When a fully-routed VPN is running, we want to prevent normal apps
under the VPN from receiving packets originating from any local non-VPN
interfaces. This is achieved by using eBPF to create a per-UID input
interface whitelist and populate the whitelist such that all
non-bypassable apps under a VPN can only receive packets from the VPN's
TUN interface (and loopback implicitly)
This is the framework part of the change that build the whitelist.
The whitelist needs to be updated in the following cases:
* When a VPN is connected and disconnected
This will cover the change to allowBypass bit, since that can't be
changed without reconnecting.
* When a VPN's NetworkCapabilites is changed (whitelist/blacklist app changes)
* When a new app is installed
* When an existing app is removed
* When a VPN becomes fully-routed or is no longer fully-routed
New user/profile creation will automatically result in a whitelist app change
transition so it doesn't need to be handled specially here.
Due to the limitation of the kernel IPSec interacting with eBPF (sk_buf->ifindex
does not point to the virtual tunnel interface for kernel IPSec), the whitelist
will only apply to app VPNs but not legacy VPN connections, to prevent breaking
connectivity with kernel IPSec entirely.
Test: atest PermissionMonitorTest
Test: atest android.net.RouteInfoTest
Test: atest com.android.server.ConnectivityServiceTest
Test: atest HostsideVpnTests
Bug: 114231106
Merged-In: I5af81bc80dadd086261ba4b1eb706cc873bb7cfa
Change-Id: I5af81bc80dadd086261ba4b1eb706cc873bb7cfa
(cherry picked from commit 65968ea16bf49f678d4a43c220e1d67393170459)
This freezes the interface as of the latest beta build, not the tip of
tree. IIpClient#setL2KeyAndGroupHint is not in the frozen definition in
particular.
Generated with:
m networkstack-aidl-interfaces-freeze-api \
ipmemorystore-aidl-interfaces-freeze-api
Test: flashed, booted, WiFi and captive portal working
Bug: 128803828
Change-Id: Ideabe73fc93bbefca2d624ee9ca190cf31419424
Merged-In: Ideabe73fc93bbefca2d624ee9ca190cf31419424
(cherry picked from commit 9b89cdaaf401a6b77e160807039c06e537fa600a)
Test: new test for this
Fixes: 62650382
Change-Id: I918b8271d3c3c058553ca888cb54cd36a6efba66
Merged-In: I0fc408d546ae9d72b7dd9415e502252b484d4329
Merged-In: I9282930106d1eee3274d9e5c4e89de60e929a0e6
Since the Framework net test require jni library
libnetworkstatsfactorytestjni, but the test fails to load that library
unless *all* the dependencies of that library are explicitly listed in
jni_libs, whenever any of the dependencies changes the framework net
test will start failing and it might not be catched since the change
might not related to frameworks/base. And this smoke test is aimed to
spot those native library changes and it should be stable enough to put
in global presubmit.
Bug: 124764595
Test: FrameworksNetSmokeTests
Change-Id: Id24e7f0558b5643e4ad7393e85f1f0a2bd875615
Merged-In: Id24e7f0558b5643e4ad7393e85f1f0a2bd875615
(cherry picked from commit 5f8a630da7d5b308c0824a25f6fc1dd4c7552c9f)
As per API council feedback, these constants should live in
a place that is private to the network stack, only with a
range defined in system API.
Bug: 129433383
Test: m
Change-Id: I84a90f84a9af6fef4667ee4d512ebd0413222086
(cherry picked from commit 79a6330650ca04bd7a08afbd63f8016a3b30bc72)
To address the API review feedback provided by
the API council.
Bug: 129261432
Test: atest DnsResolverTest
Merged-In: I5737cf293264bf9d492e7bd56b62bee4d49002eb
(cherry picked from commit 454fe010dcacd38211b857d2b235ed37269e3b7e)
Change-Id: I429dd93285f50314e9d757f4ec8539a3ba40e61b
This commit re-enables enforcement of the MANAGE_TEST_NETWORK
permission, which is only granted to the shell. CTS tests using this
permission should use UiAutomation.adoptShellPermissionIdentity() to
gain access.
Bug: 72950854
Test: IPsec CTS tests using this passing
Change-Id: I98573a5c68e45abbbaddef01f6ac74a6a18e26f9
Merged-In: I98573a5c68e45abbbaddef01f6ac74a6a18e26f9
(cherry picked from commit 3ec38dc5530db151388879a521d6d3b94679a0de)
This follow-up change performs some cleanup changes without affecting
functionality
Bug: 72950854
Test: Compiles, CTS tests using this pass
Change-Id: Ic7394f24f11d713c9374b438182e29d2a02ea236
Merged-In: Ic7394f24f11d713c9374b438182e29d2a02ea236
(cherry picked from commit 7df36ed96a807f258aef43e558ef127b27b90756)
There is a logic error in maybeNotifyNetworkBlockedForNewUidRules
that caused function to return if there is no status change in
the first network. This would cause CTS failed in devices which
has volte-enabled SIM inserted.
Bug: 129409153
Fix: 117969394
Test: 1. atest com.android.cts.net.HostsideNetworkCallbackTests \
--generate-new-metrics 20
2. atest FrameworksNetTests
Change-Id: I11168fd07a7c29e0605f2e874e9d9f41b5ad88b6
Merged-In: Ifd18d1c6ad708c1dbc793f03d8241f572af50317
(cherry picked from commit 794f01c7266275fa4b22a5ce37fe992535d04463)
Carriers in Mainland China need to customize certain captive portal
urls. The main issue is that google servers are not accessible in
Mainland China.
Added the following captive portal resources to be targeted for overlay.
- config_captive_portal_http_url
- config_captive_portal_https_url
- config_captive_portal_fallback_urls (string-array)
- config_captive_portal_fallback_probe_specs (string-array)
These values can be customized for e g diffent countries
Bug: 111819230
Test: atest FrameworksNetTests NetworkStackTests
Test: Add a product RRO that targets a specific country code,
insert a SIM card that matches that country code and check the log
what URL is used.
Merged-In: I54050b28bbfb93e0b7e509dbe0e987a0b902b7d9
Merged-In: I1f734c5f864bb2f2bc8ba1a66fe33d3480554f69
(cherry picked from commit 2977a40b1e8db190e5974a638b2619b3d253d38b)
Change-Id: I278f2888851d38edb59157f8623541fbe94549b6
This patch fixes a bug where if a binder dies before the linkToDeath
call, the cleanup will be performed before the entry is added to the
array. While it is safe in that quotas and tracking performs as per
normal, the RefcountedRecord may not be cleaned up.
Rethrowing this exception is safe, since the only paths that would hit
this are all on binder threads coming from applications. Further, it
seems there is only one real way of this getting hit - if the app that
called the creation died during the binder call.
Bug: 126802451
Test: Compiled, CTS tests passing
Change-Id: Ib955acaa5e498c0e977cb5f2e48cffbc9fea8c7c
Merged-In: I6db75853da9f29e1573512e26351623f22770c5d
Merged-In: I416c2e43961ec0e1cc6b2fbcef970fbce858603b
Merged-In: Ib955acaa5e498c0e977cb5f2e48cffbc9fea8c7c
(cherry picked from commit 6c089d90bfa728e9842de0f5947f0c557c62dea0)
Cherry-pick from commit 415f523f7ce4c7e33fa70ea003f265e5b53faa20,
with small conflict resolution.
Bug: 129510344
Test: m, boots, wifi connects, resolves DNS
Change-Id: Idf24f42a86bbfcc89e3ea8cf50d1b705d72ac613
Merged-In: Idf24f42a86bbfcc89e3ea8cf50d1b705d72ac613
Merged-In: Ia08104f839ef37139a8761e2e625bb10c94c275f
NetdService#getInstance() will get null object in
WrappedConnectivityService constructor. Then pass this null
INetd object to PermissionMonitor will case NPE in
PermissionMonitor#sendPackagePermissionsToNetd()
Bug: 128024100
Test: atest FrameworksNetTests
Change-Id: Ia1c80f9600a19c4aaf3f3c1b497b355d96c49c8e
Merged-In: I7f185e731db91c30a9b0f14aefbdbb067942190e
Merged-In: Ic77ef73841266da487401ffd657ef63562b6fc1e
(cherry picked from commit 7d215078521ea03bbd692364e882d02ad065ced0)
The gnss@2.0 HAL and the framework GNSS Location Provider code is
updated in Q to not call the deprecated requestRouteToHost() method.
However, devices upgrading to Q which are still using gnss@1.1 or
earlier HAL must continued to be supported.
Fixes: 121222025
Test: Tested with gnss@1.1 HAL and first API level P. The
ConnectivityService log message "This method exists only for
app backwards compatibility and must not be called by system
services" is not present for devices with first API level P.
Change-Id: I10199776ea413dc256dbf0771e6cb3eedb334495
Merged-In: Ifa60d8f2d60aba4c4e2894dc612c224d45e3992d
Merged-In: Ifa4ec98d5c942522dfd569664f169fa841d495ed
(cherry picked from commit 2eea7ac272431b6e02a0a281207b981b01daf393)
This commit reduces the flakiness of the
testOpenAndCloseUdpEncapsulationSocket by retrying up to three times.
Unfortunately, testing port-selected socket creation is racy against
other applications. This helps to handle the same race condition as done
in IpSecService#bindToRandomPort
Bug: 128024100
Test: 200x runs of testOpenAndCloseUdpEncapsulationSocket
Change-Id: I7e036ce821019dbac6c50899bd0894e89d2fe82a
Merged-In: Idf040a67e53d9b9ec6e6c647ce24f8ada501d355
Merged-In: Iad9aea4b42cd8b31a5a2659bb9cb54dd1c64e8b7
(cherry picked from commit 614ab3dd4e49e9b664f5065983fb9067148fef12)
The SocketUtils.attach*Filter and SocketUtils.addArpEntry methods
were added there because they could not be added as JNI inside
the NetworkStack. This was not possible because on Go devices,
the NetworkStack was a jar library. But now, Go also uses an APK.
Hence, move these methods to the NetworkStack.
Fixes: 129433183
Merged-In: I66d7b3e4fbfa32bb0bc853e8cf9399031daff8a9
(cherry picked from commit fe71be2b04a3213828dc0347a1dd4a3675d20562)
Change-Id: Ice433a41469e784385f19498c154345d7b9c69b5
The common package covers tests that should be included both in CTS and
unit tests.
Test: atest FrameworksBaseTests
Bug: 129199908
Change-Id: Ic78ff947250871fa773252c924f1dee9395c6074
(cherry picked from commit 054e3e0f5ebfffe5d9fdd0095abac309552ae0cd)
In order to notify netd to swap eBPF maps before pulling the
networkStats from eBPF maps, NetworkStatsFactory need to use the
NetdServices to issue binder calls. So it need to be moved from
framework/base/core to framework/base/service since object in
framework/base/core cannot get any system services. This change is also
necessary for setting up a lock inside NetworkStatsFactory to prevent
racing between two netstats caller since the lock need to be hold before
netd trigger the map swap.
Also fix the compile problem caused by moving the NetworkStatsFactory
and the related tests. Rename the packages and the jni functions to a
more proper name.
Bug: 124764595
Bug: 128900919
Test: NetworkStatsFactoryTest
android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: Ifcfe4df81caf8ede2e4e66a76552cb3200378fa8
