Merge "Add flags for allowlisting types for new NSD impl"
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 84da79d..e068d8a 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -350,10 +350,10 @@
static __always_inline inline int bpf_owner_match(struct __sk_buff* skb, uint32_t uid,
bool egress, const unsigned kver) {
- if (skip_owner_match(skb, kver)) return PASS;
-
if (is_system_uid(uid)) return PASS;
+ if (skip_owner_match(skb, kver)) return PASS;
+
BpfConfig enabledRules = getConfig(UID_RULES_CONFIGURATION_KEY);
UidOwnerValue* uidEntry = bpf_uid_owner_map_lookup_elem(&uid);
@@ -415,11 +415,6 @@
}
int match = bpf_owner_match(skb, sock_uid, egress, kver);
- if (egress && (match == DROP)) {
- // If an outbound packet is going to be dropped, we do not count that
- // traffic.
- return match;
- }
// Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
// Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h
@@ -432,6 +427,9 @@
if (match == DROP_UNLESS_DNS) match = DROP;
}
+ // If an outbound packet is going to be dropped, we do not count that traffic.
+ if (egress && (match == DROP)) return DROP;
+
StatsKey key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
uint8_t* counterSet = bpf_uid_counterset_map_lookup_elem(&uid);
diff --git a/framework-t/src/android/net/NetworkTemplate.java b/framework-t/src/android/net/NetworkTemplate.java
index 4a1632b..55fcc4a 100644
--- a/framework-t/src/android/net/NetworkTemplate.java
+++ b/framework-t/src/android/net/NetworkTemplate.java
@@ -51,6 +51,7 @@
import android.util.Log;
import com.android.internal.annotations.VisibleForTesting;
+import com.android.modules.utils.build.SdkLevel;
import com.android.net.module.util.CollectionUtils;
import com.android.net.module.util.NetworkIdentityUtils;
@@ -246,6 +247,38 @@
return new NetworkTemplate.Builder(MATCH_ETHERNET).build();
}
+ /**
+ * Template to combine all {@link ConnectivityManager#TYPE_BLUETOOTH} style
+ * networks together.
+ *
+ * @hide
+ */
+ // TODO(b/270089918): Remove this method. This can only be done after there are no more callers,
+ // including in OEM code which can access this by linking against the framework.
+ public static NetworkTemplate buildTemplateBluetooth() {
+ if (SdkLevel.isAtLeastU()) {
+ throw new UnsupportedOperationException(
+ "buildTemplateBluetooth is not supported on Android U devices or above");
+ }
+ return new NetworkTemplate.Builder(MATCH_BLUETOOTH).build();
+ }
+
+ /**
+ * Template to combine all {@link ConnectivityManager#TYPE_PROXY} style
+ * networks together.
+ *
+ * @hide
+ */
+ // TODO(b/270089918): Remove this method. This can only be done after there are no more callers,
+ // including in OEM code which can access this by linking against the framework.
+ public static NetworkTemplate buildTemplateProxy() {
+ if (SdkLevel.isAtLeastU()) {
+ throw new UnsupportedOperationException(
+ "buildTemplateProxy is not supported on Android U devices or above");
+ }
+ return new NetworkTemplate(MATCH_PROXY, null, null);
+ }
+
private final int mMatchRule;
/**
@@ -316,6 +349,10 @@
if (matchRule == 6 || matchRule == 7) {
Log.e(TAG, "Use MATCH_MOBILE with empty subscriberIds or MATCH_WIFI with empty "
+ "wifiNetworkKeys instead of template with matchRule=" + matchRule);
+ if (SdkLevel.isAtLeastU()) {
+ throw new UnsupportedOperationException(
+ "Wildcard templates are not supported on Android U devices or above");
+ }
}
}
@@ -337,6 +374,43 @@
}
/** @hide */
+ // TODO(b/270089918): Remove this method after no callers.
+ public NetworkTemplate(int matchRule, String subscriberId, String[] matchSubscriberIds,
+ String wifiNetworkKey) {
+ // Older versions used to only match MATCH_MOBILE and MATCH_MOBILE_WILDCARD templates
+ // to metered networks. It is now possible to match mobile with any meteredness, but
+ // in order to preserve backward compatibility of @UnsupportedAppUsage methods, this
+ // constructor passes METERED_YES for these types.
+ this(getBackwardsCompatibleMatchRule(matchRule), matchSubscriberIds,
+ wifiNetworkKey != null ? new String[] { wifiNetworkKey } : new String[0],
+ getMeterednessForBackwardsCompatibility(matchRule),
+ ROAMING_ALL, DEFAULT_NETWORK_ALL, NETWORK_TYPE_ALL,
+ OEM_MANAGED_ALL);
+ if (SdkLevel.isAtLeastU()) {
+ throw new UnsupportedOperationException(
+ "This constructor is not supported on Android U devices or above");
+ }
+ }
+
+ /** @hide */
+ // TODO(b/269974916): Remove this method after Android U is released.
+ // This is only used by CTS of Android T.
+ public NetworkTemplate(int matchRule, String subscriberId, String[] matchSubscriberIds,
+ String[] matchWifiNetworkKeys, int metered, int roaming,
+ int defaultNetwork, int ratType, int oemManaged, int subscriberIdMatchRule) {
+ // subscriberId and subscriberIdMatchRule aren't used since they are replaced by
+ // matchSubscriberIds, which could be null to indicate the intention of matching any
+ // subscriberIds.
+ this(getBackwardsCompatibleMatchRule(matchRule),
+ matchSubscriberIds == null ? new String[]{} : matchSubscriberIds,
+ matchWifiNetworkKeys, metered, roaming, defaultNetwork, ratType, oemManaged);
+ if (SdkLevel.isAtLeastU()) {
+ throw new UnsupportedOperationException(
+ "This constructor is not supported on Android U devices or above");
+ }
+ }
+
+ /** @hide */
public NetworkTemplate(int matchRule, String[] matchSubscriberIds,
String[] matchWifiNetworkKeys, int metered, int roaming, int defaultNetwork,
int ratType, int oemManaged) {
@@ -436,9 +510,14 @@
return false;
}
- // TODO(b/270089918): Remove this method after no callers.
+ // TODO(b/270089918): Remove this method. This can only be done after there are no more callers,
+ // including in OEM code which can access this by linking against the framework.
/** @hide */
public boolean isMatchRuleMobile() {
+ if (SdkLevel.isAtLeastU()) {
+ throw new UnsupportedOperationException(
+ "isMatchRuleMobile is not supported on Android U devices or above");
+ }
switch (mMatchRule) {
case MATCH_MOBILE:
// Old MATCH_MOBILE_WILDCARD
diff --git a/framework/src/android/net/NetworkCapabilities.java b/framework/src/android/net/NetworkCapabilities.java
index 427eac1..324f565 100644
--- a/framework/src/android/net/NetworkCapabilities.java
+++ b/framework/src/android/net/NetworkCapabilities.java
@@ -53,18 +53,70 @@
import java.util.StringJoiner;
/**
- * Representation of the capabilities of an active network. Instances are
- * typically obtained through
- * {@link NetworkCallback#onCapabilitiesChanged(Network, NetworkCapabilities)}
- * or {@link ConnectivityManager#getNetworkCapabilities(Network)}.
- * <p>
- * This replaces the old {@link ConnectivityManager#TYPE_MOBILE} method of
- * network selection. Rather than indicate a need for Wi-Fi because an
- * application needs high bandwidth and risk obsolescence when a new, fast
- * network appears (like LTE), the application should specify it needs high
- * bandwidth. Similarly if an application needs an unmetered network for a bulk
- * transfer it can specify that rather than assuming all cellular based
- * connections are metered and all Wi-Fi based connections are not.
+ * Representation of the capabilities of an active network.
+ *
+ * <p>@see <a href="https://developer.android.com/training/basics/network-ops/reading-network-state>
+ * this general guide</a> on how to use NetworkCapabilities and related classes.
+ *
+ * <p>NetworkCapabilities represent what a network can do and what its
+ * characteristics are like. The principal attribute of NetworkCapabilities
+ * is in the capabilities bits, which are checked with
+ * {@link #hasCapability(int)}. See the list of capabilities and each
+ * capability for a description of what it means.
+ *
+ * <p>Some prime examples include {@code NET_CAPABILITY_MMS}, which means that the
+ * network is capable of sending MMS. A network without this capability
+ * is not capable of sending MMS.
+ * <p>The {@code NET_CAPABILITY_INTERNET} capability means that the network is
+ * configured to reach the general Internet. It may or may not actually
+ * provide connectivity ; the {@code NET_CAPABILITY_VALIDATED} bit indicates that
+ * the system found actual connectivity to the general Internet the last
+ * time it checked. Apps interested in actual connectivity should usually
+ * look at both these capabilities.
+ * <p>The {@code NET_CAPABILITY_NOT_METERED} capability is set for networks that
+ * do not bill the user for consumption of bytes. Applications are
+ * encouraged to consult this to determine appropriate usage, and to
+ * limit usage of metered network where possible, including deferring
+ * big downloads until such a time that an unmetered network is connected.
+ * Also see {@link android.app.job.JobScheduler} to help with scheduling such
+ * downloads, in particular
+ * {@link android.app.job.JobInfo.Builder#setRequiredNetwork(NetworkRequest)}.
+ * <p>NetworkCapabilities contain a number of other capabilities that
+ * represent what modern networks can and can't do. Look up the individual
+ * capabilities in this class to learn about each of them.
+ *
+ * <p>NetworkCapabilities typically represent attributes that can apply to
+ * any network. The attributes that apply only to specific transports like
+ * cellular or Wi-Fi can be found in the specifier (for requestable attributes)
+ * or in the transport info (for non-requestable ones). See
+ * {@link #getNetworkSpecifier} and {@link #getTransportInfo}. An app would
+ * downcast these to the specific class for the transport they need if they
+ * are interested in transport-specific attributes. Also see
+ * {@link android.net.wifi.WifiNetworkSpecifier} or
+ * {@link android.net.wifi.WifiInfo} for some examples of each of these.
+ *
+ * <p>NetworkCapabilities also contains other attributes like the estimated
+ * upstream and downstream bandwidth and the specific transport of that
+ * network (e.g. {@link #TRANSPORT_CELLULAR}). Generally, apps should normally
+ * have little reason to check for the type of transport ; for example, to
+ * query whether a network costs money to the user, do not look at the
+ * transport, but instead look at the absence or presence of
+ * {@link #NET_CAPABILITY_NOT_METERED} which will correctly account for
+ * metered Wi-Fis and free of charge cell connections.
+ *
+ * <p>The system communicates with apps about connected networks and uses
+ * NetworkCapabilities to express these capabilities about these networks.
+ * Apps should register callbacks with the {@link ConnectivityManager#requestNetwork}
+ * or {@link ConnectivityManager#registerNetworkCallback} family of methods
+ * to learn about the capabilities of a network on a continuous basis
+ * and be able to react to changes to capabilities. For quick debugging Android also
+ * provides {@link ConnectivityManager#getNetworkCapabilities(Network)},
+ * but the dynamic nature of networking makes this ill-suited to production
+ * code since capabilities obtained in this way can go stale immediately.
+ *
+ * <p>Also see {@link NetworkRequest} which uses the same capabilities
+ * together with {@link ConnectivityManager#requestNetwork} for how to
+ * request the system brings up the kind of network your application needs.
*/
public final class NetworkCapabilities implements Parcelable {
private static final String TAG = "NetworkCapabilities";
@@ -622,11 +674,19 @@
/**
* Indicates that this network should be able to prioritize latency for the internet.
+ *
+ * Starting with {@link Build.VERSION_CODES#UPSIDE_DOWN_CAKE}, requesting this capability with
+ * {@link ConnectivityManager#requestNetwork} requires declaration in the self-certified
+ * network capabilities. See {@link NetworkRequest} for the self-certification documentation.
*/
public static final int NET_CAPABILITY_PRIORITIZE_LATENCY = 34;
/**
* Indicates that this network should be able to prioritize bandwidth for the internet.
+ *
+ * Starting with {@link Build.VERSION_CODES#UPSIDE_DOWN_CAKE}, requesting this capability with
+ * {@link ConnectivityManager#requestNetwork} requires declaration in the self-certified
+ * network capabilities. See {@link NetworkRequest} for the self-certification documentation.
*/
public static final int NET_CAPABILITY_PRIORITIZE_BANDWIDTH = 35;
diff --git a/framework/src/android/net/NetworkRequest.java b/framework/src/android/net/NetworkRequest.java
index b7a6076..6c351d0 100644
--- a/framework/src/android/net/NetworkRequest.java
+++ b/framework/src/android/net/NetworkRequest.java
@@ -54,9 +54,92 @@
import java.util.Set;
/**
- * Defines a request for a network, made through {@link NetworkRequest.Builder} and used
- * to request a network via {@link ConnectivityManager#requestNetwork} or listen for changes
- * via {@link ConnectivityManager#registerNetworkCallback}.
+ * An object describing a network that the application is interested in.
+ *
+ * <p>@see <a href="https://developer.android.com/training/basics/network-ops/reading-network-state>
+ * this general guide</a> on how to use NetworkCapabilities and related classes.
+ *
+ * NetworkRequest defines a request for a network, made through
+ * {@link NetworkRequest.Builder} and used to request a network via
+ * {@link ConnectivityManager#requestNetwork} or to listen for changes
+ * via the {@link ConnectivityManager#registerNetworkCallback} family of
+ * functions.
+ *
+ * <p>{@link ConnectivityManager#requestNetwork} will try to find a connected
+ * network matching the NetworkRequest, and return it if there is one.
+ * As long as the request is outstanding, the system will try to find the best
+ * possible network that matches the request. The request will keep up the
+ * currently best connected network, and if a better one is found (e.g. cheaper
+ * or faster) the system will bring up that better network to better serve the
+ * request. A request filed with {@link ConnectivityManager#requestNetwork} will
+ * only match one network at a time (the one the system thinks is best), even if
+ * other networks can match the request that are being kept up by other requests.
+ *
+ * For example, an application needing a network with
+ * {@link NetworkCapabilities#NET_CAPABILITY_INTERNET} should use
+ * {@link ConnectivityManager#requestNetwork} to request the system keeps one up.
+ * A general cellular network can satisfy this request, but if the system finds
+ * a free Wi-Fi network which is expected to be faster, it will try and connect
+ * to that Wi-Fi network and switch the request over to it once it is connected.
+ * The cell network may stay connected if there are outstanding requests (from
+ * the same app or from other apps on the system) that match the cell network
+ * but not the Wi-Fi network, such as a request with {@link NetworkCapabilities#NET_CAPABILITY_MMS}.
+ *
+ * When a network is no longer needed to serve any request, the system can
+ * tear it down at any time and usually does so immediately, so make sure to
+ * keep up requests for the networks your app needs.
+ *
+ * <p>By contrast, requests filed with {@link ConnectivityManager#registerNetworkCallback}
+ * will receive callbacks for all matching networks, and will not cause the system to
+ * keep up the networks they match. Use this to listen to networks that the device is
+ * connected to, but that you don't want the system to keep up for your use case.
+ *
+ * <p>Applications build a NetworkRequest and pass it to one of the
+ * {@link ConnectivityManager} methods above together with a
+ * {@link ConnectivityManager.NetworkCallback} object. The callback
+ * will then start receiving method calls about networks that match
+ * the request.
+ *
+ * <p>Networks are brought up and/or matched according to the capabilities
+ * set in the builder. For example, a request with
+ * {@link NetworkCapabilities#NET_CAPABILITY_MMS} lets the system match
+ * and/or bring up a network that is capable to send MMS. A request with
+ * {@link NetworkCapabilities#NET_CAPABILITY_NOT_METERED} matches a network
+ * that doesn't charge the user for usage. See
+ * {@link NetworkCapabilities} for a list of capabilities and their
+ * description.
+ *
+ * <p>While all capabilities can be matched with the
+ * {@link ConnectivityManager#registerNetworkCallback} family of methods,
+ * not all capabilities can be used to request that the system brings
+ * up a network with {@link ConnectivityManager#requestNetwork}. For example,
+ * an application cannot use {@link ConnectivityManager#requestNetwork} to
+ * ask the system to bring up a network with
+ * {@link NetworkCapabilities#NET_CAPABILITY_CAPTIVE_PORTAL}, because the
+ * system won't know if a network has a captive portal before it connects
+ * to that network. Similarly, some capabilities may require a specific
+ * permission or privilege to be requested.
+ *
+ * Look up the specific capability and the {@link ConnectivityManager#requestNetwork}
+ * method for limitations applicable to each capability.
+ *
+ * <p>Also, starting with {@link Build.VERSION_CODES#UPSIDE_DOWN_CAKE}, some capabilities
+ * require the application to self-certify by explicitly adding the
+ * {@link android.content.pm.PackageManager#PROPERTY_SELF_CERTIFIED_NETWORK_CAPABILITIES}
+ * property in the AndroidManifest.xml, which points to an XML resource file. In the
+ * XML resource file, the application declares what kind of network capabilities the application
+ * wants to have.
+ *
+ * Here is an example self-certification XML resource file :
+ * <pre>
+ * {@code
+ * <network-capabilities-declaration xmlns:android="http://schemas.android.com/apk/res/android">
+ * <uses-network-capability android:name="NET_CAPABILITY_PRIORITIZE_LATENCY"/>
+ * <uses-network-capability android:name="NET_CAPABILITY_PRIORITIZE_BANDWIDTH"/>
+ * </network-capabilities-declaration>
+ * }
+ * </pre>
+ * Look up the specific capability to learn whether its usage requires this self-certification.
*/
public class NetworkRequest implements Parcelable {
/**
diff --git a/tests/common/java/android/net/netstats/NetworkTemplateTest.kt b/tests/common/java/android/net/netstats/NetworkTemplateTest.kt
index c2eacbc..fb6759e 100644
--- a/tests/common/java/android/net/netstats/NetworkTemplateTest.kt
+++ b/tests/common/java/android/net/netstats/NetworkTemplateTest.kt
@@ -165,23 +165,6 @@
}
@Test
- fun testUnsupportedAppUsageConstructor() {
- val templateMobile = NetworkTemplate(MATCH_MOBILE, null /* subscriberId */,
- null /* wifiNetworkKey */)
- val templateMobileWildcard = NetworkTemplate(6 /* MATCH_MOBILE_WILDCARD */,
- null /* subscriberId */, null /* wifiNetworkKey */)
- val templateWifiWildcard = NetworkTemplate(7 /* MATCH_WIFI_WILDCARD */,
- null /* subscriberId */,
- null /* wifiNetworkKey */)
-
- assertEquals(NetworkTemplate.Builder(MATCH_MOBILE).setMeteredness(METERED_YES).build(),
- templateMobile)
- assertEquals(NetworkTemplate.Builder(MATCH_MOBILE).setMeteredness(METERED_YES).build(),
- templateMobileWildcard)
- assertEquals(NetworkTemplate.Builder(MATCH_WIFI).build(), templateWifiWildcard)
- }
-
- @Test
fun testBuilderWifiNetworkKeys() {
// Verify template builder which generates same template with the given different
// sequence keys.