PermissionMonitor check permission by each package name but only
update the uid permission to netd. It's better to check
permission by uid directly. Thus, use
ActivityManager#checkUidPermission to check permissions for each
uid.
Bug: 132784544
Test: atest FrameworksNetTests
Change-Id: I057d34383b4dc408b2773e4c6b146774ba0c5eb2
Avoid recording negative data by doing integer-based
math as much as possible, but switch to double-based
math if we detect that we'd end up causing an overflow.
Test :
- Builds, Boots
- High data throughput scenarios
- NetworkStatsHistoryTest, NetworkStatsCollectionTest,
NetworkStatsTest
Bug: 119527458
Change-Id: I55d4aa649bea3ae201ad513074ff2b71cb918dad
This reverts commit dc31686c31.
Reason for revert: Revert and wait for the design is settled down.
Change-Id: I10fdfc37d6456678de1886698cd6ad08bf8aa810
Add Dependencies class in PermissionMonitor for injection
in tests easily.
Bug: 132784544
Test: atests FrameworksNetTests
Change-Id: Ibb84d548908f7a955fa0ff206794486733259978
Revert "Add new network quirk parcelable in the NetworkAttributes."
Revert submission 1323251-ipv6_prov_loss_quirk_parcelable
Reason for revert: Breaks CtsStrictJavaPackagesTestCases
Reverted Changes:
I18e05c09f:Add new network quirk parcelable in the NetworkAtt...
I8dbff2377:Test IPv6ProvisioningLossParcelable in the Network...
Change-Id: Ie906919b344131cd768fbed787248d3caac2f74d
There are two methods to handle package added/removed from
two differnt listeners. It can use one of listener to handle the
changes. Thus, keep PackageManagerInternal#PackageListObserver
but remove the listening from ConnectivityService.
Bug: 132784544
Test: atests FrameworksNetTests
Change-Id: Ib2db85e4108f9fda731bf6667d0af0610fc79fea
Check one more parameter enforceDnsUid in ResolverOptionsParcel in
DnsManagerTest.
Bug: 159587277
Test: atest
com.android.server.connectivity.DnsManagerTest#testSendDnsConfiguration
Change-Id: Ic53f42b968626294c851dac252a70769846ba427
Merged-In: Ic53f42b968626294c851dac252a70769846ba427
Probe DNS servers to see they support DNS-over-TLS. Use system
CAs to verify whether the certificates sent by DNS servers are
trusted or not. An error is thrown to cause the probe failed if
DNS servers send untrusted certificates.
Unlike the DnsResolver which doesn't verify the certificates
in opportunistic mode, all of the DoT probes from NetworkDiagnostics
check certificates.
DoT probes apply to the DNS servers gotten from LinkProperties
and the DoT servers gotten from PrivateDnsConfig whatever private
DNS mode is.
A common example in DNS strict mode:
. DNS TLS dst{8.8.8.8} hostname{dns.google} src{192.168.43.2:48436} qtype{1} qname{815149-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (432ms)
F DNS TLS dst{192.168.43.144} hostname{}: FAILED: java.net.ConnectException: failed to connect to /192.168.43.144 (port 853) from /192.168.43.2 (port 41770) after 2500ms: isConnected failed: ECONNREFUSED (Connection refused) (172ms)
. DNS TLS dst{8.8.4.4} hostname{dns.google} src{192.168.43.2:37598} qtype{1} qname{759312-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (427ms)
An example when the CA is not trusted:
F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. (16ms)
An example when TCP/TLS handshake timeout:
F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: java.net.SocketTimeoutException: failed to connect to /8.8.8.8 (port 853) from /192.168.2.108 (port 45680) after 2500ms (2514ms)
Bug: 132925257
Bug: 118369977
Test: atest FrameworksNetTests
Change-Id: I1b54abed0e931ca4b8a97149459cde54da1c3d6f
This patch addresses the followings,
- Pass Looper to NetworkStatsSubscriptionsMonitor constructor
- Replace Looper with TestLooper in unit test
- Assert fail if result of condition check is not expected.
Bug: 154080205
Test: atest FrameworksNetTests:com.android.server.net.NetworkStatsServiceTest
atest FrameworksNetTests:com.android.server.net.NetworkStatsSubscriptionsMonitorTest
Change-Id: Ibcaba2b38af80cc0ec9a4e428a3b3a1538bc4325
Add ContentObserver to observe the status of
NETSTATS_COMBINE_SUBTYPE_ENABLED to determine that
NetworkStatsSubscriptionsMonitor start or stop
monitoring data usage per RAT type changes.
Bug: 154080515
Test: atest NetworkStatsServiceTest#testDynamicWatchForNetworkRatTypeChanges
Change-Id: I272d589633c9186b45753228b05aa0b40b7c7b89
Bug: 154080205
Test: atest FrameworksNetTests:com.android.server.net.NetworkStatsSubscriptionsMonitorTest
(copy from ag/11788484 but getActiveAndHiddenSubscriptionIdList() since it's renamed
in internal)
Change-Id: Ia162f36efe96d90b2f6f70190d9fa855bba34484
Merged-In: I4ef3f1ab2e5ea1322133edd80db3ccd0022e9c91
Test extra info sent to NetworkMonitor correctly if network
agent is created through new NetworkAgent constructor without
legacy network info taken as parameter.
Bug: 156173829
Test: atest FrameworkNetTests
Change-Id: I4f827664c528bea30cc957a0a617dd37693f4460
No clat app uid 0 rx stats on base iface due to ip6tables raw prerouting drop
(so just copy over the rx stats from the before file)
Test: atest NetworkStatsTest NetworkStatsFactoryTest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie73ba0586dafde67bc2726db26e07f7268c18be3
No clat app uid 0 rx stats on base iface due to ip6tables raw prerouting drop
Test: atest NetworkStatsFactoryTest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I4393afcbe8e1bb886ecf4f5c1573f6ac8a0e29f5
This change adds the @RequiresFeature annotation to Ikev2VpnProfile
Builder methods, and checks before provisioning VPN profiles.
Bug: 156681625
Test: New tests added, passing.
Change-Id: I125d8fbe5d67fb877ad7d0636c007cb3e1a9f59b
This is only necessary when learning the NAT64 prefix from the
RA, because if the NAT64 prefix is learned from DNS, the DNS
resolver already knows the prefix and automatically enables
DNS64 synthesis.
The DNS resolver needs to be informed of the prefix any time
clat is running on a prefix learned from an RA. This is simple to
implement: just set the prefix when starting clat if prefix
discovery is not running, and clear the prefix when stopping clat
if prefix discovery was not running. This ensures that the prefix
is cleared iff it was set.
Bug: 156914456
Test: new unit test coverage
Change-Id: If8ad2d30712a6df3e207c8d3e8a129705242191e
This is not particularly likely to happen unless the pref64 RA is
sent by a different router than the main RA. But more tests are
always good, and this additional coverage will be more useful
in an upcoming change.
Bug: 150648313
Test: test-only change
Change-Id: I3316d49d42100800740afadc4edf0a13a4d8377c
This saves dozens of warnings every time FrameworkNetTests is
compiled. There is nothing we can do about those warnings because
LegacyTypeTracker's reason for existence is to power deprecated
APIs.
Test: m FrameworksNetTests
Change-Id: I4d65b0aade493e12b56a94247efbf9d1ad7bb4b9
As NetworkAgent is in a transition where all agents need
to include the NOT_SUSPENDED capability as part of their
migration to the system API, ConnectivityService adds it
forcefully to all agents that don't have the CELLULAR
transport. This doesn't include VPNs when VPNs have some
cellular network as their underlying network.
The best way to solve this is to make sure the VPN
capabilities reflect those of the underlying networks as
far as the NOT_SUSPENDED capability is concerned. This
is how they work for other similar capabilities.
This also happens to contain a drive-by fix for an issue
with a spurious capabilities callback is triggered when
a VPN connects and it has any underlying network (which
means almost always, because it will take the default
network if it doesn't declare any). Fixing this was
necessary to have a cogent test of this issue, but it
could be moved to another patch or it could stay unfixed
with some minor ajustment to the tests if judged too
dangerous to include in R at this point.
Test: New tests in this patch. Also manually tested with
tcpdump as described in b/150570873.
Bug: 150570873
Change-Id: I3e4ff990c0d4825b21c7679be29a482a2d1324ec
When a VPN connects and it has any underlying network (which
means almost always, because it will take the default network
if it doesn't declare any), it has default capabilities and
will only take the capabilities of its underlying network
as part of an update happening after making the network
available but before the rematch can take place. This in turn
causes the capabilities callback sent as part of the rematch
to be spuriously sent.
Test: FrameworksNetTests. Also tested together with a
followup that adds tests with drive-by coverage for this.
Bug: 150570873
Change-Id: Id7d8bba486bada1a7ba5b0f152d2aa02e407f249
NetworkStats calculation needs to filter out debug entries to
prevent over counting. While NetworkStatsFactory migrates data
usage over a VPN to the TUN network, NetworkStatsFactory does
not filter out debug entries per vpn which will cause debug
entries left and cause exception.
Bug: 152678151
Test: atest com.android.server.net.NetworkStatsFactoryTest
and verify no exception
Change-Id: I3525edc385b07858b48c7add2d331c4b5a2e84ad
This change sets the owner and administrator UIDs for test networks when
their initial values match the UID for the app creating the test
network. This ensures that apps registering test networks can only make
themselves owners / administrators of the network.
Bug: 153449964
Test: atest NetworkAgentTest
Change-Id: I3a974700aa1d83cb285295ed1de0aa263e2e5b58
Address issues found during AIDL review:
- Rename clientAddr to singleClientAddr
- Do not use a ParcelableBundle for notifyNetworkTested or
notifyDataStallSuspected; instead use AIDL parcelables for stronger
backwards compatibility guarantees.
Test: atest NetworkMonitorTest ConnectivityServiceTest
ConnectivityServiceIntegrationTest, manual
Bug: 153500847
Change-Id: Id9b71784e5f6294d203230e57737979e063ff0f8
Currently, if a prefix is learned from an RA while prefix
discovery is running, clatd will be correctly started, but
prefix discovery will be stopped.
In order to fix this, make it possible to call
stopPrefixDiscovery without transitioning to IDLE state (which
is obviously necessary in this case), by moving the assignment of
the next state from that method to its callers. For consistency,
do the same for startPrefixDiscovery.
Bug: 150648313
Test: new test coverage
Change-Id: I3803fa3d9806848b331c35ee8bac256934bd1f21
464xlat will never be started on a network that is not connected,
or on a network that has no IPv6 address.
This is a no-op test-only change but it is necessary for an
upcoming change that violates some of the invalid assumptions
currently made by this test and causes it to fail.
Bug: 150648313
Test: test-only change
Change-Id: I41766e9adaa7c24454648b371e6e3cc647693be5
The NAT64 prefix from the RA always takes precedence over the
NAT64 prefix from DNS discovery, because it is detected faster,
and detecting it does not require sending any packets.
Bug: 150648313
Test: new unit test
Change-Id: Ic7452431d2d9aea1ae59b67a9d8383c6cc5b3902
