Merge changes from topic "transportinfo-explicit-redaction" into sc-dev
* changes:
Immediately redact VcnTransportInfo.
Do not automatically redact TransportInfo objects.
diff --git a/framework/jni/android_net_NetworkUtils.cpp b/framework/jni/android_net_NetworkUtils.cpp
index 9bf910b..7478b3e 100644
--- a/framework/jni/android_net_NetworkUtils.cpp
+++ b/framework/jni/android_net_NetworkUtils.cpp
@@ -64,7 +64,7 @@
filter_code,
};
- int fd = AFileDescriptor_getFD(env, javaFd);
+ int fd = AFileDescriptor_getFd(env, javaFd);
if (setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) != 0) {
jniThrowExceptionFmt(env, "java/net/SocketException",
"setsockopt(SO_ATTACH_FILTER): %s", strerror(errno));
@@ -74,7 +74,7 @@
static void android_net_utils_detachBPFFilter(JNIEnv *env, jobject clazz, jobject javaFd)
{
int optval_ignored = 0;
- int fd = AFileDescriptor_getFD(env, javaFd);
+ int fd = AFileDescriptor_getFd(env, javaFd);
if (setsockopt(fd, SOL_SOCKET, SO_DETACH_FILTER, &optval_ignored, sizeof(optval_ignored)) !=
0) {
jniThrowExceptionFmt(env, "java/net/SocketException",
@@ -107,7 +107,7 @@
static jint android_net_utils_bindSocketToNetworkHandle(JNIEnv *env, jobject thiz, jobject javaFd,
jlong netHandle) {
- return android_setsocknetwork(netHandle, AFileDescriptor_getFD(env, javaFd));
+ return android_setsocknetwork(netHandle, AFileDescriptor_getFd(env, javaFd));
}
static bool checkLenAndCopy(JNIEnv* env, const jbyteArray& addr, int len, void* dst)
@@ -156,7 +156,7 @@
}
static jobject android_net_utils_resNetworkResult(JNIEnv *env, jobject thiz, jobject javaFd) {
- int fd = AFileDescriptor_getFD(env, javaFd);
+ int fd = AFileDescriptor_getFd(env, javaFd);
int rcode;
uint8_t buf[MAXPACKETSIZE] = {0};
@@ -182,7 +182,7 @@
}
static void android_net_utils_resNetworkCancel(JNIEnv *env, jobject thiz, jobject javaFd) {
- int fd = AFileDescriptor_getFD(env, javaFd);
+ int fd = AFileDescriptor_getFd(env, javaFd);
android_res_cancel(fd);
jniSetFileDescriptorOfFD(env, javaFd, -1);
}
@@ -210,7 +210,7 @@
return NULL;
}
- int fd = AFileDescriptor_getFD(env, javaFd);
+ int fd = AFileDescriptor_getFd(env, javaFd);
struct tcp_repair_window trw = {};
socklen_t size = sizeof(trw);
diff --git a/framework/src/android/net/NetworkCapabilities.java b/framework/src/android/net/NetworkCapabilities.java
index d0b1075..2e4d8f8 100644
--- a/framework/src/android/net/NetworkCapabilities.java
+++ b/framework/src/android/net/NetworkCapabilities.java
@@ -827,8 +827,17 @@
final int[] originalAdministratorUids = getAdministratorUids();
final TransportInfo originalTransportInfo = getTransportInfo();
clearAll();
- mTransportTypes = (originalTransportTypes & TEST_NETWORKS_ALLOWED_TRANSPORTS)
- | (1 << TRANSPORT_TEST);
+ if (0 != (originalCapabilities & NET_CAPABILITY_NOT_RESTRICTED)) {
+ // If the test network is not restricted, then it is only allowed to declare some
+ // specific transports. This is to minimize impact on running apps in case an app
+ // run from the shell creates a test a network.
+ mTransportTypes =
+ (originalTransportTypes & UNRESTRICTED_TEST_NETWORKS_ALLOWED_TRANSPORTS)
+ | (1 << TRANSPORT_TEST);
+ } else {
+ // If the test transport is restricted, then it may declare any transport.
+ mTransportTypes = (originalTransportTypes | (1 << TRANSPORT_TEST));
+ }
mNetworkCapabilities = originalCapabilities & TEST_NETWORKS_ALLOWED_CAPABILITIES;
mNetworkSpecifier = originalSpecifier;
mSignalStrength = originalSignalStrength;
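Review bot: The new condition `0 != (originalCapabilities & NET_CAPABILITY_NOT_RESTRICTED)` appears to AND the capability bitmask with the raw constant rather than with its bit. The transport constants on the following lines are shifted before use (`1 << TRANSPORT_TEST`), and if NET_CAPABILITY_NOT_RESTRICTED is likewise a bit index, the restricted/unrestricted decision depends on unrelated capability bits. An unrestricted test network could then take the `else` branch and declare any transport, which is the case the allow-list is meant to prevent. I would write `if (0 != (originalCapabilities & (1L << NET_CAPABILITY_NOT_RESTRICTED))) {` and add a test for an unrestricted test network that requests a transport outside the allow-list. The enclosing method starts and ends outside this hunk.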
@@ -939,9 +948,10 @@
};
/**
- * Allowed transports on a test network, in addition to TRANSPORT_TEST.
+ * Allowed transports on an unrestricted test network (in addition to TRANSPORT_TEST).
*/
- private static final int TEST_NETWORKS_ALLOWED_TRANSPORTS = 1 << TRANSPORT_TEST
+ private static final int UNRESTRICTED_TEST_NETWORKS_ALLOWED_TRANSPORTS =
+ 1 << TRANSPORT_TEST
// Test ethernet networks can be created with EthernetManager#setIncludeTestInterfaces
| 1 << TRANSPORT_ETHERNET
// Test VPN networks can be created but their UID ranges must be empty.
@@ -2449,7 +2459,8 @@
* For example {@code TRANSPORT_WIFI} and {@code TRANSPORT_ETHERNET} added to a
* {@code NetworkCapabilities} would cause either a Wi-Fi network or an Ethernet network
* to be selected. This is logically different than
- * {@code NetworkCapabilities.NET_CAPABILITY_*}.
+ * {@code NetworkCapabilities.NET_CAPABILITY_*}. Also note that multiple networks with the
+ * same transport type may be active concurrently.
*
* @param transportType the transport type to be added or removed.
* @return this builder
diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index 3b6d747..e4f2203 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -4789,6 +4789,7 @@
(Pair<ProfileNetworkPreferences.Preference, IOnCompleteListener>)
msg.obj;
handleSetProfileNetworkPreference(arg.first, arg.second);
+ break;
}
case EVENT_REPORT_NETWORK_ACTIVITY:
mNetworkActivityTracker.handleReportNetworkActivity();
diff --git a/services/core/java/com/android/server/connectivity/FullScore.java b/services/core/java/com/android/server/connectivity/FullScore.java
index 14cec09..fbfa7a1 100644
--- a/services/core/java/com/android/server/connectivity/FullScore.java
+++ b/services/core/java/com/android/server/connectivity/FullScore.java
@@ -108,9 +108,10 @@
// and all bits managed by FullScore unset. As bits are handled from 0 up in NetworkScore and
// from 63 down in FullScore, cut at the 32nd bit for simplicity, but change this if some day
// there are more than 32 bits handled on either side.
- // YIELD_TO_BAD_WIFI is temporarily handled by ConnectivityService.
- private static final long EXTERNAL_POLICIES_MASK =
- 0x00000000FFFFFFFFL & ~(1L << POLICY_YIELD_TO_BAD_WIFI);
+ // YIELD_TO_BAD_WIFI is temporarily handled by ConnectivityService, but the factory is still
+ // allowed to set it, so that it's possible to transition from handling it in CS to handling
+ // it in the factory.
+ private static final long EXTERNAL_POLICIES_MASK = 0x00000000FFFFFFFFL;
@VisibleForTesting
static @NonNull String policyNameOf(final int policy) {
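Review bot: The rewritten comment above `EXTERNAL_POLICIES_MASK` says YIELD_TO_BAD_WIFI is handled by ConnectivityService while the factory may also set it, but it does not say how the two sources combine. With the bit no longer masked out, a value supplied externally now passes through. Whether ConnectivityService ORs its own value in, overrides it, or defers to the factory is not visible in this hunk. I would extend the comment with one sentence stating which source wins during the transition, so that a later reader can tell whether an externally supplied bit is trusted.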
diff --git a/services/core/java/com/android/server/connectivity/PermissionMonitor.java b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
index 28f208b..5886b1a 100644
--- a/services/core/java/com/android/server/connectivity/PermissionMonitor.java
+++ b/services/core/java/com/android/server/connectivity/PermissionMonitor.java
@@ -338,7 +338,8 @@
return currentPermission;
}
try {
- final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
+ final PackageInfo app = mPackageManager.getPackageInfo(name,
+ GET_PERMISSIONS | MATCH_ANY_USER);
final boolean isNetwork = hasNetworkPermission(app);
final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
if (isNetwork || hasRestrictedPermission) {
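Review bot: The `MATCH_ANY_USER` flag added to `getPackageInfo(name, ...)` has no comment explaining why it is needed. The lookup now also matches packages installed only for other users, yet the call still carries no user, so it is not visible here which user's grant state `hasNetworkPermission(app)` and `hasRestrictedNetworkPermission(app)` read. I would add a short comment at the call, for example `// MATCH_ANY_USER: the package may only be installed for a user other than the caller`, if that is the intent. It is also worth confirming that the resulting permission is applied only to the uid being evaluated. The enclosing method starts and ends outside this hunk.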
@@ -664,6 +665,7 @@
break;
case INetd.PERMISSION_UNINSTALLED:
uninstalledAppIds.add(netdPermissionsAppIds.keyAt(i));
+ break;
default:
Log.e(TAG, "unknown permission type: " + permissions + "for uid: "
+ netdPermissionsAppIds.keyAt(i));
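Review bot: The `default` branch's log string has no space before `for uid`, so it prints the permission value and the words "for uid" run together; `Log.e(TAG, "unknown permission type: " + permissions + " for uid: "` reads correctly. Since the added `break` stops PERMISSION_UNINSTALLED from falling into this branch, the message should from now on only appear for genuinely unknown values. A test that feeds PERMISSION_UNINSTALLED and checks that only the uninstalled list is updated would help keep the fallthrough from coming back. The switch starts and ends outside this hunk.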
diff --git a/tests/net/java/com/android/server/ConnectivityServiceTest.java b/tests/net/java/com/android/server/ConnectivityServiceTest.java
index 8590941..8dbc6e6 100644
--- a/tests/net/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/net/java/com/android/server/ConnectivityServiceTest.java
@@ -2778,8 +2778,9 @@
private void grantUsingBackgroundNetworksPermissionForUid(
final int uid, final String packageName) throws Exception {
- when(mPackageManager.getPackageInfo(eq(packageName), eq(GET_PERMISSIONS)))
- .thenReturn(buildPackageInfo(true, uid));
+ when(mPackageManager.getPackageInfo(
+ eq(packageName), eq(GET_PERMISSIONS | MATCH_ANY_USER)))
+ .thenReturn(buildPackageInfo(true /* hasSystemPermission */, uid));
mService.mPermissionMonitor.onPackageAdded(packageName, uid);
}
diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
index 32c95f1..cf2c9c7 100644
--- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
+++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
@@ -16,9 +16,14 @@
package com.android.server;
+import static android.content.pm.PackageManager.PERMISSION_DENIED;
import static android.content.pm.PackageManager.PERMISSION_GRANTED;
import static android.net.INetd.IF_STATE_DOWN;
import static android.net.INetd.IF_STATE_UP;
+import static android.net.IpSecManager.DIRECTION_FWD;
+import static android.net.IpSecManager.DIRECTION_IN;
+import static android.net.IpSecManager.DIRECTION_OUT;
+import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
import static android.system.OsConstants.AF_INET;
import static android.system.OsConstants.AF_INET6;
@@ -56,6 +61,7 @@
import android.os.ParcelFileDescriptor;
import android.system.Os;
import android.test.mock.MockContext;
+import android.util.ArraySet;
import androidx.test.filters.SmallTest;
@@ -71,6 +77,7 @@
import java.net.Socket;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Set;
/** Unit tests for {@link IpSecService}. */
@SmallTest
@@ -119,7 +126,18 @@
AppOpsManager mMockAppOps = mock(AppOpsManager.class);
ConnectivityManager mMockConnectivityMgr = mock(ConnectivityManager.class);
- MockContext mMockContext = new MockContext() {
+ TestContext mTestContext = new TestContext();
+
+ private class TestContext extends MockContext {
+ private Set<String> mAllowedPermissions = new ArraySet<>(Arrays.asList(
+ android.Manifest.permission.MANAGE_IPSEC_TUNNELS,
+ android.Manifest.permission.NETWORK_STACK,
+ PERMISSION_MAINLINE_NETWORK_STACK));
+
+ private void setAllowedPermissions(String... permissions) {
+ mAllowedPermissions = new ArraySet<>(permissions);
+ }
+
@Override
public Object getSystemService(String name) {
switch(name) {
@@ -147,20 +165,22 @@
@Override
public void enforceCallingOrSelfPermission(String permission, String message) {
- if (permission == android.Manifest.permission.MANAGE_IPSEC_TUNNELS) {
+ if (mAllowedPermissions.contains(permission)) {
return;
+ } else {
+ throw new SecurityException("Unavailable permission requested");
}
- throw new SecurityException("Unavailable permission requested");
}
@Override
public int checkCallingOrSelfPermission(String permission) {
- if (android.Manifest.permission.NETWORK_STACK.equals(permission)) {
+ if (mAllowedPermissions.contains(permission)) {
return PERMISSION_GRANTED;
+ } else {
+ return PERMISSION_DENIED;
}
- throw new UnsupportedOperationException();
}
- };
+ }
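Review bot: `checkCallingOrSelfPermission` now returns PERMISSION_DENIED for every permission outside `mAllowedPermissions`, where the old mock threw UnsupportedOperationException. A permission query the test author did not anticipate is therefore silently treated as denied instead of failing the test. The default set also grants NETWORK_STACK and PERMISSION_MAINLINE_NETWORK_STACK, so any test that does not call `setAllowedPermissions` runs as a privileged caller; a comment on the field saying so would help. I would also name the permission in the failure, `throw new SecurityException("Unavailable permission requested: " + permission);`, so an unexpected enforcement is easy to identify.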
INetd mMockNetd;
PackageManager mMockPkgMgr;
@@ -194,7 +214,7 @@
mMockNetd = mock(INetd.class);
mMockPkgMgr = mock(PackageManager.class);
mMockIpSecSrvConfig = mock(IpSecService.IpSecServiceConfiguration.class);
- mIpSecService = new IpSecService(mMockContext, mMockIpSecSrvConfig);
+ mIpSecService = new IpSecService(mTestContext, mMockIpSecSrvConfig);
// Injecting mock netd
when(mMockIpSecSrvConfig.getNetdInstance()).thenReturn(mMockNetd);
@@ -664,6 +684,21 @@
assertNotNull(createTunnelResp);
assertEquals(IpSecManager.Status.OK, createTunnelResp.status);
+ for (int direction : new int[] {DIRECTION_IN, DIRECTION_OUT, DIRECTION_FWD}) {
+ for (int selAddrFamily : ADDRESS_FAMILIES) {
+ verify(mMockNetd).ipSecAddSecurityPolicy(
+ eq(mUid),
+ eq(selAddrFamily),
+ eq(direction),
+ anyString(),
+ anyString(),
+ eq(0),
+ anyInt(), // iKey/oKey
+ anyInt(), // mask
+ eq(createTunnelResp.resourceId));
+ }
+ }
+
return createTunnelResp;
}
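Review bot: In the new `verify(mMockNetd).ipSecAddSecurityPolicy(...)` block the literal `eq(0)` is the only unlabelled positional argument, while its neighbours carry `// iKey/oKey` and `// mask`. The later `ipSecUpdateSecurityPolicy` verification passes `TEST_SPI` in the same position, so this looks like the SPI; I would write `eq(0), // spi` if that reading is right. Both address arguments are `anyString()`, so the loop checks that a policy is installed for each direction but not that the addresses are oriented correctly for that direction. The enclosing helper starts outside this hunk.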
@@ -798,16 +833,51 @@
}
@Test
- public void testApplyTunnelModeTransform() throws Exception {
- verifyApplyTunnelModeTransformCommon(false);
+ public void testApplyTunnelModeTransformOutbound() throws Exception {
+ verifyApplyTunnelModeTransformCommon(false /* closeSpiBeforeApply */, DIRECTION_OUT);
}
@Test
- public void testApplyTunnelModeTransformReleasedSpi() throws Exception {
- verifyApplyTunnelModeTransformCommon(true);
+ public void testApplyTunnelModeTransformOutboundNonNetworkStack() throws Exception {
+ mTestContext.setAllowedPermissions(android.Manifest.permission.MANAGE_IPSEC_TUNNELS);
+ verifyApplyTunnelModeTransformCommon(false /* closeSpiBeforeApply */, DIRECTION_OUT);
}
- public void verifyApplyTunnelModeTransformCommon(boolean closeSpiBeforeApply) throws Exception {
+ @Test
+ public void testApplyTunnelModeTransformOutboundReleasedSpi() throws Exception {
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_OUT);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformInbound() throws Exception {
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_IN);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformInboundNonNetworkStack() throws Exception {
+ mTestContext.setAllowedPermissions(android.Manifest.permission.MANAGE_IPSEC_TUNNELS);
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_IN);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformForward() throws Exception {
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_FWD);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformForwardNonNetworkStack() throws Exception {
+ mTestContext.setAllowedPermissions(android.Manifest.permission.MANAGE_IPSEC_TUNNELS);
+
+ try {
+ verifyApplyTunnelModeTransformCommon(true /* closeSpiBeforeApply */, DIRECTION_FWD);
+ fail("Expected security exception due to use of forward policies without NETWORK_STACK"
+ + " or MAINLINE_NETWORK_STACK permission");
+ } catch (SecurityException expected) {
+ }
+ }
+
+ public void verifyApplyTunnelModeTransformCommon(boolean closeSpiBeforeApply, int direction)
+ throws Exception {
IpSecConfig ipSecConfig = new IpSecConfig();
ipSecConfig.setMode(IpSecTransform.MODE_TUNNEL);
addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
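Review bot: In `testApplyTunnelModeTransformForwardNonNetworkStack` the `try` wraps the whole of `verifyApplyTunnelModeTransformCommon`, so a SecurityException thrown while the helper creates the transform or the tunnel would satisfy the test just as well as one from `applyTunnelModeTransform`. The test therefore does not establish that the forward-direction permission check is what rejected the call. Running the setup outside the `try` and asserting only around the apply call would do that. Separately, the inbound and forward cases all pass `true /* closeSpiBeforeApply */`, so the unreleased-SPI path is covered only for DIRECTION_OUT. The helper's body continues outside this hunk.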
@@ -825,17 +895,17 @@
int transformResourceId = createTransformResp.resourceId;
int tunnelResourceId = createTunnelResp.resourceId;
mIpSecService.applyTunnelModeTransform(
- tunnelResourceId, IpSecManager.DIRECTION_OUT, transformResourceId, BLESSED_PACKAGE);
+ tunnelResourceId, direction, transformResourceId, BLESSED_PACKAGE);
for (int selAddrFamily : ADDRESS_FAMILIES) {
verify(mMockNetd)
.ipSecUpdateSecurityPolicy(
eq(mUid),
eq(selAddrFamily),
- eq(IpSecManager.DIRECTION_OUT),
+ eq(direction),
anyString(),
anyString(),
- eq(TEST_SPI),
+ eq(direction == DIRECTION_OUT ? TEST_SPI : 0),
anyInt(), // iKey/oKey
anyInt(), // mask
eq(tunnelResourceId));
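Review bot: The expectation `eq(direction == DIRECTION_OUT ? TEST_SPI : 0)` encodes a rule that is not explained anywhere in the hunk. A reader cannot tell from it whether SPI 0 for inbound and forward policies is the intended behaviour or merely what the service happens to do today. I would add a comment above the `verify`, for example `// Only outbound policies are expected to carry the SPI; inbound and forward policies use 0`, if that is the intent. The enclosing helper starts and ends outside this hunk.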
diff --git a/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java b/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
index d7535a9..02a5808 100644
--- a/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
+++ b/tests/net/java/com/android/server/connectivity/PermissionMonitorTest.java
@@ -479,13 +479,14 @@
public void testUidFilteringDuringVpnConnectDisconnectAndUidUpdates() throws Exception {
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
Arrays.asList(new PackageInfo[] {
- buildPackageInfo(/* SYSTEM */ true, SYSTEM_UID1, MOCK_USER1),
- buildPackageInfo(/* SYSTEM */ false, MOCK_UID1, MOCK_USER1),
- buildPackageInfo(/* SYSTEM */ false, MOCK_UID2, MOCK_USER1),
- buildPackageInfo(/* SYSTEM */ false, VPN_UID, MOCK_USER1)
+ buildPackageInfo(true /* hasSystemPermission */, SYSTEM_UID1, MOCK_USER1),
+ buildPackageInfo(false /* hasSystemPermission */, MOCK_UID1, MOCK_USER1),
+ buildPackageInfo(false /* hasSystemPermission */, MOCK_UID2, MOCK_USER1),
+ buildPackageInfo(false /* hasSystemPermission */, VPN_UID, MOCK_USER1)
}));
- when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE1), eq(GET_PERMISSIONS))).thenReturn(
- buildPackageInfo(false, MOCK_UID1, MOCK_USER1));
+ when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE1),
+ eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
+ buildPackageInfo(false /* hasSystemPermission */, MOCK_UID1, MOCK_USER1));
mPermissionMonitor.startMonitoring();
// Every app on user 0 except MOCK_UID2 are under VPN.
final Set<UidRange> vpnRange1 = new HashSet<>(Arrays.asList(new UidRange[] {
@@ -530,11 +531,12 @@
public void testUidFilteringDuringPackageInstallAndUninstall() throws Exception {
when(mPackageManager.getInstalledPackages(eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
Arrays.asList(new PackageInfo[] {
- buildPackageInfo(true, SYSTEM_UID1, MOCK_USER1),
- buildPackageInfo(false, VPN_UID, MOCK_USER1)
+ buildPackageInfo(true /* hasSystemPermission */, SYSTEM_UID1, MOCK_USER1),
+ buildPackageInfo(false /* hasSystemPermission */, VPN_UID, MOCK_USER1)
}));
- when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE1), eq(GET_PERMISSIONS))).thenReturn(
- buildPackageInfo(false, MOCK_UID1, MOCK_USER1));
+ when(mPackageManager.getPackageInfo(eq(MOCK_PACKAGE1),
+ eq(GET_PERMISSIONS | MATCH_ANY_USER))).thenReturn(
+ buildPackageInfo(false /* hasSystemPermission */, MOCK_UID1, MOCK_USER1));
mPermissionMonitor.startMonitoring();
final Set<UidRange> vpnRange = Collections.singleton(UidRange.createForUser(MOCK_USER1));