| Ken Chen | d4876de | 2023-09-13 00:53:52 +0800 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright (C) 2023 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #include <gtest/gtest.h> |
| 18 | #include <private/android_filesystem_config.h> |
| 19 | |
| 20 | #define BPF_MAP_MAKE_VISIBLE_FOR_TESTING |
| 21 | #include "DnsBpfHelper.h" |
| 22 | |
| 23 | using namespace android::bpf; // NOLINT(google-build-using-namespace): exempted |
| 24 | |
| 25 | namespace android { |
| 26 | namespace net { |
| 27 | |
| 28 | constexpr int TEST_MAP_SIZE = 2; |
| 29 | |
| 30 | #define ASSERT_VALID(x) ASSERT_TRUE((x).isValid()) |
| 31 | |
| 32 | class DnsBpfHelperTest : public ::testing::Test { |
| 33 | protected: |
| 34 | DnsBpfHelper mDnsBpfHelper; |
| 35 | BpfMap<uint32_t, uint32_t> mFakeConfigurationMap; |
| 36 | BpfMap<uint32_t, UidOwnerValue> mFakeUidOwnerMap; |
| 37 | |
| 38 | void SetUp() { |
| 39 | mFakeConfigurationMap.resetMap(BPF_MAP_TYPE_ARRAY, CONFIGURATION_MAP_SIZE); |
| 40 | ASSERT_VALID(mFakeConfigurationMap); |
| 41 | |
| 42 | mFakeUidOwnerMap.resetMap(BPF_MAP_TYPE_HASH, TEST_MAP_SIZE); |
| 43 | ASSERT_VALID(mFakeUidOwnerMap); |
| 44 | |
| 45 | mDnsBpfHelper.mConfigurationMap = mFakeConfigurationMap; |
| 46 | ASSERT_VALID(mDnsBpfHelper.mConfigurationMap); |
| 47 | mDnsBpfHelper.mUidOwnerMap = mFakeUidOwnerMap; |
| 48 | ASSERT_VALID(mDnsBpfHelper.mUidOwnerMap); |
| 49 | } |
| 50 | |
| 51 | void ResetAllMaps() { |
| 52 | mDnsBpfHelper.mConfigurationMap.reset(); |
| 53 | mDnsBpfHelper.mUidOwnerMap.reset(); |
| 54 | } |
| 55 | }; |
| 56 | |
| 57 | TEST_F(DnsBpfHelperTest, IsUidNetworkingBlocked) { |
| 58 | struct TestConfig { |
| 59 | const uid_t uid; |
| 60 | const uint32_t enabledRules; |
| 61 | const uint32_t uidRules; |
| 62 | const int expectedResult; |
| 63 | std::string toString() const { |
| 64 | return fmt::format( |
| 65 | "uid: {}, enabledRules: {}, uidRules: {}, expectedResult: {}", |
| 66 | uid, enabledRules, uidRules, expectedResult); |
| 67 | } |
| 68 | } testConfigs[] = { |
| 69 | // clang-format off |
| 70 | // No rule enabled: |
| 71 | // uid, enabledRules, uidRules, expectedResult |
| 72 | {AID_APP_START, NO_MATCH, NO_MATCH, false}, |
| 73 | |
| 74 | // An allowlist rule: |
| 75 | {AID_APP_START, NO_MATCH, DOZABLE_MATCH, false}, |
| 76 | {AID_APP_START, DOZABLE_MATCH, NO_MATCH, true}, |
| 77 | {AID_APP_START, DOZABLE_MATCH, DOZABLE_MATCH, false}, |
| 78 | // A denylist rule |
| 79 | {AID_APP_START, NO_MATCH, STANDBY_MATCH, false}, |
| 80 | {AID_APP_START, STANDBY_MATCH, NO_MATCH, false}, |
| 81 | {AID_APP_START, STANDBY_MATCH, STANDBY_MATCH, true}, |
| 82 | |
| 83 | // Multiple rules enabled: |
| 84 | // Match only part of the enabled allowlist rules. |
| 85 | {AID_APP_START, DOZABLE_MATCH|POWERSAVE_MATCH, DOZABLE_MATCH, true}, |
| 86 | {AID_APP_START, DOZABLE_MATCH|POWERSAVE_MATCH, POWERSAVE_MATCH, true}, |
| 87 | // Match all of the enabled allowlist rules. |
| 88 | {AID_APP_START, DOZABLE_MATCH|POWERSAVE_MATCH, DOZABLE_MATCH|POWERSAVE_MATCH, false}, |
| 89 | // Match allowlist. |
| 90 | {AID_APP_START, DOZABLE_MATCH|STANDBY_MATCH, DOZABLE_MATCH, false}, |
| 91 | // Match no rule. |
| 92 | {AID_APP_START, DOZABLE_MATCH|STANDBY_MATCH, NO_MATCH, true}, |
| 93 | {AID_APP_START, DOZABLE_MATCH|POWERSAVE_MATCH, NO_MATCH, true}, |
| 94 | |
| 95 | // System UID: always unblocked. |
| 96 | {AID_SYSTEM, NO_MATCH, NO_MATCH, false}, |
| 97 | {AID_SYSTEM, NO_MATCH, DOZABLE_MATCH, false}, |
| 98 | {AID_SYSTEM, DOZABLE_MATCH, NO_MATCH, false}, |
| 99 | {AID_SYSTEM, DOZABLE_MATCH, DOZABLE_MATCH, false}, |
| 100 | {AID_SYSTEM, NO_MATCH, STANDBY_MATCH, false}, |
| 101 | {AID_SYSTEM, STANDBY_MATCH, NO_MATCH, false}, |
| 102 | {AID_SYSTEM, STANDBY_MATCH, STANDBY_MATCH, false}, |
| 103 | {AID_SYSTEM, DOZABLE_MATCH|POWERSAVE_MATCH, DOZABLE_MATCH, false}, |
| 104 | {AID_SYSTEM, DOZABLE_MATCH|POWERSAVE_MATCH, POWERSAVE_MATCH, false}, |
| 105 | {AID_SYSTEM, DOZABLE_MATCH|POWERSAVE_MATCH, DOZABLE_MATCH|POWERSAVE_MATCH, false}, |
| 106 | {AID_SYSTEM, DOZABLE_MATCH|STANDBY_MATCH, DOZABLE_MATCH, false}, |
| 107 | {AID_SYSTEM, DOZABLE_MATCH|STANDBY_MATCH, NO_MATCH, false}, |
| 108 | {AID_SYSTEM, DOZABLE_MATCH|POWERSAVE_MATCH, NO_MATCH, false}, |
| 109 | // clang-format on |
| 110 | }; |
| 111 | |
| 112 | for (const auto& config : testConfigs) { |
| 113 | SCOPED_TRACE(config.toString()); |
| 114 | |
| 115 | // Setup maps. |
| 116 | EXPECT_RESULT_OK(mFakeConfigurationMap.writeValue(UID_RULES_CONFIGURATION_KEY, |
| 117 | config.enabledRules, BPF_EXIST)); |
| 118 | EXPECT_RESULT_OK(mFakeUidOwnerMap.writeValue(config.uid, {.iif = 0, .rule = config.uidRules}, |
| 119 | BPF_ANY)); |
| 120 | |
| 121 | // Verify the function. |
| 122 | auto result = mDnsBpfHelper.isUidNetworkingBlocked(config.uid, /*metered=*/false); |
| 123 | EXPECT_TRUE(result.ok()); |
| 124 | EXPECT_EQ(config.expectedResult, result.value()); |
| 125 | } |
| 126 | } |
| 127 | |
| 128 | TEST_F(DnsBpfHelperTest, IsUidNetworkingBlocked_uninitialized) { |
| 129 | ResetAllMaps(); |
| 130 | |
| 131 | auto result = mDnsBpfHelper.isUidNetworkingBlocked(AID_APP_START, /*metered=*/false); |
| 132 | EXPECT_FALSE(result.ok()); |
| 133 | EXPECT_EQ(EUNATCH, result.error().code()); |
| 134 | |
| 135 | result = mDnsBpfHelper.isUidNetworkingBlocked(AID_SYSTEM, /*metered=*/false); |
| 136 | EXPECT_TRUE(result.ok()); |
| 137 | EXPECT_FALSE(result.value()); |
| 138 | } |
| 139 | |
| 140 | } // namespace net |
| 141 | } // namespace android |