LOCKDOWN_VPN was in the FirewallChain IntDef but this was not a right
place because LOCKDOWN_VPN was not a valid value for Connectivity APIs
that take an argument annotated with @FirewallChain(setUidFirewallRule,
setFirewallChainEnabled, replaceFirewallChain).
LOCKDOWN_VPN was in the FirewallChain IntDef because
BpfNetMaps#setUidRule was used to add/remove LOCKDOWN_VPN entries.
This commit adds BpfNetMaps#updateUidLockdownRule and uses this to
add/remove LOCKDOWN_VPN entries instead of BpfNetMaps#setUidRule and
removes LOCKDOWN from FirewallChain.
Bug: 206482423
Test: atest TrafficControllerTest ConnectivityServiceTest
PermissionMonitorTest HostsideVpnTests#testBlockIncomingPacket
Change-Id: Iff9b9792fc0f208f153e10e396c6d5034b412d7c
dump function has no enough code coverage for error handling.
Add a simple unit test so that code lines can be executed and counted.
Test: atest TrafficControllerTest
Change-Id: I65a322cc93d559896f0b481ca849b39315432df3
uidMatchTypeToString function has no enough line coverage currently.
Add a simple unit test so that code lines can be executed and counted.
NO_MATCH(0) can't be verified because match type flag is added by OR
operator. See TrafficController::addRule.
Bug: N/A
Test: atest
Change-Id: I6178d4a8cc21430882fae3c1f53f7bc1cebb6c01
Add more values in different maps to cover more code lines in dump
function.
The original test code is also modified to have one entry per map.
Because the entries are hashed in the map. The order of each entry is
not a fixed order.
Bug: N/A
Test: atest
Change-Id: Ie21016768309e8501a127cb3da02211d21b06c2c
Dump function has no code line coverage currently. Add a simple unit
test so that code lines can be executed and counted.
Bug: N/A
Test: atest
Change-Id: I6362a679d11c26be66ab49216666f0f8c6f2c4f0
BpfMap.reset(createMap()) is equivalent to newly added BpfMap.resetMap(),
except that the latter makes it impossible to screw up the Key/Value sizes.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I290986e9ae8660f3fc6f73b086d33f4ab93d6095
We notice that:
BpfMap.reset(dupFd_with_cloexec(BpfMap.getMap())
is equivalent to
BpfMap = BpfMap
due to the current implementation of the BpfMap assignment operator.
Except the latter also verifies BpfMap<K,V> template types match.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I99fcf77bc6aa360b6a19e22c2cd58d67a1e62976
In the BPF code, per-UID network access (e.g., for doze mode,
standby, etc.) is stored in UidOwnerValue structures. Each of
these stores that UID's rules in a 32-bit bitmask of
UidOwnerMatchType values, so the code can support ~31 match
types.
However, which match types are enabled is stored in
configuration_map at index UID_RULES_CONFIGURATION_KEY, and
configuration_map only stores 8-bit values. So it's not
possible to define more than 7 match types.
Widen configuration_map to from 8 to 32 bits to match the width
of UidOwnerValue.rule. This doesn't impact memory because
configuration_map only has 2 entries.
Bug: 208371987
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7
(for consistency with rest of code base)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5660615f24daf4285e2b6cbacecb7cd99061c5f5
Currently, even when VPN Lockdown mode is enabled, incoming packets are
not dropped if VPN is not connected.
This commit fixed this issue.
After this commit, If VPN Lockdown mode is enabled, incoming packets
are dropped regardless of the VPN connectivity.
Bug: 206482423
Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest
Change-Id: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
netlink_listener_test tests the socket destroy listener, so it makes
sense to just merge it into the TrafficControllerTest.
Test: atest traffic_controller_unit_test
Change-Id: Ibc0b483203150aa2d7898a761fa4715dce6f4218
Delete tagSocket(), privilegedTagSocket() and untagSocket() revelant
test cases since thay are moved out of TrafficController in
aosp/1849156.
Bug: 202086915
Test: atest traffic_controller_unit_test passed
Change-Id: I605577ee4d7076f0c8ad75888a4d32bff90f6104
Delete tagSocket(), privilegedTagSocket() and untagSocket() since
they are moved out of TrafficController in aosp/1849156.
Test: m
Change-Id: I6162c758446f597eb79734e00348dc8b1fe2d422
