Merge "[Thread] add Thread Operational Dataset API" into main
diff --git a/Tethering/Android.bp b/Tethering/Android.bp
index 4478b1e..e69b872 100644
--- a/Tethering/Android.bp
+++ b/Tethering/Android.bp
@@ -95,6 +95,7 @@
],
static_libs: [
"NetworkStackApiCurrentShims",
+ "net-utils-device-common-struct",
],
apex_available: ["com.android.tethering"],
lint: { strict_updatability_linting: true },
@@ -109,6 +110,7 @@
],
static_libs: [
"NetworkStackApiStableShims",
+ "net-utils-device-common-struct",
],
apex_available: ["com.android.tethering"],
lint: { strict_updatability_linting: true },
diff --git a/Tethering/src/android/net/ip/IpServer.java b/Tethering/src/android/net/ip/IpServer.java
index e030902..246e5bc 100644
--- a/Tethering/src/android/net/ip/IpServer.java
+++ b/Tethering/src/android/net/ip/IpServer.java
@@ -44,6 +44,7 @@
import android.net.LinkProperties;
import android.net.MacAddress;
import android.net.RouteInfo;
+import android.net.RoutingCoordinatorManager;
import android.net.TetheredClient;
import android.net.TetheringManager;
import android.net.TetheringRequestParcel;
@@ -71,6 +72,7 @@
import com.android.modules.utils.build.SdkLevel;
import com.android.net.module.util.InterfaceParams;
import com.android.net.module.util.NetdUtils;
+import com.android.net.module.util.SdkUtil.LateSdk;
import com.android.net.module.util.SharedLog;
import com.android.net.module.util.ip.InterfaceController;
import com.android.net.module.util.ip.IpNeighborMonitor;
@@ -245,6 +247,11 @@
private final INetd mNetd;
@NonNull
private final BpfCoordinator mBpfCoordinator;
+ // Contains null if the connectivity module is unsupported, as the routing coordinator is not
+ // available. Must use LateSdk because MessageUtils enumerates fields in this class, so it
+ // must be able to find all classes at runtime.
+ @NonNull
+ private final LateSdk<RoutingCoordinatorManager> mRoutingCoordinator;
private final Callback mCallback;
private final InterfaceController mInterfaceCtrl;
private final PrivateAddressCoordinator mPrivateAddressCoordinator;
@@ -307,13 +314,15 @@
// object. It helps to reduce the arguments of the constructor.
public IpServer(
String ifaceName, Looper looper, int interfaceType, SharedLog log,
- INetd netd, @NonNull BpfCoordinator coordinator, Callback callback,
+ INetd netd, @NonNull BpfCoordinator bpfCoordinator,
+ @Nullable LateSdk<RoutingCoordinatorManager> routingCoordinator, Callback callback,
TetheringConfiguration config, PrivateAddressCoordinator addressCoordinator,
TetheringMetrics tetheringMetrics, Dependencies deps) {
super(ifaceName, looper);
mLog = log.forSubComponent(ifaceName);
mNetd = netd;
- mBpfCoordinator = coordinator;
+ mBpfCoordinator = bpfCoordinator;
+ mRoutingCoordinator = routingCoordinator;
mCallback = callback;
mInterfaceCtrl = new InterfaceController(ifaceName, mNetd, mLog);
mIfaceName = ifaceName;
@@ -807,23 +816,33 @@
for (RouteInfo route : toBeRemoved) mLinkProperties.removeRoute(route);
}
- private void addRoutesToLocalNetwork(@NonNull final List<RouteInfo> toBeAdded) {
+ private void addInterfaceToNetwork(final int netId, @NonNull final String ifaceName) {
try {
- // It's safe to call networkAddInterface() even if
- // the interface is already in the local_network.
- mNetd.networkAddInterface(INetd.LOCAL_NET_ID, mIfaceName);
- try {
- // Add routes from local network. Note that adding routes that
- // already exist does not cause an error (EEXIST is silently ignored).
- NetdUtils.addRoutesToLocalNetwork(mNetd, mIfaceName, toBeAdded);
- } catch (IllegalStateException e) {
- mLog.e("Failed to add IPv4/v6 routes to local table: " + e);
- return;
+ if (null != mRoutingCoordinator.value) {
+ // TODO : remove this call in favor of using the LocalNetworkConfiguration
+ // correctly, which will let ConnectivityService do it automatically.
+ mRoutingCoordinator.value.addInterfaceToNetwork(netId, ifaceName);
+ } else {
+ mNetd.networkAddInterface(netId, ifaceName);
}
} catch (ServiceSpecificException | RemoteException e) {
mLog.e("Failed to add " + mIfaceName + " to local table: ", e);
return;
}
+ }
+
+ private void addRoutesToLocalNetwork(@NonNull final List<RouteInfo> toBeAdded) {
+ // It's safe to call addInterfaceToNetwork() even if
+ // the interface is already in the local_network.
+ addInterfaceToNetwork(INetd.LOCAL_NET_ID, mIfaceName);
+ try {
+ // Add routes from local network. Note that adding routes that
+ // already exist does not cause an error (EEXIST is silently ignored).
+ NetdUtils.addRoutesToLocalNetwork(mNetd, mIfaceName, toBeAdded);
+ } catch (IllegalStateException e) {
+ mLog.e("Failed to add IPv4/v6 routes to local table: " + e);
+ return;
+ }
for (RouteInfo route : toBeAdded) mLinkProperties.addRoute(route);
}
diff --git a/Tethering/src/com/android/networkstack/tethering/Tethering.java b/Tethering/src/com/android/networkstack/tethering/Tethering.java
index b371178..f52bed9 100644
--- a/Tethering/src/com/android/networkstack/tethering/Tethering.java
+++ b/Tethering/src/com/android/networkstack/tethering/Tethering.java
@@ -90,6 +90,7 @@
import android.net.LinkProperties;
import android.net.Network;
import android.net.NetworkInfo;
+import android.net.RoutingCoordinatorManager;
import android.net.TetherStatesParcel;
import android.net.TetheredClient;
import android.net.TetheringCallbackStartedParcel;
@@ -136,6 +137,7 @@
import com.android.net.module.util.BaseNetdUnsolicitedEventListener;
import com.android.net.module.util.CollectionUtils;
import com.android.net.module.util.NetdUtils;
+import com.android.net.module.util.SdkUtil.LateSdk;
import com.android.net.module.util.SharedLog;
import com.android.networkstack.apishim.common.BluetoothPanShim;
import com.android.networkstack.apishim.common.BluetoothPanShim.TetheredInterfaceCallbackShim;
@@ -250,6 +252,10 @@
private final Handler mHandler;
private final INetd mNetd;
private final NetdCallback mNetdCallback;
+ // Contains null if the connectivity module is unsupported, as the routing coordinator is not
+ // available. Must use LateSdk because MessageUtils enumerates fields in this class, so it
+ // must be able to find all classes at runtime.
+ @NonNull private final LateSdk<RoutingCoordinatorManager> mRoutingCoordinator;
private final UserRestrictionActionListener mTetheringRestriction;
private final ActiveDataSubIdListener mActiveDataSubIdListener;
private final ConnectedClientsTracker mConnectedClientsTracker;
@@ -296,6 +302,7 @@
mDeps = deps;
mContext = mDeps.getContext();
mNetd = mDeps.getINetd(mContext);
+ mRoutingCoordinator = mDeps.getRoutingCoordinator(mContext);
mLooper = mDeps.getTetheringLooper();
mNotificationUpdater = mDeps.getNotificationUpdater(mContext, mLooper);
mTetheringMetrics = mDeps.getTetheringMetrics();
@@ -2835,8 +2842,9 @@
mLog.i("adding IpServer for: " + iface);
final TetherState tetherState = new TetherState(
new IpServer(iface, mLooper, interfaceType, mLog, mNetd, mBpfCoordinator,
- makeControlCallback(), mConfig, mPrivateAddressCoordinator,
- mTetheringMetrics, mDeps.getIpServerDependencies()), isNcm);
+ mRoutingCoordinator, makeControlCallback(), mConfig,
+ mPrivateAddressCoordinator, mTetheringMetrics,
+ mDeps.getIpServerDependencies()), isNcm);
mTetherStates.put(iface, tetherState);
tetherState.ipServer.start();
}
diff --git a/Tethering/src/com/android/networkstack/tethering/TetheringDependencies.java b/Tethering/src/com/android/networkstack/tethering/TetheringDependencies.java
index 741a5c5..c6468a0 100644
--- a/Tethering/src/com/android/networkstack/tethering/TetheringDependencies.java
+++ b/Tethering/src/com/android/networkstack/tethering/TetheringDependencies.java
@@ -16,11 +16,14 @@
package com.android.networkstack.tethering;
+import android.annotation.Nullable;
import android.app.usage.NetworkStatsManager;
import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothPan;
import android.content.Context;
import android.net.INetd;
+import android.net.RoutingCoordinatorManager;
+import android.net.connectivity.TiramisuConnectivityInternalApiUtil;
import android.net.ip.IpServer;
import android.os.Build;
import android.os.Handler;
@@ -33,6 +36,8 @@
import androidx.annotation.RequiresApi;
import com.android.internal.util.StateMachine;
+import com.android.modules.utils.build.SdkLevel;
+import com.android.net.module.util.SdkUtil.LateSdk;
import com.android.net.module.util.SharedLog;
import com.android.networkstack.apishim.BluetoothPanShimImpl;
import com.android.networkstack.apishim.common.BluetoothPanShim;
@@ -122,6 +127,16 @@
}
/**
+ * Get the routing coordinator, or null if below S.
+ */
+ @Nullable
+ public LateSdk<RoutingCoordinatorManager> getRoutingCoordinator(Context context) {
+ if (!SdkLevel.isAtLeastS()) return new LateSdk<>(null);
+ return new LateSdk<>(
+ TiramisuConnectivityInternalApiUtil.getRoutingCoordinatorManager(context));
+ }
+
+ /**
* Get a reference to the TetheringNotificationUpdater to be used by tethering.
*/
public TetheringNotificationUpdater getNotificationUpdater(@NonNull final Context ctx,
@@ -135,7 +150,7 @@
public abstract Looper getTetheringLooper();
/**
- * Get Context of TetheringSerice.
+ * Get Context of TetheringService.
*/
public abstract Context getContext();
diff --git a/Tethering/tests/unit/src/android/net/ip/IpServerTest.java b/Tethering/tests/unit/src/android/net/ip/IpServerTest.java
index d497a4d..fc9928d 100644
--- a/Tethering/tests/unit/src/android/net/ip/IpServerTest.java
+++ b/Tethering/tests/unit/src/android/net/ip/IpServerTest.java
@@ -62,6 +62,7 @@
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.inOrder;
+import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.reset;
import static org.mockito.Mockito.spy;
@@ -80,6 +81,7 @@
import android.net.LinkProperties;
import android.net.MacAddress;
import android.net.RouteInfo;
+import android.net.RoutingCoordinatorManager;
import android.net.TetherOffloadRuleParcel;
import android.net.TetherStatsParcel;
import android.net.dhcp.DhcpServerCallbacks;
@@ -99,9 +101,11 @@
import androidx.test.filters.SmallTest;
import androidx.test.runner.AndroidJUnit4;
+import com.android.modules.utils.build.SdkLevel;
import com.android.net.module.util.BpfMap;
import com.android.net.module.util.InterfaceParams;
import com.android.net.module.util.NetworkStackConstants;
+import com.android.net.module.util.SdkUtil.LateSdk;
import com.android.net.module.util.SharedLog;
import com.android.net.module.util.Struct.S32;
import com.android.net.module.util.bpf.Tether4Key;
@@ -193,6 +197,8 @@
@Mock private IpNeighborMonitor mIpNeighborMonitor;
@Mock private IpServer.Dependencies mDependencies;
@Mock private PrivateAddressCoordinator mAddressCoordinator;
+ private final LateSdk<RoutingCoordinatorManager> mRoutingCoordinatorManager =
+ new LateSdk<>(SdkLevel.isAtLeastS() ? mock(RoutingCoordinatorManager.class) : null);
@Mock private NetworkStatsManager mStatsManager;
@Mock private TetheringConfiguration mTetherConfig;
@Mock private ConntrackMonitor mConntrackMonitor;
@@ -249,7 +255,8 @@
mBpfCoordinator = spy(new BpfCoordinator(mBpfDeps));
mIpServer = new IpServer(
IFACE_NAME, mLooper.getLooper(), interfaceType, mSharedLog, mNetd, mBpfCoordinator,
- mCallback, mTetherConfig, mAddressCoordinator, mTetheringMetrics, mDependencies);
+ mRoutingCoordinatorManager, mCallback, mTetherConfig, mAddressCoordinator,
+ mTetheringMetrics, mDependencies);
mIpServer.start();
mNeighborEventConsumer = neighborCaptor.getValue();
@@ -396,8 +403,8 @@
when(mDependencies.getIpNeighborMonitor(any(), any(), any()))
.thenReturn(mIpNeighborMonitor);
mIpServer = new IpServer(IFACE_NAME, mLooper.getLooper(), TETHERING_BLUETOOTH, mSharedLog,
- mNetd, mBpfCoordinator, mCallback, mTetherConfig, mAddressCoordinator,
- mTetheringMetrics, mDependencies);
+ mNetd, mBpfCoordinator, mRoutingCoordinatorManager, mCallback, mTetherConfig,
+ mAddressCoordinator, mTetheringMetrics, mDependencies);
mIpServer.start();
mLooper.dispatchAll();
verify(mCallback).updateInterfaceState(
diff --git a/Tethering/tests/unit/src/com/android/networkstack/tethering/PrivateAddressCoordinatorTest.java b/Tethering/tests/unit/src/com/android/networkstack/tethering/PrivateAddressCoordinatorTest.java
index 91b092a..6ebd6ae 100644
--- a/Tethering/tests/unit/src/com/android/networkstack/tethering/PrivateAddressCoordinatorTest.java
+++ b/Tethering/tests/unit/src/com/android/networkstack/tethering/PrivateAddressCoordinatorTest.java
@@ -126,16 +126,17 @@
final LinkAddress newAddress = requestDownstreamAddress(mHotspotIpServer,
CONNECTIVITY_SCOPE_GLOBAL, false /* useLastAddress */);
- final IpPrefix testDupRequest = asIpPrefix(newAddress);
- assertNotEquals(hotspotPrefix, testDupRequest);
- assertNotEquals(bluetoothPrefix, testDupRequest);
- mPrivateAddressCoordinator.releaseDownstream(mHotspotIpServer);
+ final IpPrefix newHotspotPrefix = asIpPrefix(newAddress);
+ assertNotEquals(hotspotPrefix, newHotspotPrefix);
+ assertNotEquals(bluetoothPrefix, newHotspotPrefix);
final LinkAddress usbAddress = requestDownstreamAddress(mUsbIpServer,
CONNECTIVITY_SCOPE_GLOBAL, false /* useLastAddress */);
final IpPrefix usbPrefix = asIpPrefix(usbAddress);
assertNotEquals(usbPrefix, bluetoothPrefix);
- assertNotEquals(usbPrefix, hotspotPrefix);
+ assertNotEquals(usbPrefix, newHotspotPrefix);
+
+ mPrivateAddressCoordinator.releaseDownstream(mHotspotIpServer);
mPrivateAddressCoordinator.releaseDownstream(mUsbIpServer);
}
diff --git a/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringTest.java b/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringTest.java
index 770507e..ba39f22 100644
--- a/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringTest.java
+++ b/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringTest.java
@@ -142,6 +142,7 @@
import android.net.NetworkCapabilities;
import android.net.NetworkRequest;
import android.net.RouteInfo;
+import android.net.RoutingCoordinatorManager;
import android.net.TetherStatesParcel;
import android.net.TetheredClient;
import android.net.TetheredClient.AddressInfo;
@@ -191,6 +192,7 @@
import com.android.internal.util.test.FakeSettingsProvider;
import com.android.net.module.util.CollectionUtils;
import com.android.net.module.util.InterfaceParams;
+import com.android.net.module.util.SdkUtil.LateSdk;
import com.android.net.module.util.SharedLog;
import com.android.net.module.util.ip.IpNeighborMonitor;
import com.android.networkstack.apishim.common.BluetoothPanShim;
@@ -482,6 +484,12 @@
return mEntitleMgr;
}
+ @Nullable
+ @Override
+ public LateSdk<RoutingCoordinatorManager> getRoutingCoordinator(final Context context) {
+ return new LateSdk<>(null);
+ }
+
@Override
public TetheringConfiguration generateTetheringConfiguration(Context ctx, SharedLog log,
int subId) {
diff --git a/Tethering/tests/unit/src/com/android/networkstack/tethering/util/SyncStateMachineTest.kt b/Tethering/tests/unit/src/com/android/networkstack/tethering/util/SyncStateMachineTest.kt
new file mode 100644
index 0000000..3a57fdd
--- /dev/null
+++ b/Tethering/tests/unit/src/com/android/networkstack/tethering/util/SyncStateMachineTest.kt
@@ -0,0 +1,294 @@
+/**
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.networkstack.tethering.util
+
+import android.os.Message
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import androidx.test.filters.SmallTest
+import com.android.internal.util.State
+import com.android.networkstack.tethering.util.SyncStateMachine.StateInfo
+import java.util.ArrayDeque
+import java.util.ArrayList
+import kotlin.test.assertFailsWith
+import org.junit.Assert.assertEquals
+import org.junit.Assert.assertTrue
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.mockito.ArgumentMatchers.any
+import org.mockito.Mockito.inOrder
+import org.mockito.Mockito.spy
+import org.mockito.Mockito.verifyNoMoreInteractions
+
+private const val MSG_INVALID = -1
+private const val MSG_1 = 1
+private const val MSG_2 = 2
+private const val MSG_3 = 3
+private const val MSG_4 = 4
+private const val MSG_5 = 5
+private const val MSG_6 = 6
+private const val MSG_7 = 7
+private const val ARG_1 = 100
+private const val ARG_2 = 200
+
+@RunWith(AndroidJUnit4::class)
+@SmallTest
+class SynStateMachineTest {
+ private val mState1 = spy(object : TestState(MSG_1) {})
+ private val mState2 = spy(object : TestState(MSG_2) {})
+ private val mState3 = spy(object : TestState(MSG_3) {})
+ private val mState4 = spy(object : TestState(MSG_4) {})
+ private val mState5 = spy(object : TestState(MSG_5) {})
+ private val mState6 = spy(object : TestState(MSG_6) {})
+ private val mState7 = spy(object : TestState(MSG_7) {})
+ private val mInOrder = inOrder(mState1, mState2, mState3, mState4, mState5, mState6, mState7)
+ // Lazy initialize to make sure running in test thread.
+ private val mSM by lazy {
+ SyncStateMachine("TestSyncStateMachine", Thread.currentThread(), true /* debug */)
+ }
+ private val mAllStates = ArrayList<StateInfo>()
+
+ private val mMsgProcessedResults = ArrayDeque<Pair<State, Int>>()
+
+ open inner class TestState(val expected: Int) : State() {
+ // Control destination state in obj field for testing.
+ override fun processMessage(msg: Message): Boolean {
+ mMsgProcessedResults.add(this to msg.what)
+ assertEquals(ARG_1, msg.arg1)
+ assertEquals(ARG_2, msg.arg2)
+
+ if (msg.what == expected) {
+ msg.obj?.let { mSM.transitionTo(it as State) }
+ return true
+ }
+
+ return false
+ }
+ }
+
+ private fun verifyNoMoreInteractions() {
+ verifyNoMoreInteractions(mState1, mState2, mState3, mState4, mState5, mState6)
+ }
+
+ private fun processMessage(what: Int, toState: State?) {
+ mSM.processMessage(what, ARG_1, ARG_2, toState)
+ }
+
+ private fun verifyMessageProcessedBy(what: Int, vararg processedStates: State) {
+ for (state in processedStates) {
+ // InOrder.verify can't check the Message content here because SyncSM will recycle the
+ // message after it's been processed. SyncSM reuses the same Message instance for all
+ // messages it processes. So, if using InOrder.verify to verify the content of a message
+ // after SyncSM has processed it, the content would be wrong.
+ mInOrder.verify(state).processMessage(any())
+ val (processedState, msgWhat) = mMsgProcessedResults.remove()
+ assertEquals(state, processedState)
+ assertEquals(what, msgWhat)
+ }
+ assertTrue(mMsgProcessedResults.isEmpty())
+ }
+
+ @Test
+ fun testInitialState() {
+ // mState1 -> initial
+ // |
+ // mState2
+ mAllStates.add(StateInfo(mState1, null))
+ mAllStates.add(StateInfo(mState2, mState1))
+ mSM.addAllStates(mAllStates)
+
+ mSM.start(mState1)
+ mInOrder.verify(mState1).enter()
+ verifyNoMoreInteractions()
+ }
+
+ @Test
+ fun testStartFromLeafState() {
+ // mState1 -> initial
+ // |
+ // mState2
+ // |
+ // mState3
+ mAllStates.add(StateInfo(mState1, null))
+ mAllStates.add(StateInfo(mState2, mState1))
+ mAllStates.add(StateInfo(mState3, mState2))
+ mSM.addAllStates(mAllStates)
+
+ mSM.start(mState3)
+ mInOrder.verify(mState1).enter()
+ mInOrder.verify(mState2).enter()
+ mInOrder.verify(mState3).enter()
+ verifyNoMoreInteractions()
+ }
+
+ private fun verifyStart() {
+ mSM.addAllStates(mAllStates)
+ mSM.start(mState1)
+ mInOrder.verify(mState1).enter()
+ verifyNoMoreInteractions()
+ }
+
+ fun addState(state: State, parent: State? = null) {
+ mAllStates.add(StateInfo(state, parent))
+ }
+
+ @Test
+ fun testAddState() {
+ // Add duplicated states.
+ mAllStates.add(StateInfo(mState1, null))
+ mAllStates.add(StateInfo(mState1, null))
+ assertFailsWith(IllegalStateException::class) {
+ mSM.addAllStates(mAllStates)
+ }
+ }
+
+ @Test
+ fun testProcessMessage() {
+ // mState1
+ // |
+ // mState2
+ addState(mState1)
+ addState(mState2, mState1)
+ verifyStart()
+
+ processMessage(MSG_1, null)
+ verifyMessageProcessedBy(MSG_1, mState1)
+ verifyNoMoreInteractions()
+ }
+
+ @Test
+ fun testTwoStates() {
+ // mState1 <-initial, mState2
+ addState(mState1)
+ addState(mState2)
+ verifyStart()
+
+ // Test transition to mState2
+ processMessage(MSG_1, mState2)
+ verifyMessageProcessedBy(MSG_1, mState1)
+ mInOrder.verify(mState1).exit()
+ mInOrder.verify(mState2).enter()
+ verifyNoMoreInteractions()
+
+ // If set destState to mState2 (current state), no state transition.
+ processMessage(MSG_2, mState2)
+ verifyMessageProcessedBy(MSG_2, mState2)
+ verifyNoMoreInteractions()
+ }
+
+ @Test
+ fun testTwoStateTrees() {
+ // mState1 -> initial mState4
+ // / \ / \
+ // mState2 mState3 mState5 mState6
+ addState(mState1)
+ addState(mState2, mState1)
+ addState(mState3, mState1)
+ addState(mState4)
+ addState(mState5, mState4)
+ addState(mState6, mState4)
+ verifyStart()
+
+ // mState1 -> current mState4
+ // / \ / \
+ // mState2 mState3 -> dest mState5 mState6
+ processMessage(MSG_1, mState3)
+ verifyMessageProcessedBy(MSG_1, mState1)
+ mInOrder.verify(mState3).enter()
+ verifyNoMoreInteractions()
+
+ // mState1 mState4
+ // / \ / \
+ // dest <- mState2 mState3 -> current mState5 mState6
+ processMessage(MSG_1, mState2)
+ verifyMessageProcessedBy(MSG_1, mState3, mState1)
+ mInOrder.verify(mState3).exit()
+ mInOrder.verify(mState2).enter()
+ verifyNoMoreInteractions()
+
+ // mState1 mState4
+ // / \ / \
+ // current <- mState2 mState3 mState5 mState6 -> dest
+ processMessage(MSG_2, mState6)
+ verifyMessageProcessedBy(MSG_2, mState2)
+ mInOrder.verify(mState2).exit()
+ mInOrder.verify(mState1).exit()
+ mInOrder.verify(mState4).enter()
+ mInOrder.verify(mState6).enter()
+ verifyNoMoreInteractions()
+ }
+
+ @Test
+ fun testMultiDepthTransition() {
+ // mState1 -> current
+ // | \
+ // mState2 mState6
+ // | \ |
+ // mState3 mState5 mState7
+ // |
+ // mState4
+ addState(mState1)
+ addState(mState2, mState1)
+ addState(mState6, mState1)
+ addState(mState3, mState2)
+ addState(mState5, mState2)
+ addState(mState7, mState6)
+ addState(mState4, mState3)
+ verifyStart()
+
+ // mState1 -> current
+ // | \
+ // mState2 mState6
+ // | \ |
+ // mState3 mState5 mState7
+ // |
+ // mState4 -> dest
+ processMessage(MSG_1, mState4)
+ verifyMessageProcessedBy(MSG_1, mState1)
+ mInOrder.verify(mState2).enter()
+ mInOrder.verify(mState3).enter()
+ mInOrder.verify(mState4).enter()
+ verifyNoMoreInteractions()
+
+ // mState1
+ // / \
+ // mState2 mState6
+ // | \ \
+ // mState3 mState5 -> dest mState7
+ // |
+ // mState4 -> current
+ processMessage(MSG_1, mState5)
+ verifyMessageProcessedBy(MSG_1, mState4, mState3, mState2, mState1)
+ mInOrder.verify(mState4).exit()
+ mInOrder.verify(mState3).exit()
+ mInOrder.verify(mState5).enter()
+ verifyNoMoreInteractions()
+
+ // mState1
+ // / \
+ // mState2 mState6
+ // | \ \
+ // mState3 mState5 -> current mState7 -> dest
+ // |
+ // mState4
+ processMessage(MSG_2, mState7)
+ verifyMessageProcessedBy(MSG_2, mState5, mState2)
+ mInOrder.verify(mState5).exit()
+ mInOrder.verify(mState2).exit()
+ mInOrder.verify(mState6).enter()
+ mInOrder.verify(mState7).enter()
+ verifyNoMoreInteractions()
+ }
+}
diff --git a/common/Android.bp b/common/Android.bp
index c982431..1d73a46 100644
--- a/common/Android.bp
+++ b/common/Android.bp
@@ -25,6 +25,7 @@
// as the above target may not exist
// depending on the branch
+// The library requires the final artifact to contain net-utils-device-common-struct.
java_library {
name: "connectivity-net-module-utils-bpf",
srcs: [
@@ -40,8 +41,9 @@
libs: [
"androidx.annotation_annotation",
"framework-connectivity.stubs.module_lib",
- ],
- static_libs: [
+ // For libraries which are statically linked in framework-connectivity, do not
+ // statically link here because callers of this library might already have a static
+ // version linked.
"net-utils-device-common-struct",
],
apex_available: [
diff --git a/framework/Android.bp b/framework/Android.bp
index 182c558..103083f 100644
--- a/framework/Android.bp
+++ b/framework/Android.bp
@@ -101,7 +101,7 @@
"framework-connectivity-javastream-protos",
],
impl_only_static_libs: [
- "net-utils-device-common-struct",
+ "net-utils-device-common-bpf",
],
libs: [
"androidx.annotation_annotation",
@@ -130,7 +130,7 @@
// to generate the SDK stubs.
// Even if the library is included in "impl_only_static_libs" of defaults. This is still
// needed because java_library which doesn't understand "impl_only_static_libs".
- "net-utils-device-common-struct",
+ "net-utils-device-common-bpf",
],
libs: [
// This cannot be in the defaults clause above because if it were, it would be used
@@ -292,17 +292,20 @@
// Library providing limited APIs within the connectivity module, so that R+ components like
// Tethering have a controlled way to depend on newer components like framework-connectivity that
// are not loaded on R.
+// Note that this target needs to have access to hidden classes, and as such needs to list
+// the full libraries instead of the .impl lib (which only expose API classes).
java_library {
name: "connectivity-internal-api-util",
sdk_version: "module_current",
libs: [
"androidx.annotation_annotation",
- "framework-connectivity.impl",
+ "framework-connectivity-pre-jarjar",
],
jarjar_rules: ":framework-connectivity-jarjar-rules",
srcs: [
- // Files listed here MUST all be annotated with @RequiresApi(Build.VERSION_CODES.TIRAMISU),
- // so that API checks are enforced for R+ users of this library
+ // Files listed here MUST all be annotated with @RequiresApi(Build.VERSION_CODES.S)
+ // or above as appropriate so that API checks are enforced for R+ users of this library
+ "src/android/net/RoutingCoordinatorManager.java",
"src/android/net/connectivity/TiramisuConnectivityInternalApiUtil.java",
],
visibility: [
diff --git a/framework/jarjar-excludes.txt b/framework/jarjar-excludes.txt
index 1ac5e8e..bc3c8d1 100644
--- a/framework/jarjar-excludes.txt
+++ b/framework/jarjar-excludes.txt
@@ -14,6 +14,15 @@
# TODO: move files to android.net.connectivity.visiblefortesting
android\.net\.IConnectivityDiagnosticsCallback(\$.+)?
+# Classes used by tethering as a hidden API are compiled as a lib in target
+# connectivity-internal-api-util. Because it's used by tethering, it can't
+# be jarjared. Classes in android.net.connectivity are exempt from being
+# listed here because they are already in the target package and as such
+# are already not jarjared.
+# Because Tethering can be installed on R without Connectivity, any use
+# of these classes must be protected by a check for >= S SDK.
+# It's unlikely anybody else declares a hidden class with this name ?
+android\.net\.RoutingCoordinatorManager(\$.+)?
# KeepaliveUtils is used by ConnectivityManager CTS
# TODO: move into service-connectivity so framework-connectivity stops using
diff --git a/framework/src/android/net/BpfNetMapsReader.java b/framework/src/android/net/BpfNetMapsReader.java
new file mode 100644
index 0000000..49e874a
--- /dev/null
+++ b/framework/src/android/net/BpfNetMapsReader.java
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net;
+
+import static android.net.BpfNetMapsConstants.CONFIGURATION_MAP_PATH;
+import static android.net.BpfNetMapsConstants.UID_OWNER_MAP_PATH;
+import static android.net.BpfNetMapsConstants.UID_RULES_CONFIGURATION_KEY;
+import static android.net.BpfNetMapsUtils.getMatchByFirewallChain;
+import static android.net.BpfNetMapsUtils.isFirewallAllowList;
+import static android.net.BpfNetMapsUtils.throwIfPreT;
+import static android.net.ConnectivityManager.FIREWALL_RULE_ALLOW;
+import static android.net.ConnectivityManager.FIREWALL_RULE_DENY;
+
+import android.annotation.NonNull;
+import android.annotation.RequiresApi;
+import android.os.Build;
+import android.os.ServiceSpecificException;
+import android.system.ErrnoException;
+import android.system.Os;
+
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.modules.utils.build.SdkLevel;
+import com.android.net.module.util.BpfMap;
+import com.android.net.module.util.IBpfMap;
+import com.android.net.module.util.Struct;
+import com.android.net.module.util.Struct.S32;
+import com.android.net.module.util.Struct.U32;
+
+/**
+ * A helper class to *read* java BpfMaps.
+ * @hide
+ */
+@RequiresApi(Build.VERSION_CODES.TIRAMISU) // BPF maps were only mainlined in T
+public class BpfNetMapsReader {
+ // Locally store the handle of bpf maps. The FileDescriptors are statically cached inside the
+ // BpfMap implementation.
+
+ // Bpf map to store various networking configurations, the format of the value is different
+ // for different keys. See BpfNetMapsConstants#*_CONFIGURATION_KEY for keys.
+ private final IBpfMap<S32, U32> mConfigurationMap;
+ // Bpf map to store per uid traffic control configurations.
+ // See {@link UidOwnerValue} for more detail.
+ private final IBpfMap<S32, UidOwnerValue> mUidOwnerMap;
+ private final Dependencies mDeps;
+
+ public BpfNetMapsReader() {
+ this(new Dependencies());
+ }
+
+ @VisibleForTesting
+ public BpfNetMapsReader(@NonNull Dependencies deps) {
+ if (!SdkLevel.isAtLeastT()) {
+ throw new UnsupportedOperationException(
+ BpfNetMapsReader.class.getSimpleName() + " is not supported below Android T");
+ }
+ mDeps = deps;
+ mConfigurationMap = mDeps.getConfigurationMap();
+ mUidOwnerMap = mDeps.getUidOwnerMap();
+ }
+
+ /**
+ * Dependencies of BpfNetMapReader, for injection in tests.
+ */
+ @VisibleForTesting
+ public static class Dependencies {
+ /** Get the configuration map. */
+ public IBpfMap<S32, U32> getConfigurationMap() {
+ try {
+ return new BpfMap<>(CONFIGURATION_MAP_PATH, BpfMap.BPF_F_RDONLY,
+ S32.class, U32.class);
+ } catch (ErrnoException e) {
+ throw new IllegalStateException("Cannot open configuration map", e);
+ }
+ }
+
+ /** Get the uid owner map. */
+ public IBpfMap<S32, UidOwnerValue> getUidOwnerMap() {
+ try {
+ return new BpfMap<>(UID_OWNER_MAP_PATH, BpfMap.BPF_F_RDONLY,
+ S32.class, UidOwnerValue.class);
+ } catch (ErrnoException e) {
+ throw new IllegalStateException("Cannot open uid owner map", e);
+ }
+ }
+ }
+
+ /**
+ * Get the specified firewall chain's status.
+ *
+ * @param chain target chain
+ * @return {@code true} if chain is enabled, {@code false} if chain is not enabled.
+ * @throws UnsupportedOperationException if called on pre-T devices.
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public boolean isChainEnabled(final int chain) {
+ return isChainEnabled(mConfigurationMap, chain);
+ }
+
+ /**
+ * Get firewall rule of specified firewall chain on specified uid.
+ *
+ * @param chain target chain
+ * @param uid target uid
+ * @return either {@link ConnectivityManager#FIREWALL_RULE_ALLOW} or
+ * {@link ConnectivityManager#FIREWALL_RULE_DENY}.
+ * @throws UnsupportedOperationException if called on pre-T devices.
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public int getUidRule(final int chain, final int uid) {
+ return getUidRule(mUidOwnerMap, chain, uid);
+ }
+
+ /**
+ * Get the specified firewall chain's status.
+ *
+ * @param configurationMap target configurationMap
+ * @param chain target chain
+ * @return {@code true} if chain is enabled, {@code false} if chain is not enabled.
+ * @throws UnsupportedOperationException if called on pre-T devices.
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public static boolean isChainEnabled(
+ final IBpfMap<Struct.S32, Struct.U32> configurationMap, final int chain) {
+ throwIfPreT("isChainEnabled is not available on pre-T devices");
+
+ final long match = getMatchByFirewallChain(chain);
+ try {
+ final Struct.U32 config = configurationMap.getValue(UID_RULES_CONFIGURATION_KEY);
+ return (config.val & match) != 0;
+ } catch (ErrnoException e) {
+ throw new ServiceSpecificException(e.errno,
+ "Unable to get firewall chain status: " + Os.strerror(e.errno));
+ }
+ }
+
+ /**
+ * Get firewall rule of specified firewall chain on specified uid.
+ *
+ * @param uidOwnerMap target uidOwnerMap.
+ * @param chain target chain.
+ * @param uid target uid.
+ * @return either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY
+ * @throws UnsupportedOperationException if called on pre-T devices.
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public static int getUidRule(final IBpfMap<Struct.S32, UidOwnerValue> uidOwnerMap,
+ final int chain, final int uid) {
+ throwIfPreT("getUidRule is not available on pre-T devices");
+
+ final long match = getMatchByFirewallChain(chain);
+ final boolean isAllowList = isFirewallAllowList(chain);
+ try {
+ final UidOwnerValue uidMatch = uidOwnerMap.getValue(new Struct.S32(uid));
+ final boolean isMatchEnabled = uidMatch != null && (uidMatch.rule & match) != 0;
+ return isMatchEnabled == isAllowList ? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
+ } catch (ErrnoException e) {
+ throw new ServiceSpecificException(e.errno,
+ "Unable to get uid rule status: " + Os.strerror(e.errno));
+ }
+ }
+}
diff --git a/framework/src/android/net/BpfNetMapsUtils.java b/framework/src/android/net/BpfNetMapsUtils.java
index d464e3d..28d5891 100644
--- a/framework/src/android/net/BpfNetMapsUtils.java
+++ b/framework/src/android/net/BpfNetMapsUtils.java
@@ -39,6 +39,8 @@
import android.os.ServiceSpecificException;
import android.util.Pair;
+import com.android.modules.utils.build.SdkLevel;
+
import java.util.StringJoiner;
/**
@@ -124,4 +126,15 @@
}
return sj.toString();
}
+
+ public static final boolean PRE_T = !SdkLevel.isAtLeastT();
+
+ /**
+ * Throw UnsupportedOperationException if SdkLevel is before T.
+ */
+ public static void throwIfPreT(final String msg) {
+ if (PRE_T) {
+ throw new UnsupportedOperationException(msg);
+ }
+ }
}
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index 9e879c2..32058a4 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -30,6 +30,7 @@
import android.annotation.IntDef;
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.annotation.RequiresApi;
import android.annotation.RequiresPermission;
import android.annotation.SdkConstant;
import android.annotation.SdkConstant.SdkConstantType;
@@ -6205,4 +6206,24 @@
throw e.rethrowFromSystemServer();
}
}
+
+ private static final Object sRoutingCoordinatorManagerLock = new Object();
+ @GuardedBy("sRoutingCoordinatorManagerLock")
+ private static RoutingCoordinatorManager sRoutingCoordinatorManager = null;
+ /** @hide */
+ @RequiresApi(Build.VERSION_CODES.S)
+ public RoutingCoordinatorManager getRoutingCoordinatorManager() {
+ try {
+ synchronized (sRoutingCoordinatorManagerLock) {
+ if (null == sRoutingCoordinatorManager) {
+ sRoutingCoordinatorManager = new RoutingCoordinatorManager(mContext,
+ IRoutingCoordinator.Stub.asInterface(
+ mService.getRoutingCoordinatorService()));
+ }
+ return sRoutingCoordinatorManager;
+ }
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
}
diff --git a/framework/src/android/net/IConnectivityManager.aidl b/framework/src/android/net/IConnectivityManager.aidl
index 92e1ea1..d3a02b9 100644
--- a/framework/src/android/net/IConnectivityManager.aidl
+++ b/framework/src/android/net/IConnectivityManager.aidl
@@ -261,4 +261,6 @@
void setVpnNetworkPreference(String session, in UidRange[] ranges);
void setTestLowTcpPollingTimerForKeepalive(long timeMs);
+
+ IBinder getRoutingCoordinatorService();
}
diff --git a/framework/src/android/net/IRoutingCoordinator.aidl b/framework/src/android/net/IRoutingCoordinator.aidl
new file mode 100644
index 0000000..a5cda98
--- /dev/null
+++ b/framework/src/android/net/IRoutingCoordinator.aidl
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net;
+
+import android.net.RouteInfo;
+
+/** @hide */
+interface IRoutingCoordinator {
+ /**
+ * Add a route for specific network
+ *
+ * @param netId the network to add the route to
+ * @param route the route to add
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ void addRoute(int netId, in RouteInfo route);
+
+ /**
+ * Remove a route for specific network
+ *
+ * @param netId the network to remove the route from
+ * @param route the route to remove
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ void removeRoute(int netId, in RouteInfo route);
+
+ /**
+ * Update a route for specific network
+ *
+ * @param netId the network to update the route for
+ * @param route parcelable with route information
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ void updateRoute(int netId, in RouteInfo route);
+
+ /**
+ * Adds an interface to a network. The interface must not be assigned to any network, including
+ * the specified network.
+ *
+ * @param netId the network to add the interface to.
+ * @param iface the name of the interface to add.
+ *
+ * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
+ * unix errno.
+ */
+ void addInterfaceToNetwork(int netId, in String iface);
+
+ /**
+ * Removes an interface from a network. The interface must be assigned to the specified network.
+ *
+ * @param netId the network to remove the interface from.
+ * @param iface the name of the interface to remove.
+ *
+ * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
+ * unix errno.
+ */
+ void removeInterfaceFromNetwork(int netId, in String iface);
+}
diff --git a/framework/src/android/net/RouteInfo.java b/framework/src/android/net/RouteInfo.java
index df5f151..e8ebf81 100644
--- a/framework/src/android/net/RouteInfo.java
+++ b/framework/src/android/net/RouteInfo.java
@@ -584,7 +584,7 @@
}
RouteKey p = (RouteKey) o;
// No need to do anything special for scoped addresses. Inet6Address#equals does not
- // consider the scope ID, but the netd route IPCs (e.g., INetd#networkAddRouteParcel)
+ // consider the scope ID, but the route IPCs (e.g., RoutingCoordinatorManager#addRoute)
// and the kernel ignore scoped addresses both in the prefix and in the nexthop and only
// look at RTA_OIF.
return Objects.equals(p.mDestination, mDestination)
diff --git a/framework/src/android/net/RoutingCoordinatorManager.java b/framework/src/android/net/RoutingCoordinatorManager.java
new file mode 100644
index 0000000..5576cb0
--- /dev/null
+++ b/framework/src/android/net/RoutingCoordinatorManager.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net;
+
+import android.content.Context;
+import android.os.Build;
+import android.os.RemoteException;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.RequiresApi;
+
+/**
+ * A manager class for talking to the routing coordinator service.
+ *
+ * This class should only be used by the connectivity and tethering module. This is enforced
+ * by the build rules. Do not change build rules to gain access to this class from elsewhere.
+ * @hide
+ */
+@RequiresApi(Build.VERSION_CODES.S)
+public class RoutingCoordinatorManager {
+ @NonNull final Context mContext;
+ @NonNull final IRoutingCoordinator mService;
+
+ public RoutingCoordinatorManager(@NonNull final Context context,
+ @NonNull final IRoutingCoordinator service) {
+ mContext = context;
+ mService = service;
+ }
+
+ /**
+ * Add a route for specific network
+ *
+ * @param netId the network to add the route to
+ * @param route the route to add
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public void addRoute(final int netId, final RouteInfo route) {
+ try {
+ mService.addRoute(netId, route);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
+
+ /**
+ * Remove a route for specific network
+ *
+ * @param netId the network to remove the route from
+ * @param route the route to remove
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public void removeRoute(final int netId, final RouteInfo route) {
+ try {
+ mService.removeRoute(netId, route);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
+
+ /**
+ * Update a route for specific network
+ *
+ * @param netId the network to update the route for
+ * @param route parcelable with route information
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ public void updateRoute(final int netId, final RouteInfo route) {
+ try {
+ mService.updateRoute(netId, route);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
+
+ /**
+ * Adds an interface to a network. The interface must not be assigned to any network, including
+ * the specified network.
+ *
+ * @param netId the network to add the interface to.
+ * @param iface the name of the interface to add.
+ *
+ * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
+ * unix errno.
+ */
+ public void addInterfaceToNetwork(final int netId, final String iface) {
+ try {
+ mService.addInterfaceToNetwork(netId, iface);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
+
+ /**
+ * Removes an interface from a network. The interface must be assigned to the specified network.
+ *
+ * @param netId the network to remove the interface from.
+ * @param iface the name of the interface to remove.
+ *
+ * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
+ * unix errno.
+ */
+ public void removeInterfaceFromNetwork(final int netId, final String iface) {
+ try {
+ mService.removeInterfaceFromNetwork(netId, iface);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
+}
diff --git a/service/src/com/android/server/UidOwnerValue.java b/framework/src/android/net/UidOwnerValue.java
similarity index 86%
rename from service/src/com/android/server/UidOwnerValue.java
rename to framework/src/android/net/UidOwnerValue.java
index d6c0e0d..e8ae604 100644
--- a/service/src/com/android/server/UidOwnerValue.java
+++ b/framework/src/android/net/UidOwnerValue.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2022 The Android Open Source Project
+ * Copyright (C) 2023 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,11 +14,15 @@
* limitations under the License.
*/
-package com.android.server;
+package android.net;
import com.android.net.module.util.Struct;
-/** Value type for per uid traffic control configuration map */
+/**
+ * Value type for per uid traffic control configuration map.
+ *
+ * @hide
+ */
public class UidOwnerValue extends Struct {
// Allowed interface index. Only applicable if IIF_MATCH is set in the rule bitmask below.
@Field(order = 0, type = Type.S32)
diff --git a/framework/src/android/net/connectivity/TiramisuConnectivityInternalApiUtil.java b/framework/src/android/net/connectivity/TiramisuConnectivityInternalApiUtil.java
index d65858f..c2d75d2 100644
--- a/framework/src/android/net/connectivity/TiramisuConnectivityInternalApiUtil.java
+++ b/framework/src/android/net/connectivity/TiramisuConnectivityInternalApiUtil.java
@@ -18,6 +18,7 @@
import android.content.Context;
import android.net.ConnectivityManager;
+import android.net.RoutingCoordinatorManager;
import android.os.Build;
import android.os.IBinder;
@@ -34,15 +35,28 @@
* linter).
* @hide
*/
-@RequiresApi(Build.VERSION_CODES.TIRAMISU)
+// TODO : rename this so that it doesn't reference "Tiramisu" since it can be used in S.
+@RequiresApi(Build.VERSION_CODES.S)
public class TiramisuConnectivityInternalApiUtil {
/**
* Get a service binder token for
* {@link com.android.server.connectivity.wear.CompanionDeviceManagerProxyService}.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public static IBinder getCompanionDeviceManagerProxyService(Context ctx) {
final ConnectivityManager cm = ctx.getSystemService(ConnectivityManager.class);
return cm.getCompanionDeviceManagerProxyService();
}
+
+ /**
+ * Obtain a routing coordinator manager from a context, possibly cross-module.
+ * @param ctx the context
+ * @return an instance of the coordinator manager
+ */
+ @RequiresApi(Build.VERSION_CODES.S)
+ public static RoutingCoordinatorManager getRoutingCoordinatorManager(Context ctx) {
+ final ConnectivityManager cm = ctx.getSystemService(ConnectivityManager.class);
+ return cm.getRoutingCoordinatorManager();
+ }
}
diff --git a/netbpfload/Android.bp b/netbpfload/Android.bp
index daa8fad..1f92374 100644
--- a/netbpfload/Android.bp
+++ b/netbpfload/Android.bp
@@ -46,5 +46,6 @@
// min_sdk_version(30) for "com.android.tethering": newer SDK(34).
min_sdk_version: "30",
- // init_rc: ["netbpfload.rc"],
+ init_rc: ["netbpfload.rc"],
+ required: ["bpfloader"],
}
diff --git a/netbpfload/initrc-doc/README.txt b/netbpfload/initrc-doc/README.txt
new file mode 100644
index 0000000..42e1fc2
--- /dev/null
+++ b/netbpfload/initrc-doc/README.txt
@@ -0,0 +1,62 @@
+This directory contains comment stripped versions of
+ //system/bpf/bpfloader/bpfloader.rc
+from previous versions of Android.
+
+Generated via:
+ (cd ../../../../../system/bpf && git cat-file -p remotes/aosp/android11-release:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk30-11-R.rc
+ (cd ../../../../../system/bpf && git cat-file -p remotes/aosp/android12-release:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk31-12-S.rc
+ (cd ../../../../../system/bpf && git cat-file -p remotes/aosp/android13-release:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk33-13-T.rc
+ (cd ../../../../../system/bpf && git cat-file -p remotes/aosp/android14-release:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk34-14-U.rc
+ (cd ../../../../../system/bpf && git cat-file -p remotes/aosp/main:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk34-14-U-QPR2.rc
+
+this is entirely equivalent to:
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/rvc-dev:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk30-11-R.rc
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/sc-dev:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk31-12-S.rc
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/tm-dev:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk33-13-T.rc
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/udc-dev:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk34-14-U.rc
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/main:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk34-14-U-QPR2.rc
+
+it is also equivalent to:
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/rvc-qpr-dev:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk30-11-R.rc
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/sc-v2-dev:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk31-12-S.rc
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/tm-qpr-dev:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk33-13-T.rc
+ (cd /android1/system/bpf && git cat-file -p remotes/goog/udc-qpr-dev:bpfloader/bpfloader.rc; ) | egrep -v '^ *#' > bpfloader-sdk34-14-U.rc
+
+ie. there were no changes between R/S/T and R/S/T QPR3, and no change between U and U QPR1.
+
+Note: Sv2 sdk/api level is actually 32, it just didn't change anything wrt. bpf, so doesn't matter.
+
+
+Key takeaways:
+
+= R bpfloader:
+ - CHOWN + SYS_ADMIN
+ - asynchronous startup
+ - platform only
+ - proc file setup handled by initrc
+
+= S bpfloader
+ - adds NET_ADMIN
+ - synchronous startup
+ - platform + mainline tethering offload
+
+= T bpfloader
+ - platform + mainline networking (including tethering offload)
+ - supported btf for maps via exec of btfloader
+
+= U bpfloader
+ - proc file setup moved into bpfloader binary
+ - explicitly specified user and groups:
+ group root graphics network_stack net_admin net_bw_acct net_bw_stats net_raw system
+ user root
+
+= U QPR2 bpfloader
+ - drops support of btf for maps
+ - invocation of /system/bin/netbpfload binary, which after handling *all*
+ networking bpf related things executes the platform /system/bin/bpfloader
+ which handles non-networking bpf.
+
+Note that there is now a copy of 'netbpfload' provided by the tethering apex
+mainline module at /apex/com.android.tethering/bin/netbpfload, which due
+to the use of execve("/system/bin/bpfloader") relies on T+ selinux which was
+added for btf map support (specifically the ability to exec the "btfloader").
diff --git a/netbpfload/initrc-doc/bpfloader-sdk30-11-R.rc b/netbpfload/initrc-doc/bpfloader-sdk30-11-R.rc
new file mode 100644
index 0000000..482a7db
--- /dev/null
+++ b/netbpfload/initrc-doc/bpfloader-sdk30-11-R.rc
@@ -0,0 +1,11 @@
+on load_bpf_programs
+ write /proc/sys/net/core/bpf_jit_enable 1
+ write /proc/sys/net/core/bpf_jit_kallsyms 1
+ start bpfloader
+
+service bpfloader /system/bin/bpfloader
+ capabilities CHOWN SYS_ADMIN
+ rlimit memlock 1073741824 1073741824
+ oneshot
+ reboot_on_failure reboot,bpfloader-failed
+ updatable
diff --git a/netbpfload/initrc-doc/bpfloader-sdk31-12-S.rc b/netbpfload/initrc-doc/bpfloader-sdk31-12-S.rc
new file mode 100644
index 0000000..4117887
--- /dev/null
+++ b/netbpfload/initrc-doc/bpfloader-sdk31-12-S.rc
@@ -0,0 +1,11 @@
+on load_bpf_programs
+ write /proc/sys/net/core/bpf_jit_enable 1
+ write /proc/sys/net/core/bpf_jit_kallsyms 1
+ exec_start bpfloader
+
+service bpfloader /system/bin/bpfloader
+ capabilities CHOWN SYS_ADMIN NET_ADMIN
+ rlimit memlock 1073741824 1073741824
+ oneshot
+ reboot_on_failure reboot,bpfloader-failed
+ updatable
diff --git a/netbpfload/initrc-doc/bpfloader-sdk33-13-T.rc b/netbpfload/initrc-doc/bpfloader-sdk33-13-T.rc
new file mode 100644
index 0000000..f0b6700
--- /dev/null
+++ b/netbpfload/initrc-doc/bpfloader-sdk33-13-T.rc
@@ -0,0 +1,12 @@
+on load_bpf_programs
+ write /proc/sys/kernel/unprivileged_bpf_disabled 0
+ write /proc/sys/net/core/bpf_jit_enable 1
+ write /proc/sys/net/core/bpf_jit_kallsyms 1
+ exec_start bpfloader
+
+service bpfloader /system/bin/bpfloader
+ capabilities CHOWN SYS_ADMIN NET_ADMIN
+ rlimit memlock 1073741824 1073741824
+ oneshot
+ reboot_on_failure reboot,bpfloader-failed
+ updatable
diff --git a/netbpfload/initrc-doc/bpfloader-sdk34-14-U-QPR2.rc b/netbpfload/initrc-doc/bpfloader-sdk34-14-U-QPR2.rc
new file mode 100644
index 0000000..8f3f462
--- /dev/null
+++ b/netbpfload/initrc-doc/bpfloader-sdk34-14-U-QPR2.rc
@@ -0,0 +1,11 @@
+on load_bpf_programs
+ exec_start bpfloader
+
+service bpfloader /system/bin/netbpfload
+ capabilities CHOWN SYS_ADMIN NET_ADMIN
+ group root graphics network_stack net_admin net_bw_acct net_bw_stats net_raw system
+ user root
+ rlimit memlock 1073741824 1073741824
+ oneshot
+ reboot_on_failure reboot,bpfloader-failed
+ updatable
diff --git a/netbpfload/initrc-doc/bpfloader-sdk34-14-U.rc b/netbpfload/initrc-doc/bpfloader-sdk34-14-U.rc
new file mode 100644
index 0000000..592303e
--- /dev/null
+++ b/netbpfload/initrc-doc/bpfloader-sdk34-14-U.rc
@@ -0,0 +1,11 @@
+on load_bpf_programs
+ exec_start bpfloader
+
+service bpfloader /system/bin/bpfloader
+ capabilities CHOWN SYS_ADMIN NET_ADMIN
+ group root graphics network_stack net_admin net_bw_acct net_bw_stats net_raw system
+ user root
+ rlimit memlock 1073741824 1073741824
+ oneshot
+ reboot_on_failure reboot,bpfloader-failed
+ updatable
diff --git a/netbpfload/netbpfload.rc b/netbpfload/netbpfload.rc
index 20fbb9f..14181dc 100644
--- a/netbpfload/netbpfload.rc
+++ b/netbpfload/netbpfload.rc
@@ -3,7 +3,7 @@
# a tad earlier. There's no benefit to that though, since on 4.9+ P+ devices netd
# will just block until bpfloader finishes and sets the bpf.progs_loaded property.
#
-# It is important that we start netbpfload after:
+# It is important that we start bpfloader after:
# - /sys/fs/bpf is already mounted,
# - apex (incl. rollback) is initialized (so that in the future we can load bpf
# programs shipped as part of apex mainline modules)
@@ -15,9 +15,10 @@
# considered to have booted successfully.
#
on load_bpf_programs
- exec_start netbpfload
+ exec_start bpfloader
-service netbpfload /system/bin/netbpfload
+service bpfloader /system/bin/netbpfload
+ # netbpfload will do network bpf loading, then execute /system/bin/bpfloader
capabilities CHOWN SYS_ADMIN NET_ADMIN
# The following group memberships are a workaround for lack of DAC_OVERRIDE
# and allow us to open (among other things) files that we created and are
@@ -27,28 +28,28 @@
group root graphics network_stack net_admin net_bw_acct net_bw_stats net_raw system
user root
#
- # Set RLIMIT_MEMLOCK to 1GiB for netbpfload
+ # Set RLIMIT_MEMLOCK to 1GiB for bpfloader
#
- # Actually only 8MiB would be needed if netbpfload ran as its own uid.
+ # Actually only 8MiB would be needed if bpfloader ran as its own uid.
#
# However, while the rlimit is per-thread, the accounting is system wide.
# So, for example, if the graphics stack has already allocated 10MiB of
- # memlock data before netbpfload even gets a chance to run, it would fail
+ # memlock data before bpfloader even gets a chance to run, it would fail
# if its memlock rlimit is only 8MiB - since there would be none left for it.
#
- # netbpfload succeeding is critical to system health, since a failure will
+ # bpfloader succeeding is critical to system health, since a failure will
# cause netd crashloop and thus system server crashloop... and the only
# recovery is a full kernel reboot.
#
# We've had issues where devices would sometimes (rarely) boot into
- # a crashloop because netbpfload would occasionally lose a boot time
+ # a crashloop because bpfloader would occasionally lose a boot time
# race against the graphics stack's boot time locked memory allocation.
#
- # Thus netbpfload's memlock has to be 8MB higher then the locked memory
+ # Thus bpfloader's memlock has to be 8MB higher then the locked memory
# consumption of the root uid anywhere else in the system...
# But we don't know what that is for all possible devices...
#
- # Ideally, we'd simply grant netbpfload the IPC_LOCK capability and it
+ # Ideally, we'd simply grant bpfloader the IPC_LOCK capability and it
# would simply ignore it's memlock rlimit... but it turns that this
# capability is not even checked by the kernel's bpf system call.
#
@@ -57,29 +58,29 @@
rlimit memlock 1073741824 1073741824
oneshot
#
- # How to debug bootloops caused by 'netbpfload-failed'.
+ # How to debug bootloops caused by 'bpfloader-failed'.
#
# 1. On some lower RAM devices (like wembley) you may need to first enable developer mode
# (from the Settings app UI), and change the developer option "Logger buffer sizes"
# from the default (wembley: 64kB) to the maximum (1M) per log buffer.
# Otherwise buffer will overflow before you manage to dump it and you'll get useless logs.
#
- # 2. comment out 'reboot_on_failure reboot,netbpfload-failed' below
+ # 2. comment out 'reboot_on_failure reboot,bpfloader-failed' below
# 3. rebuild/reflash/reboot
- # 4. as the device is booting up capture netbpfload logs via:
- # adb logcat -s 'NetBpfLoad:*' 'NetBpfLoader:*'
+ # 4. as the device is booting up capture bpfloader logs via:
+ # adb logcat -s 'bpfloader:*' 'LibBpfLoader:*' 'NetBpfLoad:*' 'NetBpfLoader:*'
#
# something like:
- # $ adb reboot; sleep 1; adb wait-for-device; adb root; sleep 1; adb wait-for-device; adb logcat -s 'NetBpfLoad:*' 'NetBpfLoader:*'
+ # $ adb reboot; sleep 1; adb wait-for-device; adb root; sleep 1; adb wait-for-device; adb logcat -s 'bpfloader:*' 'LibBpfLoader:*' 'NetBpfLoad:*' 'NetBpfLoader:*'
# will take care of capturing logs as early as possible
#
- # 5. look through the logs from the kernel's bpf verifier that netbpfload dumps out,
+ # 5. look through the logs from the kernel's bpf verifier that bpfloader dumps out,
# it usually makes sense to search back from the end and find the particular
- # bpf verifier failure that caused netbpfload to terminate early with an error code.
+ # bpf verifier failure that caused bpfloader to terminate early with an error code.
# This will probably be something along the lines of 'too many jumps' or
# 'cannot prove return value is 0 or 1' or 'unsupported / unknown operation / helper',
# 'invalid bpf_context access', etc.
#
- reboot_on_failure reboot,netbpfload-failed
+ reboot_on_failure reboot,bpfloader-failed
# we're not really updatable, but want to be able to load bpf programs shipped in apexes
updatable
diff --git a/service/Android.bp b/service/Android.bp
index 8e59e86..250693f 100644
--- a/service/Android.bp
+++ b/service/Android.bp
@@ -188,7 +188,6 @@
"dnsresolver_aidl_interface-V11-java",
"modules-utils-shell-command-handler",
"net-utils-device-common",
- "net-utils-device-common-bpf",
"net-utils-device-common-ip",
"net-utils-device-common-netlink",
"net-utils-services-common",
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index 6a34a24..671c4ac 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -26,6 +26,7 @@
import static android.net.BpfNetMapsConstants.UID_OWNER_MAP_PATH;
import static android.net.BpfNetMapsConstants.UID_PERMISSION_MAP_PATH;
import static android.net.BpfNetMapsConstants.UID_RULES_CONFIGURATION_KEY;
+import static android.net.BpfNetMapsUtils.PRE_T;
import static android.net.BpfNetMapsUtils.getMatchByFirewallChain;
import static android.net.BpfNetMapsUtils.matchToString;
import static android.net.ConnectivityManager.FIREWALL_CHAIN_DOZABLE;
@@ -51,7 +52,9 @@
import android.app.StatsManager;
import android.content.Context;
+import android.net.BpfNetMapsReader;
import android.net.INetd;
+import android.net.UidOwnerValue;
import android.os.Build;
import android.os.RemoteException;
import android.os.ServiceSpecificException;
@@ -92,7 +95,6 @@
* {@hide}
*/
public class BpfNetMaps {
- private static final boolean PRE_T = !SdkLevel.isAtLeastT();
static {
if (!PRE_T) {
System.loadLibrary("service-connectivity");
@@ -298,6 +300,7 @@
}
/** Constructor used after T that doesn't need to use netd anymore. */
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public BpfNetMaps(final Context context) {
this(context, null);
@@ -420,6 +423,7 @@
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void addNaughtyApp(final int uid) {
throwIfPreT("addNaughtyApp is not available on pre-T devices");
@@ -438,6 +442,7 @@
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void removeNaughtyApp(final int uid) {
throwIfPreT("removeNaughtyApp is not available on pre-T devices");
@@ -456,6 +461,7 @@
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void addNiceApp(final int uid) {
throwIfPreT("addNiceApp is not available on pre-T devices");
@@ -474,6 +480,7 @@
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void removeNiceApp(final int uid) {
throwIfPreT("removeNiceApp is not available on pre-T devices");
@@ -494,6 +501,7 @@
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void setChildChain(final int childChain, final boolean enable) {
throwIfPreT("setChildChain is not available on pre-T devices");
@@ -523,18 +531,14 @@
* @throws UnsupportedOperationException if called on pre-T devices.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
+ *
+ * @deprecated Use {@link BpfNetMapsReader#isChainEnabled} instead.
*/
+ // TODO: Migrate the callers to use {@link BpfNetMapsReader#isChainEnabled} instead.
+ @Deprecated
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public boolean isChainEnabled(final int childChain) {
- throwIfPreT("isChainEnabled is not available on pre-T devices");
-
- final long match = getMatchByFirewallChain(childChain);
- try {
- final U32 config = sConfigurationMap.getValue(UID_RULES_CONFIGURATION_KEY);
- return (config.val & match) != 0;
- } catch (ErrnoException e) {
- throw new ServiceSpecificException(e.errno,
- "Unable to get firewall chain status: " + Os.strerror(e.errno));
- }
+ return BpfNetMapsReader.isChainEnabled(sConfigurationMap, childChain);
}
private Set<Integer> asSet(final int[] uids) {
@@ -554,6 +558,7 @@
* @throws UnsupportedOperationException if called on pre-T devices.
* @throws IllegalArgumentException if {@code chain} is not a valid chain.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void replaceUidChain(final int chain, final int[] uids) {
throwIfPreT("replaceUidChain is not available on pre-T devices");
@@ -638,6 +643,7 @@
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void setUidRule(final int childChain, final int uid, final int firewallRule) {
throwIfPreT("setUidRule is not available on pre-T devices");
@@ -667,20 +673,12 @@
* @throws UnsupportedOperationException if called on pre-T devices.
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
+ *
+ * @deprecated use {@link BpfNetMapsReader#getUidRule} instead.
*/
+ // TODO: Migrate the callers to use {@link BpfNetMapsReader#getUidRule} instead.
public int getUidRule(final int childChain, final int uid) {
- throwIfPreT("isUidChainEnabled is not available on pre-T devices");
-
- final long match = getMatchByFirewallChain(childChain);
- final boolean isAllowList = isFirewallAllowList(childChain);
- try {
- final UidOwnerValue uidMatch = sUidOwnerMap.getValue(new S32(uid));
- final boolean isMatchEnabled = uidMatch != null && (uidMatch.rule & match) != 0;
- return isMatchEnabled == isAllowList ? FIREWALL_RULE_ALLOW : FIREWALL_RULE_DENY;
- } catch (ErrnoException e) {
- throw new ServiceSpecificException(e.errno,
- "Unable to get uid rule status: " + Os.strerror(e.errno));
- }
+ return BpfNetMapsReader.getUidRule(sUidOwnerMap, childChain, uid);
}
private Set<Integer> getUidsMatchEnabled(final int childChain) throws ErrnoException {
@@ -830,6 +828,7 @@
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void updateUidLockdownRule(final int uid, final boolean add) {
throwIfPreT("updateUidLockdownRule is not available on pre-T devices");
@@ -852,6 +851,7 @@
* @throws ServiceSpecificException in case of failure, with an error code indicating the
* cause of the failure.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void swapActiveStatsMap() {
throwIfPreT("swapActiveStatsMap is not available on pre-T devices");
@@ -927,6 +927,7 @@
}
/** Register callback for statsd to pull atom. */
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void setPullAtomCallback(final Context context) {
throwIfPreT("setPullAtomCallback is not available on pre-T devices");
@@ -1016,6 +1017,7 @@
* @throws IOException when file descriptor is invalid.
* @throws ServiceSpecificException when the method is called on an unsupported device.
*/
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void dump(final IndentingPrintWriter pw, final FileDescriptor fd, boolean verbose)
throws IOException, ServiceSpecificException {
if (PRE_T) {
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index ada5860..c559fa3 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -199,7 +199,6 @@
import android.net.QosSocketFilter;
import android.net.QosSocketInfo;
import android.net.RouteInfo;
-import android.net.RouteInfoParcel;
import android.net.SocketKeepalive;
import android.net.TetheringManager;
import android.net.TransportInfo;
@@ -330,6 +329,7 @@
import com.android.server.connectivity.ProfileNetworkPreferenceInfo;
import com.android.server.connectivity.ProxyTracker;
import com.android.server.connectivity.QosCallbackTracker;
+import com.android.server.connectivity.RoutingCoordinatorService;
import com.android.server.connectivity.UidRangeUtils;
import com.android.server.connectivity.VpnNetworkPreferenceInfo;
import com.android.server.connectivity.wear.CompanionDeviceManagerProxyService;
@@ -493,6 +493,7 @@
@GuardedBy("mTNSLock")
private TestNetworkService mTNS;
private final CompanionDeviceManagerProxyService mCdmps;
+ private final RoutingCoordinatorService mRoutingCoordinatorService;
private final Object mTNSLock = new Object();
@@ -1826,6 +1827,8 @@
mCdmps = null;
}
+ mRoutingCoordinatorService = new RoutingCoordinatorService(netd);
+
mDestroyFrozenSockets = mDeps.isAtLeastU()
&& mDeps.isFeatureEnabled(context, KEY_DESTROY_FROZEN_SOCKETS_VERSION);
mDelayDestroyFrozenSockets = mDeps.isAtLeastU()
@@ -8515,7 +8518,7 @@
for (final String iface : interfaceDiff.added) {
try {
if (DBG) log("Adding iface " + iface + " to network " + netId);
- mNetd.networkAddInterface(netId, iface);
+ mRoutingCoordinatorService.addInterfaceToNetwork(netId, iface);
wakeupModifyInterface(iface, nai, true);
mDeps.reportNetworkInterfaceForTransports(mContext, iface,
nai.networkCapabilities.getTransportTypes());
@@ -8528,45 +8531,13 @@
try {
if (DBG) log("Removing iface " + iface + " from network " + netId);
wakeupModifyInterface(iface, nai, false);
- mNetd.networkRemoveInterface(netId, iface);
+ mRoutingCoordinatorService.removeInterfaceFromNetwork(netId, iface);
} catch (Exception e) {
loge("Exception removing interface: " + e);
}
}
}
- // TODO: move to frameworks/libs/net.
- private RouteInfoParcel convertRouteInfo(RouteInfo route) {
- final String nextHop;
-
- switch (route.getType()) {
- case RouteInfo.RTN_UNICAST:
- if (route.hasGateway()) {
- nextHop = route.getGateway().getHostAddress();
- } else {
- nextHop = INetd.NEXTHOP_NONE;
- }
- break;
- case RouteInfo.RTN_UNREACHABLE:
- nextHop = INetd.NEXTHOP_UNREACHABLE;
- break;
- case RouteInfo.RTN_THROW:
- nextHop = INetd.NEXTHOP_THROW;
- break;
- default:
- nextHop = INetd.NEXTHOP_NONE;
- break;
- }
-
- final RouteInfoParcel rip = new RouteInfoParcel();
- rip.ifName = route.getInterface();
- rip.destination = route.getDestination().toString();
- rip.nextHop = nextHop;
- rip.mtu = route.getMtu();
-
- return rip;
- }
-
/**
* Have netd update routes from oldLp to newLp.
* @return true if routes changed between oldLp and newLp
@@ -8587,10 +8558,10 @@
if (route.hasGateway()) continue;
if (VDBG || DDBG) log("Adding Route [" + route + "] to network " + netId);
try {
- mNetd.networkAddRouteParcel(netId, convertRouteInfo(route));
+ mRoutingCoordinatorService.addRoute(netId, route);
} catch (Exception e) {
if ((route.getDestination().getAddress() instanceof Inet4Address) || VDBG) {
- loge("Exception in networkAddRouteParcel for non-gateway: " + e);
+ loge("Exception in addRoute for non-gateway: " + e);
}
}
}
@@ -8598,10 +8569,10 @@
if (!route.hasGateway()) continue;
if (VDBG || DDBG) log("Adding Route [" + route + "] to network " + netId);
try {
- mNetd.networkAddRouteParcel(netId, convertRouteInfo(route));
+ mRoutingCoordinatorService.addRoute(netId, route);
} catch (Exception e) {
if ((route.getGateway() instanceof Inet4Address) || VDBG) {
- loge("Exception in networkAddRouteParcel for gateway: " + e);
+ loge("Exception in addRoute for gateway: " + e);
}
}
}
@@ -8609,18 +8580,18 @@
for (RouteInfo route : routeDiff.removed) {
if (VDBG || DDBG) log("Removing Route [" + route + "] from network " + netId);
try {
- mNetd.networkRemoveRouteParcel(netId, convertRouteInfo(route));
+ mRoutingCoordinatorService.removeRoute(netId, route);
} catch (Exception e) {
- loge("Exception in networkRemoveRouteParcel: " + e);
+ loge("Exception in removeRoute: " + e);
}
}
for (RouteInfo route : routeDiff.updated) {
if (VDBG || DDBG) log("Updating Route [" + route + "] from network " + netId);
try {
- mNetd.networkUpdateRouteParcel(netId, convertRouteInfo(route));
+ mRoutingCoordinatorService.updateRoute(netId, route);
} catch (Exception e) {
- loge("Exception in networkUpdateRouteParcel: " + e);
+ loge("Exception in updateRoute: " + e);
}
}
return !routeDiff.added.isEmpty() || !routeDiff.removed.isEmpty()
@@ -10261,7 +10232,7 @@
// If a rate limit has been configured and is applicable to this network (network
// provides internet connectivity), apply it. The tc police filter cannot be attached
// before the clsact qdisc is added which happens as part of updateLinkProperties ->
- // updateInterfaces -> INetd#networkAddInterface.
+ // updateInterfaces -> RoutingCoordinatorManager#addInterfaceToNetwork
// Note: in case of a system server crash, the NetworkController constructor in netd
// (called when netd starts up) deletes the clsact qdisc of all interfaces.
if (canNetworkBeRateLimited(networkAgent) && mIngressRateLimit >= 0) {
@@ -12754,4 +12725,10 @@
enforceNetworkStackPermission(mContext);
return mCdmps;
}
+
+ @Override
+ public IBinder getRoutingCoordinatorService() {
+ enforceNetworkStackPermission(mContext);
+ return mRoutingCoordinatorService;
+ }
}
diff --git a/service/src/com/android/server/connectivity/RoutingCoordinatorService.java b/service/src/com/android/server/connectivity/RoutingCoordinatorService.java
new file mode 100644
index 0000000..50e84d4
--- /dev/null
+++ b/service/src/com/android/server/connectivity/RoutingCoordinatorService.java
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.connectivity;
+
+import static com.android.net.module.util.NetdUtils.toRouteInfoParcel;
+
+import android.annotation.NonNull;
+import android.content.Context;
+import android.net.INetd;
+import android.net.IRoutingCoordinator;
+import android.net.RouteInfo;
+import android.os.RemoteException;
+import android.os.ServiceSpecificException;
+
+/**
+ * Class to coordinate routing across multiple clients.
+ *
+ * At present this is just a wrapper for netd methods, but it will be used to host some more
+ * coordination logic in the near future. It can be used to pull up some of the routing logic
+ * from netd into Java land.
+ *
+ * Note that usage of this class is not thread-safe. Clients are responsible for their own
+ * synchronization.
+ */
+public class RoutingCoordinatorService extends IRoutingCoordinator.Stub {
+ private final INetd mNetd;
+
+ public RoutingCoordinatorService(@NonNull INetd netd) {
+ mNetd = netd;
+ }
+
+ /**
+ * Add a route for specific network
+ *
+ * @param netId the network to add the route to
+ * @param route the route to add
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ @Override
+ public void addRoute(final int netId, final RouteInfo route)
+ throws ServiceSpecificException, RemoteException {
+ mNetd.networkAddRouteParcel(netId, toRouteInfoParcel(route));
+ }
+
+ /**
+ * Remove a route for specific network
+ *
+ * @param netId the network to remove the route from
+ * @param route the route to remove
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ @Override
+ public void removeRoute(final int netId, final RouteInfo route)
+ throws ServiceSpecificException, RemoteException {
+ mNetd.networkRemoveRouteParcel(netId, toRouteInfoParcel(route));
+ }
+
+ /**
+ * Update a route for specific network
+ *
+ * @param netId the network to update the route for
+ * @param route parcelable with route information
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ @Override
+ public void updateRoute(final int netId, final RouteInfo route)
+ throws ServiceSpecificException, RemoteException {
+ mNetd.networkUpdateRouteParcel(netId, toRouteInfoParcel(route));
+ }
+
+ /**
+ * Adds an interface to a network. The interface must not be assigned to any network, including
+ * the specified network.
+ *
+ * @param netId the network to add the interface to.
+ * @param iface the name of the interface to add.
+ *
+ * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
+ * unix errno.
+ */
+ @Override
+ public void addInterfaceToNetwork(final int netId, final String iface)
+ throws ServiceSpecificException, RemoteException {
+ mNetd.networkAddInterface(netId, iface);
+ }
+
+ /**
+ * Removes an interface from a network. The interface must be assigned to the specified network.
+ *
+ * @param netId the network to remove the interface from.
+ * @param iface the name of the interface to remove.
+ *
+ * @throws ServiceSpecificException in case of failure, with an error code corresponding to the
+ * unix errno.
+ */
+ @Override
+ public void removeInterfaceFromNetwork(final int netId, final String iface)
+ throws ServiceSpecificException, RemoteException {
+ mNetd.networkRemoveInterface(netId, iface);
+ }
+}
diff --git a/staticlibs/Android.bp b/staticlibs/Android.bp
index 621759e..0bcb757 100644
--- a/staticlibs/Android.bp
+++ b/staticlibs/Android.bp
@@ -181,6 +181,8 @@
},
}
+// The net-utils-device-common-netlink library requires the callers to contain
+// net-utils-device-common-struct.
java_library {
name: "net-utils-device-common-netlink",
srcs: [
@@ -192,12 +194,13 @@
"//packages/modules/Connectivity:__subpackages__",
"//packages/modules/NetworkStack:__subpackages__",
],
- static_libs: [
- "net-utils-device-common-struct",
- ],
libs: [
"androidx.annotation_annotation",
"framework-connectivity.stubs.module_lib",
+ // For libraries which are statically linked in framework-connectivity, do not
+ // statically link here because callers of this library might already have a static
+ // version linked.
+ "net-utils-device-common-struct",
],
apex_available: [
"com.android.tethering",
@@ -209,6 +212,8 @@
},
}
+// The net-utils-device-common-ip library requires the callers to contain
+// net-utils-device-common-struct.
java_library {
// TODO : this target should probably be folded into net-utils-device-common
name: "net-utils-device-common-ip",
diff --git a/staticlibs/client-libs/netd/com/android/net/module/util/NetdUtils.java b/staticlibs/client-libs/netd/com/android/net/module/util/NetdUtils.java
index ea18d37..d99eedc 100644
--- a/staticlibs/client-libs/netd/com/android/net/module/util/NetdUtils.java
+++ b/staticlibs/client-libs/netd/com/android/net/module/util/NetdUtils.java
@@ -28,6 +28,7 @@
import android.net.InterfaceConfigurationParcel;
import android.net.IpPrefix;
import android.net.RouteInfo;
+import android.net.RouteInfoParcel;
import android.net.TetherConfigParcel;
import android.os.RemoteException;
import android.os.ServiceSpecificException;
@@ -278,4 +279,38 @@
throw new IllegalStateException(e);
}
}
+
+ /**
+ * Convert a RouteInfo into a RouteInfoParcel.
+ */
+ public static RouteInfoParcel toRouteInfoParcel(RouteInfo route) {
+ final String nextHop;
+
+ switch (route.getType()) {
+ case RouteInfo.RTN_UNICAST:
+ if (route.hasGateway()) {
+ nextHop = route.getGateway().getHostAddress();
+ } else {
+ nextHop = INetd.NEXTHOP_NONE;
+ }
+ break;
+ case RouteInfo.RTN_UNREACHABLE:
+ nextHop = INetd.NEXTHOP_UNREACHABLE;
+ break;
+ case RouteInfo.RTN_THROW:
+ nextHop = INetd.NEXTHOP_THROW;
+ break;
+ default:
+ nextHop = INetd.NEXTHOP_NONE;
+ break;
+ }
+
+ final RouteInfoParcel rip = new RouteInfoParcel();
+ rip.ifName = route.getInterface();
+ rip.destination = route.getDestination().toString();
+ rip.nextHop = nextHop;
+ rip.mtu = route.getMtu();
+
+ return rip;
+ }
}
diff --git a/staticlibs/device/com/android/net/module/util/Struct.java b/staticlibs/device/com/android/net/module/util/Struct.java
index b638a46..dc0d19b 100644
--- a/staticlibs/device/com/android/net/module/util/Struct.java
+++ b/staticlibs/device/com/android/net/module/util/Struct.java
@@ -146,6 +146,14 @@
int arraysize() default 0;
}
+ /**
+ * Indicates that this field contains a computed value and is ignored for the purposes of Struct
+ * parsing.
+ */
+ @Retention(RetentionPolicy.RUNTIME)
+ @Target(ElementType.FIELD)
+ public @interface Computed {}
+
private static class FieldInfo {
@NonNull
public final Field annotation;
@@ -533,6 +541,7 @@
final FieldInfo[] annotationFields = new FieldInfo[getAnnotationFieldCount(clazz)];
for (java.lang.reflect.Field field : clazz.getDeclaredFields()) {
if (Modifier.isStatic(field.getModifiers())) continue;
+ if (field.getAnnotation(Computed.class) != null) continue;
final Field annotation = field.getAnnotation(Field.class);
if (annotation == null) {
diff --git a/staticlibs/device/com/android/net/module/util/structs/IaPrefixOption.java b/staticlibs/device/com/android/net/module/util/structs/IaPrefixOption.java
index e9c39e4..ecdd440 100644
--- a/staticlibs/device/com/android/net/module/util/structs/IaPrefixOption.java
+++ b/staticlibs/device/com/android/net/module/util/structs/IaPrefixOption.java
@@ -18,12 +18,17 @@
import static com.android.net.module.util.NetworkStackConstants.DHCP6_OPTION_IAPREFIX;
+import android.net.IpPrefix;
import android.util.Log;
import com.android.net.module.util.Struct;
+import com.android.net.module.util.Struct.Computed;
import com.android.net.module.util.Struct.Field;
import com.android.net.module.util.Struct.Type;
+import java.net.Inet6Address;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
@@ -70,7 +75,11 @@
@Field(order = 5, type = Type.ByteArray, arraysize = 16)
public final byte[] prefix;
- public IaPrefixOption(final short code, final short length, final long preferred,
+ @Computed
+ private final IpPrefix mIpPrefix;
+
+ // Constructor used by Struct.parse()
+ protected IaPrefixOption(final short code, final short length, final long preferred,
final long valid, final byte prefixLen, final byte[] prefix) {
this.code = code;
this.length = length;
@@ -78,30 +87,43 @@
this.valid = valid;
this.prefixLen = prefixLen;
this.prefix = prefix.clone();
+
+ try {
+ final Inet6Address addr = (Inet6Address) InetAddress.getByAddress(prefix);
+ mIpPrefix = new IpPrefix(addr, prefixLen);
+ } catch (UnknownHostException | ClassCastException e) {
+ // UnknownHostException should never happen unless prefix is null.
+ // ClassCastException can occur when prefix is an IPv6 mapped IPv4 address.
+ // Both scenarios should throw an exception in the context of Struct#parse().
+ throw new IllegalArgumentException(e);
+ }
+ }
+
+ public IaPrefixOption(final short length, final long preferred, final long valid,
+ final byte prefixLen, final byte[] prefix) {
+ this((byte) DHCP6_OPTION_IAPREFIX, length, preferred, valid, prefixLen, prefix);
}
/**
* Check whether or not IA Prefix option in IA_PD option is valid per RFC8415#section-21.22.
+ *
+ * Note: an expired prefix can still be valid.
*/
- public boolean isValid(int t2) {
- if (preferred < 0 || valid < 0) {
- Log.w(TAG, "IA_PD option with invalid lifetime, preferred lifetime " + preferred
- + ", valid lifetime " + valid);
+ public boolean isValid() {
+ if (preferred < 0) {
+ Log.w(TAG, "Invalid preferred lifetime: " + this);
+ return false;
+ }
+ if (valid < 0) {
+ Log.w(TAG, "Invalid valid lifetime: " + this);
return false;
}
if (preferred > valid) {
- Log.w(TAG, "IA_PD option with preferred lifetime " + preferred
- + " greater than valid lifetime " + valid);
+ Log.w(TAG, "Invalid lifetime. Preferred lifetime > valid lifetime: " + this);
return false;
}
if (prefixLen > 64) {
- Log.w(TAG, "IA_PD option with prefix length " + prefixLen
- + " longer than 64");
- return false;
- }
- // Either preferred lifetime or t2 might be 0 which is valid, then ignore it.
- if (preferred != 0 && t2 != 0 && preferred < t2) {
- Log.w(TAG, "preferred lifetime " + preferred + " is smaller than T2 " + t2);
+ Log.w(TAG, "Invalid prefix length: " + this);
return false;
}
return true;
@@ -119,8 +141,14 @@
*/
public static ByteBuffer build(final short length, final long preferred, final long valid,
final byte prefixLen, final byte[] prefix) {
- final IaPrefixOption option = new IaPrefixOption((byte) DHCP6_OPTION_IAPREFIX,
+ final IaPrefixOption option = new IaPrefixOption(
length /* 25 + IAPrefix options length */, preferred, valid, prefixLen, prefix);
return ByteBuffer.wrap(option.writeToBytes(ByteOrder.BIG_ENDIAN));
}
+
+ @Override
+ public String toString() {
+ return "IA Prefix, length " + length + ": " + mIpPrefix + ", pref " + preferred + ", valid "
+ + valid;
+ }
}
diff --git a/staticlibs/framework/com/android/net/module/util/SdkUtil.java b/staticlibs/framework/com/android/net/module/util/SdkUtil.java
new file mode 100644
index 0000000..5006ba9
--- /dev/null
+++ b/staticlibs/framework/com/android/net/module/util/SdkUtil.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.net.module.util;
+
+import android.annotation.Nullable;
+
+/**
+ * Utilities to deal with multiple SDKs in a single mainline module.
+ * @hide
+ */
+public class SdkUtil {
+ /**
+ * Holder class taking advantage of erasure to avoid reflection running into class not found
+ * exceptions.
+ *
+ * This is useful to store a reference to a class that might not be present at runtime when
+ * fields are examined through reflection. An example is the MessageUtils class, which tries
+ * to get all fields in a class and therefore will try to load any class for which there
+ * is a member. Another example would be arguments or return values of methods in tests,
+ * when the testing framework uses reflection to list methods and their arguments.
+ *
+ * In these cases, LateSdk<T> can be used to hide type T from reflection, since it's erased
+ * and it becomes a vanilla LateSdk in Java bytecode. The T still can't be instantiated at
+ * runtime of course, but runtime tests will avoid that.
+ *
+ * @param <T> The held type
+ * @hide
+ */
+ public static class LateSdk<T> {
+ @Nullable public final T value;
+ public LateSdk(@Nullable final T value) {
+ this.value = value;
+ }
+ }
+}
diff --git a/staticlibs/testutils/Android.bp b/staticlibs/testutils/Android.bp
index 5fe7ac3..a5e5afb 100644
--- a/staticlibs/testutils/Android.bp
+++ b/staticlibs/testutils/Android.bp
@@ -38,6 +38,7 @@
"net-utils-device-common",
"net-utils-device-common-async",
"net-utils-device-common-netlink",
+ "net-utils-device-common-struct",
"net-utils-device-common-wear",
"modules-utils-build_system",
],
diff --git a/staticlibs/testutils/devicetests/com/android/testutils/TestBpfMap.java b/staticlibs/testutils/devicetests/com/android/testutils/TestBpfMap.java
index 733bd98..70f20d6 100644
--- a/staticlibs/testutils/devicetests/com/android/testutils/TestBpfMap.java
+++ b/staticlibs/testutils/devicetests/com/android/testutils/TestBpfMap.java
@@ -43,6 +43,8 @@
public class TestBpfMap<K extends Struct, V extends Struct> implements IBpfMap<K, V> {
private final ConcurrentHashMap<K, V> mMap = new ConcurrentHashMap<>();
+ public TestBpfMap() {}
+
// TODO: Remove this constructor
public TestBpfMap(final Class<K> key, final Class<V> value) {
}
diff --git a/staticlibs/testutils/host/com/android/testutils/ConnectivityTestTargetPreparer.kt b/staticlibs/testutils/host/com/android/testutils/ConnectivityTestTargetPreparer.kt
index eb94781..600a623 100644
--- a/staticlibs/testutils/host/com/android/testutils/ConnectivityTestTargetPreparer.kt
+++ b/staticlibs/testutils/host/com/android/testutils/ConnectivityTestTargetPreparer.kt
@@ -128,7 +128,7 @@
if (testInfo.device.getApiLevel() < 31) return
testInfo.exec("cmd connectivity set-chain3-enabled $enableChain")
enablePkgs.forEach { (pkg, allow) ->
- testInfo.exec("cmd connectivity set-package-networking-enabled $pkg $allow")
+ testInfo.exec("cmd connectivity set-package-networking-enabled $allow $pkg")
}
}
diff --git a/tests/integration/Android.bp b/tests/integration/Android.bp
index 12919ae..f705e34 100644
--- a/tests/integration/Android.bp
+++ b/tests/integration/Android.bp
@@ -45,6 +45,7 @@
// order-dependent setup.
"NetworkStackApiStableLib",
"androidx.test.ext.junit",
+ "compatibility-device-util-axt",
"frameworks-net-integration-testutils",
"kotlin-reflect",
"mockito-target-extended-minus-junit4",
diff --git a/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt b/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
index e264b55..9b082a4 100644
--- a/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
+++ b/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
@@ -40,11 +40,14 @@
import android.os.IBinder
import android.os.SystemConfigManager
import android.os.UserHandle
+import android.os.VintfRuntimeInfo
import android.testing.TestableContext
import android.util.Log
import androidx.test.ext.junit.runners.AndroidJUnit4
import androidx.test.platform.app.InstrumentationRegistry
+import com.android.compatibility.common.util.SystemUtil
import com.android.connectivity.resources.R
+import com.android.net.module.util.BpfUtils
import com.android.server.BpfNetMaps
import com.android.server.ConnectivityService
import com.android.server.NetworkAgentWrapper
@@ -53,6 +56,7 @@
import com.android.server.connectivity.MockableSystemProperties
import com.android.server.connectivity.MultinetworkPolicyTracker
import com.android.server.connectivity.ProxyTracker
+import com.android.testutils.DeviceInfoUtils
import com.android.testutils.RecorderCallback.CallbackEntry.LinkPropertiesChanged
import com.android.testutils.TestableNetworkCallback
import kotlin.test.assertEquals
@@ -60,6 +64,7 @@
import kotlin.test.assertTrue
import kotlin.test.fail
import org.junit.After
+import org.junit.Assume
import org.junit.Before
import org.junit.BeforeClass
import org.junit.Test
@@ -302,4 +307,25 @@
!it.hasCapability(NET_CAPABILITY_VALIDATED)
}
}
+
+ private fun isBpfGetCgroupProgramIdSupportedByKernel(): Boolean {
+ val kVersionString = VintfRuntimeInfo.getKernelVersion()
+ return DeviceInfoUtils.compareMajorMinorVersion(kVersionString, "4.19") >= 0
+ }
+
+ @Test
+ fun testBpfProgramAttachStatus() {
+ Assume.assumeTrue(isBpfGetCgroupProgramIdSupportedByKernel())
+
+ listOf(
+ BpfUtils.BPF_CGROUP_INET_INGRESS,
+ BpfUtils.BPF_CGROUP_INET_EGRESS,
+ BpfUtils.BPF_CGROUP_INET_SOCK_CREATE
+ ).forEach {
+ val ret = SystemUtil.runShellCommand(InstrumentationRegistry.getInstrumentation(),
+ "cmd connectivity bpf-get-cgroup-program-id $it").trim()
+
+ assertTrue(Integer.parseInt(ret) > 0, "Unexpected output $ret for type $it")
+ }
+ }
}
diff --git a/tests/unit/java/android/net/BpfNetMapsReaderTest.kt b/tests/unit/java/android/net/BpfNetMapsReaderTest.kt
new file mode 100644
index 0000000..facb932
--- /dev/null
+++ b/tests/unit/java/android/net/BpfNetMapsReaderTest.kt
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net
+
+import android.net.BpfNetMapsConstants.UID_RULES_CONFIGURATION_KEY
+import android.net.BpfNetMapsUtils.getMatchByFirewallChain
+import android.os.Build
+import com.android.net.module.util.IBpfMap
+import com.android.net.module.util.Struct.S32
+import com.android.net.module.util.Struct.U32
+import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo
+import com.android.testutils.DevSdkIgnoreRunner
+import com.android.testutils.TestBpfMap
+import kotlin.test.assertFalse
+import kotlin.test.assertTrue
+import org.junit.Test
+import org.junit.runner.RunWith
+
+// pre-T devices does not support Bpf.
+@RunWith(DevSdkIgnoreRunner::class)
+@IgnoreUpTo(Build.VERSION_CODES.S_V2)
+class BpfNetMapsReaderTest {
+ private val testConfigurationMap: IBpfMap<S32, U32> = TestBpfMap()
+ private val testUidOwnerMap: IBpfMap<S32, UidOwnerValue> = TestBpfMap()
+ private val bpfNetMapsReader = BpfNetMapsReader(
+ TestDependencies(testConfigurationMap, testUidOwnerMap))
+
+ class TestDependencies(
+ private val configMap: IBpfMap<S32, U32>,
+ private val uidOwnerMap: IBpfMap<S32, UidOwnerValue>
+ ) : BpfNetMapsReader.Dependencies() {
+ override fun getConfigurationMap() = configMap
+ override fun getUidOwnerMap() = uidOwnerMap
+ }
+
+ private fun doTestIsChainEnabled(chain: Int) {
+ testConfigurationMap.updateEntry(
+ UID_RULES_CONFIGURATION_KEY,
+ U32(getMatchByFirewallChain(chain))
+ )
+ assertTrue(bpfNetMapsReader.isChainEnabled(chain))
+ testConfigurationMap.updateEntry(UID_RULES_CONFIGURATION_KEY, U32(0))
+ assertFalse(bpfNetMapsReader.isChainEnabled(chain))
+ }
+
+ @Test
+ @Throws(Exception::class)
+ fun testIsChainEnabled() {
+ doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_DOZABLE)
+ doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_STANDBY)
+ doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_POWERSAVE)
+ doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_RESTRICTED)
+ doTestIsChainEnabled(ConnectivityManager.FIREWALL_CHAIN_LOW_POWER_STANDBY)
+ }
+}
diff --git a/tests/unit/java/com/android/server/BpfNetMapsTest.java b/tests/unit/java/com/android/server/BpfNetMapsTest.java
index 5f280c6..da5f7e1 100644
--- a/tests/unit/java/com/android/server/BpfNetMapsTest.java
+++ b/tests/unit/java/com/android/server/BpfNetMapsTest.java
@@ -66,6 +66,7 @@
import android.content.Context;
import android.net.BpfNetMapsUtils;
import android.net.INetd;
+import android.net.UidOwnerValue;
import android.os.Build;
import android.os.ServiceSpecificException;
import android.system.ErrnoException;
diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 8bca4dd..194cec3 100755
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -935,12 +935,6 @@
return appUid + (firstSdkSandboxUid - Process.FIRST_APPLICATION_UID);
}
- // This function assumes the UID range for user 0 ([1, 99999])
- private static UidRangeParcel[] uidRangeParcelsExcludingUids(Integer... excludedUids) {
- final List<Integer> uids = Arrays.asList(excludedUids);
- return intToUidRangeStableParcels(intRangesPrimaryExcludingUids(uids));
- }
-
// Create the list of ranges for the primary user (User 0), excluding excludedUids.
private static List<Range<Integer>> intRangesPrimaryExcludingUids(List<Integer> excludedUids) {
final List<Integer> excludedUidsList = new ArrayList<>(excludedUids);
@@ -9527,8 +9521,16 @@
assertNotNull(mCm.getActiveNetworkForUid(restrictedUid));
// Enable always-on VPN lockdown. The main user loses network access because no VPN is up.
- final ArrayList<String> allowList = new ArrayList<>();
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
+ // Coverage in VpnTest.
+ final List<Integer> excludedUids = new ArrayList<>();
+ excludedUids.add(VPN_UID);
+ if (mDeps.isAtLeastT()) {
+ // On T onwards, the corresponding SDK sandbox UID should also be excluded
+ excludedUids.add(toSdkSandboxUid(VPN_UID));
+ }
+ final List<Range<Integer>> primaryRanges = intRangesPrimaryExcludingUids(excludedUids);
+ mCm.setRequireVpnForUids(true, primaryRanges);
+
waitForIdle();
assertNull(mCm.getActiveNetworkForUid(uid));
// This is arguably overspecified: a UID that is not running doesn't have an active network.
@@ -9540,12 +9542,6 @@
// TODO: check that VPN app within restricted profile still has access, etc.
// Add a restricted user.
// This is equivalent to `mMockVpn.onUserAdded(RESTRICTED_USER);`, coverage in VpnTest.
- final List<Integer> excludedUids = new ArrayList<Integer>();
- excludedUids.add(VPN_UID);
- if (mDeps.isAtLeastT()) {
- // On T onwards, the corresponding SDK sandbox UID should also be excluded
- excludedUids.add(toSdkSandboxUid(VPN_UID));
- }
final List<Range<Integer>> restrictedRanges =
intRangesExcludingUids(RESTRICTED_USER, excludedUids);
mCm.setRequireVpnForUids(true, restrictedRanges);
@@ -9563,7 +9559,8 @@
assertNull(mCm.getActiveNetworkForUid(uid));
assertNotNull(mCm.getActiveNetworkForUid(restrictedUid));
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
+ mCm.setRequireVpnForUids(false, primaryRanges);
+
waitForIdle();
}
@@ -10016,18 +10013,20 @@
new Handler(ConnectivityThread.getInstanceLooper()));
final int uid = Process.myUid();
- final ArrayList<String> allowList = new ArrayList<>();
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
- waitForIdle();
- final Set<Integer> excludedUids = new ArraySet<Integer>();
+ // Enable always-on VPN lockdown, coverage in VpnTest.
+ final List<Integer> excludedUids = new ArrayList<Integer>();
excludedUids.add(VPN_UID);
if (mDeps.isAtLeastT()) {
// On T onwards, the corresponding SDK sandbox UID should also be excluded
excludedUids.add(toSdkSandboxUid(VPN_UID));
}
- final UidRangeParcel[] uidRangeParcels = uidRangeParcelsExcludingUids(
- excludedUids.toArray(new Integer[0]));
+
+ final List<Range<Integer>> primaryRanges = intRangesPrimaryExcludingUids(excludedUids);
+ mCm.setRequireVpnForUids(true, primaryRanges);
+ waitForIdle();
+
+ final UidRangeParcel[] uidRangeParcels = intToUidRangeStableParcels(primaryRanges);
InOrder inOrder = inOrder(mMockNetd);
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels);
@@ -10047,7 +10046,8 @@
assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED);
// Disable lockdown, expect to see the network unblocked.
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
+ mCm.setRequireVpnForUids(false, primaryRanges);
+ waitForIdle();
callback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
vpnUidCallback.assertNoCallback();
@@ -10060,22 +10060,25 @@
assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
- // Add our UID to the allowlist and re-enable lockdown, expect network is not blocked.
- allowList.add(TEST_PACKAGE_NAME);
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
+ // Add our UID to the allowlist, expect network is not blocked. Coverage in VpnTest.
+ excludedUids.add(uid);
+ if (mDeps.isAtLeastT()) {
+ // On T onwards, the corresponding SDK sandbox UID should also be excluded
+ excludedUids.add(toSdkSandboxUid(uid));
+ }
+ final List<Range<Integer>> primaryRangesExcludingUid =
+ intRangesPrimaryExcludingUids(excludedUids);
+ mCm.setRequireVpnForUids(true, primaryRangesExcludingUid);
+ waitForIdle();
+
callback.assertNoCallback();
defaultCallback.assertNoCallback();
vpnUidCallback.assertNoCallback();
vpnUidDefaultCallback.assertNoCallback();
vpnDefaultCallbackAsUid.assertNoCallback();
- excludedUids.add(uid);
- if (mDeps.isAtLeastT()) {
- // On T onwards, the corresponding SDK sandbox UID should also be excluded
- excludedUids.add(toSdkSandboxUid(uid));
- }
- final UidRangeParcel[] uidRangeParcelsAlsoExcludingUs = uidRangeParcelsExcludingUids(
- excludedUids.toArray(new Integer[0]));
+ final UidRangeParcel[] uidRangeParcelsAlsoExcludingUs =
+ intToUidRangeStableParcels(primaryRangesExcludingUid);
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcelsAlsoExcludingUs);
assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID));
assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetwork());
@@ -10098,15 +10101,15 @@
assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
- // Disable lockdown, remove our UID from the allowlist, and re-enable lockdown.
- // Everything should now be blocked.
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
+ // Disable lockdown
+ mCm.setRequireVpnForUids(false, primaryRangesExcludingUid);
waitForIdle();
expectNetworkRejectNonSecureVpn(inOrder, false, uidRangeParcelsAlsoExcludingUs);
- allowList.clear();
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
+ // Remove our UID from the allowlist, and re-enable lockdown.
+ mCm.setRequireVpnForUids(true, primaryRanges);
waitForIdle();
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels);
+ // Everything should now be blocked.
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback();
@@ -10119,7 +10122,7 @@
assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED);
// Disable lockdown. Everything is unblocked.
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
+ mCm.setRequireVpnForUids(false, primaryRanges);
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, false, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback();
@@ -10132,7 +10135,7 @@
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
// Enable lockdown and connect a VPN. The VPN is not blocked.
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
+ mCm.setRequireVpnForUids(true, primaryRanges);
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback();