Move isChainEnabled and getUidRule to BpfNetMapsUtils
This CL also adds @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
to NetworkStackBpfNetMaps
Bug: 328732146
Test: TH
Change-Id: Ifa4cffd046164405b8b49d2e2ee9f27240bec6fa
diff --git a/framework/src/android/net/BpfNetMapsUtils.java b/framework/src/android/net/BpfNetMapsUtils.java
index cb2b770..3c91db2 100644
--- a/framework/src/android/net/BpfNetMapsUtils.java
+++ b/framework/src/android/net/BpfNetMapsUtils.java
@@ -43,6 +43,8 @@
import static android.net.ConnectivityManager.FIREWALL_CHAIN_POWERSAVE;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_RESTRICTED;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_STANDBY;
+import static android.net.ConnectivityManager.FIREWALL_RULE_ALLOW;
+import static android.net.ConnectivityManager.FIREWALL_RULE_DENY;
import static android.system.OsConstants.EINVAL;
import android.os.ServiceSpecificException;
@@ -166,6 +168,56 @@
}
}
+ /**
+ * Get the specified firewall chain's status.
+ *
+ * @param configurationMap target configurationMap
+ * @param chain target chain
+ * @return {@code true} if chain is enabled, {@code false} if chain is not enabled.
+ * @throws UnsupportedOperationException if called on pre-T devices.
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public static boolean isChainEnabled(
+ final IBpfMap<S32, U32> configurationMap, final int chain) {
+ throwIfPreT("isChainEnabled is not available on pre-T devices");
+
+ final long match = getMatchByFirewallChain(chain);
+ try {
+ final U32 config = configurationMap.getValue(UID_RULES_CONFIGURATION_KEY);
+ return (config.val & match) != 0;
+ } catch (ErrnoException e) {
+ throw new ServiceSpecificException(e.errno,
+ "Unable to get firewall chain status: " + Os.strerror(e.errno));
+ }
+ }
+
+ /**
+ * Get firewall rule of specified firewall chain on specified uid.
+ *
+ * @param uidOwnerMap target uidOwnerMap.
+ * @param chain target chain.
+ * @param uid target uid.
+ * @return either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY
+ * @throws UnsupportedOperationException if called on pre-T devices.
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public static int getUidRule(final IBpfMap<S32, UidOwnerValue> uidOwnerMap,
+ final int chain, final int uid) {
+ throwIfPreT("getUidRule is not available on pre-T devices");
+
+ final long match = getMatchByFirewallChain(chain);
+ final boolean isAllowList = isFirewallAllowList(chain);
+ try {
+ final UidOwnerValue uidMatch = uidOwnerMap.getValue(new S32(uid));
+ final boolean isMatchEnabled = uidMatch != null && (uidMatch.rule & match) != 0;
+ return isMatchEnabled == isAllowList ? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
+ } catch (ErrnoException e) {
+ throw new ServiceSpecificException(e.errno,
+ "Unable to get uid rule status: " + Os.strerror(e.errno));
+ }
+ }
/**
* Return whether the network is blocked by firewall chains for the given uid.
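Review bot: `isChainEnabled` dereferences `config.val` without a null check, while `getUidRule` just below treats a null result from `IBpfMap.getValue` as possible (`uidMatch != null`). If the configuration entry were ever missing, callers would get a NullPointerException instead of the documented ServiceSpecificException, so a firewall-state query would fail in a way the Javadoc does not describe. Consider a guard before the bit test, for example `if (config == null) throw new ServiceSpecificException(EINVAL, "Unable to get firewall chain status: no configuration entry");`, using the already imported `EINVAL` or a more fitting errno. The `getUidRule` Javadoc should also state that a uid with no map entry yields FIREWALL_RULE_DENY on allowlist chains and FIREWALL_RULE_ALLOW on denylist chains, since the `isMatchEnabled == isAllowList` comparison makes that the default.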
diff --git a/framework/src/android/net/NetworkStackBpfNetMaps.java b/framework/src/android/net/NetworkStackBpfNetMaps.java
index 1a1e449..b7c4e34 100644
--- a/framework/src/android/net/NetworkStackBpfNetMaps.java
+++ b/framework/src/android/net/NetworkStackBpfNetMaps.java
@@ -19,19 +19,12 @@
import static android.net.BpfNetMapsConstants.CONFIGURATION_MAP_PATH;
import static android.net.BpfNetMapsConstants.DATA_SAVER_ENABLED_MAP_PATH;
import static android.net.BpfNetMapsConstants.UID_OWNER_MAP_PATH;
-import static android.net.BpfNetMapsConstants.UID_RULES_CONFIGURATION_KEY;
-import static android.net.BpfNetMapsUtils.getMatchByFirewallChain;
-import static android.net.BpfNetMapsUtils.isFirewallAllowList;
-import static android.net.BpfNetMapsUtils.throwIfPreT;
-import static android.net.ConnectivityManager.FIREWALL_RULE_ALLOW;
-import static android.net.ConnectivityManager.FIREWALL_RULE_DENY;
import android.annotation.NonNull;
import android.annotation.RequiresApi;
import android.os.Build;
import android.os.ServiceSpecificException;
import android.system.ErrnoException;
-import android.system.Os;
import com.android.internal.annotations.VisibleForTesting;
import com.android.modules.utils.build.SdkLevel;
@@ -47,7 +40,8 @@
* {@link com.android.server.BpfNetMaps}
* @hide
*/
-@RequiresApi(Build.VERSION_CODES.TIRAMISU) // BPF maps were only mainlined in T
+// NetworkStack can not use this before U due to b/326143935
+@RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
public class NetworkStackBpfNetMaps {
private static final String TAG = NetworkStackBpfNetMaps.class.getSimpleName();
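Review bot: The class-level `@RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)` is a lint-time constraint only, while the runtime guard in the `BpfNetMapsUtils` helpers this class now delegates to is still `throwIfPreT`. A call on a T device that slips past lint is therefore not rejected by those checks. If b/326143935 makes use on T unsafe rather than merely unsupported, a runtime SDK-level check where the class is constructed would be worth adding; the constructor is outside this hunk, so it may already have one. The helper Javadoc still says `@throws UnsupportedOperationException if called on pre-T devices`, so a comment beside the annotation such as `// Lint-enforced only; the runtime guard in BpfNetMapsUtils remains pre-T` would make the difference explicit.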
@@ -138,7 +132,7 @@
* cause of the failure.
*/
public boolean isChainEnabled(final int chain) {
- return isChainEnabled(mConfigurationMap, chain);
+ return BpfNetMapsUtils.isChainEnabled(mConfigurationMap, chain);
}
/**
@@ -153,58 +147,7 @@
* cause of the failure.
*/
public int getUidRule(final int chain, final int uid) {
- return getUidRule(mUidOwnerMap, chain, uid);
- }
-
- /**
- * Get the specified firewall chain's status.
- *
- * @param configurationMap target configurationMap
- * @param chain target chain
- * @return {@code true} if chain is enabled, {@code false} if chain is not enabled.
- * @throws UnsupportedOperationException if called on pre-T devices.
- * @throws ServiceSpecificException in case of failure, with an error code indicating the
- * cause of the failure.
- */
- public static boolean isChainEnabled(
- final IBpfMap<S32, U32> configurationMap, final int chain) {
- throwIfPreT("isChainEnabled is not available on pre-T devices");
-
- final long match = getMatchByFirewallChain(chain);
- try {
- final U32 config = configurationMap.getValue(UID_RULES_CONFIGURATION_KEY);
- return (config.val & match) != 0;
- } catch (ErrnoException e) {
- throw new ServiceSpecificException(e.errno,
- "Unable to get firewall chain status: " + Os.strerror(e.errno));
- }
- }
-
- /**
- * Get firewall rule of specified firewall chain on specified uid.
- *
- * @param uidOwnerMap target uidOwnerMap.
- * @param chain target chain.
- * @param uid target uid.
- * @return either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY
- * @throws UnsupportedOperationException if called on pre-T devices.
- * @throws ServiceSpecificException in case of failure, with an error code indicating the
- * cause of the failure.
- */
- public static int getUidRule(final IBpfMap<S32, UidOwnerValue> uidOwnerMap,
- final int chain, final int uid) {
- throwIfPreT("getUidRule is not available on pre-T devices");
-
- final long match = getMatchByFirewallChain(chain);
- final boolean isAllowList = isFirewallAllowList(chain);
- try {
- final UidOwnerValue uidMatch = uidOwnerMap.getValue(new S32(uid));
- final boolean isMatchEnabled = uidMatch != null && (uidMatch.rule & match) != 0;
- return isMatchEnabled == isAllowList ? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
- } catch (ErrnoException e) {
- throw new ServiceSpecificException(e.errno,
- "Unable to get uid rule status: " + Os.strerror(e.errno));
- }
+ return BpfNetMapsUtils.getUidRule(mUidOwnerMap, chain, uid);
}
/**
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index 487f25c..fc6d8c4 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -49,8 +49,8 @@
import android.app.StatsManager;
import android.content.Context;
+import android.net.BpfNetMapsUtils;
import android.net.INetd;
-import android.net.NetworkStackBpfNetMaps;
import android.net.UidOwnerValue;
import android.os.Build;
import android.os.RemoteException;
@@ -539,7 +539,7 @@
@Deprecated
@RequiresApi(Build.VERSION_CODES.TIRAMISU)
public boolean isChainEnabled(final int childChain) {
- return NetworkStackBpfNetMaps.isChainEnabled(sConfigurationMap, childChain);
+ return BpfNetMapsUtils.isChainEnabled(sConfigurationMap, childChain);
}
private Set<Integer> asSet(final int[] uids) {
@@ -634,7 +634,7 @@
* cause of the failure.
*/
public int getUidRule(final int childChain, final int uid) {
- return NetworkStackBpfNetMaps.getUidRule(sUidOwnerMap, childChain, uid);
+ return BpfNetMapsUtils.getUidRule(sUidOwnerMap, childChain, uid);
}
private Set<Integer> getUidsMatchEnabled(final int childChain) throws ErrnoException {