset(mBpfNetMaps); + InOrder inOrder = inOrder(mBpfNetMaps); // Update to new range which is old range minus APP1, i.e. only APP2 final Set newRanges = new HashSet<>(asList( @@ -10260,9 +10266,9 @@ public class ConnectivityServiceTest { ArgumentCaptor uidCaptor = ArgumentCaptor.forClass(int[].class); // Verify old rules are removed before new rules are added - inOrder.verify(mMockNetd).firewallRemoveUidInterfaceRules(uidCaptor.capture()); + inOrder.verify(mBpfNetMaps).removeUidInterfaceRules(uidCaptor.capture()); assertContainsExactly(uidCaptor.getValue(), APP1_UID, APP2_UID); - inOrder.verify(mMockNetd).firewallAddUidInterfaceRules(eq("tun0"), uidCaptor.capture()); + inOrder.verify(mBpfNetMaps).addUidInterfaceRules(eq("tun0"), uidCaptor.capture()); assertContainsExactly(uidCaptor.getValue(), APP2_UID); }