Merge "Use BpfDump#dumpMapStatus in NetworkStatsService"
diff --git a/OWNERS_core_networking_xts b/OWNERS_core_networking_xts
index 8083cbf..1844334 100644
--- a/OWNERS_core_networking_xts
+++ b/OWNERS_core_networking_xts
@@ -1,7 +1,7 @@
lorenzo@google.com
satk@google.com #{LAST_RESORT_SUGGESTION}
-# For cherry-picks of CLs that are already merged in aosp/master.
+# For cherry-picks of CLs that are already merged in aosp/master, or flaky test fixes.
jchalard@google.com #{LAST_RESORT_SUGGESTION}
maze@google.com #{LAST_RESORT_SUGGESTION}
reminv@google.com #{LAST_RESORT_SUGGESTION}
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 6e30fd1..700a085 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -135,6 +135,37 @@
}
]
},
+ // Test with APK modules only, in cases where APEX is not supported, or the other modules
+ // were simply not updated
+ {
+ "name": "CtsNetTestCasesLatestSdk[CaptivePortalLoginGoogle.apk+NetworkStackGoogle.apk]",
+ "options": [
+ {
+ "exclude-annotation": "com.android.testutils.SkipPresubmit"
+ },
+ {
+ "exclude-annotation": "androidx.test.filters.RequiresDevice"
+ },
+ {
+ "exclude-annotation": "com.android.testutils.ConnectivityModuleTest"
+ }
+ ]
+ },
+ // Test with connectivity/tethering module only, to catch integration issues with older versions
+ // of other modules. "new tethering + old NetworkStack" is not a configuration that should
+ // really exist in the field, but there is no strong guarantee, and it is required by MTS
+ // testing for module qualification, where modules are tested independently.
+ {
+ "name": "CtsNetTestCasesLatestSdk[com.google.android.tethering.apex]",
+ "options": [
+ {
+ "exclude-annotation": "com.android.testutils.SkipPresubmit"
+ },
+ {
+ "exclude-annotation": "androidx.test.filters.RequiresDevice"
+ }
+ ]
+ },
{
"name": "bpf_existence_test[CaptivePortalLoginGoogle.apk+NetworkStackGoogle.apk+com.google.android.resolv.apex+com.google.android.tethering.apex]"
},
@@ -159,38 +190,6 @@
{
"name": "CtsNetTestCasesLatestSdk[CaptivePortalLoginGoogle.apk+NetworkStackGoogle.apk+com.google.android.resolv.apex+com.google.android.tethering.apex]",
"keywords": ["sim"]
- },
- // TODO: move to mainline-presubmit when known green.
- // Test with APK modules only, in cases where APEX is not supported, or the other modules were simply not updated
- {
- "name": "CtsNetTestCasesLatestSdk[CaptivePortalLoginGoogle.apk+NetworkStackGoogle.apk]",
- "options": [
- {
- "exclude-annotation": "com.android.testutils.SkipPresubmit"
- },
- {
- "exclude-annotation": "androidx.test.filters.RequiresDevice"
- },
- {
- "exclude-annotation": "com.android.testutils.ConnectivityModuleTest"
- }
- ]
- },
- // TODO: move to mainline-presubmit when known green.
- // Test with connectivity/tethering module only, to catch integration issues with older versions of other modules.
- // "new tethering + old NetworkStack" is not a configuration that should really exist in the field, but
- // there is no strong guarantee, and it is required by MTS testing for module qualification, where modules
- // are tested independently.
- {
- "name": "CtsNetTestCasesLatestSdk[com.google.android.tethering.apex]",
- "options": [
- {
- "exclude-annotation": "com.android.testutils.SkipPresubmit"
- },
- {
- "exclude-annotation": "androidx.test.filters.RequiresDevice"
- }
- ]
}
],
"imports": [
diff --git a/framework/src/android/net/NetworkCapabilities.java b/framework/src/android/net/NetworkCapabilities.java
index ea8a3df..d0cbbe5 100644
--- a/framework/src/android/net/NetworkCapabilities.java
+++ b/framework/src/android/net/NetworkCapabilities.java
@@ -185,10 +185,18 @@
NET_ENTERPRISE_ID_4,
NET_ENTERPRISE_ID_5,
})
-
public @interface EnterpriseId {
}
+ private static final int ALL_VALID_ENTERPRISE_IDS;
+ static {
+ int enterpriseIds = 0;
+ for (int i = NET_ENTERPRISE_ID_1; i <= NET_ENTERPRISE_ID_5; ++i) {
+ enterpriseIds |= 1 << i;
+ }
+ ALL_VALID_ENTERPRISE_IDS = enterpriseIds;
+ }
+
/**
* Bitfield representing the network's enterprise capability identifier. If any are specified
* they will be satisfied by any Network that matches all of them.
@@ -622,6 +630,15 @@
private static final int MIN_NET_CAPABILITY = NET_CAPABILITY_MMS;
private static final int MAX_NET_CAPABILITY = NET_CAPABILITY_PRIORITIZE_BANDWIDTH;
+ private static final int ALL_VALID_CAPABILITIES;
+ static {
+ int caps = 0;
+ for (int i = MIN_NET_CAPABILITY; i <= MAX_NET_CAPABILITY; ++i) {
+ caps |= 1 << i;
+ }
+ ALL_VALID_CAPABILITIES = caps;
+ }
+
/**
* Network capabilities that are expected to be mutable, i.e., can change while a particular
* network is connected.
@@ -1146,6 +1163,15 @@
/** @hide */
public static final int MAX_TRANSPORT = TRANSPORT_USB;
+ private static final int ALL_VALID_TRANSPORTS;
+ static {
+ int transports = 0;
+ for (int i = MIN_TRANSPORT; i <= MAX_TRANSPORT; ++i) {
+ transports |= 1 << i;
+ }
+ ALL_VALID_TRANSPORTS = transports;
+ }
+
/** @hide */
public static boolean isValidTransport(@Transport int transportType) {
return (MIN_TRANSPORT <= transportType) && (transportType <= MAX_TRANSPORT);
@@ -2114,9 +2140,9 @@
@Override
public void writeToParcel(Parcel dest, int flags) {
- dest.writeLong(mNetworkCapabilities);
- dest.writeLong(mForbiddenNetworkCapabilities);
- dest.writeLong(mTransportTypes);
+ dest.writeLong(mNetworkCapabilities & ALL_VALID_CAPABILITIES);
+ dest.writeLong(mForbiddenNetworkCapabilities & ALL_VALID_CAPABILITIES);
+ dest.writeLong(mTransportTypes & ALL_VALID_TRANSPORTS);
dest.writeInt(mLinkUpBandwidthKbps);
dest.writeInt(mLinkDownBandwidthKbps);
dest.writeParcelable((Parcelable) mNetworkSpecifier, flags);
@@ -2132,7 +2158,7 @@
dest.writeString(mRequestorPackageName);
dest.writeIntArray(CollectionUtils.toIntArray(mSubIds));
dest.writeTypedList(mUnderlyingNetworks);
- dest.writeInt(mEnterpriseId);
+ dest.writeInt(mEnterpriseId & ALL_VALID_ENTERPRISE_IDS);
}
public static final @android.annotation.NonNull Creator<NetworkCapabilities> CREATOR =
@@ -2140,10 +2166,10 @@
@Override
public NetworkCapabilities createFromParcel(Parcel in) {
NetworkCapabilities netCap = new NetworkCapabilities();
-
- netCap.mNetworkCapabilities = in.readLong();
- netCap.mForbiddenNetworkCapabilities = in.readLong();
- netCap.mTransportTypes = in.readLong();
+ // Validate the unparceled data, in case the parceling party was malicious.
+ netCap.mNetworkCapabilities = in.readLong() & ALL_VALID_CAPABILITIES;
+ netCap.mForbiddenNetworkCapabilities = in.readLong() & ALL_VALID_CAPABILITIES;
+ netCap.mTransportTypes = in.readLong() & ALL_VALID_TRANSPORTS;
netCap.mLinkUpBandwidthKbps = in.readInt();
netCap.mLinkDownBandwidthKbps = in.readInt();
netCap.mNetworkSpecifier = in.readParcelable(null);
@@ -2167,7 +2193,7 @@
netCap.mSubIds.add(subIdInts[i]);
}
netCap.setUnderlyingNetworks(in.createTypedArrayList(Network.CREATOR));
- netCap.mEnterpriseId = in.readInt();
+ netCap.mEnterpriseId = in.readInt() & ALL_VALID_ENTERPRISE_IDS;
return netCap;
}
@Override
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 6804baf..10b3dc8 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -1982,6 +1982,9 @@
@Nullable
public NetworkInfo getNetworkInfoForUid(Network network, int uid, boolean ignoreBlocked) {
enforceAccessPermission();
+ if (uid != mDeps.getCallingUid()) {
+ enforceNetworkStackPermission(mContext);
+ }
final NetworkAgentInfo nai = getNetworkAgentInfoForNetwork(network);
if (nai == null) return null;
return getFilteredNetworkInfo(nai, uid, ignoreBlocked);
diff --git a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
index 8dbcc00..310d7bf 100644
--- a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
+++ b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
@@ -2751,6 +2751,27 @@
mCm.getActiveNetwork(), false /* accept */ , false /* always */));
}
+ private void ensureCellIsValidatedBeforeMockingValidationUrls() {
+ // Verify that current supported network is validated so that the mock http server will not
+ // apply to unexpected networks. Also see aosp/2208680.
+ //
+ // This may also apply to wifi in principle, but in practice methods that mock validation
+ // URL all disconnect wifi forcefully anyway, so don't wait for wifi to validate.
+ if (mPackageManager.hasSystemFeature(FEATURE_TELEPHONY)) {
+ ensureValidatedNetwork(makeCellNetworkRequest());
+ }
+ }
+
+ private void ensureValidatedNetwork(NetworkRequest request) {
+ final TestableNetworkCallback cb = new TestableNetworkCallback();
+ mCm.registerNetworkCallback(request, cb);
+ cb.eventuallyExpect(CallbackEntry.NETWORK_CAPS_UPDATED,
+ NETWORK_CALLBACK_TIMEOUT_MS,
+ entry -> ((CallbackEntry.CapabilitiesChanged) entry).getCaps()
+ .hasCapability(NET_CAPABILITY_VALIDATED));
+ mCm.unregisterNetworkCallback(cb);
+ }
+
@AppModeFull(reason = "WRITE_DEVICE_CONFIG permission can't be granted to instant apps")
@Test
public void testAcceptPartialConnectivity_validatedNetwork() throws Exception {
@@ -2882,7 +2903,8 @@
assertTrue(mCm.getNetworkCapabilities(wifiNetwork).hasCapability(
NET_CAPABILITY_VALIDATED));
- // Configure response code for unvalidated network
+ // The cell network has already been checked to be validated.
+ // Configure response code for unvalidated network.
configTestServer(Status.INTERNAL_ERROR, Status.INTERNAL_ERROR);
mCm.reportNetworkConnectivity(wifiNetwork, false);
// Default network should stay on unvalidated wifi because avoid bad wifi is disabled.
@@ -2970,6 +2992,8 @@
}
private Network prepareValidatedNetwork() throws Exception {
+ ensureCellIsValidatedBeforeMockingValidationUrls();
+
prepareHttpServer();
configTestServer(Status.NO_CONTENT, Status.NO_CONTENT);
// Disconnect wifi first then start wifi network with configuration.
@@ -2980,6 +3004,8 @@
}
private Network preparePartialConnectivity() throws Exception {
+ ensureCellIsValidatedBeforeMockingValidationUrls();
+
prepareHttpServer();
// Configure response code for partial connectivity
configTestServer(Status.INTERNAL_ERROR /* httpsStatusCode */,
@@ -2993,6 +3019,8 @@
}
private Network prepareUnvalidatedNetwork() throws Exception {
+ ensureCellIsValidatedBeforeMockingValidationUrls();
+
prepareHttpServer();
// Configure response code for unvalidated network
configTestServer(Status.INTERNAL_ERROR /* httpsStatusCode */,
diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 7993a5c..c8aa59b 100755
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -1068,38 +1068,41 @@
* @param hasInternet Indicate if network should pretend to have NET_CAPABILITY_INTERNET.
*/
public void connect(boolean validated, boolean hasInternet, boolean isStrictMode) {
- ConnectivityManager.NetworkCallback callback = null;
final ConditionVariable validatedCv = new ConditionVariable();
+ final ConditionVariable capsChangedCv = new ConditionVariable();
+ final NetworkRequest request = new NetworkRequest.Builder()
+ .addTransportType(getNetworkCapabilities().getTransportTypes()[0])
+ .clearCapabilities()
+ .build();
if (validated) {
setNetworkValid(isStrictMode);
- NetworkRequest request = new NetworkRequest.Builder()
- .addTransportType(getNetworkCapabilities().getTransportTypes()[0])
- .clearCapabilities()
- .build();
- callback = new ConnectivityManager.NetworkCallback() {
- public void onCapabilitiesChanged(Network network,
- NetworkCapabilities networkCapabilities) {
- if (network.equals(getNetwork()) &&
- networkCapabilities.hasCapability(NET_CAPABILITY_VALIDATED)) {
+ }
+ final NetworkCallback callback = new NetworkCallback() {
+ public void onCapabilitiesChanged(Network network,
+ NetworkCapabilities networkCapabilities) {
+ if (network.equals(getNetwork())) {
+ capsChangedCv.open();
+ if (networkCapabilities.hasCapability(NET_CAPABILITY_VALIDATED)) {
validatedCv.open();
}
}
- };
- mCm.registerNetworkCallback(request, callback);
- }
+ }
+ };
+ mCm.registerNetworkCallback(request, callback);
+
if (hasInternet) {
addCapability(NET_CAPABILITY_INTERNET);
}
connectWithoutInternet();
+ waitFor(capsChangedCv);
if (validated) {
// Wait for network to validate.
waitFor(validatedCv);
setNetworkInvalid(isStrictMode);
}
-
- if (callback != null) mCm.unregisterNetworkCallback(callback);
+ mCm.unregisterNetworkCallback(callback);
}
public void connectWithCaptivePortal(String redirectUrl, boolean isStrictMode) {
@@ -1605,9 +1608,9 @@
mMockVpn = new MockVpn(userId);
}
- private void mockUidNetworkingBlocked() {
+ private void mockUidNetworkingBlocked(int uid) {
doAnswer(i -> isUidBlocked(mBlockedReasons, i.getArgument(1))
- ).when(mNetworkPolicyManager).isUidNetworkingBlocked(anyInt(), anyBoolean());
+ ).when(mNetworkPolicyManager).isUidNetworkingBlocked(eq(uid), anyBoolean());
}
private boolean isUidBlocked(int blockedReasons, boolean meteredNetwork) {
@@ -8994,7 +8997,7 @@
final DetailedBlockedStatusCallback detailedCallback = new DetailedBlockedStatusCallback();
mCm.registerNetworkCallback(cellRequest, detailedCallback);
- mockUidNetworkingBlocked();
+ mockUidNetworkingBlocked(Process.myUid());
mCellNetworkAgent = new TestNetworkAgentWrapper(TRANSPORT_CELLULAR);
mCellNetworkAgent.connect(true);
@@ -9109,7 +9112,7 @@
public void testNetworkBlockedStatusBeforeAndAfterConnect() throws Exception {
final TestNetworkCallback defaultCallback = new TestNetworkCallback();
mCm.registerDefaultNetworkCallback(defaultCallback);
- mockUidNetworkingBlocked();
+ mockUidNetworkingBlocked(Process.myUid());
// No Networkcallbacks invoked before any network is active.
setBlockedReasonChanged(BLOCKED_REASON_BATTERY_SAVER);
@@ -16878,4 +16881,43 @@
verify(mTetheringManager).getTetherableWifiRegexs();
});
}
+
+ @Test
+ public void testGetNetworkInfoForUid() throws Exception {
+ // Setup and verify getNetworkInfoForUid cannot be called without Network Stack permission,
+ // when querying NetworkInfo for other uid.
+ verifyNoNetwork();
+ mWiFiNetworkAgent = new TestNetworkAgentWrapper(TRANSPORT_WIFI);
+ mServiceContext.setPermission(NETWORK_STACK, PERMISSION_DENIED);
+ mServiceContext.setPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK,
+ PERMISSION_DENIED);
+
+ final int otherUid = Process.myUid() + 1;
+ assertNull(mCm.getActiveNetwork());
+ assertNull(mCm.getNetworkInfoForUid(mCm.getActiveNetwork(),
+ Process.myUid(), false /* ignoreBlocked */));
+ assertThrows(SecurityException.class, () -> mCm.getNetworkInfoForUid(
+ mCm.getActiveNetwork(), otherUid, false /* ignoreBlocked */));
+ withPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, () ->
+ assertNull(mCm.getNetworkInfoForUid(mCm.getActiveNetwork(),
+ otherUid, false /* ignoreBlocked */)));
+
+ // Bringing up validated wifi and verify again. Make the other uid be blocked,
+ // verify the method returns result accordingly.
+ mWiFiNetworkAgent.connect(true);
+ setBlockedReasonChanged(BLOCKED_REASON_BATTERY_SAVER);
+ mockUidNetworkingBlocked(otherUid);
+ withPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, () ->
+ verifyActiveNetwork(TRANSPORT_WIFI));
+ checkNetworkInfo(mCm.getNetworkInfoForUid(mCm.getActiveNetwork(),
+ Process.myUid(), false /* ignoreBlocked */), TYPE_WIFI, DetailedState.CONNECTED);
+ assertThrows(SecurityException.class, () -> mCm.getNetworkInfoForUid(
+ mCm.getActiveNetwork(), otherUid, false /* ignoreBlocked */));
+ withPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, () ->
+ checkNetworkInfo(mCm.getNetworkInfoForUid(mCm.getActiveNetwork(),
+ otherUid, false /* ignoreBlocked */), TYPE_WIFI, DetailedState.BLOCKED));
+ withPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, () ->
+ checkNetworkInfo(mCm.getNetworkInfoForUid(mCm.getActiveNetwork(),
+ otherUid, true /* ignoreBlocked */), TYPE_WIFI, DetailedState.CONNECTED));
+ }
}