Cleanup existing firewall rule on myUid before the test
testFirewallCloseSocketAllowlistChainOtherUid sets the firewall rule on
myUid + 1 and confirms this does not affect the network access from
myUid.
This test failed when there is an existing firewall rule on myUid.
This CL cleans up the existing rule on myUid before running the test and
restores the existing state after the test.
Bug: 299898772
Test: atest CtsNetTestCases
Change-Id: I9083ac41a64a8b81a8b4616c0d57a25355f5d53c
diff --git a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
index 59aefa5..07474f8 100644
--- a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
+++ b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
@@ -47,6 +47,7 @@
import static android.net.ConnectivityManager.FIREWALL_CHAIN_RESTRICTED;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_STANDBY;
import static android.net.ConnectivityManager.FIREWALL_RULE_ALLOW;
+import static android.net.ConnectivityManager.FIREWALL_RULE_DEFAULT;
import static android.net.ConnectivityManager.FIREWALL_RULE_DENY;
import static android.net.ConnectivityManager.PROFILE_NETWORK_PREFERENCE_ENTERPRISE;
import static android.net.ConnectivityManager.TYPE_BLUETOOTH;
@@ -3590,6 +3591,15 @@
}
}
+ private void setUidFirewallRule(final int chain, final int uid, final int rule) {
+ try {
+ mCm.setUidFirewallRule(chain, uid, rule);
+ } catch (IllegalStateException ignored) {
+ // Removing match causes an exception when the rule entry for the uid does
+ // not exist. But this is fine and can be ignored.
+ }
+ }
+
private static final boolean EXPECT_OPEN = false;
private static final boolean EXPECT_CLOSE = true;
@@ -3598,6 +3608,8 @@
runWithShellPermissionIdentity(() -> {
// Firewall chain status will be restored after the test.
final boolean wasChainEnabled = mCm.getFirewallChainEnabled(chain);
+ final int myUid = Process.myUid();
+ final int previousMyUidFirewallRule = mCm.getUidFirewallRule(chain, myUid);
final int previousUidFirewallRule = mCm.getUidFirewallRule(chain, targetUid);
final Socket socket = new Socket(TEST_HOST, HTTP_PORT);
socket.setSoTimeout(NETWORK_REQUEST_TIMEOUT_MS);
@@ -3605,12 +3617,12 @@
mCm.setFirewallChainEnabled(chain, false /* enable */);
assertSocketOpen(socket);
- try {
- mCm.setUidFirewallRule(chain, targetUid, rule);
- } catch (IllegalStateException ignored) {
- // Removing match causes an exception when the rule entry for the uid does
- // not exist. But this is fine and can be ignored.
+ setUidFirewallRule(chain, targetUid, rule);
+ if (targetUid != myUid) {
+ // If this test does not set rule on myUid, remove existing rule on myUid
+ setUidFirewallRule(chain, myUid, FIREWALL_RULE_DEFAULT);
}
+
mCm.setFirewallChainEnabled(chain, true /* enable */);
if (expectClose) {
@@ -3623,11 +3635,9 @@
mCm.setFirewallChainEnabled(chain, wasChainEnabled);
}, /* cleanup */ () -> {
// Restore the uid firewall rule status
- try {
- mCm.setUidFirewallRule(chain, targetUid, previousUidFirewallRule);
- } catch (IllegalStateException ignored) {
- // Removing match causes an exception when the rule entry for the uid does
- // not exist. But this is fine and can be ignored.
+ setUidFirewallRule(chain, targetUid, previousUidFirewallRule);
+ if (targetUid != myUid) {
+ setUidFirewallRule(chain, myUid, previousMyUidFirewallRule);
}
}, /* cleanup */ () -> {
socket.close();