This CL temporarily removes the AppOp restriction
that disallows creation of IpSec tunnels due to
the lack of the appropriate AppOp in AOSP/master.
When the relevant framework merges out to master,
this CL should be reverted.
Manually merging this due to skipping a merge
conflict at ef9f2740a790feceaa47a24b1a179e93c4ffb5e6
Bug: none
Test: compilation
Change-Id: Ic06c193f85f6bcdd0ead4238825c1add78703cde
* changes:
Disable the AppOp Restriction for IpSec Tunnels
Rework Exception Handling for IpSecManager
Update IpSecManager to use InetAddress and prefixLen
Add AppOps Checks for MANAGE_IPSEC_TUNNELS
Add MANAGE_IPSEC_TUNNELS Permission
This CL temporarily removes the AppOp restriction
that disallows creation of IpSec tunnels due to
the lack of the appropriate AppOp in AOSP/master.
When the relevant framework merges out to master,
this CL should be reverted.
Bug: none
Test: compilation
Change-Id: Ic06c193f85f6bcdd0ead4238825c1add78703cde
In order to properly support EOPNOTSUPP this CL
applies a consistent approach to handling Exceptions.
Hereafter, all exceptions that aren't of a special
method-specific type (such as SpiUnavailableException)
will all be returned to the calling process unchanged.
At the API call site, the ServiceSpecificException,
which is really an Errno, will be inspected and either
converted to an unchecked exception for types we know,
or it will be converted to an IOException in cases where
that method can return a checked exception. In cases
where we do not expect an errno, we will simply throw
a generic RuntimeException. This means all API calls
will now properly throw UnsupportedOperationException
and may be CTS tested accordingly.
Bug: 72420898
Test: runtest frameworks-net
Merged-In: I4a00e221618896223fcdb4b4279fb14cd14e34d8
Change-Id: I4a00e221618896223fcdb4b4279fb14cd14e34d8
(cherry picked from commit beed0b61b7)
LinkAddress constructors are currently @hide; this change updates
IpSecManager to use InetAddress and prefixLen, and then construct a
LinkAddress internally. LinkAddress is used over the binder interface to
IpSecService to ensure validity.
Bug: 77528639
Test: CTS, Java unit tests ran on walleye
Merged-In: I19e124adef6d9f4992d8293db3190bcf74c95848
Change-Id: I19e124adef6d9f4992d8293db3190bcf74c95848
(cherry picked from commit d39837f7e2)
Adds support for a new AppOp to permit services to
use IpSec tunnel mode. The IpSecService now needs
a context so change the service mode to a cached
service rather than a static service.
Bug: 66955045
Test: runtest frameworks-net
Merged-In: I17a4a286225b432c3e15ea1587d946189931b4f4
Change-Id: I17a4a286225b432c3e15ea1587d946189931b4f4
(cherry picked from commit 65ef843176)
Add a new MANAGE_IPSEC_TUNNELS permission and
protect all IPsec Tunnel mode APIs with it.
This permission is only granted to the system or
through an AppOp.
Bug: 66955045
Test: compilation
Merged-In: I0f618373b500c493ef2211bece681f74652a1833
Change-Id: I0f618373b500c493ef2211bece681f74652a1833
(cherry picked from commit 00e77247eb)
The current implementation checks for bpf map existence whenever a
NetworkStats request comes in. The check is not efficient and may
require additional permission for threads. So a member variable is added
to NetworkStatsService to store the bpf configuration status and is
initialized when NetworkStatsService starts.
Test: -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
-m CtsUsageStatsTestCases -t android.app.usage.cts.NetworkUsageStatsTest
Bug: 79994577
Change-Id: I872ae18fb3e9631a4e6c4d773fefbba32e60a03b
Merged-In: I872ae18fb3e9631a4e6c4d773fefbba32e60a03b
We've seen reports of negative values flowing through to attempt
being recorded, which will outright crash. This change does one
last-ditch check to see if we're about to work with negative values,
reporting any trouble and clamping them to zero so we don't crash.
This gives us the data we need to continue investigating without
triggering runtime restarts in the field.
Bug: 80057433
Test: atest android.net.NetworkStatsTest
Change-Id: I8174391c6cf5dadc2c2c10a8d841ee07e1f7d934
The current implementation checks for bpf map existence whenever a
NetworkStats request comes in. The check is not efficient and may
require additional permission for threads. So a member variable is added
to NetworkStatsService to store the bpf configuration status and is
initialized when NetworkStatsService starts.
Test: -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
-m CtsUsageStatsTestCases -t android.app.usage.cts.NetworkUsageStatsTest
Bug: 79994577
Change-Id: I872ae18fb3e9631a4e6c4d773fefbba32e60a03b
Convert to using a constant in INetd to ensure
that there is a consistent tunnel prefix between
Java and native code.
Bug: 74560705
Test: atest FramworksNetTest; atest CtsNetTestCases
Change-Id: Ida233aac2e6c6b26567463964e0ebac9d52eff1e
(cherry picked from commit 7be7f4596a)
Convert to using a constant in INetd to ensure
that there is a consistent tunnel prefix between
Java and native code.
Bug: 74560705
Test: atest FramworksNetTest; atest CtsNetTestCases
Change-Id: Ida233aac2e6c6b26567463964e0ebac9d52eff1e
With the new xt_bpf support for iface stats, we no longer need to parse
the per interface stats from /proc/net/dev. And since the old xt_qtaguid
code path also does not depend on it, we can completely remove that helper
function since no caller is depending on it now.
Bug: 72111305
Test: runtest frameworks-net -c com.android.internal.net.NetworkStatsFactoryTest
Change-Id: Icb7eaeef0eeb9fdffd32a90316c76ee05bafffbe
Merged-In: Icb7eaeef0eeb9fdffd32a90316c76ee05bafffbe
(cherry picked from aosp commit b815c978b81eee4b1494bd0b9d25bfad52f08b72)
After adding the xt_bpf module and ifaceStatsMap, eBPF tool can now
support reading per interface data. So networkStatsFactory should move
away from parsing proc/net/dev and use the eBPF map stats instead.
Bug: 72111305
Test: atest com.android.server.net.NetworkStatsServiceTest
Change-Id: Ibcc6150d00835b3bd33af22a72e4a86e172581cf
Merged-In: Ibcc6150d00835b3bd33af22a72e4a86e172581cf
(cherry picked from aosp commit dcc56783f5b945b16c9f5e50333fba557a7c3603)
With the new xt_bpf support for iface stats, we no longer need to parse
the per interface stats from /proc/net/dev. And since the old xt_qtaguid
code path also does not depend on it, we can completely remove that helper
function since no caller is depending on it now.
Bug: 72111305
Test: runtest frameworks-net -c com.android.internal.net.NetworkStatsFactoryTest
Change-Id: Icb7eaeef0eeb9fdffd32a90316c76ee05bafffbe
After adding the xt_bpf module and ifaceStatsMap, eBPF tool can now
support reading per interface data. So networkStatsFactory should move
away from parsing proc/net/dev and use the eBPF map stats instead.
Bug: 72111305
Test: atest com.android.server.net.NetworkStatsServiceTest
Change-Id: Ibcc6150d00835b3bd33af22a72e4a86e172581cf
In order to properly support EOPNOTSUPP this CL
applies a consistent approach to handling Exceptions.
Hereafter, all exceptions that aren't of a special
method-specific type (such as SpiUnavailableException)
will all be returned to the calling process unchanged.
At the API call site, the ServiceSpecificException,
which is really an Errno, will be inspected and either
converted to an unchecked exception for types we know,
or it will be converted to an IOException in cases where
that method can return a checked exception. In cases
where we do not expect an errno, we will simply throw
a generic RuntimeException. This means all API calls
will now properly throw UnsupportedOperationException
and may be CTS tested accordingly.
Bug: 72420898
Test: runtest frameworks-net
Change-Id: I4a00e221618896223fcdb4b4279fb14cd14e34d8
Collecting network statistics is pretty heavy, which is why we're
throttling callers. However, to keep CTS running fast, we provide a
way for tests to force a poll event, instead of making them wait for
the throttle timeout.
Bug: 77908520
Test: atest cts/tests/tests/app.usage/src/android/app/usage/cts/NetworkUsageStatsTest.java
Change-Id: Ia792f0cd495023366ff8c4839df54e7da2ae8331
We've seen devices where heavy communication between "system_server"
and the "phone" process can exhaust Binder threads, especially when
calling while holding locks. To mitigate this, we now interact with
the "phone" process before acquiring any locks.
Update our internal data structures either when we see a connectivity
change, or when SubscriptionManager tells us something changed.
Fix bug in resolveSubscriptionPlan() that always picked the 0'th
SubscriptionPlan instead of looking for the currently active plan;
we now use the same logic for both NSS and NPMS.
Bug: 77908520, 77154412
Test: atest com.android.server.NetworkPolicyManagerServiceTest
Test: atest com.android.server.net.NetworkStatsServiceTest
Change-Id: I177d3fa6cddc78d745b35a9ede12451d458b892c
These trace points surround areas of heavy lifting to help us debug
code that might be taking longer than expected. (For example, slow
getting data from eBPF, slow recording into data structures, slow
writing to disk, or slow evaluating policy.)
Typical timings on a taimen:
performPollLocked: 25.5ms
snapshotUid: 4.4ms
snapshotXt: 1.4ms
[persisting]: 13.4ms
updateNotifications: 3.3ms
Bug: 77908520, 77808546, 77853238, 77154412
Test: builds, boots
Change-Id: I072bfecffee01eeec7e4cbad439bd1cdc166febc