Merge "Hold wifi and mobile interfaces since boot in NetworkStatsService"
diff --git a/bpf_progs/bpf_shared.h b/bpf_progs/bpf_shared.h
index 2afb789..706dd1d 100644
--- a/bpf_progs/bpf_shared.h
+++ b/bpf_progs/bpf_shared.h
@@ -135,6 +135,7 @@
LOCKDOWN_VPN_MATCH = (1 << 8),
OEM_DENY_1_MATCH = (1 << 9),
OEM_DENY_2_MATCH = (1 << 10),
+ OEM_DENY_3_MATCH = (1 << 11),
};
enum BpfPermissionMatch {
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 9ae8ab2..94d5ed8 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -222,6 +222,9 @@
if ((enabledRules & OEM_DENY_2_MATCH) && (uidRules & OEM_DENY_2_MATCH)) {
return BPF_DROP;
}
+ if ((enabledRules & OEM_DENY_3_MATCH) && (uidRules & OEM_DENY_3_MATCH)) {
+ return BPF_DROP;
+ }
}
if (direction == BPF_INGRESS && skb->ifindex != 1) {
if (uidRules & IIF_MATCH) {
diff --git a/framework-t/src/android/net/NetworkStatsHistory.java b/framework-t/src/android/net/NetworkStatsHistory.java
index 0ff9d96..738e9cc 100644
--- a/framework-t/src/android/net/NetworkStatsHistory.java
+++ b/framework-t/src/android/net/NetworkStatsHistory.java
@@ -58,6 +58,7 @@
import java.util.Arrays;
import java.util.List;
import java.util.Random;
+import java.util.TreeMap;
/**
* Collection of historical network statistics, recorded into equally-sized
@@ -253,6 +254,28 @@
+ ", operations=" + operations
+ "}";
}
+
+ /**
+ * Add the given {@link Entry} with this instance and return a new {@link Entry}
+ * instance as the result.
+ *
+ * @hide
+ */
+ @NonNull
+ public Entry plus(@NonNull Entry another, long bucketDuration) {
+ if (this.bucketStart != another.bucketStart) {
+ throw new IllegalArgumentException("bucketStart " + this.bucketStart
+ + " is not equal to " + another.bucketStart);
+ }
+ return new Entry(this.bucketStart,
+ // Active time should not go over bucket duration.
+ Math.min(this.activeTime + another.activeTime, bucketDuration),
+ this.rxBytes + another.rxBytes,
+ this.rxPackets + another.rxPackets,
+ this.txBytes + another.txBytes,
+ this.txPackets + another.txPackets,
+ this.operations + another.operations);
+ }
}
/** @hide */
@@ -1109,14 +1132,8 @@
* Builder class for {@link NetworkStatsHistory}.
*/
public static final class Builder {
+ private final TreeMap<Long, Entry> mEntries;
private final long mBucketDuration;
- private final List<Long> mBucketStart;
- private final List<Long> mActiveTime;
- private final List<Long> mRxBytes;
- private final List<Long> mRxPackets;
- private final List<Long> mTxBytes;
- private final List<Long> mTxPackets;
- private final List<Long> mOperations;
/**
* Creates a new Builder with given bucket duration and initial capacity to construct
@@ -1127,66 +1144,31 @@
*/
public Builder(long bucketDuration, int initialCapacity) {
mBucketDuration = bucketDuration;
- mBucketStart = new ArrayList<>(initialCapacity);
- mActiveTime = new ArrayList<>(initialCapacity);
- mRxBytes = new ArrayList<>(initialCapacity);
- mRxPackets = new ArrayList<>(initialCapacity);
- mTxBytes = new ArrayList<>(initialCapacity);
- mTxPackets = new ArrayList<>(initialCapacity);
- mOperations = new ArrayList<>(initialCapacity);
- }
-
- private void addToElement(List<Long> list, int pos, long value) {
- list.set(pos, list.get(pos) + value);
+ // Create a collection that is always sorted and can deduplicate items by the timestamp.
+ mEntries = new TreeMap<>();
}
/**
- * Add an {@link Entry} into the {@link NetworkStatsHistory} instance.
+ * Add an {@link Entry} into the {@link NetworkStatsHistory} instance. If the timestamp
+ * already exists, the given {@link Entry} will be combined into existing entry.
*
- * @param entry The target {@link Entry} object. The entry timestamp must be greater than
- * that of any previously-added entry.
+ * @param entry The target {@link Entry} object.
* @return The builder object.
*/
@NonNull
public Builder addEntry(@NonNull Entry entry) {
- final int lastBucket = mBucketStart.size() - 1;
- final long lastBucketStart = (lastBucket != -1) ? mBucketStart.get(lastBucket) : 0;
-
- // If last bucket has the same timestamp, modify it instead of adding another bucket.
- // This allows callers to pass in the same bucket twice (e.g., to accumulate
- // data over time), but still requires that entries must be sorted.
- // The importer will do this in case a rotated file has the same timestamp as
- // the previous file.
- if (lastBucket != -1 && entry.bucketStart == lastBucketStart) {
- addToElement(mActiveTime, lastBucket, entry.activeTime);
- addToElement(mRxBytes, lastBucket, entry.rxBytes);
- addToElement(mRxPackets, lastBucket, entry.rxPackets);
- addToElement(mTxBytes, lastBucket, entry.txBytes);
- addToElement(mTxPackets, lastBucket, entry.txPackets);
- addToElement(mOperations, lastBucket, entry.operations);
- return this;
+ final Entry existing = mEntries.get(entry.bucketStart);
+ if (existing != null) {
+ mEntries.put(entry.bucketStart, existing.plus(entry, mBucketDuration));
+ } else {
+ mEntries.put(entry.bucketStart, entry);
}
-
- // Inserting in the middle is prohibited for performance reasons.
- if (entry.bucketStart <= lastBucketStart) {
- throw new IllegalArgumentException("new bucket start " + entry.bucketStart
- + " must be greater than last bucket start " + lastBucketStart);
- }
-
- // Common case: add entries at the end of the list.
- mBucketStart.add(entry.bucketStart);
- mActiveTime.add(entry.activeTime);
- mRxBytes.add(entry.rxBytes);
- mRxPackets.add(entry.rxPackets);
- mTxBytes.add(entry.txBytes);
- mTxPackets.add(entry.txPackets);
- mOperations.add(entry.operations);
return this;
}
- private static long sum(@NonNull List<Long> list) {
- long sum = 0;
- for (long entry : list) {
+ private static long sum(@NonNull long[] array) {
+ long sum = 0L;
+ for (long entry : array) {
sum += entry;
}
return sum;
@@ -1199,16 +1181,30 @@
*/
@NonNull
public NetworkStatsHistory build() {
- return new NetworkStatsHistory(mBucketDuration,
- CollectionUtils.toLongArray(mBucketStart),
- CollectionUtils.toLongArray(mActiveTime),
- CollectionUtils.toLongArray(mRxBytes),
- CollectionUtils.toLongArray(mRxPackets),
- CollectionUtils.toLongArray(mTxBytes),
- CollectionUtils.toLongArray(mTxPackets),
- CollectionUtils.toLongArray(mOperations),
- mBucketStart.size(),
- sum(mRxBytes) + sum(mTxBytes));
+ int size = mEntries.size();
+ final long[] bucketStart = new long[size];
+ final long[] activeTime = new long[size];
+ final long[] rxBytes = new long[size];
+ final long[] rxPackets = new long[size];
+ final long[] txBytes = new long[size];
+ final long[] txPackets = new long[size];
+ final long[] operations = new long[size];
+
+ int i = 0;
+ for (Entry entry : mEntries.values()) {
+ bucketStart[i] = entry.bucketStart;
+ activeTime[i] = entry.activeTime;
+ rxBytes[i] = entry.rxBytes;
+ rxPackets[i] = entry.rxPackets;
+ txBytes[i] = entry.txBytes;
+ txPackets[i] = entry.txPackets;
+ operations[i] = entry.operations;
+ i++;
+ }
+
+ return new NetworkStatsHistory(mBucketDuration, bucketStart, activeTime,
+ rxBytes, rxPackets, txBytes, txPackets, operations,
+ size, sum(rxBytes) + sum(txBytes));
}
}
}
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index fdc7bf7..5769b92 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -1006,6 +1006,13 @@
*/
public static final int FIREWALL_CHAIN_OEM_DENY_2 = 8;
+ /**
+ * Firewall chain used for OEM-specific application restrictions.
+ * Denylist of apps that will not have network access due to OEM-specific restrictions.
+ * @hide
+ */
+ public static final int FIREWALL_CHAIN_OEM_DENY_3 = 9;
+
/** @hide */
@Retention(RetentionPolicy.SOURCE)
@IntDef(flag = false, prefix = "FIREWALL_CHAIN_", value = {
@@ -1016,7 +1023,8 @@
FIREWALL_CHAIN_LOW_POWER_STANDBY,
FIREWALL_CHAIN_LOCKDOWN_VPN,
FIREWALL_CHAIN_OEM_DENY_1,
- FIREWALL_CHAIN_OEM_DENY_2
+ FIREWALL_CHAIN_OEM_DENY_2,
+ FIREWALL_CHAIN_OEM_DENY_3
})
public @interface FirewallChain {}
// LINT.ThenChange(packages/modules/Connectivity/service/native/include/Common.h)
diff --git a/service-t/src/com/android/server/net/NetworkStatsService.java b/service-t/src/com/android/server/net/NetworkStatsService.java
index e714ab9..d0e0f70 100644
--- a/service-t/src/com/android/server/net/NetworkStatsService.java
+++ b/service-t/src/com/android/server/net/NetworkStatsService.java
@@ -959,8 +959,17 @@
// First, read all legacy collections. This is OEM code and it can throw. Don't
// commit any data to disk until all are read.
for (int i = 0; i < migrations.length; i++) {
+ String errMsg = null;
+ Throwable exception = null;
final MigrationInfo migration = migrations[i];
- migration.collection = readPlatformCollectionForRecorder(migration.recorder);
+
+ // Read the collection from platform code, and using fallback method if throws.
+ try {
+ migration.collection = readPlatformCollectionForRecorder(migration.recorder);
+ } catch (Throwable e) {
+ errMsg = "Failed to read stats from platform";
+ exception = e;
+ }
// Also read the collection with legacy method
final NetworkStatsRecorder legacyRecorder = legacyRecorders[i];
@@ -969,18 +978,22 @@
try {
legacyStats = legacyRecorder.getOrLoadCompleteLocked();
} catch (Throwable e) {
- Log.wtf(TAG, "Failed to read stats with legacy method", e);
- // Newer stats will be used here; that's the only thing that is usable
- continue;
+ Log.wtf(TAG, "Failed to read stats with legacy method for recorder " + i, e);
+ if (exception != null) {
+ throw exception;
+ } else {
+ // Use newer stats, since that's all that is available
+ continue;
+ }
}
- String errMsg;
- Throwable exception = null;
- try {
- errMsg = compareStats(migration.collection, legacyStats);
- } catch (Throwable e) {
- errMsg = "Failed to compare migrated stats with all stats";
- exception = e;
+ if (errMsg == null) {
+ try {
+ errMsg = compareStats(migration.collection, legacyStats);
+ } catch (Throwable e) {
+ errMsg = "Failed to compare migrated stats with all stats";
+ exception = e;
+ }
}
if (errMsg != null) {
diff --git a/service/ServiceConnectivityResources/res/values-sq/strings.xml b/service/ServiceConnectivityResources/res/values-sq/strings.xml
index 385c75c..85bd84f 100644
--- a/service/ServiceConnectivityResources/res/values-sq/strings.xml
+++ b/service/ServiceConnectivityResources/res/values-sq/strings.xml
@@ -35,7 +35,7 @@
<string-array name="network_switch_type_name">
<item msgid="3004933964374161223">"të dhënat celulare"</item>
<item msgid="5624324321165953608">"Wi-Fi"</item>
- <item msgid="5667906231066981731">"Bluetooth"</item>
+ <item msgid="5667906231066981731">"Bluetooth-i"</item>
<item msgid="346574747471703768">"Eternet"</item>
<item msgid="5734728378097476003">"VPN"</item>
</string-array>
diff --git a/service/jarjar-rules.txt b/service/jarjar-rules.txt
index c7223fc..4013d2e 100644
--- a/service/jarjar-rules.txt
+++ b/service/jarjar-rules.txt
@@ -118,6 +118,7 @@
rule androidx.core.** com.android.server.nearby.@0
rule androidx.versionedparcelable.** com.android.server.nearby.@0
rule com.google.common.** com.android.server.nearby.@0
+rule android.support.v4.** com.android.server.nearby.@0
# Remaining are connectivity sources in com.android.server and com.android.server.connectivity:
# TODO: move to a subpackage of com.android.connectivity (such as com.android.connectivity.server)
diff --git a/service/native/TrafficController.cpp b/service/native/TrafficController.cpp
index 68fc9c8..d05e6fa 100644
--- a/service/native/TrafficController.cpp
+++ b/service/native/TrafficController.cpp
@@ -76,6 +76,7 @@
const char* TrafficController::LOCAL_LOW_POWER_STANDBY = "fw_low_power_standby";
const char* TrafficController::LOCAL_OEM_DENY_1 = "fw_oem_deny_1";
const char* TrafficController::LOCAL_OEM_DENY_2 = "fw_oem_deny_2";
+const char* TrafficController::LOCAL_OEM_DENY_3 = "fw_oem_deny_3";
static_assert(BPF_PERMISSION_INTERNET == INetd::PERMISSION_INTERNET,
"Mismatch between BPF and AIDL permissions: PERMISSION_INTERNET");
@@ -103,6 +104,7 @@
FLAG_MSG_TRANS(matchType, LOCKDOWN_VPN_MATCH, match);
FLAG_MSG_TRANS(matchType, OEM_DENY_1_MATCH, match);
FLAG_MSG_TRANS(matchType, OEM_DENY_2_MATCH, match);
+ FLAG_MSG_TRANS(matchType, OEM_DENY_3_MATCH, match);
if (match) {
return StringPrintf("Unknown match: %u", match);
}
@@ -344,6 +346,8 @@
return DENYLIST;
case OEM_DENY_2:
return DENYLIST;
+ case OEM_DENY_3:
+ return DENYLIST;
case NONE:
default:
return DENYLIST;
@@ -378,6 +382,9 @@
case OEM_DENY_2:
res = updateOwnerMapEntry(OEM_DENY_2_MATCH, uid, rule, type);
break;
+ case OEM_DENY_3:
+ res = updateOwnerMapEntry(OEM_DENY_3_MATCH, uid, rule, type);
+ break;
case NONE:
default:
ALOGW("Unknown child chain: %d", chain);
@@ -459,6 +466,8 @@
res = replaceRulesInMap(OEM_DENY_1_MATCH, uids);
} else if (!name.compare(LOCAL_OEM_DENY_2)) {
res = replaceRulesInMap(OEM_DENY_2_MATCH, uids);
+ } else if (!name.compare(LOCAL_OEM_DENY_3)) {
+ res = replaceRulesInMap(OEM_DENY_3_MATCH, uids);
} else {
ALOGE("unknown chain name: %s", name.c_str());
return -EINVAL;
@@ -504,6 +513,9 @@
case OEM_DENY_2:
match = OEM_DENY_2_MATCH;
break;
+ case OEM_DENY_3:
+ match = OEM_DENY_3_MATCH;
+ break;
default:
return -EINVAL;
}
diff --git a/service/native/TrafficControllerTest.cpp b/service/native/TrafficControllerTest.cpp
index dfa7097..1aca633 100644
--- a/service/native/TrafficControllerTest.cpp
+++ b/service/native/TrafficControllerTest.cpp
@@ -30,6 +30,8 @@
#include <gtest/gtest.h>
+#include <android-base/file.h>
+#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <binder/Status.h>
@@ -49,6 +51,7 @@
using android::netdutils::Status;
using base::Result;
using netdutils::isOk;
+using netdutils::statusFromErrno;
constexpr int TEST_MAP_SIZE = 10;
constexpr uid_t TEST_UID = 10086;
@@ -56,6 +59,13 @@
constexpr uid_t TEST_UID3 = 98765;
constexpr uint32_t TEST_TAG = 42;
constexpr uint32_t TEST_COUNTERSET = 1;
+constexpr int TEST_COOKIE = 1;
+constexpr char TEST_IFNAME[] = "test0";
+constexpr int TEST_IFINDEX = 999;
+constexpr int RXPACKETS = 1;
+constexpr int RXBYTES = 100;
+constexpr int TXPACKETS = 0;
+constexpr int TXBYTES = 0;
#define ASSERT_VALID(x) ASSERT_TRUE((x).isValid())
@@ -69,6 +79,8 @@
BpfMap<uint32_t, uint32_t> mFakeConfigurationMap;
BpfMap<uint32_t, UidOwnerValue> mFakeUidOwnerMap;
BpfMap<uint32_t, uint8_t> mFakeUidPermissionMap;
+ BpfMap<uint32_t, uint8_t> mFakeUidCounterSetMap;
+ BpfMap<uint32_t, IfaceValue> mFakeIfaceIndexNameMap;
void SetUp() {
std::lock_guard guard(mTc.mMutex);
@@ -91,6 +103,12 @@
mFakeUidPermissionMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
ASSERT_VALID(mFakeUidPermissionMap);
+ mFakeUidCounterSetMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
+ ASSERT_VALID(mFakeUidCounterSetMap);
+
+ mFakeIfaceIndexNameMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE);
+ ASSERT_VALID(mFakeIfaceIndexNameMap);
+
mTc.mCookieTagMap = mFakeCookieTagMap;
ASSERT_VALID(mTc.mCookieTagMap);
mTc.mAppUidStatsMap = mFakeAppUidStatsMap;
@@ -108,21 +126,38 @@
mTc.mUidPermissionMap = mFakeUidPermissionMap;
ASSERT_VALID(mTc.mUidPermissionMap);
mTc.mPrivilegedUser.clear();
+
+ mTc.mUidCounterSetMap = mFakeUidCounterSetMap;
+ ASSERT_VALID(mTc.mUidCounterSetMap);
+
+ mTc.mIfaceIndexNameMap = mFakeIfaceIndexNameMap;
+ ASSERT_VALID(mTc.mIfaceIndexNameMap);
}
void populateFakeStats(uint64_t cookie, uint32_t uid, uint32_t tag, StatsKey* key) {
UidTagValue cookieMapkey = {.uid = (uint32_t)uid, .tag = tag};
EXPECT_RESULT_OK(mFakeCookieTagMap.writeValue(cookie, cookieMapkey, BPF_ANY));
- *key = {.uid = uid, .tag = tag, .counterSet = TEST_COUNTERSET, .ifaceIndex = 1};
- StatsValue statsMapValue = {.rxPackets = 1, .rxBytes = 100};
- EXPECT_RESULT_OK(mFakeStatsMapA.writeValue(*key, statsMapValue, BPF_ANY));
- key->tag = 0;
+ *key = {.uid = uid, .tag = tag, .counterSet = TEST_COUNTERSET, .ifaceIndex = TEST_IFINDEX};
+ StatsValue statsMapValue = {.rxPackets = RXPACKETS, .rxBytes = RXBYTES,
+ .txPackets = TXPACKETS, .txBytes = TXBYTES};
EXPECT_RESULT_OK(mFakeStatsMapA.writeValue(*key, statsMapValue, BPF_ANY));
EXPECT_RESULT_OK(mFakeAppUidStatsMap.writeValue(uid, statsMapValue, BPF_ANY));
// put tag information back to statsKey
key->tag = tag;
}
+ void populateFakeCounterSet(uint32_t uid, uint32_t counterSet) {
+ EXPECT_RESULT_OK(mFakeUidCounterSetMap.writeValue(uid, counterSet, BPF_ANY));
+ }
+
+ void populateFakeIfaceIndexName(const char* name, uint32_t ifaceIndex) {
+ if (name == nullptr || ifaceIndex <= 0) return;
+
+ IfaceValue iface;
+ strlcpy(iface.name, name, sizeof(IfaceValue));
+ EXPECT_RESULT_OK(mFakeIfaceIndexNameMap.writeValue(ifaceIndex, iface, BPF_ANY));
+ }
+
void checkUidOwnerRuleForChain(ChildChain chain, UidOwnerMatchType match) {
uint32_t uid = TEST_UID;
EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, DENY, DENYLIST));
@@ -242,17 +277,17 @@
EXPECT_EQ(tag, cookieMapResult.value().tag);
Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey);
EXPECT_RESULT_OK(statsMapResult);
- EXPECT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
- EXPECT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
+ EXPECT_EQ((uint64_t)RXPACKETS, statsMapResult.value().rxPackets);
+ EXPECT_EQ((uint64_t)RXBYTES, statsMapResult.value().rxBytes);
tagStatsMapKey.tag = 0;
statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey);
EXPECT_RESULT_OK(statsMapResult);
- EXPECT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
- EXPECT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
+ EXPECT_EQ((uint64_t)RXPACKETS, statsMapResult.value().rxPackets);
+ EXPECT_EQ((uint64_t)RXBYTES, statsMapResult.value().rxBytes);
auto appStatsResult = mFakeAppUidStatsMap.readValue(uid);
EXPECT_RESULT_OK(appStatsResult);
- EXPECT_EQ((uint64_t)1, appStatsResult.value().rxPackets);
- EXPECT_EQ((uint64_t)100, appStatsResult.value().rxBytes);
+ EXPECT_EQ((uint64_t)RXPACKETS, appStatsResult.value().rxPackets);
+ EXPECT_EQ((uint64_t)RXBYTES, appStatsResult.value().rxBytes);
}
Status updateUidOwnerMaps(const std::vector<uint32_t>& appUids,
@@ -265,6 +300,62 @@
return ret;
}
+ Status dump(bool verbose, std::vector<std::string>& outputLines) {
+ if (!outputLines.empty()) return statusFromErrno(EUCLEAN, "Output buffer is not empty");
+
+ android::base::unique_fd localFd, remoteFd;
+ if (!Pipe(&localFd, &remoteFd)) return statusFromErrno(errno, "Failed on pipe");
+
+ // dump() blocks until another thread has consumed all its output.
+ std::thread dumpThread =
+ std::thread([this, remoteFd{std::move(remoteFd)}, verbose]() {
+ mTc.dump(remoteFd, verbose);
+ });
+
+ std::string dumpContent;
+ if (!android::base::ReadFdToString(localFd.get(), &dumpContent)) {
+ return statusFromErrno(errno, "Failed to read dump results from fd");
+ }
+ dumpThread.join();
+
+ std::stringstream dumpStream(std::move(dumpContent));
+ std::string line;
+ while (std::getline(dumpStream, line)) {
+ outputLines.push_back(line);
+ }
+
+ return netdutils::status::ok;
+ }
+
+ // Strings in the |expect| must exist in dump results in order. But no need to be consecutive.
+ bool expectDumpsysContains(std::vector<std::string>& expect) {
+ if (expect.empty()) return false;
+
+ std::vector<std::string> output;
+ Status result = dump(true, output);
+ if (!isOk(result)) {
+ GTEST_LOG_(ERROR) << "TrafficController dump failed: " << netdutils::toString(result);
+ return false;
+ }
+
+ int matched = 0;
+ auto it = expect.begin();
+ for (const auto& line : output) {
+ if (it == expect.end()) break;
+ if (std::string::npos != line.find(*it)) {
+ matched++;
+ ++it;
+ }
+ }
+
+ if (matched != expect.size()) {
+ // dump results for debugging
+ for (const auto& o : output) LOG(INFO) << "output: " << o;
+ for (const auto& e : expect) LOG(INFO) << "expect: " << e;
+ return false;
+ }
+ return true;
+ }
};
TEST_F(TrafficControllerTest, TestUpdateOwnerMapEntry) {
@@ -301,6 +392,7 @@
checkUidOwnerRuleForChain(LOCKDOWN, LOCKDOWN_VPN_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_1, OEM_DENY_1_MATCH);
checkUidOwnerRuleForChain(OEM_DENY_2, OEM_DENY_2_MATCH);
+ checkUidOwnerRuleForChain(OEM_DENY_3, OEM_DENY_3_MATCH);
ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(NONE, TEST_UID, ALLOW, ALLOWLIST));
ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(INVALID_CHAIN, TEST_UID, ALLOW, ALLOWLIST));
}
@@ -314,6 +406,7 @@
checkUidMapReplace("fw_low_power_standby", uids, LOW_POWER_STANDBY_MATCH);
checkUidMapReplace("fw_oem_deny_1", uids, OEM_DENY_1_MATCH);
checkUidMapReplace("fw_oem_deny_2", uids, OEM_DENY_2_MATCH);
+ checkUidMapReplace("fw_oem_deny_3", uids, OEM_DENY_3_MATCH);
ASSERT_EQ(-EINVAL, mTc.replaceUidOwnerMap("unknow", true, uids));
}
@@ -645,6 +738,83 @@
expectPrivilegedUserSetEmpty();
}
+TEST_F(TrafficControllerTest, TestDumpsys) {
+ StatsKey tagStatsMapKey;
+ populateFakeStats(TEST_COOKIE, TEST_UID, TEST_TAG, &tagStatsMapKey);
+ populateFakeCounterSet(TEST_UID3, TEST_COUNTERSET);
+
+ // Expect: (part of this depends on hard-code values in populateFakeStats())
+ //
+ // mCookieTagMap:
+ // cookie=1 tag=0x2a uid=10086
+ //
+ // mUidCounterSetMap:
+ // 98765 1
+ //
+ // mAppUidStatsMap::
+ // uid rxBytes rxPackets txBytes txPackets
+ // 10086 100 1 0 0
+ //
+ // mStatsMapA:
+ // ifaceIndex ifaceName tag_hex uid_int cnt_set rxBytes rxPackets txBytes txPackets
+ // 999 test0 0x2a 10086 1 100 1 0 0
+ std::vector<std::string> expectedLines = {
+ "mCookieTagMap:",
+ fmt::format("cookie={} tag={:#x} uid={}", TEST_COOKIE, TEST_TAG, TEST_UID),
+ "mUidCounterSetMap:",
+ fmt::format("{} {}", TEST_UID3, TEST_COUNTERSET),
+ "mAppUidStatsMap::", // TODO@: fix double colon
+ "uid rxBytes rxPackets txBytes txPackets",
+ fmt::format("{} {} {} {} {}", TEST_UID, RXBYTES, RXPACKETS, TXBYTES, TXPACKETS),
+ "mStatsMapA",
+ "ifaceIndex ifaceName tag_hex uid_int cnt_set rxBytes rxPackets txBytes txPackets",
+ fmt::format("{} {} {:#x} {} {} {} {} {} {}",
+ TEST_IFINDEX, TEST_IFNAME, TEST_TAG, TEST_UID, TEST_COUNTERSET, RXBYTES,
+ RXPACKETS, TXBYTES, TXPACKETS)};
+
+ populateFakeIfaceIndexName(TEST_IFNAME, TEST_IFINDEX);
+ expectedLines.emplace_back("mIfaceIndexNameMap:");
+ expectedLines.emplace_back(fmt::format("ifaceIndex={} ifaceName={}",
+ TEST_IFINDEX, TEST_IFNAME));
+
+ ASSERT_TRUE(isOk(updateUidOwnerMaps({TEST_UID}, HAPPY_BOX_MATCH,
+ TrafficController::IptOpInsert)));
+ expectedLines.emplace_back("mUidOwnerMap:");
+ expectedLines.emplace_back(fmt::format("{} HAPPY_BOX_MATCH", TEST_UID));
+
+ mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, {TEST_UID2});
+ expectedLines.emplace_back("mUidPermissionMap:");
+ expectedLines.emplace_back(fmt::format("{} BPF_PERMISSION_UPDATE_DEVICE_STATS", TEST_UID2));
+ expectedLines.emplace_back("mPrivilegedUser:");
+ expectedLines.emplace_back(fmt::format("{} ALLOW_UPDATE_DEVICE_STATS", TEST_UID2));
+ EXPECT_TRUE(expectDumpsysContains(expectedLines));
+}
+
+TEST_F(TrafficControllerTest, getFirewallType) {
+ static const struct TestConfig {
+ ChildChain childChain;
+ FirewallType firewallType;
+ } testConfigs[] = {
+ // clang-format off
+ {NONE, DENYLIST},
+ {DOZABLE, ALLOWLIST},
+ {STANDBY, DENYLIST},
+ {POWERSAVE, ALLOWLIST},
+ {RESTRICTED, ALLOWLIST},
+ {LOW_POWER_STANDBY, ALLOWLIST},
+ {LOCKDOWN, DENYLIST},
+ {OEM_DENY_1, DENYLIST},
+ {OEM_DENY_2, DENYLIST},
+ {INVALID_CHAIN, DENYLIST},
+ // clang-format on
+ };
+
+ for (const auto& config : testConfigs) {
+ SCOPED_TRACE(fmt::format("testConfig: [{}, {}]", config.childChain, config.firewallType));
+ EXPECT_EQ(config.firewallType, mTc.getFirewallType(config.childChain));
+ }
+}
+
constexpr uint32_t SOCK_CLOSE_WAIT_US = 30 * 1000;
constexpr uint32_t ENOBUFS_POLL_WAIT_US = 10 * 1000;
diff --git a/service/native/include/Common.h b/service/native/include/Common.h
index 48f68ea..2427aa9 100644
--- a/service/native/include/Common.h
+++ b/service/native/include/Common.h
@@ -38,6 +38,7 @@
LOCKDOWN = 6,
OEM_DENY_1 = 7,
OEM_DENY_2 = 8,
+ OEM_DENY_3 = 9,
INVALID_CHAIN
};
// LINT.ThenChange(packages/modules/Connectivity/framework/src/android/net/ConnectivityManager.java)
diff --git a/service/native/include/TrafficController.h b/service/native/include/TrafficController.h
index 7a36e1e..c019ce7 100644
--- a/service/native/include/TrafficController.h
+++ b/service/native/include/TrafficController.h
@@ -90,6 +90,7 @@
static const char* LOCAL_LOW_POWER_STANDBY;
static const char* LOCAL_OEM_DENY_1;
static const char* LOCAL_OEM_DENY_2;
+ static const char* LOCAL_OEM_DENY_3;
private:
/*
diff --git a/service/native/libs/libclat/clatutils_test.cpp b/service/native/libs/libclat/clatutils_test.cpp
index 4153e19..8cca1f4 100644
--- a/service/native/libs/libclat/clatutils_test.cpp
+++ b/service/native/libs/libclat/clatutils_test.cpp
@@ -19,6 +19,7 @@
#include <gtest/gtest.h>
#include <linux/if_packet.h>
#include <linux/if_tun.h>
+#include <netinet/in.h>
#include "tun_interface.h"
extern "C" {
@@ -182,6 +183,31 @@
v6Iface.destroy();
}
+// This is not a realistic test because we can't test generateIPv6Address here since it requires
+// manipulating routing, which we can't do without talking to the real netd on the system.
+// See test MakeChecksumNeutral.
+// TODO: remove this test once EthernetTetheringTest can test on mainline test coverage branch.
+TEST_F(ClatUtils, GenerateIpv6AddressFailWithUlaSocketAddress) {
+ // Create an interface for generateIpv6Address to connect to.
+ TunInterface tun;
+ ASSERT_EQ(0, tun.init());
+
+ // Unused because v6 address is ULA and makeChecksumNeutral has never called.
+ in_addr v4 = {inet_addr(kIPv4LocalAddr)};
+ // Not a NAT64 prefix because test can't connect to in generateIpv6Address.
+ // Used to be a fake address from the tun interface for generating an IPv6 socket address.
+ // nat64Prefix won't be used in MakeChecksumNeutral because MakeChecksumNeutral has never
+ // be called.
+ in6_addr nat64Prefix = tun.dstAddr(); // not realistic
+ in6_addr v6;
+ EXPECT_EQ(1, inet_pton(AF_INET6, "::", &v6)); // initialize as zero
+
+ EXPECT_EQ(-ENETUNREACH, generateIpv6Address(tun.name().c_str(), v4, nat64Prefix, &v6));
+ EXPECT_TRUE(IN6_IS_ADDR_ULA(&v6));
+
+ tun.destroy();
+}
+
} // namespace clat
} // namespace net
} // namespace android
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 8d8442f..848901f 100644
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -11361,6 +11361,7 @@
case ConnectivityManager.FIREWALL_CHAIN_STANDBY:
case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1:
case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2:
+ case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3:
defaultRule = FIREWALL_RULE_ALLOW;
break;
case ConnectivityManager.FIREWALL_CHAIN_DOZABLE:
@@ -11416,6 +11417,9 @@
case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2:
mBpfNetMaps.replaceUidChain("fw_oem_deny_2", false /* isAllowList */, uids);
break;
+ case ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3:
+ mBpfNetMaps.replaceUidChain("fw_oem_deny_3", false /* isAllowList */, uids);
+ break;
default:
throw new IllegalArgumentException("replaceFirewallChain with invalid chain: "
+ chain);
diff --git a/tests/common/java/android/net/netstats/NetworkStatsHistoryTest.kt b/tests/common/java/android/net/netstats/NetworkStatsHistoryTest.kt
index f8e041a..a6c9f3c 100644
--- a/tests/common/java/android/net/netstats/NetworkStatsHistoryTest.kt
+++ b/tests/common/java/android/net/netstats/NetworkStatsHistoryTest.kt
@@ -27,7 +27,6 @@
import org.junit.runner.RunWith
import org.junit.runners.JUnit4
import kotlin.test.assertEquals
-import kotlin.test.assertFailsWith
@ConnectivityModuleTest
@RunWith(JUnit4::class)
@@ -53,21 +52,36 @@
statsSingle.assertEntriesEqual(entry1)
assertEquals(DateUtils.HOUR_IN_MILLIS, statsSingle.bucketDuration)
- // Verify the builder throws if the timestamp of added entry is not greater than
- // that of any previously-added entry.
- assertFailsWith(IllegalArgumentException::class) {
- NetworkStatsHistory
- .Builder(DateUtils.SECOND_IN_MILLIS, /* initialCapacity */ 0)
- .addEntry(entry1).addEntry(entry2).addEntry(entry3)
- .build()
- }
+ val statsMultiple = NetworkStatsHistory
+ .Builder(DateUtils.SECOND_IN_MILLIS, /* initialCapacity */ 0)
+ .addEntry(entry1).addEntry(entry2).addEntry(entry3)
+ .build()
+ assertEquals(DateUtils.SECOND_IN_MILLIS, statsMultiple.bucketDuration)
+ // Verify the entries exist and sorted.
+ statsMultiple.assertEntriesEqual(entry3, entry1, entry2)
+ }
+
+ @Test
+ fun testBuilderSortAndDeduplicate() {
+ val entry1 = NetworkStatsHistory.Entry(10, 30, 40, 4, 50, 5, 60)
+ val entry2 = NetworkStatsHistory.Entry(30, 15, 3, 41, 7, 1, 0)
+ val entry3 = NetworkStatsHistory.Entry(30, 999, 11, 14, 31, 2, 80)
+ val entry4 = NetworkStatsHistory.Entry(10, 15, 1, 17, 5, 33, 10)
+ val entry5 = NetworkStatsHistory.Entry(6, 1, 9, 11, 29, 1, 7)
+
+ // Entries for verification.
+ // Note that active time of 2 + 3 is truncated to bucket duration since the active time
+ // should not go over bucket duration.
+ val entry2and3 = NetworkStatsHistory.Entry(30, 1000, 14, 55, 38, 3, 80)
+ val entry1and4 = NetworkStatsHistory.Entry(10, 45, 41, 21, 55, 38, 70)
val statsMultiple = NetworkStatsHistory
.Builder(DateUtils.SECOND_IN_MILLIS, /* initialCapacity */ 0)
- .addEntry(entry3).addEntry(entry1).addEntry(entry2)
- .build()
+ .addEntry(entry1).addEntry(entry2).addEntry(entry3)
+ .addEntry(entry4).addEntry(entry5).build()
assertEquals(DateUtils.SECOND_IN_MILLIS, statsMultiple.bucketDuration)
- statsMultiple.assertEntriesEqual(entry3, entry1, entry2)
+ // Verify the entries sorted and deduplicated.
+ statsMultiple.assertEntriesEqual(entry5, entry1and4, entry2and3)
}
fun NetworkStatsHistory.assertEntriesEqual(vararg entries: NetworkStatsHistory.Entry) {
diff --git a/tests/cts/hostside/app/src/com/android/cts/net/hostside/VpnTest.java b/tests/cts/hostside/app/src/com/android/cts/net/hostside/VpnTest.java
index dc67c70..dd8b523 100755
--- a/tests/cts/hostside/app/src/com/android/cts/net/hostside/VpnTest.java
+++ b/tests/cts/hostside/app/src/com/android/cts/net/hostside/VpnTest.java
@@ -378,10 +378,6 @@
if (mNetwork == null) {
fail("VPN did not become available after " + TIMEOUT_MS + "ms");
}
-
- // Unfortunately, when the available callback fires, the VPN UID ranges are not yet
- // configured. Give the system some time to do so. http://b/18436087 .
- try { Thread.sleep(3000); } catch(InterruptedException e) {}
}
private void stopVpn() {
diff --git a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
index d97ebcb..08cf0d7 100644
--- a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
+++ b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
@@ -39,6 +39,7 @@
import static android.net.ConnectivityManager.EXTRA_NETWORK_REQUEST;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3;
import static android.net.ConnectivityManager.FIREWALL_RULE_ALLOW;
import static android.net.ConnectivityManager.FIREWALL_RULE_DENY;
import static android.net.ConnectivityManager.PROFILE_NETWORK_PREFERENCE_ENTERPRISE;
@@ -3385,6 +3386,7 @@
// doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_STANDBY);
doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_1);
doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_2);
+ doTestFirewallBlockingDenyRule(FIREWALL_CHAIN_OEM_DENY_3);
}
private void assumeTestSApis() {
diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 0c5420d..e84df16 100644
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -56,6 +56,7 @@
import static android.net.ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_1;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_2;
+import static android.net.ConnectivityManager.FIREWALL_CHAIN_OEM_DENY_3;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_POWERSAVE;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_RESTRICTED;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_STANDBY;
@@ -9577,6 +9578,7 @@
doTestSetUidFirewallRule(FIREWALL_CHAIN_LOW_POWER_STANDBY, FIREWALL_RULE_DENY);
doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_1, FIREWALL_RULE_ALLOW);
doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_2, FIREWALL_RULE_ALLOW);
+ doTestSetUidFirewallRule(FIREWALL_CHAIN_OEM_DENY_3, FIREWALL_RULE_ALLOW);
}
@Test @IgnoreUpTo(SC_V2)
@@ -9588,7 +9590,8 @@
FIREWALL_CHAIN_RESTRICTED,
FIREWALL_CHAIN_LOW_POWER_STANDBY,
FIREWALL_CHAIN_OEM_DENY_1,
- FIREWALL_CHAIN_OEM_DENY_2);
+ FIREWALL_CHAIN_OEM_DENY_2,
+ FIREWALL_CHAIN_OEM_DENY_3);
for (final int chain: firewallChains) {
mCm.setFirewallChainEnabled(chain, true /* enabled */);
verify(mBpfNetMaps).setChildChain(chain, true /* enable */);
@@ -9617,6 +9620,7 @@
doTestReplaceFirewallChain(FIREWALL_CHAIN_LOW_POWER_STANDBY, "fw_low_power_standby", true);
doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_1, "fw_oem_deny_1", false);
doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_2, "fw_oem_deny_2", false);
+ doTestReplaceFirewallChain(FIREWALL_CHAIN_OEM_DENY_3, "fw_oem_deny_3", false);
}
@Test @IgnoreUpTo(SC_V2)