Merge "Add allowed capabilities on non cellular test networks"
diff --git a/framework/src/android/net/NetworkCapabilities.java b/framework/src/android/net/NetworkCapabilities.java
index 324f565..cd2daf0 100644
--- a/framework/src/android/net/NetworkCapabilities.java
+++ b/framework/src/android/net/NetworkCapabilities.java
@@ -757,10 +757,10 @@
NET_CAPABILITY_PARTIAL_CONNECTIVITY);
/**
- * Capabilities that are allowed for test networks. This list must be set so that it is safe
- * for an unprivileged user to create a network with these capabilities via shell. As such,
- * it must never contain capabilities that are generally useful to the system, such as
- * INTERNET, IMS, SUPL, etc.
+ * Capabilities that are allowed for all test networks. This list must be set so that it is safe
+ * for an unprivileged user to create a network with these capabilities via shell. As such, it
+ * must never contain capabilities that are generally useful to the system, such as INTERNET,
+ * IMS, SUPL, etc.
*/
private static final long TEST_NETWORKS_ALLOWED_CAPABILITIES =
BitUtils.packBitList(
@@ -774,6 +774,14 @@
NET_CAPABILITY_NOT_VCN_MANAGED);
/**
+ * Extra allowed capabilities for test networks that do not have TRANSPORT_CELLULAR. Test
+ * networks with TRANSPORT_CELLULAR must not have those capabilities in order to mitigate
+ * the risk of being used by running apps.
+ */
+ private static final long TEST_NETWORKS_EXTRA_ALLOWED_CAPABILITIES_ON_NON_CELL =
+ BitUtils.packBitList(NET_CAPABILITY_CBS, NET_CAPABILITY_DUN, NET_CAPABILITY_RCS);
+
+ /**
* Adds the given capability to this {@code NetworkCapability} instance.
* Note that when searching for a network to satisfy a request, all capabilities
* requested must be satisfied.
@@ -1133,7 +1141,13 @@
// If the test network is restricted, then it may declare any transport.
mTransportTypes = (originalTransportTypes | (1 << TRANSPORT_TEST));
}
+
mNetworkCapabilities = originalCapabilities & TEST_NETWORKS_ALLOWED_CAPABILITIES;
+ if (!hasTransport(TRANSPORT_CELLULAR)) {
+ mNetworkCapabilities |=
+ (originalCapabilities & TEST_NETWORKS_EXTRA_ALLOWED_CAPABILITIES_ON_NON_CELL);
+ }
+
mNetworkSpecifier = originalSpecifier;
mSignalStrength = originalSignalStrength;
mTransportInfo = originalTransportInfo;
diff --git a/tests/common/java/android/net/NetworkCapabilitiesTest.java b/tests/common/java/android/net/NetworkCapabilitiesTest.java
index 7b374d2..06af3c0 100644
--- a/tests/common/java/android/net/NetworkCapabilitiesTest.java
+++ b/tests/common/java/android/net/NetworkCapabilitiesTest.java
@@ -21,6 +21,7 @@
import static android.net.NetworkCapabilities.MIN_TRANSPORT;
import static android.net.NetworkCapabilities.NET_CAPABILITY_CAPTIVE_PORTAL;
import static android.net.NetworkCapabilities.NET_CAPABILITY_CBS;
+import static android.net.NetworkCapabilities.NET_CAPABILITY_DUN;
import static android.net.NetworkCapabilities.NET_CAPABILITY_EIMS;
import static android.net.NetworkCapabilities.NET_CAPABILITY_ENTERPRISE;
import static android.net.NetworkCapabilities.NET_CAPABILITY_FOREGROUND;
@@ -36,6 +37,7 @@
import static android.net.NetworkCapabilities.NET_CAPABILITY_PARTIAL_CONNECTIVITY;
import static android.net.NetworkCapabilities.NET_CAPABILITY_PRIORITIZE_BANDWIDTH;
import static android.net.NetworkCapabilities.NET_CAPABILITY_PRIORITIZE_LATENCY;
+import static android.net.NetworkCapabilities.NET_CAPABILITY_RCS;
import static android.net.NetworkCapabilities.NET_CAPABILITY_SUPL;
import static android.net.NetworkCapabilities.NET_CAPABILITY_TRUSTED;
import static android.net.NetworkCapabilities.NET_CAPABILITY_VALIDATED;
@@ -113,6 +115,9 @@
private static final int TEST_SUBID2 = 2;
private static final int TEST_SUBID3 = 3;
+ private static final Set<Integer> TEST_NETWORKS_EXTRA_ALLOWED_CAPS_ON_NON_CELL =
+ Set.of(NET_CAPABILITY_CBS, NET_CAPABILITY_DUN, NET_CAPABILITY_RCS);
+
@Rule
public DevSdkIgnoreRule mDevSdkIgnoreRule = new DevSdkIgnoreRule();
@@ -1321,16 +1326,31 @@
}
@Test
- public void testRestrictCapabilitiesForTestNetworkByNotOwnerWithRestrictedNc() {
- testRestrictCapabilitiesForTestNetworkWithRestrictedNc(false /* isOwner */);
+ public void testRestrictCapabilitiesForTestNetworkRestrictedNc_NotOwner_NotCell() {
+ testRestrictCapabilitiesForTestNetworkWithRestrictedNc(
+ false /* isOwner */, false /* isCell */);
}
@Test
- public void testRestrictCapabilitiesForTestNetworkByOwnerWithRestrictedNc() {
- testRestrictCapabilitiesForTestNetworkWithRestrictedNc(true /* isOwner */);
+ public void testRestrictCapabilitiesForTestNetworkRestrictedNc_Owner_NotCell() {
+ testRestrictCapabilitiesForTestNetworkWithRestrictedNc(
+ true /* isOwner */, false /* isCell */);
}
- private void testRestrictCapabilitiesForTestNetworkWithRestrictedNc(boolean isOwner) {
+ @Test
+ public void testRestrictCapabilitiesForTestNetworkRestrictedNc_NotOwner_Cell() {
+ testRestrictCapabilitiesForTestNetworkWithRestrictedNc(
+ false /* isOwner */, true /* isCell */);
+ }
+
+ @Test
+ public void testRestrictCapabilitiesForTestNetworkRestrictedNc_Owner_Cell() {
+ testRestrictCapabilitiesForTestNetworkWithRestrictedNc(
+ true /* isOwner */, false /* isCell */);
+ }
+
+ private void testRestrictCapabilitiesForTestNetworkWithRestrictedNc(
+ boolean isOwner, boolean isCell) {
final int ownerUid = 1234;
final int signalStrength = -80;
final int[] administratorUids = {1001, ownerUid};
@@ -1339,29 +1359,47 @@
// the networkCapabilities will contain more than one transport type. However,
// networkCapabilities must have a single transport specified to use NetworkSpecifier. Thus,
// do not verify this part since it's verified in other tests.
- final NetworkCapabilities restrictedNc = new NetworkCapabilities.Builder()
+ final NetworkCapabilities.Builder restrictedNcBuilder = new NetworkCapabilities.Builder()
.removeCapability(NET_CAPABILITY_NOT_RESTRICTED)
- .addTransportType(TRANSPORT_CELLULAR)
.addCapability(NET_CAPABILITY_MMS)
.addCapability(NET_CAPABILITY_NOT_METERED)
.setAdministratorUids(administratorUids)
.setOwnerUid(ownerUid)
.setSignalStrength(signalStrength)
.setTransportInfo(transportInfo)
- .setSubscriptionIds(Set.of(TEST_SUBID1)).build();
+ .setSubscriptionIds(Set.of(TEST_SUBID1));
+ for (int cap : TEST_NETWORKS_EXTRA_ALLOWED_CAPS_ON_NON_CELL) {
+ restrictedNcBuilder.addCapability(cap);
+ }
+
+ if (isCell) {
+ restrictedNcBuilder.addTransportType(TRANSPORT_CELLULAR);
+ }
+ final NetworkCapabilities restrictedNc = restrictedNcBuilder.build();
+
final int creatorUid = isOwner ? ownerUid : INVALID_UID;
restrictedNc.restrictCapabilitiesForTestNetwork(creatorUid);
final NetworkCapabilities.Builder expectedNcBuilder = new NetworkCapabilities.Builder()
.removeCapability(NET_CAPABILITY_NOT_RESTRICTED);
- // If the test network is restricted, then the network may declare any transport, and
- // appended with TRANSPORT_TEST.
- expectedNcBuilder.addTransportType(TRANSPORT_CELLULAR);
+
+ if (isCell) {
+ // If the test network is restricted, then the network may declare any transport, and
+ // appended with TRANSPORT_TEST.
+ expectedNcBuilder.addTransportType(TRANSPORT_CELLULAR);
+ }
expectedNcBuilder.addTransportType(TRANSPORT_TEST);
+
// Only TEST_NETWORKS_ALLOWED_CAPABILITIES will be kept.
expectedNcBuilder.addCapability(NET_CAPABILITY_NOT_METERED);
expectedNcBuilder.removeCapability(NET_CAPABILITY_TRUSTED);
+ if (!isCell) {
+ for (int cap : TEST_NETWORKS_EXTRA_ALLOWED_CAPS_ON_NON_CELL) {
+ expectedNcBuilder.addCapability(cap);
+ }
+ }
+
expectedNcBuilder.setSignalStrength(signalStrength).setTransportInfo(transportInfo);
if (creatorUid == ownerUid) {
// Only retain the owner and administrator UIDs if they match the app registering the