Currently, when an always-on VPN is set in lockdown mode, Vpn
configures prohibit UID rules in netd directly and does not
inform ConnectivityService of the fact.
This means that ConnectivityService cannot send NetworkCallbacks
that tells apps that they are blocked or unblocked. It also means
that ConnectivityService has to take the mVpns lock and call into
Vpn to allow synchronous APIs such as getActiveNetwork to return
BLOCKED if the app is blocked.
Move all this to ConnectivityService:
- Add a setRequireVpnForUids API to ConnectivityManager, and have
that pass the routing rules to netd.
- Update VpnTest to expect calls to ConnectivityManager instead
of to netd.
- Whenever setRequireVpnForUids is called, ensure that
ConnectivityService sends onBlockedStatusChanged to the
affected callbacks.
- Update existing unit tests to check for callbacks.
- Add a way to find the VPN that applies to a given UID without
taking the VPN lock, by instead scanning all connected VPNs.
Use this as a replacement for direct access to mVpns.
For simplicity, and in order to ensure proper ordering between
the NetworkCallbacks sent for VPNs connecting and disconnecting,
process blocked UID ranges on the handler thread. This means that
when setRequireVpnForUids returns, the rule changes might not
have been applied. This shouldn't impact apps using network
connectivity, but it might mean that apps setting an always-on
package, and then immediately checking whether networking is
blocked, will see a behaviour change.
Bug: 173331190
Fix: 175670887
Test: new test coverage in ConnectivityServiceTest
Test: atest MixedDeviceOwnerTest#testAlwaysOnVpn \
MixedDeviceOwnerTest#testAlwaysOnVpnLockDown \
MixedDeviceOwnerTest#testAlwaysOnVpnAcrossReboot \
MixedDeviceOwnerTest#testAlwaysOnVpnPackageUninstalled \
MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackage \
MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced \
MixedDeviceOwnerTest#testAlwaysOnVpnPackageLogged \
MixedProfileOwnerTest#testAlwaysOnVpn \
MixedProfileOwnerTest#testAlwaysOnVpnLockDown \
MixedProfileOwnerTest#testAlwaysOnVpnAcrossReboot \
MixedProfileOwnerTest#testAlwaysOnVpnPackageUninstalled \
MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage \
MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced \
MixedProfileOwnerTest#testAlwaysOnVpnPackageLogged \
MixedManagedProfileOwnerTest#testAlwaysOnVpn \
MixedManagedProfileOwnerTest#testAlwaysOnVpnLockDown \
MixedManagedProfileOwnerTest#testAlwaysOnVpnAcrossReboot \
MixedManagedProfileOwnerTest#testAlwaysOnVpnPackageUninstalled \
MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage \
MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced \
MixedManagedProfileOwnerTest#testAlwaysOnVpnPackageLogged
Test: atest FrameworksNetTests HostsideVpnTests \
CtsNetTestCases:VpnServiceTest \
CtsNetTestCases:Ikev2VpnTest
Change-Id: Iaca8a7cc343aef52706cff62a7735f338cb1b772
Using these generalized interfaces is more flexible, since it enables
us to pivot the implementation being used internally. In particular,
an upcoming CL will pivot them to use a more efficient alternative.
This is a no-op refactoring.
Bug: 176777285
Test: atest FrameworksNetTests CtsNetTestCases
Change-Id: Ibd4717174cf1f136e9d5d80172ecb6e493265306
Connectivity service is going to become a mainline module which
will not able to access hidden APIs. Thus, use formal API
Context#getSystemService() to get network policy service instead
of hidden API ServiceManager#getService().
Bug: 170598012
Test: atest FrameworksNetTests FrameworksNetIntegrationTests
Change-Id: I4f286264b5800b2b922f85a76ddd20d64d53000a
Use two oneway binder interfaces instead.
The interfaces post messages to handlers as was implemented before, but
provide a more strictly defined interface, with less hops between
NetworkAgent, AsyncChannel, and ConnectivityService.
The actual public interface is the NetworkAgent @SystemApi: the binder
interface is an internal implementation detail.
Test: atest FrameworksNetTests CtsNetTestCasesLatestSdk
Bug: 173574274
Merged-In: Ie364ab50f416e7821e70f4539a881eea828e1256
Change-Id: Ie364ab50f416e7821e70f4539a881eea828e1256
Currently, when the caller increment operation count, the count
will be blamed on the active default network even though the
traffic is all generated on other networks. This is kind
of weird. But in order to change the behavior, extend test
coverage first.
Test: atest com.android.server.net.NetworkStatsServiceTest#testOperationCount_nondefault_traffic
Bug: 174123988
Change-Id: Ia5b5aa3601de15bb9ee5a29f6d184d122f1c5352
In a previous change (https://r.android.com/1394342), we did a mass update of whitelist->allowlist
and blacklist->denylist in network policy related code. Updating
some usages of those (like allowlisted to allowed) to make them
sound natural.
Test: atest services/tests/servicestests/src/com/android/server/net/NetworkPolicyManagerServiceTest.java
Test: atest services/tests/servicestests/src/com/android/server/NetworkManagementInternalTest.java
Test: atest hostsidetests/net/src/com/android/cts/net/HostsideRestrictBackgroundNetworkTests.java
Change-Id: I6d34b0bd3cdb64d5872874fd9378bfc962a24f8d
To make connectivity service mainline, this patch makes
MultipathPolicyTracker as a submodule of NetworkPolicyManagerService
to remove the dependencies of ConnectivityService.
Bug: 175015282
Test: FrameworksNetTests
Change-Id: I82a7c62069ffd0683deb2f5ce2f99de120a2a16f
The argument type of interfaceClassDataActivityChanged takes a
string for the network type. It requires both the receivers and
NMS to do type transformation. The transformation is a redundant
work. Update it to take integer directly and rename to
understandable naming.
Bug: 170598012
Test: atest FrameworksNetTests
Change-Id: Ibe9fa7a1b71af2dab916b5d615742e77e4174c39
Use two oneway binder interfaces instead.
The interfaces post messages to handlers as was implemented before, but
provide a more strictly defined interface, with less hops between
NetworkAgent, AsyncChannel, and ConnectivityService.
The actual public interface is the NetworkAgent @SystemApi: the binder
interface is an internal implementation detail.
Test: atest FrameworksNetTests CtsNetTestCasesLatestSdk
Change-Id: Ie364ab50f416e7821e70f4539a881eea828e1256
Add uid into interfaceClassDataActivityChanged in
INetworkManagementEventObserver. This helps the listeners to use
BaseNetworkObserver to listen for target evnets instead of using
whole INetdUnsolicitedEventListener with no-op in other event
that listeners do not care about.
Bug: 170598012
Test: m ; atest FrameworksNetTests
Change-Id: I2a42a522c2ff9b1e0be88261a8574bb7f5292fa6
Allow ConnectivityServiceTest to change the UID by replacing
static calls to Binder.getCallingUid() with a method that can
be mocked.
Add registerNetworkCallbackAsUid as an initial way to exercise
this, and add some test coverage to the always-on lockdown test
to confirm that things are working as expected.
Bug: 173331190
Test: new unit tests
Change-Id: Ie0b32460e20e5906a0f479191e11a062f21cc608
This requires mocking lots of new things that weren't mocked
before but is otherwise fairly straightforward.
A few changes to MockVpn are needed as well:
1. Set the VPN's NetworkInfo to CONNECTED, so methods such as
isBlockingUid will work. While I'm at it, set the interface on
the LinkProperties as well to make things a bit more
realistic.
2. Constructs the VpnConfig when registering the agent, not when
the MockVpn is created. This is needed because starting and
stopping lockdown VPN calls prepare, which nulls out mConfig.
But constructing the VpnConfig when registering the agent is
more realistic anyway. The production code does that in
establish, but we can't do that in ConnectivityServiceTest
because some of the test cases don't call establish and call
registerAgent directly.
Bug: 173331190
Test: atest FrameworksNetTests
Change-Id: I827543751dbf5e626a24ec02cd6f50b423f5f761
CAPTIVE_PORTAL is a CS-managed capability, and causes CS to log a wtf.
When this test is run on an eng build, this sends SIGSEGV to the test,
which is pretty difficult to debug.
Test: FrameworksNetTests NetworkStackTests
Change-Id: I72fc46a6daa4e886425b4dc967318cca9f1a5302
Currently, ConnectivityService assumes that only VPNs can have
underlying networks. Make the code decide this based only on the
return value of NetworkAgentInfo#supportsUnderlyingNetworks.
This allows non-VPN network types to support underlying networks
in the future.
This requires storing the original agent's capabilities in
NetworkAgentInfo so that applyUnderlyingCapabilities can mix in
the underlying network capabilities without overwriting the
capabilities of the network itself. Currently, the only
information that applyUnderlyingCapabilities takes from the
original agent's capabilities are the metered bit (stored in
NetworkAgentInfo#declaredMetered) and the transports (assumed to
be exactly {TRANSPORT_VPN}. Store the full capabilities instead.
This is more state than needed but it ensures that we do not need
to make any changes if in the future we want to propagate new
types of information from the underlying networks.
This should have no impact on current use cases (i.e., VPNs).
There is a change in ordering: in disconnectAndDestroyNetwork,
the new code propagates underlying network capabilities before
removing the network from LegacyTypeTracker, instead of after.
This is done to simplify the new code. When the new code
propagates underlying network capabilities in response to a
change for a particular network (e.g., connect, disconnect,
capabilities change), it only considers networks that have the
changed network as underlying. Because determining the
underlying networks requires knowing the default network,
the new code runs before the default network is changed and
LegacyTypeTracker is updated.
This shouldn't have app implications because the connectivity
broadcasts sent by LegacyTypeTracker and the callbacks cannot be
ordered, since they run on separate threads with unpredictable
delays. The capability change callbacks resulting from
propagation of underlying network capabilities were already
sent before the rematch, so the callbacks themselves are not
reordered in any way.
Bug: 173331190
Test: atest FrameworksNetTests \
CtsNetTestCases:NetworkAgentTest \
CtsNetTestCases:Ikev2VpnTest \
CtsNetTestCases:VpnServiceTest \
CtsNetTestCases:android.net.cts.ConnectivityDiagnosticsManagerTest \
HostsideVpnTests com.android.server.connectivity.VpnTest
Change-Id: Ic5353a928a3a3541dcf953c35f47277c5e295db8
* changes:
Remove support for legacy network agents
Remove deprecated constructors for NetworkAgent
Migrate NetworkAgentWrapper to the new NA API
Cleanup TestNetworkService
Minor cleanup as per nit comments on approved CLs in the relation chain.
Namely:
- removing an extranous space
- changing requestsSortedById() to be package private
- changing releaseNetworkRequest() name to releaseNetworkRequests()
- adding final in a couple spots
- added some test requests in testDumpDoesNotCrash()
Bug: 173145245
Bug: 173292541
Bug: 173146509
Bug: 171991028
Test: atest FrameworksNetTests
Change-Id: I177ec6072a44acd247022b65b56e90cc231094b9
