Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Connectivity / 4d69233e632394302c6bf5a334608ae2d3230fc6 / . / service / native / TrafficControllerTest.cpp
blob: 29ce2505efb8ff0f3e97bee9f1fd77f101196965 [file] [log] [blame]
Wayne Ma4d692332022-01-19 16:04:04 +0800[diff] [blame^]1/*
2 * Copyright 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * TrafficControllerTest.cpp - unit tests for TrafficController.cpp
17 */
18
19#include <cstdint>
20#include <string>
21#include <vector>
22
23#include <fcntl.h>
24#include <inttypes.h>
25#include <linux/inet_diag.h>
26#include <linux/sock_diag.h>
27#include <sys/socket.h>
28#include <sys/types.h>
29#include <unistd.h>
30
31#include <gtest/gtest.h>
32
33#include <android-base/stringprintf.h>
34#include <android-base/strings.h>
35
36#include <netdutils/MockSyscalls.h>
37
38#include "TrafficController.h"
39#include "bpf/BpfUtils.h"
40
41using namespace android::bpf; // NOLINT(google-build-using-namespace): grandfathered
42
43namespace android {
44namespace net {
45
46using base::Result;
47using netdutils::isOk;
48
49constexpr int TEST_MAP_SIZE = 10;
50constexpr int TEST_COOKIE = 1;
51constexpr uid_t TEST_UID = 10086;
52constexpr uid_t TEST_UID2 = 54321;
53constexpr uid_t TEST_UID3 = 98765;
54constexpr uint32_t TEST_TAG = 42;
55constexpr uint32_t TEST_COUNTERSET = 1;
56constexpr uint32_t DEFAULT_COUNTERSET = 0;
57constexpr uint32_t TEST_PER_UID_STATS_ENTRIES_LIMIT = 3;
58constexpr uint32_t TEST_TOTAL_UID_STATS_ENTRIES_LIMIT = 7;
59
60#define ASSERT_VALID(x) ASSERT_TRUE((x).isValid())
61
62class TrafficControllerTest : public ::testing::Test {
63 protected:
64 TrafficControllerTest()
65 : mTc(TEST_PER_UID_STATS_ENTRIES_LIMIT, TEST_TOTAL_UID_STATS_ENTRIES_LIMIT) {}
66 TrafficController mTc;
67 BpfMap<uint64_t, UidTagValue> mFakeCookieTagMap;
68 BpfMap<uint32_t, uint8_t> mFakeUidCounterSetMap;
69 BpfMap<uint32_t, StatsValue> mFakeAppUidStatsMap;
70 BpfMap<StatsKey, StatsValue> mFakeStatsMapA;
71 BpfMap<uint32_t, uint8_t> mFakeConfigurationMap;
72 BpfMap<uint32_t, UidOwnerValue> mFakeUidOwnerMap;
73 BpfMap<uint32_t, uint8_t> mFakeUidPermissionMap;
74
75 void SetUp() {
76 std::lock_guard guard(mTc.mMutex);
77 ASSERT_EQ(0, setrlimitForTest());
78
79 mFakeCookieTagMap.reset(createMap(BPF_MAP_TYPE_HASH, sizeof(uint64_t), sizeof(UidTagValue),
80 TEST_MAP_SIZE, 0));
81 ASSERT_VALID(mFakeCookieTagMap);
82
83 mFakeUidCounterSetMap.reset(
84 createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint8_t), TEST_MAP_SIZE, 0));
85 ASSERT_VALID(mFakeUidCounterSetMap);
86
87 mFakeAppUidStatsMap.reset(createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(StatsValue),
88 TEST_MAP_SIZE, 0));
89 ASSERT_VALID(mFakeAppUidStatsMap);
90
91 mFakeStatsMapA.reset(createMap(BPF_MAP_TYPE_HASH, sizeof(StatsKey), sizeof(StatsValue),
92 TEST_MAP_SIZE, 0));
93 ASSERT_VALID(mFakeStatsMapA);
94
95 mFakeConfigurationMap.reset(
96 createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint8_t), 1, 0));
97 ASSERT_VALID(mFakeConfigurationMap);
98
99 mFakeUidOwnerMap.reset(createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(UidOwnerValue),
100 TEST_MAP_SIZE, 0));
101 ASSERT_VALID(mFakeUidOwnerMap);
102 mFakeUidPermissionMap.reset(
103 createMap(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint8_t), TEST_MAP_SIZE, 0));
104 ASSERT_VALID(mFakeUidPermissionMap);
105
106 mTc.mCookieTagMap.reset(dupFd(mFakeCookieTagMap.getMap()));
107 ASSERT_VALID(mTc.mCookieTagMap);
108 mTc.mUidCounterSetMap.reset(dupFd(mFakeUidCounterSetMap.getMap()));
109 ASSERT_VALID(mTc.mUidCounterSetMap);
110 mTc.mAppUidStatsMap.reset(dupFd(mFakeAppUidStatsMap.getMap()));
111 ASSERT_VALID(mTc.mAppUidStatsMap);
112 mTc.mStatsMapA.reset(dupFd(mFakeStatsMapA.getMap()));
113 ASSERT_VALID(mTc.mStatsMapA);
114 mTc.mConfigurationMap.reset(dupFd(mFakeConfigurationMap.getMap()));
115 ASSERT_VALID(mTc.mConfigurationMap);
116
117 // Always write to stats map A by default.
118 ASSERT_RESULT_OK(mTc.mConfigurationMap.writeValue(CURRENT_STATS_MAP_CONFIGURATION_KEY,
119 SELECT_MAP_A, BPF_ANY));
120 mTc.mUidOwnerMap.reset(dupFd(mFakeUidOwnerMap.getMap()));
121 ASSERT_VALID(mTc.mUidOwnerMap);
122 mTc.mUidPermissionMap.reset(dupFd(mFakeUidPermissionMap.getMap()));
123 ASSERT_VALID(mTc.mUidPermissionMap);
124 mTc.mPrivilegedUser.clear();
125 }
126
127 int dupFd(const android::base::unique_fd& mapFd) {
128 return fcntl(mapFd.get(), F_DUPFD_CLOEXEC, 0);
129 }
130
131 int setUpSocketAndTag(int protocol, uint64_t* cookie, uint32_t tag, uid_t uid,
132 uid_t callingUid) {
133 int sock = socket(protocol, SOCK_STREAM | SOCK_CLOEXEC, 0);
134 EXPECT_LE(0, sock);
135 *cookie = getSocketCookie(sock);
136 EXPECT_NE(NONEXISTENT_COOKIE, *cookie);
137 EXPECT_EQ(0, mTc.tagSocket(sock, tag, uid, callingUid));
138 return sock;
139 }
140
141 void expectUidTag(uint64_t cookie, uid_t uid, uint32_t tag) {
142 Result<UidTagValue> tagResult = mFakeCookieTagMap.readValue(cookie);
143 ASSERT_RESULT_OK(tagResult);
144 EXPECT_EQ(uid, tagResult.value().uid);
145 EXPECT_EQ(tag, tagResult.value().tag);
146 }
147
148 void expectNoTag(uint64_t cookie) { EXPECT_FALSE(mFakeCookieTagMap.readValue(cookie).ok()); }
149
150 void populateFakeStats(uint64_t cookie, uint32_t uid, uint32_t tag, StatsKey* key) {
151 UidTagValue cookieMapkey = {.uid = (uint32_t)uid, .tag = tag};
152 EXPECT_RESULT_OK(mFakeCookieTagMap.writeValue(cookie, cookieMapkey, BPF_ANY));
153 *key = {.uid = uid, .tag = tag, .counterSet = TEST_COUNTERSET, .ifaceIndex = 1};
154 StatsValue statsMapValue = {.rxPackets = 1, .rxBytes = 100};
155 uint8_t counterSet = TEST_COUNTERSET;
156 EXPECT_RESULT_OK(mFakeUidCounterSetMap.writeValue(uid, counterSet, BPF_ANY));
157 EXPECT_RESULT_OK(mFakeStatsMapA.writeValue(*key, statsMapValue, BPF_ANY));
158 key->tag = 0;
159 EXPECT_RESULT_OK(mFakeStatsMapA.writeValue(*key, statsMapValue, BPF_ANY));
160 EXPECT_RESULT_OK(mFakeAppUidStatsMap.writeValue(uid, statsMapValue, BPF_ANY));
161 // put tag information back to statsKey
162 key->tag = tag;
163 }
164
165 void checkUidOwnerRuleForChain(ChildChain chain, UidOwnerMatchType match) {
166 uint32_t uid = TEST_UID;
167 EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, DENY, DENYLIST));
168 Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
169 EXPECT_RESULT_OK(value);
170 EXPECT_TRUE(value.value().rule & match);
171
172 uid = TEST_UID2;
173 EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, ALLOW, ALLOWLIST));
174 value = mFakeUidOwnerMap.readValue(uid);
175 EXPECT_RESULT_OK(value);
176 EXPECT_TRUE(value.value().rule & match);
177
178 EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, DENY, ALLOWLIST));
179 value = mFakeUidOwnerMap.readValue(uid);
180 EXPECT_FALSE(value.ok());
181 EXPECT_EQ(ENOENT, value.error().code());
182
183 uid = TEST_UID;
184 EXPECT_EQ(0, mTc.changeUidOwnerRule(chain, uid, ALLOW, DENYLIST));
185 value = mFakeUidOwnerMap.readValue(uid);
186 EXPECT_FALSE(value.ok());
187 EXPECT_EQ(ENOENT, value.error().code());
188
189 uid = TEST_UID3;
190 EXPECT_EQ(-ENOENT, mTc.changeUidOwnerRule(chain, uid, ALLOW, DENYLIST));
191 value = mFakeUidOwnerMap.readValue(uid);
192 EXPECT_FALSE(value.ok());
193 EXPECT_EQ(ENOENT, value.error().code());
194 }
195
196 void checkEachUidValue(const std::vector<int32_t>& uids, UidOwnerMatchType match) {
197 for (uint32_t uid : uids) {
198 Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
199 EXPECT_RESULT_OK(value);
200 EXPECT_TRUE(value.value().rule & match);
201 }
202 std::set<uint32_t> uidSet(uids.begin(), uids.end());
203 const auto checkNoOtherUid = [&uidSet](const int32_t& key,
204 const BpfMap<uint32_t, UidOwnerValue>&) {
205 EXPECT_NE(uidSet.end(), uidSet.find(key));
206 return Result<void>();
207 };
208 EXPECT_RESULT_OK(mFakeUidOwnerMap.iterate(checkNoOtherUid));
209 }
210
211 void checkUidMapReplace(const std::string& name, const std::vector<int32_t>& uids,
212 UidOwnerMatchType match) {
213 bool isAllowlist = true;
214 EXPECT_EQ(0, mTc.replaceUidOwnerMap(name, isAllowlist, uids));
215 checkEachUidValue(uids, match);
216
217 isAllowlist = false;
218 EXPECT_EQ(0, mTc.replaceUidOwnerMap(name, isAllowlist, uids));
219 checkEachUidValue(uids, match);
220 }
221
222 void expectUidOwnerMapValues(const std::vector<uint32_t>& appUids, uint8_t expectedRule,
223 uint32_t expectedIif) {
224 for (uint32_t uid : appUids) {
225 Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
226 EXPECT_RESULT_OK(value);
227 EXPECT_EQ(expectedRule, value.value().rule)
228 << "Expected rule for UID " << uid << " to be " << expectedRule << ", but was "
229 << value.value().rule;
230 EXPECT_EQ(expectedIif, value.value().iif)
231 << "Expected iif for UID " << uid << " to be " << expectedIif << ", but was "
232 << value.value().iif;
233 }
234 }
235
236 template <class Key, class Value>
237 void expectMapEmpty(BpfMap<Key, Value>& map) {
238 auto isEmpty = map.isEmpty();
239 EXPECT_RESULT_OK(isEmpty);
240 EXPECT_TRUE(isEmpty.value());
241 }
242
243 void expectUidPermissionMapValues(const std::vector<uid_t>& appUids, uint8_t expectedValue) {
244 for (uid_t uid : appUids) {
245 Result<uint8_t> value = mFakeUidPermissionMap.readValue(uid);
246 EXPECT_RESULT_OK(value);
247 EXPECT_EQ(expectedValue, value.value())
248 << "Expected value for UID " << uid << " to be " << expectedValue
249 << ", but was " << value.value();
250 }
251 }
252
253 void expectPrivilegedUserSet(const std::vector<uid_t>& appUids) {
254 std::lock_guard guard(mTc.mMutex);
255 EXPECT_EQ(appUids.size(), mTc.mPrivilegedUser.size());
256 for (uid_t uid : appUids) {
257 EXPECT_NE(mTc.mPrivilegedUser.end(), mTc.mPrivilegedUser.find(uid));
258 }
259 }
260
261 void expectPrivilegedUserSetEmpty() {
262 std::lock_guard guard(mTc.mMutex);
263 EXPECT_TRUE(mTc.mPrivilegedUser.empty());
264 }
265
266 void addPrivilegedUid(uid_t uid) {
267 std::vector privilegedUid = {uid};
268 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, privilegedUid);
269 }
270
271 void removePrivilegedUid(uid_t uid) {
272 std::vector privilegedUid = {uid};
273 mTc.setPermissionForUids(INetd::PERMISSION_NONE, privilegedUid);
274 }
275
276 void expectFakeStatsUnchanged(uint64_t cookie, uint32_t tag, uint32_t uid,
277 StatsKey tagStatsMapKey) {
278 Result<UidTagValue> cookieMapResult = mFakeCookieTagMap.readValue(cookie);
279 EXPECT_RESULT_OK(cookieMapResult);
280 EXPECT_EQ(uid, cookieMapResult.value().uid);
281 EXPECT_EQ(tag, cookieMapResult.value().tag);
282 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid);
283 EXPECT_RESULT_OK(counterSetResult);
284 EXPECT_EQ(TEST_COUNTERSET, counterSetResult.value());
285 Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey);
286 EXPECT_RESULT_OK(statsMapResult);
287 EXPECT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
288 EXPECT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
289 tagStatsMapKey.tag = 0;
290 statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey);
291 EXPECT_RESULT_OK(statsMapResult);
292 EXPECT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
293 EXPECT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
294 auto appStatsResult = mFakeAppUidStatsMap.readValue(uid);
295 EXPECT_RESULT_OK(appStatsResult);
296 EXPECT_EQ((uint64_t)1, appStatsResult.value().rxPackets);
297 EXPECT_EQ((uint64_t)100, appStatsResult.value().rxBytes);
298 }
299
300 void expectTagSocketReachLimit(uint32_t tag, uint32_t uid) {
301 int sock = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
302 EXPECT_LE(0, sock);
303 if (sock < 0) return;
304 uint64_t sockCookie = getSocketCookie(sock);
305 EXPECT_NE(NONEXISTENT_COOKIE, sockCookie);
306 EXPECT_EQ(-EMFILE, mTc.tagSocket(sock, tag, uid, uid));
307 expectNoTag(sockCookie);
308
309 // Delete stats entries then tag socket success
310 EXPECT_EQ(0, mTc.deleteTagData(0, uid, 0));
311 EXPECT_EQ(0, mTc.tagSocket(sock, tag, uid, uid));
312 expectUidTag(sockCookie, uid, tag);
313 }
314};
315
316TEST_F(TrafficControllerTest, TestTagSocketV4) {
317 uint64_t sockCookie;
318 int v4socket = setUpSocketAndTag(AF_INET, &sockCookie, TEST_TAG, TEST_UID, TEST_UID);
319 expectUidTag(sockCookie, TEST_UID, TEST_TAG);
320 ASSERT_EQ(0, mTc.untagSocket(v4socket));
321 expectNoTag(sockCookie);
322 expectMapEmpty(mFakeCookieTagMap);
323}
324
325TEST_F(TrafficControllerTest, TestReTagSocket) {
326 uint64_t sockCookie;
327 int v4socket = setUpSocketAndTag(AF_INET, &sockCookie, TEST_TAG, TEST_UID, TEST_UID);
328 expectUidTag(sockCookie, TEST_UID, TEST_TAG);
329 ASSERT_EQ(0, mTc.tagSocket(v4socket, TEST_TAG + 1, TEST_UID + 1, TEST_UID + 1));
330 expectUidTag(sockCookie, TEST_UID + 1, TEST_TAG + 1);
331}
332
333TEST_F(TrafficControllerTest, TestTagTwoSockets) {
334 uint64_t sockCookie1;
335 uint64_t sockCookie2;
336 int v4socket1 = setUpSocketAndTag(AF_INET, &sockCookie1, TEST_TAG, TEST_UID, TEST_UID);
337 setUpSocketAndTag(AF_INET, &sockCookie2, TEST_TAG, TEST_UID, TEST_UID);
338 expectUidTag(sockCookie1, TEST_UID, TEST_TAG);
339 expectUidTag(sockCookie2, TEST_UID, TEST_TAG);
340 ASSERT_EQ(0, mTc.untagSocket(v4socket1));
341 expectNoTag(sockCookie1);
342 expectUidTag(sockCookie2, TEST_UID, TEST_TAG);
343 ASSERT_FALSE(mFakeCookieTagMap.getNextKey(sockCookie2).ok());
344}
345
346TEST_F(TrafficControllerTest, TestTagSocketV6) {
347 uint64_t sockCookie;
348 int v6socket = setUpSocketAndTag(AF_INET6, &sockCookie, TEST_TAG, TEST_UID, TEST_UID);
349 expectUidTag(sockCookie, TEST_UID, TEST_TAG);
350 ASSERT_EQ(0, mTc.untagSocket(v6socket));
351 expectNoTag(sockCookie);
352 expectMapEmpty(mFakeCookieTagMap);
353}
354
355TEST_F(TrafficControllerTest, TestTagInvalidSocket) {
356 int invalidSocket = -1;
357 ASSERT_GT(0, mTc.tagSocket(invalidSocket, TEST_TAG, TEST_UID, TEST_UID));
358 expectMapEmpty(mFakeCookieTagMap);
359}
360
361TEST_F(TrafficControllerTest, TestTagSocketWithoutPermission) {
362 int sock = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
363 ASSERT_NE(-1, sock);
364 ASSERT_EQ(-EPERM, mTc.tagSocket(sock, TEST_TAG, TEST_UID, TEST_UID2));
365 expectMapEmpty(mFakeCookieTagMap);
366}
367
368TEST_F(TrafficControllerTest, TestTagSocketWithPermission) {
369 // Grant permission to calling uid.
370 std::vector<uid_t> callingUid = {TEST_UID2};
371 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, callingUid);
372
373 // Tag a socket to a different uid other then callingUid.
374 uint64_t sockCookie;
375 int v6socket = setUpSocketAndTag(AF_INET6, &sockCookie, TEST_TAG, TEST_UID, TEST_UID2);
376 expectUidTag(sockCookie, TEST_UID, TEST_TAG);
377 EXPECT_EQ(0, mTc.untagSocket(v6socket));
378 expectNoTag(sockCookie);
379 expectMapEmpty(mFakeCookieTagMap);
380
381 // Clean up the permission
382 mTc.setPermissionForUids(INetd::PERMISSION_NONE, callingUid);
383 expectPrivilegedUserSetEmpty();
384}
385
386TEST_F(TrafficControllerTest, TestUntagInvalidSocket) {
387 int invalidSocket = -1;
388 ASSERT_GT(0, mTc.untagSocket(invalidSocket));
389 int v4socket = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
390 ASSERT_GT(0, mTc.untagSocket(v4socket));
391 expectMapEmpty(mFakeCookieTagMap);
392}
393
394TEST_F(TrafficControllerTest, TestTagSocketReachLimitFail) {
395 uid_t uid = TEST_UID;
396 StatsKey tagStatsMapKey[4];
397 for (int i = 0; i < 3; i++) {
398 uint64_t cookie = TEST_COOKIE + i;
399 uint32_t tag = TEST_TAG + i;
400 populateFakeStats(cookie, uid, tag, &tagStatsMapKey[i]);
401 }
402 expectTagSocketReachLimit(TEST_TAG, TEST_UID);
403}
404
405TEST_F(TrafficControllerTest, TestTagSocketReachTotalLimitFail) {
406 StatsKey tagStatsMapKey[4];
407 for (int i = 0; i < 4; i++) {
408 uint64_t cookie = TEST_COOKIE + i;
409 uint32_t tag = TEST_TAG + i;
410 uid_t uid = TEST_UID + i;
411 populateFakeStats(cookie, uid, tag, &tagStatsMapKey[i]);
412 }
413 expectTagSocketReachLimit(TEST_TAG, TEST_UID);
414}
415
416TEST_F(TrafficControllerTest, TestSetCounterSet) {
417 uid_t callingUid = TEST_UID2;
418 addPrivilegedUid(callingUid);
419 ASSERT_EQ(0, mTc.setCounterSet(TEST_COUNTERSET, TEST_UID, callingUid));
420 uid_t uid = TEST_UID;
421 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid);
422 ASSERT_RESULT_OK(counterSetResult);
423 ASSERT_EQ(TEST_COUNTERSET, counterSetResult.value());
424 ASSERT_EQ(0, mTc.setCounterSet(DEFAULT_COUNTERSET, TEST_UID, callingUid));
425 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid).ok());
426 expectMapEmpty(mFakeUidCounterSetMap);
427}
428
429TEST_F(TrafficControllerTest, TestSetCounterSetWithoutPermission) {
430 ASSERT_EQ(-EPERM, mTc.setCounterSet(TEST_COUNTERSET, TEST_UID, TEST_UID2));
431 uid_t uid = TEST_UID;
432 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid).ok());
433 expectMapEmpty(mFakeUidCounterSetMap);
434}
435
436TEST_F(TrafficControllerTest, TestSetInvalidCounterSet) {
437 uid_t callingUid = TEST_UID2;
438 addPrivilegedUid(callingUid);
439 ASSERT_GT(0, mTc.setCounterSet(OVERFLOW_COUNTERSET, TEST_UID, callingUid));
440 uid_t uid = TEST_UID;
441 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid).ok());
442 expectMapEmpty(mFakeUidCounterSetMap);
443}
444
445TEST_F(TrafficControllerTest, TestDeleteTagDataWithoutPermission) {
446 uint64_t cookie = 1;
447 uid_t uid = TEST_UID;
448 uint32_t tag = TEST_TAG;
449 StatsKey tagStatsMapKey;
450 populateFakeStats(cookie, uid, tag, &tagStatsMapKey);
451 ASSERT_EQ(-EPERM, mTc.deleteTagData(0, TEST_UID, TEST_UID2));
452
453 expectFakeStatsUnchanged(cookie, tag, uid, tagStatsMapKey);
454}
455
456TEST_F(TrafficControllerTest, TestDeleteTagData) {
457 uid_t callingUid = TEST_UID2;
458 addPrivilegedUid(callingUid);
459 uint64_t cookie = 1;
460 uid_t uid = TEST_UID;
461 uint32_t tag = TEST_TAG;
462 StatsKey tagStatsMapKey;
463 populateFakeStats(cookie, uid, tag, &tagStatsMapKey);
464 ASSERT_EQ(0, mTc.deleteTagData(TEST_TAG, TEST_UID, callingUid));
465 ASSERT_FALSE(mFakeCookieTagMap.readValue(cookie).ok());
466 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid);
467 ASSERT_RESULT_OK(counterSetResult);
468 ASSERT_EQ(TEST_COUNTERSET, counterSetResult.value());
469 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey).ok());
470 tagStatsMapKey.tag = 0;
471 Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey);
472 ASSERT_RESULT_OK(statsMapResult);
473 ASSERT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
474 ASSERT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
475 auto appStatsResult = mFakeAppUidStatsMap.readValue(TEST_UID);
476 ASSERT_RESULT_OK(appStatsResult);
477 ASSERT_EQ((uint64_t)1, appStatsResult.value().rxPackets);
478 ASSERT_EQ((uint64_t)100, appStatsResult.value().rxBytes);
479}
480
481TEST_F(TrafficControllerTest, TestDeleteAllUidData) {
482 uid_t callingUid = TEST_UID2;
483 addPrivilegedUid(callingUid);
484 uint64_t cookie = 1;
485 uid_t uid = TEST_UID;
486 uint32_t tag = TEST_TAG;
487 StatsKey tagStatsMapKey;
488 populateFakeStats(cookie, uid, tag, &tagStatsMapKey);
489 ASSERT_EQ(0, mTc.deleteTagData(0, TEST_UID, callingUid));
490 ASSERT_FALSE(mFakeCookieTagMap.readValue(cookie).ok());
491 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid).ok());
492 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey).ok());
493 tagStatsMapKey.tag = 0;
494 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey).ok());
495 ASSERT_FALSE(mFakeAppUidStatsMap.readValue(TEST_UID).ok());
496}
497
498TEST_F(TrafficControllerTest, TestDeleteDataWithTwoTags) {
499 uid_t callingUid = TEST_UID2;
500 addPrivilegedUid(callingUid);
501 uint64_t cookie1 = 1;
502 uint64_t cookie2 = 2;
503 uid_t uid = TEST_UID;
504 uint32_t tag1 = TEST_TAG;
505 uint32_t tag2 = TEST_TAG + 1;
506 StatsKey tagStatsMapKey1;
507 StatsKey tagStatsMapKey2;
508 populateFakeStats(cookie1, uid, tag1, &tagStatsMapKey1);
509 populateFakeStats(cookie2, uid, tag2, &tagStatsMapKey2);
510 ASSERT_EQ(0, mTc.deleteTagData(TEST_TAG, TEST_UID, callingUid));
511 ASSERT_FALSE(mFakeCookieTagMap.readValue(cookie1).ok());
512 Result<UidTagValue> cookieMapResult = mFakeCookieTagMap.readValue(cookie2);
513 ASSERT_RESULT_OK(cookieMapResult);
514 ASSERT_EQ(TEST_UID, cookieMapResult.value().uid);
515 ASSERT_EQ(TEST_TAG + 1, cookieMapResult.value().tag);
516 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid);
517 ASSERT_RESULT_OK(counterSetResult);
518 ASSERT_EQ(TEST_COUNTERSET, counterSetResult.value());
519 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey1).ok());
520 Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey2);
521 ASSERT_RESULT_OK(statsMapResult);
522 ASSERT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
523 ASSERT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
524}
525
526TEST_F(TrafficControllerTest, TestDeleteDataWithTwoUids) {
527 uid_t callingUid = TEST_UID2;
528 addPrivilegedUid(callingUid);
529 uint64_t cookie1 = 1;
530 uint64_t cookie2 = 2;
531 uid_t uid1 = TEST_UID;
532 uid_t uid2 = TEST_UID + 1;
533 uint32_t tag = TEST_TAG;
534 StatsKey tagStatsMapKey1;
535 StatsKey tagStatsMapKey2;
536 populateFakeStats(cookie1, uid1, tag, &tagStatsMapKey1);
537 populateFakeStats(cookie2, uid2, tag, &tagStatsMapKey2);
538
539 // Delete the stats of one of the uid. Check if it is properly collected by
540 // removedStats.
541 ASSERT_EQ(0, mTc.deleteTagData(0, uid2, callingUid));
542 ASSERT_FALSE(mFakeCookieTagMap.readValue(cookie2).ok());
543 Result<uint8_t> counterSetResult = mFakeUidCounterSetMap.readValue(uid1);
544 ASSERT_RESULT_OK(counterSetResult);
545 ASSERT_EQ(TEST_COUNTERSET, counterSetResult.value());
546 ASSERT_FALSE(mFakeUidCounterSetMap.readValue(uid2).ok());
547 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey2).ok());
548 tagStatsMapKey2.tag = 0;
549 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey2).ok());
550 ASSERT_FALSE(mFakeAppUidStatsMap.readValue(uid2).ok());
551 tagStatsMapKey1.tag = 0;
552 Result<StatsValue> statsMapResult = mFakeStatsMapA.readValue(tagStatsMapKey1);
553 ASSERT_RESULT_OK(statsMapResult);
554 ASSERT_EQ((uint64_t)1, statsMapResult.value().rxPackets);
555 ASSERT_EQ((uint64_t)100, statsMapResult.value().rxBytes);
556 auto appStatsResult = mFakeAppUidStatsMap.readValue(uid1);
557 ASSERT_RESULT_OK(appStatsResult);
558 ASSERT_EQ((uint64_t)1, appStatsResult.value().rxPackets);
559 ASSERT_EQ((uint64_t)100, appStatsResult.value().rxBytes);
560
561 // Delete the stats of the other uid.
562 ASSERT_EQ(0, mTc.deleteTagData(0, uid1, callingUid));
563 ASSERT_FALSE(mFakeStatsMapA.readValue(tagStatsMapKey1).ok());
564 ASSERT_FALSE(mFakeAppUidStatsMap.readValue(uid1).ok());
565}
566
567TEST_F(TrafficControllerTest, TestUpdateOwnerMapEntry) {
568 uint32_t uid = TEST_UID;
569 ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, DENY, DENYLIST)));
570 Result<UidOwnerValue> value = mFakeUidOwnerMap.readValue(uid);
571 ASSERT_RESULT_OK(value);
572 ASSERT_TRUE(value.value().rule & STANDBY_MATCH);
573
574 ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(DOZABLE_MATCH, uid, ALLOW, ALLOWLIST)));
575 value = mFakeUidOwnerMap.readValue(uid);
576 ASSERT_RESULT_OK(value);
577 ASSERT_TRUE(value.value().rule & DOZABLE_MATCH);
578
579 ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(DOZABLE_MATCH, uid, DENY, ALLOWLIST)));
580 value = mFakeUidOwnerMap.readValue(uid);
581 ASSERT_RESULT_OK(value);
582 ASSERT_FALSE(value.value().rule & DOZABLE_MATCH);
583
584 ASSERT_TRUE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, ALLOW, DENYLIST)));
585 ASSERT_FALSE(mFakeUidOwnerMap.readValue(uid).ok());
586
587 uid = TEST_UID2;
588 ASSERT_FALSE(isOk(mTc.updateOwnerMapEntry(STANDBY_MATCH, uid, ALLOW, DENYLIST)));
589 ASSERT_FALSE(mFakeUidOwnerMap.readValue(uid).ok());
590}
591
592TEST_F(TrafficControllerTest, TestChangeUidOwnerRule) {
593 checkUidOwnerRuleForChain(DOZABLE, DOZABLE_MATCH);
594 checkUidOwnerRuleForChain(STANDBY, STANDBY_MATCH);
595 checkUidOwnerRuleForChain(POWERSAVE, POWERSAVE_MATCH);
596 checkUidOwnerRuleForChain(RESTRICTED, RESTRICTED_MATCH);
597 ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(NONE, TEST_UID, ALLOW, ALLOWLIST));
598 ASSERT_EQ(-EINVAL, mTc.changeUidOwnerRule(INVALID_CHAIN, TEST_UID, ALLOW, ALLOWLIST));
599}
600
601TEST_F(TrafficControllerTest, TestReplaceUidOwnerMap) {
602 std::vector<int32_t> uids = {TEST_UID, TEST_UID2, TEST_UID3};
603 checkUidMapReplace("fw_dozable", uids, DOZABLE_MATCH);
604 checkUidMapReplace("fw_standby", uids, STANDBY_MATCH);
605 checkUidMapReplace("fw_powersave", uids, POWERSAVE_MATCH);
606 checkUidMapReplace("fw_restricted", uids, RESTRICTED_MATCH);
607 ASSERT_EQ(-EINVAL, mTc.replaceUidOwnerMap("unknow", true, uids));
608}
609
610TEST_F(TrafficControllerTest, TestReplaceSameChain) {
611 std::vector<int32_t> uids = {TEST_UID, TEST_UID2, TEST_UID3};
612 checkUidMapReplace("fw_dozable", uids, DOZABLE_MATCH);
613 std::vector<int32_t> newUids = {TEST_UID2, TEST_UID3};
614 checkUidMapReplace("fw_dozable", newUids, DOZABLE_MATCH);
615}
616
617TEST_F(TrafficControllerTest, TestDenylistUidMatch) {
618 std::vector<uint32_t> appUids = {1000, 1001, 10012};
619 ASSERT_TRUE(isOk(
620 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpInsert)));
621 expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
622 ASSERT_TRUE(isOk(
623 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpDelete)));
624 expectMapEmpty(mFakeUidOwnerMap);
625}
626
627TEST_F(TrafficControllerTest, TestAllowlistUidMatch) {
628 std::vector<uint32_t> appUids = {1000, 1001, 10012};
629 ASSERT_TRUE(
630 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpInsert)));
631 expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
632 ASSERT_TRUE(
633 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpDelete)));
634 expectMapEmpty(mFakeUidOwnerMap);
635}
636
637TEST_F(TrafficControllerTest, TestReplaceMatchUid) {
638 std::vector<uint32_t> appUids = {1000, 1001, 10012};
639 // Add appUids to the denylist and expect that their values are all PENALTY_BOX_MATCH.
640 ASSERT_TRUE(isOk(
641 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpInsert)));
642 expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
643
644 // Add the same UIDs to the allowlist and expect that we get PENALTY_BOX_MATCH |
645 // HAPPY_BOX_MATCH.
646 ASSERT_TRUE(
647 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpInsert)));
648 expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH | PENALTY_BOX_MATCH, 0);
649
650 // Remove the same UIDs from the allowlist and check the PENALTY_BOX_MATCH is still there.
651 ASSERT_TRUE(
652 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpDelete)));
653 expectUidOwnerMapValues(appUids, PENALTY_BOX_MATCH, 0);
654
655 // Remove the same UIDs from the denylist and check the map is empty.
656 ASSERT_TRUE(isOk(
657 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpDelete)));
658 ASSERT_FALSE(mFakeUidOwnerMap.getFirstKey().ok());
659}
660
661TEST_F(TrafficControllerTest, TestDeleteWrongMatchSilentlyFails) {
662 std::vector<uint32_t> appUids = {1000, 1001, 10012};
663 // If the uid does not exist in the map, trying to delete a rule about it will fail.
664 ASSERT_FALSE(
665 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpDelete)));
666 expectMapEmpty(mFakeUidOwnerMap);
667
668 // Add denylist rules for appUids.
669 ASSERT_TRUE(
670 isOk(mTc.updateUidOwnerMap(appUids, HAPPY_BOX_MATCH, TrafficController::IptOpInsert)));
671 expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
672
673 // Delete (non-existent) denylist rules for appUids, and check that this silently does
674 // nothing if the uid is in the map but does not have denylist match. This is required because
675 // NetworkManagementService will try to remove a uid from denylist after adding it to the
676 // allowlist and if the remove fails it will not update the uid status.
677 ASSERT_TRUE(isOk(
678 mTc.updateUidOwnerMap(appUids, PENALTY_BOX_MATCH, TrafficController::IptOpDelete)));
679 expectUidOwnerMapValues(appUids, HAPPY_BOX_MATCH, 0);
680}
681
682TEST_F(TrafficControllerTest, TestAddUidInterfaceFilteringRules) {
683 int iif0 = 15;
684 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif0, {1000, 1001})));
685 expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
686
687 // Add some non-overlapping new uids. They should coexist with existing rules
688 int iif1 = 16;
689 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {2000, 2001})));
690 expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
691 expectUidOwnerMapValues({2000, 2001}, IIF_MATCH, iif1);
692
693 // Overwrite some existing uids
694 int iif2 = 17;
695 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif2, {1000, 2000})));
696 expectUidOwnerMapValues({1001}, IIF_MATCH, iif0);
697 expectUidOwnerMapValues({2001}, IIF_MATCH, iif1);
698 expectUidOwnerMapValues({1000, 2000}, IIF_MATCH, iif2);
699}
700
701TEST_F(TrafficControllerTest, TestRemoveUidInterfaceFilteringRules) {
702 int iif0 = 15;
703 int iif1 = 16;
704 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif0, {1000, 1001})));
705 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {2000, 2001})));
706 expectUidOwnerMapValues({1000, 1001}, IIF_MATCH, iif0);
707 expectUidOwnerMapValues({2000, 2001}, IIF_MATCH, iif1);
708
709 // Rmove some uids
710 ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1001, 2001})));
711 expectUidOwnerMapValues({1000}, IIF_MATCH, iif0);
712 expectUidOwnerMapValues({2000}, IIF_MATCH, iif1);
713 checkEachUidValue({1000, 2000}, IIF_MATCH); // Make sure there are only two uids remaining
714
715 // Remove non-existent uids shouldn't fail
716 ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({2000, 3000})));
717 expectUidOwnerMapValues({1000}, IIF_MATCH, iif0);
718 checkEachUidValue({1000}, IIF_MATCH); // Make sure there are only one uid remaining
719
720 // Remove everything
721 ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({1000})));
722 expectMapEmpty(mFakeUidOwnerMap);
723}
724
725TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesCoexistWithExistingMatches) {
726 // Set up existing PENALTY_BOX_MATCH rules
727 ASSERT_TRUE(isOk(mTc.updateUidOwnerMap({1000, 1001, 10012}, PENALTY_BOX_MATCH,
728 TrafficController::IptOpInsert)));
729 expectUidOwnerMapValues({1000, 1001, 10012}, PENALTY_BOX_MATCH, 0);
730
731 // Add some partially-overlapping uid owner rules and check result
732 int iif1 = 32;
733 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {10012, 10013, 10014})));
734 expectUidOwnerMapValues({1000, 1001}, PENALTY_BOX_MATCH, 0);
735 expectUidOwnerMapValues({10012}, PENALTY_BOX_MATCH | IIF_MATCH, iif1);
736 expectUidOwnerMapValues({10013, 10014}, IIF_MATCH, iif1);
737
738 // Removing some PENALTY_BOX_MATCH rules should not change uid interface rule
739 ASSERT_TRUE(isOk(mTc.updateUidOwnerMap({1001, 10012}, PENALTY_BOX_MATCH,
740 TrafficController::IptOpDelete)));
741 expectUidOwnerMapValues({1000}, PENALTY_BOX_MATCH, 0);
742 expectUidOwnerMapValues({10012, 10013, 10014}, IIF_MATCH, iif1);
743
744 // Remove all uid interface rules
745 ASSERT_TRUE(isOk(mTc.removeUidInterfaceRules({10012, 10013, 10014})));
746 expectUidOwnerMapValues({1000}, PENALTY_BOX_MATCH, 0);
747 // Make sure these are the only uids left
748 checkEachUidValue({1000}, PENALTY_BOX_MATCH);
749}
750
751TEST_F(TrafficControllerTest, TestUidInterfaceFilteringRulesCoexistWithNewMatches) {
752 int iif1 = 56;
753 // Set up existing uid interface rules
754 ASSERT_TRUE(isOk(mTc.addUidInterfaceRules(iif1, {10001, 10002})));
755 expectUidOwnerMapValues({10001, 10002}, IIF_MATCH, iif1);
756
757 // Add some partially-overlapping doze rules
758 EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_dozable", true, {10002, 10003}));
759 expectUidOwnerMapValues({10001}, IIF_MATCH, iif1);
760 expectUidOwnerMapValues({10002}, DOZABLE_MATCH | IIF_MATCH, iif1);
761 expectUidOwnerMapValues({10003}, DOZABLE_MATCH, 0);
762
763 // Introduce a third rule type (powersave) on various existing UIDs
764 EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_powersave", true, {10000, 10001, 10002, 10003}));
765 expectUidOwnerMapValues({10000}, POWERSAVE_MATCH, 0);
766 expectUidOwnerMapValues({10001}, POWERSAVE_MATCH | IIF_MATCH, iif1);
767 expectUidOwnerMapValues({10002}, POWERSAVE_MATCH | DOZABLE_MATCH | IIF_MATCH, iif1);
768 expectUidOwnerMapValues({10003}, POWERSAVE_MATCH | DOZABLE_MATCH, 0);
769
770 // Remove all doze rules
771 EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_dozable", true, {}));
772 expectUidOwnerMapValues({10000}, POWERSAVE_MATCH, 0);
773 expectUidOwnerMapValues({10001}, POWERSAVE_MATCH | IIF_MATCH, iif1);
774 expectUidOwnerMapValues({10002}, POWERSAVE_MATCH | IIF_MATCH, iif1);
775 expectUidOwnerMapValues({10003}, POWERSAVE_MATCH, 0);
776
777 // Remove all powersave rules, expect ownerMap to only have uid interface rules left
778 EXPECT_EQ(0, mTc.replaceUidOwnerMap("fw_powersave", true, {}));
779 expectUidOwnerMapValues({10001, 10002}, IIF_MATCH, iif1);
780 // Make sure these are the only uids left
781 checkEachUidValue({10001, 10002}, IIF_MATCH);
782}
783
784TEST_F(TrafficControllerTest, TestGrantInternetPermission) {
785 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
786
787 mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, appUids);
788 expectMapEmpty(mFakeUidPermissionMap);
789 expectPrivilegedUserSetEmpty();
790}
791
792TEST_F(TrafficControllerTest, TestRevokeInternetPermission) {
793 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
794
795 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
796 expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
797}
798
799TEST_F(TrafficControllerTest, TestPermissionUninstalled) {
800 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
801
802 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
803 expectUidPermissionMapValues(appUids, INetd::PERMISSION_UPDATE_DEVICE_STATS);
804 expectPrivilegedUserSet(appUids);
805
806 std::vector<uid_t> uidToRemove = {TEST_UID};
807 mTc.setPermissionForUids(INetd::PERMISSION_UNINSTALLED, uidToRemove);
808
809 std::vector<uid_t> uidRemain = {TEST_UID3, TEST_UID2};
810 expectUidPermissionMapValues(uidRemain, INetd::PERMISSION_UPDATE_DEVICE_STATS);
811 expectPrivilegedUserSet(uidRemain);
812
813 mTc.setPermissionForUids(INetd::PERMISSION_UNINSTALLED, uidRemain);
814 expectMapEmpty(mFakeUidPermissionMap);
815 expectPrivilegedUserSetEmpty();
816}
817
818TEST_F(TrafficControllerTest, TestGrantUpdateStatsPermission) {
819 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
820
821 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
822 expectUidPermissionMapValues(appUids, INetd::PERMISSION_UPDATE_DEVICE_STATS);
823 expectPrivilegedUserSet(appUids);
824
825 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
826 expectPrivilegedUserSetEmpty();
827 expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
828}
829
830TEST_F(TrafficControllerTest, TestRevokeUpdateStatsPermission) {
831 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
832
833 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
834 expectPrivilegedUserSet(appUids);
835
836 std::vector<uid_t> uidToRemove = {TEST_UID};
837 mTc.setPermissionForUids(INetd::PERMISSION_NONE, uidToRemove);
838
839 std::vector<uid_t> uidRemain = {TEST_UID3, TEST_UID2};
840 expectPrivilegedUserSet(uidRemain);
841
842 mTc.setPermissionForUids(INetd::PERMISSION_NONE, uidRemain);
843 expectPrivilegedUserSetEmpty();
844}
845
846TEST_F(TrafficControllerTest, TestGrantWrongPermission) {
847 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
848
849 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
850 expectPrivilegedUserSetEmpty();
851 expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
852}
853
854TEST_F(TrafficControllerTest, TestGrantDuplicatePermissionSlientlyFail) {
855 std::vector<uid_t> appUids = {TEST_UID, TEST_UID2, TEST_UID3};
856
857 mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, appUids);
858 expectMapEmpty(mFakeUidPermissionMap);
859
860 std::vector<uid_t> uidToAdd = {TEST_UID};
861 mTc.setPermissionForUids(INetd::PERMISSION_INTERNET, uidToAdd);
862
863 expectPrivilegedUserSetEmpty();
864
865 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
866 expectUidPermissionMapValues(appUids, INetd::PERMISSION_NONE);
867
868 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, appUids);
869 expectPrivilegedUserSet(appUids);
870
871 mTc.setPermissionForUids(INetd::PERMISSION_UPDATE_DEVICE_STATS, uidToAdd);
872 expectPrivilegedUserSet(appUids);
873
874 mTc.setPermissionForUids(INetd::PERMISSION_NONE, appUids);
875 expectPrivilegedUserSetEmpty();
876}
877
878} // namespace net
879} // namespace android