Adds ingress rate limiting functionality to ConnectivityService. The tc
rate limit is installed before we tell netd about the interface, and
removed after the network is removed from netd. When the setting
changes, the old rate limit needs to be removed before a new one can be
added (unfortunately, we cannot use NLM_F_REPLACE when configuring the
tc-police filter).
Currently, this functionality is always enabled, but may or may not work
based on kernel support.
Bug: 157552970
Test: atest FrameworksNetTests:ConnectivityServiceTest
Change-Id: I4e64b2c40490f061e42b40a1b1b3a6618c3d1a87
When the network is a VPN, NetworkMonitor needs to know whether
the VPN requests validation, and that information is stored in
NetworkAgentConfig. Pass it.
Test: FrameworksNetTests
Change-Id: I3616f0796b69ce054d92213aafdef43ba7041596
This reverts commit 13b96bc651.
Reason for revert:
- The reverted CL fixes a bootloop on Fi devices and must be submitted again for droidfood stability purposes.
- It's not clear whether the revert actually fixes the test that prompted it.
Change-Id: I68200501d1c587d1c6b3ad81053175c74961a440
This reverts commit a7d4766d0d.
Reason for revert: DroidMonitor: Potential culprit for Bug 218308105 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Change-Id: Ia9953d023c1eb84846834f92d4f38a72fa14bd30
UIDs can't be sent to netd until the native network is created.
Also, it's possible that the interface disappears at any moment,
so in that case catch the ServiceSpecificException.
Test: FrameworksNetTests
Bug: 218100554
Change-Id: I79285166acf5d89aa34107e00dfff963ccc22d52
Passing one of RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED is
required for all code targeting T or above. The correct value
here is RECEIVER_NOT_EXPORTED because the receiver is being
registered in the system server and the broadcast comes from
the system server itself (same UID).
This does not need to be guarded by OS version because
CarrierPrivilegeAuthenticator is only used on T+.
Test: m
Fix: 217642082
Change-Id: I09840b17bd54352896607737b56c6a692ffbd2c2
* changes:
jni - dynamically link C++ - saves 43 kB
libservice-connectivity - dynamically link c++ - saves 600 kB
link libbase & libnetdutils dynamically - save ~17.5 kiB
remove spurious headers
libclat only depends on libbase_headers not libbase itself
* changes:
Add Low Power Standby support to TrafficController
Handle Low Power Standby chain in ConnectivityService
Implement Low Power Standby packet filtering in BPF program
Since we already ship libc++ in the apex anyway...
Before in /apex/com.android.tethering/lib:
-rw-r--r-- 1 system system 64560 1969-12-31 16:00 libandroid_net_connectivity_com_android_net_module_util_jni.so
After:
-rw-r--r-- 1 system system 21460 1969-12-31 16:00 libandroid_net_connectivity_com_android_net_module_util_jni.so
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I50417e69a9a0b03d24212aa3f875bf241e0b0527
Before in /apex/com.android.tethering/lib:
-rw-r--r-- 1 system system 749980 1969-12-31 16:00 libservice-connectivity.so
After:
-rw-r--r-- 1 system system 150748 1969-12-31 16:00 libservice-connectivity.so
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6892d81ca597d27cc1a85180f7ffa39f2b3de1be
bpf_connectivity_headers already pulls in bpf_headers,
which already pulls in bpf_syscall_wrappers.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib22da8d433bd3187349f06f41ec064360c38982f
* changes:
Use packBitList to prevent long-related mistakes
Introduce ensureListenableCapabilities
Accept accessUids from telephony when it's the carrier config app
Renamed from ensureValid, this is an easier to understand name.
It is also a lot clearer when requestable capabilities also
have to be listenable.
Also move the 2 functions together.
Test: FrameworksNetTests
Change-Id: I685f924a3720846d740837a4a0fee3d88a26725a
netlink_listener_test tests the socket destroy listener, so it makes
sense to just merge it into the TrafficControllerTest.
Test: atest traffic_controller_unit_test
Change-Id: Ibc0b483203150aa2d7898a761fa4715dce6f4218
We are ready to remove traffic controller from netd, so
TrafficController::start() should be called from the system server.
This reverts commit c2984fdca8.
Test: atest FrameworksNetTests FrameworksNetIntegrationTests
CtsNetTestCases:android.net.TrafficStatsTest NetworkUsageStatsTest
CtsHostsideNetworkTests
Change-Id: Ic324ad0c064271977ab35d7f55badee00098e196
Allow framework-connectivity to depend on framework-connectivity-t
stubs, and framework-connectivity-t to depend on prebuilt (to avoid
circular dependencies) framework-connectivity stubs to compile its own
stubs, and framework-connectivity.impl to compile its implementation.
Also reorganize jarjar rules so that service and framework jar can use
static libraries in framework-connectivity without packaging their own,
reducing duplicate code.
Bug: 204830222
Test: m
Change-Id: I75c34986e7c479de23cdb2e9b360fa1fede018c9
Nearby will be merged together with the tethering/connectivity APEX, so
that module maintenance efforts can be reduced, and the two codebases
can evolve the interfaces that they expose to each other over time.
This is a cherry-pick from downstream branches, with some differences:
- nearby/Android.bp is added with empty libraries
- There is no API change, as no API classes are added
- proguard is not applied, so no proguard rules change
- HalfSheetUX APK is not added to the APEX
Bug: 189355156
Test: m
Merged-In: If4b40689a257d2806f895cd2dded97fc699adc5f
Change-Id: I2eb965a0965ffce08388278945160e57e8094339
* changes:
Prevent native_init from starting TrafficController
Remove libutils dependency from libservice-connectivity
Merge libtraffic_controller_jni into libservice-connectivity
[NETD-TC#15] Make ConnectivityService and PermissionMonitor calls BpfNetMaps on T
TrafficController is currently still started by netd, and this should
not happen in two places. Instead, native_init should init (open) the
maps.
Test: atest FrameworksNetTests
Change-Id: Ifd6be50aa5f62e59a5b1c5c0a97550389fd0e7e1
There is not really a point to separate these two as they are all used
in ConnectivityService.
As a future TODO, we might want to rename libservice-connectivity to
libcom_android_server_jni to be more inline with the jarjar'ed jni lib
versions.
Test: atest FrameworksNetTests:ConnectivityServiceTest
Change-Id: I1b9f4fde345038bda6b3ffcf8e3f47cf9262e052
calls BpfNetMaps on T
Since TrafficController moves to mainline module for T, so some netd binder
interfaces revelant to BPF are going to deprecated. Provide JNI APIs to
call TrafficController inside mainline module for T.
Bug: 209935649
Test: atest CtsHostsideNetworkTests
Change-Id: Ib3b43cf2840e02806395af9f1e019ca6fccd032e
For now, all entry points reject this. Followup changes
will allow the supported use cases.
Test: new unit tests and CTS for this in this patch
Change-Id: I7262811a2e46336d3bb63c80886fc0578a36da94
NetworkAgents send NetworkCapabilities to ConnectivityService but
there are limits to what exactly they can send. Going forward,
some of these checks will have to happen on the handler thread,
which is already the case when an agent updates its capabilities,
but not upon registration.
This patches moves the sanitization on the handler thread, after
the network monitor is created for a network agent.
Before this patch, upon registration of a new agent, the binder
thread would copy and sanitize the capabilities, then store them
in nai.networkCapabilities. It would store the original caps from
the agent in the NAI, mix in what is known from the network info,
process the LinkProperties, and then proceed to create the
network monitor, but not yet store the NAI in the internal
structures because its registration is not finalized, so other
methods should not see it yet. After the monitor is created in
the network stack process, the NAI is stored in the internal
structures which publishes it for all methods to see. After
that is done, the NAI calls to the network monitor to warn it
that it's registered, what its capabilities are, and that it's
time to start validation if applicable.
With this patch, the validation no longer happens on the binder
thread. Instead, the binder thread stores the capabilities and
link properties as is, before sanitization, in the NAI. This is
fine because no other method can access these until the
registration completes upon notification that the monitor has
been created ; this agent is only stored in the network monitor
callbacks in a self-destructing object precisely to make sure
that's the case.
When the monitor is created and CS receives notification of the
same, it will sanitize the capabilities before adding the NAI
to the internal structures, to protect the invariant that the
un-sanitized capabilities inside the NAI can't ever be seen by
any other method. After that's done, it will call to the
monitor to start validation as usual.
Test: FrameworksNetTests CtsNetTestsCases
Change-Id: I7d43ef0e25955e0349903b4801b9dfd8c3c92586
* changes:
Don't enable DscpPolicyTracker on pre-T devices.
Allow service JNI in FrameworksNetIntegrationTests.
Don't manually load the JNI library in DscpPolicyTracker.
Process DSCP QoS events for policies
Allow using BpfMap and TcUtils in unit tests.
Added SPDX-license-identifier-Apache-2.0 to:
service/native/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: Ibfaed81348fca9e5cf313a4d29fd0b72bc746e06
The code cannot work before T because before T the tethering
module can only load BPF programs/maps into /sys/fs/tethering/bpf
and the system server cannot access that directory.
Additionally, this is causing unit tests to fail on pre-T devices
because on those devices the seccomp filter blocks the bpf
syscall from apps (including Java tests).
Test: revert aosp/1907693 and atest FrameworksNetTests:ConnectivityServiceTest
Change-Id: I6c398031dffb840da1d723b11ea4d0845ad6c6f2
This is not necessary because TcUtils already loads its library,
and unlike this code, it correctly loads it using JniUtils so
will succeed even when the code is jarjard in unit tests.
Test: atest ConnectivityServiceTest
Change-Id: I57eb46178d58777769f5497a0ea93cd037d598cb
New events to handle adding and removing of DSCP QoS policies.
Async indication sends status back to client if the policy
has been added, failed, or if the policy limit has been
reached.
Bug: 202871011
Change-Id: I7988d22ae625ad0dd415927d2943de4a749e6fb8
