Add the native implementation for NetworkStatsService to read the
uidStatsMap and tagStatsMap to get the network traffic information.
Currently the implementation only try to get the data from bpf for a
reference but the final value returned is still from old xt_qtaguid
module. So the result will not be effected. The bpf implementation is
depending on libbpf inside netd.
Bug: 30950746
Test: CtsNetTestCases -t android.net.cts.TrafficStatsTest
Change-Id: Ia85e4d4d602f6bd536739d89085e6dc37ad82e15
This change adds an additional check in CheckIpsecConfig to prevent
users from using the same SPI twice. This allows for a more granular
error message.
Bug: 70642141
Test: Tests added in IpSecServiceParameterizedTest
Change-Id: I9621fb05c6b162bd8ae8db4ac1e64feaa9d0ac73
CreateTransportModeTransform and DeleteTransportModeTransform are both
agnostic as far as which mode of transform it creates/deletes. As such,
to facilitate the implementation of tunnel mode, this patch renames them
to CreateTransform and DeleteTransform, along with all test names.
Bug: 63588681
Test: frameworks/base unit tests and CTS tests run, passed
Change-Id: I1f015eb7ad0e85fca966658a9402485ca2b44091
This change adds the defaultNetwork to the ident based on current
system networking state, and persists that value to flash.
Bug: 35142602
Test: runtest frameworks-net
Test: downloaded files using default/non-default networks while watching dumpsys netstats
Change-Id: Id8776d149b2977548a9eb455ad4926af55e25aba
This allows us to maintain NetworkStats entries that track
whether the traffic was on the default network.
At the moment, the stats collection code always passes in
DEFAULT_NETWORK_NO. However, this value is a no-op, since it is
not persisted to disk. Only the ident, the uid/set/tag, and the
packet/byte/operation counters are persisted.
A future change will add defaultNetwork to the ident and start
persisting it.
Bug: 35142602
Test: runtest frameworks-net
Change-Id: Ifa291c62c0fa389b88e5561086a29dcd7cee2253
This will allow NetworkStatsService to treat traffic on these
networks differently from traffic where the app selects a network
that is not the default.
Bug: 35142602
Test: runtest frameworks-net
Change-Id: I5ea9d200d9fb153490c6108bb9390bf152f297da
Added some extra comments on reference counting and moved a few methods
around. No significant logical changes made in this CL
Bug: 63409385
Test: CTS, Unit tests (both frameworks-base and netd) and binder tests
all pass
Change-Id: I89f1f4a021db48ae406fefefa6aca7406045736c
Because IpSecTransforms are now unidirectional,
and because the only mechanism for removing Transforms
removes it from both directions, the API can no longer
use the Transform parameter to meaningfully validate
that the caller had applied a transform. Since that
functionality was as-yet unimplemented and is now
infeasible, the transform parameter is removed.
Bug: 72079356
Test: cts - IpSecManagerTest; runtest frameworks-net
Change-Id: If19b0d34bdc6daf31a40d6d62bff326dcbca08c0
Convert the IpSecTransform from being a bi-directional
pair of SAs to a unidirectional single SA. This CL
also removes the concept of "direction from SAs meaning
that a IpSecTransform may now be applied to a socket
in either direction.
-Make transforms unidirectional
-Add Convert allocateSpi() to use destination rather
than direction and remote address
-Remove directionality from builders for IpSecTransform
-Change applyTransportModeTransform() to take a
direction in which to apply the transform object.
-Additional minor naming updates
-Restrict IpSecConfig to only print keys on eng builds
-Move DIRECTION constants to IpSecManager
-Add sourceAddress parameter to IpSecTransform to provide
additional guarantees about the source address of data;
(explicit failure rather than implicit failure).
-Move SPI to the build() method of IpSecTransform
Bug: 71717213
Test: runtest frameworks-net, CTS - IpSecManagerTest
Change-Id: I0824b37f443f4b8c62536d9801238c63ed8f2a1c
Adds checks to ensure that users can only set the correct types of
algorithms for the Authentication, Encryption and Authenticated
Encryption algorithms.
Bug: 65223935
Test: Added tests in IpSecConfigTest, and passed on aosp_marlin-eng
Change-Id: I462c77d9eb5710b8d03a48866453649d3b6fc6bf
The mNextResourceId variable is only accessed within synchronized
blocks, so there is no need to use an atomic integer to synchronize
it. This eliminates the misleading notion that the variable is
accessed outside of guarded blocks, which it is not.
Bug: 62279167
Test: cts
Change-Id: I815835622659f54d2d2d33b349b17c632ebced8d
CTS test should fail if IPV6 Sockets is used on IPV4 address.
Unfortunately its been passing fine due to unhandled catch
exception. This is fixed in this CL.
Bug: 64435904
Test: Ran CTS test to verify ./run_cts.sh
Change-Id: I369c1b5baaa64b64feaa3f298e61f46d1200ea17
Symptom:
System_server crashed due to unsolved "netd" service.
Root cause:
My previous patch was not enough for avoiding this crash.
a00d4b0 Abort connecting to native daemon during shutdown
listenToSocket loop can be finished without throwing exception.
Solution:
It's better to test shutdown condition before reconnection even
though listenToSocket is finished without exception.
Bug: 68742327
Change-Id: Ifdfe43d52bef891f55bd7b07cc1aa0fa248a6030
Move the native implementation of TrafficStats to NetworkStatsService
and apps need to get the NetworkStatsService binder interface from
system_server in order to get the network usage stats since boot. This
implementation can hide the detail of retrieving network traffic
information from apps and the NetworkStatsService can choose which
methoed it use to get the data depending on the kernel version of the
device.
Bug: 30950746
Test: CtsNetTestCases -t android.net.cts.TrafficStatsTest
Change-Id: I53bbefd19aa0b783b9b4b42ea4d76db3e9ec07a3
Encap sockets are currently created as the system server, and should be
fchown'd to the user for whom it was created on behalf of.
Bug: 62994731
Test: New tests added and run to IpSecService
Change-Id: Icc49e709ae588981e69765fdb77537d7ffbac5fe
Added calls to tag encap sockets to that of the UID for which the encap
socket is being created on behalf of. This ensures that all data
accounting generated for the UDP-encap-ESP socket is correctly billed to
the right UID.
Bug: 62994731
Test: New tests added to IpSecServiceTest.java, passing
Change-Id: I15365ea9c982fd7b4e3cdeff314ddfba2289c86e
This is part 2 of 2 of the refcounting refactor for IpSecService
resources.
Switched ManagedResources to use RefcountedResource structure for
managing reference counts and eventual cleanup. Further, resource arrays
and quota management have been aggregated into a UserRecord for better
isolation. UID access checking has been similarly moved into the
UserRecordTracker, and resourceId checking has been rolled into
RefcountedResourceArray's accessor methods.
Bug: 63409385
Test: CTS, all unit tests run on aosp_marlin-eng, new tests added
Change-Id: Iee52dd1c9d2583bb6bfaf65be87569e9d50a5b63
This patch adds (but does not enable the usage of) RefcountedResource
objects to IpSecService, with tests to ensure correct function. This is
patch 1 of a series of patches to refactor the resource management
systems in IpSecService.
RefcountedResource objects allow for management of acyclical dependency
trees, ensuring eventual cleanup when resources are no longer used. This
cleanup may be triggered by binder death or by explicit user action.
Bug: 63409385
Test: New tests written in IpSecServiceRefcountedResourceTest,
explicitly testing the RefcountedResource class
Change-Id: Ib5be7482b2ef5f1c8dec9be68f15e90d8b3aba6d
Throughout the IPsec code (API, system server, netd) we use "reserve"
SPI and "allocate" SPI interchangeably. This renames to use "allocate"
everywhere for self-consistency and consistency with the kernel
(ALLOCSPI).
In javadoc, I am leaving the word "reserve" in several places because it
is still an accurate description of how the method behaves.
Bug: 69128142
Test: TreeHugger should be enough
Change-Id: I8ea603b4612303b0393beef04032671fa53d2106
Replaced null with empty byte array in createTransportModeTransform
for null auth.getKey, crypt.getKey() and authCrypt.getKey()
Test: Ran CTS test
Bug: 68052730
Change-Id: I5110b1297b4bfbb5766e8ecfd3d64f8110b52945
When binding to a random port, the port number was not being
returned, so the user is incorrectly receiving a port of zero.
Return the port number that was ultimately bound.
Bug: 67662580
Test: Ran CTS test on aosp_angler-eng
Change-Id: I22f4e5cdc83d43dc453788889990feb34e451bd3
Allows native AES-GCM-ESP to be used as an IPSec transport/tunnel mode
algorithm with kernel support
Bug: 63589918
Test: IPsecService tests added, existing ones pass
Change-Id: Ie1a9a902be205f269aa37bf956198f2e5b177c21
This is a follow-up CL to address comments
on aosp/466677
-Rename ManagedResourceArray.get()
-Comment cleanup
Bug: 38397094
Test: runtest frameworks-net
Change-Id: I6fbdd89c4a864fe1d8a19c68947f582d7b1f0f21
All of the input to IpSecService over the Binder
interface needs to be validated both for sanity
and for safety.
-Sanity check all the parameters coming from binder.
-Added setters for IpSecConfig to decouple the test
from the IpSecManager. This was needed because the
input validation caused the tests to fail due to a
null parameter that was previously un-tested.
-Added the mode flag to the IpSecConfig bundle this
oversight was found during testing.
-Expose the getResourceId() methods for testing in
UdpEncapsulationSocket, SecurityParameterIndex, and
IpSecTransform classes.
-Remove the unneeded getIpSecConfig() from
IpSecTransform: unneeded now that we can synthesize
configs.
Bug: 38397094
Test: runtest frameworks-net
Change-Id: I5241fc7fbfa9816d54219acd8d81a9f7eef10dd4
Try sticking with integer-based math as much as possible for speed,
but switch to double-based math if we detect that we'd end up
causing an overflow.
New tests to verify.
Test: bit FrameworksNetTests:com.android.server.net.NetworkStatsCollectionTest
Bug: 65257769
Change-Id: I1ae35599be134f81850c0a3d86928b057fba1eff
We only need to hold mNetworkPoliciesSecondLock when working with
subscription plans; before this CL we could end up acquiring the two
NPMS locks out of order, resulting in a deadlock.
Also annotate objects in NSS that require mStatsLock to be held.
Test: builds, boots
Bug: 65268076
Change-Id: I06497564424316ef895dc8dceba72ae784781dc3
When a carrier provides an "anchor" of data usage at a specific
moment in time, augment the network statistics used by warning/limit
thresholds and Settings UI. For example, if the OS measured 500MB
of usage, but the carrier says only 400MB has been used, we "squish"
down the OS measured usage to match that anchor.
Callers using the hidden API will have their data augmented by
default, and the public API offers a way to opt-into augmentation.
Thorough testing to verify behavior.
Test: bit FrameworksNetTests:android.net.,com.android.server.net.
Test: cts-tradefed run commandAndExit cts-dev -m CtsUsageStatsTestCases -t android.app.usage.cts.NetworkUsageStatsTest
Bug: 64534190
Change-Id: Id3d4d7625bbf04f57643e51dbf376e3fa0ea8eca
