Merge "[BR02] Implement isUidNetworkingBlocked" into main am: 2c8e96d599
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2732634
Change-Id: I95e402728095daf71d613944ae823b255e5b8c9f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/framework/src/android/net/BpfNetMapsConstants.java b/framework/src/android/net/BpfNetMapsConstants.java
index 36848e7..8086809 100644
--- a/framework/src/android/net/BpfNetMapsConstants.java
+++ b/framework/src/android/net/BpfNetMapsConstants.java
@@ -16,6 +16,15 @@
package android.net;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_DOZABLE;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_POWERSAVE;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_RESTRICTED;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_STANDBY;
+
import android.util.Pair;
import com.android.net.module.util.Struct;
@@ -66,7 +75,6 @@
public static final long OEM_DENY_1_MATCH = (1 << 9);
public static final long OEM_DENY_2_MATCH = (1 << 10);
public static final long OEM_DENY_3_MATCH = (1 << 11);
- // LINT.ThenChange(../../../../bpf_progs/netd.h)
public static final List<Pair<Long, String>> MATCH_LIST = Arrays.asList(
Pair.create(HAPPY_BOX_MATCH, "HAPPY_BOX_MATCH"),
@@ -82,4 +90,29 @@
Pair.create(OEM_DENY_2_MATCH, "OEM_DENY_2_MATCH"),
Pair.create(OEM_DENY_3_MATCH, "OEM_DENY_3_MATCH")
);
+
+ /**
+ * List of all firewall allow chains.
+ *
+ * Allow chains mean the firewall denies all uids by default, uids must be explicitly allowed.
+ */
+ public static final List<Integer> ALLOW_CHAINS = List.of(
+ FIREWALL_CHAIN_DOZABLE,
+ FIREWALL_CHAIN_POWERSAVE,
+ FIREWALL_CHAIN_RESTRICTED,
+ FIREWALL_CHAIN_LOW_POWER_STANDBY
+ );
+
+ /**
+ * List of all firewall deny chains.
+ *
+ * Deny chains mean the firewall allows all uids by default, uids must be explicitly denied.
+ */
+ public static final List<Integer> DENY_CHAINS = List.of(
+ FIREWALL_CHAIN_STANDBY,
+ FIREWALL_CHAIN_OEM_DENY_1,
+ FIREWALL_CHAIN_OEM_DENY_2,
+ FIREWALL_CHAIN_OEM_DENY_3
+ );
+ // LINT.ThenChange(../../../../bpf_progs/netd.h)
}
diff --git a/framework/src/android/net/BpfNetMapsReader.java b/framework/src/android/net/BpfNetMapsReader.java
index 49e874a..9bce9cd 100644
--- a/framework/src/android/net/BpfNetMapsReader.java
+++ b/framework/src/android/net/BpfNetMapsReader.java
@@ -57,10 +57,42 @@
private final IBpfMap<S32, UidOwnerValue> mUidOwnerMap;
private final Dependencies mDeps;
- public BpfNetMapsReader() {
+ // Bitmaps for calculating whether a given uid is blocked by firewall chains.
+ private static final long sMaskDropIfSet;
+ private static final long sMaskDropIfUnset;
+
+ static {
+ long maskDropIfSet = 0L;
+ long maskDropIfUnset = 0L;
+
+ for (int chain : BpfNetMapsConstants.ALLOW_CHAINS) {
+ final long match = getMatchByFirewallChain(chain);
+ maskDropIfUnset |= match;
+ }
+ for (int chain : BpfNetMapsConstants.DENY_CHAINS) {
+ final long match = getMatchByFirewallChain(chain);
+ maskDropIfSet |= match;
+ }
+ sMaskDropIfSet = maskDropIfSet;
+ sMaskDropIfUnset = maskDropIfUnset;
+ }
+
+ private static class SingletonHolder {
+ static final BpfNetMapsReader sInstance = new BpfNetMapsReader();
+ }
+
+ @NonNull
+ public static BpfNetMapsReader getInstance() {
+ return SingletonHolder.sInstance;
+ }
+
+ private BpfNetMapsReader() {
this(new Dependencies());
}
+ // While the production code uses the singleton to optimize for performance and deal with
+ // concurrent access, the test needs to use a non-static approach for dependency injection and
+ // mocking virtual bpf maps.
@VisibleForTesting
public BpfNetMapsReader(@NonNull Dependencies deps) {
if (!SdkLevel.isAtLeastT()) {
@@ -176,4 +208,33 @@
"Unable to get uid rule status: " + Os.strerror(e.errno));
}
}
+
+ /**
+ * Return whether the network is blocked by firewall chains for the given uid.
+ *
+ * @param uid The target uid.
+ *
+ * @return True if the network is blocked. Otherwise, false.
+ * @throws ServiceSpecificException if the read fails.
+ *
+ * @hide
+ */
+ public boolean isUidBlockedByFirewallChains(final int uid) {
+ throwIfPreT("isUidBlockedByFirewallChains is not available on pre-T devices");
+
+ final long uidRuleConfig;
+ final long uidMatch;
+ try {
+ uidRuleConfig = mConfigurationMap.getValue(UID_RULES_CONFIGURATION_KEY).val;
+ final UidOwnerValue value = mUidOwnerMap.getValue(new S32(uid));
+ uidMatch = (value != null) ? value.rule : 0L;
+ } catch (ErrnoException e) {
+ throw new ServiceSpecificException(e.errno,
+ "Unable to get firewall chain status: " + Os.strerror(e.errno));
+ }
+
+ final boolean blockedByAllowChains = 0 != (uidRuleConfig & ~uidMatch & sMaskDropIfUnset);
+ final boolean blockedByDenyChains = 0 != (uidRuleConfig & uidMatch & sMaskDropIfSet);
+ return blockedByAllowChains || blockedByDenyChains;
+ }
}
diff --git a/framework/src/android/net/BpfNetMapsUtils.java b/framework/src/android/net/BpfNetMapsUtils.java
index 28d5891..e9c9137 100644
--- a/framework/src/android/net/BpfNetMapsUtils.java
+++ b/framework/src/android/net/BpfNetMapsUtils.java
@@ -16,6 +16,8 @@
package android.net;
+import static android.net.BpfNetMapsConstants.ALLOW_CHAINS;
+import static android.net.BpfNetMapsConstants.DENY_CHAINS;
import static android.net.BpfNetMapsConstants.DOZABLE_MATCH;
import static android.net.BpfNetMapsConstants.LOW_POWER_STANDBY_MATCH;
import static android.net.BpfNetMapsConstants.MATCH_LIST;
@@ -82,26 +84,18 @@
}
/**
- * Get if the chain is allow list or not.
+ * Get whether the chain is an allow-list or a deny-list.
*
* ALLOWLIST means the firewall denies all by default, uids must be explicitly allowed
- * DENYLIST means the firewall allows all by default, uids must be explicitly denyed
+ * DENYLIST means the firewall allows all by default, uids must be explicitly denied
*/
public static boolean isFirewallAllowList(final int chain) {
- switch (chain) {
- case FIREWALL_CHAIN_DOZABLE:
- case FIREWALL_CHAIN_POWERSAVE:
- case FIREWALL_CHAIN_RESTRICTED:
- case FIREWALL_CHAIN_LOW_POWER_STANDBY:
- return true;
- case FIREWALL_CHAIN_STANDBY:
- case FIREWALL_CHAIN_OEM_DENY_1:
- case FIREWALL_CHAIN_OEM_DENY_2:
- case FIREWALL_CHAIN_OEM_DENY_3:
- return false;
- default:
- throw new ServiceSpecificException(EINVAL, "Invalid firewall chain: " + chain);
+ if (ALLOW_CHAINS.contains(chain)) {
+ return true;
+ } else if (DENY_CHAINS.contains(chain)) {
+ return false;
}
+ throw new ServiceSpecificException(EINVAL, "Invalid firewall chain: " + chain);
}
/**
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 32058a4..ad76012 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -6198,6 +6198,36 @@
}
}
+ /**
+ * Return whether the network is blocked for the given uid.
+ *
+ * Similar to {@link NetworkPolicyManager#isUidNetworkingBlocked}, but directly reads the BPF
+ * maps and therefore considerably faster. For use by the NetworkStack process only.
+ *
+ * @param uid The target uid.
+ * @return True if all networking is blocked. Otherwise, false.
+ * @throws IllegalStateException if the map cannot be opened.
+ * @throws ServiceSpecificException if the read fails.
+ * @hide
+ */
+ // This isn't protected by a standard Android permission since it can't
+ // afford to do IPC for performance reasons. Instead, the access control
+ // is provided by linux file group permission AID_NET_BW_ACCT and the
+ // selinux context fs_bpf_net*.
+ // Only the system server process and the network stack have access.
+ // TODO: Expose api when ready.
+ // @SystemApi(client = MODULE_LIBRARIES)
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU) // BPF maps were only mainlined in T
+ @RequiresPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK)
+ public boolean isUidNetworkingBlocked(int uid) {
+ final BpfNetMapsReader reader = BpfNetMapsReader.getInstance();
+
+ return reader.isUidBlockedByFirewallChains(uid);
+
+ // TODO: If isNetworkMetered is true, check the data saver switch, penalty box
+ // and happy box rules.
+ }
+
/** @hide */
public IBinder getCompanionDeviceManagerProxyService() {
try {
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index 6ade124..14ab2a1 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -32,6 +32,7 @@
import static android.net.BpfNetMapsConstants.UID_RULES_CONFIGURATION_KEY;
import static android.net.BpfNetMapsUtils.PRE_T;
import static android.net.BpfNetMapsUtils.getMatchByFirewallChain;
+import static android.net.BpfNetMapsUtils.isFirewallAllowList;
import static android.net.BpfNetMapsUtils.matchToString;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_DOZABLE;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY;
@@ -352,29 +353,6 @@
mDeps = deps;
}
- /**
- * Get if the chain is allow list or not.
- *
- * ALLOWLIST means the firewall denies all by default, uids must be explicitly allowed
- * DENYLIST means the firewall allows all by default, uids must be explicitly denyed
- */
- public boolean isFirewallAllowList(final int chain) {
- switch (chain) {
- case FIREWALL_CHAIN_DOZABLE:
- case FIREWALL_CHAIN_POWERSAVE:
- case FIREWALL_CHAIN_RESTRICTED:
- case FIREWALL_CHAIN_LOW_POWER_STANDBY:
- return true;
- case FIREWALL_CHAIN_STANDBY:
- case FIREWALL_CHAIN_OEM_DENY_1:
- case FIREWALL_CHAIN_OEM_DENY_2:
- case FIREWALL_CHAIN_OEM_DENY_3:
- return false;
- default:
- throw new ServiceSpecificException(EINVAL, "Invalid firewall chain: " + chain);
- }
- }
-
private void maybeThrow(final int err, final String msg) {
if (err != 0) {
throw new ServiceSpecificException(err, msg + ": " + Os.strerror(err));
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index f877bb0..f52a1a2 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -136,6 +136,7 @@
import android.content.pm.PackageManager;
import android.content.res.XmlResourceParser;
import android.database.ContentObserver;
+import android.net.BpfNetMapsUtils;
import android.net.CaptivePortal;
import android.net.CaptivePortalData;
import android.net.ConnectionInfo;
@@ -12689,7 +12690,7 @@
private void closeSocketsForFirewallChainLocked(final int chain)
throws ErrnoException, SocketException, InterruptedIOException {
- if (mBpfNetMaps.isFirewallAllowList(chain)) {
+ if (BpfNetMapsUtils.isFirewallAllowList(chain)) {
// Allowlist means the firewall denies all by default, uids must be explicitly allowed
// So, close all non-system socket owned by uids that are not explicitly allowed
Set<Range<Integer>> ranges = new ArraySet<>();
diff --git a/tests/unit/java/android/net/BpfNetMapsReaderTest.kt b/tests/unit/java/android/net/BpfNetMapsReaderTest.kt
index facb932..86a0acb 100644
--- a/tests/unit/java/android/net/BpfNetMapsReaderTest.kt
+++ b/tests/unit/java/android/net/BpfNetMapsReaderTest.kt
@@ -16,23 +16,31 @@
package android.net
+import android.net.BpfNetMapsConstants.DOZABLE_MATCH
+import android.net.BpfNetMapsConstants.STANDBY_MATCH
import android.net.BpfNetMapsConstants.UID_RULES_CONFIGURATION_KEY
import android.net.BpfNetMapsUtils.getMatchByFirewallChain
-import android.os.Build
+import android.os.Build.VERSION_CODES
import com.android.net.module.util.IBpfMap
import com.android.net.module.util.Struct.S32
import com.android.net.module.util.Struct.U32
import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo
import com.android.testutils.DevSdkIgnoreRunner
import com.android.testutils.TestBpfMap
+import java.lang.reflect.Modifier
+import kotlin.test.assertEquals
import kotlin.test.assertFalse
import kotlin.test.assertTrue
import org.junit.Test
import org.junit.runner.RunWith
+private const val TEST_UID1 = 1234
+private const val TEST_UID2 = TEST_UID1 + 1
+private const val NO_IIF = 0
+
// pre-T devices does not support Bpf.
@RunWith(DevSdkIgnoreRunner::class)
-@IgnoreUpTo(Build.VERSION_CODES.S_V2)
+@IgnoreUpTo(VERSION_CODES.S_V2)
class BpfNetMapsReaderTest {
private val testConfigurationMap: IBpfMap<S32, U32> = TestBpfMap()
private val testUidOwnerMap: IBpfMap<S32, UidOwnerValue> = TestBpfMap()
@@ -66,4 +74,75 @@
doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_RESTRICTED)
doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY)
}
+
+ @Test
+ fun testFirewallChainList() {
+ // Verify that when a firewall chain constant is added, it should also be included in
+ // firewall chain list.
+ val declaredChains = ConnectivityManager::class.java.declaredFields.filter {
+ Modifier.isStatic(it.modifiers) && it.name.startsWith("FIREWALL_CHAIN_")
+ }
+ // Verify the size matches, this also verifies no common item in allow and deny chains.
+ assertEquals(BpfNetMapsConstants.ALLOW_CHAINS.size +
+ BpfNetMapsConstants.DENY_CHAINS.size, declaredChains.size)
+ declaredChains.forEach {
+ assertTrue(BpfNetMapsConstants.ALLOW_CHAINS.contains(it.get(null)) ||
+ BpfNetMapsConstants.DENY_CHAINS.contains(it.get(null)))
+ }
+ }
+
+ private fun mockChainEnabled(chain: Int, enabled: Boolean) {
+ val config = testConfigurationMap.getValue(UID_RULES_CONFIGURATION_KEY).`val`
+ val newConfig = if (enabled) {
+ config or getMatchByFirewallChain(chain)
+ } else {
+ config and getMatchByFirewallChain(chain).inv()
+ }
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(newConfig))
+ }
+
+ @Test
+ fun testIsUidNetworkingBlockedByFirewallChains_allowChain() {
+ // With everything disabled by default, verify the return value is false.
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(0))
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+
+ // Enable dozable chain but does not provide allowed list. Verify the network is blocked
+ // for all uids.
+ mockChainEnabled(ConnectivityManager.FIREWALL_CHAIN_DOZABLE, true)
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID2))
+
+ // Add uid1 to dozable allowed list. Verify the network is not blocked for uid1, while
+ // uid2 is blocked.
+ testUidOwnerMap.updateEntry(S32(TEST_UID1), UidOwnerValue(NO_IIF, DOZABLE_MATCH))
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID2))
+ }
+
+ @Test
+ fun testIsUidNetworkingBlockedByFirewallChains_denyChain() {
+ // Enable standby chain but does not provide denied list. Verify the network is allowed
+ // for all uids.
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(0))
+ mockChainEnabled(ConnectivityManager.FIREWALL_CHAIN_STANDBY, true)
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID2))
+
+ // Add uid1 to standby allowed list. Verify the network is blocked for uid1, while
+ // uid2 is not blocked.
+ testUidOwnerMap.updateEntry(S32(TEST_UID1), UidOwnerValue(NO_IIF, STANDBY_MATCH))
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ assertFalse(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID2))
+ }
+
+ @Test
+ fun testIsUidNetworkingBlockedByFirewallChains_blockedWithAllowed() {
+ // Uids blocked by powersave chain but allowed by standby chain, verify the blocking
+ // takes higher priority.
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(0))
+ mockChainEnabled(ConnectivityManager.FIREWALL_CHAIN_POWERSAVE, true)
+ mockChainEnabled(ConnectivityManager.FIREWALL_CHAIN_STANDBY, true)
+ assertTrue(bpfNetMapsReader.isUidBlockedByFirewallChains(TEST_UID1))
+ }
}
diff --git a/tests/unit/java/com/android/server/BpfNetMapsTest.java b/tests/unit/java/com/android/server/BpfNetMapsTest.java
index ea2b261..1dfc8c0 100644
--- a/tests/unit/java/com/android/server/BpfNetMapsTest.java
+++ b/tests/unit/java/com/android/server/BpfNetMapsTest.java
@@ -16,10 +16,12 @@
package com.android.server;
+import static android.net.BpfNetMapsConstants.ALLOW_CHAINS;
import static android.net.BpfNetMapsConstants.CURRENT_STATS_MAP_CONFIGURATION_KEY;
import static android.net.BpfNetMapsConstants.DATA_SAVER_ENABLED_KEY;
import static android.net.BpfNetMapsConstants.DATA_SAVER_DISABLED;
import static android.net.BpfNetMapsConstants.DATA_SAVER_ENABLED;
+import static android.net.BpfNetMapsConstants.DENY_CHAINS;
import static android.net.BpfNetMapsConstants.DOZABLE_MATCH;
import static android.net.BpfNetMapsConstants.HAPPY_BOX_MATCH;
import static android.net.BpfNetMapsConstants.IIF_MATCH;
@@ -119,20 +121,16 @@
private static final int NO_IIF = 0;
private static final int NULL_IIF = 0;
private static final String CHAINNAME = "fw_dozable";
- private static final List<Integer> FIREWALL_CHAINS = List.of(
- FIREWALL_CHAIN_DOZABLE,
- FIREWALL_CHAIN_STANDBY,
- FIREWALL_CHAIN_POWERSAVE,
- FIREWALL_CHAIN_RESTRICTED,
- FIREWALL_CHAIN_LOW_POWER_STANDBY,
- FIREWALL_CHAIN_OEM_DENY_1,
- FIREWALL_CHAIN_OEM_DENY_2,
- FIREWALL_CHAIN_OEM_DENY_3
- );
private static final long STATS_SELECT_MAP_A = 0;
private static final long STATS_SELECT_MAP_B = 1;
+ private static final List<Integer> FIREWALL_CHAINS = new ArrayList<>();
+ static {
+ FIREWALL_CHAINS.addAll(ALLOW_CHAINS);
+ FIREWALL_CHAINS.addAll(DENY_CHAINS);
+ }
+
private BpfNetMaps mBpfNetMaps;
@Mock INetd mNetd;
@@ -617,7 +615,7 @@
mUidOwnerMap.updateEntry(new S32(TEST_UID), new UidOwnerValue(TEST_IF_INDEX, IIF_MATCH));
for (final int chain: testChains) {
- final int ruleToAddMatch = mBpfNetMaps.isFirewallAllowList(chain)
+ final int ruleToAddMatch = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
mBpfNetMaps.setUidRule(chain, TEST_UID, ruleToAddMatch);
}
@@ -625,7 +623,7 @@
checkUidOwnerValue(TEST_UID, TEST_IF_INDEX, IIF_MATCH | getMatch(testChains));
for (final int chain: testChains) {
- final int ruleToRemoveMatch = mBpfNetMaps.isFirewallAllowList(chain)
+ final int ruleToRemoveMatch = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_DENY : FIREWALL_RULE_ALLOW;
mBpfNetMaps.setUidRule(chain, TEST_UID, ruleToRemoveMatch);
}
@@ -705,11 +703,11 @@
for (final int chain: FIREWALL_CHAINS) {
final String testCase = "EnabledChains: " + enableChains + " CheckedChain: " + chain;
if (enableChains.contains(chain)) {
- final int expectedRule = mBpfNetMaps.isFirewallAllowList(chain)
+ final int expectedRule = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
assertEquals(testCase, expectedRule, mBpfNetMaps.getUidRule(chain, TEST_UID));
} else {
- final int expectedRule = mBpfNetMaps.isFirewallAllowList(chain)
+ final int expectedRule = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_DENY : FIREWALL_RULE_ALLOW;
assertEquals(testCase, expectedRule, mBpfNetMaps.getUidRule(chain, TEST_UID));
}
@@ -752,7 +750,7 @@
public void testGetUidRuleNoEntry() throws Exception {
mUidOwnerMap.clear();
for (final int chain: FIREWALL_CHAINS) {
- final int expectedRule = mBpfNetMaps.isFirewallAllowList(chain)
+ final int expectedRule = BpfNetMapsUtils.isFirewallAllowList(chain)
? FIREWALL_RULE_DENY : FIREWALL_RULE_ALLOW;
assertEquals(expectedRule, mBpfNetMaps.getUidRule(chain, TEST_UID));
}
diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 3649c5e..aeb4028 100755
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -10526,13 +10526,11 @@
final boolean allowlist = true;
final boolean denylist = false;
- doReturn(true).when(mBpfNetMaps).isFirewallAllowList(anyInt());
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_DOZABLE, allowlist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_POWERSAVE, allowlist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_RESTRICTED, allowlist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_LOW_POWER_STANDBY, allowlist);
- doReturn(false).when(mBpfNetMaps).isFirewallAllowList(anyInt());
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_STANDBY, denylist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_OEM_DENY_1, denylist);
doTestSetFirewallChainEnabledCloseSocket(FIREWALL_CHAIN_OEM_DENY_2, denylist);