Merge "Rename satisfiedBy to canBeSatisfiedBy for MatchAllNetworkSpecifier"
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index 6892a94..ad07e7c 100644
--- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java
@@ -2044,13 +2044,22 @@
public boolean requestRouteToHostAddress(int networkType, InetAddress hostAddress) {
checkLegacyRoutingApiAccess();
try {
- return mService.requestRouteToHostAddress(networkType, hostAddress.getAddress());
+ return mService.requestRouteToHostAddress(networkType, hostAddress.getAddress(),
+ mContext.getOpPackageName(), getAttributionTag());
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
/**
+ * @return the context's attribution tag
+ */
+ // TODO: Remove method and replace with direct call once R code is pushed to AOSP
+ private @Nullable String getAttributionTag() {
+ return null;
+ }
+
+ /**
* Returns the value of the setting for background data usage. If false,
* applications should not use the network if the application is not in the
* foreground. Developers should respect this setting, and check the value
@@ -2240,14 +2249,30 @@
* services.jar, possibly in com.android.server.net. */
/** {@hide} */
- public static final void enforceChangePermission(Context context) {
+ public static final void enforceChangePermission(Context context,
+ String callingPkg, String callingAttributionTag) {
int uid = Binder.getCallingUid();
- Settings.checkAndNoteChangeNetworkStateOperation(context, uid, Settings
- .getPackageNameForUid(context, uid), true /* throwException */);
+ checkAndNoteChangeNetworkStateOperation(context, uid, callingPkg,
+ callingAttributionTag, true /* throwException */);
+ }
+
+ /**
+ * Check if the package is a allowed to change the network state. This also accounts that such
+ * an access happened.
+ *
+ * @return {@code true} iff the package is allowed to change the network state.
+ */
+ // TODO: Remove method and replace with direct call once R code is pushed to AOSP
+ private static boolean checkAndNoteChangeNetworkStateOperation(@NonNull Context context,
+ int uid, @NonNull String callingPackage, @Nullable String callingAttributionTag,
+ boolean throwException) {
+ return Settings.checkAndNoteChangeNetworkStateOperation(context, uid, callingPackage,
+ throwException);
}
/** {@hide} */
- public static final void enforceTetherChangePermission(Context context, String callingPkg) {
+ public static final void enforceTetherChangePermission(Context context, String callingPkg,
+ String callingAttributionTag) {
Preconditions.checkNotNull(context, "Context cannot be null");
Preconditions.checkNotNull(callingPkg, "callingPkg cannot be null");
@@ -2261,12 +2286,26 @@
int uid = Binder.getCallingUid();
// If callingPkg's uid is not same as Binder.getCallingUid(),
// AppOpsService throws SecurityException.
- Settings.checkAndNoteWriteSettingsOperation(context, uid, callingPkg,
- true /* throwException */);
+ checkAndNoteWriteSettingsOperation(context, uid, callingPkg,
+ callingAttributionTag, true /* throwException */);
}
}
/**
+ * Check if the package is a allowed to write settings. This also accounts that such an access
+ * happened.
+ *
+ * @return {@code true} iff the package is allowed to write settings.
+ */
+ // TODO: Remove method and replace with direct call once R code is pushed to AOSP
+ private static boolean checkAndNoteWriteSettingsOperation(@NonNull Context context, int uid,
+ @NonNull String callingPackage, @Nullable String callingAttributionTag,
+ boolean throwException) {
+ return Settings.checkAndNoteWriteSettingsOperation(context, uid, callingPackage,
+ throwException);
+ }
+
+ /**
* @deprecated - use getSystemService. This is a kludge to support static access in certain
* situations where a Context pointer is unavailable.
* @hide
@@ -3706,7 +3745,8 @@
need, messenger, binder, callingPackageName);
} else {
request = mService.requestNetwork(
- need, messenger, timeoutMs, binder, legacyType, callingPackageName);
+ need, messenger, timeoutMs, binder, legacyType, callingPackageName,
+ getAttributionTag());
}
if (request != null) {
sCallbacks.put(request, callback);
@@ -3982,7 +4022,8 @@
checkPendingIntentNotNull(operation);
try {
mService.pendingRequestForNetwork(
- request.networkCapabilities, operation, mContext.getOpPackageName());
+ request.networkCapabilities, operation, mContext.getOpPackageName(),
+ getAttributionTag());
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
} catch (ServiceSpecificException e) {
diff --git a/core/java/android/net/IConnectivityManager.aidl b/core/java/android/net/IConnectivityManager.aidl
index 1434560..b0f79bc 100644
--- a/core/java/android/net/IConnectivityManager.aidl
+++ b/core/java/android/net/IConnectivityManager.aidl
@@ -77,7 +77,8 @@
NetworkQuotaInfo getActiveNetworkQuotaInfo();
boolean isActiveNetworkMetered();
- boolean requestRouteToHostAddress(int networkType, in byte[] hostAddress);
+ boolean requestRouteToHostAddress(int networkType, in byte[] hostAddress,
+ String callingPackageName, String callingAttributionTag);
@UnsupportedAppUsage(maxTargetSdk = 29,
publicAlternatives = "Use {@code TetheringManager#getLastTetherError} as alternative")
@@ -168,10 +169,10 @@
NetworkRequest requestNetwork(in NetworkCapabilities networkCapabilities,
in Messenger messenger, int timeoutSec, in IBinder binder, int legacy,
- String callingPackageName);
+ String callingPackageName, String callingAttributionTag);
NetworkRequest pendingRequestForNetwork(in NetworkCapabilities networkCapabilities,
- in PendingIntent operation, String callingPackageName);
+ in PendingIntent operation, String callingPackageName, String callingAttributionTag);
void releasePendingNetworkRequest(in PendingIntent operation);
diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index 336a090..58e06e0 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java
@@ -18,6 +18,14 @@
import static android.Manifest.permission.RECEIVE_DATA_ACTIVITY_CHANGE;
import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+import static android.net.ConnectivityDiagnosticsManager.ConnectivityReport.KEY_NETWORK_PROBES_ATTEMPTED_BITMASK;
+import static android.net.ConnectivityDiagnosticsManager.ConnectivityReport.KEY_NETWORK_PROBES_SUCCEEDED_BITMASK;
+import static android.net.ConnectivityDiagnosticsManager.ConnectivityReport.KEY_NETWORK_VALIDATION_RESULT;
+import static android.net.ConnectivityDiagnosticsManager.DataStallReport.DETECTION_METHOD_DNS_EVENTS;
+import static android.net.ConnectivityDiagnosticsManager.DataStallReport.DETECTION_METHOD_TCP_METRICS;
+import static android.net.ConnectivityDiagnosticsManager.DataStallReport.KEY_DNS_CONSECUTIVE_TIMEOUTS;
+import static android.net.ConnectivityDiagnosticsManager.DataStallReport.KEY_TCP_METRICS_COLLECTION_PERIOD_MILLIS;
+import static android.net.ConnectivityDiagnosticsManager.DataStallReport.KEY_TCP_PACKET_FAIL_RATE;
import static android.net.ConnectivityManager.CONNECTIVITY_ACTION;
import static android.net.ConnectivityManager.NETID_UNSET;
import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_OPPORTUNISTIC;
@@ -72,6 +80,7 @@
import android.net.ConnectivityDiagnosticsManager.ConnectivityReport;
import android.net.ConnectivityDiagnosticsManager.DataStallReport;
import android.net.ConnectivityManager;
+import android.net.DataStallReportParcelable;
import android.net.ICaptivePortal;
import android.net.IConnectivityDiagnosticsCallback;
import android.net.IConnectivityManager;
@@ -108,6 +117,7 @@
import android.net.NetworkStack;
import android.net.NetworkStackClient;
import android.net.NetworkState;
+import android.net.NetworkTestResultParcelable;
import android.net.NetworkUtils;
import android.net.NetworkWatchlistManager;
import android.net.PrivateDnsConfigParcel;
@@ -1819,11 +1829,12 @@
* @return {@code true} on success, {@code false} on failure
*/
@Override
- public boolean requestRouteToHostAddress(int networkType, byte[] hostAddress) {
+ public boolean requestRouteToHostAddress(int networkType, byte[] hostAddress,
+ String callingPackageName, String callingAttributionTag) {
if (disallowedBecauseSystemCaller()) {
return false;
}
- enforceChangePermission();
+ enforceChangePermission(callingPackageName, callingAttributionTag);
if (mProtectedNetworks.contains(networkType)) {
enforceConnectivityRestrictedNetworksPermission();
}
@@ -2077,8 +2088,8 @@
"ConnectivityService");
}
- private void enforceChangePermission() {
- ConnectivityManager.enforceChangePermission(mContext);
+ private void enforceChangePermission(String callingPkg, String callingAttributionTag) {
+ ConnectivityManager.enforceChangePermission(mContext, callingPkg, callingAttributionTag);
}
private void enforceSettingsPermission() {
@@ -2811,14 +2822,6 @@
handleNetworkTested(nai, results.mTestResult,
(results.mRedirectUrl == null) ? "" : results.mRedirectUrl);
-
- // Invoke ConnectivityReport generation for this Network test event.
- final Message m =
- mConnectivityDiagnosticsHandler.obtainMessage(
- ConnectivityDiagnosticsHandler.EVENT_NETWORK_TESTED,
- new ConnectivityReportEvent(results.mTimestampMillis, nai));
- m.setData(msg.getData());
- mConnectivityDiagnosticsHandler.sendMessage(m);
break;
}
case EVENT_PROVISIONING_NOTIFICATION: {
@@ -2997,23 +3000,36 @@
@Override
public void notifyNetworkTested(int testResult, @Nullable String redirectUrl) {
- notifyNetworkTestedWithExtras(testResult, redirectUrl, SystemClock.elapsedRealtime(),
- PersistableBundle.EMPTY);
+ // Legacy version of notifyNetworkTestedWithExtras.
+ // Would only be called if the system has a NetworkStack module older than the
+ // framework, which does not happen in practice.
+ Slog.wtf(TAG, "Deprecated notifyNetworkTested called: no action taken");
}
@Override
- public void notifyNetworkTestedWithExtras(
- int testResult,
- @Nullable String redirectUrl,
- long timestampMillis,
- @NonNull PersistableBundle extras) {
- final Message msg =
- mTrackerHandler.obtainMessage(
- EVENT_NETWORK_TESTED,
- new NetworkTestedResults(
- mNetId, testResult, timestampMillis, redirectUrl));
- msg.setData(new Bundle(extras));
+ public void notifyNetworkTestedWithExtras(NetworkTestResultParcelable p) {
+ // Notify mTrackerHandler and mConnectivityDiagnosticsHandler of the event. Both use
+ // the same looper so messages will be processed in sequence.
+ final Message msg = mTrackerHandler.obtainMessage(
+ EVENT_NETWORK_TESTED,
+ new NetworkTestedResults(
+ mNetId, p.result, p.timestampMillis, p.redirectUrl));
mTrackerHandler.sendMessage(msg);
+
+ // Invoke ConnectivityReport generation for this Network test event.
+ final NetworkAgentInfo nai = getNetworkAgentInfoForNetId(mNetId);
+ if (nai == null) return;
+ final Message m = mConnectivityDiagnosticsHandler.obtainMessage(
+ ConnectivityDiagnosticsHandler.EVENT_NETWORK_TESTED,
+ new ConnectivityReportEvent(p.timestampMillis, nai));
+
+ final PersistableBundle extras = new PersistableBundle();
+ extras.putInt(KEY_NETWORK_VALIDATION_RESULT, p.result);
+ extras.putInt(KEY_NETWORK_PROBES_SUCCEEDED_BITMASK, p.probesSucceeded);
+ extras.putInt(KEY_NETWORK_PROBES_ATTEMPTED_BITMASK, p.probesAttempted);
+
+ m.setData(new Bundle(extras));
+ mConnectivityDiagnosticsHandler.sendMessage(m);
}
@Override
@@ -3062,12 +3078,25 @@
}
@Override
- public void notifyDataStallSuspected(
- long timestampMillis, int detectionMethod, PersistableBundle extras) {
- final Message msg =
- mConnectivityDiagnosticsHandler.obtainMessage(
- ConnectivityDiagnosticsHandler.EVENT_DATA_STALL_SUSPECTED,
- detectionMethod, mNetId, timestampMillis);
+ public void notifyDataStallSuspected(DataStallReportParcelable p) {
+ final Message msg = mConnectivityDiagnosticsHandler.obtainMessage(
+ ConnectivityDiagnosticsHandler.EVENT_DATA_STALL_SUSPECTED,
+ p.detectionMethod, mNetId, p.timestampMillis);
+
+ final PersistableBundle extras = new PersistableBundle();
+ switch (p.detectionMethod) {
+ case DETECTION_METHOD_DNS_EVENTS:
+ extras.putInt(KEY_DNS_CONSECUTIVE_TIMEOUTS, p.dnsConsecutiveTimeouts);
+ break;
+ case DETECTION_METHOD_TCP_METRICS:
+ extras.putInt(KEY_TCP_PACKET_FAIL_RATE, p.tcpPacketFailRate);
+ extras.putInt(KEY_TCP_METRICS_COLLECTION_PERIOD_MILLIS,
+ p.tcpMetricsCollectionPeriodMillis);
+ break;
+ default:
+ log("Unknown data stall detection method, ignoring: " + p.detectionMethod);
+ return;
+ }
msg.setData(new Bundle(extras));
// NetworkStateTrackerHandler currently doesn't take any actions based on data
@@ -5430,7 +5459,7 @@
@Override
public NetworkRequest requestNetwork(NetworkCapabilities networkCapabilities,
Messenger messenger, int timeoutMs, IBinder binder, int legacyType,
- @NonNull String callingPackageName) {
+ @NonNull String callingPackageName, @Nullable String callingAttributionTag) {
if (legacyType != TYPE_NONE && !checkNetworkStackPermission()) {
if (checkUnsupportedStartingFrom(Build.VERSION_CODES.M, callingPackageName)) {
throw new SecurityException("Insufficient permissions to specify legacy type");
@@ -5448,7 +5477,8 @@
enforceAccessPermission();
} else {
networkCapabilities = new NetworkCapabilities(networkCapabilities);
- enforceNetworkRequestPermissions(networkCapabilities);
+ enforceNetworkRequestPermissions(networkCapabilities, callingPackageName,
+ callingAttributionTag);
// TODO: this is incorrect. We mark the request as metered or not depending on the state
// of the app when the request is filed, but we never change the request if the app
// changes network state. http://b/29964605
@@ -5483,11 +5513,12 @@
return networkRequest;
}
- private void enforceNetworkRequestPermissions(NetworkCapabilities networkCapabilities) {
+ private void enforceNetworkRequestPermissions(NetworkCapabilities networkCapabilities,
+ String callingPackageName, String callingAttributionTag) {
if (networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) == false) {
enforceConnectivityRestrictedNetworksPermission();
} else {
- enforceChangePermission();
+ enforceChangePermission(callingPackageName, callingAttributionTag);
}
}
@@ -5538,11 +5569,13 @@
@Override
public NetworkRequest pendingRequestForNetwork(NetworkCapabilities networkCapabilities,
- PendingIntent operation, @NonNull String callingPackageName) {
+ PendingIntent operation, @NonNull String callingPackageName,
+ @Nullable String callingAttributionTag) {
Objects.requireNonNull(operation, "PendingIntent cannot be null.");
final int callingUid = Binder.getCallingUid();
networkCapabilities = new NetworkCapabilities(networkCapabilities);
- enforceNetworkRequestPermissions(networkCapabilities);
+ enforceNetworkRequestPermissions(networkCapabilities, callingPackageName,
+ callingAttributionTag);
enforceMeteredApnPolicy(networkCapabilities);
ensureRequestableCapabilities(networkCapabilities);
ensureSufficientPermissionsForRequest(networkCapabilities,
diff --git a/tests/net/common/java/android/net/NetworkSpecifierTest.kt b/tests/net/common/java/android/net/NetworkSpecifierTest.kt
new file mode 100644
index 0000000..f3409f5
--- /dev/null
+++ b/tests/net/common/java/android/net/NetworkSpecifierTest.kt
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.net
+
+import android.os.Build
+import androidx.test.filters.SmallTest
+import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo
+import com.android.testutils.DevSdkIgnoreRunner
+import kotlin.test.assertTrue
+import kotlin.test.assertEquals
+import kotlin.test.assertFalse
+import kotlin.test.assertNotEquals
+import org.junit.Test
+import org.junit.runner.RunWith
+
+@SmallTest
+@RunWith(DevSdkIgnoreRunner::class)
+@IgnoreUpTo(Build.VERSION_CODES.Q)
+class NetworkSpecifierTest {
+ private class TestNetworkSpecifier(
+ val intData: Int = 123,
+ val stringData: String = "init"
+ ) : NetworkSpecifier() {
+ override fun canBeSatisfiedBy(other: NetworkSpecifier?): Boolean =
+ other != null &&
+ other is TestNetworkSpecifier &&
+ other.intData >= intData &&
+ stringData.equals(other.stringData)
+
+ override fun redact(): NetworkSpecifier = TestNetworkSpecifier(intData, "redact")
+ }
+
+ @Test
+ fun testRedact() {
+ val ns: TestNetworkSpecifier = TestNetworkSpecifier()
+ val redactNs = ns.redact()
+ assertTrue(redactNs is TestNetworkSpecifier)
+ assertEquals(ns.intData, redactNs.intData)
+ assertNotEquals(ns.stringData, redactNs.stringData)
+ assertTrue("redact".equals(redactNs.stringData))
+ }
+
+ @Test
+ fun testcanBeSatisfiedBy() {
+ val target: TestNetworkSpecifier = TestNetworkSpecifier()
+ assertFalse(target.canBeSatisfiedBy(null))
+ assertTrue(target.canBeSatisfiedBy(TestNetworkSpecifier()))
+ val otherNs = TelephonyNetworkSpecifier.Builder().setSubscriptionId(123).build()
+ assertFalse(target.canBeSatisfiedBy(otherNs))
+ assertTrue(target.canBeSatisfiedBy(TestNetworkSpecifier(intData = 999)))
+ assertFalse(target.canBeSatisfiedBy(TestNetworkSpecifier(intData = 1)))
+ assertFalse(target.canBeSatisfiedBy(TestNetworkSpecifier(stringData = "diff")))
+ }
+}
\ No newline at end of file
diff --git a/tests/net/java/android/net/ConnectivityManagerTest.java b/tests/net/java/android/net/ConnectivityManagerTest.java
index d6bf334..d74a621 100644
--- a/tests/net/java/android/net/ConnectivityManagerTest.java
+++ b/tests/net/java/android/net/ConnectivityManagerTest.java
@@ -36,6 +36,7 @@
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.nullable;
import static org.mockito.Mockito.any;
import static org.mockito.Mockito.anyBoolean;
import static org.mockito.Mockito.anyInt;
@@ -213,7 +214,7 @@
// register callback
when(mService.requestNetwork(
- any(), captor.capture(), anyInt(), any(), anyInt(), any()))
+ any(), captor.capture(), anyInt(), any(), anyInt(), any(), nullable(String.class)))
.thenReturn(request);
manager.requestNetwork(request, callback, handler);
@@ -242,7 +243,7 @@
// register callback
when(mService.requestNetwork(
- any(), captor.capture(), anyInt(), any(), anyInt(), any()))
+ any(), captor.capture(), anyInt(), any(), anyInt(), any(), nullable(String.class)))
.thenReturn(req1);
manager.requestNetwork(req1, callback, handler);
@@ -261,7 +262,7 @@
// callback can be registered again
when(mService.requestNetwork(
- any(), captor.capture(), anyInt(), any(), anyInt(), any()))
+ any(), captor.capture(), anyInt(), any(), anyInt(), any(), nullable(String.class)))
.thenReturn(req2);
manager.requestNetwork(req2, callback, handler);
@@ -285,8 +286,8 @@
info.targetSdkVersion = VERSION_CODES.N_MR1 + 1;
when(mCtx.getApplicationInfo()).thenReturn(info);
- when(mService.requestNetwork(any(), any(), anyInt(), any(), anyInt(), any()))
- .thenReturn(request);
+ when(mService.requestNetwork(any(), any(), anyInt(), any(), anyInt(), any(),
+ nullable(String.class))).thenReturn(request);
Handler handler = new Handler(Looper.getMainLooper());
manager.requestNetwork(request, callback, handler);
diff --git a/tests/net/java/android/net/Ikev2VpnProfileTest.java b/tests/net/java/android/net/Ikev2VpnProfileTest.java
index 2273bc6..ada5494 100644
--- a/tests/net/java/android/net/Ikev2VpnProfileTest.java
+++ b/tests/net/java/android/net/Ikev2VpnProfileTest.java
@@ -40,7 +40,10 @@
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
+import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.security.auth.x500.X500Principal;
@@ -106,6 +109,7 @@
assertTrue(profile.isBypassable());
assertTrue(profile.isMetered());
assertEquals(TEST_MTU, profile.getMaxMtu());
+ assertEquals(Ikev2VpnProfile.DEFAULT_ALGORITHMS, profile.getAllowedAlgorithms());
}
@Test
@@ -160,6 +164,78 @@
}
@Test
+ public void testBuildWithAllowedAlgorithmsAead() throws Exception {
+ final Ikev2VpnProfile.Builder builder = getBuilderWithDefaultOptions();
+ builder.setAuthPsk(PSK_BYTES);
+
+ List<String> allowedAlgorithms = Arrays.asList(IpSecAlgorithm.AUTH_CRYPT_AES_GCM);
+ builder.setAllowedAlgorithms(allowedAlgorithms);
+
+ final Ikev2VpnProfile profile = builder.build();
+ assertEquals(allowedAlgorithms, profile.getAllowedAlgorithms());
+ }
+
+ @Test
+ public void testBuildWithAllowedAlgorithmsNormal() throws Exception {
+ final Ikev2VpnProfile.Builder builder = getBuilderWithDefaultOptions();
+ builder.setAuthPsk(PSK_BYTES);
+
+ List<String> allowedAlgorithms =
+ Arrays.asList(IpSecAlgorithm.AUTH_HMAC_SHA512, IpSecAlgorithm.CRYPT_AES_CBC);
+ builder.setAllowedAlgorithms(allowedAlgorithms);
+
+ final Ikev2VpnProfile profile = builder.build();
+ assertEquals(allowedAlgorithms, profile.getAllowedAlgorithms());
+ }
+
+ @Test
+ public void testSetAllowedAlgorithmsEmptyList() throws Exception {
+ final Ikev2VpnProfile.Builder builder = getBuilderWithDefaultOptions();
+
+ try {
+ builder.setAllowedAlgorithms(new ArrayList<>());
+ fail("Expected exception due to no valid algorithm set");
+ } catch (IllegalArgumentException expected) {
+ }
+ }
+
+ @Test
+ public void testSetAllowedAlgorithmsInvalidList() throws Exception {
+ final Ikev2VpnProfile.Builder builder = getBuilderWithDefaultOptions();
+ List<String> allowedAlgorithms = new ArrayList<>();
+
+ try {
+ builder.setAllowedAlgorithms(Arrays.asList(IpSecAlgorithm.AUTH_HMAC_SHA256));
+ fail("Expected exception due to missing encryption");
+ } catch (IllegalArgumentException expected) {
+ }
+
+ try {
+ builder.setAllowedAlgorithms(Arrays.asList(IpSecAlgorithm.CRYPT_AES_CBC));
+ fail("Expected exception due to missing authentication");
+ } catch (IllegalArgumentException expected) {
+ }
+ }
+
+ @Test
+ public void testSetAllowedAlgorithmsInsecureAlgorithm() throws Exception {
+ final Ikev2VpnProfile.Builder builder = getBuilderWithDefaultOptions();
+ List<String> allowedAlgorithms = new ArrayList<>();
+
+ try {
+ builder.setAllowedAlgorithms(Arrays.asList(IpSecAlgorithm.AUTH_HMAC_MD5));
+ fail("Expected exception due to insecure algorithm");
+ } catch (IllegalArgumentException expected) {
+ }
+
+ try {
+ builder.setAllowedAlgorithms(Arrays.asList(IpSecAlgorithm.AUTH_HMAC_SHA1));
+ fail("Expected exception due to insecure algorithm");
+ } catch (IllegalArgumentException expected) {
+ }
+ }
+
+ @Test
public void testBuildNoAuthMethodSet() throws Exception {
final Ikev2VpnProfile.Builder builder = getBuilderWithDefaultOptions();
diff --git a/tests/net/java/com/android/server/ConnectivityServiceTest.java b/tests/net/java/com/android/server/ConnectivityServiceTest.java
index a478e68..656fe48 100644
--- a/tests/net/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/net/java/com/android/server/ConnectivityServiceTest.java
@@ -144,6 +144,7 @@
import android.net.ConnectivityManager.PacketKeepaliveCallback;
import android.net.ConnectivityManager.TooManyRequestsException;
import android.net.ConnectivityThread;
+import android.net.DataStallReportParcelable;
import android.net.IConnectivityDiagnosticsCallback;
import android.net.IDnsResolver;
import android.net.IIpConnectivityMetrics;
@@ -170,6 +171,7 @@
import android.net.NetworkStack;
import android.net.NetworkStackClient;
import android.net.NetworkState;
+import android.net.NetworkTestResultParcelable;
import android.net.NetworkUtils;
import android.net.ProxyInfo;
import android.net.ResolverParamsParcel;
@@ -196,7 +198,6 @@
import android.os.Parcel;
import android.os.ParcelFileDescriptor;
import android.os.Parcelable;
-import android.os.PersistableBundle;
import android.os.Process;
import android.os.RemoteException;
import android.os.SystemClock;
@@ -580,14 +581,6 @@
}
private class TestNetworkAgentWrapper extends NetworkAgentWrapper {
- private static final int VALIDATION_RESULT_BASE = NETWORK_VALIDATION_PROBE_DNS
- | NETWORK_VALIDATION_PROBE_HTTP
- | NETWORK_VALIDATION_PROBE_HTTPS;
- private static final int VALIDATION_RESULT_VALID = VALIDATION_RESULT_BASE
- | NETWORK_VALIDATION_RESULT_VALID;
- private static final int VALIDATION_RESULT_PARTIAL = VALIDATION_RESULT_BASE
- | NETWORK_VALIDATION_PROBE_FALLBACK
- | NETWORK_VALIDATION_RESULT_PARTIAL;
private static final int VALIDATION_RESULT_INVALID = 0;
private static final long DATA_STALL_TIMESTAMP = 10L;
@@ -595,12 +588,10 @@
private INetworkMonitor mNetworkMonitor;
private INetworkMonitorCallbacks mNmCallbacks;
- private int mNmValidationResult = VALIDATION_RESULT_BASE;
+ private int mNmValidationResult = VALIDATION_RESULT_INVALID;
private int mProbesCompleted;
private int mProbesSucceeded;
private String mNmValidationRedirectUrl = null;
- private PersistableBundle mValidationExtras = PersistableBundle.EMPTY;
- private PersistableBundle mDataStallExtras = PersistableBundle.EMPTY;
private boolean mNmProvNotificationRequested = false;
private final ConditionVariable mNetworkStatusReceived = new ConditionVariable();
@@ -668,8 +659,13 @@
}
mNmCallbacks.notifyProbeStatusChanged(mProbesCompleted, mProbesSucceeded);
- mNmCallbacks.notifyNetworkTestedWithExtras(
- mNmValidationResult, mNmValidationRedirectUrl, TIMESTAMP, mValidationExtras);
+ final NetworkTestResultParcelable p = new NetworkTestResultParcelable();
+ p.result = mNmValidationResult;
+ p.probesAttempted = mProbesCompleted;
+ p.probesSucceeded = mProbesSucceeded;
+ p.redirectUrl = mNmValidationRedirectUrl;
+ p.timestampMillis = TIMESTAMP;
+ mNmCallbacks.notifyNetworkTestedWithExtras(p);
if (mNmValidationRedirectUrl != null) {
mNmCallbacks.showProvisioningNotification(
@@ -751,9 +747,9 @@
}
void setNetworkValid(boolean isStrictMode) {
- mNmValidationResult = VALIDATION_RESULT_VALID;
+ mNmValidationResult = NETWORK_VALIDATION_RESULT_VALID;
mNmValidationRedirectUrl = null;
- int probesSucceeded = VALIDATION_RESULT_BASE & ~NETWORK_VALIDATION_PROBE_HTTP;
+ int probesSucceeded = NETWORK_VALIDATION_PROBE_DNS | NETWORK_VALIDATION_PROBE_HTTPS;
if (isStrictMode) {
probesSucceeded |= NETWORK_VALIDATION_PROBE_PRIVDNS;
}
@@ -765,8 +761,9 @@
void setNetworkInvalid(boolean isStrictMode) {
mNmValidationResult = VALIDATION_RESULT_INVALID;
mNmValidationRedirectUrl = null;
- int probesCompleted = VALIDATION_RESULT_BASE;
- int probesSucceeded = VALIDATION_RESULT_INVALID;
+ int probesCompleted = NETWORK_VALIDATION_PROBE_DNS | NETWORK_VALIDATION_PROBE_HTTPS
+ | NETWORK_VALIDATION_PROBE_HTTP;
+ int probesSucceeded = 0;
// If the isStrictMode is true, it means the network is invalid when NetworkMonitor
// tried to validate the private DNS but failed.
if (isStrictMode) {
@@ -782,7 +779,7 @@
mNmValidationRedirectUrl = redirectUrl;
// Suppose the portal is found when NetworkMonitor probes NETWORK_VALIDATION_PROBE_HTTP
// in the beginning, so the NETWORK_VALIDATION_PROBE_HTTPS hasn't probed yet.
- int probesCompleted = VALIDATION_RESULT_BASE & ~NETWORK_VALIDATION_PROBE_HTTPS;
+ int probesCompleted = NETWORK_VALIDATION_PROBE_DNS | NETWORK_VALIDATION_PROBE_HTTP;
int probesSucceeded = VALIDATION_RESULT_INVALID;
if (isStrictMode) {
probesCompleted |= NETWORK_VALIDATION_PROBE_PRIVDNS;
@@ -791,18 +788,20 @@
}
void setNetworkPartial() {
- mNmValidationResult = VALIDATION_RESULT_PARTIAL;
+ mNmValidationResult = NETWORK_VALIDATION_RESULT_PARTIAL;
mNmValidationRedirectUrl = null;
- int probesCompleted = VALIDATION_RESULT_BASE;
- int probesSucceeded = VALIDATION_RESULT_BASE & ~NETWORK_VALIDATION_PROBE_HTTPS;
+ int probesCompleted = NETWORK_VALIDATION_PROBE_DNS | NETWORK_VALIDATION_PROBE_HTTPS
+ | NETWORK_VALIDATION_PROBE_FALLBACK;
+ int probesSucceeded = NETWORK_VALIDATION_PROBE_DNS | NETWORK_VALIDATION_PROBE_FALLBACK;
setProbesStatus(probesCompleted, probesSucceeded);
}
void setNetworkPartialValid(boolean isStrictMode) {
setNetworkPartial();
- mNmValidationResult |= VALIDATION_RESULT_VALID;
- int probesCompleted = VALIDATION_RESULT_BASE;
- int probesSucceeded = VALIDATION_RESULT_BASE & ~NETWORK_VALIDATION_PROBE_HTTPS;
+ mNmValidationResult |= NETWORK_VALIDATION_RESULT_VALID;
+ int probesCompleted = NETWORK_VALIDATION_PROBE_DNS | NETWORK_VALIDATION_PROBE_HTTPS
+ | NETWORK_VALIDATION_PROBE_HTTP;
+ int probesSucceeded = NETWORK_VALIDATION_PROBE_DNS | NETWORK_VALIDATION_PROBE_HTTP;
// Suppose the partial network cannot pass the private DNS validation as well, so only
// add NETWORK_VALIDATION_PROBE_DNS in probesCompleted but not probesSucceeded.
if (isStrictMode) {
@@ -838,8 +837,10 @@
}
void notifyDataStallSuspected() throws Exception {
- mNmCallbacks.notifyDataStallSuspected(
- DATA_STALL_TIMESTAMP, DATA_STALL_DETECTION_METHOD, mDataStallExtras);
+ final DataStallReportParcelable p = new DataStallReportParcelable();
+ p.detectionMethod = DATA_STALL_DETECTION_METHOD;
+ p.timestampMillis = DATA_STALL_TIMESTAMP;
+ mNmCallbacks.notifyDataStallSuspected(p);
}
}
@@ -3049,6 +3050,13 @@
assertNoCallbacks(cEmpty1, cEmpty2, cEmpty3, cEmpty4, cFoo, cBar);
}
+ /**
+ * @return the context's attribution tag
+ */
+ private String getAttributionTag() {
+ return null;
+ }
+
@Test
public void testInvalidNetworkSpecifier() {
assertThrows(IllegalArgumentException.class, () -> {
@@ -3061,7 +3069,8 @@
networkCapabilities.addTransportType(TRANSPORT_WIFI)
.setNetworkSpecifier(new MatchAllNetworkSpecifier());
mService.requestNetwork(networkCapabilities, null, 0, null,
- ConnectivityManager.TYPE_WIFI, mContext.getPackageName());
+ ConnectivityManager.TYPE_WIFI, mContext.getPackageName(),
+ getAttributionTag());
});
class NonParcelableSpecifier extends NetworkSpecifier {
diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
index 23098ec..529d03c 100644
--- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
+++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java
@@ -547,6 +547,16 @@
@Test
public void testApplyTransportModeTransform() throws Exception {
+ verifyApplyTransportModeTransformCommon(false);
+ }
+
+ @Test
+ public void testApplyTransportModeTransformReleasedSpi() throws Exception {
+ verifyApplyTransportModeTransformCommon(true);
+ }
+
+ public void verifyApplyTransportModeTransformCommon(
+ boolean closeSpiBeforeApply) throws Exception {
IpSecConfig ipSecConfig = new IpSecConfig();
addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
addAuthAndCryptToIpSecConfig(ipSecConfig);
@@ -554,6 +564,39 @@
IpSecTransformResponse createTransformResp =
mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage");
+ if (closeSpiBeforeApply) {
+ mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId());
+ }
+
+ Socket socket = new Socket();
+ socket.bind(null);
+ ParcelFileDescriptor pfd = ParcelFileDescriptor.fromSocket(socket);
+
+ int resourceId = createTransformResp.resourceId;
+ mIpSecService.applyTransportModeTransform(pfd, IpSecManager.DIRECTION_OUT, resourceId);
+
+ verify(mMockNetd)
+ .ipSecApplyTransportModeTransform(
+ eq(pfd),
+ eq(mUid),
+ eq(IpSecManager.DIRECTION_OUT),
+ anyString(),
+ anyString(),
+ eq(TEST_SPI));
+ }
+
+ @Test
+ public void testApplyTransportModeTransformWithClosedSpi() throws Exception {
+ IpSecConfig ipSecConfig = new IpSecConfig();
+ addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
+ addAuthAndCryptToIpSecConfig(ipSecConfig);
+
+ IpSecTransformResponse createTransformResp =
+ mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage");
+
+ // Close SPI record
+ mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId());
+
Socket socket = new Socket();
socket.bind(null);
ParcelFileDescriptor pfd = ParcelFileDescriptor.fromSocket(socket);
@@ -660,6 +703,15 @@
@Test
public void testApplyTunnelModeTransform() throws Exception {
+ verifyApplyTunnelModeTransformCommon(false);
+ }
+
+ @Test
+ public void testApplyTunnelModeTransformReleasedSpi() throws Exception {
+ verifyApplyTunnelModeTransformCommon(true);
+ }
+
+ public void verifyApplyTunnelModeTransformCommon(boolean closeSpiBeforeApply) throws Exception {
IpSecConfig ipSecConfig = new IpSecConfig();
ipSecConfig.setMode(IpSecTransform.MODE_TUNNEL);
addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
@@ -670,6 +722,49 @@
IpSecTunnelInterfaceResponse createTunnelResp =
createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage");
+ if (closeSpiBeforeApply) {
+ mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId());
+ }
+
+ int transformResourceId = createTransformResp.resourceId;
+ int tunnelResourceId = createTunnelResp.resourceId;
+ mIpSecService.applyTunnelModeTransform(tunnelResourceId, IpSecManager.DIRECTION_OUT,
+ transformResourceId, "blessedPackage");
+
+ for (int selAddrFamily : ADDRESS_FAMILIES) {
+ verify(mMockNetd)
+ .ipSecUpdateSecurityPolicy(
+ eq(mUid),
+ eq(selAddrFamily),
+ eq(IpSecManager.DIRECTION_OUT),
+ anyString(),
+ anyString(),
+ eq(TEST_SPI),
+ anyInt(), // iKey/oKey
+ anyInt(), // mask
+ eq(tunnelResourceId));
+ }
+
+ ipSecConfig.setXfrmInterfaceId(tunnelResourceId);
+ verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp);
+ }
+
+
+ @Test
+ public void testApplyTunnelModeTransformWithClosedSpi() throws Exception {
+ IpSecConfig ipSecConfig = new IpSecConfig();
+ ipSecConfig.setMode(IpSecTransform.MODE_TUNNEL);
+ addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
+ addAuthAndCryptToIpSecConfig(ipSecConfig);
+
+ IpSecTransformResponse createTransformResp =
+ mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage");
+ IpSecTunnelInterfaceResponse createTunnelResp =
+ createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage");
+
+ // Close SPI record
+ mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId());
+
int transformResourceId = createTransformResp.resourceId;
int tunnelResourceId = createTunnelResp.resourceId;
mIpSecService.applyTunnelModeTransform(tunnelResourceId, IpSecManager.DIRECTION_OUT,
diff --git a/tests/net/java/com/android/server/net/NetworkStatsBaseTest.java b/tests/net/java/com/android/server/net/NetworkStatsBaseTest.java
index 28785f7..3aafe0b 100644
--- a/tests/net/java/com/android/server/net/NetworkStatsBaseTest.java
+++ b/tests/net/java/com/android/server/net/NetworkStatsBaseTest.java
@@ -41,6 +41,7 @@
static final String TEST_IFACE = "test0";
static final String TEST_IFACE2 = "test1";
static final String TUN_IFACE = "test_nss_tun0";
+ static final String TUN_IFACE2 = "test_nss_tun1";
static final int UID_RED = 1001;
static final int UID_BLUE = 1002;
@@ -107,10 +108,14 @@
assertEquals("unexpected operations", operations, entry.operations);
}
- VpnInfo createVpnInfo(String[] underlyingIfaces) {
+ static VpnInfo createVpnInfo(String[] underlyingIfaces) {
+ return createVpnInfo(TUN_IFACE, underlyingIfaces);
+ }
+
+ static VpnInfo createVpnInfo(String vpnIface, String[] underlyingIfaces) {
VpnInfo info = new VpnInfo();
info.ownerUid = UID_VPN;
- info.vpnIface = TUN_IFACE;
+ info.vpnIface = vpnIface;
info.underlyingIfaces = underlyingIfaces;
return info;
}
diff --git a/tests/net/java/com/android/server/net/NetworkStatsFactoryTest.java b/tests/net/java/com/android/server/net/NetworkStatsFactoryTest.java
index a21f509..4473492 100644
--- a/tests/net/java/com/android/server/net/NetworkStatsFactoryTest.java
+++ b/tests/net/java/com/android/server/net/NetworkStatsFactoryTest.java
@@ -104,7 +104,7 @@
}
@Test
- public void vpnRewriteTrafficThroughItself() throws Exception {
+ public void testVpnRewriteTrafficThroughItself() throws Exception {
VpnInfo[] vpnInfos = new VpnInfo[] {createVpnInfo(new String[] {TEST_IFACE})};
mFactory.updateVpnInfos(vpnInfos);
@@ -133,7 +133,7 @@
}
@Test
- public void vpnWithClat() throws Exception {
+ public void testVpnWithClat() throws Exception {
VpnInfo[] vpnInfos = new VpnInfo[] {createVpnInfo(new String[] {CLAT_PREFIX + TEST_IFACE})};
mFactory.updateVpnInfos(vpnInfos);
mFactory.noteStackedIface(CLAT_PREFIX + TEST_IFACE, TEST_IFACE);
@@ -166,7 +166,7 @@
}
@Test
- public void vpnWithOneUnderlyingIface() throws Exception {
+ public void testVpnWithOneUnderlyingIface() throws Exception {
VpnInfo[] vpnInfos = new VpnInfo[] {createVpnInfo(new String[] {TEST_IFACE})};
mFactory.updateVpnInfos(vpnInfos);
@@ -189,7 +189,7 @@
}
@Test
- public void vpnWithOneUnderlyingIfaceAndOwnTraffic() throws Exception {
+ public void testVpnWithOneUnderlyingIfaceAndOwnTraffic() throws Exception {
// WiFi network is connected and VPN is using WiFi (which has TEST_IFACE).
VpnInfo[] vpnInfos = new VpnInfo[] {createVpnInfo(new String[] {TEST_IFACE})};
mFactory.updateVpnInfos(vpnInfos);
@@ -217,7 +217,7 @@
}
@Test
- public void vpnWithOneUnderlyingIface_withCompression() throws Exception {
+ public void testVpnWithOneUnderlyingIface_withCompression() throws Exception {
// WiFi network is connected and VPN is using WiFi (which has TEST_IFACE).
VpnInfo[] vpnInfos = new VpnInfo[] {createVpnInfo(new String[] {TEST_IFACE})};
mFactory.updateVpnInfos(vpnInfos);
@@ -238,7 +238,7 @@
}
@Test
- public void vpnWithTwoUnderlyingIfaces_packetDuplication() throws Exception {
+ public void testVpnWithTwoUnderlyingIfaces_packetDuplication() throws Exception {
// WiFi and Cell networks are connected and VPN is using WiFi (which has TEST_IFACE) and
// Cell (which has TEST_IFACE2) and has declared both of them in its underlying network set.
// Additionally, VPN is duplicating traffic across both WiFi and Cell.
@@ -264,7 +264,47 @@
}
@Test
- public void vpnWithTwoUnderlyingIfaces_splitTraffic() throws Exception {
+ public void testConcurrentVpns() throws Exception {
+ // Assume two VPNs are connected on two different network interfaces. VPN1 is using
+ // TEST_IFACE and VPN2 is using TEST_IFACE2.
+ final VpnInfo[] vpnInfos = new VpnInfo[] {
+ createVpnInfo(TUN_IFACE, new String[] {TEST_IFACE}),
+ createVpnInfo(TUN_IFACE2, new String[] {TEST_IFACE2})};
+ mFactory.updateVpnInfos(vpnInfos);
+
+ // create some traffic (assume 10 bytes of MTU for VPN interface and 1 byte encryption
+ // overhead per packet):
+ // 1000 bytes (100 packets) were sent, and 2000 bytes (200 packets) were received by UID_RED
+ // over VPN1.
+ // 700 bytes (70 packets) were sent, and 3000 bytes (300 packets) were received by UID_RED
+ // over VPN2.
+ // 500 bytes (50 packets) were sent, and 1000 bytes (100 packets) were received by UID_BLUE
+ // over VPN1.
+ // 250 bytes (25 packets) were sent, and 500 bytes (50 packets) were received by UID_BLUE
+ // over VPN2.
+ // VPN1 sent 1650 bytes (150 packets), and received 3300 (300 packets) over TEST_IFACE.
+ // Of 1650 bytes sent over WiFi, expect 1000 bytes attributed to UID_RED, 500 bytes
+ // attributed to UID_BLUE, and 150 bytes attributed to UID_VPN.
+ // Of 3300 bytes received over WiFi, expect 2000 bytes attributed to UID_RED, 1000 bytes
+ // attributed to UID_BLUE, and 300 bytes attributed to UID_VPN.
+ // VPN2 sent 1045 bytes (95 packets), and received 3850 (350 packets) over TEST_IFACE2.
+ // Of 1045 bytes sent over Cell, expect 700 bytes attributed to UID_RED, 250 bytes
+ // attributed to UID_BLUE, and 95 bytes attributed to UID_VPN.
+ // Of 3850 bytes received over Cell, expect 3000 bytes attributed to UID_RED, 500 bytes
+ // attributed to UID_BLUE, and 350 bytes attributed to UID_VPN.
+ final NetworkStats tunStats =
+ parseDetailedStats(R.raw.xt_qtaguid_vpn_one_underlying_two_vpn);
+
+ assertValues(tunStats, TEST_IFACE, UID_RED, 2000L, 200L, 1000L, 100L);
+ assertValues(tunStats, TEST_IFACE, UID_BLUE, 1000L, 100L, 500L, 50L);
+ assertValues(tunStats, TEST_IFACE2, UID_RED, 3000L, 300L, 700L, 70L);
+ assertValues(tunStats, TEST_IFACE2, UID_BLUE, 500L, 50L, 250L, 25L);
+ assertValues(tunStats, TEST_IFACE, UID_VPN, 300L, 0L, 150L, 0L);
+ assertValues(tunStats, TEST_IFACE2, UID_VPN, 350L, 0L, 95L, 0L);
+ }
+
+ @Test
+ public void testVpnWithTwoUnderlyingIfaces_splitTraffic() throws Exception {
// WiFi and Cell networks are connected and VPN is using WiFi (which has TEST_IFACE) and
// Cell (which has TEST_IFACE2) and has declared both of them in its underlying network set.
// Additionally, VPN is arbitrarily splitting traffic across WiFi and Cell.
@@ -291,7 +331,7 @@
}
@Test
- public void vpnWithTwoUnderlyingIfaces_splitTrafficWithCompression() throws Exception {
+ public void testVpnWithTwoUnderlyingIfaces_splitTrafficWithCompression() throws Exception {
// WiFi and Cell networks are connected and VPN is using WiFi (which has TEST_IFACE) and
// Cell (which has TEST_IFACE2) and has declared both of them in its underlying network set.
// Additionally, VPN is arbitrarily splitting compressed traffic across WiFi and Cell.
@@ -314,7 +354,7 @@
}
@Test
- public void vpnWithIncorrectUnderlyingIface() throws Exception {
+ public void testVpnWithIncorrectUnderlyingIface() throws Exception {
// WiFi and Cell networks are connected and VPN is using Cell (which has TEST_IFACE2),
// but has declared only WiFi (TEST_IFACE) in its underlying network set.
VpnInfo[] vpnInfos = new VpnInfo[] {createVpnInfo(new String[] {TEST_IFACE})};
diff --git a/tests/net/res/raw/xt_qtaguid_vpn_one_underlying_two_vpn b/tests/net/res/raw/xt_qtaguid_vpn_one_underlying_two_vpn
new file mode 100644
index 0000000..eb0513b
--- /dev/null
+++ b/tests/net/res/raw/xt_qtaguid_vpn_one_underlying_two_vpn
@@ -0,0 +1,9 @@
+idx iface acct_tag_hex uid_tag_int cnt_set rx_bytes rx_packets tx_bytes tx_packets rx_tcp_bytes rx_tcp_packets rx_udp_bytes rx_udp_packets rx_other_bytes rx_other_packets tx_tcp_bytes tx_tcp_packets tx_udp_bytes tx_udp_packets tx_other_bytes tx_other_packets
+2 test_nss_tun0 0x0 1001 0 2000 200 1000 100 0 0 0 0 0 0 0 0 0 0 0 0
+3 test_nss_tun0 0x0 1002 0 1000 100 500 50 0 0 0 0 0 0 0 0 0 0 0 0
+4 test_nss_tun1 0x0 1001 0 3000 300 700 70 0 0 0 0 0 0 0 0 0 0 0 0
+5 test_nss_tun1 0x0 1002 0 500 50 250 25 0 0 0 0 0 0 0 0 0 0 0 0
+6 test0 0x0 1004 0 3300 300 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+7 test0 0x0 1004 1 0 0 1650 150 0 0 0 0 0 0 0 0 0 0 0 0
+8 test1 0x0 1004 0 3850 350 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+9 test1 0x0 1004 1 0 0 1045 95 0 0 0 0 0 0 0 0 0 0 0 0
\ No newline at end of file