Merge "[BR01.1] Support BpfNetMapsReader" into main
diff --git a/staticlibs/testutils/host/com/android/testutils/ConnectivityTestTargetPreparer.kt b/staticlibs/testutils/host/com/android/testutils/ConnectivityTestTargetPreparer.kt
index eb94781..600a623 100644
--- a/staticlibs/testutils/host/com/android/testutils/ConnectivityTestTargetPreparer.kt
+++ b/staticlibs/testutils/host/com/android/testutils/ConnectivityTestTargetPreparer.kt
@@ -128,7 +128,7 @@
if (testInfo.device.getApiLevel() < 31) return
testInfo.exec("cmd connectivity set-chain3-enabled $enableChain")
enablePkgs.forEach { (pkg, allow) ->
- testInfo.exec("cmd connectivity set-package-networking-enabled $pkg $allow")
+ testInfo.exec("cmd connectivity set-package-networking-enabled $allow $pkg")
}
}
diff --git a/tests/integration/Android.bp b/tests/integration/Android.bp
index 12919ae..f705e34 100644
--- a/tests/integration/Android.bp
+++ b/tests/integration/Android.bp
@@ -45,6 +45,7 @@
// order-dependent setup.
"NetworkStackApiStableLib",
"androidx.test.ext.junit",
+ "compatibility-device-util-axt",
"frameworks-net-integration-testutils",
"kotlin-reflect",
"mockito-target-extended-minus-junit4",
diff --git a/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt b/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
index e264b55..9b082a4 100644
--- a/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
+++ b/tests/integration/src/com/android/server/net/integrationtests/ConnectivityServiceIntegrationTest.kt
@@ -40,11 +40,14 @@
import android.os.IBinder
import android.os.SystemConfigManager
import android.os.UserHandle
+import android.os.VintfRuntimeInfo
import android.testing.TestableContext
import android.util.Log
import androidx.test.ext.junit.runners.AndroidJUnit4
import androidx.test.platform.app.InstrumentationRegistry
+import com.android.compatibility.common.util.SystemUtil
import com.android.connectivity.resources.R
+import com.android.net.module.util.BpfUtils
import com.android.server.BpfNetMaps
import com.android.server.ConnectivityService
import com.android.server.NetworkAgentWrapper
@@ -53,6 +56,7 @@
import com.android.server.connectivity.MockableSystemProperties
import com.android.server.connectivity.MultinetworkPolicyTracker
import com.android.server.connectivity.ProxyTracker
+import com.android.testutils.DeviceInfoUtils
import com.android.testutils.RecorderCallback.CallbackEntry.LinkPropertiesChanged
import com.android.testutils.TestableNetworkCallback
import kotlin.test.assertEquals
@@ -60,6 +64,7 @@
import kotlin.test.assertTrue
import kotlin.test.fail
import org.junit.After
+import org.junit.Assume
import org.junit.Before
import org.junit.BeforeClass
import org.junit.Test
@@ -302,4 +307,25 @@
!it.hasCapability(NET_CAPABILITY_VALIDATED)
}
}
+
+ private fun isBpfGetCgroupProgramIdSupportedByKernel(): Boolean {
+ val kVersionString = VintfRuntimeInfo.getKernelVersion()
+ return DeviceInfoUtils.compareMajorMinorVersion(kVersionString, "4.19") >= 0
+ }
+
+ @Test
+ fun testBpfProgramAttachStatus() {
+ Assume.assumeTrue(isBpfGetCgroupProgramIdSupportedByKernel())
+
+ listOf(
+ BpfUtils.BPF_CGROUP_INET_INGRESS,
+ BpfUtils.BPF_CGROUP_INET_EGRESS,
+ BpfUtils.BPF_CGROUP_INET_SOCK_CREATE
+ ).forEach {
+ val ret = SystemUtil.runShellCommand(InstrumentationRegistry.getInstrumentation(),
+ "cmd connectivity bpf-get-cgroup-program-id $it").trim()
+
+ assertTrue(Integer.parseInt(ret) > 0, "Unexpected output $ret for type $it")
+ }
+ }
}
diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 42b0d59..194cec3 100755
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -935,24 +935,39 @@
return appUid + (firstSdkSandboxUid - Process.FIRST_APPLICATION_UID);
}
- // This function assumes the UID range for user 0 ([1, 99999])
- private static UidRangeParcel[] uidRangeParcelsExcludingUids(Integer... excludedUids) {
- int start = 1;
- Arrays.sort(excludedUids);
- List<UidRangeParcel> parcels = new ArrayList<UidRangeParcel>();
+ // Create the list of ranges for the primary user (User 0), excluding excludedUids.
+ private static List<Range<Integer>> intRangesPrimaryExcludingUids(List<Integer> excludedUids) {
+ final List<Integer> excludedUidsList = new ArrayList<>(excludedUids);
+ // Uid 0 is always excluded
+ if (!excludedUidsList.contains(0)) {
+ excludedUidsList.add(0);
+ }
+ return intRangesExcludingUids(PRIMARY_USER, excludedUidsList);
+ }
+
+ private static List<Range<Integer>> intRangesExcludingUids(int userId,
+ List<Integer> excludedAppIds) {
+ final List<Integer> excludedUids = CollectionUtils.map(excludedAppIds,
+ appId -> UserHandle.getUid(userId, appId));
+ final int userBase = userId * UserHandle.PER_USER_RANGE;
+ final int maxUid = userBase + UserHandle.PER_USER_RANGE - 1;
+
+ int start = userBase;
+ Collections.sort(excludedUids);
+ final List<Range<Integer>> ranges = new ArrayList<>();
for (int excludedUid : excludedUids) {
if (excludedUid == start) {
start++;
} else {
- parcels.add(new UidRangeParcel(start, excludedUid - 1));
+ ranges.add(new Range<>(start, excludedUid - 1));
start = excludedUid + 1;
}
}
- if (start <= 99999) {
- parcels.add(new UidRangeParcel(start, 99999));
+ if (start <= maxUid) {
+ ranges.add(new Range<>(start, maxUid));
}
- return parcels.toArray(new UidRangeParcel[0]);
+ return ranges;
}
private void waitForIdle() {
@@ -1739,6 +1754,12 @@
return ranges.stream().map(r -> new UidRangeParcel(r, r)).toArray(UidRangeParcel[]::new);
}
+ private static UidRangeParcel[] intToUidRangeStableParcels(
+ final @NonNull List<Range<Integer>> ranges) {
+ return ranges.stream().map(
+ r -> new UidRangeParcel(r.getLower(), r.getUpper())).toArray(UidRangeParcel[]::new);
+ }
+
private void assertVpnTransportInfo(NetworkCapabilities nc, int type) {
assertNotNull(nc);
final TransportInfo ti = nc.getTransportInfo();
@@ -1871,6 +1892,8 @@
private static final UserHandle TERTIARY_USER_HANDLE = new UserHandle(TERTIARY_USER);
private static final int RESTRICTED_USER = 1;
+ private static final UidRange RESTRICTED_USER_UIDRANGE =
+ UidRange.createForUser(UserHandle.of(RESTRICTED_USER));
private static final UserInfo RESTRICTED_USER_INFO = new UserInfo(RESTRICTED_USER, "",
UserInfo.FLAG_RESTRICTED);
static {
@@ -9426,11 +9449,11 @@
&& c.hasTransport(TRANSPORT_WIFI));
callback.expectCaps(mWiFiAgent, c -> c.hasCapability(NET_CAPABILITY_VALIDATED));
- doReturn(UserHandle.getUid(RESTRICTED_USER, VPN_UID)).when(mPackageManager)
- .getPackageUidAsUser(ALWAYS_ON_PACKAGE, RESTRICTED_USER);
-
- // New user added
- mMockVpn.onUserAdded(RESTRICTED_USER);
+ // New user added, this updates the Vpn uids, coverage in VpnTest.
+ // This is equivalent to `mMockVpn.onUserAdded(RESTRICTED_USER);`
+ final Set<UidRange> ranges = uidRangesForUids(uid);
+ ranges.add(RESTRICTED_USER_UIDRANGE);
+ mMockVpn.setUids(ranges);
// Expect that the VPN UID ranges contain both |uid| and the UID range for the newly-added
// restricted user.
@@ -9455,7 +9478,9 @@
&& !c.hasTransport(TRANSPORT_WIFI));
// User removed and expect to lose the UID range for the restricted user.
- mMockVpn.onUserRemoved(RESTRICTED_USER);
+ // This updates the Vpn uids, coverage in VpnTest.
+ // This is equivalent to `mMockVpn.onUserRemoved(RESTRICTED_USER);`
+ mMockVpn.setUids(uidRangesForUids(uid));
// Expect that the VPN gains the UID range for the restricted user, and that the capability
// change made just before that (i.e., loss of TRANSPORT_WIFI) is preserved.
@@ -9496,8 +9521,16 @@
assertNotNull(mCm.getActiveNetworkForUid(restrictedUid));
// Enable always-on VPN lockdown. The main user loses network access because no VPN is up.
- final ArrayList<String> allowList = new ArrayList<>();
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
+ // Coverage in VpnTest.
+ final List<Integer> excludedUids = new ArrayList<>();
+ excludedUids.add(VPN_UID);
+ if (mDeps.isAtLeastT()) {
+ // On T onwards, the corresponding SDK sandbox UID should also be excluded
+ excludedUids.add(toSdkSandboxUid(VPN_UID));
+ }
+ final List<Range<Integer>> primaryRanges = intRangesPrimaryExcludingUids(excludedUids);
+ mCm.setRequireVpnForUids(true, primaryRanges);
+
waitForIdle();
assertNull(mCm.getActiveNetworkForUid(uid));
// This is arguably overspecified: a UID that is not running doesn't have an active network.
@@ -9506,32 +9539,28 @@
assertNotNull(mCm.getActiveNetworkForUid(restrictedUid));
// Start the restricted profile, and check that the UID within it loses network access.
- doReturn(UserHandle.getUid(RESTRICTED_USER, VPN_UID)).when(mPackageManager)
- .getPackageUidAsUser(ALWAYS_ON_PACKAGE, RESTRICTED_USER);
- doReturn(asList(PRIMARY_USER_INFO, RESTRICTED_USER_INFO)).when(mUserManager)
- .getAliveUsers();
// TODO: check that VPN app within restricted profile still has access, etc.
- mMockVpn.onUserAdded(RESTRICTED_USER);
- final Intent addedIntent = new Intent(ACTION_USER_ADDED);
- addedIntent.putExtra(Intent.EXTRA_USER, UserHandle.of(RESTRICTED_USER));
- addedIntent.putExtra(Intent.EXTRA_USER_HANDLE, RESTRICTED_USER);
- processBroadcast(addedIntent);
+ // Add a restricted user.
+ // This is equivalent to `mMockVpn.onUserAdded(RESTRICTED_USER);`, coverage in VpnTest.
+ final List<Range<Integer>> restrictedRanges =
+ intRangesExcludingUids(RESTRICTED_USER, excludedUids);
+ mCm.setRequireVpnForUids(true, restrictedRanges);
+ waitForIdle();
+
assertNull(mCm.getActiveNetworkForUid(uid));
assertNull(mCm.getActiveNetworkForUid(restrictedUid));
// Stop the restricted profile, and check that the UID within it has network access again.
- doReturn(asList(PRIMARY_USER_INFO)).when(mUserManager).getAliveUsers();
+ // Remove the restricted user.
+ // This is equivalent to `mMockVpn.onUserRemoved(RESTRICTED_USER);`, coverage in VpnTest.
+ mCm.setRequireVpnForUids(false, restrictedRanges);
+ waitForIdle();
- // Send a USER_REMOVED broadcast and expect to lose the UID range for the restricted user.
- mMockVpn.onUserRemoved(RESTRICTED_USER);
- final Intent removedIntent = new Intent(ACTION_USER_REMOVED);
- removedIntent.putExtra(Intent.EXTRA_USER, UserHandle.of(RESTRICTED_USER));
- removedIntent.putExtra(Intent.EXTRA_USER_HANDLE, RESTRICTED_USER);
- processBroadcast(removedIntent);
assertNull(mCm.getActiveNetworkForUid(uid));
assertNotNull(mCm.getActiveNetworkForUid(restrictedUid));
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
+ mCm.setRequireVpnForUids(false, primaryRanges);
+
waitForIdle();
}
@@ -9984,18 +10013,20 @@
new Handler(ConnectivityThread.getInstanceLooper()));
final int uid = Process.myUid();
- final ArrayList<String> allowList = new ArrayList<>();
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
- waitForIdle();
- final Set<Integer> excludedUids = new ArraySet<Integer>();
+ // Enable always-on VPN lockdown, coverage in VpnTest.
+ final List<Integer> excludedUids = new ArrayList<Integer>();
excludedUids.add(VPN_UID);
if (mDeps.isAtLeastT()) {
// On T onwards, the corresponding SDK sandbox UID should also be excluded
excludedUids.add(toSdkSandboxUid(VPN_UID));
}
- final UidRangeParcel[] uidRangeParcels = uidRangeParcelsExcludingUids(
- excludedUids.toArray(new Integer[0]));
+
+ final List<Range<Integer>> primaryRanges = intRangesPrimaryExcludingUids(excludedUids);
+ mCm.setRequireVpnForUids(true, primaryRanges);
+ waitForIdle();
+
+ final UidRangeParcel[] uidRangeParcels = intToUidRangeStableParcels(primaryRanges);
InOrder inOrder = inOrder(mMockNetd);
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels);
@@ -10015,7 +10046,8 @@
assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED);
// Disable lockdown, expect to see the network unblocked.
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
+ mCm.setRequireVpnForUids(false, primaryRanges);
+ waitForIdle();
callback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
vpnUidCallback.assertNoCallback();
@@ -10028,22 +10060,25 @@
assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
- // Add our UID to the allowlist and re-enable lockdown, expect network is not blocked.
- allowList.add(TEST_PACKAGE_NAME);
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
+ // Add our UID to the allowlist, expect network is not blocked. Coverage in VpnTest.
+ excludedUids.add(uid);
+ if (mDeps.isAtLeastT()) {
+ // On T onwards, the corresponding SDK sandbox UID should also be excluded
+ excludedUids.add(toSdkSandboxUid(uid));
+ }
+ final List<Range<Integer>> primaryRangesExcludingUid =
+ intRangesPrimaryExcludingUids(excludedUids);
+ mCm.setRequireVpnForUids(true, primaryRangesExcludingUid);
+ waitForIdle();
+
callback.assertNoCallback();
defaultCallback.assertNoCallback();
vpnUidCallback.assertNoCallback();
vpnUidDefaultCallback.assertNoCallback();
vpnDefaultCallbackAsUid.assertNoCallback();
- excludedUids.add(uid);
- if (mDeps.isAtLeastT()) {
- // On T onwards, the corresponding SDK sandbox UID should also be excluded
- excludedUids.add(toSdkSandboxUid(uid));
- }
- final UidRangeParcel[] uidRangeParcelsAlsoExcludingUs = uidRangeParcelsExcludingUids(
- excludedUids.toArray(new Integer[0]));
+ final UidRangeParcel[] uidRangeParcelsAlsoExcludingUs =
+ intToUidRangeStableParcels(primaryRangesExcludingUid);
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcelsAlsoExcludingUs);
assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID));
assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetwork());
@@ -10066,15 +10101,15 @@
assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
- // Disable lockdown, remove our UID from the allowlist, and re-enable lockdown.
- // Everything should now be blocked.
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
+ // Disable lockdown
+ mCm.setRequireVpnForUids(false, primaryRangesExcludingUid);
waitForIdle();
expectNetworkRejectNonSecureVpn(inOrder, false, uidRangeParcelsAlsoExcludingUs);
- allowList.clear();
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
+ // Remove our UID from the allowlist, and re-enable lockdown.
+ mCm.setRequireVpnForUids(true, primaryRanges);
waitForIdle();
expectNetworkRejectNonSecureVpn(inOrder, true, uidRangeParcels);
+ // Everything should now be blocked.
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback();
@@ -10087,7 +10122,7 @@
assertNetworkInfo(TYPE_WIFI, DetailedState.BLOCKED);
// Disable lockdown. Everything is unblocked.
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
+ mCm.setRequireVpnForUids(false, primaryRanges);
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> !cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, false, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback();
@@ -10099,36 +10134,8 @@
assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
- // Enable and disable an always-on VPN package without lockdown. Expect no changes.
- reset(mMockNetd);
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, false /* lockdown */, allowList);
- inOrder.verify(mMockNetd, never()).networkRejectNonSecureVpn(anyBoolean(), any());
- callback.assertNoCallback();
- defaultCallback.assertNoCallback();
- vpnUidCallback.assertNoCallback();
- vpnUidDefaultCallback.assertNoCallback();
- vpnDefaultCallbackAsUid.assertNoCallback();
- assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID));
- assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetwork());
- assertActiveNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
- assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
- assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
-
- mMockVpn.setAlwaysOnPackage(null, false /* lockdown */, allowList);
- inOrder.verify(mMockNetd, never()).networkRejectNonSecureVpn(anyBoolean(), any());
- callback.assertNoCallback();
- defaultCallback.assertNoCallback();
- vpnUidCallback.assertNoCallback();
- vpnUidDefaultCallback.assertNoCallback();
- vpnDefaultCallbackAsUid.assertNoCallback();
- assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetworkForUid(VPN_UID));
- assertEquals(mWiFiAgent.getNetwork(), mCm.getActiveNetwork());
- assertActiveNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
- assertNetworkInfo(TYPE_MOBILE, DetailedState.DISCONNECTED);
- assertNetworkInfo(TYPE_WIFI, DetailedState.CONNECTED);
-
// Enable lockdown and connect a VPN. The VPN is not blocked.
- mMockVpn.setAlwaysOnPackage(ALWAYS_ON_PACKAGE, true /* lockdown */, allowList);
+ mCm.setRequireVpnForUids(true, primaryRanges);
defaultCallback.expect(BLOCKED_STATUS, mWiFiAgent, cb -> cb.getBlocked());
assertBlockedCallbackInAnyOrder(callback, true, mWiFiAgent, mCellAgent);
vpnUidCallback.assertNoCallback();
@@ -10262,7 +10269,8 @@
// Init lockdown state to simulate LockdownVpnTracker behavior.
mCm.setLegacyLockdownVpnEnabled(true);
mMockVpn.setEnableTeardown(false);
- final Set<Range<Integer>> ranges = UidRange.toIntRanges(Set.of(PRIMARY_UIDRANGE));
+ final List<Range<Integer>> ranges =
+ intRangesPrimaryExcludingUids(Collections.EMPTY_LIST /* excludedeUids */);
mCm.setRequireVpnForUids(true /* requireVpn */, ranges);
// Bring up a network.
@@ -10468,7 +10476,8 @@
@Test @IgnoreUpTo(Build.VERSION_CODES.S_V2)
public void testLockdownSetFirewallUidRule() throws Exception {
- final Set<Range<Integer>> lockdownRange = UidRange.toIntRanges(Set.of(PRIMARY_UIDRANGE));
+ final List<Range<Integer>> lockdownRange =
+ intRangesPrimaryExcludingUids(Collections.EMPTY_LIST /* excludedeUids */);
// Enable Lockdown
mCm.setRequireVpnForUids(true /* requireVpn */, lockdownRange);
waitForIdle();
diff --git a/tests/unit/java/com/android/server/connectivity/VpnTest.java b/tests/unit/java/com/android/server/connectivity/VpnTest.java
index 478ff61..48cfe77 100644
--- a/tests/unit/java/com/android/server/connectivity/VpnTest.java
+++ b/tests/unit/java/com/android/server/connectivity/VpnTest.java
@@ -579,6 +579,18 @@
}
@Test
+ public void testAlwaysOnWithoutLockdown() throws Exception {
+ final Vpn vpn = createVpn(PRIMARY_USER.id);
+ assertTrue(vpn.setAlwaysOnPackage(
+ PKGS[1], false /* lockdown */, null /* lockdownAllowlist */));
+ verify(mConnectivityManager, never()).setRequireVpnForUids(anyBoolean(), any());
+
+ assertTrue(vpn.setAlwaysOnPackage(
+ null /* packageName */, false /* lockdown */, null /* lockdownAllowlist */));
+ verify(mConnectivityManager, never()).setRequireVpnForUids(anyBoolean(), any());
+ }
+
+ @Test
public void testLockdownChangingPackage() throws Exception {
final Vpn vpn = createVpn(PRIMARY_USER.id);
final Range<Integer> user = PRIMARY_USER_RANGE;
@@ -724,6 +736,37 @@
}
@Test
+ public void testLockdownSystemUser() throws Exception {
+ final Vpn vpn = createVpn(SYSTEM_USER_ID);
+
+ // Uid 0 is always excluded and PKG_UIDS[1] is the uid of the VPN.
+ final List<Integer> excludedUids = new ArrayList<>(List.of(0, PKG_UIDS[1]));
+ final List<Range<Integer>> ranges = makeVpnUidRange(SYSTEM_USER_ID, excludedUids);
+
+ // Set always-on with lockdown.
+ assertTrue(vpn.setAlwaysOnPackage(
+ PKGS[1], true /* lockdown */, null /* lockdownAllowlist */));
+ verify(mConnectivityManager).setRequireVpnForUids(true, ranges);
+
+ // Disable always-on with lockdown.
+ assertTrue(vpn.setAlwaysOnPackage(
+ null /* packageName */, false /* lockdown */, null /* lockdownAllowlist */));
+ verify(mConnectivityManager).setRequireVpnForUids(false, ranges);
+
+ // Set always-on with lockdown and allow the app PKGS[2].
+ excludedUids.add(PKG_UIDS[2]);
+ final List<Range<Integer>> ranges2 = makeVpnUidRange(SYSTEM_USER_ID, excludedUids);
+ assertTrue(vpn.setAlwaysOnPackage(
+ PKGS[1], true /* lockdown */, Collections.singletonList(PKGS[2])));
+ verify(mConnectivityManager).setRequireVpnForUids(true, ranges2);
+
+ // Disable always-on with lockdown.
+ assertTrue(vpn.setAlwaysOnPackage(
+ null /* packageName */, false /* lockdown */, null /* lockdownAllowlist */));
+ verify(mConnectivityManager).setRequireVpnForUids(false, ranges2);
+ }
+
+ @Test
public void testLockdownRuleRepeatability() throws Exception {
final Vpn vpn = createVpn(PRIMARY_USER.id);
final UidRangeParcel[] primaryUserRangeParcel = new UidRangeParcel[] {
@@ -788,6 +831,101 @@
}
@Test
+ public void testOnUserAddedAndRemoved_restrictedUser() throws Exception {
+ final InOrder order = inOrder(mMockNetworkAgent);
+ final Vpn vpn = createVpn(PRIMARY_USER.id);
+ final Set<Range<Integer>> initialRange = rangeSet(PRIMARY_USER_RANGE);
+ // Note since mVpnProfile is a Ikev2VpnProfile, this starts an IkeV2VpnRunner.
+ startLegacyVpn(vpn, mVpnProfile);
+ // Set an initial Uid range and mock the network agent
+ vpn.mNetworkCapabilities.setUids(initialRange);
+ vpn.mNetworkAgent = mMockNetworkAgent;
+
+ // Add the restricted user
+ setMockedUsers(PRIMARY_USER, RESTRICTED_PROFILE_A);
+ vpn.onUserAdded(RESTRICTED_PROFILE_A.id);
+ // Expect restricted user range to be added to the NetworkCapabilities.
+ final Set<Range<Integer>> expectRestrictedRange =
+ rangeSet(PRIMARY_USER_RANGE, uidRangeForUser(RESTRICTED_PROFILE_A.id));
+ assertEquals(expectRestrictedRange, vpn.mNetworkCapabilities.getUids());
+ order.verify(mMockNetworkAgent).doSendNetworkCapabilities(
+ argThat(nc -> expectRestrictedRange.equals(nc.getUids())));
+
+ // Remove the restricted user
+ vpn.onUserRemoved(RESTRICTED_PROFILE_A.id);
+ // Expect restricted user range to be removed from the NetworkCapabilities.
+ assertEquals(initialRange, vpn.mNetworkCapabilities.getUids());
+ order.verify(mMockNetworkAgent).doSendNetworkCapabilities(
+ argThat(nc -> initialRange.equals(nc.getUids())));
+ }
+
+ @Test
+ public void testOnUserAddedAndRemoved_restrictedUserLockdown() throws Exception {
+ final UidRangeParcel[] primaryUserRangeParcel = new UidRangeParcel[] {
+ new UidRangeParcel(PRIMARY_USER_RANGE.getLower(), PRIMARY_USER_RANGE.getUpper())};
+ final Range<Integer> restrictedUserRange = uidRangeForUser(RESTRICTED_PROFILE_A.id);
+ final UidRangeParcel[] restrictedUserRangeParcel = new UidRangeParcel[] {
+ new UidRangeParcel(restrictedUserRange.getLower(), restrictedUserRange.getUpper())};
+ final Vpn vpn = createVpn(PRIMARY_USER.id);
+
+ // Set lockdown calls setRequireVpnForUids
+ vpn.setLockdown(true);
+ verify(mConnectivityManager).setRequireVpnForUids(true, toRanges(primaryUserRangeParcel));
+
+ // Add the restricted user
+ doReturn(true).when(mUserManager).canHaveRestrictedProfile();
+ setMockedUsers(PRIMARY_USER, RESTRICTED_PROFILE_A);
+ vpn.onUserAdded(RESTRICTED_PROFILE_A.id);
+
+ // Expect restricted user range to be added.
+ verify(mConnectivityManager).setRequireVpnForUids(true,
+ toRanges(restrictedUserRangeParcel));
+
+ // Mark as partial indicates that the user is removed, mUserManager.getAliveUsers() does not
+ // return the restricted user but it is still returned in mUserManager.getUserInfo().
+ RESTRICTED_PROFILE_A.partial = true;
+ // Remove the restricted user
+ vpn.onUserRemoved(RESTRICTED_PROFILE_A.id);
+ verify(mConnectivityManager).setRequireVpnForUids(false,
+ toRanges(restrictedUserRangeParcel));
+ // reset to avoid affecting other tests since RESTRICTED_PROFILE_A is static.
+ RESTRICTED_PROFILE_A.partial = false;
+ }
+
+ @Test
+ public void testOnUserAddedAndRemoved_restrictedUserAlwaysOn() throws Exception {
+ final Vpn vpn = createVpn(PRIMARY_USER.id);
+
+ // setAlwaysOnPackage() calls setRequireVpnForUids()
+ assertTrue(vpn.setAlwaysOnPackage(
+ PKGS[0], true /* lockdown */, null /* lockdownAllowlist */));
+ final List<Integer> excludedUids = List.of(PKG_UIDS[0]);
+ final List<Range<Integer>> primaryRanges =
+ makeVpnUidRange(PRIMARY_USER.id, excludedUids);
+ verify(mConnectivityManager).setRequireVpnForUids(true, primaryRanges);
+
+ // Add the restricted user
+ doReturn(true).when(mUserManager).canHaveRestrictedProfile();
+ setMockedUsers(PRIMARY_USER, RESTRICTED_PROFILE_A);
+ vpn.onUserAdded(RESTRICTED_PROFILE_A.id);
+
+ final List<Range<Integer>> restrictedRanges =
+ makeVpnUidRange(RESTRICTED_PROFILE_A.id, excludedUids);
+ // Expect restricted user range to be added.
+ verify(mConnectivityManager).setRequireVpnForUids(true, restrictedRanges);
+
+ // Mark as partial indicates that the user is removed, mUserManager.getAliveUsers() does not
+ // return the restricted user but it is still returned in mUserManager.getUserInfo().
+ RESTRICTED_PROFILE_A.partial = true;
+ // Remove the restricted user
+ vpn.onUserRemoved(RESTRICTED_PROFILE_A.id);
+ verify(mConnectivityManager).setRequireVpnForUids(false, restrictedRanges);
+
+ // reset to avoid affecting other tests since RESTRICTED_PROFILE_A is static.
+ RESTRICTED_PROFILE_A.partial = false;
+ }
+
+ @Test
public void testPrepare_throwSecurityExceptionWhenGivenPackageDoesNotBelongToTheCaller()
throws Exception {
mTestDeps.mIgnoreCallingUidChecks = false;
@@ -1002,12 +1140,12 @@
// List in keystore is not changed, but UID for the removed packages is no longer exempted.
assertEquals(Arrays.asList(PKGS), vpn.getAppExclusionList(TEST_VPN_PKG));
- assertEquals(makeVpnUidRange(PRIMARY_USER.id, newExcludedUids),
+ assertEquals(makeVpnUidRangeSet(PRIMARY_USER.id, newExcludedUids),
vpn.mNetworkCapabilities.getUids());
ArgumentCaptor<NetworkCapabilities> ncCaptor =
ArgumentCaptor.forClass(NetworkCapabilities.class);
verify(mMockNetworkAgent).doSendNetworkCapabilities(ncCaptor.capture());
- assertEquals(makeVpnUidRange(PRIMARY_USER.id, newExcludedUids),
+ assertEquals(makeVpnUidRangeSet(PRIMARY_USER.id, newExcludedUids),
ncCaptor.getValue().getUids());
reset(mMockNetworkAgent);
@@ -1019,26 +1157,28 @@
// List in keystore is not changed and the uid list should be updated in the net cap.
assertEquals(Arrays.asList(PKGS), vpn.getAppExclusionList(TEST_VPN_PKG));
- assertEquals(makeVpnUidRange(PRIMARY_USER.id, newExcludedUids),
+ assertEquals(makeVpnUidRangeSet(PRIMARY_USER.id, newExcludedUids),
vpn.mNetworkCapabilities.getUids());
verify(mMockNetworkAgent).doSendNetworkCapabilities(ncCaptor.capture());
- assertEquals(makeVpnUidRange(PRIMARY_USER.id, newExcludedUids),
+ assertEquals(makeVpnUidRangeSet(PRIMARY_USER.id, newExcludedUids),
ncCaptor.getValue().getUids());
}
- private Set<Range<Integer>> makeVpnUidRange(int userId, List<Integer> excludedList) {
+ private List<Range<Integer>> makeVpnUidRange(int userId, List<Integer> excludedAppIdList) {
final SortedSet<Integer> list = new TreeSet<>();
final int userBase = userId * UserHandle.PER_USER_RANGE;
- for (int uid : excludedList) {
- final int applicationUid = UserHandle.getUid(userId, uid);
- list.add(applicationUid);
- list.add(Process.toSdkSandboxUid(applicationUid)); // Add Sdk Sandbox UID
+ for (int appId : excludedAppIdList) {
+ final int uid = UserHandle.getUid(userId, appId);
+ list.add(uid);
+ if (Process.isApplicationUid(uid)) {
+ list.add(Process.toSdkSandboxUid(uid)); // Add Sdk Sandbox UID
+ }
}
final int minUid = userBase;
final int maxUid = userBase + UserHandle.PER_USER_RANGE - 1;
- final Set<Range<Integer>> ranges = new ArraySet<>();
+ final List<Range<Integer>> ranges = new ArrayList<>();
// Iterate the list to create the ranges between each uid.
int start = minUid;
@@ -1059,6 +1199,10 @@
return ranges;
}
+ private Set<Range<Integer>> makeVpnUidRangeSet(int userId, List<Integer> excludedAppIdList) {
+ return new ArraySet<>(makeVpnUidRange(userId, excludedAppIdList));
+ }
+
@Test
public void testSetAndGetAppExclusionListRestrictedUser() throws Exception {
final Vpn vpn = prepareVpnForVerifyAppExclusionList();