Following CLs will switch previous codepath (JNI) and new codepath
(Java) for bpf map operations based on this flag.
Bug: 217624062
Test: atest BpfNetMapsTest
Change-Id: I74f10d5c97390993acea110f6528ef8980bb2aa4
"{@see" aren't rendered properly. Replace them with "See {@link"
or @see depending on the usage.
Bug: 238753273
Test: make doc-comment-check-docs ; Check the doc result
Change-Id: I70cb2f36e7c5fa8102b5949054df5184d755202c
Currently (T+), BPF program and map status are only dumped on demand.
$ adb shell dumpsys connectivity trafficcontroller
The information can be useful for issue debugging, especially on Data
Usage and NetworkPolicyManagerService. It should be logged in bugreport
dumpsys connectivity section as in Android S (which is handled by netd).
Bug: 237954856
Test: adb bugreport
Change-Id: Ic02a58ff2ebdbf375d9df0917e8218ab8faa96da
This commit adds ConnectivityManager#getFirewallChainEnabled to read the
current firewall chain status.
Bug: 208371987
Test: m
Change-Id: I1eadb69f953af5d031cd8dabde3e1f098cf0f4df
NetworkMonitorManager should just be a passthrough wrapper for
INetworkMonitor. Move logic to choose the notifyNetworkConnected version
to call to its only caller, ConnectivityService.
This allows removing the dependency on modules-utils-build, which makes
the networkstack-client library less portable; for example it would add
duplicate classes if networkstack-client is included into service-wifi,
as service-wifi can already use modules-utils-build from framework-wifi.
Fixes: 227161380
Test: atest ConnectivityServiceTest
Change-Id: Ie50f586c5d1ffe021cb0a96294f13f478fd3a2dd
This is a followup commit for aosp/2017317.
1. Reorder the NAT464 information in dumpsys connectivity
2. Reword message when clat not started
Bug: 212345928
Test: dumpsys connectivity
Change-Id: I31c7066787dc7db8e5fe225f3918368b25bb7f5e
Allow ethernet factories on automotive devices to set the allowed UIDs
on NetworkCapabilities.
Bug: 229419469
Test: atest FrameworksNetTests
Change-Id: I03e7cda75f1c530e0d0e4a756330bc9847a96668
(out of current /sys/fs/bpf/net_shared/...)
This will allow genfscon regexp changes in a followup selinux commit.
Note that this has a hard dependency on system/bpf change
'bpfloader: add support for netd_shared and net_private subdirs'
which also bumps bpfloader to v0.13.
This was merged May 12, 2022 (into both aosp/master and tm-dev)
and it is in Android T starting with Beta 3 release.
This isn't really an issue since amusingly T Beta 2 is already
incompatible with current mainline releases due to the snap
reverting a previous required bpfloader system/bpf change:
move net_shared bpf programs into net_shared subdirectory
See: http://b/232050459#comment14
So this doesn't break T Beta1/2, since they already don't work,
and Beta3 will work.
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id5f14d6e3f11cfe35d9d8a9496548a2bc4d022ec
Currently, even when VPN Lockdown mode is enabled, incoming packets are
not dropped if VPN is not connected.
This commit fixed this issue.
After this commit, if VPN Lockdown mode is enabled, incoming packets
are dropped regardless of the VPN connectivity.
Bug: 206482423
Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest
Change-Id: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
Currently, there is no limitation for an app to request
data usage callbacks, which is dangerous if the app fires
hundreds of thousands of requests, and potentially this might
cause OOM if the apps don't free them.
Test: atest NetworkStatsObserversTest#testRegister_limit
Bug: 229103088
Change-Id: I8299f46fd47a82ec9b25ba2e0d3c95db5512c331
1) allowFallback flag was incorrectly not reset while setting profile
preference. Corrected it.
2) Threw exception if default preference and enterprise preference are
set together
3) renamed clearUser to withoutUser
Bug: 231670730
Test: ConnectivityServiceTest
Change-Id: Iaf49237bdc791c7e1dd884d069eff64e74757477
Normally if an app calls requestNetwork with capabilities that it
does not have permission to request, it gets a SecurityException,
except if it requests NET_CAPABILITY_CBS, in which case the request
will not throw but the app will get an onUnavailable callback.
Make this codepath throw as well. This simplifies the code and makes
the app-visible behaviour more consistent (and consistent with what
happens in S and below).
The reason the code was written this way is because the carrier
privilege app should receive a callback if it
loses permission. But onUnavailable is also not the best callback to
send, since it is used very rarely and also releases the app's
request. It seems better to leave the request registered and send
onLost.
Test: atest FrameworksNetTests
Bug: 194332512
Change-Id: I5eaeb415a6654851246e38599a996fbd9366fde0
Since 3p apps are allowed to use restricted networks in S, they
should be allowed to request a restricted network reasonably.
Otherwise, the functionalities of 3p apps will break if they rely
on restricted networks. Thus, CS needs to allow 3p apps to
request restricted networks if 3p apps are in the allowed list.
Bug: 230509118
Test: atest FrameworksNetTests CtsNetTestCases
Change-Id: I236f1550095ee2be29adbc3b28d3ac2561a8b072
Multiple enterprise slices can be set up within a single user profile based
on different uids. So do not remove profile network preference with same
user profile but with different uids.
Bug: 229644102
Test: manual system test and ConnectivityServiceTest
Change-Id: I897b643e01240958fff575de9e15182069efc698
isManagedProfile returns true for managed profiles.
But an enterprise device can be fully managed, like device owner.
Hence check specifically if the request is coming on a fully managed
device.
Bug: 226966328
Bug: 231071836
Test: ran DevicePolicyManager CTS and ConnectivityServiceTest
Change-Id: I7827466bd61e24ba9c36c3a2e25043257e2ed602
(this is safe because on pre-T none of these maps and programs are mainlined
and thus safe to access from mainline code anyway)
Test: TreeHugger, manual
Bug: 218408035
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I23e565d665247f33e084978890a1ee8ffe0fe568
- For clatd start and stop, use ClatdCoordinator on T+ and Netd on S-
- Fix the unit test for T+ and S- devices
Note that mockito.verify(.., times(1)) is replaced by verify(..)
because times(1) is the default and can be omitted.
See verify in mockito/src/main/java/org/mockito/Mockito.java
Note that this commit needs to be merged with aosp/1956072.
Bug: 212345928
Test: atest FrameworksNetTests
manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
$ ping 8.8.8.8
3. Check bpf entries are added
4. Disconnect from ipv6-only wifi.
5. Check bpf entries are removed
6. testipv4.com shows 10/10
Change-Id: I7dfda6eec19de94e4258971effcd8a1210542473
A UID can be a concatenation of a UserID with a 5 digit package UID.
E.g., Bluetooth under User10 would have UID 1001002. This CL removes the
UserID (if any), before checking against BLUETOOTH_UID.
Bug: 228598338
Test: m
Change-Id: I532583345cc9ab474fc848a3ede6be9d8be9c5b0
This ensures that bluetooth can register bluetooth tethering
NetworkAgents without having to make NETWORK_FACTORY a privileged
or role permission.
Test: m
Bug: 221949454
Change-Id: I24a5da444b10dde740c1e449c8630de56946d4e1
setUnderlyingNetworks() is mainly for the NetworkAgents who hold
the NETWORK_FACTORY to set its underlying networks.
And the underlying networks are only visible and useful for the
caller of getNetworkCapabilities() or the receiver of
onCapabilitiesChanged() who hold one of NETWORK_FACTORY,
NETWORK_SETTINGS and MAINLINE_NETWORK_STACK permissions.
Otherwise, the underlying networks field will be cleared before
sending.
Bug: 205738644
Test: atest CtsNetTestCases:ConnectivityManagerTest
atest CtsHostsideNetworkTests:HostsideVpnTests
atest FrameworksNetTests
Change-Id: Ife7630d9676a31ee5ab977cb1b87aec3b6fd7080