LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge changes I58cd6145,I32299ce8,I0433459e

Browse Source 
* changes:
  Use java BpfMap in updateUidLockdownRule
  Use java BpfMap in BpfNetMaps#addNiceApp
  Use java BpfMap in BpfNetMaps#removeNiceApp
This commit is contained in:
Motomu Utsumi
2022-07-12 03:00:28 +00:00
committed by Gerrit Code Review
parent 5711788ea8 697b299e3a
commit fabb53a881
2 changed files with 135 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
service/src/com/android/server/BpfNetMaps.java
View File

@@ -294,10 +294,8 @@ public class BpfNetMaps {
* cause of the failure. * cause of the failure.
*/ */
public void addNiceApp(final int uid) { public void addNiceApp(final int uid) {
synchronized (sUidOwnerMap) { throwIfPreT("addNiceApp is not available on pre-T devices");
final int err = native_addNiceApp(uid); addRule(uid, HAPPY_BOX_MATCH, "addNiceApp");
maybeThrow(err, "Unable to add nice app");
}
} }
/** /**
@@ -308,10 +306,8 @@ public class BpfNetMaps {
* cause of the failure. * cause of the failure.
*/ */
public void removeNiceApp(final int uid) { public void removeNiceApp(final int uid) {
synchronized (sUidOwnerMap) { throwIfPreT("removeNiceApp is not available on pre-T devices");
final int err = native_removeNiceApp(uid); removeRule(uid, HAPPY_BOX_MATCH, "removeNiceApp");
maybeThrow(err, "Unable to remove nice app");
}
} }
/** /**
@@ -460,9 +456,11 @@ public class BpfNetMaps {
* cause of the failure. * cause of the failure.
*/ */
public void updateUidLockdownRule(final int uid, final boolean add) { public void updateUidLockdownRule(final int uid, final boolean add) {
synchronized (sUidOwnerMap) { throwIfPreT("updateUidLockdownRule is not available on pre-T devices");
final int err = native_updateUidLockdownRule(uid, add); if (add) {
maybeThrow(err, "Unable to update lockdown rule"); addRule(uid, LOCKDOWN_VPN_MATCH, "updateUidLockdownRule");
} else {
removeRule(uid, LOCKDOWN_VPN_MATCH, "updateUidLockdownRule");
} }
} }

126
tests/unit/java/com/android/server/BpfNetMapsTest.java
View File

@@ -27,7 +27,9 @@ import static android.net.ConnectivityManager.FIREWALL_CHAIN_STANDBY;
import static android.net.INetd.PERMISSION_INTERNET; import static android.net.INetd.PERMISSION_INTERNET;
import static com.android.server.BpfNetMaps.DOZABLE_MATCH; import static com.android.server.BpfNetMaps.DOZABLE_MATCH;
import static com.android.server.BpfNetMaps.HAPPY_BOX_MATCH;
import static com.android.server.BpfNetMaps.IIF_MATCH; import static com.android.server.BpfNetMaps.IIF_MATCH;
import static com.android.server.BpfNetMaps.LOCKDOWN_VPN_MATCH;
import static com.android.server.BpfNetMaps.NO_MATCH; import static com.android.server.BpfNetMaps.NO_MATCH;
import static com.android.server.BpfNetMaps.PENALTY_BOX_MATCH; import static com.android.server.BpfNetMaps.PENALTY_BOX_MATCH;
import static com.android.server.BpfNetMaps.POWERSAVE_MATCH; import static com.android.server.BpfNetMaps.POWERSAVE_MATCH;
@@ -332,4 +334,128 @@ public final class BpfNetMapsTest {
assertThrows(UnsupportedOperationException.class, assertThrows(UnsupportedOperationException.class,
() -> mBpfNetMaps.addNaughtyApp(TEST_UID)); () -> mBpfNetMaps.addNaughtyApp(TEST_UID));
} }
private void doTestRemoveNiceApp(final long iif, final long match) throws Exception {
mUidOwnerMap.updateEntry(new U32(TEST_UID), new UidOwnerValue(iif, match));
mBpfNetMaps.removeNiceApp(TEST_UID);
checkUidOwnerValue(TEST_UID, iif, match & ~HAPPY_BOX_MATCH);
}
@Test
@IgnoreUpTo(Build.VERSION_CODES.S_V2)
public void testRemoveNiceApp() throws Exception {
doTestRemoveNiceApp(NO_IIF, HAPPY_BOX_MATCH);
// HAPPY_BOX_MATCH with other matches
doTestRemoveNiceApp(NO_IIF, HAPPY_BOX_MATCH | DOZABLE_MATCH | POWERSAVE_MATCH);
// HAPPY_BOX_MATCH with IIF_MATCH
doTestRemoveNiceApp(TEST_IF_INDEX, HAPPY_BOX_MATCH | IIF_MATCH);
// HAPPY_BOX_MATCH is not enabled
doTestRemoveNiceApp(NO_IIF, DOZABLE_MATCH | POWERSAVE_MATCH | RESTRICTED_MATCH);
}
@Test
@IgnoreUpTo(Build.VERSION_CODES.S_V2)
public void testRemoveNiceAppMissingUid() {
// UidOwnerMap does not have entry for TEST_UID
assertThrows(ServiceSpecificException.class,
() -> mBpfNetMaps.removeNiceApp(TEST_UID));
}
@Test
@IgnoreAfter(Build.VERSION_CODES.S_V2)
public void testRemoveNiceAppBeforeT() {
assertThrows(UnsupportedOperationException.class,
() -> mBpfNetMaps.removeNiceApp(TEST_UID));
}
private void doTestAddNiceApp(final long iif, final long match) throws Exception {
if (match != NO_MATCH) {
mUidOwnerMap.updateEntry(new U32(TEST_UID), new UidOwnerValue(iif, match));
}
mBpfNetMaps.addNiceApp(TEST_UID);
checkUidOwnerValue(TEST_UID, iif, match | HAPPY_BOX_MATCH);
}
@Test
@IgnoreUpTo(Build.VERSION_CODES.S_V2)
public void testAddNiceApp() throws Exception {
doTestAddNiceApp(NO_IIF, NO_MATCH);
// Other matches are enabled
doTestAddNiceApp(NO_IIF, DOZABLE_MATCH | POWERSAVE_MATCH | RESTRICTED_MATCH);
// IIF_MATCH is enabled
doTestAddNiceApp(TEST_IF_INDEX, IIF_MATCH);
// HAPPY_BOX_MATCH is already enabled
doTestAddNiceApp(NO_IIF, HAPPY_BOX_MATCH | DOZABLE_MATCH);
}
@Test
@IgnoreAfter(Build.VERSION_CODES.S_V2)
public void testAddNiceAppBeforeT() {
assertThrows(UnsupportedOperationException.class,
() -> mBpfNetMaps.addNiceApp(TEST_UID));
}
private void doTestUpdateUidLockdownRule(final long iif, final long match, final boolean add)
throws Exception {
if (match != NO_MATCH) {
mUidOwnerMap.updateEntry(new U32(TEST_UID), new UidOwnerValue(iif, match));
}
mBpfNetMaps.updateUidLockdownRule(TEST_UID, add);
final long expectedMatch = add ? match | LOCKDOWN_VPN_MATCH : match & ~LOCKDOWN_VPN_MATCH;
checkUidOwnerValue(TEST_UID, iif, expectedMatch);
}
private static final boolean ADD = true;
private static final boolean REMOVE = false;
@Test
@IgnoreUpTo(Build.VERSION_CODES.S_V2)
public void testUpdateUidLockdownRuleAddLockdown() throws Exception {
doTestUpdateUidLockdownRule(NO_IIF, NO_MATCH, ADD);
// Other matches are enabled
doTestUpdateUidLockdownRule(
NO_IIF, DOZABLE_MATCH | POWERSAVE_MATCH | RESTRICTED_MATCH, ADD);
// IIF_MATCH is enabled
doTestUpdateUidLockdownRule(TEST_IF_INDEX, DOZABLE_MATCH, ADD);
// LOCKDOWN_VPN_MATCH is already enabled
doTestUpdateUidLockdownRule(NO_IIF, LOCKDOWN_VPN_MATCH | DOZABLE_MATCH, ADD);
}
@Test
@IgnoreUpTo(Build.VERSION_CODES.S_V2)
public void testUpdateUidLockdownRuleRemoveLockdown() throws Exception {
doTestUpdateUidLockdownRule(NO_IIF, LOCKDOWN_VPN_MATCH, REMOVE);
// LOCKDOWN_VPN_MATCH with other matches
doTestUpdateUidLockdownRule(
NO_IIF, LOCKDOWN_VPN_MATCH | POWERSAVE_MATCH | RESTRICTED_MATCH, REMOVE);
// LOCKDOWN_VPN_MATCH with IIF_MATCH
doTestUpdateUidLockdownRule(TEST_IF_INDEX, LOCKDOWN_VPN_MATCH | IIF_MATCH, REMOVE);
// LOCKDOWN_VPN_MATCH is not enabled
doTestUpdateUidLockdownRule(NO_IIF, POWERSAVE_MATCH | RESTRICTED_MATCH, REMOVE);
}
@Test
@IgnoreAfter(Build.VERSION_CODES.S_V2)
public void testUpdateUidLockdownRuleBeforeT() {
assertThrows(UnsupportedOperationException.class,
() -> mBpfNetMaps.updateUidLockdownRule(TEST_UID, true /* add */));
}
} }