Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Connectivity / 02eee9aa5abc17d9a0a80509effc9654317d5f4a / . / service / native / TrafficControllerTest.cpp
blob: 57f32afe6bce10200542af4f1632bcb4881fcfb3 [file] [log] [blame]
/*
* Copyright 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* TrafficControllerTest.cpp - unit tests for TrafficController.cpp
*/
#include <cstdint>
#include <string>
#include <vector>
#include <fcntl.h>
#include <inttypes.h>
#include <linux/inet_diag.h>
#include <linux/sock_diag.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <gtest/gtest.h>
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <binder/Status.h>
#include <netdutils/MockSyscalls.h>
#define BPF_MAP_MAKE_VISIBLE_FOR_TESTING
#include "TrafficController.h"
#include "bpf/BpfUtils.h"
#include "NetdUpdatablePublic.h"
using namespace android::bpf; // NOLINT(google-build-using-namespace): grandfathered
namespace android {
namespace net {
using android::netdutils::Status;
using base::Result;
using netdutils::isOk;
using netdutils::statusFromErrno;
constexpr int TEST_MAP_SIZE = 10;
constexpr uid_t TEST_UID = 10086;
constexpr uid_t TEST_UID2 = 54321;
constexpr uid_t TEST_UID3 = 98765;
constexpr uint32_t TEST_TAG = 42;
constexpr uint32_t TEST_COUNTERSET = 1;
constexpr int TEST_IFINDEX = 999;
constexpr int RXPACKETS = 1;
constexpr int RXBYTES = 100;
constexpr int TXPACKETS = 0;
constexpr int TXBYTES = 0;
#define ASSERT_VALID(x) ASSERT_TRUE((x).isValid())
#define ASSERT_INVALID(x) ASSERT_FALSE((x).isValid())
class TrafficControllerTest : public ::testing::Test {
protected:
TrafficControllerTest() {}
TrafficController mTc;
BpfMap<uint64_t, UidTagValue> mFakeCookieTagMap;
BpfMap<uint32_t, StatsValue> mFakeAppUidStatsMap;
BpfMap<StatsKey, StatsValue> mFakeStatsMapA;
BpfMap<StatsKey, StatsValue> mFakeStatsMapB; // makeTrafficControllerMapsInvalid only
BpfMap<uint32_t, StatsValue> mFakeIfaceStatsMap; ; // makeTrafficControllerMapsInvalid only
BpfMap<uint32_t, uint32_t> mFakeConfigurationMap;
BpfMap<uint32_t, UidOwnerValue> mFakeUidOwnerMap;
BpfMap<uint32_t, uint8_t> mFakeUidPermissionMap;
BpfMap<uint32_t, uint8_t> mFakeUidCounterSetMap;
BpfMap<uint32_t, IfaceValue> mFakeIfaceIndexNameMap;
void SetUp() {
std::lock_guard guard(mTc.mMutex);
ASSERT_EQ(0, setrlimitForTest());
mFakeCookieTagMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
ASSERT_VALID(mFakeCookieTagMap);
mFakeAppUidStatsMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
ASSERT_VALID(mFakeAppUidStatsMap);
mFakeStatsMapA.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
ASSERT_VALID(mFakeStatsMapA);
mFakeConfigurationMap.resetMap(BPF_MAP_TYPE_ARRAY, CONFIGURATION_MAP_SIZE);
ASSERT_VALID(mFakeConfigurationMap);
mFakeUidOwnerMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
ASSERT_VALID(mFakeUidOwnerMap);
mFakeUidPermissionMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
ASSERT_VALID(mFakeUidPermissionMap);
mFakeUidCounterSetMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
ASSERT_VALID(mFakeUidCounterSetMap);
mFakeIfaceIndexNameMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
ASSERT_VALID(mFakeIfaceIndexNameMap);
mTc.mCookieTagMap = mFakeCookieTagMap;
ASSERT_VALID(mTc.mCookieTagMap);
mTc.mAppUidStatsMap = mFakeAppUidStatsMap;
ASSERT_VALID(mTc.mAppUidStatsMap);
mTc.mStatsMapA = mFakeStatsMapA;
ASSERT_VALID(mTc.mStatsMapA);
mTc.mConfigurationMap = mFakeConfigurationMap;
ASSERT_VALID(mTc.mConfigurationMap);
// Always write to stats map A by default.
static_assert(SELECT_MAP_A == 0);
mTc.mUidOwnerMap = mFakeUidOwnerMap;
ASSERT_VALID(mTc.mUidOwnerMap);
mTc.mUidPermissionMap = mFakeUidPermissionMap;
ASSERT_VALID(mTc.mUidPermissionMap);
mTc.mPrivilegedUser.clear();
mTc.mUidCounterSetMap = mFakeUidCounterSetMap;
ASSERT_VALID(mTc.mUidCounterSetMap);
mTc.mIfaceIndexNameMap = mFakeIfaceIndexNameMap;
ASSERT_VALID(mTc.mIfaceIndexNameMap);
}
void populateFakeStats(uint64_t cookie, uint32_t uid, uint32_t tag, StatsKey* key) {
UidTagValue cookieMapkey = {.uid = (uint32_t)uid, .tag = tag};
EXPECT_RESULT_OK(mFakeCookieTagMap.writeValue(cookie, cookieMapkey, BPF_ANY));
*key = {.uid = uid, .tag = tag, .counterSet = TEST_COUNTERSET, .ifaceIndex = TEST_IFINDEX};
StatsValue statsMapValue = {.rxPackets = RXPACKETS, .rxBytes = RXBYTES,
.txPackets = TXPACKETS, .txBytes = TXBYTES};
EXPECT_RESULT_OK(mFakeStatsMapA.writeValue(*key, statsMapValue, BPF_ANY));
EXPECT_RESULT_OK(mFakeAppUidStatsMap.writeValue(uid, statsMapValue, BPF_ANY));
// put tag information back to statsKey
key->tag = tag;
}
void populateFakeCounterSet(uint32_t uid, uint32_t counterSet) {
EXPECT_RESULT_OK(mFakeUidCounterSetMap.writeValue(uid, counterSet, BPF_ANY));
}
void populateFakeIfaceIndexName(const char* name, uint32_t ifaceIndex) {
if (name == nullptr || ifaceIndex <= 0) return;
IfaceValue iface;
strlcpy(iface.name, name, sizeof(IfaceValue));
EXPECT_RESULT_OK(mFakeIfaceIndexNameMap.writeValue(ifaceIndex, iface, BPF_ANY));
}
void checkUidOwnerRuleForChain(ChildChain chain, UidOwnerMatchType match) {
uint32_t uid = TEST_UID;
EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, DENY, DENYLIST));
Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
EXPECT_RESULT_OK(value);
EXPECT_TRUE(value.value().rule & match);
uid = TEST_UID2;
EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, ALLOW, ALLOWLIST));
value = mFakeUidOwnerMap.readValue(uid);
EXPECT_RESULT_OK(value);
EXPECT_TRUE(value.value().rule & match);
EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, DENY, ALLOWLIST));
value = mFakeUidOwnerMap.readValue(uid);
EXPECT_FALSE(value.ok());
EXPECT_EQ(ENOENT, value.error().code());
uid = TEST_UID;
EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, ALLOW, DENYLIST));
value = mFakeUidOwnerMap.readValue(uid);
EXPECT_FALSE(value.ok());
EXPECT_EQ(ENOENT, value.error().code());
uid = TEST_UID3;
EXPECT_EQ(-ENOENT, mTc.changeUidOwnerRule(chain, uid, ALLOW, DENYLIST));
value = mFakeUidOwnerMap.readValue(uid);
EXPECT_FALSE(value.ok());
EXPECT_EQ(ENOENT, value.error().code());
}
void checkEachUidValue(const std::vector<int32_t>& uids, UidOwnerMatchType match) {
for (uint32_t uid : uids) {
Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
EXPECT_RESULT_OK(value);
EXPECT_TRUE(value.value().rule & match);
}
std::set<uint32_t> uidSet(uids.begin(), uids.end());
const auto checkNoOtherUid = [&uidSet](const int32_t& key,
const BpfMap<uint32_t, UidOwnerValue>&) {
EXPECT_NE(uidSet.end(), uidSet.find(key));
return Result<void>();
};
EXPECT_RESULT_OK(mFakeUidOwnerMap.iterate(checkNoOtherUid));
}
void checkUidMapReplace(const std::string& name, const std::vector<int32_t>& uids,
UidOwnerMatchType match) {
bool isAllowlist = true;
EXPECT_EQ(0, mTc.replaceUidOwnerMap(name, isAllowlist, uids));
checkEachUidValue(uids, match);
isAllowlist = false;
EXPECT_EQ(0, mTc.replaceUidOwnerMap(name, isAllowlist, uids));
checkEachUidValue(uids, match);
}
void expectUidOwnerMapValues(const std::vector<uint32_t>& appUids, uint32_t expectedRule,
uint32_t expectedIif) {
for (uint32_t uid : appUids) {
Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
EXPECT_RESULT_OK(value);
EXPECT_EQ(expectedRule, value.value().rule)
<< "Expected rule for UID " << uid << " to be " << expectedRule << ", but was "
<< value.value().rule;
EXPECT_EQ(expectedIif, value.value().iif)
<< "Expected iif for UID " << uid << " to be " << expectedIif << ", but was "
<< value.value().iif;
}
}
template <class Key, class Value>
void expectMapEmpty(BpfMap<Key, Value>& map) {
auto isEmpty = map.isEmpty();
EXPECT_RESULT_OK(isEmpty);
EXPECT_TRUE(isEmpty.value());
}
void expectUidPermissionMapValues(const std::vector<uid_t>& appUids, uint8_t expectedValue) {
for (uid_t uid : appUids) {
Result<uint8_t> value = mFakeUidPermissionMap.readValue(uid);
EXPECT_RESULT_OK(value);
EXPECT_EQ(expectedValue, value.value())
<< "Expected value for UID " << uid << " to be " << expectedValue
<< ", but was " << value.value();
}
}
void expectPrivilegedUserSet(const std::vector<uid_t>& appUids) {
std::lock_guard guard(mTc.mMutex);
EXPECT_EQ(appUids.size(), mTc.mPrivilegedUser.size());
for (uid_t uid : appUids) {
EXPECT_NE(mTc.mPrivilegedUser.end(), mTc.mPrivilegedUser.find(uid));
}
}
void expectPrivilegedUserSetEmpty() {
std::lock_guard guard(mTc.mMutex);
EXPECT_TRUE(mTc.mPrivilegedUser.empty());
}
Status updateUidOwnerMaps(const std::vector<uint32_t>& appUids,
UidOwnerMatchType matchType, TrafficController::IptOp op) {
Status ret(0);
for (auto uid : appUids) {
ret = mTc.updateUidOwnerMap(uid, matchType, op);
if(!isOk(ret)) break;
}
return ret;
}
Status dump(bool verbose, std::vector<std::string>& outputLines) {
if (!outputLines.empty()) return statusFromErrno(EUCLEAN, "Output buffer is not empty");
android::base::unique_fd localFd, remoteFd;
if (!Pipe(&localFd, &remoteFd)) return statusFromErrno(errno, "Failed on pipe");
// dump() blocks until another thread has consumed all its output.
std::thread dumpThread =
std::thread([this, remoteFd{std::move(remoteFd)}, verbose]() {
mTc.dump(remoteFd, verbose);
});
std::string dumpContent;
if (!android::base::ReadFdToString(localFd.get(), &dumpContent)) {
return statusFromErrno(errno, "Failed to read dump results from fd");
}
dumpThread.join();
std::stringstream dumpStream(std::move(dumpContent));
std::string line;
while (std::getline(dumpStream, line)) {
outputLines.push_back(line);
}
return netdutils::status::ok;
}
// Strings in the |expect| must exist in dump results in order. But no need to be consecutive.
bool expectDumpsysContains(std::vector<std::string>& expect) {
if (expect.empty()) return false;
std::vector<std::string> output;
Status result = dump(true, output);
if (!isOk(result)) {
GTEST_LOG_(ERROR) << "TrafficController dump failed: " << netdutils::toString(result);
return false;
}
int matched = 0;
auto it = expect.begin();
for (const auto& line : output) {
if (it == expect.end()) break;
if (std::string::npos != line.find(*it)) {
matched++;
++it;
}
}
if (matched != expect.size()) {
// dump results for debugging
for (const auto& o : output) LOG(INFO) << "output: " << o;
for (const auto& e : expect) LOG(INFO) << "expect: " << e;
return false;
}
return true;
}
// Once called, the maps of TrafficController can't recover to valid maps which initialized
// in SetUp().
void makeTrafficControllerMapsInvalid() {
constexpr char INVALID_PATH[] = "invalid";
mFakeCookieTagMap.init(INVALID_PATH);
mTc.mCookieTagMap = mFakeCookieTagMap;
ASSERT_INVALID(mTc.mCookieTagMap);
mFakeAppUidStatsMap.init(INVALID_PATH);
mTc.mAppUidStatsMap = mFakeAppUidStatsMap;
ASSERT_INVALID(mTc.mAppUidStatsMap);
mFakeStatsMapA.init(INVALID_PATH);
mTc.mStatsMapA = mFakeStatsMapA;
ASSERT_INVALID(mTc.mStatsMapA);
mFakeStatsMapB.init(INVALID_PATH);
mTc.mStatsMapB = mFakeStatsMapB;
ASSERT_INVALID(mTc.mStatsMapB);
mFakeIfaceStatsMap.init(INVALID_PATH);
mTc.mIfaceStatsMap = mFakeIfaceStatsMap;
ASSERT_INVALID(mTc.mIfaceStatsMap);
mFakeConfigurationMap.init(INVALID_PATH);
mTc.mConfigurationMap = mFakeConfigurationMap;
ASSERT_INVALID(mTc.mConfigurationMap);
mFakeUidOwnerMap.init(INVALID_PATH);
mTc.mUidOwnerMap = mFakeUidOwnerMap;
ASSERT_INVALID(mTc.mUidOwnerMap);
mFakeUidPermissionMap.init(INVALID_PATH);
mTc.mUidPermissionMap = mFakeUidPermissionMap;
ASSERT_INVALID(mTc.mUidPermissionMap);
mFakeUidCounterSetMap.init(INVALID_PATH);
mTc.mUidCounterSetMap = mFakeUidCounterSetMap;
ASSERT_INVALID(mTc.mUidCounterSetMap);
mFakeIfaceIndexNameMap.init(INVALID_PATH);
mTc.mIfaceIndexNameMap = mFakeIfaceIndexNameMap;
ASSERT_INVALID(mTc.mIfaceIndexNameMap);
}
};
TEST_F(TrafficControllerTest, TestUpdateOwnerMapEntry) {
uint32_t uid = TEST_UID;
ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, DENY, DENYLIST)));
Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
ASSERT_RESULT_OK(value);
ASSERT_TRUE(value.value().rule & STANDBY_MATCH);
ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(DOZABLE_MATCH, uid, ALLOW, ALLOWLIST)));
value = mFakeUidOwnerMap.readValue(uid);
ASSERT_RESULT_OK(value);
ASSERT_TRUE(value.value().rule & DOZABLE_MATCH);
ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(DOZABLE_MATCH, uid, DENY, ALLOWLIST)));
value = mFakeUidOwnerMap.readValue(uid);
ASSERT_RESULT_OK(value);
ASSERT_FALSE(value.value().rule & DOZABLE_MATCH);
ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, ALLOW, DENYLIST)));
ASSERT_FALSE(mFakeUidOwnerMap.readValue(uid).ok());
uid = TEST_UID2;
ASSERT_FALSE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, ALLOW, DENYLIST)));
ASSERT_FALSE(mFakeUidOwnerMap.readValue(uid).ok());
}
TEST_F(TrafficControllerTest, TestChangeUidOwnerRule) {
checkUidOwnerRuleForChain(DOZABLE, DOZABLE_MATCH);
checkUidOwnerRuleForChain(STANDBY, STANDBY_MATCH);
checkUidOwnerRuleForChain(POWERSAVE, POWERSAVE_MATCH);
checkUidOwnerRuleForChain(RESTRICTED, RESTRICTED_MATCH);
checkUidOwnerRuleForChain(LOW_POWER_STANDBY, LOW_POWER_STANDBY_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_1, OEM_DENY_1_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_2, OEM_DENY_2_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_3, OEM_DENY_3_MATCH);
ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(NONE, TEST_UID, ALLOW, ALLOWLIST));
ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(INVALID_CHAIN, TEST_UID, ALLOW, ALLOWLIST));
}
TEST_F(TrafficControllerTest, TestReplaceUidOwnerMap) {
std::vector<int32_t> uids = {TEST_UID, TEST_UID2, TEST_UID3};
checkUidMapReplace("fw_dozable", uids, DOZABLE_MATCH);
checkUidMapReplace("fw_standby", uids, STANDBY_MATCH);
checkUidMapReplace("fw_powersave", uids, POWERSAVE_MATCH);
checkUidMapReplace("fw_restricted", uids, RESTRICTED_MATCH);
checkUidMapReplace("fw_low_power_standby", uids, LOW_POWER_STANDBY_MATCH);
checkUidMapReplace("fw_oem_deny_1", uids, OEM_DENY_1_MATCH);
checkUidMapReplace("fw_oem_deny_2", uids, OEM_DENY_2_MATCH);
checkUidMapReplace("fw_oem_deny_3", uids, OEM_DENY_3_MATCH);
ASSERT_EQ(-EINVAL, mTc.replaceUidOwnerMap("unknow", true, uids));
}
TEST_F(TrafficControllerTest, TestReplaceSameChain) {
std::vector<int32_t> uids = {TEST_UID, TEST_UID2, TEST_UID3};
checkUidMapReplace("fw_dozable", uids, DOZABLE_MATCH);
std::vector<int32_t> newUids = {TEST_UID2, TEST_UID3};
checkUidMapReplace("fw_dozable", newUids, DOZABLE_MATCH);
}
TEST_F(TrafficControllerTest, TestDenylistUidMatch) {
std::vector<uint32_t> appUids = {1000, 1001, 10012};
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, PENALTY_BOX_MATCH,
TrafficController::IptOpInsert)));
expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, PENALTY_BOX_MATCH,
TrafficController::IptOpDelete)));
expectMapEmpty(mFakeUidOwnerMap);
}
TEST_F(TrafficControllerTest, TestAllowlistUidMatch) {
std::vector<uint32_t> appUids = {1000, 1001, 10012};
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpInsert)));
expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpDelete)));
expectMapEmpty(mFakeUidOwnerMap);
}
TEST_F(TrafficControllerTest, TestReplaceMatchUid) {
std::vector<uint32_t> appUids = {1000, 1001, 10012};
// Add appUids to the denylist and expect that their values are all PENALTY_BOX_MATCH.
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, PENALTY_BOX_MATCH,
TrafficController::IptOpInsert)));
expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
// Add the same UIDs to the allowlist and expect that we get PENALTY_BOX_MATCH |
// HAPPY_BOX_MATCH.
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpInsert)));
expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH | PENALTY_BOX_MATCH, 0);
// Remove the same UIDs from the allowlist and check the PENALTY_BOX_MATCH is still there.
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpDelete)));
expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
// Remove the same UIDs from the denylist and check the map is empty.
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, PENALTY_BOX_MATCH,
TrafficController::IptOpDelete)));
ASSERT_FALSE(mFakeUidOwnerMap.getFirstKey().ok());
}
TEST_F(TrafficControllerTest, TestDeleteWrongMatchSilentlyFails) {
std::vector<uint32_t> appUids = {1000, 1001, 10012};
// If the uid does not exist in the map, trying to delete a rule about it will fail.
ASSERT_FALSE(isOk(updateUidOwnerMaps(appUids, HAPPY_BOX_MATCH,
TrafficController::IptOpDelete)));
expectMapEmpty(mFakeUidOwnerMap);
// Add denylist rules for appUids.
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, HAPPY_BOX_MATCH,
TrafficController::IptOpInsert)));
expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
// Delete (non-existent) denylist rules for appUids, and check that this silently does
// nothing if the uid is in the map but does not have denylist match. This is required because
// NetworkManagementService will try to remove a uid from denylist after adding it to the
// allowlist and if the remove fails it will not update the uid status.
ASSERT_TRUE(isOk(updateUidOwnerMaps(appUids, PENALTY_BOX_MATCH,
TrafficController::IptOpDelete)));
expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
}
TEST_F(TrafficControllerTest, TestAddUidInterfaceFilteringRules) {
int iif0 = 15;
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif0, {1000, 1001})));
expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
// Add some non-overlapping new uids. They should coexist with existing rules
int iif1 = 16;
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {2000, 2001})));
expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
expectUidOwnerMapValues({2000, 2001}, IIF_MATCH, iif1);
// Overwrite some existing uids
int iif2 = 17;
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif2, {1000, 2000})));
expectUidOwnerMapValues({1001}, IIF_MATCH, iif0);
expectUidOwnerMapValues({2001}, IIF_MATCH, iif1);
expectUidOwnerMapValues({1000, 2000}, IIF_MATCH, iif2);
}
TEST_F(TrafficControllerTest, TestRemoveUidInterfaceFilteringRules) {
int iif0 = 15;
int iif1 = 16;
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif0, {1000, 1001})));
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {2000, 2001})));
expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
expectUidOwnerMapValues({2000, 2001}, IIF_MATCH, iif1);
// Rmove some uids
ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1001, 2001})));
expectUidOwnerMapValues({1000}, IIF_MATCH, iif0);
expectUidOwnerMapValues({2000}, IIF_MATCH, iif1);
checkEachUidValue({1000, 2000}, IIF_MATCH); // Make sure there are only two uids remaining
// Remove non-existent uids shouldn't fail
ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({2000, 3000})));
expectUidOwnerMapValues({1000}, IIF_MATCH, iif0);
checkEachUidValue({1000}, IIF_MATCH); // Make sure there are only one uid remaining
// Remove everything
ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1000})));
expectMapEmpty(mFakeUidOwnerMap);
}
TEST_F(TrafficControllerTest, TestUpdateUidLockdownRule) {
// Add Lockdown rules
ASSERT_TRUE(isOk(mTc.updateUidLockdownRule(1000, true /* add */)));
ASSERT_TRUE(isOk(mTc.updateUidLockdownRule(1001, true /* add */)));
expectUidOwnerMapValues({1000, 1001}, LOCKDOWN_VPN_MATCH, 0);
// Remove one of Lockdown rules
ASSERT_TRUE(isOk(mTc.updateUidLockdownRule(1000, false /* add */)));
expectUidOwnerMapValues({1001}, LOCKDOWN_VPN_MATCH, 0);
// Remove remaining Lockdown rule
ASSERT_TRUE(isOk(mTc.updateUidLockdownRule(1001, false /* add */)));
expectMapEmpty(mFakeUidOwnerMap);
}
TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesCoexistWithExistingMatches) {
// Set up existing PENALTY_BOX_MATCH rules
ASSERT_TRUE(isOk(updateUidOwnerMaps({1000, 1001, 10012}, PENALTY_BOX_MATCH,
TrafficController::IptOpInsert)));
expectUidOwnerMapValues({1000, 1001, 10012}, PENALTY_BOX_MATCH, 0);
// Add some partially-overlapping uid owner rules and check result
int iif1 = 32;
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {10012, 10013, 10014})));
expectUidOwnerMapValues({1000, 1001}, PENALTY_BOX_MATCH, 0);
expectUidOwnerMapValues({10012}, PENALTY_BOX_MATCH | IIF_MATCH, iif1);
expectUidOwnerMapValues({10013, 10014}, IIF_MATCH, iif1);
// Removing some PENALTY_BOX_MATCH rules should not change uid interface rule
ASSERT_TRUE(isOk(updateUidOwnerMaps({1001, 10012}, PENALTY_BOX_MATCH,
TrafficController::IptOpDelete)));
expectUidOwnerMapValues({1000}, PENALTY_BOX_MATCH, 0);
expectUidOwnerMapValues({10012, 10013, 10014}, IIF_MATCH, iif1);
// Remove all uid interface rules
ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({10012, 10013, 10014})));
expectUidOwnerMapValues({1000}, PENALTY_BOX_MATCH, 0);
// Make sure these are the only uids left
checkEachUidValue({1000}, PENALTY_BOX_MATCH);
}
TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesCoexistWithNewMatches) {
int iif1 = 56;
// Set up existing uid interface rules
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {10001, 10002})));
expectUidOwnerMapValues({10001, 10002}, IIF_MATCH, iif1);
// Add some partially-overlapping doze rules
EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_dozable", true, {10002, 10003}));
expectUidOwnerMapValues({10001}, IIF_MATCH, iif1);
expectUidOwnerMapValues({10002}, DOZABLE_MATCH | IIF_MATCH, iif1);
expectUidOwnerMapValues({10003}, DOZABLE_MATCH, 0);
// Introduce a third rule type (powersave) on various existing UIDs
EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_powersave", true, {10000, 10001, 10002, 10003}));
expectUidOwnerMapValues({10000}, POWERSAVE_MATCH, 0);
expectUidOwnerMapValues({10001}, POWERSAVE_MATCH | IIF_MATCH, iif1);
expectUidOwnerMapValues({10002}, POWERSAVE_MATCH | DOZABLE_MATCH | IIF_MATCH, iif1);
expectUidOwnerMapValues({10003}, POWERSAVE_MATCH | DOZABLE_MATCH, 0);
// Remove all doze rules
EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_dozable", true, {}));
expectUidOwnerMapValues({10000}, POWERSAVE_MATCH, 0);
expectUidOwnerMapValues({10001}, POWERSAVE_MATCH | IIF_MATCH, iif1);
expectUidOwnerMapValues({10002}, POWERSAVE_MATCH | IIF_MATCH, iif1);
expectUidOwnerMapValues({10003}, POWERSAVE_MATCH, 0);
// Remove all powersave rules, expect ownerMap to only have uid interface rules left
EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_powersave", true, {}));
expectUidOwnerMapValues({10001, 10002}, IIF_MATCH, iif1);
// Make sure these are the only uids left
checkEachUidValue({10001, 10002}, IIF_MATCH);
}
TEST_F(TrafficControllerTest, TestAddUidInterfaceFilteringRulesWithWildcard) {
// iif=0 is a wildcard
int iif = 0;
// Add interface rule with wildcard to uids
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif, {1000, 1001})));
expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif);
}
TEST_F(TrafficControllerTest, TestRemoveUidInterfaceFilteringRulesWithWildcard) {
// iif=0 is a wildcard
int iif = 0;
// Add interface rule with wildcard to two uids
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif, {1000, 1001})));
expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif);
// Remove interface rule from one of the uids
ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1000})));
expectUidOwnerMapValues({1001}, IIF_MATCH, iif);
checkEachUidValue({1001}, IIF_MATCH);
// Remove interface rule from the remaining uid
ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1001})));
expectMapEmpty(mFakeUidOwnerMap);
}
TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesWithWildcardAndExistingMatches) {
// Set up existing DOZABLE_MATCH and POWERSAVE_MATCH rule
ASSERT_TRUE(isOk(updateUidOwnerMaps({1000}, DOZABLE_MATCH,
TrafficController::IptOpInsert)));
ASSERT_TRUE(isOk(updateUidOwnerMaps({1000}, POWERSAVE_MATCH,
TrafficController::IptOpInsert)));
// iif=0 is a wildcard
int iif = 0;
// Add interface rule with wildcard to the existing uid
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif, {1000})));
expectUidOwnerMapValues({1000}, POWERSAVE_MATCH | DOZABLE_MATCH | IIF_MATCH, iif);
// Remove interface rule with wildcard from the existing uid
ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1000})));
expectUidOwnerMapValues({1000}, POWERSAVE_MATCH | DOZABLE_MATCH, 0);
}
TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesWithWildcardAndNewMatches) {
// iif=0 is a wildcard
int iif = 0;
// Set up existing interface rule with wildcard
ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif, {1000})));
// Add DOZABLE_MATCH and POWERSAVE_MATCH rule to the existing uid
ASSERT_TRUE(isOk(updateUidOwnerMaps({1000}, DOZABLE_MATCH,
TrafficController::IptOpInsert)));
ASSERT_TRUE(isOk(updateUidOwnerMaps({1000}, POWERSAVE_MATCH,
TrafficController::IptOpInsert)));
expectUidOwnerMapValues({1000}, POWERSAVE_MATCH | DOZABLE_MATCH | IIF_MATCH, iif);
// Remove DOZABLE_MATCH and POWERSAVE_MATCH rule from the existing uid
ASSERT_TRUE(isOk(updateUidOwnerMaps({1000}, DOZABLE_MATCH,
TrafficController::IptOpDelete)));
ASSERT_TRUE(isOk(updateUidOwnerMaps({1000}, POWERSAVE_MATCH,
TrafficController::IptOpDelete)));
expectUidOwnerMapValues({1000}, IIF_MATCH, iif);
}
TEST_F(TrafficControllerTest, TestGrantInternetPermission) {
std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, appUids);
expectMapEmpty(mFakeUidPermissionMap);
expectPrivilegedUserSetEmpty();
}
TEST_F(TrafficControllerTest, TestRevokeInternetPermission) {
std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
}
TEST_F(TrafficControllerTest, TestPermissionUninstalled) {
std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
expectUidPermissionMapValues(appUids, INetd::PERMISSION_UPDATE_DEVICE_STATS);
expectPrivilegedUserSet(appUids);
std::vector<uid_t> uidToRemove = {TEST_UID};
mTc.setPermissionForUids(INetd::PERMISSION_UNINSTALLED, uidToRemove);
std::vector<uid_t> uidRemain = {TEST_UID3, TEST_UID2};
expectUidPermissionMapValues(uidRemain, INetd::PERMISSION_UPDATE_DEVICE_STATS);
expectPrivilegedUserSet(uidRemain);
mTc.setPermissionForUids(INetd::PERMISSION_UNINSTALLED, uidRemain);
expectMapEmpty(mFakeUidPermissionMap);
expectPrivilegedUserSetEmpty();
}
TEST_F(TrafficControllerTest, TestGrantUpdateStatsPermission) {
std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
expectUidPermissionMapValues(appUids, INetd::PERMISSION_UPDATE_DEVICE_STATS);
expectPrivilegedUserSet(appUids);
mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
expectPrivilegedUserSetEmpty();
expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
}
TEST_F(TrafficControllerTest, TestRevokeUpdateStatsPermission) {
std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
expectPrivilegedUserSet(appUids);
std::vector<uid_t> uidToRemove = {TEST_UID};
mTc.setPermissionForUids(INetd::PERMISSION_NONE, uidToRemove);
std::vector<uid_t> uidRemain = {TEST_UID3, TEST_UID2};
expectPrivilegedUserSet(uidRemain);
mTc.setPermissionForUids(INetd::PERMISSION_NONE, uidRemain);
expectPrivilegedUserSetEmpty();
}
TEST_F(TrafficControllerTest, TestGrantWrongPermission) {
std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
expectPrivilegedUserSetEmpty();
expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
}
TEST_F(TrafficControllerTest, TestGrantDuplicatePermissionSlientlyFail) {
std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, appUids);
expectMapEmpty(mFakeUidPermissionMap);
std::vector<uid_t> uidToAdd = {TEST_UID};
mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, uidToAdd);
expectPrivilegedUserSetEmpty();
mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
expectPrivilegedUserSet(appUids);
mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, uidToAdd);
expectPrivilegedUserSet(appUids);
mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
expectPrivilegedUserSetEmpty();
}
TEST_F(TrafficControllerTest, getFirewallType) {
static const struct TestConfig {
ChildChain childChain;
FirewallType firewallType;
} testConfigs[] = {
// clang-format off
{NONE, DENYLIST},
{DOZABLE, ALLOWLIST},
{STANDBY, DENYLIST},
{POWERSAVE, ALLOWLIST},
{RESTRICTED, ALLOWLIST},
{LOW_POWER_STANDBY, ALLOWLIST},
{OEM_DENY_1, DENYLIST},
{OEM_DENY_2, DENYLIST},
{OEM_DENY_3, DENYLIST},
{INVALID_CHAIN, DENYLIST},
// clang-format on
};
for (const auto& config : testConfigs) {
SCOPED_TRACE(fmt::format("testConfig: [{}, {}]", config.childChain, config.firewallType));
EXPECT_EQ(config.firewallType, mTc.getFirewallType(config.childChain));
}
}
constexpr uint32_t SOCK_CLOSE_WAIT_US = 30 * 1000;
constexpr uint32_t ENOBUFS_POLL_WAIT_US = 10 * 1000;
using android::base::Error;
using android::base::Result;
using android::bpf::BpfMap;
// This test set up a SkDestroyListener that is running parallel with the production
// SkDestroyListener. The test will create thousands of sockets and tag them on the
// production cookieUidTagMap and close them in a short time. When the number of
// sockets get closed exceeds the buffer size, it will start to return ENOBUFF
// error. The error will be ignored by the production SkDestroyListener and the
// test will clean up the tags in tearDown if there is any remains.
// TODO: Instead of test the ENOBUFF error, we can test the production
// SkDestroyListener to see if it failed to delete a tagged socket when ENOBUFF
// triggered.
class NetlinkListenerTest : public testing::Test {
protected:
NetlinkListenerTest() {}
BpfMap<uint64_t, UidTagValue> mCookieTagMap;
void SetUp() {
mCookieTagMap.init(COOKIE_TAG_MAP_PATH);
ASSERT_TRUE(mCookieTagMap.isValid());
}
void TearDown() {
const auto deleteTestCookieEntries = [](const uint64_t& key, const UidTagValue& value,
BpfMap<uint64_t, UidTagValue>& map) {
if ((value.uid == TEST_UID) && (value.tag == TEST_TAG)) {
Result<void> res = map.deleteValue(key);
if (res.ok() || (res.error().code() == ENOENT)) {
return Result<void>();
}
ALOGE("Failed to delete data(cookie = %" PRIu64 "): %s", key,
strerror(res.error().code()));
}
// Move forward to next cookie in the map.
return Result<void>();
};
EXPECT_RESULT_OK(mCookieTagMap.iterateWithValue(deleteTestCookieEntries));
}
Result<void> checkNoGarbageTagsExist() {
const auto checkGarbageTags = [](const uint64_t&, const UidTagValue& value,
const BpfMap<uint64_t, UidTagValue>&) -> Result<void> {
if ((TEST_UID == value.uid) && (TEST_TAG == value.tag)) {
return Error(EUCLEAN) << "Closed socket is not untagged";
}
return {};
};
return mCookieTagMap.iterateWithValue(checkGarbageTags);
}
bool checkMassiveSocketDestroy(int totalNumber, bool expectError) {
std::unique_ptr<android::netdutils::NetlinkListenerInterface> skDestroyListener;
auto result = android::net::TrafficController::makeSkDestroyListener();
if (!isOk(result)) {
ALOGE("Unable to create SkDestroyListener: %s", toString(result).c_str());
} else {
skDestroyListener = std::move(result.value());
}
int rxErrorCount = 0;
// Rx handler extracts nfgenmsg looks up and invokes registered dispatch function.
const auto rxErrorHandler = [&rxErrorCount](const int, const int) { rxErrorCount++; };
skDestroyListener->registerSkErrorHandler(rxErrorHandler);
int fds[totalNumber];
for (int i = 0; i < totalNumber; i++) {
fds[i] = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
// The likely reason for a failure is running out of available file descriptors.
EXPECT_LE(0, fds[i]) << i << " of " << totalNumber;
if (fds[i] < 0) {
// EXPECT_LE already failed above, so test case is a failure, but we don't
// want potentially tens of thousands of extra failures creating and then
// closing all these fds cluttering up the logs.
totalNumber = i;
break;
};
libnetd_updatable_tagSocket(fds[i], TEST_TAG, TEST_UID, 1000);
}
// TODO: Use a separate thread that has its own fd table so we can
// close sockets even faster simply by terminating that thread.
for (int i = 0; i < totalNumber; i++) {
EXPECT_EQ(0, close(fds[i]));
}
// wait a bit for netlink listener to handle all the messages.
usleep(SOCK_CLOSE_WAIT_US);
if (expectError) {
// If ENOBUFS triggered, check it only called into the handler once, ie.
// that the netlink handler is not spinning.
int currentErrorCount = rxErrorCount;
// 0 error count is acceptable because the system has chances to close all sockets
// normally.
EXPECT_LE(0, rxErrorCount);
if (!rxErrorCount) return true;
usleep(ENOBUFS_POLL_WAIT_US);
EXPECT_EQ(currentErrorCount, rxErrorCount);
} else {
EXPECT_RESULT_OK(checkNoGarbageTagsExist());
EXPECT_EQ(0, rxErrorCount);
}
return false;
}
};
TEST_F(NetlinkListenerTest, TestAllSocketUntagged) {
checkMassiveSocketDestroy(10, false);
checkMassiveSocketDestroy(100, false);
}
// Disabled because flaky on blueline-userdebug; this test relies on the main thread
// winning a race against the NetlinkListener::run() thread. There's no way to ensure
// things will be scheduled the same way across all architectures and test environments.
TEST_F(NetlinkListenerTest, DISABLED_TestSkDestroyError) {
bool needRetry = false;
int retryCount = 0;
do {
needRetry = checkMassiveSocketDestroy(32500, true);
if (needRetry) retryCount++;
} while (needRetry && retryCount < 3);
// Should review test if it can always close all sockets correctly.
EXPECT_GT(3, retryCount);
}
} // namespace net
} // namespace android