Add libconnectivity_native_test_utils
The utility currently contains a firewall class that is used by DNS
resolver tests to block DNS packets.
Bug: 227159929
Test: atest resolv_integration_test
Change-Id: I5c5bc0b263a677f57cd63f002057ff0812f15e64
diff --git a/tests/native/utilities/Android.bp b/tests/native/utilities/Android.bp
new file mode 100644
index 0000000..7668cc1
--- /dev/null
+++ b/tests/native/utilities/Android.bp
@@ -0,0 +1,30 @@
+//
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+cc_test_library {
+ name: "libconnectivity_native_test_utils",
+ defaults: [
+ "netd_defaults",
+ "resolv_test_defaults"
+ ],
+ srcs: [
+ "firewall.cpp",
+ ],
+ header_libs: [
+ "bpf_connectivity_headers",
+ ],
+ export_header_lib_headers: ["bpf_connectivity_headers"],
+ export_include_dirs: ["."],
+}
diff --git a/tests/native/utilities/firewall.cpp b/tests/native/utilities/firewall.cpp
new file mode 100644
index 0000000..e4669cb
--- /dev/null
+++ b/tests/native/utilities/firewall.cpp
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "firewall.h"
+
+#include <android-base/result.h>
+#include <gtest/gtest.h>
+
+Firewall::Firewall() {
+ std::lock_guard guard(mMutex);
+ auto result = mConfigurationMap.init(CONFIGURATION_MAP_PATH);
+ EXPECT_RESULT_OK(result) << "init mConfigurationMap failed";
+
+ result = mUidOwnerMap.init(UID_OWNER_MAP_PATH);
+ EXPECT_RESULT_OK(result) << "init mUidOwnerMap failed";
+}
+
+Firewall* Firewall::getInstance() {
+ static Firewall instance;
+ return &instance;
+}
+
+Result<void> Firewall::toggleStandbyMatch(bool enable) {
+ std::lock_guard guard(mMutex);
+ uint32_t key = UID_RULES_CONFIGURATION_KEY;
+ auto oldConfiguration = mConfigurationMap.readValue(key);
+ if (!oldConfiguration.ok()) {
+ return Errorf("Cannot read the old configuration: {}", oldConfiguration.error().message());
+ }
+
+ BpfConfig newConfiguration = enable ? (oldConfiguration.value() | STANDBY_MATCH)
+ : (oldConfiguration.value() & (~STANDBY_MATCH));
+ auto res = mConfigurationMap.writeValue(key, newConfiguration, BPF_EXIST);
+ if (!res.ok()) return Errorf("Failed to toggle STANDBY_MATCH: {}", res.error().message());
+
+ return {};
+}
+
+Result<void> Firewall::addRule(uint32_t uid, UidOwnerMatchType match, uint32_t iif) {
+ // iif should be non-zero if and only if match == MATCH_IIF
+ if (match == IIF_MATCH && iif == 0) {
+ return Errorf("Interface match {} must have nonzero interface index", match);
+ } else if (match != IIF_MATCH && iif != 0) {
+ return Errorf("Non-interface match {} must have zero interface index", match);
+ }
+
+ std::lock_guard guard(mMutex);
+ auto oldMatch = mUidOwnerMap.readValue(uid);
+ if (oldMatch.ok()) {
+ UidOwnerValue newMatch = {
+ .iif = iif ? iif : oldMatch.value().iif,
+ .rule = static_cast<uint8_t>(oldMatch.value().rule | match),
+ };
+ auto res = mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY);
+ if (!res.ok()) return Errorf("Failed to update rule: {}", res.error().message());
+ } else {
+ UidOwnerValue newMatch = {
+ .iif = iif,
+ .rule = static_cast<uint8_t>(match),
+ };
+ auto res = mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY);
+ if (!res.ok()) return Errorf("Failed to add rule: {}", res.error().message());
+ }
+ return {};
+}
+
+Result<void> Firewall::removeRule(uint32_t uid, UidOwnerMatchType match) {
+ std::lock_guard guard(mMutex);
+ auto oldMatch = mUidOwnerMap.readValue(uid);
+ if (!oldMatch.ok()) return Errorf("uid: %u does not exist in map", uid);
+
+ UidOwnerValue newMatch = {
+ .iif = (match == IIF_MATCH) ? 0 : oldMatch.value().iif,
+ .rule = static_cast<uint8_t>(oldMatch.value().rule & ~match),
+ };
+ if (newMatch.rule == 0) {
+ auto res = mUidOwnerMap.deleteValue(uid);
+ if (!res.ok()) return Errorf("Failed to remove rule: {}", res.error().message());
+ } else {
+ auto res = mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY);
+ if (!res.ok()) return Errorf("Failed to update rule: {}", res.error().message());
+ }
+ return {};
+}
+
+Result<void> Firewall::addUidInterfaceRules(const std::string& ifName,
+ const std::vector<int32_t>& uids) {
+ unsigned int iif = if_nametoindex(ifName.c_str());
+ if (!iif) return Errorf("Failed to get interface index: {}", ifName);
+
+ for (auto uid : uids) {
+ auto res = addRule(uid, IIF_MATCH, iif);
+ if (!res.ok()) return res;
+ }
+ return {};
+}
+
+Result<void> Firewall::removeUidInterfaceRules(const std::vector<int32_t>& uids) {
+ for (auto uid : uids) {
+ auto res = removeRule(uid, IIF_MATCH);
+ if (!res.ok()) return res;
+ }
+ return {};
+}
diff --git a/tests/native/utilities/firewall.h b/tests/native/utilities/firewall.h
new file mode 100644
index 0000000..185559b
--- /dev/null
+++ b/tests/native/utilities/firewall.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#pragma once
+
+#include <android-base/thread_annotations.h>
+#include <bpf/BpfMap.h>
+#include <bpf_shared.h>
+
+using android::base::Result;
+using android::bpf::BpfMap;
+
+class Firewall {
+ public:
+ Firewall() EXCLUDES(mMutex);
+ static Firewall* getInstance();
+ Result<void> toggleStandbyMatch(bool enable) EXCLUDES(mMutex);
+ Result<void> addRule(uint32_t uid, UidOwnerMatchType match, uint32_t iif = 0) EXCLUDES(mMutex);
+ Result<void> removeRule(uint32_t uid, UidOwnerMatchType match) EXCLUDES(mMutex);
+ Result<void> addUidInterfaceRules(const std::string& ifName, const std::vector<int32_t>& uids);
+ Result<void> removeUidInterfaceRules(const std::vector<int32_t>& uids);
+
+ private:
+ BpfMap<uint32_t, uint32_t> mConfigurationMap GUARDED_BY(mMutex);
+ BpfMap<uint32_t, UidOwnerValue> mUidOwnerMap GUARDED_BY(mMutex);
+ std::mutex mMutex;
+};