1 /*
2 * Copyright 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * binder_test.cpp - unit tests for netd binder RPCs.
17 */
18
19 #include <algorithm>
20 #include <cerrno>
21 #include <chrono>
22 #include <cinttypes>
23 #include <condition_variable>
24 #include <cstdint>
25 #include <cstdlib>
26 #include <iostream>
27 #include <mutex>
28 #include <numeric>
29 #include <regex>
30 #include <set>
31 #include <string>
32 #include <vector>
33
34 #include <dirent.h>
35 #include <fcntl.h>
36 #include <ifaddrs.h>
37 #include <linux/if.h>
38 #include <linux/if_tun.h>
39 #include <net/ethernet.h>
40 #include <net/if.h>
41 #include <netdb.h>
42 #include <netinet/in.h>
43 #include <netinet/tcp.h>
44 #include <openssl/base64.h>
45 #include <sys/socket.h>
46 #include <sys/types.h>
47
48 #include <android-base/file.h>
49 #include <android-base/format.h>
50 #include <android-base/macros.h>
51 #include <android-base/scopeguard.h>
52 #include <android-base/stringprintf.h>
53 #include <android-base/strings.h>
54 #include <android-base/test_utils.h>
55 #include <android/multinetwork.h>
56 #include <binder/IPCThreadState.h>
57 #include <bpf/KernelUtils.h>
58 #include <com/android/internal/net/BnOemNetdUnsolicitedEventListener.h>
59 #include <com/android/internal/net/IOemNetd.h>
60 #include <cutils/multiuser.h>
61 #include <gtest/gtest.h>
62 #include <netdutils/NetNativeTestBase.h>
63 #include <netutils/ifc.h>
64 #include <utils/Errors.h>
65 #include "Fwmark.h"
66 #include "InterfaceController.h"
67 #include "NetdClient.h"
68 #include "NetdConstants.h"
69 #include "NetworkController.h"
70 #include "RouteController.h"
71 #include "SockDiag.h"
72 #include "TestUnsolService.h"
73 #include "XfrmController.h"
74 #include "android/net/INetd.h"
75 #include "binder/IServiceManager.h"
76 #include "netdutils/InternetAddresses.h"
77 #include "netdutils/Stopwatch.h"
78 #include "netdutils/Syscalls.h"
79 #include "netdutils/Utils.h"
80 #include "netid_client.h" // NETID_UNSET
81 #include "nettestutils/DumpService.h"
82 #include "test_utils.h"
83 #include "tun_interface.h"
84
85 #define IP6TABLES_PATH "/system/bin/ip6tables"
86 #define IPTABLES_PATH "/system/bin/iptables"
87 #define RAW_TABLE "raw"
88 #define MANGLE_TABLE "mangle"
89 #define FILTER_TABLE "filter"
90 #define NAT_TABLE "nat"
91
92 namespace binder = android::binder;
93
94 using android::IBinder;
95 using android::IServiceManager;
96 using android::sp;
97 using android::String16;
98 using android::String8;
99 using android::base::Join;
100 using android::base::make_scope_guard;
101 using android::base::ReadFileToString;
102 using android::base::StartsWith;
103 using android::base::StringPrintf;
104 using android::base::Trim;
105 using android::base::unique_fd;
106 using android::binder::Status;
107 using android::bpf::isAtLeastKernelVersion;
108 using android::net::INetd;
109 using android::net::InterfaceConfigurationParcel;
110 using android::net::InterfaceController;
111 using android::net::MarkMaskParcel;
112 using android::net::NativeNetworkConfig;
113 using android::net::NativeNetworkType;
114 using android::net::NativeVpnType;
115 using android::net::NetworkController;
116 using android::net::RULE_PRIORITY_BYPASSABLE_VPN_LOCAL_EXCLUSION;
117 using android::net::RULE_PRIORITY_BYPASSABLE_VPN_NO_LOCAL_EXCLUSION;
118 using android::net::RULE_PRIORITY_DEFAULT_NETWORK;
119 using android::net::RULE_PRIORITY_EXPLICIT_NETWORK;
120 using android::net::RULE_PRIORITY_LOCAL_NETWORK;
121 using android::net::RULE_PRIORITY_LOCAL_ROUTES;
122 using android::net::RULE_PRIORITY_OUTPUT_INTERFACE;
123 using android::net::RULE_PRIORITY_PROHIBIT_NON_VPN;
124 using android::net::RULE_PRIORITY_SECURE_VPN;
125 using android::net::RULE_PRIORITY_TETHERING;
126 using android::net::RULE_PRIORITY_UID_DEFAULT_NETWORK;
127 using android::net::RULE_PRIORITY_UID_DEFAULT_UNREACHABLE;
128 using android::net::RULE_PRIORITY_UID_EXPLICIT_NETWORK;
129 using android::net::RULE_PRIORITY_UID_IMPLICIT_NETWORK;
130 using android::net::RULE_PRIORITY_UID_LOCAL_ROUTES;
131 using android::net::RULE_PRIORITY_VPN_FALLTHROUGH;
132 using android::net::SockDiag;
133 using android::net::TetherOffloadRuleParcel;
134 using android::net::TetherStatsParcel;
135 using android::net::TunInterface;
136 using android::net::UidRangeParcel;
137 using android::net::UidRanges;
138 using android::net::netd::aidl::NativeUidRangeConfig;
139 using android::netdutils::getIfaceNames;
140 using android::netdutils::IPAddress;
141 using android::netdutils::IPSockAddr;
142 using android::netdutils::ScopedAddrinfo;
143 using android::netdutils::sSyscalls;
144 using android::netdutils::Stopwatch;
145
146 static const char* IP_RULE_V4 = "-4";
147 static const char* IP_RULE_V6 = "-6";
148 static const int TEST_NETID1 = 65501;
149 static const int TEST_NETID2 = 65502;
150 static const int TEST_NETID3 = 65503;
151 static const int TEST_NETID4 = 65504;
152 static const int TEST_DUMP_NETID = 65123;
153 static const char* DNSMASQ = "dnsmasq";
154
155 // Use maximum reserved appId for applications to avoid conflict with existing
156 // uids.
157 static const int TEST_UID1 = 99999;
158 static const int TEST_UID2 = 99998;
159 static const int TEST_UID3 = 99997;
160 static const int TEST_UID4 = 99996;
161 static const int TEST_UID5 = 99995;
162 static const int TEST_UID6 = 99994;
163
164 constexpr int BASE_UID = AID_USER_OFFSET * 5;
165
166 static const std::string NO_SOCKET_ALLOW_RULE("! owner UID match 0-4294967294");
167
168 static const in6_addr V6_ADDR = {
169 {// 2001:db8:cafe::8888
170 .u6_addr8 = {0x20, 0x01, 0x0d, 0xb8, 0xca, 0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0x88, 0x88}}};
171
172 typedef enum { ALL_EXIST, NONE_EXIST } ExistMode;
173
clearQueue(int tunFd)174 static void clearQueue(int tunFd) {
175 char buf[4096];
176 int ret;
177 do {
178 ret = read(tunFd, buf, sizeof(buf));
179 } while (ret > 0);
180 }
181
182 class NetdBinderTest : public NetNativeTestBase {
183 public:
NetdBinderTest()184 NetdBinderTest() {
185 sp<IServiceManager> sm = android::defaultServiceManager();
186 sp<IBinder> binder = sm->getService(String16("netd"));
187 if (binder != nullptr) {
188 mNetd = android::interface_cast<INetd>(binder);
189 }
190 }
191
SetUp()192 void SetUp() override {
193 ASSERT_NE(nullptr, mNetd.get());
194 // drain tun interfaces before every test.
195 clearQueue(sTun.getFdForTesting());
196 clearQueue(sTun2.getFdForTesting());
197 clearQueue(sTun3.getFdForTesting());
198 clearQueue(sTun4.getFdForTesting());
199 }
200
TearDown()201 void TearDown() override {
202 mNetd->networkDestroy(TEST_NETID1);
203 mNetd->networkDestroy(TEST_NETID2);
204 mNetd->networkDestroy(TEST_NETID3);
205 mNetd->networkDestroy(TEST_NETID4);
206 setNetworkForProcess(NETID_UNSET);
207 // Restore default network
208 if (mStoredDefaultNetwork >= 0) mNetd->networkSetDefault(mStoredDefaultNetwork);
209 }
210
211 bool allocateIpSecResources(bool expectOk, int32_t* spi);
212
213 // Static because setting up the tun interface takes about 40ms.
SetUpTestCase()214 static void SetUpTestCase() {
215 setBackgroundNetworkingEnabledForUid(TEST_UID1, true);
216 setBackgroundNetworkingEnabledForUid(TEST_UID2, true);
217 setBackgroundNetworkingEnabledForUid(TEST_UID3, true);
218 setBackgroundNetworkingEnabledForUid(TEST_UID4, true);
219 setBackgroundNetworkingEnabledForUid(TEST_UID5, true);
220 setBackgroundNetworkingEnabledForUid(TEST_UID6, true);
221
222 ASSERT_EQ(0, sTun.init());
223 ASSERT_EQ(0, sTun2.init());
224 ASSERT_EQ(0, sTun3.init());
225 ASSERT_EQ(0, sTun4.init());
226 ASSERT_LE(sTun.name().size(), static_cast<size_t>(IFNAMSIZ));
227 ASSERT_LE(sTun2.name().size(), static_cast<size_t>(IFNAMSIZ));
228 ASSERT_LE(sTun3.name().size(), static_cast<size_t>(IFNAMSIZ));
229 ASSERT_LE(sTun4.name().size(), static_cast<size_t>(IFNAMSIZ));
230
231 // Wait for initial IPv6 packets (MLD, DAD, and RS) to be sent on tuns, so they can be
232 // drained in SetUp().
233 sleep(1);
234 }
235
TearDownTestCase()236 static void TearDownTestCase() {
237 setBackgroundNetworkingEnabledForUid(TEST_UID1, false);
238 setBackgroundNetworkingEnabledForUid(TEST_UID2, false);
239 setBackgroundNetworkingEnabledForUid(TEST_UID3, false);
240 setBackgroundNetworkingEnabledForUid(TEST_UID4, false);
241 setBackgroundNetworkingEnabledForUid(TEST_UID5, false);
242 setBackgroundNetworkingEnabledForUid(TEST_UID6, false);
243
244 // Closing the socket removes the interface and IP addresses.
245 sTun.destroy();
246 sTun2.destroy();
247 sTun3.destroy();
248 sTun4.destroy();
249 }
250
251 static void fakeRemoteSocketPair(unique_fd* clientSocket, unique_fd* serverSocket,
252 unique_fd* acceptedSocket);
253
254 void createVpnNetworkWithUid(bool secure, uid_t uid, int vpnNetId = TEST_NETID2,
255 int fallthroughNetId = TEST_NETID1,
256 int nonDefaultNetId = TEST_NETID3);
257
258 void createAndSetDefaultNetwork(int netId, const std::string& interface,
259 int permission = INetd::PERMISSION_NONE);
260
261 void createPhysicalNetwork(int netId, const std::string& interface,
262 int permission = INetd::PERMISSION_NONE);
263
264 void createDefaultAndOtherPhysicalNetwork(int defaultNetId, int otherNetId);
265
266 void createVpnAndOtherPhysicalNetwork(int systemDefaultNetId, int otherNetId, int vpnNetId,
267 bool secure);
268
269 void createVpnAndAppDefaultNetworkWithUid(int systemDefaultNetId, int appDefaultNetId,
270 int vpnNetId, bool secure,
271 std::vector<UidRangeParcel>&& appDefaultUidRanges,
272 std::vector<UidRangeParcel>&& vpnUidRanges);
273
274 void setupNetworkRoutesForVpnAndDefaultNetworks(
275 int systemDefaultNetId, int appDefaultNetId, int vpnNetId, int otherNetId, bool secure,
276 bool testV6, bool differentLocalRoutes,
277 std::vector<UidRangeParcel>&& appDefaultUidRanges,
278 std::vector<UidRangeParcel>&& vpnUidRanges);
279
280 protected:
281 // Use -1 to represent that default network was not modified because
282 // real netId must be an unsigned value.
283 int mStoredDefaultNetwork = -1;
284 sp<INetd> mNetd;
285 static TunInterface sTun;
286 static TunInterface sTun2;
287 static TunInterface sTun3;
288 static TunInterface sTun4;
289
290 private:
setBackgroundNetworkingEnabledForUid(int uid,bool enabled)291 static void setBackgroundNetworkingEnabledForUid(int uid, bool enabled) {
292 runBinderCommand("connectivity",
293 StringPrintf("set-background-networking-enabled-for-uid %d %s", uid,
294 enabled ? "true" : "false"));
295 }
296 };
297
298 TunInterface NetdBinderTest::sTun;
299 TunInterface NetdBinderTest::sTun2;
300 TunInterface NetdBinderTest::sTun3;
301 TunInterface NetdBinderTest::sTun4;
302
303 class TimedOperation : public Stopwatch {
304 public:
TimedOperation(const std::string & name)305 explicit TimedOperation(const std::string &name): mName(name) {}
~TimedOperation()306 virtual ~TimedOperation() {
307 std::cerr << " " << mName << ": " << timeTakenUs() << "us" << std::endl;
308 }
309
310 private:
311 std::string mName;
312 };
313
TEST_F(NetdBinderTest,IsAlive)314 TEST_F(NetdBinderTest, IsAlive) {
315 TimedOperation t("isAlive RPC");
316 bool isAlive = false;
317 mNetd->isAlive(&isAlive);
318 ASSERT_TRUE(isAlive);
319 }
320
321 namespace {
322
makeNativeNetworkConfig(int netId,NativeNetworkType networkType,int permission,bool secure,bool excludeLocalRoutes)323 NativeNetworkConfig makeNativeNetworkConfig(int netId, NativeNetworkType networkType,
324 int permission, bool secure, bool excludeLocalRoutes) {
325 NativeNetworkConfig config = {};
326 config.netId = netId;
327 config.networkType = networkType;
328 config.permission = permission;
329 config.secure = secure;
330 // The vpnType doesn't matter in AOSP. Just pick a well defined one from INetd.
331 config.vpnType = NativeVpnType::PLATFORM;
332 config.excludeLocalRoutes = excludeLocalRoutes;
333 return config;
334 }
335
336 } // namespace
337
testNetworkExistsButCannotConnect(const sp<INetd> & netd,TunInterface & ifc,const int netId)338 bool testNetworkExistsButCannotConnect(const sp<INetd>& netd, TunInterface& ifc, const int netId) {
339 // If this network exists, we should definitely not be able to create it.
340 // Note that this networkCreate is never allowed to create reserved network IDs, so
341 // this call may fail for other reasons than the network already existing.
342 const auto& config = makeNativeNetworkConfig(netId, NativeNetworkType::PHYSICAL,
343 INetd::PERMISSION_NONE, false, false);
344 EXPECT_FALSE(netd->networkCreate(config).isOk());
345 // Test if the network exist by adding interface. INetd has no dedicated method to query. When
346 // the network exists and the interface can be added, the function succeeds. When the network
347 // exists but the interface cannot be added, it fails with EINVAL, otherwise it is ENONET.
348 binder::Status status = netd->networkAddInterface(netId, ifc.name());
349 if (status.isOk()) { // clean up
350 EXPECT_TRUE(netd->networkRemoveInterface(netId, ifc.name()).isOk());
351 } else if (status.serviceSpecificErrorCode() == ENONET) {
352 return false;
353 }
354
355 const sockaddr_in6 sin6 = {.sin6_family = AF_INET6,
356 .sin6_port = htons(53),
357 .sin6_addr = {{.u6_addr32 = {htonl(0x20010db8), 0, 0, 0}}},
358 };
359 const int s = socket(AF_INET6, SOCK_DGRAM, 0);
360 EXPECT_NE(-1, s);
361 if (s == -1) return true;
362 Fwmark fwmark;
363 fwmark.explicitlySelected = true;
364 fwmark.netId = netId;
365 EXPECT_EQ(0, setsockopt(s, SOL_SOCKET, SO_MARK, &fwmark.intValue, sizeof(fwmark.intValue)));
366 const int ret = connect(s, (struct sockaddr*)&sin6, sizeof(sin6));
367 const int err = errno;
368 EXPECT_EQ(-1, ret);
369 EXPECT_EQ(ENETUNREACH, err);
370 close(s);
371 return true;
372 }
373
TEST_F(NetdBinderTest,InitialNetworksExist)374 TEST_F(NetdBinderTest, InitialNetworksExist) {
375 EXPECT_TRUE(testNetworkExistsButCannotConnect(mNetd, sTun, INetd::DUMMY_NET_ID));
376 EXPECT_TRUE(testNetworkExistsButCannotConnect(mNetd, sTun, INetd::LOCAL_NET_ID));
377 EXPECT_TRUE(testNetworkExistsButCannotConnect(mNetd, sTun, INetd::UNREACHABLE_NET_ID));
378 EXPECT_FALSE(testNetworkExistsButCannotConnect(mNetd, sTun, 77 /* not exist */));
379 }
380
TEST_F(NetdBinderTest,IpSecTunnelInterface)381 TEST_F(NetdBinderTest, IpSecTunnelInterface) {
382 const struct TestData {
383 const std::string family;
384 const std::string deviceName;
385 const std::string localAddress;
386 const std::string remoteAddress;
387 int32_t iKey;
388 int32_t oKey;
389 int32_t ifId;
390 } kTestData[] = {
391 {"IPV4", "ipsec_test", "127.0.0.1", "8.8.8.8", 0x1234 + 53, 0x1234 + 53, 0xFFFE},
392 {"IPV6", "ipsec_test6", "::1", "2001:4860:4860::8888", 0x1234 + 50, 0x1234 + 50,
393 0xFFFE},
394 };
395
396 for (size_t i = 0; i < std::size(kTestData); i++) {
397 const auto& td = kTestData[i];
398
399 binder::Status status;
400
401 // Create Tunnel Interface.
402 status = mNetd->ipSecAddTunnelInterface(td.deviceName, td.localAddress, td.remoteAddress,
403 td.iKey, td.oKey, td.ifId);
404 EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
405
406 // Check that the interface exists
407 EXPECT_NE(0U, if_nametoindex(td.deviceName.c_str()));
408
409 // Update Tunnel Interface.
410 status = mNetd->ipSecUpdateTunnelInterface(td.deviceName, td.localAddress, td.remoteAddress,
411 td.iKey, td.oKey, td.ifId);
412 EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
413
414 // Remove Tunnel Interface.
415 status = mNetd->ipSecRemoveTunnelInterface(td.deviceName);
416 EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
417
418 // Check that the interface no longer exists
419 EXPECT_EQ(0U, if_nametoindex(td.deviceName.c_str()));
420 }
421 }
422
TEST_F(NetdBinderTest,IpSecSetEncapSocketOwner)423 TEST_F(NetdBinderTest, IpSecSetEncapSocketOwner) {
424 unique_fd uniqueFd(socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0));
425 android::os::ParcelFileDescriptor sockFd(std::move(uniqueFd));
426
427 int sockOptVal = UDP_ENCAP_ESPINUDP;
428 setsockopt(sockFd.get(), IPPROTO_UDP, UDP_ENCAP, &sockOptVal, sizeof(sockOptVal));
429
430 binder::Status res = mNetd->ipSecSetEncapSocketOwner(sockFd, 1001);
431 EXPECT_TRUE(res.isOk());
432
433 struct stat info;
434 EXPECT_EQ(0, fstat(sockFd.get(), &info));
435 EXPECT_EQ(1001, (int) info.st_uid);
436 }
437
438 // IPsec tests are not run in 32 bit mode; both 32-bit kernels and
439 // mismatched ABIs (64-bit kernel with 32-bit userspace) are unsupported.
440 #if INTPTR_MAX != INT32_MAX
441
442 using android::net::XfrmController;
443
444 static const int XFRM_DIRECTIONS[] = {static_cast<int>(android::net::XfrmDirection::IN),
445 static_cast<int>(android::net::XfrmDirection::OUT)};
446 static const int ADDRESS_FAMILIES[] = {AF_INET, AF_INET6};
447
448 #define RETURN_FALSE_IF_NEQ(_expect_, _ret_) \
449 do { if ((_expect_) != (_ret_)) return false; } while(false)
allocateIpSecResources(bool expectOk,int32_t * spi)450 bool NetdBinderTest::allocateIpSecResources(bool expectOk, int32_t* spi) {
451 android::netdutils::Status status = XfrmController::ipSecAllocateSpi(0, "::", "::1", 123, spi);
452 SCOPED_TRACE(status);
453 RETURN_FALSE_IF_NEQ(status.ok(), expectOk);
454
455 // Add a policy
456 status = XfrmController::ipSecAddSecurityPolicy(0, AF_INET6, 0, "::", "::1", 123, 0, 0, 0);
457 SCOPED_TRACE(status);
458 RETURN_FALSE_IF_NEQ(status.ok(), expectOk);
459
460 // Add an ipsec interface
461 return expectOk == XfrmController::ipSecAddTunnelInterface("ipsec_test", "::", "::1", 0xF00D,
462 0xD00D, 0xE00D, false)
463 .ok();
464 }
465
TEST_F(NetdBinderTest,XfrmDualSelectorTunnelModePoliciesV4)466 TEST_F(NetdBinderTest, XfrmDualSelectorTunnelModePoliciesV4) {
467 android::binder::Status status;
468
469 // Repeat to ensure cleanup and recreation works correctly
470 for (int i = 0; i < 2; i++) {
471 for (int direction : XFRM_DIRECTIONS) {
472 for (int addrFamily : ADDRESS_FAMILIES) {
473 status = mNetd->ipSecAddSecurityPolicy(0, addrFamily, direction, "127.0.0.5",
474 "127.0.0.6", 123, 0, 0, 0);
475 EXPECT_TRUE(status.isOk())
476 << " family: " << addrFamily << " direction: " << direction;
477 }
478 }
479
480 // Cleanup
481 for (int direction : XFRM_DIRECTIONS) {
482 for (int addrFamily : ADDRESS_FAMILIES) {
483 status = mNetd->ipSecDeleteSecurityPolicy(0, addrFamily, direction, 0, 0, 0);
484 EXPECT_TRUE(status.isOk());
485 }
486 }
487 }
488 }
489
TEST_F(NetdBinderTest,XfrmDualSelectorTunnelModePoliciesV6)490 TEST_F(NetdBinderTest, XfrmDualSelectorTunnelModePoliciesV6) {
491 binder::Status status;
492
493 // Repeat to ensure cleanup and recreation works correctly
494 for (int i = 0; i < 2; i++) {
495 for (int direction : XFRM_DIRECTIONS) {
496 for (int addrFamily : ADDRESS_FAMILIES) {
497 status = mNetd->ipSecAddSecurityPolicy(0, addrFamily, direction, "2001:db8::f00d",
498 "2001:db8::d00d", 123, 0, 0, 0);
499 EXPECT_TRUE(status.isOk())
500 << " family: " << addrFamily << " direction: " << direction;
501 }
502 }
503
504 // Cleanup
505 for (int direction : XFRM_DIRECTIONS) {
506 for (int addrFamily : ADDRESS_FAMILIES) {
507 status = mNetd->ipSecDeleteSecurityPolicy(0, addrFamily, direction, 0, 0, 0);
508 EXPECT_TRUE(status.isOk());
509 }
510 }
511 }
512 }
513
TEST_F(NetdBinderTest,XfrmControllerInit)514 TEST_F(NetdBinderTest, XfrmControllerInit) {
515 android::netdutils::Status status;
516 status = XfrmController::Init();
517 SCOPED_TRACE(status);
518
519 // Older devices or devices with mismatched Kernel/User ABI cannot support the IPsec
520 // feature.
521 if (status.code() == EOPNOTSUPP) return;
522
523 ASSERT_TRUE(status.ok());
524
525 int32_t spi = 0;
526
527 ASSERT_TRUE(allocateIpSecResources(true, &spi));
528 ASSERT_TRUE(allocateIpSecResources(false, &spi));
529
530 status = XfrmController::Init();
531 ASSERT_TRUE(status.ok());
532 ASSERT_TRUE(allocateIpSecResources(true, &spi));
533
534 // Clean up
535 status = XfrmController::ipSecDeleteSecurityAssociation(0, "::", "::1", 123, spi, 0, 0);
536 SCOPED_TRACE(status);
537 ASSERT_TRUE(status.ok());
538
539 status = XfrmController::ipSecDeleteSecurityPolicy(0, AF_INET6, 0, 0, 0, 0);
540 SCOPED_TRACE(status);
541 ASSERT_TRUE(status.ok());
542
543 // Remove Virtual Tunnel Interface.
544 ASSERT_TRUE(XfrmController::ipSecRemoveTunnelInterface("ipsec_test").ok());
545 }
546
547 // Two kernel fixes have been added in 5.17 to allow XFRM_MIGRATE to work correctly
548 // when (1) there are multiple tunnels with the same selectors; and (2) addresses
549 // are updated to a different IP family. These two fixes were pulled into upstream
550 // LTS releases 4.14.273, 4.19.236, 5.4.186, 5.10.107 and 5.15.30, from whence they
551 // flowed into the Android Common Kernel (via standard LTS merges).
552 // As such we require 4.14.273+, 4.19.236+, 5.4.186+, 5.10.107+, 5.15.30+ and 5.17+
553 // to have these fixes.
hasXfrmMigrateKernelFixes()554 bool hasXfrmMigrateKernelFixes() {
555 return (isAtLeastKernelVersion(4, 14, 273) && !isAtLeastKernelVersion(4, 19, 0)) ||
556 (isAtLeastKernelVersion(4, 19, 236) && !isAtLeastKernelVersion(5, 4, 0)) ||
557 (isAtLeastKernelVersion(5, 4, 186) && !isAtLeastKernelVersion(5, 10, 0)) ||
558 (isAtLeastKernelVersion(5, 10, 107) && !isAtLeastKernelVersion(5, 15, 0)) ||
559 isAtLeastKernelVersion(5, 15, 30);
560 }
561
562 // Does the kernel support CONFIG_XFRM_MIGRATE and include the kernel fixes?
supportsXfrmMigrate()563 bool supportsXfrmMigrate() {
564 if (!hasXfrmMigrateKernelFixes()) return false;
565
566 // 5.10+ VINTF requires CONFIG_XFRM_MIGRATE enabled
567 if (isAtLeastKernelVersion(5, 10, 0)) return true;
568
569 const std::string wildcardAddr = "::";
570
571 // Expect migration to fail with EINVAL because it is trying to migrate a
572 // non-existent SA.
573 auto status = XfrmController::ipSecMigrate(
574 0 /* resourceId */, AF_INET6, 0 /* direction == out */,
575 wildcardAddr /* sourceAddress */, wildcardAddr /* destinationAddress */,
576 wildcardAddr /* newSourceAddress */, wildcardAddr /* newDestinationAddress */,
577 0 /* xfrmInterfaceId */);
578
579 if (android::netdutils::equalToErrno(status, EINVAL)) {
580 return true;
581 } else if (android::netdutils::equalToErrno(status, ENOPROTOOPT)) {
582 return false;
583 } else {
584 GTEST_LOG_(WARNING) << "Unexpected migration result: "
585 << android::netdutils::toString(status)
586 << "Assuming XFRM_MIGRATE is enabled.";
587 return true;
588 }
589 }
590
591 #define SKIP_IF_XFRM_MIGRATE_NOT_SUPPORTED \
592 do { \
593 if (!supportsXfrmMigrate()) \
594 GTEST_SKIP() << "This test is skipped since xfrm migrate feature " \
595 << "not supported\n"; \
596 } while (0)
597
TEST_F(NetdBinderTest,XfrmMigrate)598 TEST_F(NetdBinderTest, XfrmMigrate) {
599 SKIP_IF_XFRM_MIGRATE_NOT_SUPPORTED;
600
601 static const struct TestData {
602 const int32_t addrFamily;
603 const int32_t newAddrFamily;
604 const std::string srcAddr;
605 const std::string dstAddr;
606 const std::string newSrcAddr;
607 const std::string newDstAddr;
608 } kTestData[] = {
609 {AF_INET, AF_INET, "192.0.2.1", "192.0.2.2", "192.0.2.101", "192.0.2.102"},
610 {AF_INET, AF_INET6, "192.0.2.1", "192.0.2.2", "2001:db8::101", "2001:db8::102"},
611 {AF_INET6, AF_INET6, "2001:db8::1", "2001:db8::2", "2001:db8::101", "2001:db8::102"},
612 {AF_INET6, AF_INET, "2001:db8::1", "2001:db8::2", "192.0.2.101", "192.0.2.102"},
613 };
614
615 const int32_t xfrmInterfaceId = 0xFFFE;
616 const std::string tunnelDeviceName = "ipsec_test";
617
618 auto status = mNetd->ipSecAddTunnelInterface(tunnelDeviceName, "2001:db8::fe", "2001:db8::ff",
619 0x1234 + 50 /* iKey */, 0x1234 + 50 /* oKey */,
620 xfrmInterfaceId);
621
622 SCOPED_TRACE(status);
623 ASSERT_TRUE(status.isOk());
624
625 for (auto& td : kTestData) {
626 const int32_t direction = static_cast<int>(android::net::XfrmDirection::OUT);
627 const int32_t resourceId = 0;
628 const int32_t spiReq = 123;
629 int32_t spi = 0;
630
631 status = mNetd->ipSecAllocateSpi(resourceId, td.srcAddr, td.dstAddr, spiReq, &spi);
632 SCOPED_TRACE(status);
633 ASSERT_TRUE(status.isOk());
634
635 status = mNetd->ipSecAddSecurityAssociation(
636 resourceId, static_cast<int32_t>(android::net::XfrmMode::TUNNEL), td.srcAddr,
637 td.dstAddr, 100 /* underlyingNetid */, spiReq, 0 /* markValue */, 0 /* markMask */,
638 "digest_null" /* authAlgo */, {} /* authKey */, 0 /* authTruncBits */,
639 "ecb(cipher_null)" /* cryptAlgo */, {} /* cryptKey */, 0 /* cryptTruncBits */,
640 "" /* aeadAlgo */, {} /* aeadKey */, 0 /* aeadIcvBits */,
641 0 /* encapType == ENCAP_NONE */, 0 /* encapLocalPort */, 0 /* encapRemotePort */,
642 xfrmInterfaceId);
643 SCOPED_TRACE(status);
644 ASSERT_TRUE(status.isOk());
645
646 for (int addrFamily : ADDRESS_FAMILIES) {
647 // Add a policy
648 status = mNetd->ipSecAddSecurityPolicy(resourceId, addrFamily, direction, td.srcAddr,
649 td.dstAddr, spiReq, 0 /* markValue */,
650 0 /* markMask */, xfrmInterfaceId);
651 SCOPED_TRACE(status);
652 ASSERT_TRUE(status.isOk());
653
654 // Migrate tunnel mode SA
655 android::net::IpSecMigrateInfoParcel parcel;
656 parcel.requestId = resourceId;
657 parcel.selAddrFamily = addrFamily;
658 parcel.direction = direction;
659 parcel.oldSourceAddress = td.srcAddr;
660 parcel.oldDestinationAddress = td.dstAddr;
661 parcel.newSourceAddress = td.newSrcAddr;
662 parcel.newDestinationAddress = td.newDstAddr;
663 parcel.interfaceId = xfrmInterfaceId;
664
665 status = mNetd->ipSecMigrate(parcel);
666 SCOPED_TRACE(status);
667 ASSERT_TRUE(status.isOk());
668 }
669
670 // Clean up
671 status = mNetd->ipSecDeleteSecurityAssociation(resourceId, td.newSrcAddr, td.newDstAddr,
672 spiReq, 0 /* markValue */, 0 /* markMask */,
673 xfrmInterfaceId);
674 SCOPED_TRACE(status);
675 ASSERT_TRUE(status.isOk());
676
677 for (int addrFamily : ADDRESS_FAMILIES) {
678 status = mNetd->ipSecDeleteSecurityPolicy(resourceId, addrFamily, direction,
679 0 /* markValue */, 0 /* markMask */,
680 xfrmInterfaceId);
681 SCOPED_TRACE(status);
682 ASSERT_TRUE(status.isOk());
683 }
684 }
685
686 // Remove Tunnel Interface.
687 status = mNetd->ipSecRemoveTunnelInterface(tunnelDeviceName);
688 SCOPED_TRACE(status);
689 EXPECT_TRUE(status.isOk());
690 }
691 #endif // INTPTR_MAX != INT32_MAX
692
bandwidthDataSaverEnabled(const char * binary)693 static int bandwidthDataSaverEnabled(const char *binary) {
694 std::vector<std::string> lines = listIptablesRule(binary, "bw_data_saver");
695
696 // Output looks like this:
697 //
698 // Chain bw_data_saver (1 references)
699 // target prot opt source destination
700 // RETURN all -- 0.0.0.0/0 0.0.0.0/0
701 //
702 // or:
703 //
704 // Chain bw_data_saver (1 references)
705 // target prot opt source destination
706 // ... possibly connectivity critical packet rules here ...
707 // REJECT all -- ::/0 ::/0
708
709 EXPECT_GE(lines.size(), 3U);
710
711 if (lines.size() == 3 && StartsWith(lines[2], "RETURN ")) {
712 // Data saver disabled.
713 return 0;
714 }
715
716 size_t minSize = (std::string(binary) == IPTABLES_PATH) ? 3 : 9;
717
718 if (lines.size() >= minSize && StartsWith(lines[lines.size() -1], "REJECT ")) {
719 // Data saver enabled.
720 return 1;
721 }
722
723 return -1;
724 }
725
enableDataSaver(sp<INetd> & netd,bool enable)726 bool enableDataSaver(sp<INetd>& netd, bool enable) {
727 TimedOperation op(enable ? " Enabling data saver" : "Disabling data saver");
728 bool ret;
729 netd->bandwidthEnableDataSaver(enable, &ret);
730 return ret;
731 }
732
getDataSaverState()733 int getDataSaverState() {
734 const int enabled4 = bandwidthDataSaverEnabled(IPTABLES_PATH);
735 const int enabled6 = bandwidthDataSaverEnabled(IP6TABLES_PATH);
736 EXPECT_EQ(enabled4, enabled6);
737 EXPECT_NE(-1, enabled4);
738 EXPECT_NE(-1, enabled6);
739 if (enabled4 != enabled6 || (enabled6 != 0 && enabled6 != 1)) {
740 return -1;
741 }
742 return enabled6;
743 }
744
TEST_F(NetdBinderTest,BandwidthEnableDataSaver)745 TEST_F(NetdBinderTest, BandwidthEnableDataSaver) {
746 const int wasEnabled = getDataSaverState();
747 ASSERT_NE(-1, wasEnabled);
748
749 if (wasEnabled) {
750 ASSERT_TRUE(enableDataSaver(mNetd, false));
751 EXPECT_EQ(0, getDataSaverState());
752 }
753
754 ASSERT_TRUE(enableDataSaver(mNetd, false));
755 EXPECT_EQ(0, getDataSaverState());
756
757 ASSERT_TRUE(enableDataSaver(mNetd, true));
758 EXPECT_EQ(1, getDataSaverState());
759
760 ASSERT_TRUE(enableDataSaver(mNetd, true));
761 EXPECT_EQ(1, getDataSaverState());
762
763 if (!wasEnabled) {
764 ASSERT_TRUE(enableDataSaver(mNetd, false));
765 EXPECT_EQ(0, getDataSaverState());
766 }
767 }
768
ipRuleExists(const char * ipVersion,const std::string & ipRule)769 static bool ipRuleExists(const char* ipVersion, const std::string& ipRule) {
770 std::vector<std::string> rules = listIpRules(ipVersion);
771 return std::find(rules.begin(), rules.end(), ipRule) != rules.end();
772 }
773
ipRuleExistsForRange(const uint32_t priority,const UidRangeParcel & range,const std::string & action,const char * ipVersion,const char * oif)774 static bool ipRuleExistsForRange(const uint32_t priority, const UidRangeParcel& range,
775 const std::string& action, const char* ipVersion,
776 const char* oif) {
777 // Output looks like this:
778 // "<priority>:\tfrom all iif lo oif netdc0ca6 uidrange 500000-500000 lookup netdc0ca6"
779 // "<priority>:\tfrom all fwmark 0x0/0x20000 iif lo uidrange 1000-2000 prohibit"
780 std::vector<std::string> rules = listIpRules(ipVersion);
781
782 std::string prefix = StringPrintf("%" PRIu32 ":", priority);
783 std::string suffix;
784 if (oif) {
785 suffix = StringPrintf(" iif lo oif %s uidrange %d-%d %s", oif, range.start, range.stop,
786 action.c_str());
787 } else {
788 suffix = StringPrintf(" iif lo uidrange %d-%d %s", range.start, range.stop, action.c_str());
789 }
790 for (const auto& line : rules) {
791 if (android::base::StartsWith(line, prefix) && android::base::EndsWith(line, suffix)) {
792 return true;
793 }
794 }
795 return false;
796 }
797
798 // Overloads function with oif parameter for VPN rules compare.
ipRuleExistsForRange(const uint32_t priority,const UidRangeParcel & range,const std::string & action,const char * oif)799 static bool ipRuleExistsForRange(const uint32_t priority, const UidRangeParcel& range,
800 const std::string& action, const char* oif) {
801 bool existsIp4 = ipRuleExistsForRange(priority, range, action, IP_RULE_V4, oif);
802 bool existsIp6 = ipRuleExistsForRange(priority, range, action, IP_RULE_V6, oif);
803 EXPECT_EQ(existsIp4, existsIp6);
804 return existsIp4;
805 }
806
ipRuleExistsForRange(const uint32_t priority,const UidRangeParcel & range,const std::string & action)807 static bool ipRuleExistsForRange(const uint32_t priority, const UidRangeParcel& range,
808 const std::string& action) {
809 return ipRuleExistsForRange(priority, range, action, nullptr);
810 }
811
expectRuleForV4AndV6(ExistMode mode,const std::string & rule)812 static void expectRuleForV4AndV6(ExistMode mode, const std::string& rule) {
813 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
814 if (mode == ALL_EXIST) {
815 EXPECT_TRUE(ipRuleExists(ipVersion, rule));
816 } else {
817 EXPECT_FALSE(ipRuleExists(ipVersion, rule));
818 }
819 }
820 }
821
expectLocalIpRuleExists(ExistMode mode,const std::string & ifName)822 static void expectLocalIpRuleExists(ExistMode mode, const std::string& ifName) {
823 std::string localIpRule = StringPrintf("%u:\tfrom all fwmark 0x0/0x10000 lookup %s",
824 RULE_PRIORITY_LOCAL_NETWORK, ifName.c_str());
825 expectRuleForV4AndV6(mode, localIpRule);
826
827 std::string dnsMasqRule = StringPrintf("%u:\tfrom all fwmark 0x10063/0x1ffff iif lo lookup %s",
828 RULE_PRIORITY_EXPLICIT_NETWORK, ifName.c_str());
829 expectRuleForV4AndV6(mode, dnsMasqRule);
830 }
831
832 namespace {
833
makeUidRangeParcel(int start,int stop)834 UidRangeParcel makeUidRangeParcel(int start, int stop) {
835 UidRangeParcel res;
836 res.start = start;
837 res.stop = stop;
838
839 return res;
840 }
841
makeUidRangeParcel(int uid)842 UidRangeParcel makeUidRangeParcel(int uid) {
843 return makeUidRangeParcel(uid, uid);
844 }
845
makeNativeUidRangeConfig(unsigned netId,std::vector<UidRangeParcel> uidRanges,int32_t subPriority)846 NativeUidRangeConfig makeNativeUidRangeConfig(unsigned netId, std::vector<UidRangeParcel> uidRanges,
847 int32_t subPriority) {
848 NativeUidRangeConfig res;
849 res.netId = netId;
850 res.uidRanges = std::move(uidRanges);
851 res.subPriority = subPriority;
852
853 return res;
854 }
855
856 } // namespace
857
TEST_F(NetdBinderTest,NetworkInterfaces)858 TEST_F(NetdBinderTest, NetworkInterfaces) {
859 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
860 INetd::PERMISSION_NONE, false, false);
861 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
862 EXPECT_EQ(EEXIST, mNetd->networkCreate(config).serviceSpecificErrorCode());
863
864 config.networkType = NativeNetworkType::VIRTUAL;
865 config.secure = true;
866 EXPECT_EQ(EEXIST, mNetd->networkCreate(config).serviceSpecificErrorCode());
867
868 config.netId = TEST_NETID2;
869 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
870
871 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
872 EXPECT_EQ(EBUSY,
873 mNetd->networkAddInterface(TEST_NETID2, sTun.name()).serviceSpecificErrorCode());
874
875 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
876 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID2, sTun.name()).isOk());
877 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID2).isOk());
878 EXPECT_EQ(ENONET, mNetd->networkDestroy(TEST_NETID1).serviceSpecificErrorCode());
879 }
880
TEST_F(NetdBinderTest,NetworkUidRules)881 TEST_F(NetdBinderTest, NetworkUidRules) {
882 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::VIRTUAL,
883 INetd::PERMISSION_NONE, true, false);
884 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
885 EXPECT_EQ(EEXIST, mNetd->networkCreate(config).serviceSpecificErrorCode());
886 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
887
888 std::vector<UidRangeParcel> uidRanges = {makeUidRangeParcel(BASE_UID + 8005, BASE_UID + 8012),
889 makeUidRangeParcel(BASE_UID + 8090, BASE_UID + 8099)};
890 UidRangeParcel otherRange = makeUidRangeParcel(BASE_UID + 8190, BASE_UID + 8299);
891 std::string action = StringPrintf("lookup %s", sTun.name().c_str());
892
893 EXPECT_TRUE(mNetd->networkAddUidRanges(TEST_NETID1, uidRanges).isOk());
894
895 EXPECT_TRUE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, uidRanges[0], action));
896 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, otherRange, action));
897 EXPECT_TRUE(mNetd->networkRemoveUidRanges(TEST_NETID1, uidRanges).isOk());
898 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, uidRanges[0], action));
899
900 EXPECT_TRUE(mNetd->networkAddUidRanges(TEST_NETID1, uidRanges).isOk());
901 EXPECT_TRUE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, uidRanges[1], action));
902 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
903 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, uidRanges[1], action));
904
905 EXPECT_EQ(ENONET, mNetd->networkDestroy(TEST_NETID1).serviceSpecificErrorCode());
906 }
907
908 class LocalNetworkParameterizedTest : public NetdBinderTest,
909 public testing::WithParamInterface<bool> {};
910
911 // Exercise both local and non-local networks
912 INSTANTIATE_TEST_SUITE_P(LocalNetworkTests, LocalNetworkParameterizedTest, testing::Bool(),
__anon8d4ee1090402(const testing::TestParamInfo<bool>& info) 913 [](const testing::TestParamInfo<bool>& info) {
914 return info.param ? "Local" : "NonLocal";
915 });
916
TEST_P(LocalNetworkParameterizedTest,LocalNetworkUidRules)917 TEST_P(LocalNetworkParameterizedTest, LocalNetworkUidRules) {
918 const bool local = GetParam();
919 const auto type = local ? NativeNetworkType::PHYSICAL_LOCAL : NativeNetworkType::PHYSICAL;
920 auto config = makeNativeNetworkConfig(TEST_NETID1, type, INetd::PERMISSION_NONE,
921 false /* secure */, false /* excludeLocalRoutes */);
922 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
923 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
924
925 expectLocalIpRuleExists(local ? ALL_EXIST : NONE_EXIST, sTun.name());
926 }
927
TEST_F(NetdBinderTest,NetworkRejectNonSecureVpn)928 TEST_F(NetdBinderTest, NetworkRejectNonSecureVpn) {
929 std::vector<UidRangeParcel> uidRanges = {makeUidRangeParcel(BASE_UID + 150, BASE_UID + 224),
930 makeUidRangeParcel(BASE_UID + 226, BASE_UID + 300)};
931 // Make sure no rules existed before calling commands.
932 for (auto const& range : uidRanges) {
933 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_PROHIBIT_NON_VPN, range, "prohibit"));
934 }
935 // Create two valid rules.
936 ASSERT_TRUE(mNetd->networkRejectNonSecureVpn(true, uidRanges).isOk());
937 for (auto const& range : uidRanges) {
938 EXPECT_TRUE(ipRuleExistsForRange(RULE_PRIORITY_PROHIBIT_NON_VPN, range, "prohibit"));
939 }
940
941 // Remove the rules.
942 ASSERT_TRUE(mNetd->networkRejectNonSecureVpn(false, uidRanges).isOk());
943 for (auto const& range : uidRanges) {
944 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_PROHIBIT_NON_VPN, range, "prohibit"));
945 }
946
947 // Fail to remove the rules a second time after they are already deleted.
948 binder::Status status = mNetd->networkRejectNonSecureVpn(false, uidRanges);
949 ASSERT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
950 EXPECT_EQ(ENOENT, status.serviceSpecificErrorCode());
951 }
952
953 // Create a socket pair that isLoopbackSocket won't think is local.
fakeRemoteSocketPair(unique_fd * clientSocket,unique_fd * serverSocket,unique_fd * acceptedSocket)954 void NetdBinderTest::fakeRemoteSocketPair(unique_fd* clientSocket, unique_fd* serverSocket,
955 unique_fd* acceptedSocket) {
956 serverSocket->reset(socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0));
957 struct sockaddr_in6 server6 = { .sin6_family = AF_INET6, .sin6_addr = sTun.dstAddr() };
958 ASSERT_EQ(0, bind(*serverSocket, (struct sockaddr *) &server6, sizeof(server6)));
959
960 socklen_t addrlen = sizeof(server6);
961 ASSERT_EQ(0, getsockname(*serverSocket, (struct sockaddr *) &server6, &addrlen));
962 ASSERT_EQ(0, listen(*serverSocket, 10));
963
964 clientSocket->reset(socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0));
965 struct sockaddr_in6 client6 = { .sin6_family = AF_INET6, .sin6_addr = sTun.srcAddr() };
966 ASSERT_EQ(0, bind(*clientSocket, (struct sockaddr *) &client6, sizeof(client6)));
967 ASSERT_EQ(0, connect(*clientSocket, (struct sockaddr *) &server6, sizeof(server6)));
968 ASSERT_EQ(0, getsockname(*clientSocket, (struct sockaddr *) &client6, &addrlen));
969
970 acceptedSocket->reset(
971 accept4(*serverSocket, (struct sockaddr*)&server6, &addrlen, SOCK_CLOEXEC));
972 ASSERT_NE(-1, *acceptedSocket);
973
974 ASSERT_EQ(0, memcmp(&client6, &server6, sizeof(client6)));
975 }
976
checkSocketpairOpen(int clientSocket,int acceptedSocket)977 void checkSocketpairOpen(int clientSocket, int acceptedSocket) {
978 char buf[4096];
979 EXPECT_EQ(4, write(clientSocket, "foo", sizeof("foo")));
980 EXPECT_EQ(4, read(acceptedSocket, buf, sizeof(buf)));
981 EXPECT_EQ(0, memcmp(buf, "foo", sizeof("foo")));
982 }
983
checkSocketpairClosed(int clientSocket,int acceptedSocket)984 void checkSocketpairClosed(int clientSocket, int acceptedSocket) {
985 // Check that the client socket was closed with ECONNABORTED.
986 int ret = write(clientSocket, "foo", sizeof("foo"));
987 int err = errno;
988 EXPECT_EQ(-1, ret);
989 EXPECT_EQ(ECONNABORTED, err);
990
991 // Check that it sent a RST to the server.
992 ret = write(acceptedSocket, "foo", sizeof("foo"));
993 err = errno;
994 EXPECT_EQ(-1, ret);
995 EXPECT_EQ(ECONNRESET, err);
996 }
997
TEST_F(NetdBinderTest,SocketDestroy)998 TEST_F(NetdBinderTest, SocketDestroy) {
999 unique_fd clientSocket, serverSocket, acceptedSocket;
1000 ASSERT_NO_FATAL_FAILURE(fakeRemoteSocketPair(&clientSocket, &serverSocket, &acceptedSocket));
1001
1002 // Pick a random UID in the system UID range.
1003 constexpr int baseUid = AID_APP - 2000;
1004 static_assert(baseUid > 0, "Not enough UIDs? Please fix this test.");
1005 int uid = baseUid + 500 + arc4random_uniform(1000);
1006 EXPECT_EQ(0, fchown(clientSocket, uid, -1));
1007
1008 // UID ranges that don't contain uid.
1009 std::vector<UidRangeParcel> uidRanges = {
1010 makeUidRangeParcel(baseUid + 42, baseUid + 449),
1011 makeUidRangeParcel(baseUid + 1536, AID_APP - 4),
1012 makeUidRangeParcel(baseUid + 498, uid - 1),
1013 makeUidRangeParcel(uid + 1, baseUid + 1520),
1014 };
1015 // A skip list that doesn't contain UID.
1016 std::vector<int32_t> skipUids { baseUid + 123, baseUid + 1600 };
1017
1018 // Close sockets. Our test socket should be intact.
1019 EXPECT_TRUE(mNetd->socketDestroy(uidRanges, skipUids).isOk());
1020 checkSocketpairOpen(clientSocket, acceptedSocket);
1021
1022 // UID ranges that do contain uid.
1023 uidRanges = {
1024 makeUidRangeParcel(baseUid + 42, baseUid + 449),
1025 makeUidRangeParcel(baseUid + 1536, AID_APP - 4),
1026 makeUidRangeParcel(baseUid + 498, baseUid + 1520),
1027 };
1028 // Add uid to the skip list.
1029 skipUids.push_back(uid);
1030
1031 // Close sockets. Our test socket should still be intact because it's in the skip list.
1032 EXPECT_TRUE(mNetd->socketDestroy(uidRanges, skipUids).isOk());
1033 checkSocketpairOpen(clientSocket, acceptedSocket);
1034
1035 // Now remove uid from skipUids, and close sockets. Our test socket should have been closed.
1036 skipUids.resize(skipUids.size() - 1);
1037 EXPECT_TRUE(mNetd->socketDestroy(uidRanges, skipUids).isOk());
1038 checkSocketpairClosed(clientSocket, acceptedSocket);
1039 }
1040
TEST_F(NetdBinderTest,SocketDestroyLinkLocal)1041 TEST_F(NetdBinderTest, SocketDestroyLinkLocal) {
1042 // Add the same link-local address to two interfaces.
1043 const char* kLinkLocalAddress = "fe80::ace:d00d";
1044
1045 const struct addrinfo hints = {
1046 .ai_flags = AI_NUMERICHOST,
1047 .ai_family = AF_INET6,
1048 .ai_socktype = SOCK_STREAM,
1049 };
1050
1051 // The ~ in ~64 enables 'nodad' which makes these operations faster and reduces test flakiness.
1052 // Unfortunately even with 'nodad' these are still very slightly asynchronous.
1053 binder::Status status = mNetd->interfaceAddAddress(sTun.name(), kLinkLocalAddress, ~64);
1054 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1055 status = mNetd->interfaceAddAddress(sTun2.name(), kLinkLocalAddress, ~64);
1056 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1057
1058 // Add IPs to two more interfaces - purely to slow things down a little bit more.
1059 status = mNetd->interfaceAddAddress(sTun3.name(), kLinkLocalAddress, ~64);
1060 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1061 status = mNetd->interfaceAddAddress(sTun4.name(), kLinkLocalAddress, ~64);
1062 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1063
1064 // Bind a listening socket to the address on each of the interfaces.
1065 // The sockets must be open at the same time, because this test checks that SOCK_DESTROY only
1066 // destroys the sockets on the interface where the address is deleted.
1067 struct addrinfo* addrinfoList = nullptr;
1068 int ret = getaddrinfo(kLinkLocalAddress, nullptr, &hints, &addrinfoList);
1069 ScopedAddrinfo addrinfoCleanup(addrinfoList);
1070 ASSERT_EQ(0, ret) << "errno:" << errno;
1071
1072 socklen_t len = addrinfoList[0].ai_addrlen;
1073 sockaddr_in6 sin6_1 = *reinterpret_cast<sockaddr_in6*>(addrinfoList[0].ai_addr);
1074 sockaddr_in6 sin6_2 = sin6_1;
1075 sockaddr_in6 sin6_3 = sin6_1;
1076 sockaddr_in6 sin6_4 = sin6_1;
1077 sin6_1.sin6_scope_id = if_nametoindex(sTun.name().c_str());
1078 sin6_2.sin6_scope_id = if_nametoindex(sTun2.name().c_str());
1079 sin6_3.sin6_scope_id = if_nametoindex(sTun3.name().c_str());
1080 sin6_4.sin6_scope_id = if_nametoindex(sTun4.name().c_str());
1081
1082 int s1 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0);
1083 ASSERT_EQ(0, bind(s1, reinterpret_cast<sockaddr*>(&sin6_1), len)) << "errno:" << errno;
1084 ASSERT_EQ(0, getsockname(s1, reinterpret_cast<sockaddr*>(&sin6_1), &len)) << "errno:" << errno;
1085 // getsockname technically writes to len, but sizeof(sockaddr_in6) doesn't change.
1086
1087 int s2 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0);
1088 ASSERT_EQ(0, bind(s2, reinterpret_cast<sockaddr*>(&sin6_2), len)) << "errno:" << errno;
1089 ASSERT_EQ(0, getsockname(s2, reinterpret_cast<sockaddr*>(&sin6_2), &len)) << "errno:" << errno;
1090
1091 int s3 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0);
1092 ASSERT_EQ(0, bind(s3, reinterpret_cast<sockaddr*>(&sin6_3), len)) << "errno:" << errno;
1093 ASSERT_EQ(0, getsockname(s3, reinterpret_cast<sockaddr*>(&sin6_3), &len)) << "errno:" << errno;
1094
1095 int s4 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0);
1096 ASSERT_EQ(0, bind(s4, reinterpret_cast<sockaddr*>(&sin6_4), len)) << "errno:" << errno;
1097 ASSERT_EQ(0, getsockname(s4, reinterpret_cast<sockaddr*>(&sin6_4), &len)) << "errno:" << errno;
1098
1099 ASSERT_EQ(0, listen(s1, 10)) << "errno:" << errno;
1100 ASSERT_EQ(0, listen(s2, 10)) << "errno:" << errno;
1101 ASSERT_EQ(0, listen(s3, 10)) << "errno:" << errno;
1102 ASSERT_EQ(0, listen(s4, 10)) << "errno:" << errno;
1103
1104 // Connect one client socket to each and accept the connections.
1105 int c1 = socket(AF_INET6, SOCK_STREAM, 0);
1106 int c2 = socket(AF_INET6, SOCK_STREAM, 0);
1107
1108 // ~0.1% chance the kernel isn't quite done yet with adding the IPs.
1109 // In such a case these may fail with -1, errno = 101 (ENETUNREACH)
1110 ASSERT_EQ(0, connect(c1, reinterpret_cast<sockaddr*>(&sin6_1), len)) << "errno:" << errno;
1111 ASSERT_EQ(0, connect(c2, reinterpret_cast<sockaddr*>(&sin6_2), len)) << "errno:" << errno;
1112 int a1 = accept(s1, nullptr, 0);
1113 ASSERT_NE(-1, a1) << "errno:" << errno;
1114 int a2 = accept(s2, nullptr, 0);
1115 ASSERT_NE(-1, a2) << "errno:" << errno;
1116
1117 // Delete the address on sTun2.
1118 status = mNetd->interfaceDelAddress(sTun2.name(), kLinkLocalAddress, ~64);
1119 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1120
1121 // The client sockets on sTun2 are closed, but the ones on sTun1 remain open.
1122 char buf[1024];
1123 EXPECT_EQ(-1, read(c2, buf, sizeof(buf)));
1124 EXPECT_TRUE(errno == ECONNABORTED || errno == ECONNRESET) << "errno:" << errno;
1125 // The blocking read above ensures that SOCK_DESTROY has completed.
1126
1127 EXPECT_EQ(3, write(a1, "foo", 3)) << "errno:" << errno;
1128 EXPECT_EQ(3, read(c1, buf, sizeof(buf))) << "errno:" << errno;
1129 EXPECT_EQ(-1, write(a2, "foo", 3));
1130 EXPECT_TRUE(errno == ECONNABORTED || errno == ECONNRESET) << "errno:" << errno;
1131
1132 // Check the server sockets too.
1133 EXPECT_EQ(-1, accept(s1, nullptr, 0));
1134 EXPECT_EQ(EAGAIN, errno);
1135 EXPECT_EQ(-1, accept(s2, nullptr, 0));
1136 EXPECT_EQ(EINVAL, errno);
1137
1138 close(a1);
1139 close(a2);
1140
1141 close(c1);
1142 close(c2);
1143
1144 close(s1);
1145 close(s2);
1146 close(s3);
1147 close(s4);
1148 }
1149
1150 namespace {
1151
netmaskToPrefixLength(const uint8_t * buf,size_t buflen)1152 int netmaskToPrefixLength(const uint8_t *buf, size_t buflen) {
1153 if (buf == nullptr) return -1;
1154
1155 int prefixLength = 0;
1156 bool endOfContiguousBits = false;
1157 for (unsigned int i = 0; i < buflen; i++) {
1158 const uint8_t value = buf[i];
1159
1160 // Bad bit sequence: check for a contiguous set of bits from the high
1161 // end by verifying that the inverted value + 1 is a power of 2
1162 // (power of 2 iff. (v & (v - 1)) == 0).
1163 const uint8_t inverse = ~value + 1;
1164 if ((inverse & (inverse - 1)) != 0) return -1;
1165
1166 prefixLength += (value == 0) ? 0 : CHAR_BIT - ffs(value) + 1;
1167
1168 // Bogus netmask.
1169 if (endOfContiguousBits && value != 0) return -1;
1170
1171 if (value != 0xff) endOfContiguousBits = true;
1172 }
1173
1174 return prefixLength;
1175 }
1176
1177 template<typename T>
netmaskToPrefixLength(const T * p)1178 int netmaskToPrefixLength(const T *p) {
1179 return netmaskToPrefixLength(reinterpret_cast<const uint8_t*>(p), sizeof(T));
1180 }
1181
1182
interfaceHasAddress(const std::string & ifname,const char * addrString,int prefixLength)1183 static bool interfaceHasAddress(
1184 const std::string &ifname, const char *addrString, int prefixLength) {
1185 struct addrinfo *addrinfoList = nullptr;
1186
1187 const struct addrinfo hints = {
1188 .ai_flags = AI_NUMERICHOST,
1189 .ai_family = AF_UNSPEC,
1190 .ai_socktype = SOCK_DGRAM,
1191 };
1192 if (getaddrinfo(addrString, nullptr, &hints, &addrinfoList) != 0 ||
1193 addrinfoList == nullptr || addrinfoList->ai_addr == nullptr) {
1194 return false;
1195 }
1196 ScopedAddrinfo addrinfoCleanup(addrinfoList);
1197
1198 struct ifaddrs *ifaddrsList = nullptr;
1199 ScopedIfaddrs ifaddrsCleanup(ifaddrsList);
1200
1201 if (getifaddrs(&ifaddrsList) != 0) {
1202 return false;
1203 }
1204
1205 for (struct ifaddrs *addr = ifaddrsList; addr != nullptr; addr = addr->ifa_next) {
1206 if (std::string(addr->ifa_name) != ifname ||
1207 addr->ifa_addr == nullptr ||
1208 addr->ifa_addr->sa_family != addrinfoList->ai_addr->sa_family) {
1209 continue;
1210 }
1211
1212 switch (addr->ifa_addr->sa_family) {
1213 case AF_INET: {
1214 auto *addr4 = reinterpret_cast<const struct sockaddr_in*>(addr->ifa_addr);
1215 auto *want = reinterpret_cast<const struct sockaddr_in*>(addrinfoList->ai_addr);
1216 if (memcmp(&addr4->sin_addr, &want->sin_addr, sizeof(want->sin_addr)) != 0) {
1217 continue;
1218 }
1219
1220 if (prefixLength < 0) return true; // not checking prefix lengths
1221
1222 if (addr->ifa_netmask == nullptr) return false;
1223 auto *nm = reinterpret_cast<const struct sockaddr_in*>(addr->ifa_netmask);
1224 EXPECT_EQ(prefixLength, netmaskToPrefixLength(&nm->sin_addr));
1225 return (prefixLength == netmaskToPrefixLength(&nm->sin_addr));
1226 }
1227 case AF_INET6: {
1228 auto *addr6 = reinterpret_cast<const struct sockaddr_in6*>(addr->ifa_addr);
1229 auto *want = reinterpret_cast<const struct sockaddr_in6*>(addrinfoList->ai_addr);
1230 if (memcmp(&addr6->sin6_addr, &want->sin6_addr, sizeof(want->sin6_addr)) != 0) {
1231 continue;
1232 }
1233
1234 if (prefixLength < 0) return true; // not checking prefix lengths
1235
1236 if (addr->ifa_netmask == nullptr) return false;
1237 auto *nm = reinterpret_cast<const struct sockaddr_in6*>(addr->ifa_netmask);
1238 EXPECT_EQ(prefixLength, netmaskToPrefixLength(&nm->sin6_addr));
1239 return (prefixLength == netmaskToPrefixLength(&nm->sin6_addr));
1240 }
1241 default:
1242 // Cannot happen because we have already screened for matching
1243 // address families at the top of each iteration.
1244 continue;
1245 }
1246 }
1247
1248 return false;
1249 }
1250
1251 } // namespace
1252
TEST_F(NetdBinderTest,InterfaceAddRemoveAddress)1253 TEST_F(NetdBinderTest, InterfaceAddRemoveAddress) {
1254 static const struct TestData {
1255 const char *addrString;
1256 const int prefixLength;
1257 const int expectAddResult;
1258 const int expectRemoveResult;
1259 } kTestData[] = {
1260 {"192.0.2.1", 24, 0, 0},
1261 {"192.0.2.2", 25, 0, 0},
1262 {"192.0.2.3", 32, 0, 0},
1263 {"192.0.2.4", 33, EINVAL, EADDRNOTAVAIL},
1264 {"192.not.an.ip", 24, EINVAL, EINVAL},
1265 {"2001:db8::1", 64, 0, 0},
1266 {"2001:db8::2", 65, 0, 0},
1267 {"2001:db8::3", 128, 0, 0},
1268 {"fe80::1234", 64, 0, 0},
1269 {"2001:db8::4", 129, EINVAL, EINVAL},
1270 {"foo:bar::bad", 64, EINVAL, EINVAL},
1271 {"2001:db8::1/64", 64, EINVAL, EINVAL},
1272 };
1273
1274 for (size_t i = 0; i < std::size(kTestData); i++) {
1275 const auto &td = kTestData[i];
1276
1277 SCOPED_TRACE(String8::format("Offending IP address %s/%d", td.addrString, td.prefixLength));
1278
1279 // [1.a] Add the address.
1280 binder::Status status = mNetd->interfaceAddAddress(
1281 sTun.name(), td.addrString, td.prefixLength);
1282 if (td.expectAddResult == 0) {
1283 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1284 } else {
1285 ASSERT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1286 ASSERT_EQ(td.expectAddResult, status.serviceSpecificErrorCode());
1287 }
1288
1289 // [1.b] Verify the addition meets the expectation.
1290 if (td.expectAddResult == 0) {
1291 EXPECT_TRUE(interfaceHasAddress(sTun.name(), td.addrString, td.prefixLength));
1292 } else {
1293 EXPECT_FALSE(interfaceHasAddress(sTun.name(), td.addrString, -1));
1294 }
1295
1296 // [2.a] Try to remove the address. If it was not previously added, removing it fails.
1297 status = mNetd->interfaceDelAddress(sTun.name(), td.addrString, td.prefixLength);
1298 if (td.expectRemoveResult == 0) {
1299 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1300 } else {
1301 ASSERT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1302 ASSERT_EQ(td.expectRemoveResult, status.serviceSpecificErrorCode());
1303 }
1304
1305 // [2.b] No matter what, the address should not be present.
1306 EXPECT_FALSE(interfaceHasAddress(sTun.name(), td.addrString, -1));
1307 }
1308
1309 // Check that netlink errors are returned correctly.
1310 // We do this by attempting to create an IPv6 address on an interface that has IPv6 disabled,
1311 // which returns EACCES.
1312 TunInterface tun;
1313 ASSERT_EQ(0, tun.init());
1314 binder::Status status =
1315 mNetd->setProcSysNet(INetd::IPV6, INetd::CONF, tun.name(), "disable_ipv6", "1");
1316 ASSERT_TRUE(status.isOk()) << status.exceptionMessage();
1317 status = mNetd->interfaceAddAddress(tun.name(), "2001:db8::1", 64);
1318 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1319 EXPECT_EQ(EACCES, status.serviceSpecificErrorCode());
1320 tun.destroy();
1321 }
1322
TEST_F(NetdBinderTest,GetProcSysNet)1323 TEST_F(NetdBinderTest, GetProcSysNet) {
1324 const char* LOOPBACK = "lo";
1325 static const struct {
1326 const int ipversion;
1327 const int which;
1328 const char* ifname;
1329 const char* parameter;
1330 const char* expectedValue;
1331 const int expectedReturnCode;
1332 } kTestData[] = {
1333 {INetd::IPV4, INetd::CONF, LOOPBACK, "arp_ignore", "0", 0},
1334 {-1, INetd::CONF, sTun.name().c_str(), "arp_ignore", nullptr, EAFNOSUPPORT},
1335 {INetd::IPV4, -1, sTun.name().c_str(), "arp_ignore", nullptr, EINVAL},
1336 {INetd::IPV4, INetd::CONF, "..", "conf/lo/arp_ignore", nullptr, EINVAL},
1337 {INetd::IPV4, INetd::CONF, ".", "lo/arp_ignore", nullptr, EINVAL},
1338 {INetd::IPV4, INetd::CONF, sTun.name().c_str(), "../all/arp_ignore", nullptr, EINVAL},
1339 {INetd::IPV6, INetd::NEIGH, LOOPBACK, "ucast_solicit", "3", 0},
1340 };
1341
1342 for (size_t i = 0; i < std::size(kTestData); i++) {
1343 const auto& td = kTestData[i];
1344
1345 std::string value;
1346 const binder::Status status =
1347 mNetd->getProcSysNet(td.ipversion, td.which, td.ifname, td.parameter, &value);
1348
1349 if (td.expectedReturnCode == 0) {
1350 SCOPED_TRACE(String8::format("test case %zu should have passed", i));
1351 EXPECT_EQ(0, status.exceptionCode());
1352 EXPECT_EQ(0, status.serviceSpecificErrorCode());
1353 EXPECT_EQ(td.expectedValue, value);
1354 } else {
1355 SCOPED_TRACE(String8::format("test case %zu should have failed", i));
1356 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1357 EXPECT_EQ(td.expectedReturnCode, status.serviceSpecificErrorCode());
1358 }
1359 }
1360 }
1361
TEST_F(NetdBinderTest,SetProcSysNet)1362 TEST_F(NetdBinderTest, SetProcSysNet) {
1363 static const struct {
1364 const int ipversion;
1365 const int which;
1366 const char* ifname;
1367 const char* parameter;
1368 const char* value;
1369 const int expectedReturnCode;
1370 } kTestData[] = {
1371 {INetd::IPV4, INetd::CONF, sTun.name().c_str(), "arp_ignore", "1", 0},
1372 {-1, INetd::CONF, sTun.name().c_str(), "arp_ignore", "1", EAFNOSUPPORT},
1373 {INetd::IPV4, -1, sTun.name().c_str(), "arp_ignore", "1", EINVAL},
1374 {INetd::IPV4, INetd::CONF, "..", "conf/lo/arp_ignore", "1", EINVAL},
1375 {INetd::IPV4, INetd::CONF, ".", "lo/arp_ignore", "1", EINVAL},
1376 {INetd::IPV4, INetd::CONF, sTun.name().c_str(), "../all/arp_ignore", "1", EINVAL},
1377 {INetd::IPV6, INetd::NEIGH, sTun.name().c_str(), "ucast_solicit", "7", 0},
1378 };
1379
1380 for (size_t i = 0; i < std::size(kTestData); i++) {
1381 const auto& td = kTestData[i];
1382 const binder::Status status =
1383 mNetd->setProcSysNet(td.ipversion, td.which, td.ifname, td.parameter, td.value);
1384
1385 if (td.expectedReturnCode == 0) {
1386 SCOPED_TRACE(String8::format("test case %zu should have passed", i));
1387 EXPECT_EQ(0, status.exceptionCode());
1388 EXPECT_EQ(0, status.serviceSpecificErrorCode());
1389 } else {
1390 SCOPED_TRACE(String8::format("test case %zu should have failed", i));
1391 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1392 EXPECT_EQ(td.expectedReturnCode, status.serviceSpecificErrorCode());
1393 }
1394 }
1395 }
1396
TEST_F(NetdBinderTest,GetSetProcSysNet)1397 TEST_F(NetdBinderTest, GetSetProcSysNet) {
1398 const int ipversion = INetd::IPV6;
1399 const int category = INetd::NEIGH;
1400 const std::string& tun = sTun.name();
1401 const std::string parameter("ucast_solicit");
1402
1403 std::string value{};
1404 EXPECT_TRUE(mNetd->getProcSysNet(ipversion, category, tun, parameter, &value).isOk());
1405 ASSERT_FALSE(value.empty());
1406 const int ival = std::stoi(value);
1407 EXPECT_GT(ival, 0);
1408 // Try doubling the parameter value (always best!).
1409 EXPECT_TRUE(mNetd->setProcSysNet(ipversion, category, tun, parameter, std::to_string(2 * ival))
1410 .isOk());
1411 EXPECT_TRUE(mNetd->getProcSysNet(ipversion, category, tun, parameter, &value).isOk());
1412 EXPECT_EQ(2 * ival, std::stoi(value));
1413 // Try resetting the parameter.
1414 EXPECT_TRUE(mNetd->setProcSysNet(ipversion, category, tun, parameter, std::to_string(ival))
1415 .isOk());
1416 EXPECT_TRUE(mNetd->getProcSysNet(ipversion, category, tun, parameter, &value).isOk());
1417 EXPECT_EQ(ival, std::stoi(value));
1418 }
1419
1420 namespace {
1421
expectNoTestCounterRules()1422 void expectNoTestCounterRules() {
1423 for (const auto& binary : { IPTABLES_PATH, IP6TABLES_PATH }) {
1424 std::string command = StringPrintf("%s -w -nvL tetherctrl_counters", binary);
1425 std::string allRules = Join(runCommand(command), "\n");
1426 EXPECT_EQ(std::string::npos, allRules.find("netdtest_"));
1427 }
1428 }
1429
addTetherCounterValues(const char * path,const std::string & if1,const std::string & if2,int byte,int pkt)1430 void addTetherCounterValues(const char* path, const std::string& if1, const std::string& if2,
1431 int byte, int pkt) {
1432 runCommand(StringPrintf("%s -w -A tetherctrl_counters -i %s -o %s -j RETURN -c %d %d",
1433 path, if1.c_str(), if2.c_str(), pkt, byte));
1434 }
1435
delTetherCounterValues(const char * path,const std::string & if1,const std::string & if2)1436 void delTetherCounterValues(const char* path, const std::string& if1, const std::string& if2) {
1437 runCommand(StringPrintf("%s -w -D tetherctrl_counters -i %s -o %s -j RETURN",
1438 path, if1.c_str(), if2.c_str()));
1439 runCommand(StringPrintf("%s -w -D tetherctrl_counters -i %s -o %s -j RETURN",
1440 path, if2.c_str(), if1.c_str()));
1441 }
1442
getStatsVectorByIf(const std::vector<TetherStatsParcel> & statsVec,const std::string & iface)1443 std::vector<int64_t> getStatsVectorByIf(const std::vector<TetherStatsParcel>& statsVec,
1444 const std::string& iface) {
1445 for (auto& stats : statsVec) {
1446 if (stats.iface == iface) {
1447 return {stats.rxBytes, stats.rxPackets, stats.txBytes, stats.txPackets};
1448 }
1449 }
1450 return {};
1451 }
1452
1453 } // namespace
1454
TEST_F(NetdBinderTest,TetherGetStats)1455 TEST_F(NetdBinderTest, TetherGetStats) {
1456 expectNoTestCounterRules();
1457
1458 // TODO: fold this into more comprehensive tests once we have binder RPCs for enabling and
1459 // disabling tethering. We don't check the return value because these commands will fail if
1460 // tethering is already enabled.
1461 runCommand(StringPrintf("%s -w -N tetherctrl_counters", IPTABLES_PATH));
1462 runCommand(StringPrintf("%s -w -N tetherctrl_counters", IP6TABLES_PATH));
1463
1464 std::string intIface1 = StringPrintf("netdtest_%u", arc4random_uniform(10000));
1465 std::string intIface2 = StringPrintf("netdtest_%u", arc4random_uniform(10000));
1466 std::string intIface3 = StringPrintf("netdtest_%u", arc4random_uniform(10000));
1467
1468 // Ensure we won't use the same interface name, otherwise the test will fail.
1469 u_int32_t rNumber = arc4random_uniform(10000);
1470 std::string extIface1 = StringPrintf("netdtest_%u", rNumber);
1471 std::string extIface2 = StringPrintf("netdtest_%u", rNumber + 1);
1472
1473 addTetherCounterValues(IPTABLES_PATH, intIface1, extIface1, 123, 111);
1474 addTetherCounterValues(IP6TABLES_PATH, intIface1, extIface1, 456, 10);
1475 addTetherCounterValues(IPTABLES_PATH, extIface1, intIface1, 321, 222);
1476 addTetherCounterValues(IP6TABLES_PATH, extIface1, intIface1, 654, 20);
1477 // RX is from external to internal, and TX is from internal to external.
1478 // So rxBytes is 321 + 654 = 975, txBytes is 123 + 456 = 579, etc.
1479 std::vector<int64_t> expected1 = { 975, 242, 579, 121 };
1480
1481 addTetherCounterValues(IPTABLES_PATH, intIface2, extIface2, 1000, 333);
1482 addTetherCounterValues(IP6TABLES_PATH, intIface2, extIface2, 3000, 30);
1483
1484 addTetherCounterValues(IPTABLES_PATH, extIface2, intIface2, 2000, 444);
1485 addTetherCounterValues(IP6TABLES_PATH, extIface2, intIface2, 4000, 40);
1486
1487 addTetherCounterValues(IP6TABLES_PATH, intIface3, extIface2, 1000, 25);
1488 addTetherCounterValues(IP6TABLES_PATH, extIface2, intIface3, 2000, 35);
1489 std::vector<int64_t> expected2 = { 8000, 519, 5000, 388 };
1490
1491 std::vector<TetherStatsParcel> statsVec;
1492 binder::Status status = mNetd->tetherGetStats(&statsVec);
1493 EXPECT_TRUE(status.isOk()) << "Getting tethering stats failed: " << status;
1494
1495 EXPECT_EQ(expected1, getStatsVectorByIf(statsVec, extIface1));
1496
1497 EXPECT_EQ(expected2, getStatsVectorByIf(statsVec, extIface2));
1498
1499 for (const auto& path : { IPTABLES_PATH, IP6TABLES_PATH }) {
1500 delTetherCounterValues(path, intIface1, extIface1);
1501 delTetherCounterValues(path, intIface2, extIface2);
1502 if (strcmp(path, IP6TABLES_PATH) == 0) {
1503 delTetherCounterValues(path, intIface3, extIface2);
1504 }
1505 }
1506
1507 expectNoTestCounterRules();
1508 }
1509
1510 namespace {
1511
1512 constexpr char IDLETIMER_RAW_PREROUTING[] = "idletimer_raw_PREROUTING";
1513 constexpr char IDLETIMER_MANGLE_POSTROUTING[] = "idletimer_mangle_POSTROUTING";
1514
listIptablesRuleByTable(const char * binary,const char * table,const char * chainName)1515 static std::vector<std::string> listIptablesRuleByTable(const char* binary, const char* table,
1516 const char* chainName) {
1517 std::string command = StringPrintf("%s -t %s -w -n -v -L %s", binary, table, chainName);
1518 return runCommand(command);
1519 }
1520
iptablesInterfaceRuleExists(const char * binary,const char * chainName,const std::string & expectedInterface,const std::string & expectedRule,const char * table)1521 bool iptablesInterfaceRuleExists(const char* binary, const char* chainName,
1522 const std::string& expectedInterface,
1523 const std::string& expectedRule, const char* table) {
1524 std::vector<std::string> rules = listIptablesRuleByTable(binary, table, chainName);
1525 for (const auto& rule : rules) {
1526 if (rule.find(expectedInterface) != std::string::npos) {
1527 if (rule.find(expectedRule) != std::string::npos) {
1528 return true;
1529 }
1530 }
1531 }
1532 return false;
1533 }
1534
expectIdletimerInterfaceRuleExists(const std::string & ifname,int timeout,const std::string & classLabel)1535 void expectIdletimerInterfaceRuleExists(const std::string& ifname, int timeout,
1536 const std::string& classLabel) {
1537 std::string IdletimerRule =
1538 StringPrintf("timeout:%u label:%s send_nl_msg", timeout, classLabel.c_str());
1539 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1540 EXPECT_TRUE(iptablesInterfaceRuleExists(binary, IDLETIMER_RAW_PREROUTING, ifname,
1541 IdletimerRule, RAW_TABLE));
1542 EXPECT_TRUE(iptablesInterfaceRuleExists(binary, IDLETIMER_MANGLE_POSTROUTING, ifname,
1543 IdletimerRule, MANGLE_TABLE));
1544 }
1545 }
1546
expectIdletimerInterfaceRuleNotExists(const std::string & ifname,int timeout,const std::string & classLabel)1547 void expectIdletimerInterfaceRuleNotExists(const std::string& ifname, int timeout,
1548 const std::string& classLabel) {
1549 std::string IdletimerRule =
1550 StringPrintf("timeout:%u label:%s send_nl_msg", timeout, classLabel.c_str());
1551 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1552 EXPECT_FALSE(iptablesInterfaceRuleExists(binary, IDLETIMER_RAW_PREROUTING, ifname,
1553 IdletimerRule, RAW_TABLE));
1554 EXPECT_FALSE(iptablesInterfaceRuleExists(binary, IDLETIMER_MANGLE_POSTROUTING, ifname,
1555 IdletimerRule, MANGLE_TABLE));
1556 }
1557 }
1558
1559 } // namespace
1560
TEST_F(NetdBinderTest,IdletimerAddRemoveInterface)1561 TEST_F(NetdBinderTest, IdletimerAddRemoveInterface) {
1562 // TODO: We will get error in if expectIdletimerInterfaceRuleNotExists if there are the same
1563 // rule in the table. Because we only check the result after calling remove function. We might
1564 // check the actual rule which is removed by our function (maybe compare the results between
1565 // calling function before and after)
1566 binder::Status status;
1567 const struct TestData {
1568 const std::string ifname;
1569 int32_t timeout;
1570 const std::string classLabel;
1571 } idleTestData[] = {
1572 {"wlan0", 1234, "happyday"},
1573 {"rmnet_data0", 4567, "friday"},
1574 };
1575 for (const auto& td : idleTestData) {
1576 status = mNetd->idletimerAddInterface(td.ifname, td.timeout, td.classLabel);
1577 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1578 expectIdletimerInterfaceRuleExists(td.ifname, td.timeout, td.classLabel);
1579
1580 status = mNetd->idletimerRemoveInterface(td.ifname, td.timeout, td.classLabel);
1581 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1582 expectIdletimerInterfaceRuleNotExists(td.ifname, td.timeout, td.classLabel);
1583 }
1584 }
1585
1586 namespace {
1587
1588 constexpr char STRICT_OUTPUT[] = "st_OUTPUT";
1589 constexpr char STRICT_CLEAR_CAUGHT[] = "st_clear_caught";
1590
1591 // Output looks like this:
1592 //
1593 // IPv4:
1594 //
1595 // throw dst proto static scope link
1596 // unreachable dst proto static scope link
1597 // dst via nextHop dev ifName proto static
1598 // dst dev ifName proto static scope link
1599 //
1600 // IPv6:
1601 //
1602 // throw dst dev lo proto static metric 1024
1603 // unreachable dst dev lo proto static metric 1024
1604 // dst via nextHop dev ifName proto static metric 1024
1605 // dst dev ifName proto static metric 1024
ipRoutePrefix(const std::string & ifName,const std::string & dst,const std::string & nextHop)1606 std::string ipRoutePrefix(const std::string& ifName, const std::string& dst,
1607 const std::string& nextHop) {
1608 std::string prefixString;
1609
1610 bool isThrow = nextHop == "throw";
1611 bool isUnreachable = nextHop == "unreachable";
1612 bool isDefault = (dst == "0.0.0.0/0" || dst == "::/0");
1613 bool isIPv6 = dst.find(':') != std::string::npos;
1614 bool isThrowOrUnreachable = isThrow || isUnreachable;
1615
1616 if (isThrowOrUnreachable) {
1617 prefixString += nextHop + " ";
1618 }
1619
1620 prefixString += isDefault ? "default" : dst;
1621
1622 if (!nextHop.empty() && !isThrowOrUnreachable) {
1623 prefixString += " via " + nextHop;
1624 }
1625
1626 if (isThrowOrUnreachable) {
1627 if (isIPv6) {
1628 prefixString += " dev lo";
1629 }
1630 } else {
1631 prefixString += " dev " + ifName;
1632 }
1633
1634 prefixString += " proto static";
1635
1636 // IPv6 routes report the metric, IPv4 routes report the scope.
1637 if (isIPv6) {
1638 prefixString += " metric 1024";
1639 } else {
1640 if (nextHop.empty() || isThrowOrUnreachable) {
1641 prefixString += " scope link";
1642 }
1643 }
1644
1645 return prefixString;
1646 }
1647
expectStrictSetUidAccept(const int uid)1648 void expectStrictSetUidAccept(const int uid) {
1649 std::string uidRule = StringPrintf("owner UID match %u", uid);
1650 std::string perUidChain = StringPrintf("st_clear_caught_%u", uid);
1651 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1652 EXPECT_FALSE(iptablesRuleExists(binary, STRICT_OUTPUT, uidRule));
1653 EXPECT_FALSE(iptablesRuleExists(binary, STRICT_CLEAR_CAUGHT, uidRule));
1654 EXPECT_EQ(0, iptablesRuleLineLength(binary, perUidChain.c_str()));
1655 }
1656 }
1657
expectStrictSetUidLog(const int uid)1658 void expectStrictSetUidLog(const int uid) {
1659 static const char logRule[] = "st_penalty_log all";
1660 std::string uidRule = StringPrintf("owner UID match %u", uid);
1661 std::string perUidChain = StringPrintf("st_clear_caught_%u", uid);
1662 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1663 EXPECT_TRUE(iptablesRuleExists(binary, STRICT_OUTPUT, uidRule));
1664 EXPECT_TRUE(iptablesRuleExists(binary, STRICT_CLEAR_CAUGHT, uidRule));
1665 EXPECT_TRUE(iptablesRuleExists(binary, perUidChain.c_str(), logRule));
1666 }
1667 }
1668
expectStrictSetUidReject(const int uid)1669 void expectStrictSetUidReject(const int uid) {
1670 static const char rejectRule[] = "st_penalty_reject all";
1671 std::string uidRule = StringPrintf("owner UID match %u", uid);
1672 std::string perUidChain = StringPrintf("st_clear_caught_%u", uid);
1673 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1674 EXPECT_TRUE(iptablesRuleExists(binary, STRICT_OUTPUT, uidRule));
1675 EXPECT_TRUE(iptablesRuleExists(binary, STRICT_CLEAR_CAUGHT, uidRule));
1676 EXPECT_TRUE(iptablesRuleExists(binary, perUidChain.c_str(), rejectRule));
1677 }
1678 }
1679
ipRouteSubstrings(const std::string & ifName,const std::string & dst,const std::string & nextHop,const std::string & mtu)1680 std::vector<std::string> ipRouteSubstrings(const std::string& ifName, const std::string& dst,
1681 const std::string& nextHop, const std::string& mtu) {
1682 std::vector<std::string> routeSubstrings;
1683
1684 routeSubstrings.push_back(ipRoutePrefix(ifName, dst, nextHop));
1685
1686 if (!mtu.empty()) {
1687 // Add separate substring to match mtu value.
1688 // This is needed because on some devices "error -11"/"error -113" appears between ip prefix
1689 // and mtu for throw/unreachable routes.
1690 routeSubstrings.push_back("mtu " + mtu);
1691 }
1692
1693 return routeSubstrings;
1694 }
1695
expectNetworkRouteDoesNotExistWithMtu(const char * ipVersion,const std::string & ifName,const std::string & dst,const std::string & nextHop,const std::string & mtu,const char * table)1696 void expectNetworkRouteDoesNotExistWithMtu(const char* ipVersion, const std::string& ifName,
1697 const std::string& dst, const std::string& nextHop,
1698 const std::string& mtu, const char* table) {
1699 std::vector<std::string> routeSubstrings = ipRouteSubstrings(ifName, dst, nextHop, mtu);
1700 EXPECT_FALSE(ipRouteExists(ipVersion, table, routeSubstrings))
1701 << "Found unexpected route [" << Join(routeSubstrings, ", ") << "] in table " << table;
1702 }
1703
expectNetworkRouteExistsWithMtu(const char * ipVersion,const std::string & ifName,const std::string & dst,const std::string & nextHop,const std::string & mtu,const char * table)1704 void expectNetworkRouteExistsWithMtu(const char* ipVersion, const std::string& ifName,
1705 const std::string& dst, const std::string& nextHop,
1706 const std::string& mtu, const char* table) {
1707 std::vector<std::string> routeSubstrings = ipRouteSubstrings(ifName, dst, nextHop, mtu);
1708 EXPECT_TRUE(ipRouteExists(ipVersion, table, routeSubstrings))
1709 << "Couldn't find route to " << dst << ": [" << Join(routeSubstrings, ", ")
1710 << "] in table " << table;
1711 }
1712
expectVpnLocalExclusionRuleExists(const std::string & ifName,bool expectExists)1713 void expectVpnLocalExclusionRuleExists(const std::string& ifName, bool expectExists) {
1714 std::string tableName = std::string(ifName + "_local");
1715 // Check if rule exists
1716 std::string vpnLocalExclusionRule =
1717 StringPrintf("%d:\tfrom all fwmark 0x0/0x10000 iif lo lookup %s",
1718 RULE_PRIORITY_LOCAL_ROUTES, tableName.c_str());
1719 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
1720 EXPECT_EQ(expectExists, ipRuleExists(ipVersion, vpnLocalExclusionRule));
1721 }
1722 }
1723
expectNetworkRouteExists(const char * ipVersion,const std::string & ifName,const std::string & dst,const std::string & nextHop,const char * table)1724 void expectNetworkRouteExists(const char* ipVersion, const std::string& ifName,
1725 const std::string& dst, const std::string& nextHop,
1726 const char* table) {
1727 expectNetworkRouteExistsWithMtu(ipVersion, ifName, dst, nextHop, "", table);
1728 }
1729
expectNetworkRouteDoesNotExist(const char * ipVersion,const std::string & ifName,const std::string & dst,const std::string & nextHop,const char * table)1730 void expectNetworkRouteDoesNotExist(const char* ipVersion, const std::string& ifName,
1731 const std::string& dst, const std::string& nextHop,
1732 const char* table) {
1733 expectNetworkRouteDoesNotExistWithMtu(ipVersion, ifName, dst, nextHop, "", table);
1734 }
1735
expectNetworkDefaultIpRuleExists(const char * ifName)1736 void expectNetworkDefaultIpRuleExists(const char* ifName) {
1737 std::string networkDefaultRule =
1738 StringPrintf("%u:\tfrom all fwmark 0x0/0xffff iif lo lookup %s",
1739 RULE_PRIORITY_DEFAULT_NETWORK, ifName);
1740
1741 expectRuleForV4AndV6(ALL_EXIST, networkDefaultRule);
1742 }
1743
expectNetworkDefaultIpRuleDoesNotExist()1744 void expectNetworkDefaultIpRuleDoesNotExist() {
1745 std::string networkDefaultRule =
1746 StringPrintf("%u:\tfrom all fwmark 0x0/0xffff iif lo", RULE_PRIORITY_DEFAULT_NETWORK);
1747
1748 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
1749 std::vector<std::string> rules = listIpRules(ipVersion);
1750 for (const auto& line : rules) {
1751 if (android::base::StartsWith(line, networkDefaultRule)) {
1752 FAIL();
1753 }
1754 }
1755 }
1756 }
1757
expectNetworkPermissionIpRuleExists(const char * ifName,int permission)1758 void expectNetworkPermissionIpRuleExists(const char* ifName, int permission) {
1759 std::string networkPermissionRule = "";
1760 switch (permission) {
1761 case INetd::PERMISSION_NONE:
1762 networkPermissionRule =
1763 StringPrintf("%u:\tfrom all fwmark 0x1ffdd/0x1ffff iif lo lookup %s",
1764 RULE_PRIORITY_EXPLICIT_NETWORK, ifName);
1765 break;
1766 case INetd::PERMISSION_NETWORK:
1767 networkPermissionRule =
1768 StringPrintf("%u:\tfrom all fwmark 0x5ffdd/0x5ffff iif lo lookup %s",
1769 RULE_PRIORITY_EXPLICIT_NETWORK, ifName);
1770 break;
1771 case INetd::PERMISSION_SYSTEM:
1772 networkPermissionRule =
1773 StringPrintf("%u:\tfrom all fwmark 0xdffdd/0xdffff iif lo lookup %s",
1774 RULE_PRIORITY_EXPLICIT_NETWORK, ifName);
1775 break;
1776 }
1777
1778 expectRuleForV4AndV6(ALL_EXIST, networkPermissionRule);
1779 }
1780
expectNetworkPermissionIptablesRuleExists(const char * ifName,int permission)1781 void expectNetworkPermissionIptablesRuleExists(const char* ifName, int permission) {
1782 static const char ROUTECTRL_INPUT[] = "routectrl_mangle_INPUT";
1783 std::string networkIncomingPacketMarkRule = "";
1784 switch (permission) {
1785 case INetd::PERMISSION_NONE:
1786 networkIncomingPacketMarkRule = "MARK xset 0x3ffdd/0x7fefffff";
1787 break;
1788 case INetd::PERMISSION_NETWORK:
1789 networkIncomingPacketMarkRule = "MARK xset 0x7ffdd/0x7fefffff";
1790 break;
1791 case INetd::PERMISSION_SYSTEM:
1792 networkIncomingPacketMarkRule = "MARK xset 0xfffdd/0x7fefffff";
1793 break;
1794 }
1795
1796 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1797 EXPECT_TRUE(iptablesInterfaceRuleExists(binary, ROUTECTRL_INPUT, ifName,
1798 networkIncomingPacketMarkRule, MANGLE_TABLE));
1799 }
1800 }
1801
1802 } // namespace
1803
TEST_F(NetdBinderTest,StrictSetUidCleartextPenalty)1804 TEST_F(NetdBinderTest, StrictSetUidCleartextPenalty) {
1805 binder::Status status;
1806 int32_t uid = randomUid();
1807
1808 // setUidCleartextPenalty Policy:Log with randomUid
1809 status = mNetd->strictUidCleartextPenalty(uid, INetd::PENALTY_POLICY_LOG);
1810 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1811 expectStrictSetUidLog(uid);
1812
1813 // setUidCleartextPenalty Policy:Accept with randomUid
1814 status = mNetd->strictUidCleartextPenalty(uid, INetd::PENALTY_POLICY_ACCEPT);
1815 expectStrictSetUidAccept(uid);
1816
1817 // setUidCleartextPenalty Policy:Reject with randomUid
1818 status = mNetd->strictUidCleartextPenalty(uid, INetd::PENALTY_POLICY_REJECT);
1819 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1820 expectStrictSetUidReject(uid);
1821
1822 // setUidCleartextPenalty Policy:Accept with randomUid
1823 status = mNetd->strictUidCleartextPenalty(uid, INetd::PENALTY_POLICY_ACCEPT);
1824 expectStrictSetUidAccept(uid);
1825
1826 // test wrong policy
1827 int32_t wrongPolicy = -123;
1828 status = mNetd->strictUidCleartextPenalty(uid, wrongPolicy);
1829 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
1830 }
1831
1832 namespace {
1833
tryToFindProcesses(const std::string & processName,uint32_t maxTries=1,uint32_t intervalMs=50)1834 std::vector<std::string> tryToFindProcesses(const std::string& processName, uint32_t maxTries = 1,
1835 uint32_t intervalMs = 50) {
1836 // Output looks like:(clatd)
1837 // clat 4963 850 1 12:16:51 ? 00:00:00 clatd-netd10a88 -i netd10a88 ...
1838 // ...
1839 // root 5221 5219 0 12:18:12 ? 00:00:00 sh -c ps -Af | grep ' clatd-netdcc1a0'
1840
1841 // (dnsmasq)
1842 // dns_tether 4620 792 0 16:51:28 ? 00:00:00 dnsmasq --keep-in-foreground ...
1843
1844 if (maxTries == 0) return {};
1845
1846 std::string cmd = StringPrintf("ps -Af | grep '[0-9] %s'", processName.c_str());
1847 std::vector<std::string> result;
1848 for (uint32_t run = 1;;) {
1849 result = runCommand(cmd);
1850 if (result.size() || ++run > maxTries) {
1851 break;
1852 }
1853
1854 usleep(intervalMs * 1000);
1855 }
1856 return result;
1857 }
1858
expectProcessExists(const std::string & processName)1859 void expectProcessExists(const std::string& processName) {
1860 EXPECT_EQ(1U, tryToFindProcesses(processName, 5 /*maxTries*/).size());
1861 }
1862
expectProcessDoesNotExist(const std::string & processName)1863 void expectProcessDoesNotExist(const std::string& processName) {
1864 EXPECT_FALSE(tryToFindProcesses(processName).size());
1865 }
1866
1867 } // namespace
1868
TEST_F(NetdBinderTest,NetworkAddRemoveRouteToLocalExcludeTable)1869 TEST_F(NetdBinderTest, NetworkAddRemoveRouteToLocalExcludeTable) {
1870 static const struct {
1871 const char* ipVersion;
1872 const char* testDest;
1873 const char* testNextHop;
1874 const bool expectInLocalTable;
1875 } kTestData[] = {{IP_RULE_V6, "::/0", "fe80::", false},
1876 {IP_RULE_V6, "::/0", "", false},
1877 {IP_RULE_V6, "2001:db8:cafe::/64", "fe80::", false},
1878 {IP_RULE_V6, "fe80::/64", "", true},
1879 {IP_RULE_V6, "2001:db8:cafe::/48", "", true},
1880 {IP_RULE_V6, "2001:db8:cafe::/64", "unreachable", false},
1881 {IP_RULE_V6, "2001:db8:ca00::/40", "", true},
1882 {IP_RULE_V4, "0.0.0.0/0", "10.251.10.1", false},
1883 {IP_RULE_V4, "192.1.0.0/16", "", false},
1884 {IP_RULE_V4, "192.168.0.0/15", "", false},
1885 {IP_RULE_V4, "192.168.0.0/16", "", true},
1886 {IP_RULE_V4, "192.168.0.0/24", "", true},
1887 {IP_RULE_V4, "100.1.0.0/16", "", false},
1888 {IP_RULE_V4, "100.0.0.0/8", "", false},
1889 {IP_RULE_V4, "100.64.0.0/10", "", true},
1890 {IP_RULE_V4, "100.64.0.0/16", "", true},
1891 {IP_RULE_V4, "100.64.0.0/10", "throw", false},
1892 {IP_RULE_V4, "172.0.0.0/8", "", false},
1893 {IP_RULE_V4, "172.16.0.0/12", "", true},
1894 {IP_RULE_V4, "172.16.0.0/16", "", true},
1895 {IP_RULE_V4, "172.16.0.0/12", "unreachable", false},
1896 {IP_RULE_V4, "172.32.0.0/12", "", false},
1897 {IP_RULE_V4, "169.0.0.0/8", "", false},
1898 {IP_RULE_V4, "169.254.0.0/16", "", true},
1899 {IP_RULE_V4, "169.254.0.0/20", "", true},
1900 {IP_RULE_V4, "169.254.3.0/24", "", true},
1901 {IP_RULE_V4, "170.254.0.0/16", "", false},
1902 {IP_RULE_V4, "10.0.0.0/8", "", true},
1903 {IP_RULE_V4, "10.0.0.0/7", "", false},
1904 {IP_RULE_V4, "10.0.0.0/16", "", true},
1905 {IP_RULE_V4, "10.251.0.0/16", "", true},
1906 {IP_RULE_V4, "10.251.250.0/24", "", true},
1907 {IP_RULE_V4, "10.251.10.2/31", "throw", false},
1908 {IP_RULE_V4, "10.251.10.2/31", "unreachable", false}};
1909
1910 // To ensure that the nexthops for the above are reachable.
1911 // Otherwise, the routes can't be created.
1912 static const struct {
1913 const char* ipVersion;
1914 const char* testDest;
1915 const char* testNextHop;
1916 } kDirectlyConnectedRoutes[] = {
1917 {IP_RULE_V4, "10.251.10.0/30", ""},
1918 {IP_RULE_V6, "2001:db8::/32", ""},
1919 };
1920
1921 // This should ba aligned with V4_FIXED_LOCAL_PREFIXES in system/netd/server/RouteController.cpp
1922 // An expandable array for fixed local prefix though it's only one element now.
1923 static const char* kV4LocalPrefixes[] = {"224.0.0.0/24"};
1924
1925 // Add test physical network
1926 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
1927 INetd::PERMISSION_NONE, false, false);
1928 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
1929 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
1930
1931 // Get current default network NetId
1932 binder::Status status = mNetd->networkGetDefault(&mStoredDefaultNetwork);
1933 ASSERT_TRUE(status.isOk()) << status.exceptionMessage();
1934
1935 // Set default network
1936 EXPECT_TRUE(mNetd->networkSetDefault(TEST_NETID1).isOk());
1937
1938 std::string localTableName = std::string(sTun.name() + "_local");
1939
1940 // Verify the fixed routes exist in the local table.
1941 for (size_t i = 0; i < std::size(kV4LocalPrefixes); i++) {
1942 expectNetworkRouteExists(IP_RULE_V4, sTun.name(), kV4LocalPrefixes[i], "",
1943 localTableName.c_str());
1944 }
1945
1946 // Set up link-local routes for connectivity to the "gateway"
1947 for (size_t i = 0; i < std::size(kDirectlyConnectedRoutes); i++) {
1948 const auto& td = kDirectlyConnectedRoutes[i];
1949
1950 binder::Status status =
1951 mNetd->networkAddRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
1952 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1953 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1954 sTun.name().c_str());
1955 // Verify routes in local table
1956 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1957 localTableName.c_str());
1958 }
1959
1960 for (size_t i = 0; i < std::size(kTestData); i++) {
1961 const auto& td = kTestData[i];
1962 SCOPED_TRACE(StringPrintf("case ip:%s, dest:%s, nexHop:%s, expect:%d", td.ipVersion,
1963 td.testDest, td.testNextHop, td.expectInLocalTable));
1964 binder::Status status =
1965 mNetd->networkAddRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
1966 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1967 // Verify routes in local table
1968 if (td.expectInLocalTable) {
1969 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1970 localTableName.c_str());
1971 } else {
1972 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1973 localTableName.c_str());
1974 }
1975
1976 status = mNetd->networkRemoveRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
1977 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1978 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1979 localTableName.c_str());
1980 }
1981
1982 for (size_t i = 0; i < std::size(kDirectlyConnectedRoutes); i++) {
1983 const auto& td = kDirectlyConnectedRoutes[i];
1984 status = mNetd->networkRemoveRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
1985 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1986 }
1987
1988 // Set default network back
1989 status = mNetd->networkSetDefault(mStoredDefaultNetwork);
1990
1991 // Remove test physical network
1992 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
1993 }
1994
1995 namespace {
1996
getIpfwdV4Enable()1997 bool getIpfwdV4Enable() {
1998 static const char ipv4IpfwdCmd[] = "cat /proc/sys/net/ipv4/ip_forward";
1999 std::vector<std::string> result = runCommand(ipv4IpfwdCmd);
2000 EXPECT_TRUE(!result.empty());
2001 int v4Enable = std::stoi(result[0]);
2002 return v4Enable;
2003 }
2004
getIpfwdV6Enable()2005 bool getIpfwdV6Enable() {
2006 static const char ipv6IpfwdCmd[] = "cat /proc/sys/net/ipv6/conf/all/forwarding";
2007 std::vector<std::string> result = runCommand(ipv6IpfwdCmd);
2008 EXPECT_TRUE(!result.empty());
2009 int v6Enable = std::stoi(result[0]);
2010 return v6Enable;
2011 }
2012
expectIpfwdEnable(bool enable)2013 void expectIpfwdEnable(bool enable) {
2014 int enableIPv4 = getIpfwdV4Enable();
2015 int enableIPv6 = getIpfwdV6Enable();
2016 EXPECT_EQ(enable, enableIPv4);
2017 EXPECT_EQ(enable, enableIPv6);
2018 }
2019
ipRuleIpfwdExists(const char * ipVersion,const std::string & ipfwdRule)2020 bool ipRuleIpfwdExists(const char* ipVersion, const std::string& ipfwdRule) {
2021 std::vector<std::string> rules = listIpRules(ipVersion);
2022 for (const auto& rule : rules) {
2023 if (rule.find(ipfwdRule) != std::string::npos) {
2024 return true;
2025 }
2026 }
2027 return false;
2028 }
2029
expectIpfwdRuleExists(const char * fromIf,const char * toIf)2030 void expectIpfwdRuleExists(const char* fromIf, const char* toIf) {
2031 std::string ipfwdRule =
2032 StringPrintf("%u:\tfrom all iif %s lookup %s", RULE_PRIORITY_TETHERING, fromIf, toIf);
2033
2034 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
2035 EXPECT_TRUE(ipRuleIpfwdExists(ipVersion, ipfwdRule));
2036 }
2037 }
2038
expectIpfwdRuleNotExists(const char * fromIf,const char * toIf)2039 void expectIpfwdRuleNotExists(const char* fromIf, const char* toIf) {
2040 std::string ipfwdRule =
2041 StringPrintf("%u:\tfrom all iif %s lookup %s", RULE_PRIORITY_TETHERING, fromIf, toIf);
2042
2043 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
2044 EXPECT_FALSE(ipRuleIpfwdExists(ipVersion, ipfwdRule));
2045 }
2046 }
2047
2048 } // namespace
2049
TEST_F(NetdBinderTest,TestIpfwdEnableDisableStatusForwarding)2050 TEST_F(NetdBinderTest, TestIpfwdEnableDisableStatusForwarding) {
2051 // Get ipfwd requester list from Netd
2052 std::vector<std::string> requesterList;
2053 binder::Status status = mNetd->ipfwdGetRequesterList(&requesterList);
2054 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2055
2056 bool ipfwdEnabled;
2057 if (requesterList.size() == 0) {
2058 // No requester in Netd, ipfwd should be disabled
2059 // So add one test requester and verify
2060 status = mNetd->ipfwdEnableForwarding("TestRequester");
2061 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2062
2063 expectIpfwdEnable(true);
2064 status = mNetd->ipfwdEnabled(&ipfwdEnabled);
2065 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2066 EXPECT_TRUE(ipfwdEnabled);
2067
2068 // Remove test one, verify again
2069 status = mNetd->ipfwdDisableForwarding("TestRequester");
2070 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2071
2072 expectIpfwdEnable(false);
2073 status = mNetd->ipfwdEnabled(&ipfwdEnabled);
2074 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2075 EXPECT_FALSE(ipfwdEnabled);
2076 } else {
2077 // Disable all requesters
2078 for (const auto& requester : requesterList) {
2079 status = mNetd->ipfwdDisableForwarding(requester);
2080 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2081 }
2082
2083 // After disable all requester, ipfwd should be disabled
2084 expectIpfwdEnable(false);
2085 status = mNetd->ipfwdEnabled(&ipfwdEnabled);
2086 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2087 EXPECT_FALSE(ipfwdEnabled);
2088
2089 // Enable them back
2090 for (const auto& requester : requesterList) {
2091 status = mNetd->ipfwdEnableForwarding(requester);
2092 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2093 }
2094
2095 // ipfwd should be enabled
2096 expectIpfwdEnable(true);
2097 status = mNetd->ipfwdEnabled(&ipfwdEnabled);
2098 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2099 EXPECT_TRUE(ipfwdEnabled);
2100 }
2101 }
2102
TEST_F(NetdBinderTest,TestIpfwdAddRemoveInterfaceForward)2103 TEST_F(NetdBinderTest, TestIpfwdAddRemoveInterfaceForward) {
2104 // Add test physical network
2105 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2106 INetd::PERMISSION_NONE, false, false);
2107 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2108 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2109
2110 config.netId = TEST_NETID2;
2111 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2112 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID2, sTun2.name()).isOk());
2113
2114 binder::Status status = mNetd->ipfwdAddInterfaceForward(sTun.name(), sTun2.name());
2115 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2116 expectIpfwdRuleExists(sTun.name().c_str(), sTun2.name().c_str());
2117
2118 status = mNetd->ipfwdRemoveInterfaceForward(sTun.name(), sTun2.name());
2119 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2120 expectIpfwdRuleNotExists(sTun.name().c_str(), sTun2.name().c_str());
2121 }
2122
2123 namespace {
2124
2125 constexpr char BANDWIDTH_INPUT[] = "bw_INPUT";
2126 constexpr char BANDWIDTH_OUTPUT[] = "bw_OUTPUT";
2127 constexpr char BANDWIDTH_FORWARD[] = "bw_FORWARD";
2128 constexpr char BANDWIDTH_NAUGHTY[] = "bw_penalty_box";
2129 constexpr char BANDWIDTH_ALERT[] = "bw_global_alert";
2130
2131 // TODO: Move iptablesTargetsExists and listIptablesRuleByTable to the top.
2132 // Use either a std::vector<std::string> of things to match, or a variadic function.
iptablesTargetsExists(const char * binary,int expectedCount,const char * table,const char * chainName,const std::string & expectedTargetA,const std::string & expectedTargetB)2133 bool iptablesTargetsExists(const char* binary, int expectedCount, const char* table,
2134 const char* chainName, const std::string& expectedTargetA,
2135 const std::string& expectedTargetB) {
2136 std::vector<std::string> rules = listIptablesRuleByTable(binary, table, chainName);
2137 int matchCount = 0;
2138
2139 for (const auto& rule : rules) {
2140 if (rule.find(expectedTargetA) != std::string::npos) {
2141 if (rule.find(expectedTargetB) != std::string::npos) {
2142 matchCount++;
2143 }
2144 }
2145 }
2146 return matchCount == expectedCount;
2147 }
2148
expectXtQuotaValueEqual(const char * ifname,long quotaBytes)2149 void expectXtQuotaValueEqual(const char* ifname, long quotaBytes) {
2150 std::string path = StringPrintf("/proc/net/xt_quota/%s", ifname);
2151 std::string result = "";
2152
2153 EXPECT_TRUE(ReadFileToString(path, &result));
2154 // Quota value might be decreased while matching packets
2155 EXPECT_GE(quotaBytes, std::stol(Trim(result)));
2156 }
2157
expectBandwidthInterfaceQuotaRuleExists(const char * ifname,long quotaBytes)2158 void expectBandwidthInterfaceQuotaRuleExists(const char* ifname, long quotaBytes) {
2159 std::string BANDWIDTH_COSTLY_IF = StringPrintf("bw_costly_%s", ifname);
2160 std::string quotaRule = StringPrintf("quota %s", ifname);
2161
2162 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2163 EXPECT_TRUE(iptablesTargetsExists(binary, 1, FILTER_TABLE, BANDWIDTH_INPUT, ifname,
2164 BANDWIDTH_COSTLY_IF));
2165 EXPECT_TRUE(iptablesTargetsExists(binary, 1, FILTER_TABLE, BANDWIDTH_OUTPUT, ifname,
2166 BANDWIDTH_COSTLY_IF));
2167 EXPECT_TRUE(iptablesTargetsExists(binary, 2, FILTER_TABLE, BANDWIDTH_FORWARD, ifname,
2168 BANDWIDTH_COSTLY_IF));
2169 EXPECT_TRUE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), BANDWIDTH_NAUGHTY));
2170 EXPECT_TRUE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), quotaRule));
2171 }
2172 expectXtQuotaValueEqual(ifname, quotaBytes);
2173 }
2174
expectBandwidthInterfaceQuotaRuleDoesNotExist(const char * ifname)2175 void expectBandwidthInterfaceQuotaRuleDoesNotExist(const char* ifname) {
2176 std::string BANDWIDTH_COSTLY_IF = StringPrintf("bw_costly_%s", ifname);
2177 std::string quotaRule = StringPrintf("quota %s", ifname);
2178
2179 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2180 EXPECT_FALSE(iptablesTargetsExists(binary, 1, FILTER_TABLE, BANDWIDTH_INPUT, ifname,
2181 BANDWIDTH_COSTLY_IF));
2182 EXPECT_FALSE(iptablesTargetsExists(binary, 1, FILTER_TABLE, BANDWIDTH_OUTPUT, ifname,
2183 BANDWIDTH_COSTLY_IF));
2184 EXPECT_FALSE(iptablesTargetsExists(binary, 2, FILTER_TABLE, BANDWIDTH_FORWARD, ifname,
2185 BANDWIDTH_COSTLY_IF));
2186 EXPECT_FALSE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), BANDWIDTH_NAUGHTY));
2187 EXPECT_FALSE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), quotaRule));
2188 }
2189 }
2190
expectBandwidthInterfaceAlertRuleExists(const char * ifname,long alertBytes)2191 void expectBandwidthInterfaceAlertRuleExists(const char* ifname, long alertBytes) {
2192 std::string BANDWIDTH_COSTLY_IF = StringPrintf("bw_costly_%s", ifname);
2193 std::string alertRule = StringPrintf("quota %sAlert", ifname);
2194 std::string alertName = StringPrintf("%sAlert", ifname);
2195
2196 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2197 EXPECT_TRUE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), alertRule));
2198 }
2199 expectXtQuotaValueEqual(alertName.c_str(), alertBytes);
2200 }
2201
expectBandwidthInterfaceAlertRuleDoesNotExist(const char * ifname)2202 void expectBandwidthInterfaceAlertRuleDoesNotExist(const char* ifname) {
2203 std::string BANDWIDTH_COSTLY_IF = StringPrintf("bw_costly_%s", ifname);
2204 std::string alertRule = StringPrintf("quota %sAlert", ifname);
2205
2206 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2207 EXPECT_FALSE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), alertRule));
2208 }
2209 }
2210
expectBandwidthGlobalAlertRuleExists(long alertBytes)2211 void expectBandwidthGlobalAlertRuleExists(long alertBytes) {
2212 static const char globalAlertRule[] = "quota globalAlert";
2213 static const char globalAlertName[] = "globalAlert";
2214
2215 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2216 EXPECT_TRUE(iptablesRuleExists(binary, BANDWIDTH_ALERT, globalAlertRule));
2217 }
2218 expectXtQuotaValueEqual(globalAlertName, alertBytes);
2219 }
2220
2221 } // namespace
2222
TEST_F(NetdBinderTest,BandwidthSetRemoveInterfaceQuota)2223 TEST_F(NetdBinderTest, BandwidthSetRemoveInterfaceQuota) {
2224 long testQuotaBytes = 5550;
2225
2226 // Add test physical network
2227 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2228 INetd::PERMISSION_NONE, false, false);
2229 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2230 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2231
2232 binder::Status status = mNetd->bandwidthSetInterfaceQuota(sTun.name(), testQuotaBytes);
2233 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2234 expectBandwidthInterfaceQuotaRuleExists(sTun.name().c_str(), testQuotaBytes);
2235
2236 status = mNetd->bandwidthRemoveInterfaceQuota(sTun.name());
2237 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2238 expectBandwidthInterfaceQuotaRuleDoesNotExist(sTun.name().c_str());
2239
2240 // Remove test physical network
2241 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
2242 }
2243
TEST_F(NetdBinderTest,BandwidthSetRemoveInterfaceAlert)2244 TEST_F(NetdBinderTest, BandwidthSetRemoveInterfaceAlert) {
2245 long testAlertBytes = 373;
2246 // Add test physical network
2247 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2248 INetd::PERMISSION_NONE, false, false);
2249 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2250 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2251 // Need to have a prior interface quota set to set an alert
2252 binder::Status status = mNetd->bandwidthSetInterfaceQuota(sTun.name(), testAlertBytes);
2253 status = mNetd->bandwidthSetInterfaceAlert(sTun.name(), testAlertBytes);
2254 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2255 expectBandwidthInterfaceAlertRuleExists(sTun.name().c_str(), testAlertBytes);
2256
2257 status = mNetd->bandwidthRemoveInterfaceAlert(sTun.name());
2258 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2259 expectBandwidthInterfaceAlertRuleDoesNotExist(sTun.name().c_str());
2260
2261 // Remove interface quota
2262 status = mNetd->bandwidthRemoveInterfaceQuota(sTun.name());
2263 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2264 expectBandwidthInterfaceQuotaRuleDoesNotExist(sTun.name().c_str());
2265
2266 // Remove test physical network
2267 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
2268 }
2269
TEST_F(NetdBinderTest,BandwidthSetGlobalAlert)2270 TEST_F(NetdBinderTest, BandwidthSetGlobalAlert) {
2271 int64_t testAlertBytes = 2097200;
2272
2273 binder::Status status = mNetd->bandwidthSetGlobalAlert(testAlertBytes);
2274 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2275 expectBandwidthGlobalAlertRuleExists(testAlertBytes);
2276
2277 testAlertBytes = 2098230;
2278 status = mNetd->bandwidthSetGlobalAlert(testAlertBytes);
2279 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2280 expectBandwidthGlobalAlertRuleExists(testAlertBytes);
2281 }
2282
TEST_F(NetdBinderTest,NetworkAddRemoveRouteUserPermission)2283 TEST_F(NetdBinderTest, NetworkAddRemoveRouteUserPermission) {
2284 static const struct {
2285 const char* ipVersion;
2286 const char* testDest;
2287 const char* testNextHop;
2288 const bool expectSuccess;
2289 } kTestData[] = {
2290 {IP_RULE_V4, "0.0.0.0/0", "", true},
2291 {IP_RULE_V4, "0.0.0.0/0", "10.251.10.0", true},
2292 {IP_RULE_V4, "10.251.0.0/16", "", true},
2293 {IP_RULE_V4, "10.251.0.0/16", "10.251.10.0", true},
2294 {IP_RULE_V4, "10.251.0.0/16", "fe80::/64", false},
2295 {IP_RULE_V6, "::/0", "", true},
2296 {IP_RULE_V6, "::/0", "2001:db8::", true},
2297 {IP_RULE_V6, "2001:db8:cafe::/64", "2001:db8::", true},
2298 {IP_RULE_V4, "fe80::/64", "0.0.0.0", false},
2299 {IP_RULE_V4, "10.251.10.2/31", "throw", true},
2300 {IP_RULE_V4, "10.251.10.2/31", "unreachable", true},
2301 {IP_RULE_V4, "0.0.0.0/0", "throw", true},
2302 {IP_RULE_V4, "0.0.0.0/0", "unreachable", true},
2303 {IP_RULE_V6, "::/0", "throw", true},
2304 {IP_RULE_V6, "::/0", "unreachable", true},
2305 {IP_RULE_V6, "2001:db8:cafe::/64", "throw", true},
2306 {IP_RULE_V6, "2001:db8:cafe::/64", "unreachable", true},
2307 };
2308
2309 static const struct {
2310 const char* ipVersion;
2311 const char* testDest;
2312 const char* testNextHop;
2313 } kTestDataWithNextHop[] = {
2314 {IP_RULE_V4, "10.251.10.0/30", ""},
2315 {IP_RULE_V6, "2001:db8::/32", ""},
2316 };
2317
2318 static const char testTableLegacySystem[] = "legacy_system";
2319 static const char testTableLegacyNetwork[] = "legacy_network";
2320 const int testUid = randomUid();
2321 const std::vector<int32_t> testUids = {testUid};
2322
2323 // Add test physical network
2324 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2325 INetd::PERMISSION_NONE, false, false);
2326 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2327 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2328
2329 // Setup route for testing nextHop
2330 for (size_t i = 0; i < std::size(kTestDataWithNextHop); i++) {
2331 const auto& td = kTestDataWithNextHop[i];
2332
2333 // All route for test tun will disappear once the tun interface is deleted.
2334 binder::Status status =
2335 mNetd->networkAddRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
2336 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2337 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2338 sTun.name().c_str());
2339
2340 // Add system permission for test uid, setup route in legacy system table.
2341 EXPECT_TRUE(mNetd->networkSetPermissionForUser(INetd::PERMISSION_SYSTEM, testUids).isOk());
2342
2343 status = mNetd->networkAddLegacyRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop,
2344 testUid);
2345 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2346 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2347 testTableLegacySystem);
2348
2349 // Remove system permission for test uid, setup route in legacy network table.
2350 EXPECT_TRUE(mNetd->networkClearPermissionForUser(testUids).isOk());
2351
2352 status = mNetd->networkAddLegacyRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop,
2353 testUid);
2354 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2355 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2356 testTableLegacyNetwork);
2357 }
2358
2359 for (size_t i = 0; i < std::size(kTestData); i++) {
2360 const auto& td = kTestData[i];
2361
2362 binder::Status status =
2363 mNetd->networkAddRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
2364 if (td.expectSuccess) {
2365 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2366 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2367 sTun.name().c_str());
2368 } else {
2369 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2370 EXPECT_NE(0, status.serviceSpecificErrorCode());
2371 }
2372
2373 status = mNetd->networkRemoveRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
2374 if (td.expectSuccess) {
2375 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2376 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2377 sTun.name().c_str());
2378 } else {
2379 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2380 EXPECT_NE(0, status.serviceSpecificErrorCode());
2381 }
2382
2383 // Add system permission for test uid, route will be added into legacy system table.
2384 EXPECT_TRUE(mNetd->networkSetPermissionForUser(INetd::PERMISSION_SYSTEM, testUids).isOk());
2385
2386 status = mNetd->networkAddLegacyRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop,
2387 testUid);
2388 if (td.expectSuccess) {
2389 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2390 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2391 testTableLegacySystem);
2392 } else {
2393 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2394 EXPECT_NE(0, status.serviceSpecificErrorCode());
2395 }
2396
2397 status = mNetd->networkRemoveLegacyRoute(TEST_NETID1, sTun.name(), td.testDest,
2398 td.testNextHop, testUid);
2399 if (td.expectSuccess) {
2400 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2401 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2402 testTableLegacySystem);
2403 } else {
2404 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2405 EXPECT_NE(0, status.serviceSpecificErrorCode());
2406 }
2407
2408 // Remove system permission for test uid, route will be added into legacy network table.
2409 EXPECT_TRUE(mNetd->networkClearPermissionForUser(testUids).isOk());
2410
2411 status = mNetd->networkAddLegacyRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop,
2412 testUid);
2413 if (td.expectSuccess) {
2414 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2415 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2416 testTableLegacyNetwork);
2417 } else {
2418 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2419 EXPECT_NE(0, status.serviceSpecificErrorCode());
2420 }
2421
2422 status = mNetd->networkRemoveLegacyRoute(TEST_NETID1, sTun.name(), td.testDest,
2423 td.testNextHop, testUid);
2424 if (td.expectSuccess) {
2425 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2426 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2427 testTableLegacyNetwork);
2428 } else {
2429 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2430 EXPECT_NE(0, status.serviceSpecificErrorCode());
2431 }
2432 }
2433
2434 /*
2435 * Test networkUpdateRouteParcel behavior in case of route MTU change.
2436 *
2437 * Change of route MTU should be treated as an update of the route:
2438 * - networkUpdateRouteParcel should succeed and update route MTU.
2439 */
2440 for (size_t i = 0; i < std::size(kTestData); i++) {
2441 const auto& td = kTestData[i];
2442 int mtu = (i % 2) ? 1480 : 1280;
2443
2444 android::net::RouteInfoParcel parcel;
2445 parcel.ifName = sTun.name();
2446 parcel.destination = td.testDest;
2447 parcel.nextHop = td.testNextHop;
2448 parcel.mtu = mtu;
2449 binder::Status status = mNetd->networkAddRouteParcel(TEST_NETID1, parcel);
2450 if (td.expectSuccess) {
2451 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2452 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2453 std::to_string(parcel.mtu), sTun.name().c_str());
2454 } else {
2455 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2456 EXPECT_NE(0, status.serviceSpecificErrorCode());
2457 }
2458
2459 parcel.mtu = 1337;
2460 status = mNetd->networkUpdateRouteParcel(TEST_NETID1, parcel);
2461 if (td.expectSuccess) {
2462 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2463 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2464 std::to_string(parcel.mtu), sTun.name().c_str());
2465 } else {
2466 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2467 EXPECT_NE(0, status.serviceSpecificErrorCode());
2468 }
2469
2470 status = mNetd->networkRemoveRouteParcel(TEST_NETID1, parcel);
2471 if (td.expectSuccess) {
2472 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2473 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2474 sTun.name().c_str());
2475 } else {
2476 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2477 EXPECT_NE(0, status.serviceSpecificErrorCode());
2478 }
2479 }
2480
2481 /*
2482 * Test network[Update|Add]RouteParcel behavior in case of route type change.
2483 *
2484 * Change of route type should be treated as an update of the route:
2485 * - networkUpdateRouteParcel should succeed and update route type.
2486 * - networkAddRouteParcel should silently fail, because the route already exists. Route type
2487 * should not be changed in this case.
2488 */
2489 for (size_t i = 0; i < std::size(kTestData); i++) {
2490 const auto& td = kTestData[i];
2491
2492 if (!td.expectSuccess) {
2493 continue;
2494 }
2495
2496 android::net::RouteInfoParcel parcel;
2497 parcel.ifName = sTun.name();
2498 parcel.destination = td.testDest;
2499 parcel.nextHop = td.testNextHop;
2500 parcel.mtu = 1280;
2501 binder::Status status = mNetd->networkAddRouteParcel(TEST_NETID1, parcel);
2502 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2503 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2504 std::to_string(parcel.mtu), sTun.name().c_str());
2505
2506 parcel.nextHop = parcel.nextHop == "throw" ? "unreachable" : "throw";
2507 const char* oldNextHop = td.testNextHop;
2508 const char* newNextHop = parcel.nextHop.c_str();
2509
2510 // Trying to add same route with changed type, this should silently fail.
2511 status = mNetd->networkAddRouteParcel(TEST_NETID1, parcel);
2512 // No error reported.
2513 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2514 // Old route still exists.
2515 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, oldNextHop,
2516 std::to_string(parcel.mtu), sTun.name().c_str());
2517 // New route was not actually added.
2518 expectNetworkRouteDoesNotExistWithMtu(td.ipVersion, sTun.name(), td.testDest, newNextHop,
2519 std::to_string(parcel.mtu), sTun.name().c_str());
2520
2521 // Update should succeed.
2522 status = mNetd->networkUpdateRouteParcel(TEST_NETID1, parcel);
2523 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2524 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, newNextHop,
2525 std::to_string(parcel.mtu), sTun.name().c_str());
2526 expectNetworkRouteDoesNotExistWithMtu(td.ipVersion, sTun.name(), td.testDest, oldNextHop,
2527 std::to_string(parcel.mtu), sTun.name().c_str());
2528
2529 status = mNetd->networkRemoveRouteParcel(TEST_NETID1, parcel);
2530 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2531 expectNetworkRouteDoesNotExistWithMtu(td.ipVersion, sTun.name(), td.testDest, newNextHop,
2532 std::to_string(parcel.mtu), sTun.name().c_str());
2533 }
2534
2535 // Remove test physical network
2536 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
2537 }
2538
TEST_F(NetdBinderTest,NetworkPermissionDefault)2539 TEST_F(NetdBinderTest, NetworkPermissionDefault) {
2540 // Add test physical network
2541 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2542 INetd::PERMISSION_NONE, false, false);
2543 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2544 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2545
2546 // Get current default network NetId
2547 binder::Status status = mNetd->networkGetDefault(&mStoredDefaultNetwork);
2548 ASSERT_TRUE(status.isOk()) << status.exceptionMessage();
2549
2550 // Test SetDefault
2551 status = mNetd->networkSetDefault(TEST_NETID1);
2552 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2553 expectNetworkDefaultIpRuleExists(sTun.name().c_str());
2554
2555 status = mNetd->networkClearDefault();
2556 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2557 expectNetworkDefaultIpRuleDoesNotExist();
2558
2559 // Set default network back
2560 status = mNetd->networkSetDefault(mStoredDefaultNetwork);
2561 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2562
2563 // Test SetPermission
2564 status = mNetd->networkSetPermissionForNetwork(TEST_NETID1, INetd::PERMISSION_SYSTEM);
2565 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2566 expectNetworkPermissionIpRuleExists(sTun.name().c_str(), INetd::PERMISSION_SYSTEM);
2567 expectNetworkPermissionIptablesRuleExists(sTun.name().c_str(), INetd::PERMISSION_SYSTEM);
2568
2569 status = mNetd->networkSetPermissionForNetwork(TEST_NETID1, INetd::PERMISSION_NONE);
2570 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2571 expectNetworkPermissionIpRuleExists(sTun.name().c_str(), INetd::PERMISSION_NONE);
2572 expectNetworkPermissionIptablesRuleExists(sTun.name().c_str(), INetd::PERMISSION_NONE);
2573
2574 // Remove test physical network
2575 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
2576 }
2577
TEST_F(NetdBinderTest,NetworkSetProtectAllowDeny)2578 TEST_F(NetdBinderTest, NetworkSetProtectAllowDeny) {
2579 binder::Status status = mNetd->networkSetProtectAllow(TEST_UID1);
2580 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2581 bool ret = false;
2582 status = mNetd->networkCanProtect(TEST_UID1, &ret);
2583 EXPECT_TRUE(ret);
2584
2585 status = mNetd->networkSetProtectDeny(TEST_UID1);
2586 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2587
2588 // Clear uid permission before calling networkCanProtect to ensure
2589 // the call won't be affected by uid permission.
2590 EXPECT_TRUE(mNetd->networkClearPermissionForUser({TEST_UID1}).isOk());
2591
2592 status = mNetd->networkCanProtect(TEST_UID1, &ret);
2593 EXPECT_FALSE(ret);
2594 }
2595
2596 namespace {
2597
readIntFromPath(const std::string & path)2598 int readIntFromPath(const std::string& path) {
2599 std::string result = "";
2600 EXPECT_TRUE(ReadFileToString(path, &result));
2601 return std::stoi(result);
2602 }
2603
getTetherAcceptIPv6Ra(const std::string & ifName)2604 int getTetherAcceptIPv6Ra(const std::string& ifName) {
2605 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/accept_ra", ifName.c_str());
2606 return readIntFromPath(path);
2607 }
2608
getTetherAcceptIPv6Dad(const std::string & ifName)2609 bool getTetherAcceptIPv6Dad(const std::string& ifName) {
2610 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/accept_dad", ifName.c_str());
2611 return readIntFromPath(path);
2612 }
2613
getTetherIPv6DadTransmits(const std::string & ifName)2614 int getTetherIPv6DadTransmits(const std::string& ifName) {
2615 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/dad_transmits", ifName.c_str());
2616 return readIntFromPath(path);
2617 }
2618
getTetherEnableIPv6(const std::string & ifName)2619 bool getTetherEnableIPv6(const std::string& ifName) {
2620 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/disable_ipv6", ifName.c_str());
2621 int disableIPv6 = readIntFromPath(path);
2622 return !disableIPv6;
2623 }
2624
interfaceListContains(const std::vector<std::string> & ifList,const std::string & ifName)2625 bool interfaceListContains(const std::vector<std::string>& ifList, const std::string& ifName) {
2626 for (const auto& iface : ifList) {
2627 if (iface == ifName) {
2628 return true;
2629 }
2630 }
2631 return false;
2632 }
2633
expectTetherInterfaceConfigureForIPv6Router(const std::string & ifName)2634 void expectTetherInterfaceConfigureForIPv6Router(const std::string& ifName) {
2635 EXPECT_EQ(getTetherAcceptIPv6Ra(ifName), 0);
2636 EXPECT_FALSE(getTetherAcceptIPv6Dad(ifName));
2637 EXPECT_EQ(getTetherIPv6DadTransmits(ifName), 0);
2638 EXPECT_TRUE(getTetherEnableIPv6(ifName));
2639 }
2640
expectTetherInterfaceConfigureForIPv6Client(const std::string & ifName)2641 void expectTetherInterfaceConfigureForIPv6Client(const std::string& ifName) {
2642 EXPECT_EQ(getTetherAcceptIPv6Ra(ifName), 2);
2643 EXPECT_TRUE(getTetherAcceptIPv6Dad(ifName));
2644 EXPECT_EQ(getTetherIPv6DadTransmits(ifName), 1);
2645 EXPECT_FALSE(getTetherEnableIPv6(ifName));
2646 }
2647
expectTetherInterfaceExists(const std::vector<std::string> & ifList,const std::string & ifName)2648 void expectTetherInterfaceExists(const std::vector<std::string>& ifList,
2649 const std::string& ifName) {
2650 EXPECT_TRUE(interfaceListContains(ifList, ifName));
2651 }
2652
expectTetherInterfaceNotExists(const std::vector<std::string> & ifList,const std::string & ifName)2653 void expectTetherInterfaceNotExists(const std::vector<std::string>& ifList,
2654 const std::string& ifName) {
2655 EXPECT_FALSE(interfaceListContains(ifList, ifName));
2656 }
2657
expectTetherDnsListEquals(const std::vector<std::string> & dnsList,const std::vector<std::string> & testDnsAddrs)2658 void expectTetherDnsListEquals(const std::vector<std::string>& dnsList,
2659 const std::vector<std::string>& testDnsAddrs) {
2660 EXPECT_TRUE(dnsList == testDnsAddrs);
2661 }
2662
2663 } // namespace
2664
TEST_F(NetdBinderTest,TetherStartStopStatus)2665 TEST_F(NetdBinderTest, TetherStartStopStatus) {
2666 std::vector<std::string> noDhcpRange = {};
2667 for (bool usingLegacyDnsProxy : {true, false}) {
2668 android::net::TetherConfigParcel config;
2669 config.usingLegacyDnsProxy = usingLegacyDnsProxy;
2670 config.dhcpRanges = noDhcpRange;
2671 binder::Status status = mNetd->tetherStartWithConfiguration(config);
2672 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2673 SCOPED_TRACE(StringPrintf("usingLegacyDnsProxy: %d", usingLegacyDnsProxy));
2674 if (usingLegacyDnsProxy == true) {
2675 expectProcessExists(DNSMASQ);
2676 } else {
2677 expectProcessDoesNotExist(DNSMASQ);
2678 }
2679
2680 bool tetherEnabled;
2681 status = mNetd->tetherIsEnabled(&tetherEnabled);
2682 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2683 EXPECT_TRUE(tetherEnabled);
2684
2685 status = mNetd->tetherStop();
2686 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2687 expectProcessDoesNotExist(DNSMASQ);
2688
2689 status = mNetd->tetherIsEnabled(&tetherEnabled);
2690 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2691 EXPECT_FALSE(tetherEnabled);
2692 }
2693 }
2694
TEST_F(NetdBinderTest,TetherInterfaceAddRemoveList)2695 TEST_F(NetdBinderTest, TetherInterfaceAddRemoveList) {
2696 // TODO: verify if dnsmasq update interface successfully
2697
2698 binder::Status status = mNetd->tetherInterfaceAdd(sTun.name());
2699 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2700 expectTetherInterfaceConfigureForIPv6Router(sTun.name());
2701
2702 std::vector<std::string> ifList;
2703 status = mNetd->tetherInterfaceList(&ifList);
2704 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2705 expectTetherInterfaceExists(ifList, sTun.name());
2706
2707 status = mNetd->tetherInterfaceRemove(sTun.name());
2708 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2709 expectTetherInterfaceConfigureForIPv6Client(sTun.name());
2710
2711 status = mNetd->tetherInterfaceList(&ifList);
2712 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2713 expectTetherInterfaceNotExists(ifList, sTun.name());
2714
2715 // Disable IPv6 tethering will disable IPv6 abilities by changing IPv6 settings(accept_ra,
2716 // dad_transmits, accept_dad, disable_ipv6). See tetherInterfaceRemove in details.
2717 // Re-init sTun to reset the interface to prevent affecting other test that requires IPv6 with
2718 // the same interface.
2719 sTun.destroy();
2720 sTun.init();
2721 }
2722
TEST_F(NetdBinderTest,TetherDnsSetList)2723 TEST_F(NetdBinderTest, TetherDnsSetList) {
2724 // TODO: verify if dnsmasq update dns successfully
2725 std::vector<std::string> testDnsAddrs = {"192.168.1.37", "213.137.100.3",
2726 "fe80::1%" + sTun.name()};
2727
2728 binder::Status status = mNetd->tetherDnsSet(TEST_NETID1, testDnsAddrs);
2729 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2730
2731 std::vector<std::string> dnsList;
2732 status = mNetd->tetherDnsList(&dnsList);
2733 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2734 expectTetherDnsListEquals(dnsList, testDnsAddrs);
2735 }
2736
2737 namespace {
2738
findDnsSockets(SockDiag * sd,unsigned numExpected)2739 std::vector<IPAddress> findDnsSockets(SockDiag* sd, unsigned numExpected) {
2740 std::vector<IPAddress> listenAddrs;
2741
2742 // Callback lambda that finds all IPv4 sockets with source port 53.
2743 auto findDnsSockets = [&](uint8_t /* proto */, const inet_diag_msg* msg) {
2744 // Always return false, which means do not destroy this socket.
2745 if (msg->id.idiag_sport != htons(53)) return false;
2746 IPAddress addr(*(in_addr*)msg->id.idiag_src);
2747 listenAddrs.push_back(addr);
2748 return false;
2749 };
2750
2751 // There is no way to know if dnsmasq has finished processing the update_interfaces command and
2752 // opened listening sockets. So, just spin a few times and return the first list of sockets
2753 // that is at least numExpected long.
2754 // Pick a relatively large timeout to avoid flaky tests, particularly when running on shared
2755 // devices.
2756 constexpr int kMaxAttempts = 50;
2757 constexpr int kSleepMs = 100;
2758 for (int i = 0; i < kMaxAttempts; i++) {
2759 listenAddrs.clear();
2760 EXPECT_EQ(0, sd->sendDumpRequest(IPPROTO_TCP, AF_INET, 1 << TCP_LISTEN))
2761 << "Failed to dump sockets, attempt " << i << " of " << kMaxAttempts;
2762 sd->readDiagMsg(IPPROTO_TCP, findDnsSockets);
2763 if (listenAddrs.size() >= numExpected) {
2764 break;
2765 }
2766 usleep(kSleepMs * 1000);
2767 }
2768
2769 return listenAddrs;
2770 }
2771
2772 } // namespace
2773
2774 // Checks that when starting dnsmasq on an interface that no longer exists, it doesn't attempt to
2775 // start on other interfaces instead.
TEST_F(NetdBinderTest,TetherDeletedInterface)2776 TEST_F(NetdBinderTest, TetherDeletedInterface) {
2777 // Do this first so we don't need to clean up anything else if it fails.
2778 SockDiag sd;
2779 ASSERT_TRUE(sd.open()) << "Failed to open SOCK_DIAG socket";
2780
2781 // Create our own TunInterfaces (so we can delete them without affecting other tests), and add
2782 // IP addresses to them. They must be IPv4 because tethering an interface disables and
2783 // re-enables IPv6 on the interface, which clears all addresses.
2784 TunInterface tun1, tun2;
2785 ASSERT_EQ(0, tun1.init());
2786 ASSERT_EQ(0, tun2.init());
2787
2788 // Clean up. It is safe to call TunInterface::destroy multiple times.
2789 auto guard = android::base::make_scope_guard([&] {
2790 tun1.destroy();
2791 tun2.destroy();
2792 mNetd->tetherStop();
2793 mNetd->tetherInterfaceRemove(tun1.name());
2794 mNetd->tetherInterfaceRemove(tun2.name());
2795 });
2796
2797 IPAddress addr1, addr2;
2798 ASSERT_TRUE(IPAddress::forString("192.0.2.1", &addr1));
2799 ASSERT_TRUE(IPAddress::forString("192.0.2.2", &addr2));
2800 EXPECT_EQ(0, tun1.addAddress(addr1.toString(), 32));
2801 EXPECT_EQ(0, tun2.addAddress(addr2.toString(), 32));
2802
2803 // Stop tethering.
2804 binder::Status status = mNetd->tetherStop();
2805 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2806
2807 // Start dnsmasq on an interface that doesn't exist.
2808 // First, tether our tun interface...
2809 status = mNetd->tetherInterfaceAdd(tun1.name());
2810 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2811 expectTetherInterfaceConfigureForIPv6Router(tun1.name());
2812
2813 // ... then delete it...
2814 tun1.destroy();
2815
2816 // ... then start dnsmasq.
2817 android::net::TetherConfigParcel config;
2818 config.usingLegacyDnsProxy = true;
2819 config.dhcpRanges = {};
2820 status = mNetd->tetherStartWithConfiguration(config);
2821 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2822
2823 // Wait for dnsmasq to start.
2824 expectProcessExists(DNSMASQ);
2825
2826 // Make sure that netd thinks the interface is tethered (even though it doesn't exist).
2827 std::vector<std::string> ifList;
2828 status = mNetd->tetherInterfaceList(&ifList);
2829 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2830 ASSERT_EQ(1U, ifList.size());
2831 EXPECT_EQ(tun1.name(), ifList[0]);
2832
2833 // Give dnsmasq some time to start up.
2834 usleep(200 * 1000);
2835
2836 // Check that dnsmasq is not listening on any IP addresses. It shouldn't, because it was only
2837 // told to run on tun1, and tun1 does not exist. Ensure it stays running and doesn't listen on
2838 // any IP addresses.
2839 std::vector<IPAddress> listenAddrs = findDnsSockets(&sd, 0);
2840 EXPECT_EQ(0U, listenAddrs.size()) << "Unexpectedly found IPv4 socket(s) listening on port 53";
2841
2842 // Now add an interface to dnsmasq and check that we can see the sockets. This confirms that
2843 // findDnsSockets is actually able to see sockets when they exist.
2844 status = mNetd->tetherInterfaceAdd(tun2.name());
2845 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2846
2847 in_addr loopback = {htonl(INADDR_LOOPBACK)};
2848 listenAddrs = findDnsSockets(&sd, 2);
2849 EXPECT_EQ(2U, listenAddrs.size()) << "Expected exactly 2 IPv4 sockets listening on port 53";
2850 EXPECT_EQ(1, std::count(listenAddrs.begin(), listenAddrs.end(), addr2));
2851 EXPECT_EQ(1, std::count(listenAddrs.begin(), listenAddrs.end(), IPAddress(loopback)));
2852
2853 // Clean up.
2854 status = mNetd->tetherStop();
2855 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2856
2857 expectProcessDoesNotExist(DNSMASQ);
2858
2859 status = mNetd->tetherInterfaceRemove(tun1.name());
2860 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2861
2862 status = mNetd->tetherInterfaceRemove(tun2.name());
2863 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2864 }
2865
2866 namespace {
2867
2868 constexpr char FIREWALL_INPUT[] = "fw_INPUT";
2869 constexpr char FIREWALL_OUTPUT[] = "fw_OUTPUT";
2870 constexpr char FIREWALL_FORWARD[] = "fw_FORWARD";
2871
expectFirewallAllowlistMode()2872 void expectFirewallAllowlistMode() {
2873 static const char dropRule[] = "DROP all";
2874 static const char rejectRule[] = "REJECT all";
2875 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2876 EXPECT_TRUE(iptablesRuleExists(binary, FIREWALL_INPUT, dropRule));
2877 EXPECT_TRUE(iptablesRuleExists(binary, FIREWALL_OUTPUT, rejectRule));
2878 EXPECT_TRUE(iptablesRuleExists(binary, FIREWALL_FORWARD, rejectRule));
2879 }
2880 }
2881
expectFirewallDenylistMode()2882 void expectFirewallDenylistMode() {
2883 EXPECT_EQ(2, iptablesRuleLineLength(IPTABLES_PATH, FIREWALL_INPUT));
2884 EXPECT_EQ(2, iptablesRuleLineLength(IPTABLES_PATH, FIREWALL_OUTPUT));
2885 EXPECT_EQ(2, iptablesRuleLineLength(IPTABLES_PATH, FIREWALL_FORWARD));
2886
2887 // for IPv6 there is an extra OUTPUT rule to DROP ::1 sourced packets to non-loopback devices
2888 EXPECT_EQ(2, iptablesRuleLineLength(IP6TABLES_PATH, FIREWALL_INPUT));
2889 EXPECT_EQ(3, iptablesRuleLineLength(IP6TABLES_PATH, FIREWALL_OUTPUT));
2890 EXPECT_EQ(2, iptablesRuleLineLength(IP6TABLES_PATH, FIREWALL_FORWARD));
2891 }
2892
iptablesFirewallInterfaceFirstRuleExists(const char * binary,const char * chainName,const std::string & expectedInterface,const std::string & expectedRule)2893 bool iptablesFirewallInterfaceFirstRuleExists(const char* binary, const char* chainName,
2894 const std::string& expectedInterface,
2895 const std::string& expectedRule) {
2896 std::vector<std::string> rules = listIptablesRuleByTable(binary, FILTER_TABLE, chainName);
2897 // Expected rule:
2898 // Chain fw_INPUT (1 references)
2899 // pkts bytes target prot opt in out source destination
2900 // 0 0 RETURN all -- expectedInterface * 0.0.0.0/0 0.0.0.0/0
2901 // 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
2902 int firstRuleIndex = 2;
2903 if (rules.size() < 4) return false;
2904 if (rules[firstRuleIndex].find(expectedInterface) != std::string::npos) {
2905 if (rules[firstRuleIndex].find(expectedRule) != std::string::npos) {
2906 return true;
2907 }
2908 }
2909 return false;
2910 }
2911
expectFirewallInterfaceRuleAllowExists(const std::string & ifname)2912 void expectFirewallInterfaceRuleAllowExists(const std::string& ifname) {
2913 static const char returnRule[] = "RETURN all";
2914 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2915 EXPECT_TRUE(iptablesFirewallInterfaceFirstRuleExists(binary, FIREWALL_INPUT, ifname,
2916 returnRule));
2917 EXPECT_TRUE(iptablesFirewallInterfaceFirstRuleExists(binary, FIREWALL_OUTPUT, ifname,
2918 returnRule));
2919 }
2920 }
2921
expectFireWallInterfaceRuleAllowDoesNotExist(const std::string & ifname)2922 void expectFireWallInterfaceRuleAllowDoesNotExist(const std::string& ifname) {
2923 static const char returnRule[] = "RETURN all";
2924 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2925 EXPECT_FALSE(iptablesInterfaceRuleExists(binary, FIREWALL_INPUT, ifname, returnRule,
2926 FILTER_TABLE));
2927 EXPECT_FALSE(iptablesInterfaceRuleExists(binary, FIREWALL_OUTPUT, ifname, returnRule,
2928 FILTER_TABLE));
2929 }
2930 }
2931
2932 } // namespace
2933
TEST_F(NetdBinderTest,FirewallSetFirewallType)2934 TEST_F(NetdBinderTest, FirewallSetFirewallType) {
2935 binder::Status status = mNetd->firewallSetFirewallType(INetd::FIREWALL_ALLOWLIST);
2936 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2937 expectFirewallAllowlistMode();
2938
2939 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2940 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2941 expectFirewallDenylistMode();
2942
2943 // set firewall type blacklist twice
2944 mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2945 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2946 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2947 expectFirewallDenylistMode();
2948
2949 // set firewall type whitelist twice
2950 mNetd->firewallSetFirewallType(INetd::FIREWALL_ALLOWLIST);
2951 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_ALLOWLIST);
2952 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2953 expectFirewallAllowlistMode();
2954
2955 // reset firewall type to default
2956 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2957 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2958 expectFirewallDenylistMode();
2959 }
2960
TEST_F(NetdBinderTest,FirewallSetInterfaceRule)2961 TEST_F(NetdBinderTest, FirewallSetInterfaceRule) {
2962 // setinterfaceRule is not supported in BLACKLIST MODE
2963 binder::Status status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2964 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2965
2966 status = mNetd->firewallSetInterfaceRule(sTun.name(), INetd::FIREWALL_RULE_ALLOW);
2967 EXPECT_FALSE(status.isOk()) << status.exceptionMessage();
2968
2969 // set WHITELIST mode first
2970 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_ALLOWLIST);
2971 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2972
2973 status = mNetd->firewallSetInterfaceRule(sTun.name(), INetd::FIREWALL_RULE_ALLOW);
2974 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2975 expectFirewallInterfaceRuleAllowExists(sTun.name());
2976
2977 status = mNetd->firewallSetInterfaceRule(sTun.name(), INetd::FIREWALL_RULE_DENY);
2978 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2979 expectFireWallInterfaceRuleAllowDoesNotExist(sTun.name());
2980
2981 // reset firewall mode to default
2982 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2983 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2984 expectFirewallDenylistMode();
2985 }
2986
2987 namespace {
2988
hwAddrToStr(unsigned char * hwaddr)2989 std::string hwAddrToStr(unsigned char* hwaddr) {
2990 return StringPrintf("%02x:%02x:%02x:%02x:%02x:%02x", hwaddr[0], hwaddr[1], hwaddr[2], hwaddr[3],
2991 hwaddr[4], hwaddr[5]);
2992 }
2993
ipv4NetmaskToPrefixLength(in_addr_t mask)2994 int ipv4NetmaskToPrefixLength(in_addr_t mask) {
2995 int prefixLength = 0;
2996 uint32_t m = ntohl(mask);
2997 while (m & (1 << 31)) {
2998 prefixLength++;
2999 m = m << 1;
3000 }
3001 return prefixLength;
3002 }
3003
toStdString(const String16 & s)3004 std::string toStdString(const String16& s) {
3005 return std::string(String8(s.c_str()));
3006 }
3007
ioctlByIfName(const std::string & ifName,unsigned long flag)3008 android::netdutils::StatusOr<ifreq> ioctlByIfName(const std::string& ifName, unsigned long flag) {
3009 const auto& sys = sSyscalls.get();
3010 auto fd = sys.socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
3011 EXPECT_TRUE(isOk(fd.status()));
3012
3013 struct ifreq ifr = {};
3014 strlcpy(ifr.ifr_name, ifName.c_str(), IFNAMSIZ);
3015
3016 return sys.ioctl(fd.value(), flag, &ifr);
3017 }
3018
getInterfaceHwAddr(const std::string & ifName)3019 std::string getInterfaceHwAddr(const std::string& ifName) {
3020 auto res = ioctlByIfName(ifName, SIOCGIFHWADDR);
3021
3022 unsigned char hwaddr[ETH_ALEN] = {};
3023 if (isOk(res.status())) {
3024 memcpy((void*) hwaddr, &res.value().ifr_hwaddr.sa_data, ETH_ALEN);
3025 }
3026
3027 return hwAddrToStr(hwaddr);
3028 }
3029
getInterfaceIPv4Prefix(const std::string & ifName)3030 int getInterfaceIPv4Prefix(const std::string& ifName) {
3031 auto res = ioctlByIfName(ifName, SIOCGIFNETMASK);
3032
3033 int prefixLength = 0;
3034 if (isOk(res.status())) {
3035 prefixLength = ipv4NetmaskToPrefixLength(
3036 ((struct sockaddr_in*) &res.value().ifr_addr)->sin_addr.s_addr);
3037 }
3038
3039 return prefixLength;
3040 }
3041
getInterfaceIPv4Addr(const std::string & ifName)3042 std::string getInterfaceIPv4Addr(const std::string& ifName) {
3043 auto res = ioctlByIfName(ifName, SIOCGIFADDR);
3044
3045 struct in_addr addr = {};
3046 if (isOk(res.status())) {
3047 addr.s_addr = ((struct sockaddr_in*) &res.value().ifr_addr)->sin_addr.s_addr;
3048 }
3049
3050 return std::string(inet_ntoa(addr));
3051 }
3052
getInterfaceFlags(const std::string & ifName)3053 std::vector<std::string> getInterfaceFlags(const std::string& ifName) {
3054 auto res = ioctlByIfName(ifName, SIOCGIFFLAGS);
3055
3056 unsigned flags = 0;
3057 if (isOk(res.status())) {
3058 flags = res.value().ifr_flags;
3059 }
3060
3061 std::vector<std::string> ifFlags;
3062 ifFlags.push_back(flags & IFF_UP ? toStdString(INetd::IF_STATE_UP())
3063 : toStdString(INetd::IF_STATE_DOWN()));
3064
3065 if (flags & IFF_BROADCAST) ifFlags.push_back(toStdString(INetd::IF_FLAG_BROADCAST()));
3066 if (flags & IFF_LOOPBACK) ifFlags.push_back(toStdString(INetd::IF_FLAG_LOOPBACK()));
3067 if (flags & IFF_POINTOPOINT) ifFlags.push_back(toStdString(INetd::IF_FLAG_POINTOPOINT()));
3068 if (flags & IFF_RUNNING) ifFlags.push_back(toStdString(INetd::IF_FLAG_RUNNING()));
3069 if (flags & IFF_MULTICAST) ifFlags.push_back(toStdString(INetd::IF_FLAG_MULTICAST()));
3070
3071 return ifFlags;
3072 }
3073
compareListInterface(const std::vector<std::string> & interfaceList)3074 bool compareListInterface(const std::vector<std::string>& interfaceList) {
3075 const auto& res = getIfaceNames();
3076 EXPECT_TRUE(isOk(res));
3077
3078 std::vector<std::string> resIfList;
3079 resIfList.reserve(res.value().size());
3080 resIfList.insert(end(resIfList), begin(res.value()), end(res.value()));
3081
3082 return resIfList == interfaceList;
3083 }
3084
getInterfaceIPv6PrivacyExtensions(const std::string & ifName)3085 int getInterfaceIPv6PrivacyExtensions(const std::string& ifName) {
3086 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/use_tempaddr", ifName.c_str());
3087 return readIntFromPath(path);
3088 }
3089
getInterfaceEnableIPv6(const std::string & ifName)3090 bool getInterfaceEnableIPv6(const std::string& ifName) {
3091 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/disable_ipv6", ifName.c_str());
3092
3093 int disableIPv6 = readIntFromPath(path);
3094 return !disableIPv6;
3095 }
3096
getInterfaceMtu(const std::string & ifName)3097 int getInterfaceMtu(const std::string& ifName) {
3098 std::string path = StringPrintf("/sys/class/net/%s/mtu", ifName.c_str());
3099 return readIntFromPath(path);
3100 }
3101
expectInterfaceList(const std::vector<std::string> & interfaceList)3102 void expectInterfaceList(const std::vector<std::string>& interfaceList) {
3103 EXPECT_TRUE(compareListInterface(interfaceList));
3104 }
3105
expectCurrentInterfaceConfigurationEquals(const std::string & ifName,const InterfaceConfigurationParcel & interfaceCfg)3106 void expectCurrentInterfaceConfigurationEquals(const std::string& ifName,
3107 const InterfaceConfigurationParcel& interfaceCfg) {
3108 EXPECT_EQ(getInterfaceIPv4Addr(ifName), interfaceCfg.ipv4Addr);
3109 EXPECT_EQ(getInterfaceIPv4Prefix(ifName), interfaceCfg.prefixLength);
3110 EXPECT_EQ(getInterfaceHwAddr(ifName), interfaceCfg.hwAddr);
3111 EXPECT_EQ(getInterfaceFlags(ifName), interfaceCfg.flags);
3112 }
3113
expectCurrentInterfaceConfigurationAlmostEqual(const InterfaceConfigurationParcel & setCfg)3114 void expectCurrentInterfaceConfigurationAlmostEqual(const InterfaceConfigurationParcel& setCfg) {
3115 EXPECT_EQ(getInterfaceIPv4Addr(setCfg.ifName), setCfg.ipv4Addr);
3116 EXPECT_EQ(getInterfaceIPv4Prefix(setCfg.ifName), setCfg.prefixLength);
3117
3118 const auto& ifFlags = getInterfaceFlags(setCfg.ifName);
3119 for (const auto& flag : setCfg.flags) {
3120 EXPECT_TRUE(std::find(ifFlags.begin(), ifFlags.end(), flag) != ifFlags.end());
3121 }
3122 }
3123
expectInterfaceIPv6PrivacyExtensions(const std::string & ifName,bool enable)3124 void expectInterfaceIPv6PrivacyExtensions(const std::string& ifName, bool enable) {
3125 int v6PrivacyExtensions = getInterfaceIPv6PrivacyExtensions(ifName);
3126 EXPECT_EQ(v6PrivacyExtensions, enable ? 2 : 0);
3127 }
3128
expectInterfaceNoAddr(const std::string & ifName)3129 void expectInterfaceNoAddr(const std::string& ifName) {
3130 // noAddr
3131 EXPECT_EQ(getInterfaceIPv4Addr(ifName), "0.0.0.0");
3132 // noPrefix
3133 EXPECT_EQ(getInterfaceIPv4Prefix(ifName), 0);
3134 }
3135
expectInterfaceEnableIPv6(const std::string & ifName,bool enable)3136 void expectInterfaceEnableIPv6(const std::string& ifName, bool enable) {
3137 int enableIPv6 = getInterfaceEnableIPv6(ifName);
3138 EXPECT_EQ(enableIPv6, enable);
3139 }
3140
expectInterfaceMtu(const std::string & ifName,const int mtu)3141 void expectInterfaceMtu(const std::string& ifName, const int mtu) {
3142 int mtuSize = getInterfaceMtu(ifName);
3143 EXPECT_EQ(mtu, mtuSize);
3144 }
3145
makeInterfaceCfgParcel(const std::string & ifName,const std::string & addr,int prefixLength,const std::vector<std::string> & flags)3146 InterfaceConfigurationParcel makeInterfaceCfgParcel(const std::string& ifName,
3147 const std::string& addr, int prefixLength,
3148 const std::vector<std::string>& flags) {
3149 InterfaceConfigurationParcel cfg;
3150 cfg.ifName = ifName;
3151 cfg.hwAddr = "";
3152 cfg.ipv4Addr = addr;
3153 cfg.prefixLength = prefixLength;
3154 cfg.flags = flags;
3155 return cfg;
3156 }
3157
expectTunFlags(const InterfaceConfigurationParcel & interfaceCfg)3158 void expectTunFlags(const InterfaceConfigurationParcel& interfaceCfg) {
3159 std::vector<std::string> expectedFlags = {"up", "point-to-point", "running", "multicast"};
3160 std::vector<std::string> unexpectedFlags = {"down", "broadcast"};
3161
3162 for (const auto& flag : expectedFlags) {
3163 EXPECT_TRUE(std::find(interfaceCfg.flags.begin(), interfaceCfg.flags.end(), flag) !=
3164 interfaceCfg.flags.end());
3165 }
3166
3167 for (const auto& flag : unexpectedFlags) {
3168 EXPECT_TRUE(std::find(interfaceCfg.flags.begin(), interfaceCfg.flags.end(), flag) ==
3169 interfaceCfg.flags.end());
3170 }
3171 }
3172
3173 } // namespace
3174
TEST_F(NetdBinderTest,InterfaceList)3175 TEST_F(NetdBinderTest, InterfaceList) {
3176 std::vector<std::string> interfaceListResult;
3177
3178 binder::Status status = mNetd->interfaceGetList(&interfaceListResult);
3179 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3180 expectInterfaceList(interfaceListResult);
3181 }
3182
TEST_F(NetdBinderTest,InterfaceGetCfg)3183 TEST_F(NetdBinderTest, InterfaceGetCfg) {
3184 InterfaceConfigurationParcel interfaceCfgResult;
3185
3186 // Add test physical network
3187 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3188 INetd::PERMISSION_NONE, false, false);
3189 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3190 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3191
3192 binder::Status status = mNetd->interfaceGetCfg(sTun.name(), &interfaceCfgResult);
3193 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3194 expectCurrentInterfaceConfigurationEquals(sTun.name(), interfaceCfgResult);
3195 expectTunFlags(interfaceCfgResult);
3196
3197 // Remove test physical network
3198 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3199 }
3200
TEST_F(NetdBinderTest,InterfaceSetCfg)3201 TEST_F(NetdBinderTest, InterfaceSetCfg) {
3202 const std::string testAddr = "192.0.2.3";
3203 const int testPrefixLength = 24;
3204 std::vector<std::string> upFlags = {"up"};
3205 std::vector<std::string> downFlags = {"down"};
3206
3207 // Add test physical network
3208 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3209 INetd::PERMISSION_NONE, false, false);
3210 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3211 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3212
3213 // Set tun interface down.
3214 auto interfaceCfg = makeInterfaceCfgParcel(sTun.name(), testAddr, testPrefixLength, downFlags);
3215 binder::Status status = mNetd->interfaceSetCfg(interfaceCfg);
3216 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3217 expectCurrentInterfaceConfigurationAlmostEqual(interfaceCfg);
3218
3219 // Set tun interface up again.
3220 interfaceCfg = makeInterfaceCfgParcel(sTun.name(), testAddr, testPrefixLength, upFlags);
3221 status = mNetd->interfaceSetCfg(interfaceCfg);
3222 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3223 status = mNetd->interfaceClearAddrs(sTun.name());
3224 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3225
3226 // Remove test physical network
3227 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3228 }
3229
TEST_F(NetdBinderTest,InterfaceSetIPv6PrivacyExtensions)3230 TEST_F(NetdBinderTest, InterfaceSetIPv6PrivacyExtensions) {
3231 // enable
3232 binder::Status status = mNetd->interfaceSetIPv6PrivacyExtensions(sTun.name(), true);
3233 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3234 expectInterfaceIPv6PrivacyExtensions(sTun.name(), true);
3235
3236 // disable
3237 status = mNetd->interfaceSetIPv6PrivacyExtensions(sTun.name(), false);
3238 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3239 expectInterfaceIPv6PrivacyExtensions(sTun.name(), false);
3240 }
3241
TEST_F(NetdBinderTest,InterfaceClearAddr)3242 TEST_F(NetdBinderTest, InterfaceClearAddr) {
3243 const std::string testAddr = "192.0.2.3";
3244 const int testPrefixLength = 24;
3245 std::vector<std::string> noFlags{};
3246
3247 // Add test physical network
3248 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3249 INetd::PERMISSION_NONE, false, false);
3250 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3251 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3252
3253 auto interfaceCfg = makeInterfaceCfgParcel(sTun.name(), testAddr, testPrefixLength, noFlags);
3254 binder::Status status = mNetd->interfaceSetCfg(interfaceCfg);
3255 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3256 expectCurrentInterfaceConfigurationAlmostEqual(interfaceCfg);
3257
3258 status = mNetd->interfaceClearAddrs(sTun.name());
3259 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3260 expectInterfaceNoAddr(sTun.name());
3261
3262 // Remove test physical network
3263 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3264 }
3265
TEST_F(NetdBinderTest,InterfaceSetEnableIPv6)3266 TEST_F(NetdBinderTest, InterfaceSetEnableIPv6) {
3267 // Add test physical network
3268 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3269 INetd::PERMISSION_NONE, false, false);
3270 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3271 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3272
3273 // disable
3274 binder::Status status = mNetd->interfaceSetEnableIPv6(sTun.name(), false);
3275 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3276 expectInterfaceEnableIPv6(sTun.name(), false);
3277
3278 // enable
3279 status = mNetd->interfaceSetEnableIPv6(sTun.name(), true);
3280 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3281 expectInterfaceEnableIPv6(sTun.name(), true);
3282
3283 // Remove test physical network
3284 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3285 }
3286
TEST_F(NetdBinderTest,InterfaceSetMtu)3287 TEST_F(NetdBinderTest, InterfaceSetMtu) {
3288 const int currentMtu = getInterfaceMtu(sTun.name());
3289 const int testMtu = 1200;
3290
3291 // Add test physical network
3292 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3293 INetd::PERMISSION_NONE, false, false);
3294 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3295 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3296
3297 binder::Status status = mNetd->interfaceSetMtu(sTun.name(), testMtu);
3298 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3299 expectInterfaceMtu(sTun.name(), testMtu);
3300
3301 // restore the MTU back
3302 status = mNetd->interfaceSetMtu(sTun.name(), currentMtu);
3303 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3304
3305 // Remove test physical network
3306 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3307 }
3308
3309 namespace {
3310
3311 constexpr const char TETHER_FORWARD[] = "tetherctrl_FORWARD";
3312 constexpr const char TETHER_NAT_POSTROUTING[] = "tetherctrl_nat_POSTROUTING";
3313 constexpr const char TETHER_RAW_PREROUTING[] = "tetherctrl_raw_PREROUTING";
3314 constexpr const char TETHER_COUNTERS_CHAIN[] = "tetherctrl_counters";
3315
iptablesCountRules(const char * binary,const char * table,const char * chainName)3316 int iptablesCountRules(const char* binary, const char* table, const char* chainName) {
3317 return listIptablesRuleByTable(binary, table, chainName).size();
3318 }
3319
iptablesChainMatch(const char * binary,const char * table,const char * chainName,const std::vector<std::string> & targetVec)3320 bool iptablesChainMatch(const char* binary, const char* table, const char* chainName,
3321 const std::vector<std::string>& targetVec) {
3322 std::vector<std::string> rules = listIptablesRuleByTable(binary, table, chainName);
3323 if (targetVec.size() != rules.size() - 2) {
3324 return false;
3325 }
3326
3327 /*
3328 * Check that the rules match. Note that this function matches substrings, not entire rules,
3329 * because otherwise rules where "pkts" or "bytes" are nonzero would not match.
3330 * Skip first two lines since rules start from third line.
3331 * Chain chainName (x references)
3332 * pkts bytes target prot opt in out source destination
3333 * ...
3334 */
3335 int rIndex = 2;
3336 for (const auto& target : targetVec) {
3337 if (rules[rIndex].find(target) == std::string::npos) {
3338 return false;
3339 }
3340 rIndex++;
3341 }
3342 return true;
3343 }
3344
expectNatEnable(const std::string & intIf,const std::string & extIf)3345 void expectNatEnable(const std::string& intIf, const std::string& extIf) {
3346 std::vector<std::string> postroutingV4Match = {"MASQUERADE"};
3347 std::vector<std::string> preroutingV4Match = {"CT helper ftp", "CT helper pptp"};
3348 std::vector<std::string> forwardV4Match = {
3349 "bw_global_alert", "state RELATED", "state INVALID",
3350 StringPrintf("tetherctrl_counters all -- %s %s", intIf.c_str(), extIf.c_str()),
3351 "DROP"};
3352
3353 // V4
3354 EXPECT_TRUE(iptablesChainMatch(IPTABLES_PATH, NAT_TABLE, TETHER_NAT_POSTROUTING,
3355 postroutingV4Match));
3356 EXPECT_TRUE(
3357 iptablesChainMatch(IPTABLES_PATH, RAW_TABLE, TETHER_RAW_PREROUTING, preroutingV4Match));
3358 EXPECT_TRUE(iptablesChainMatch(IPTABLES_PATH, FILTER_TABLE, TETHER_FORWARD, forwardV4Match));
3359
3360 std::vector<std::string> forwardV6Match = {"bw_global_alert", "tetherctrl_counters"};
3361 std::vector<std::string> preroutingV6Match = {"rpfilter invert"};
3362
3363 // V6
3364 EXPECT_TRUE(iptablesChainMatch(IP6TABLES_PATH, FILTER_TABLE, TETHER_FORWARD, forwardV6Match));
3365 EXPECT_TRUE(iptablesChainMatch(IP6TABLES_PATH, RAW_TABLE, TETHER_RAW_PREROUTING,
3366 preroutingV6Match));
3367
3368 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
3369 EXPECT_TRUE(iptablesTargetsExists(binary, 2, FILTER_TABLE, TETHER_COUNTERS_CHAIN, intIf,
3370 extIf));
3371 }
3372 }
3373
expectNatDisable()3374 void expectNatDisable() {
3375 // It is the default DROP rule with tethering disable.
3376 // Chain tetherctrl_FORWARD (1 references)
3377 // pkts bytes target prot opt in out source destination
3378 // 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
3379 std::vector<std::string> forwardV4Match = {"DROP"};
3380 EXPECT_TRUE(iptablesChainMatch(IPTABLES_PATH, FILTER_TABLE, TETHER_FORWARD, forwardV4Match));
3381
3382 // We expect that these chains should be empty.
3383 EXPECT_EQ(2, iptablesCountRules(IPTABLES_PATH, NAT_TABLE, TETHER_NAT_POSTROUTING));
3384 EXPECT_EQ(2, iptablesCountRules(IPTABLES_PATH, RAW_TABLE, TETHER_RAW_PREROUTING));
3385
3386 EXPECT_EQ(2, iptablesCountRules(IP6TABLES_PATH, FILTER_TABLE, TETHER_FORWARD));
3387 EXPECT_EQ(2, iptablesCountRules(IP6TABLES_PATH, RAW_TABLE, TETHER_RAW_PREROUTING));
3388
3389 // Netd won't clear tether quota rule, we don't care rule in tetherctrl_counters.
3390 }
3391
3392 } // namespace
3393
TEST_F(NetdBinderTest,TetherForwardAddRemove)3394 TEST_F(NetdBinderTest, TetherForwardAddRemove) {
3395 binder::Status status = mNetd->tetherAddForward(sTun.name(), sTun2.name());
3396 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3397 expectNatEnable(sTun.name(), sTun2.name());
3398
3399 status = mNetd->tetherRemoveForward(sTun.name(), sTun2.name());
3400 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3401 expectNatDisable();
3402 }
3403
3404 namespace {
3405
3406 using TripleInt = std::array<int, 3>;
3407
readProcFileToTripleInt(const std::string & path)3408 TripleInt readProcFileToTripleInt(const std::string& path) {
3409 std::string valueString;
3410 int min, def, max;
3411 EXPECT_TRUE(ReadFileToString(path, &valueString));
3412 EXPECT_EQ(3, sscanf(valueString.c_str(), "%d %d %d", &min, &def, &max));
3413 return {min, def, max};
3414 }
3415
updateAndCheckTcpBuffer(sp<INetd> & netd,TripleInt & rmemValues,TripleInt & wmemValues)3416 void updateAndCheckTcpBuffer(sp<INetd>& netd, TripleInt& rmemValues, TripleInt& wmemValues) {
3417 std::string testRmemValues =
3418 StringPrintf("%u %u %u", rmemValues[0], rmemValues[1], rmemValues[2]);
3419 std::string testWmemValues =
3420 StringPrintf("%u %u %u", wmemValues[0], wmemValues[1], wmemValues[2]);
3421 EXPECT_TRUE(netd->setTcpRWmemorySize(testRmemValues, testWmemValues).isOk());
3422
3423 TripleInt newRmemValues = readProcFileToTripleInt(TCP_RMEM_PROC_FILE);
3424 TripleInt newWmemValues = readProcFileToTripleInt(TCP_WMEM_PROC_FILE);
3425
3426 for (int i = 0; i < 3; i++) {
3427 SCOPED_TRACE(StringPrintf("tcp_mem value %d should be equal", i));
3428 EXPECT_EQ(rmemValues[i], newRmemValues[i]);
3429 EXPECT_EQ(wmemValues[i], newWmemValues[i]);
3430 }
3431 }
3432
3433 } // namespace
3434
TEST_F(NetdBinderTest,TcpBufferSet)3435 TEST_F(NetdBinderTest, TcpBufferSet) {
3436 TripleInt rmemValue = readProcFileToTripleInt(TCP_RMEM_PROC_FILE);
3437 TripleInt testRmemValue{rmemValue[0] + 42, rmemValue[1] + 42, rmemValue[2] + 42};
3438 TripleInt wmemValue = readProcFileToTripleInt(TCP_WMEM_PROC_FILE);
3439 TripleInt testWmemValue{wmemValue[0] + 42, wmemValue[1] + 42, wmemValue[2] + 42};
3440
3441 updateAndCheckTcpBuffer(mNetd, testRmemValue, testWmemValue);
3442 updateAndCheckTcpBuffer(mNetd, rmemValue, wmemValue);
3443 }
3444
TEST_F(NetdBinderTest,UnsolEvents)3445 TEST_F(NetdBinderTest, UnsolEvents) {
3446 auto testUnsolService = android::net::TestUnsolService::start();
3447 std::string oldTunName = sTun.name();
3448 std::string newTunName = "unsolTest";
3449 testUnsolService->tarVec.push_back(oldTunName);
3450 testUnsolService->tarVec.push_back(newTunName);
3451 auto& cv = testUnsolService->getCv();
3452 auto& cvMutex = testUnsolService->getCvMutex();
3453 binder::Status status = mNetd->registerUnsolicitedEventListener(
3454 android::interface_cast<android::net::INetdUnsolicitedEventListener>(testUnsolService));
3455 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3456
3457 // TODO: Add test for below events
3458 // StrictCleartextDetected / InterfaceDnsServersAdded
3459 // InterfaceClassActivity / QuotaLimitReached / InterfaceAddressRemoved
3460
3461 {
3462 std::unique_lock lock(cvMutex);
3463
3464 // Re-init test Tun, and we expect that we will get some unsol events.
3465 // Use the test Tun device name to verify if we receive its unsol events.
3466 sTun.destroy();
3467 // Use predefined name
3468 sTun.init(newTunName);
3469
3470 EXPECT_EQ(std::cv_status::no_timeout, cv.wait_for(lock, std::chrono::seconds(2)));
3471 }
3472
3473 // bit mask 1101101000
3474 // Test only covers below events currently
3475 const uint32_t kExpectedEvents = InterfaceAddressUpdated | InterfaceAdded | InterfaceRemoved |
3476 InterfaceLinkStatusChanged | RouteChanged;
3477 EXPECT_EQ(kExpectedEvents, testUnsolService->getReceived());
3478
3479 // Re-init sTun to clear predefined name
3480 sTun.destroy();
3481 sTun.init();
3482 }
3483
TEST_F(NetdBinderTest,NDC)3484 TEST_F(NetdBinderTest, NDC) {
3485 struct Command {
3486 const std::string cmdString;
3487 const std::string expectedResult;
3488 };
3489
3490 // clang-format off
3491 // Do not change the commands order
3492 const Command networkCmds[] = {
3493 {StringPrintf("ndc network create %d", TEST_NETID1),
3494 "200 0 success"},
3495 {StringPrintf("ndc network interface add %d %s", TEST_NETID1, sTun.name().c_str()),
3496 "200 0 success"},
3497 {StringPrintf("ndc network interface remove %d %s", TEST_NETID1, sTun.name().c_str()),
3498 "200 0 success"},
3499 {StringPrintf("ndc network interface add %d %s", TEST_NETID2, sTun.name().c_str()),
3500 "400 0 addInterfaceToNetwork() failed (Machine is not on the network)"},
3501 {StringPrintf("ndc network destroy %d", TEST_NETID1),
3502 "200 0 success"},
3503 };
3504
3505 const std::vector<Command> ipfwdCmds = {
3506 {"ndc ipfwd enable " + sTun.name(),
3507 "200 0 ipfwd operation succeeded"},
3508 {"ndc ipfwd disable " + sTun.name(),
3509 "200 0 ipfwd operation succeeded"},
3510 {"ndc ipfwd add lo2 lo3",
3511 "400 0 ipfwd operation failed (No such process)"},
3512 {"ndc ipfwd add " + sTun.name() + " " + sTun2.name(),
3513 "200 0 ipfwd operation succeeded"},
3514 {"ndc ipfwd remove " + sTun.name() + " " + sTun2.name(),
3515 "200 0 ipfwd operation succeeded"},
3516 };
3517
3518 static const struct {
3519 const char* ipVersion;
3520 const char* testDest;
3521 const char* testNextHop;
3522 const bool expectSuccess;
3523 const std::string expectedResult;
3524 } kTestData[] = {
3525 {IP_RULE_V4, "0.0.0.0/0", "", true,
3526 "200 0 success"},
3527 {IP_RULE_V4, "10.251.0.0/16", "", true,
3528 "200 0 success"},
3529 {IP_RULE_V4, "10.251.0.0/16", "fe80::/64", false,
3530 "400 0 addRoute() failed (Invalid argument)",},
3531 {IP_RULE_V6, "::/0", "", true,
3532 "200 0 success"},
3533 {IP_RULE_V6, "2001:db8:cafe::/64", "", true,
3534 "200 0 success"},
3535 {IP_RULE_V6, "fe80::/64", "0.0.0.0", false,
3536 "400 0 addRoute() failed (Invalid argument)"},
3537 };
3538 // clang-format on
3539
3540 for (const auto& cmd : networkCmds) {
3541 const std::vector<std::string> result = runCommand(cmd.cmdString);
3542 SCOPED_TRACE(cmd.cmdString);
3543 EXPECT_EQ(result.size(), 1U);
3544 EXPECT_EQ(cmd.expectedResult, Trim(result[0]));
3545 }
3546
3547 for (const auto& cmd : ipfwdCmds) {
3548 const std::vector<std::string> result = runCommand(cmd.cmdString);
3549 SCOPED_TRACE(cmd.cmdString);
3550 EXPECT_EQ(result.size(), 1U);
3551 EXPECT_EQ(cmd.expectedResult, Trim(result[0]));
3552 }
3553
3554 // Add test physical network
3555 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3556 INetd::PERMISSION_NONE, false, false);
3557 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3558 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3559
3560 for (const auto& td : kTestData) {
3561 const std::string routeAddCmd =
3562 StringPrintf("ndc network route add %d %s %s %s", TEST_NETID1, sTun.name().c_str(),
3563 td.testDest, td.testNextHop);
3564 const std::string routeRemoveCmd =
3565 StringPrintf("ndc network route remove %d %s %s %s", TEST_NETID1,
3566 sTun.name().c_str(), td.testDest, td.testNextHop);
3567 std::vector<std::string> result = runCommand(routeAddCmd);
3568 SCOPED_TRACE(routeAddCmd);
3569 EXPECT_EQ(result.size(), 1U);
3570 EXPECT_EQ(td.expectedResult, Trim(result[0]));
3571 if (td.expectSuccess) {
3572 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
3573 sTun.name().c_str());
3574 result = runCommand(routeRemoveCmd);
3575 EXPECT_EQ(result.size(), 1U);
3576 EXPECT_EQ(td.expectedResult, Trim(result[0]));
3577 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
3578 sTun.name().c_str());
3579 }
3580 }
3581 // Remove test physical network
3582 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3583 }
3584
TEST_F(NetdBinderTest,OemNetdRelated)3585 TEST_F(NetdBinderTest, OemNetdRelated) {
3586 sp<IBinder> binder;
3587 binder::Status status = mNetd->getOemNetd(&binder);
3588 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3589 sp<com::android::internal::net::IOemNetd> oemNetd;
3590 if (binder != nullptr) {
3591 oemNetd = android::interface_cast<com::android::internal::net::IOemNetd>(binder);
3592 }
3593 ASSERT_NE(nullptr, oemNetd.get());
3594
3595 TimedOperation t("OemNetd isAlive RPC");
3596 bool isAlive = false;
3597 oemNetd->isAlive(&isAlive);
3598 ASSERT_TRUE(isAlive);
3599
3600 class TestOemUnsolListener
3601 : public com::android::internal::net::BnOemNetdUnsolicitedEventListener {
3602 public:
3603 android::binder::Status onRegistered() override {
3604 std::lock_guard lock(mCvMutex);
3605 mCv.notify_one();
3606 return android::binder::Status::ok();
3607 }
3608 std::condition_variable& getCv() { return mCv; }
3609 std::mutex& getCvMutex() { return mCvMutex; }
3610
3611 private:
3612 std::mutex mCvMutex;
3613 std::condition_variable mCv;
3614 };
3615
3616 // Start the Binder thread pool.
3617 android::ProcessState::self()->startThreadPool();
3618
3619 android::sp<TestOemUnsolListener> testListener = new TestOemUnsolListener();
3620
3621 auto& cv = testListener->getCv();
3622 auto& cvMutex = testListener->getCvMutex();
3623
3624 {
3625 std::unique_lock lock(cvMutex);
3626
3627 status = oemNetd->registerOemUnsolicitedEventListener(
3628 ::android::interface_cast<
3629 com::android::internal::net::IOemNetdUnsolicitedEventListener>(
3630 testListener));
3631 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3632
3633 // Wait for receiving expected events.
3634 EXPECT_EQ(std::cv_status::no_timeout, cv.wait_for(lock, std::chrono::seconds(2)));
3635 }
3636 }
3637
createVpnNetworkWithUid(bool secure,uid_t uid,int vpnNetId,int fallthroughNetId,int nonDefaultNetId)3638 void NetdBinderTest::createVpnNetworkWithUid(bool secure, uid_t uid, int vpnNetId,
3639 int fallthroughNetId, int nonDefaultNetId) {
3640 // Re-init sTun* to ensure route rule exists.
3641 sTun.destroy();
3642 sTun.init();
3643 sTun2.destroy();
3644 sTun2.init();
3645 sTun3.destroy();
3646 sTun3.init();
3647
3648 // Create physical network with fallthroughNetId but not set it as default network
3649 auto config = makeNativeNetworkConfig(fallthroughNetId, NativeNetworkType::PHYSICAL,
3650 INetd::PERMISSION_NONE, false, false);
3651 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3652 EXPECT_TRUE(mNetd->networkAddInterface(fallthroughNetId, sTun.name()).isOk());
3653 // Create another physical network in order to test VPN behaviour with multiple networks
3654 // connected, of which one may be the default.
3655 auto nonDefaultNetworkConfig = makeNativeNetworkConfig(
3656 nonDefaultNetId, NativeNetworkType::PHYSICAL, INetd::PERMISSION_NONE, false, false);
3657 EXPECT_TRUE(mNetd->networkCreate(nonDefaultNetworkConfig).isOk());
3658 EXPECT_TRUE(mNetd->networkAddInterface(nonDefaultNetId, sTun3.name()).isOk());
3659
3660 // Create VPN with vpnNetId
3661 config.netId = vpnNetId;
3662 config.networkType = NativeNetworkType::VIRTUAL;
3663 config.secure = secure;
3664 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3665
3666 // Add uid to VPN
3667 EXPECT_TRUE(mNetd->networkAddUidRanges(vpnNetId, {makeUidRangeParcel(uid, uid)}).isOk());
3668 EXPECT_TRUE(mNetd->networkAddInterface(vpnNetId, sTun2.name()).isOk());
3669
3670 // Add default route to fallthroughNetwork
3671 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
3672 // Add limited route
3673 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "2001:db8::/32", "").isOk());
3674
3675 // Also add default route to non-default network for per app default use.
3676 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID3, sTun3.name(), "::/0", "").isOk());
3677 }
3678
createAndSetDefaultNetwork(int netId,const std::string & interface,int permission)3679 void NetdBinderTest::createAndSetDefaultNetwork(int netId, const std::string& interface,
3680 int permission) {
3681 // backup current default network.
3682 ASSERT_TRUE(mNetd->networkGetDefault(&mStoredDefaultNetwork).isOk());
3683
3684 const auto& config =
3685 makeNativeNetworkConfig(netId, NativeNetworkType::PHYSICAL, permission, false, false);
3686 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3687 EXPECT_TRUE(mNetd->networkAddInterface(netId, interface).isOk());
3688 EXPECT_TRUE(mNetd->networkSetDefault(netId).isOk());
3689 }
3690
createPhysicalNetwork(int netId,const std::string & interface,int permission)3691 void NetdBinderTest::createPhysicalNetwork(int netId, const std::string& interface,
3692 int permission) {
3693 const auto& config =
3694 makeNativeNetworkConfig(netId, NativeNetworkType::PHYSICAL, permission, false, false);
3695 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3696 EXPECT_TRUE(mNetd->networkAddInterface(netId, interface).isOk());
3697 }
3698
3699 // 1. Create a physical network on sTun, and set it as the system default network.
3700 // 2. Create another physical network on sTun2.
createDefaultAndOtherPhysicalNetwork(int defaultNetId,int otherNetId)3701 void NetdBinderTest::createDefaultAndOtherPhysicalNetwork(int defaultNetId, int otherNetId) {
3702 createAndSetDefaultNetwork(defaultNetId, sTun.name());
3703 EXPECT_TRUE(mNetd->networkAddRoute(defaultNetId, sTun.name(), "::/0", "").isOk());
3704
3705 createPhysicalNetwork(otherNetId, sTun2.name());
3706 EXPECT_TRUE(mNetd->networkAddRoute(otherNetId, sTun2.name(), "::/0", "").isOk());
3707 }
3708
3709 // 1. Create a system default network and a physical network.
3710 // 2. Create a VPN on sTun3.
createVpnAndOtherPhysicalNetwork(int systemDefaultNetId,int otherNetId,int vpnNetId,bool secure)3711 void NetdBinderTest::createVpnAndOtherPhysicalNetwork(int systemDefaultNetId, int otherNetId,
3712 int vpnNetId, bool secure) {
3713 createDefaultAndOtherPhysicalNetwork(systemDefaultNetId, otherNetId);
3714
3715 auto config = makeNativeNetworkConfig(vpnNetId, NativeNetworkType::VIRTUAL,
3716 INetd::PERMISSION_NONE, secure, false);
3717 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3718 EXPECT_TRUE(mNetd->networkAddInterface(vpnNetId, sTun3.name()).isOk());
3719 EXPECT_TRUE(mNetd->networkAddRoute(vpnNetId, sTun3.name(), "2001:db8::/32", "").isOk());
3720 }
3721
3722 // 1. Create system default network, a physical network (for per-app default), and a VPN.
3723 // 2. Add per-app uid ranges and VPN ranges.
createVpnAndAppDefaultNetworkWithUid(int systemDefaultNetId,int appDefaultNetId,int vpnNetId,bool secure,std::vector<UidRangeParcel> && appDefaultUidRanges,std::vector<UidRangeParcel> && vpnUidRanges)3724 void NetdBinderTest::createVpnAndAppDefaultNetworkWithUid(
3725 int systemDefaultNetId, int appDefaultNetId, int vpnNetId, bool secure,
3726 std::vector<UidRangeParcel>&& appDefaultUidRanges,
3727 std::vector<UidRangeParcel>&& vpnUidRanges) {
3728 createVpnAndOtherPhysicalNetwork(systemDefaultNetId, appDefaultNetId, vpnNetId, secure);
3729 // add per-app uid ranges.
3730 EXPECT_TRUE(mNetd->networkAddUidRanges(appDefaultNetId, appDefaultUidRanges).isOk());
3731 // add VPN uid ranges.
3732 EXPECT_TRUE(mNetd->networkAddUidRanges(vpnNetId, vpnUidRanges).isOk());
3733 }
3734
3735 namespace {
3736
checkDataReceived(int udpSocket,int tunFd,sockaddr * dstAddr,int addrLen)3737 void checkDataReceived(int udpSocket, int tunFd, sockaddr* dstAddr, int addrLen) {
3738 char buf[4096] = {};
3739 // Clear tunFd's queue before write something because there might be some
3740 // arbitrary packets in the queue. (e.g. ICMPv6 packet)
3741 clearQueue(tunFd);
3742 EXPECT_EQ(4, sendto(udpSocket, "foo", sizeof("foo"), 0, dstAddr, addrLen));
3743 // TODO: extract header and verify data
3744 EXPECT_GT(read(tunFd, buf, sizeof(buf)), 0);
3745 }
3746
sendPacketFromUid(uid_t uid,IPSockAddr & dstAddr,Fwmark * fwmark,int tunFd,bool doConnect=true)3747 bool sendPacketFromUid(uid_t uid, IPSockAddr& dstAddr, Fwmark* fwmark, int tunFd,
3748 bool doConnect = true) {
3749 int family = dstAddr.family();
3750 ScopedUidChange scopedUidChange(uid);
3751 unique_fd testSocket(socket(family, SOCK_DGRAM | SOCK_CLOEXEC, 0));
3752
3753 if (testSocket < 0) return false;
3754 const sockaddr_storage dst = IPSockAddr(dstAddr.ip(), dstAddr.port());
3755 if (doConnect && connect(testSocket, (sockaddr*)&dst, sizeof(dst)) == -1) return false;
3756
3757 socklen_t fwmarkLen = sizeof(fwmark->intValue);
3758 EXPECT_NE(-1, getsockopt(testSocket, SOL_SOCKET, SO_MARK, &(fwmark->intValue), &fwmarkLen));
3759
3760 int addr_len = (family == AF_INET) ? INET_ADDRSTRLEN : INET6_ADDRSTRLEN;
3761 char addr[addr_len];
3762 inet_ntop(family, &dstAddr, addr, addr_len);
3763 SCOPED_TRACE(StringPrintf("sendPacket, addr: %s, uid: %u, doConnect: %s", addr, uid,
3764 doConnect ? "true" : "false"));
3765 if (doConnect) {
3766 checkDataReceived(testSocket, tunFd, nullptr, 0);
3767 } else {
3768 checkDataReceived(testSocket, tunFd, (sockaddr*)&dst, sizeof(dst));
3769 }
3770
3771 return true;
3772 }
3773
sendIPv4PacketFromUid(uid_t uid,const in_addr & dstAddr,Fwmark * fwmark,int tunFd,bool doConnect=true)3774 bool sendIPv4PacketFromUid(uid_t uid, const in_addr& dstAddr, Fwmark* fwmark, int tunFd,
3775 bool doConnect = true) {
3776 const sockaddr_in dst = {.sin_family = AF_INET, .sin_port = 42, .sin_addr = dstAddr};
3777 IPSockAddr addr = IPSockAddr(dst);
3778
3779 return sendPacketFromUid(uid, addr, fwmark, tunFd, doConnect);
3780 }
3781
sendIPv6PacketFromUid(uid_t uid,const in6_addr & dstAddr,Fwmark * fwmark,int tunFd,bool doConnect=true)3782 bool sendIPv6PacketFromUid(uid_t uid, const in6_addr& dstAddr, Fwmark* fwmark, int tunFd,
3783 bool doConnect = true) {
3784 const sockaddr_in6 dst6 = {
3785 .sin6_family = AF_INET6,
3786 .sin6_port = 42,
3787 .sin6_addr = dstAddr,
3788 };
3789 IPSockAddr addr = IPSockAddr(dst6);
3790
3791 return sendPacketFromUid(uid, addr, fwmark, tunFd, doConnect);
3792 }
3793
3794 // Send an IPv6 packet from the uid. Expect to fail and get specified errno.
sendIPv6PacketFromUidFail(uid_t uid,const in6_addr & dstAddr,Fwmark * fwmark,bool doConnect,int expectedErr)3795 bool sendIPv6PacketFromUidFail(uid_t uid, const in6_addr& dstAddr, Fwmark* fwmark, bool doConnect,
3796 int expectedErr) {
3797 ScopedUidChange scopedUidChange(uid);
3798 unique_fd s(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
3799 if (s < 0) return false;
3800
3801 const sockaddr_in6 dst6 = {
3802 .sin6_family = AF_INET6,
3803 .sin6_port = 42,
3804 .sin6_addr = dstAddr,
3805 };
3806 if (doConnect) {
3807 if (connect(s, (sockaddr*)&dst6, sizeof(dst6)) == 0) return false;
3808 if (errno != expectedErr) return false;
3809 }
3810
3811 socklen_t fwmarkLen = sizeof(fwmark->intValue);
3812 EXPECT_NE(-1, getsockopt(s, SOL_SOCKET, SO_MARK, &(fwmark->intValue), &fwmarkLen));
3813
3814 char addr[INET6_ADDRSTRLEN];
3815 inet_ntop(AF_INET6, &dstAddr, addr, INET6_ADDRSTRLEN);
3816 SCOPED_TRACE(StringPrintf("sendIPv6PacketFail, addr: %s, uid: %u, doConnect: %s", addr, uid,
3817 doConnect ? "true" : "false"));
3818 if (!doConnect) {
3819 if (sendto(s, "foo", sizeof("foo"), 0, (sockaddr*)&dst6, sizeof(dst6)) == 0) return false;
3820 if (errno != expectedErr) return false;
3821 }
3822 return true;
3823 }
3824
expectVpnFallthroughRuleExists(const std::string & ifName,int vpnNetId)3825 void expectVpnFallthroughRuleExists(const std::string& ifName, int vpnNetId) {
3826 std::string vpnFallthroughRule =
3827 StringPrintf("%d:\tfrom all fwmark 0x%x/0xffff lookup %s",
3828 RULE_PRIORITY_VPN_FALLTHROUGH, vpnNetId, ifName.c_str());
3829 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
3830 EXPECT_TRUE(ipRuleExists(ipVersion, vpnFallthroughRule));
3831 }
3832 }
3833
expectVpnFallthroughWorks(android::net::INetd * netdService,bool bypassable,uid_t uid,uid_t uidNotInVpn,const TunInterface & fallthroughNetwork,const TunInterface & vpnNetwork,const TunInterface & otherNetwork,int vpnNetId=TEST_NETID2,int fallthroughNetId=TEST_NETID1,int otherNetId=TEST_NETID3)3834 void expectVpnFallthroughWorks(android::net::INetd* netdService, bool bypassable, uid_t uid,
3835 uid_t uidNotInVpn, const TunInterface& fallthroughNetwork,
3836 const TunInterface& vpnNetwork, const TunInterface& otherNetwork,
3837 int vpnNetId = TEST_NETID2, int fallthroughNetId = TEST_NETID1,
3838 int otherNetId = TEST_NETID3) {
3839 // Set default network to NETID_UNSET
3840 EXPECT_TRUE(netdService->networkSetDefault(NETID_UNSET).isOk());
3841
3842 // insideVpnAddr based on the route we added in createVpnNetworkWithUid
3843 in6_addr insideVpnAddr = {
3844 {// 2001:db8:cafe::1
3845 .u6_addr8 = {0x20, 0x01, 0x0d, 0xb8, 0xca, 0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}}};
3846 // outsideVpnAddr will hit the route in the fallthrough network route table
3847 // because we added default route in createVpnNetworkWithUid
3848 in6_addr outsideVpnAddr = {
3849 {// 2607:f0d0:1002::4
3850 .u6_addr8 = {0x26, 0x07, 0xf0, 0xd0, 0x10, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4}}};
3851
3852 int fallthroughFd = fallthroughNetwork.getFdForTesting();
3853 int vpnFd = vpnNetwork.getFdForTesting();
3854 // Expect all connections to fail because UID 0 is not routed to the VPN and there is no
3855 // default network.
3856 Fwmark fwmark;
3857 EXPECT_FALSE(sendIPv6PacketFromUid(0, outsideVpnAddr, &fwmark, fallthroughFd));
3858 EXPECT_FALSE(sendIPv6PacketFromUid(0, insideVpnAddr, &fwmark, fallthroughFd));
3859
3860 // Set default network
3861 EXPECT_TRUE(netdService->networkSetDefault(fallthroughNetId).isOk());
3862
3863 // Connections go on the default network because UID 0 is not subject to the VPN.
3864 EXPECT_TRUE(sendIPv6PacketFromUid(0, outsideVpnAddr, &fwmark, fallthroughFd));
3865 EXPECT_EQ(fallthroughNetId | 0xC0000, static_cast<int>(fwmark.intValue));
3866 EXPECT_TRUE(sendIPv6PacketFromUid(0, insideVpnAddr, &fwmark, fallthroughFd));
3867 EXPECT_EQ(fallthroughNetId | 0xC0000, static_cast<int>(fwmark.intValue));
3868
3869 // Check if fallthrough rule exists
3870 expectVpnFallthroughRuleExists(fallthroughNetwork.name(), vpnNetId);
3871
3872 // Check if local exclusion rule exists for default network
3873 expectVpnLocalExclusionRuleExists(fallthroughNetwork.name(), true);
3874 // No local exclusion rule for non-default network
3875 expectVpnLocalExclusionRuleExists(otherNetwork.name(), false);
3876
3877 // Expect fallthrough to default network
3878 // The fwmark differs depending on whether the VPN is bypassable or not.
3879 EXPECT_TRUE(sendIPv6PacketFromUid(uid, outsideVpnAddr, &fwmark, fallthroughFd));
3880 EXPECT_EQ(bypassable ? vpnNetId : fallthroughNetId, static_cast<int>(fwmark.intValue));
3881
3882 // Expect connect success, packet will be sent to vpnFd.
3883 EXPECT_TRUE(sendIPv6PacketFromUid(uid, insideVpnAddr, &fwmark, vpnFd));
3884 EXPECT_EQ(bypassable ? vpnNetId : fallthroughNetId, static_cast<int>(fwmark.intValue));
3885
3886 // Explicitly select vpn network
3887 setNetworkForProcess(vpnNetId);
3888
3889 // Expect fallthrough to default network
3890 EXPECT_TRUE(sendIPv6PacketFromUid(0, outsideVpnAddr, &fwmark, fallthroughFd));
3891 // Expect the mark contains all the bit because we've selected network.
3892 EXPECT_EQ(vpnNetId | 0xF0000, static_cast<int>(fwmark.intValue));
3893
3894 // Expect connect success, packet will be sent to vpnFd.
3895 EXPECT_TRUE(sendIPv6PacketFromUid(0, insideVpnAddr, &fwmark, vpnFd));
3896 // Expect the mark contains all the bit because we've selected network.
3897 EXPECT_EQ(vpnNetId | 0xF0000, static_cast<int>(fwmark.intValue));
3898
3899 // Explicitly select fallthrough network
3900 setNetworkForProcess(fallthroughNetId);
3901
3902 // The mark is set to fallthrough network because we've selected it.
3903 EXPECT_TRUE(sendIPv6PacketFromUid(0, outsideVpnAddr, &fwmark, fallthroughFd));
3904 EXPECT_TRUE(sendIPv6PacketFromUid(0, insideVpnAddr, &fwmark, fallthroughFd));
3905
3906 // If vpn is BypassableVPN, connections can also go on the fallthrough network under vpn uid.
3907 if (bypassable) {
3908 EXPECT_TRUE(sendIPv6PacketFromUid(uid, outsideVpnAddr, &fwmark, fallthroughFd));
3909 EXPECT_TRUE(sendIPv6PacketFromUid(uid, insideVpnAddr, &fwmark, fallthroughFd));
3910 } else {
3911 // If not, no permission to bypass vpn.
3912 EXPECT_FALSE(sendIPv6PacketFromUid(uid, outsideVpnAddr, &fwmark, fallthroughFd));
3913 EXPECT_FALSE(sendIPv6PacketFromUid(uid, insideVpnAddr, &fwmark, fallthroughFd));
3914 }
3915
3916 // Add per-app uid ranges.
3917 EXPECT_TRUE(netdService
3918 ->networkAddUidRanges(otherNetId,
3919 {makeUidRangeParcel(uidNotInVpn, uidNotInVpn)})
3920 .isOk());
3921
3922 int appDefaultFd = otherNetwork.getFdForTesting();
3923
3924 // UID is not inside the VPN range, so it won't go to vpn network.
3925 // It won't fall into per app local rule because it's explicitly selected.
3926 EXPECT_TRUE(sendIPv6PacketFromUid(uidNotInVpn, outsideVpnAddr, &fwmark, fallthroughFd));
3927 EXPECT_TRUE(sendIPv6PacketFromUid(uidNotInVpn, insideVpnAddr, &fwmark, fallthroughFd));
3928
3929 // Reset explicitly selection.
3930 setNetworkForProcess(NETID_UNSET);
3931 // Connections can go to app default network.
3932 EXPECT_TRUE(sendIPv6PacketFromUid(uidNotInVpn, insideVpnAddr, &fwmark, appDefaultFd));
3933 EXPECT_TRUE(sendIPv6PacketFromUid(uidNotInVpn, outsideVpnAddr, &fwmark, appDefaultFd));
3934 }
3935
3936 } // namespace
3937
TEST_F(NetdBinderTest,SecureVPNFallthrough)3938 TEST_F(NetdBinderTest, SecureVPNFallthrough) {
3939 createVpnNetworkWithUid(true /* secure */, TEST_UID1);
3940 // Get current default network NetId
3941 ASSERT_TRUE(mNetd->networkGetDefault(&mStoredDefaultNetwork).isOk());
3942 expectVpnFallthroughWorks(mNetd.get(), false /* bypassable */, TEST_UID1, TEST_UID2, sTun,
3943 sTun2, sTun3);
3944 }
3945
TEST_F(NetdBinderTest,BypassableVPNFallthrough)3946 TEST_F(NetdBinderTest, BypassableVPNFallthrough) {
3947 createVpnNetworkWithUid(false /* secure */, TEST_UID1);
3948 // Get current default network NetId
3949 ASSERT_TRUE(mNetd->networkGetDefault(&mStoredDefaultNetwork).isOk());
3950 expectVpnFallthroughWorks(mNetd.get(), true /* bypassable */, TEST_UID1, TEST_UID2, sTun, sTun2,
3951 sTun3);
3952 }
3953
3954 namespace {
3955
createIpv6SocketAndCheckMark(int type,const in6_addr & dstAddr)3956 int32_t createIpv6SocketAndCheckMark(int type, const in6_addr& dstAddr) {
3957 const sockaddr_in6 dst6 = {
3958 .sin6_family = AF_INET6,
3959 .sin6_port = 1234,
3960 .sin6_addr = dstAddr,
3961 };
3962 // create non-blocking socket.
3963 int sockFd = socket(AF_INET6, type | SOCK_NONBLOCK, 0);
3964 EXPECT_NE(-1, sockFd);
3965 EXPECT_EQ((type == SOCK_STREAM) ? -1 : 0, connect(sockFd, (sockaddr*)&dst6, sizeof(dst6)));
3966
3967 // Get socket fwmark.
3968 Fwmark fwmark;
3969 socklen_t fwmarkLen = sizeof(fwmark.intValue);
3970 EXPECT_EQ(0, getsockopt(sockFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen));
3971 EXPECT_EQ(0, close(sockFd));
3972 return fwmark.intValue;
3973 }
3974
3975 } // namespace
3976
TEST_F(NetdBinderTest,GetFwmarkForNetwork)3977 TEST_F(NetdBinderTest, GetFwmarkForNetwork) {
3978 // Save current default network.
3979 ASSERT_TRUE(mNetd->networkGetDefault(&mStoredDefaultNetwork).isOk());
3980
3981 // Add test physical network 1 and set as default network.
3982 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3983 INetd::PERMISSION_NONE, false, false);
3984 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3985 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3986 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "2001:db8::/32", "").isOk());
3987 EXPECT_TRUE(mNetd->networkSetDefault(TEST_NETID1).isOk());
3988 // Add test physical network 2
3989 config.netId = TEST_NETID2;
3990 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3991 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID2, sTun2.name()).isOk());
3992
3993 // Get fwmark for network 1.
3994 MarkMaskParcel maskMarkNet1;
3995 ASSERT_TRUE(mNetd->getFwmarkForNetwork(TEST_NETID1, &maskMarkNet1).isOk());
3996
3997 uint32_t fwmarkTcp = createIpv6SocketAndCheckMark(SOCK_STREAM, V6_ADDR);
3998 uint32_t fwmarkUdp = createIpv6SocketAndCheckMark(SOCK_DGRAM, V6_ADDR);
3999 EXPECT_EQ(maskMarkNet1.mark, static_cast<int>(fwmarkTcp & maskMarkNet1.mask));
4000 EXPECT_EQ(maskMarkNet1.mark, static_cast<int>(fwmarkUdp & maskMarkNet1.mask));
4001
4002 // Get fwmark for network 2.
4003 MarkMaskParcel maskMarkNet2;
4004 ASSERT_TRUE(mNetd->getFwmarkForNetwork(TEST_NETID2, &maskMarkNet2).isOk());
4005 EXPECT_NE(maskMarkNet2.mark, static_cast<int>(fwmarkTcp & maskMarkNet2.mask));
4006 EXPECT_NE(maskMarkNet2.mark, static_cast<int>(fwmarkUdp & maskMarkNet2.mask));
4007
4008 // Remove test physical network.
4009 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID2).isOk());
4010 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
4011 }
4012
TEST_F(NetdBinderTest,TestServiceDump)4013 TEST_F(NetdBinderTest, TestServiceDump) {
4014 sp<IBinder> binder = INetd::asBinder(mNetd);
4015 ASSERT_NE(nullptr, binder);
4016
4017 struct TestData {
4018 // Expected contents of the dump command.
4019 const std::string output;
4020 // A regex that might be helpful in matching relevant lines in the output.
4021 // Used to make it easier to add test cases for this code.
4022 const std::string hintRegex;
4023 };
4024 std::vector<TestData> testData;
4025
4026 // Send some IPCs and for each one add an element to testData telling us what to expect.
4027 const auto& config = makeNativeNetworkConfig(TEST_DUMP_NETID, NativeNetworkType::PHYSICAL,
4028 INetd::PERMISSION_NONE, false, false);
4029 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4030 testData.push_back(
4031 {"networkCreate(NativeNetworkConfig{netId: 65123, networkType: PHYSICAL, "
4032 "permission: 0, secure: false, vpnType: PLATFORM, excludeLocalRoutes: false})",
4033 "networkCreate.*65123"});
4034
4035 EXPECT_EQ(EEXIST, mNetd->networkCreate(config).serviceSpecificErrorCode());
4036 testData.push_back(
4037 {"networkCreate(NativeNetworkConfig{netId: 65123, networkType: PHYSICAL, "
4038 "permission: 0, secure: false, vpnType: PLATFORM, excludeLocalRoutes: false}) "
4039 "-> ServiceSpecificException(17, \"File exists\")",
4040 "networkCreate.*65123.*17"});
4041
4042 EXPECT_TRUE(mNetd->networkAddInterface(TEST_DUMP_NETID, sTun.name()).isOk());
4043 testData.push_back({StringPrintf("networkAddInterface(65123, %s)", sTun.name().c_str()),
4044 StringPrintf("networkAddInterface.*65123.*%s", sTun.name().c_str())});
4045
4046 android::net::RouteInfoParcel parcel;
4047 parcel.ifName = sTun.name();
4048 parcel.destination = "2001:db8:dead:beef::/64";
4049 parcel.nextHop = "fe80::dead:beef";
4050 parcel.mtu = 1234;
4051 EXPECT_TRUE(mNetd->networkAddRouteParcel(TEST_DUMP_NETID, parcel).isOk());
4052 testData.push_back(
4053 {StringPrintf("networkAddRouteParcel(65123, RouteInfoParcel{destination:"
4054 " 2001:db8:dead:beef::/64, ifName: %s, nextHop: fe80::dead:beef,"
4055 " mtu: 1234})",
4056 sTun.name().c_str()),
4057 "networkAddRouteParcel.*65123.*dead:beef"});
4058
4059 EXPECT_TRUE(mNetd->networkDestroy(TEST_DUMP_NETID).isOk());
4060 testData.push_back({"networkDestroy(65123)", "networkDestroy.*65123"});
4061
4062 // Send the service dump request to netd.
4063 std::vector<std::string> lines = {};
4064 android::status_t ret = dumpService(binder, {}, lines);
4065 ASSERT_EQ(android::OK, ret) << "Error dumping service: " << android::statusToString(ret);
4066
4067 // Basic regexp to match dump output lines. Matches the beginning and end of the line, and
4068 // puts the output of the command itself into the first match group.
4069 // Example: " 11-05 00:23:39.481 myCommand(args) <2.02ms>".
4070 const std::basic_regex lineRegex(
4071 "^ [0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[.][0-9]{3} "
4072 "(.*)"
4073 " <[0-9]+[.][0-9]{2}ms>$");
4074
4075 // For each element of testdata, check that the expected output appears in the dump output.
4076 // If not, fail the test and use hintRegex to print similar lines to assist in debugging.
4077 for (const TestData& td : testData) {
4078 const bool found = std::any_of(lines.begin(), lines.end(), [&](const std::string& line) {
4079 std::smatch match;
4080 if (!std::regex_match(line, match, lineRegex)) return false;
4081 return (match.size() == 2) && (match[1].str() == td.output);
4082 });
4083 EXPECT_TRUE(found) << "Didn't find line '" << td.output << "' in dumpsys output.";
4084 if (found) continue;
4085 std::cerr << "Similar lines" << std::endl;
4086 for (const auto& line : lines) {
4087 if (std::regex_search(line, std::basic_regex(td.hintRegex))) {
4088 std::cerr << line << std::endl;
4089 }
4090 }
4091 }
4092 }
4093
4094 namespace {
4095
4096 // aliases for better reading
4097 #define SYSTEM_DEFAULT_NETID TEST_NETID1
4098 #define APP_DEFAULT_NETID TEST_NETID2
4099 #define VPN_NETID TEST_NETID3
4100
4101 #define ENTERPRISE_NETID_1 TEST_NETID2
4102 #define ENTERPRISE_NETID_2 TEST_NETID3
4103 #define ENTERPRISE_NETID_3 TEST_NETID4
4104
verifyAppUidRules(std::vector<bool> && expectedResults,std::vector<UidRangeParcel> & uidRanges,const std::string & iface,int32_t subPriority)4105 void verifyAppUidRules(std::vector<bool>&& expectedResults, std::vector<UidRangeParcel>& uidRanges,
4106 const std::string& iface, int32_t subPriority) {
4107 ASSERT_EQ(expectedResults.size(), uidRanges.size());
4108 if (iface.size()) {
4109 std::string action = StringPrintf("lookup %s", iface.c_str());
4110 std::string action_local = StringPrintf("lookup %s_local", iface.c_str());
4111 for (unsigned long i = 0; i < uidRanges.size(); i++) {
4112 EXPECT_EQ(expectedResults[i],
4113 ipRuleExistsForRange(RULE_PRIORITY_UID_EXPLICIT_NETWORK + subPriority,
4114 uidRanges[i], action));
4115 EXPECT_EQ(expectedResults[i],
4116 ipRuleExistsForRange(RULE_PRIORITY_UID_IMPLICIT_NETWORK + subPriority,
4117 uidRanges[i], action));
4118 EXPECT_EQ(expectedResults[i],
4119 ipRuleExistsForRange(RULE_PRIORITY_UID_DEFAULT_NETWORK + subPriority,
4120 uidRanges[i], action));
4121 EXPECT_EQ(expectedResults[i], ipRuleExistsForRange(RULE_PRIORITY_UID_LOCAL_ROUTES,
4122 uidRanges[i], action_local));
4123 }
4124 } else {
4125 std::string action = "unreachable";
4126 for (unsigned long i = 0; i < uidRanges.size(); i++) {
4127 EXPECT_EQ(expectedResults[i],
4128 ipRuleExistsForRange(RULE_PRIORITY_UID_EXPLICIT_NETWORK + subPriority,
4129 uidRanges[i], action));
4130 EXPECT_EQ(expectedResults[i],
4131 ipRuleExistsForRange(RULE_PRIORITY_UID_IMPLICIT_NETWORK + subPriority,
4132 uidRanges[i], action));
4133 EXPECT_EQ(expectedResults[i],
4134 ipRuleExistsForRange(RULE_PRIORITY_UID_DEFAULT_UNREACHABLE + subPriority,
4135 uidRanges[i], action));
4136 }
4137 }
4138 }
4139
verifyAppUidRules(std::vector<bool> && expectedResults,NativeUidRangeConfig & uidRangeConfig,const std::string & iface)4140 void verifyAppUidRules(std::vector<bool>&& expectedResults, NativeUidRangeConfig& uidRangeConfig,
4141 const std::string& iface) {
4142 verifyAppUidRules(std::move(expectedResults), uidRangeConfig.uidRanges, iface,
4143 uidRangeConfig.subPriority);
4144 }
4145
verifyVpnUidRules(std::vector<bool> && expectedResults,NativeUidRangeConfig & uidRangeConfig,const std::string & iface,bool secure,bool excludeLocalRoutes)4146 void verifyVpnUidRules(std::vector<bool>&& expectedResults, NativeUidRangeConfig& uidRangeConfig,
4147 const std::string& iface, bool secure, bool excludeLocalRoutes) {
4148 ASSERT_EQ(expectedResults.size(), uidRangeConfig.uidRanges.size());
4149 std::string action = StringPrintf("lookup %s", iface.c_str());
4150
4151 int32_t priority;
4152 if (secure) {
4153 priority = RULE_PRIORITY_SECURE_VPN;
4154 } else {
4155 // Set to no local exclusion here to reflect the default value of local exclusion.
4156 priority = excludeLocalRoutes ? RULE_PRIORITY_BYPASSABLE_VPN_LOCAL_EXCLUSION
4157 : RULE_PRIORITY_BYPASSABLE_VPN_NO_LOCAL_EXCLUSION;
4158 }
4159 for (unsigned long i = 0; i < uidRangeConfig.uidRanges.size(); i++) {
4160 EXPECT_EQ(expectedResults[i], ipRuleExistsForRange(priority + uidRangeConfig.subPriority,
4161 uidRangeConfig.uidRanges[i], action));
4162 EXPECT_EQ(expectedResults[i],
4163 ipRuleExistsForRange(RULE_PRIORITY_EXPLICIT_NETWORK + uidRangeConfig.subPriority,
4164 uidRangeConfig.uidRanges[i], action));
4165 EXPECT_EQ(expectedResults[i],
4166 ipRuleExistsForRange(RULE_PRIORITY_OUTPUT_INTERFACE + uidRangeConfig.subPriority,
4167 uidRangeConfig.uidRanges[i], action, iface.c_str()));
4168 }
4169 }
4170
4171 constexpr int SUB_PRIORITY_1 = UidRanges::SUB_PRIORITY_HIGHEST + 1;
4172 constexpr int SUB_PRIORITY_2 = UidRanges::SUB_PRIORITY_HIGHEST + 2;
4173
4174 constexpr int IMPLICITLY_SELECT = 0;
4175 constexpr int EXPLICITLY_SELECT = 1;
4176 constexpr int UNCONNECTED_SOCKET = 2;
4177
4178 // 1. Send data with the specified UID, on a connected or unconnected socket.
4179 // 2. Verify if data is received from the specified fd. The fd should belong to a TUN, which has
4180 // been assigned to the test network.
4181 // 3. Verify if fwmark of data is correct.
4182 // Note: This is a helper function used by per-app default network tests. It does not implement full
4183 // fwmark logic in netd, and it's currently sufficient. Extension may be required for more
4184 // complicated tests.
expectPacketSentOnNetId(uid_t uid,unsigned netId,int fd,int selectionMode)4185 void expectPacketSentOnNetId(uid_t uid, unsigned netId, int fd, int selectionMode) {
4186 Fwmark fwmark;
4187 const bool doConnect = (selectionMode != UNCONNECTED_SOCKET);
4188 EXPECT_TRUE(sendIPv6PacketFromUid(uid, V6_ADDR, &fwmark, fd, doConnect));
4189
4190 Fwmark expected;
4191 expected.netId = netId;
4192 expected.explicitlySelected = (selectionMode == EXPLICITLY_SELECT);
4193 if (uid == AID_ROOT && selectionMode == EXPLICITLY_SELECT) {
4194 expected.protectedFromVpn = true;
4195 } else {
4196 expected.protectedFromVpn = false;
4197 }
4198 if (selectionMode == UNCONNECTED_SOCKET) {
4199 expected.permission = PERMISSION_NONE;
4200 } else {
4201 expected.permission = (uid == AID_ROOT) ? PERMISSION_SYSTEM : PERMISSION_NONE;
4202 }
4203
4204 EXPECT_EQ(expected.intValue, fwmark.intValue);
4205 }
4206
expectUnreachableError(uid_t uid,unsigned netId,int selectionMode)4207 void expectUnreachableError(uid_t uid, unsigned netId, int selectionMode) {
4208 Fwmark fwmark;
4209 const bool doConnect = (selectionMode != UNCONNECTED_SOCKET);
4210 EXPECT_TRUE(sendIPv6PacketFromUidFail(uid, V6_ADDR, &fwmark, doConnect, ENETUNREACH));
4211
4212 Fwmark expected;
4213 expected.netId = netId;
4214 expected.explicitlySelected = (selectionMode == EXPLICITLY_SELECT);
4215 if (uid == AID_ROOT && selectionMode == EXPLICITLY_SELECT) {
4216 expected.protectedFromVpn = true;
4217 } else {
4218 expected.protectedFromVpn = false;
4219 }
4220 if (selectionMode == UNCONNECTED_SOCKET) {
4221 expected.permission = PERMISSION_NONE;
4222 } else {
4223 expected.permission = (uid == AID_ROOT) ? PERMISSION_SYSTEM : PERMISSION_NONE;
4224 }
4225
4226 EXPECT_EQ(expected.intValue, fwmark.intValue);
4227 }
4228
4229 } // namespace
4230
4231 // Verify how the API handle overlapped UID ranges
TEST_F(NetdBinderTest,PerAppDefaultNetwork_OverlappedUidRanges)4232 TEST_F(NetdBinderTest, PerAppDefaultNetwork_OverlappedUidRanges) {
4233 const auto& config = makeNativeNetworkConfig(APP_DEFAULT_NETID, NativeNetworkType::PHYSICAL,
4234 INetd::PERMISSION_NONE, false, false);
4235 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4236 EXPECT_TRUE(mNetd->networkAddInterface(APP_DEFAULT_NETID, sTun.name()).isOk());
4237
4238 std::vector<UidRangeParcel> uidRanges = {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1),
4239 makeUidRangeParcel(BASE_UID + 10, BASE_UID + 12)};
4240 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID, uidRanges).isOk());
4241
4242 binder::Status status;
4243 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4244 {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1)});
4245 EXPECT_TRUE(status.isOk());
4246
4247 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4248 {makeUidRangeParcel(BASE_UID + 9, BASE_UID + 10)});
4249 EXPECT_TRUE(status.isOk());
4250
4251 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4252 {makeUidRangeParcel(BASE_UID + 11, BASE_UID + 11)});
4253 EXPECT_TRUE(status.isOk());
4254
4255 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4256 {makeUidRangeParcel(BASE_UID + 12, BASE_UID + 13)});
4257 EXPECT_TRUE(status.isOk());
4258
4259 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4260 {makeUidRangeParcel(BASE_UID + 9, BASE_UID + 13)});
4261 EXPECT_TRUE(status.isOk());
4262
4263 std::vector<UidRangeParcel> selfOverlappedUidRanges = {
4264 makeUidRangeParcel(BASE_UID + 20, BASE_UID + 20),
4265 makeUidRangeParcel(BASE_UID + 20, BASE_UID + 21)};
4266 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID, selfOverlappedUidRanges);
4267 EXPECT_FALSE(status.isOk());
4268 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4269 }
4270
4271 // Verify whether IP rules for app default network are correctly configured.
TEST_F(NetdBinderTest,PerAppDefaultNetwork_VerifyIpRules)4272 TEST_F(NetdBinderTest, PerAppDefaultNetwork_VerifyIpRules) {
4273 const auto& config = makeNativeNetworkConfig(APP_DEFAULT_NETID, NativeNetworkType::PHYSICAL,
4274 INetd::PERMISSION_NONE, false, false);
4275 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4276 EXPECT_TRUE(mNetd->networkAddInterface(APP_DEFAULT_NETID, sTun.name()).isOk());
4277
4278 std::vector<UidRangeParcel> uidRanges = {makeUidRangeParcel(BASE_UID + 8005, BASE_UID + 8012),
4279 makeUidRangeParcel(BASE_UID + 8090, BASE_UID + 8099)};
4280
4281 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID, uidRanges).isOk());
4282 verifyAppUidRules({true, true} /*expectedResults*/, uidRanges, sTun.name(),
4283 UidRanges::SUB_PRIORITY_HIGHEST);
4284 EXPECT_TRUE(mNetd->networkRemoveUidRanges(APP_DEFAULT_NETID, {uidRanges.at(0)}).isOk());
4285 verifyAppUidRules({false, true} /*expectedResults*/, uidRanges, sTun.name(),
4286 UidRanges::SUB_PRIORITY_HIGHEST);
4287 EXPECT_TRUE(mNetd->networkRemoveUidRanges(APP_DEFAULT_NETID, {uidRanges.at(1)}).isOk());
4288 verifyAppUidRules({false, false} /*expectedResults*/, uidRanges, sTun.name(),
4289 UidRanges::SUB_PRIORITY_HIGHEST);
4290
4291 EXPECT_TRUE(mNetd->networkAddUidRanges(INetd::UNREACHABLE_NET_ID, uidRanges).isOk());
4292 verifyAppUidRules({true, true} /*expectedResults*/, uidRanges, "",
4293 UidRanges::SUB_PRIORITY_HIGHEST);
4294 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID, {uidRanges.at(0)}).isOk());
4295 verifyAppUidRules({false, true} /*expectedResults*/, uidRanges, "",
4296 UidRanges::SUB_PRIORITY_HIGHEST);
4297 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID, {uidRanges.at(1)}).isOk());
4298 verifyAppUidRules({false, false} /*expectedResults*/, uidRanges, "",
4299 UidRanges::SUB_PRIORITY_HIGHEST);
4300 }
4301
4302 // Verify whether packets go through the right network with and without per-app default network.
4303 // Meaning of Fwmark bits (from Fwmark.h):
4304 // 0x0000ffff - Network ID
4305 // 0x00010000 - Explicit mark bit
4306 // 0x00020000 - VPN protect bit
4307 // 0x000c0000 - Permission bits
TEST_F(NetdBinderTest,PerAppDefaultNetwork_ImplicitlySelectNetwork)4308 TEST_F(NetdBinderTest, PerAppDefaultNetwork_ImplicitlySelectNetwork) {
4309 createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID);
4310
4311 int systemDefaultFd = sTun.getFdForTesting();
4312 int appDefaultFd = sTun2.getFdForTesting();
4313
4314 // Connections go through the system default network.
4315 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4316 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4317
4318 // Add TEST_UID1 to per-app default network.
4319 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4320 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4321 .isOk());
4322 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4323 expectPacketSentOnNetId(TEST_UID1, APP_DEFAULT_NETID, appDefaultFd, IMPLICITLY_SELECT);
4324
4325 // Remove TEST_UID1 from per-app default network.
4326 EXPECT_TRUE(mNetd->networkRemoveUidRanges(APP_DEFAULT_NETID,
4327 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4328 .isOk());
4329 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4330 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4331
4332 // Prohibit TEST_UID1 from using the default network.
4333 EXPECT_TRUE(mNetd->networkAddUidRanges(INetd::UNREACHABLE_NET_ID,
4334 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4335 .isOk());
4336 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4337 expectUnreachableError(TEST_UID1, INetd::UNREACHABLE_NET_ID, IMPLICITLY_SELECT);
4338
4339 // restore IP rules
4340 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID,
4341 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4342 .isOk());
4343 }
4344
4345 // Verify whether packets go through the right network when app explicitly selects a network.
TEST_F(NetdBinderTest,PerAppDefaultNetwork_ExplicitlySelectNetwork)4346 TEST_F(NetdBinderTest, PerAppDefaultNetwork_ExplicitlySelectNetwork) {
4347 createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID);
4348
4349 int systemDefaultFd = sTun.getFdForTesting();
4350 int appDefaultFd = sTun2.getFdForTesting();
4351
4352 // Explicitly select the system default network.
4353 setNetworkForProcess(SYSTEM_DEFAULT_NETID);
4354 // Connections go through the system default network.
4355 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4356 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4357
4358 // Set TEST_UID1 to default unreachable, which won't affect the explicitly selected network.
4359 // Connections go through the system default network.
4360 EXPECT_TRUE(mNetd->networkAddUidRanges(INetd::UNREACHABLE_NET_ID,
4361 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4362 .isOk());
4363 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4364 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4365
4366 // restore IP rules
4367 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID,
4368 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4369 .isOk());
4370
4371 // Add TEST_UID1 to per-app default network, which won't affect the explicitly selected network.
4372 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4373 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4374 .isOk());
4375 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4376 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4377
4378 // Explicitly select the per-app default network.
4379 setNetworkForProcess(APP_DEFAULT_NETID);
4380 // Connections go through the per-app default network.
4381 expectPacketSentOnNetId(AID_ROOT, APP_DEFAULT_NETID, appDefaultFd, EXPLICITLY_SELECT);
4382 expectPacketSentOnNetId(TEST_UID1, APP_DEFAULT_NETID, appDefaultFd, EXPLICITLY_SELECT);
4383 }
4384
4385 // Verify whether packets go through the right network if app does not implicitly or explicitly
4386 // select any network.
TEST_F(NetdBinderTest,PerAppDefaultNetwork_UnconnectedSocket)4387 TEST_F(NetdBinderTest, PerAppDefaultNetwork_UnconnectedSocket) {
4388 createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID);
4389
4390 int systemDefaultFd = sTun.getFdForTesting();
4391 int appDefaultFd = sTun2.getFdForTesting();
4392
4393 // Connections go through the system default network.
4394 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4395 expectPacketSentOnNetId(TEST_UID1, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4396
4397 // Add TEST_UID1 to per-app default network. Traffic should go through the per-app default
4398 // network if UID is in range. Otherwise, go through the system default network.
4399 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4400 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4401 .isOk());
4402 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4403 expectPacketSentOnNetId(TEST_UID1, NETID_UNSET, appDefaultFd, UNCONNECTED_SOCKET);
4404
4405 // Set TEST_UID1's default network to unreachable. Its traffic should still go through the
4406 // per-app default network. Other traffic go through the system default network.
4407 // PS: per-app default network take precedence over unreachable network. This should happens
4408 // only in the transition period when both rules are briefly set.
4409 EXPECT_TRUE(mNetd->networkAddUidRanges(INetd::UNREACHABLE_NET_ID,
4410 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4411 .isOk());
4412 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4413 expectPacketSentOnNetId(TEST_UID1, NETID_UNSET, appDefaultFd, UNCONNECTED_SOCKET);
4414
4415 // Remove TEST_UID1's default network from OEM-paid network. Its traffic should get ENETUNREACH
4416 // error. Other traffic still go through the system default network.
4417 EXPECT_TRUE(mNetd->networkRemoveUidRanges(APP_DEFAULT_NETID,
4418 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4419 .isOk());
4420 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4421 expectUnreachableError(TEST_UID1, NETID_UNSET, UNCONNECTED_SOCKET);
4422
4423 // restore IP rules
4424 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID,
4425 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4426 .isOk());
4427 }
4428
TEST_F(NetdBinderTest,PerAppDefaultNetwork_PermissionCheck)4429 TEST_F(NetdBinderTest, PerAppDefaultNetwork_PermissionCheck) {
4430 createPhysicalNetwork(APP_DEFAULT_NETID, sTun2.name(), INetd::PERMISSION_SYSTEM);
4431
4432 { // uid is not in app range. Can not set network for process.
4433 ScopedUidChange scopedUidChange(TEST_UID1);
4434 EXPECT_EQ(-EACCES, setNetworkForProcess(APP_DEFAULT_NETID));
4435 }
4436
4437 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4438 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4439 .isOk());
4440
4441 { // uid is in app range. Can set network for process.
4442 ScopedUidChange scopedUidChange(TEST_UID1);
4443 EXPECT_EQ(0, setNetworkForProcess(APP_DEFAULT_NETID));
4444 }
4445 }
4446
4447 class VpnParameterizedTest : public NetdBinderTest, public testing::WithParamInterface<bool> {};
4448
4449 // Exercise secure and bypassable VPN.
4450 INSTANTIATE_TEST_SUITE_P(PerAppDefaultNetwork, VpnParameterizedTest, testing::Bool(),
__anon8d4ee1091f02(const testing::TestParamInfo<bool>& info) 4451 [](const testing::TestParamInfo<bool>& info) {
4452 return info.param ? "SecureVPN" : "BypassableVPN";
4453 });
4454
4455 // Verify per-app default network + VPN.
TEST_P(VpnParameterizedTest,ImplicitlySelectNetwork)4456 TEST_P(VpnParameterizedTest, ImplicitlySelectNetwork) {
4457 const bool isSecureVPN = GetParam();
4458 createVpnAndAppDefaultNetworkWithUid(
4459 SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID, isSecureVPN,
4460 {makeUidRangeParcel(TEST_UID2, TEST_UID1)} /* app range */,
4461 {makeUidRangeParcel(TEST_UID3, TEST_UID2)} /* VPN range */);
4462
4463 int systemDefaultFd = sTun.getFdForTesting();
4464 int appDefaultFd = sTun2.getFdForTesting();
4465 int vpnFd = sTun3.getFdForTesting();
4466
4467 // uid is neither in app range, nor in VPN range. Traffic goes through system default network.
4468 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4469 // uid is in VPN range, not in app range. Traffic goes through VPN.
4470 expectPacketSentOnNetId(TEST_UID3, (isSecureVPN ? SYSTEM_DEFAULT_NETID : VPN_NETID), vpnFd,
4471 IMPLICITLY_SELECT);
4472 // uid is in app range, not in VPN range. Traffic goes through per-app default network.
4473 expectPacketSentOnNetId(TEST_UID1, APP_DEFAULT_NETID, appDefaultFd, IMPLICITLY_SELECT);
4474 // uid is in both app and VPN range. Traffic goes through VPN.
4475 expectPacketSentOnNetId(TEST_UID2, (isSecureVPN ? APP_DEFAULT_NETID : VPN_NETID), vpnFd,
4476 IMPLICITLY_SELECT);
4477 }
4478
4479 class VpnAndSelectNetworkParameterizedTest
4480 : public NetdBinderTest,
4481 public testing::WithParamInterface<std::tuple<bool, int>> {};
4482
4483 // Exercise the combination of different VPN types and different user selected networks. e.g.
4484 // secure VPN + select on system default network
4485 // secure VPN + select on app default network
4486 // secure VPN + select on VPN
4487 // bypassable VPN + select on system default network
4488 // ...
4489 INSTANTIATE_TEST_SUITE_P(PerAppDefaultNetwork, VpnAndSelectNetworkParameterizedTest,
4490 testing::Combine(testing::Bool(),
4491 testing::Values(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID,
4492 VPN_NETID)),
__anon8d4ee1092002(const testing::TestParamInfo<std::tuple<bool, int>>& info) 4493 [](const testing::TestParamInfo<std::tuple<bool, int>>& info) {
4494 const std::string vpnType = std::get<0>(info.param)
4495 ? std::string("SecureVPN")
4496 : std::string("BypassableVPN");
4497 std::string selectedNetwork;
4498 switch (std::get<1>(info.param)) {
4499 case SYSTEM_DEFAULT_NETID:
4500 selectedNetwork = "SystemDefaultNetwork";
4501 break;
4502 case APP_DEFAULT_NETID:
4503 selectedNetwork = "AppDefaultNetwork";
4504 break;
4505 case VPN_NETID:
4506 selectedNetwork = "VPN";
4507 break;
4508 default:
4509 selectedNetwork = "InvalidParameter"; // Should not happen.
4510 }
4511 return vpnType + "_select" + selectedNetwork;
4512 });
4513
TEST_P(VpnAndSelectNetworkParameterizedTest,ExplicitlySelectNetwork)4514 TEST_P(VpnAndSelectNetworkParameterizedTest, ExplicitlySelectNetwork) {
4515 bool isSecureVPN;
4516 int selectedNetId;
4517 std::tie(isSecureVPN, selectedNetId) = GetParam();
4518 createVpnAndAppDefaultNetworkWithUid(
4519 SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID, isSecureVPN,
4520 {makeUidRangeParcel(TEST_UID2, TEST_UID1)} /* app range */,
4521 {makeUidRangeParcel(TEST_UID3, TEST_UID2)} /* VPN range */);
4522
4523 int expectedFd = -1;
4524 switch (selectedNetId) {
4525 case SYSTEM_DEFAULT_NETID:
4526 expectedFd = sTun.getFdForTesting();
4527 break;
4528 case APP_DEFAULT_NETID:
4529 expectedFd = sTun2.getFdForTesting();
4530 break;
4531 case VPN_NETID:
4532 expectedFd = sTun3.getFdForTesting();
4533 break;
4534 default:
4535 GTEST_LOG_(ERROR) << "unexpected netId:" << selectedNetId; // Should not happen.
4536 }
4537
4538 // In all following permutations, Traffic should go through the specified network if a process
4539 // can select network for itself. The fwmark should contain process UID and the explicit select
4540 // bit.
4541 { // uid is neither in app range, nor in VPN range. Permission bits, protect bit, and explicit
4542 // select bit are all set because of AID_ROOT.
4543 ScopedUidChange scopedUidChange(AID_ROOT);
4544 EXPECT_EQ(0, setNetworkForProcess(selectedNetId));
4545 expectPacketSentOnNetId(AID_ROOT, selectedNetId, expectedFd, EXPLICITLY_SELECT);
4546 }
4547 { // uid is in VPN range, not in app range.
4548 ScopedUidChange scopedUidChange(TEST_UID3);
4549 // Cannot select non-VPN networks when uid is subject to secure VPN.
4550 if (isSecureVPN && selectedNetId != VPN_NETID) {
4551 EXPECT_EQ(-EPERM, setNetworkForProcess(selectedNetId));
4552 } else {
4553 EXPECT_EQ(0, setNetworkForProcess(selectedNetId));
4554 expectPacketSentOnNetId(TEST_UID3, selectedNetId, expectedFd, EXPLICITLY_SELECT);
4555 }
4556 }
4557 { // uid is in app range, not in VPN range.
4558 ScopedUidChange scopedUidChange(TEST_UID1);
4559 // Cannot select the VPN because the VPN does not applies to the UID.
4560 if (selectedNetId == VPN_NETID) {
4561 EXPECT_EQ(-EPERM, setNetworkForProcess(selectedNetId));
4562 } else {
4563 EXPECT_EQ(0, setNetworkForProcess(selectedNetId));
4564 expectPacketSentOnNetId(TEST_UID1, selectedNetId, expectedFd, EXPLICITLY_SELECT);
4565 }
4566 }
4567 { // uid is in both app range and VPN range.
4568 ScopedUidChange scopedUidChange(TEST_UID2);
4569 // Cannot select non-VPN networks when uid is subject to secure VPN.
4570 if (isSecureVPN && selectedNetId != VPN_NETID) {
4571 EXPECT_EQ(-EPERM, setNetworkForProcess(selectedNetId));
4572 } else {
4573 EXPECT_EQ(0, setNetworkForProcess(selectedNetId));
4574 expectPacketSentOnNetId(TEST_UID2, selectedNetId, expectedFd, EXPLICITLY_SELECT);
4575 }
4576 }
4577 }
4578
TEST_P(VpnParameterizedTest,UnconnectedSocket)4579 TEST_P(VpnParameterizedTest, UnconnectedSocket) {
4580 const bool isSecureVPN = GetParam();
4581 createVpnAndAppDefaultNetworkWithUid(
4582 SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID, isSecureVPN,
4583 {makeUidRangeParcel(TEST_UID2, TEST_UID1)} /* app range */,
4584 {makeUidRangeParcel(TEST_UID3, TEST_UID2)} /* VPN range */);
4585
4586 int systemDefaultFd = sTun.getFdForTesting();
4587 int appDefaultFd = sTun2.getFdForTesting();
4588 int vpnFd = sTun3.getFdForTesting();
4589
4590 // uid is neither in app range, nor in VPN range. Traffic goes through system default network.
4591 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4592 // uid is in VPN range, not in app range. Traffic goes through VPN.
4593 expectPacketSentOnNetId(TEST_UID3, NETID_UNSET, vpnFd, UNCONNECTED_SOCKET);
4594 // uid is in app range, not in VPN range. Traffic goes through per-app default network.
4595 expectPacketSentOnNetId(TEST_UID1, NETID_UNSET, appDefaultFd, UNCONNECTED_SOCKET);
4596 // uid is in both app and VPN range. Traffic goes through VPN.
4597 expectPacketSentOnNetId(TEST_UID2, NETID_UNSET, vpnFd, UNCONNECTED_SOCKET);
4598 }
4599
4600 class VpnLocalRoutesParameterizedTest
4601 : public NetdBinderTest,
4602 public testing::WithParamInterface<std::tuple<int, int, bool, bool, bool, bool>> {
4603 protected:
4604 // Local/non-local addresses based on the route added in
4605 // setupNetworkRoutesForVpnAndDefaultNetworks.
4606 in_addr V4_LOCAL_ADDR = {htonl(0xC0A80008)}; // 192.168.0.8
4607 in_addr V4_APP_LOCAL_ADDR = {htonl(0xAC100008)}; // 172.16.0.8
4608 in_addr V4_GLOBAL_ADDR = {htonl(0x08080808)}; // 8.8.8.8
4609
4610 in6_addr V6_LOCAL_ADDR = {
4611 {// 2001:db8:cafe::1
4612 .u6_addr8 = {0x20, 0x01, 0x0d, 0xb8, 0xca, 0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}}};
4613 in6_addr V6_APP_LOCAL_ADDR = {
4614 {// 2607:f0d0:1234::4
4615 .u6_addr8 = {0x26, 0x07, 0xf0, 0xd0, 0x12, 0x34, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4}}};
4616 in6_addr V6_GLOBAL_ADDR = {
4617 {// 2607:1234:1002::4
4618 .u6_addr8 = {0x26, 0x07, 0x12, 0x34, 0x10, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4}}};
4619 };
4620
4621 const int SEND_TO_GLOBAL = 0;
4622 const int SEND_TO_SYSTEM_DEFAULT_LOCAL = 1;
4623 const int SEND_TO_PER_APP_DEFAULT_LOCAL = 2;
4624
4625 // Exercise the combination of different explicitly selected network, different uid, local/non-local
4626 // address on local route exclusion VPN. E.g.
4627 // explicitlySelected systemDefault + uid in VPN range + no app default + non local address
4628 // explicitlySelected systemDefault + uid in VPN range + has app default + non local address
4629 // explicitlySelected systemDefault + uid in VPN range + has app default + local address
4630 // explicitlySelected appDefault + uid not in VPN range + has app default + non local address
4631 INSTANTIATE_TEST_SUITE_P(
4632 PerAppDefaultNetwork, VpnLocalRoutesParameterizedTest,
4633 testing::Combine(testing::Values(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, NETID_UNSET),
4634 testing::Values(SEND_TO_GLOBAL, SEND_TO_SYSTEM_DEFAULT_LOCAL,
4635 SEND_TO_PER_APP_DEFAULT_LOCAL),
4636 testing::Bool(), testing::Bool(), testing::Bool(), testing::Bool()),
__anon8d4ee1092102(const testing::TestParamInfo<std::tuple<int, int, bool, bool, bool, bool>>& info) 4637 [](const testing::TestParamInfo<std::tuple<int, int, bool, bool, bool, bool>>& info) {
4638 std::string explicitlySelected;
4639 switch (std::get<0>(info.param)) {
4640 case SYSTEM_DEFAULT_NETID:
4641 explicitlySelected = "explicitlySelectedSystemDefault";
4642 break;
4643 case APP_DEFAULT_NETID:
4644 explicitlySelected = "explicitlySelectedAppDefault";
4645 break;
4646 case NETID_UNSET:
4647 explicitlySelected = "implicitlySelected";
4648 break;
4649 default:
4650 explicitlySelected = "InvalidParameter"; // Should not happen.
4651 }
4652
4653 std::string sendToAddr;
4654 switch (std::get<1>(info.param)) {
4655 case SEND_TO_GLOBAL:
4656 sendToAddr = "GlobalAddr";
4657 break;
4658 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4659 sendToAddr = "SystemLocal";
4660 break;
4661 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4662 sendToAddr = "AppLocal";
4663 break;
4664 default:
4665 sendToAddr = "InvalidAddr"; // Should not happen.
4666 }
4667
4668 const std::string isSubjectToVpn = std::get<2>(info.param)
4669 ? std::string("SubjectToVpn")
4670 : std::string("NotSubjectToVpn");
4671
4672 const std::string hasAppDefaultNetwork = std::get<3>(info.param)
4673 ? std::string("HasAppDefault")
4674 : std::string("NothasAppDefault");
4675
4676 const std::string testV6 =
4677 std::get<4>(info.param) ? std::string("v6") : std::string("v4");
4678
4679 // Apply the same or different local address in app default and system default.
4680 const std::string differentLocalRoutes = std::get<5>(info.param)
4681 ? std::string("DifferentLocalRoutes")
4682 : std::string("SameLocalAddr");
4683
4684 return explicitlySelected + "_uid" + isSubjectToVpn + hasAppDefaultNetwork +
4685 "Range_with" + testV6 + sendToAddr + differentLocalRoutes;
4686 });
4687
getTargetIfaceForLocalRoutesExclusion(bool isSubjectToVpn,bool hasAppDefaultNetwork,bool differentLocalRoutes,int sendToAddr,int selectedNetId,int fallthroughFd,int appDefaultFd,int vpnFd)4688 int getTargetIfaceForLocalRoutesExclusion(bool isSubjectToVpn, bool hasAppDefaultNetwork,
4689 bool differentLocalRoutes, int sendToAddr,
4690 int selectedNetId, int fallthroughFd, int appDefaultFd,
4691 int vpnFd) {
4692 int expectedIface;
4693
4694 // Setup the expected interface based on the condition.
4695 if (isSubjectToVpn && hasAppDefaultNetwork) {
4696 switch (sendToAddr) {
4697 case SEND_TO_GLOBAL:
4698 expectedIface = vpnFd;
4699 break;
4700 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4701 // Go to app default if the app default and system default are the same range
4702 // TODO(b/237351736): It should go to VPN if the system local and app local are
4703 // different.
4704 expectedIface = differentLocalRoutes ? fallthroughFd : appDefaultFd;
4705 break;
4706 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4707 expectedIface = appDefaultFd;
4708 break;
4709 default:
4710 expectedIface = -1; // should not happen
4711 }
4712 } else if (isSubjectToVpn && !hasAppDefaultNetwork) {
4713 switch (sendToAddr) {
4714 case SEND_TO_GLOBAL:
4715 expectedIface = vpnFd;
4716 break;
4717 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4718 // TODO(b/237351736): It should go to app default if the system local and app local
4719 // are different.
4720 expectedIface = fallthroughFd;
4721 break;
4722 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4723 // Go to system default if the system default and app default are the same range.
4724 expectedIface = differentLocalRoutes ? vpnFd : fallthroughFd;
4725 break;
4726 default:
4727 expectedIface = -1; // should not happen
4728 }
4729 } else if (!isSubjectToVpn && hasAppDefaultNetwork) {
4730 expectedIface = appDefaultFd;
4731 } else { // !isSubjectToVpn && !hasAppDefaultNetwork
4732 expectedIface = fallthroughFd;
4733 }
4734
4735 // Override the target if it's explicitly selected.
4736 switch (selectedNetId) {
4737 case SYSTEM_DEFAULT_NETID:
4738 expectedIface = fallthroughFd;
4739 break;
4740 case APP_DEFAULT_NETID:
4741 expectedIface = appDefaultFd;
4742 break;
4743 default:
4744 break;
4745 // Based on the uid range.
4746 }
4747
4748 return expectedIface;
4749 }
4750
4751 // Routes configured on the system default network and on the VPN.
4752 // This allows the test to verify the worst case where the physical network and the VPN configure
4753 // the same routes. This ensures that routing is determined by the IP rules and doesn't just happen
4754 // to work because the routes don't overlap. If differentLocalRoutes is false, these routes are also
4755 // configured on the per-app default network.
4756 // For both IPv4 and IPv6, the first route is local, the second is not.
4757 std::vector<std::string> SYSTEM_DEFAULT_ROUTES = {"192.168.0.0/16", "0.0.0.0/0",
4758 "2001:db8:cafe::/48", "::/0"};
4759 // Routes configured on the per-app default network if differentLocalRoutes is true.
4760 // For both IPv4 and IPv6, the first route is local, the second is not.
4761 std::vector<std::string> APP_DEFAULT_ROUTES = {"172.16.0.0/16", "0.0.0.0/0", "2607:f0d0:1234::/48",
4762 "::/0"};
setupNetworkRoutesForVpnAndDefaultNetworks(int systemDefaultNetId,int appDefaultNetId,int vpnNetId,int otherNetId,bool secure,bool testV6,bool differentLocalRoutes,std::vector<UidRangeParcel> && appDefaultUidRanges,std::vector<UidRangeParcel> && vpnUidRanges)4763 void NetdBinderTest::setupNetworkRoutesForVpnAndDefaultNetworks(
4764 int systemDefaultNetId, int appDefaultNetId, int vpnNetId, int otherNetId, bool secure,
4765 bool testV6, bool differentLocalRoutes, std::vector<UidRangeParcel>&& appDefaultUidRanges,
4766 std::vector<UidRangeParcel>&& vpnUidRanges) {
4767 // Create a physical network on sTun, and set it as the system default network
4768 createAndSetDefaultNetwork(systemDefaultNetId, sTun.name());
4769
4770 // Routes are configured to system default, app default and vpn network to verify if the packets
4771 // are routed correctly.
4772
4773 // Setup system default routing.
4774 for (const auto& route : SYSTEM_DEFAULT_ROUTES) {
4775 EXPECT_TRUE(mNetd->networkAddRoute(systemDefaultNetId, sTun.name(), route, "").isOk());
4776 }
4777
4778 // Create another physical network on sTun2 as per app default network
4779 createPhysicalNetwork(appDefaultNetId, sTun2.name());
4780
4781 // Setup app default routing.
4782 std::vector<std::string> appDefaultRoutes =
4783 (differentLocalRoutes ? APP_DEFAULT_ROUTES : SYSTEM_DEFAULT_ROUTES);
4784 for (const auto& route : appDefaultRoutes) {
4785 EXPECT_TRUE(mNetd->networkAddRoute(appDefaultNetId, sTun2.name(), route, "").isOk());
4786 }
4787
4788 // Create a bypassable VPN on sTun3.
4789 auto config = makeNativeNetworkConfig(vpnNetId, NativeNetworkType::VIRTUAL,
4790 INetd::PERMISSION_NONE, secure, true);
4791 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4792 EXPECT_TRUE(mNetd->networkAddInterface(vpnNetId, sTun3.name()).isOk());
4793
4794 // Setup vpn routing.
4795 for (const auto& route : SYSTEM_DEFAULT_ROUTES) {
4796 EXPECT_TRUE(mNetd->networkAddRoute(vpnNetId, sTun3.name(), route, "").isOk());
4797 }
4798
4799 // Create another interface that is neither system default nor the app default to make sure
4800 // the traffic won't be mis-routed.
4801 createPhysicalNetwork(otherNetId, sTun4.name());
4802 EXPECT_TRUE(mNetd->networkAddRoute(otherNetId, sTun4.name(), testV6 ? "::/0" : "0.0.0.0/0", "")
4803 .isOk());
4804 // Add per-app uid ranges.
4805 EXPECT_TRUE(mNetd->networkAddUidRanges(appDefaultNetId, appDefaultUidRanges).isOk());
4806
4807 // Add VPN uid ranges.
4808 EXPECT_TRUE(mNetd->networkAddUidRanges(vpnNetId, vpnUidRanges).isOk());
4809 }
4810
4811 // Rules are in approximately the following order for bypassable VPNs that allow local network
4812 // access:
4813 // - Local routes to the per-app default network (UID guarded)
4814 // - Local routes to the system default network
4815 // - Both local and global routs to VPN network (UID guarded)
4816 // - Global routes to per-app default network(UID guarded)
4817 // - Global routes to system default network
TEST_P(VpnLocalRoutesParameterizedTest,localRoutesExclusion)4818 TEST_P(VpnLocalRoutesParameterizedTest, localRoutesExclusion) {
4819 int selectedNetId;
4820 int sendToAddr;
4821 bool isSubjectToVpn;
4822 bool hasAppDefaultNetwork;
4823 bool testV6;
4824 bool differentLocalRoutes;
4825
4826 std::tie(selectedNetId, sendToAddr, isSubjectToVpn, hasAppDefaultNetwork, testV6,
4827 differentLocalRoutes) = GetParam();
4828
4829 setupNetworkRoutesForVpnAndDefaultNetworks(
4830 SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID, TEST_NETID4, false /* secure */,
4831 testV6, differentLocalRoutes,
4832 // Setup uid ranges for app default and VPN. Configure TEST_UID2 into both app default
4833 // and VPN to verify the behavior when the uid exists in both network.
4834 {makeUidRangeParcel(TEST_UID2, TEST_UID1)}, {makeUidRangeParcel(TEST_UID3, TEST_UID2)});
4835
4836 int fallthroughFd = sTun.getFdForTesting();
4837 int appDefaultFd = sTun2.getFdForTesting();
4838 int vpnFd = sTun3.getFdForTesting();
4839
4840 // Explicitly select network
4841 setNetworkForProcess(selectedNetId);
4842
4843 int targetUid;
4844
4845 // Setup the expected testing uid
4846 if (isSubjectToVpn) {
4847 if (hasAppDefaultNetwork) {
4848 targetUid = TEST_UID2;
4849 } else {
4850 targetUid = TEST_UID3;
4851 }
4852 } else {
4853 if (hasAppDefaultNetwork) {
4854 targetUid = TEST_UID1;
4855 } else {
4856 targetUid = TEST_UID4; // Not in any of the UID ranges.
4857 }
4858 }
4859
4860 // Get expected interface for the traffic.
4861 int expectedIface = getTargetIfaceForLocalRoutesExclusion(
4862 isSubjectToVpn, hasAppDefaultNetwork, differentLocalRoutes, sendToAddr, selectedNetId,
4863 fallthroughFd, appDefaultFd, vpnFd);
4864
4865 // Verify the packets are sent to the expected interface.
4866 Fwmark fwmark;
4867 if (testV6) {
4868 in6_addr addr;
4869 switch (sendToAddr) {
4870 case SEND_TO_GLOBAL:
4871 addr = V6_GLOBAL_ADDR;
4872 break;
4873 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4874 addr = V6_LOCAL_ADDR;
4875 break;
4876 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4877 addr = differentLocalRoutes ? V6_APP_LOCAL_ADDR : V6_LOCAL_ADDR;
4878 break;
4879 default:
4880 break;
4881 // should not happen
4882 }
4883 EXPECT_TRUE(sendIPv6PacketFromUid(targetUid, addr, &fwmark, expectedIface));
4884 } else {
4885 in_addr addr;
4886 switch (sendToAddr) {
4887 case SEND_TO_GLOBAL:
4888 addr = V4_GLOBAL_ADDR;
4889 break;
4890 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4891 addr = V4_LOCAL_ADDR;
4892 break;
4893 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4894 addr = differentLocalRoutes ? V4_APP_LOCAL_ADDR : V4_LOCAL_ADDR;
4895 break;
4896 default:
4897 break;
4898 // should not happen
4899 }
4900
4901 EXPECT_TRUE(sendIPv4PacketFromUid(targetUid, addr, &fwmark, expectedIface));
4902 }
4903 }
4904
TEST_F(NetdBinderTest,NetworkCreate)4905 TEST_F(NetdBinderTest, NetworkCreate) {
4906 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
4907 INetd::PERMISSION_NONE, false, false);
4908 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4909 EXPECT_TRUE(mNetd->networkDestroy(config.netId).isOk());
4910
4911 config.networkType = NativeNetworkType::VIRTUAL;
4912 config.secure = true;
4913 config.vpnType = NativeVpnType::OEM;
4914 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4915
4916 // invalid network type
4917 auto wrongConfig = makeNativeNetworkConfig(TEST_NETID2, static_cast<NativeNetworkType>(-1),
4918 INetd::PERMISSION_NONE, false, false);
4919 EXPECT_EQ(EINVAL, mNetd->networkCreate(wrongConfig).serviceSpecificErrorCode());
4920
4921 // invalid VPN type
4922 wrongConfig.networkType = NativeNetworkType::VIRTUAL;
4923 wrongConfig.vpnType = static_cast<NativeVpnType>(-1);
4924 EXPECT_EQ(EINVAL, mNetd->networkCreate(wrongConfig).serviceSpecificErrorCode());
4925 }
4926
4927 // Verifies valid and invalid inputs on networkAddUidRangesParcel method.
TEST_F(NetdBinderTest,UidRangeSubPriority_ValidateInputs)4928 TEST_F(NetdBinderTest, UidRangeSubPriority_ValidateInputs) {
4929 createVpnAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID,
4930 /*isSecureVPN=*/true);
4931 // Invalid priority -10 on a physical network.
4932 NativeUidRangeConfig uidRangeConfig =
4933 makeNativeUidRangeConfig(APP_DEFAULT_NETID, {makeUidRangeParcel(BASE_UID, BASE_UID)},
4934 UidRanges::SUB_PRIORITY_HIGHEST - 10);
4935 binder::Status status = mNetd->networkAddUidRangesParcel(uidRangeConfig);
4936 EXPECT_FALSE(status.isOk());
4937 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4938
4939 // Invalid priority 1000 on a physical network.
4940 uidRangeConfig.subPriority = UidRanges::SUB_PRIORITY_NO_DEFAULT + 1;
4941 status = mNetd->networkAddUidRangesParcel(uidRangeConfig);
4942 EXPECT_FALSE(status.isOk());
4943 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4944
4945 // Virtual networks support only default priority.
4946 uidRangeConfig.netId = VPN_NETID;
4947 uidRangeConfig.subPriority = SUB_PRIORITY_1;
4948 status = mNetd->networkAddUidRangesParcel(uidRangeConfig);
4949 EXPECT_FALSE(status.isOk());
4950 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4951
4952 // For a single network, identical UID ranges with different priorities are allowed.
4953 uidRangeConfig.netId = APP_DEFAULT_NETID;
4954 uidRangeConfig.subPriority = SUB_PRIORITY_1;
4955 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig).isOk());
4956 uidRangeConfig.subPriority = SUB_PRIORITY_2;
4957 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig).isOk());
4958
4959 // Overlapping ranges is invalid.
4960 uidRangeConfig.uidRanges = {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1),
4961 makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1)};
4962 status = mNetd->networkAddUidRangesParcel(uidRangeConfig);
4963 EXPECT_FALSE(status.isOk());
4964 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4965 }
4966
4967 // Examines whether IP rules for app default network with subsidiary priorities are correctly added
4968 // and removed.
TEST_F(NetdBinderTest,UidRangeSubPriority_VerifyPhysicalNwIpRules)4969 TEST_F(NetdBinderTest, UidRangeSubPriority_VerifyPhysicalNwIpRules) {
4970 createPhysicalNetwork(TEST_NETID1, sTun.name());
4971 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
4972 createPhysicalNetwork(TEST_NETID2, sTun2.name());
4973 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "::/0", "").isOk());
4974
4975 // Adds priority 1 setting
4976 NativeUidRangeConfig uidRangeConfig1 = makeNativeUidRangeConfig(
4977 TEST_NETID1, {makeUidRangeParcel(BASE_UID, BASE_UID)}, SUB_PRIORITY_1);
4978 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig1).isOk());
4979 verifyAppUidRules({true}, uidRangeConfig1, sTun.name());
4980 // Adds priority 2 setting
4981 NativeUidRangeConfig uidRangeConfig2 = makeNativeUidRangeConfig(
4982 TEST_NETID2, {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1)}, SUB_PRIORITY_2);
4983 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig2).isOk());
4984 verifyAppUidRules({true}, uidRangeConfig2, sTun2.name());
4985 // Adds another priority 2 setting
4986 NativeUidRangeConfig uidRangeConfig3 = makeNativeUidRangeConfig(
4987 INetd::UNREACHABLE_NET_ID, {makeUidRangeParcel(BASE_UID + 2, BASE_UID + 2)},
4988 SUB_PRIORITY_2);
4989 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig3).isOk());
4990 verifyAppUidRules({true}, uidRangeConfig3, "");
4991
4992 // Removes.
4993 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig1).isOk());
4994 verifyAppUidRules({false}, uidRangeConfig1, sTun.name());
4995 verifyAppUidRules({true}, uidRangeConfig2, sTun2.name());
4996 verifyAppUidRules({true}, uidRangeConfig3, "");
4997 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig2).isOk());
4998 verifyAppUidRules({false}, uidRangeConfig1, sTun.name());
4999 verifyAppUidRules({false}, uidRangeConfig2, sTun2.name());
5000 verifyAppUidRules({true}, uidRangeConfig3, "");
5001 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig3).isOk());
5002 verifyAppUidRules({false}, uidRangeConfig1, sTun.name());
5003 verifyAppUidRules({false}, uidRangeConfig2, sTun2.name());
5004 verifyAppUidRules({false}, uidRangeConfig3, "");
5005 }
5006
5007 // Verify uid range rules on virtual network.
TEST_P(VpnParameterizedTest,UidRangeSubPriority_VerifyVpnIpRules)5008 TEST_P(VpnParameterizedTest, UidRangeSubPriority_VerifyVpnIpRules) {
5009 const bool isSecureVPN = GetParam();
5010 constexpr int VPN_NETID2 = TEST_NETID2;
5011
5012 // Create 2 VPNs, using sTun and sTun2.
5013 auto config = makeNativeNetworkConfig(VPN_NETID, NativeNetworkType::VIRTUAL,
5014 INetd::PERMISSION_NONE, isSecureVPN, false);
5015 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
5016 EXPECT_TRUE(mNetd->networkAddInterface(VPN_NETID, sTun.name()).isOk());
5017
5018 config = makeNativeNetworkConfig(VPN_NETID2, NativeNetworkType::VIRTUAL, INetd::PERMISSION_NONE,
5019 isSecureVPN, false);
5020 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
5021 EXPECT_TRUE(mNetd->networkAddInterface(VPN_NETID2, sTun2.name()).isOk());
5022
5023 // Assign uid ranges to different VPNs. Check if rules match.
5024 NativeUidRangeConfig uidRangeConfig1 = makeNativeUidRangeConfig(
5025 VPN_NETID, {makeUidRangeParcel(BASE_UID, BASE_UID)}, UidRanges::SUB_PRIORITY_HIGHEST);
5026 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig1).isOk());
5027 verifyVpnUidRules({true}, uidRangeConfig1, sTun.name(), isSecureVPN, false);
5028
5029 NativeUidRangeConfig uidRangeConfig2 =
5030 makeNativeUidRangeConfig(VPN_NETID2, {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1)},
5031 UidRanges::SUB_PRIORITY_HIGHEST);
5032 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig2).isOk());
5033 verifyVpnUidRules({true}, uidRangeConfig2, sTun2.name(), isSecureVPN, false);
5034
5035 // Remove uid configs one-by-one. Check if rules match.
5036 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig1).isOk());
5037 verifyVpnUidRules({false}, uidRangeConfig1, sTun.name(), isSecureVPN, false);
5038 verifyVpnUidRules({true}, uidRangeConfig2, sTun2.name(), isSecureVPN, false);
5039 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig2).isOk());
5040 verifyVpnUidRules({false}, uidRangeConfig1, sTun.name(), isSecureVPN, false);
5041 verifyVpnUidRules({false}, uidRangeConfig2, sTun2.name(), isSecureVPN, false);
5042 }
5043
5044 // Verify VPN ip rule on bypassable/secureVPN virtual network with local routes excluded
TEST_P(VpnParameterizedTest,VerifyVpnIpRules_excludeLocalRoutes)5045 TEST_P(VpnParameterizedTest, VerifyVpnIpRules_excludeLocalRoutes) {
5046 const bool isSecureVPN = GetParam();
5047 // Create VPN with local route excluded
5048 auto config = makeNativeNetworkConfig(VPN_NETID, NativeNetworkType::VIRTUAL,
5049 INetd::PERMISSION_NONE, isSecureVPN, true);
5050 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
5051 EXPECT_TRUE(mNetd->networkAddInterface(VPN_NETID, sTun.name()).isOk());
5052
5053 // Assign uid ranges to VPN. Check if rules match.
5054 NativeUidRangeConfig uidRangeConfig1 = makeNativeUidRangeConfig(
5055 VPN_NETID, {makeUidRangeParcel(BASE_UID, BASE_UID)}, UidRanges::SUB_PRIORITY_HIGHEST);
5056 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig1).isOk());
5057 verifyVpnUidRules({true}, uidRangeConfig1, sTun.name(), isSecureVPN, true);
5058
5059 // Remove uid configs. Check if rules match.
5060 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig1).isOk());
5061 verifyVpnUidRules({false}, uidRangeConfig1, sTun.name(), isSecureVPN, true);
5062 }
5063
5064 // Verify if packets go through the right network when subsidiary priority and VPN works together.
5065 //
5066 // Test config:
5067 // +----------+------------------------+-------------------------------------------+
5068 // | Priority | UID | Assigned Network |
5069 // +----------+------------------------+-------------------------------------------+
5070 // | 0 | TEST_UID1 | VPN bypassable (VPN_NETID) |
5071 // +----------+------------------------+-------------------------------------------+
5072 // | 1 | TEST_UID1, TEST_UID2, | Physical Network 1 (APP_DEFAULT_1_NETID) |
5073 // | 1 | TEST_UID3 | Physical Network 2 (APP_DEFAULT_2_NETID) |
5074 // | 1 | TEST_UID5 | Unreachable Network (UNREACHABLE_NET_ID) |
5075 // +----------+------------------------+-------------------------------------------+
5076 // | 2 | TEST_UID3 | Physical Network 1 (APP_DEFAULT_1_NETID) |
5077 // | 2 | TEST_UID4, TEST_UID5 | Physical Network 2 (APP_DEFAULT_2_NETID) |
5078 // +----------+------------------------+-------------------------------------------+
5079 //
5080 // Expected results:
5081 // +-----------+------------------------+
5082 // | UID | Using Network |
5083 // +-----------+------------------------+
5084 // | TEST_UID1 | VPN |
5085 // | TEST_UID2 | Physical Network 1 |
5086 // | TEST_UID3 | Physical Network 2 |
5087 // | TEST_UID4 | Physical Network 2 |
5088 // | TEST_UID5 | Unreachable Network |
5089 // | TEST_UID6 | System Default Network |
5090 // +-----------+------------------------+
5091 //
5092 // SYSTEM_DEFAULT_NETID uses sTun.
5093 // APP_DEFAULT_1_NETID uses sTun2.
5094 // VPN_NETID uses sTun3.
5095 // APP_DEFAULT_2_NETID uses sTun4.
5096 //
TEST_F(NetdBinderTest,UidRangeSubPriority_ImplicitlySelectNetwork)5097 TEST_F(NetdBinderTest, UidRangeSubPriority_ImplicitlySelectNetwork) {
5098 constexpr int APP_DEFAULT_1_NETID = TEST_NETID2;
5099 constexpr int APP_DEFAULT_2_NETID = TEST_NETID4;
5100
5101 static const struct TestData {
5102 uint32_t subPriority;
5103 std::vector<UidRangeParcel> uidRanges;
5104 unsigned int netId;
5105 } kTestData[] = {
5106 {UidRanges::SUB_PRIORITY_HIGHEST, {makeUidRangeParcel(TEST_UID1)}, VPN_NETID},
5107 {SUB_PRIORITY_1,
5108 {makeUidRangeParcel(TEST_UID1), makeUidRangeParcel(TEST_UID2)},
5109 APP_DEFAULT_1_NETID},
5110 {SUB_PRIORITY_1, {makeUidRangeParcel(TEST_UID3)}, APP_DEFAULT_2_NETID},
5111 {SUB_PRIORITY_1, {makeUidRangeParcel(TEST_UID5)}, INetd::UNREACHABLE_NET_ID},
5112 {SUB_PRIORITY_2, {makeUidRangeParcel(TEST_UID3)}, APP_DEFAULT_1_NETID},
5113 {SUB_PRIORITY_2,
5114 {makeUidRangeParcel(TEST_UID4), makeUidRangeParcel(TEST_UID5)},
5115 APP_DEFAULT_2_NETID},
5116 };
5117
5118 // Creates 4 networks.
5119 createVpnAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_1_NETID, VPN_NETID,
5120 /*isSecureVPN=*/false);
5121 createPhysicalNetwork(APP_DEFAULT_2_NETID, sTun4.name());
5122 EXPECT_TRUE(mNetd->networkAddRoute(APP_DEFAULT_2_NETID, sTun4.name(), "::/0", "").isOk());
5123
5124 for (const auto& td : kTestData) {
5125 NativeUidRangeConfig uidRangeConfig =
5126 makeNativeUidRangeConfig(td.netId, td.uidRanges, td.subPriority);
5127 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig).isOk());
5128 }
5129
5130 int systemDefaultFd = sTun.getFdForTesting();
5131 int appDefault_1_Fd = sTun2.getFdForTesting();
5132 int vpnFd = sTun3.getFdForTesting();
5133 int appDefault_2_Fd = sTun4.getFdForTesting();
5134 // Verify routings.
5135 expectPacketSentOnNetId(TEST_UID1, VPN_NETID, vpnFd, IMPLICITLY_SELECT);
5136 expectPacketSentOnNetId(TEST_UID2, APP_DEFAULT_1_NETID, appDefault_1_Fd, IMPLICITLY_SELECT);
5137 expectPacketSentOnNetId(TEST_UID3, APP_DEFAULT_2_NETID, appDefault_2_Fd, IMPLICITLY_SELECT);
5138 expectPacketSentOnNetId(TEST_UID4, APP_DEFAULT_2_NETID, appDefault_2_Fd, IMPLICITLY_SELECT);
5139 expectUnreachableError(TEST_UID5, INetd::UNREACHABLE_NET_ID, IMPLICITLY_SELECT);
5140 expectPacketSentOnNetId(TEST_UID6, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
5141
5142 // Remove test rules from the unreachable network.
5143 for (const auto& td : kTestData) {
5144 if (td.netId == INetd::UNREACHABLE_NET_ID) {
5145 NativeUidRangeConfig uidRangeConfig =
5146 makeNativeUidRangeConfig(td.netId, td.uidRanges, td.subPriority);
5147 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig).isOk());
5148 }
5149 }
5150 }
5151
5152 class PerAppNetworkPermissionsTest : public NetdBinderTest {
5153 public:
bindSocketToNetwork(int sock,int netId,bool explicitlySelected)5154 int bindSocketToNetwork(int sock, int netId, bool explicitlySelected) {
5155 ScopedUidChange uidChange(AID_ROOT);
5156 Fwmark fwmark;
5157 fwmark.explicitlySelected = explicitlySelected;
5158 fwmark.netId = netId;
5159 return setsockopt(sock, SOL_SOCKET, SO_MARK, &(fwmark.intValue), sizeof(fwmark.intValue));
5160 }
5161
changeNetworkPermissionForUid(int netId,int uid,bool add)5162 void changeNetworkPermissionForUid(int netId, int uid, bool add) {
5163 auto nativeUidRangeConfig = makeNativeUidRangeConfig(netId, {makeUidRangeParcel(uid, uid)},
5164 UidRanges::SUB_PRIORITY_NO_DEFAULT);
5165 ScopedUidChange rootUid(AID_ROOT);
5166 if (add) {
5167 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(nativeUidRangeConfig).isOk());
5168 } else {
5169 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(nativeUidRangeConfig).isOk());
5170 }
5171 }
5172
5173 protected:
5174 static inline const sockaddr_in6 TEST_SOCKADDR_IN6 = {
5175 .sin6_family = AF_INET6,
5176 .sin6_port = 42,
5177 .sin6_addr = V6_ADDR,
5178 };
5179 std::array<char, 4096> mTestBuf;
5180 };
5181
TEST_F(PerAppNetworkPermissionsTest,HasExplicitAccess)5182 TEST_F(PerAppNetworkPermissionsTest, HasExplicitAccess) {
5183 // TEST_NETID1 -> restricted network
5184 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_SYSTEM);
5185 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5186
5187 // Change uid to uid without PERMISSION_SYSTEM
5188 ScopedUidChange testUid(TEST_UID1);
5189 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5190 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5191
5192 // Test without permissions should fail
5193 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5194
5195 // Test access with permission succeeds and packet is routed correctly
5196 changeNetworkPermissionForUid(TEST_NETID1, TEST_UID1, true /*add*/);
5197 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), 0);
5198 EXPECT_EQ(send(sock, "foo", sizeof("foo"), 0), (int)sizeof("foo"));
5199 EXPECT_GT(read(sTun.getFdForTesting(), mTestBuf.data(), mTestBuf.size()), 0);
5200
5201 // Test removing permissions.
5202 // Note: Send will still succeed as the destination is cached in
5203 // sock.sk_dest_cache. Try another connect instead.
5204 changeNetworkPermissionForUid(TEST_NETID1, TEST_UID1, false /*add*/);
5205 EXPECT_EQ(-1, connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)));
5206 }
5207
TEST_F(PerAppNetworkPermissionsTest,HasImplicitAccess)5208 TEST_F(PerAppNetworkPermissionsTest, HasImplicitAccess) {
5209 // TEST_NETID1 -> restricted network
5210 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_SYSTEM);
5211 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5212
5213 // Change uid to uid without PERMISSION_SYSTEM
5214 ScopedUidChange testUid(TEST_UID1);
5215 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5216 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, false /*explicitlySelected*/), 0);
5217
5218 // Note: we cannot call connect() when implicitly selecting the network as
5219 // the fwmark would get reset to the default network.
5220 // Call connect which should bind socket to default network
5221 EXPECT_EQ(sendto(sock, "foo", sizeof("foo"), 0, (sockaddr*)&TEST_SOCKADDR_IN6,
5222 sizeof(TEST_SOCKADDR_IN6)),
5223 -1);
5224
5225 // Test access with permission succeeds and packet is routed correctly
5226 changeNetworkPermissionForUid(TEST_NETID1, TEST_UID1, true /*add*/);
5227 EXPECT_EQ(sendto(sock, "foo", sizeof("foo"), 0, (sockaddr*)&TEST_SOCKADDR_IN6,
5228 sizeof(TEST_SOCKADDR_IN6)),
5229 (int)sizeof("foo"));
5230 EXPECT_GT(read(sTun.getFdForTesting(), mTestBuf.data(), mTestBuf.size()), 0);
5231 }
5232
TEST_F(PerAppNetworkPermissionsTest,DoesNotAffectDefaultNetworkSelection)5233 TEST_F(PerAppNetworkPermissionsTest, DoesNotAffectDefaultNetworkSelection) {
5234 // TEST_NETID1 -> default network
5235 // TEST_NETID2 -> restricted network
5236 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_NONE);
5237 createPhysicalNetwork(TEST_NETID2, sTun2.name(), INetd::PERMISSION_SYSTEM);
5238 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5239 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "::/0", "").isOk());
5240 mNetd->networkSetDefault(TEST_NETID1);
5241
5242 changeNetworkPermissionForUid(TEST_NETID2, TEST_UID1, true /*add*/);
5243
5244 // Change uid to uid without PERMISSION_SYSTEM
5245 ScopedUidChange testUid(TEST_UID1);
5246 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5247
5248 // Connect should select default network
5249 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), 0);
5250 EXPECT_EQ(send(sock, "foo", sizeof("foo"), 0), (int)sizeof("foo"));
5251 EXPECT_GT(read(sTun.getFdForTesting(), mTestBuf.data(), mTestBuf.size()), 0);
5252 }
5253
TEST_F(PerAppNetworkPermissionsTest,PermissionDoesNotAffectPerAppDefaultNetworkSelection)5254 TEST_F(PerAppNetworkPermissionsTest, PermissionDoesNotAffectPerAppDefaultNetworkSelection) {
5255 // TEST_NETID1 -> restricted app default network
5256 // TEST_NETID2 -> restricted network
5257 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_SYSTEM);
5258 createPhysicalNetwork(TEST_NETID2, sTun2.name(), INetd::PERMISSION_SYSTEM);
5259 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5260 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "::/0", "").isOk());
5261
5262 auto nativeUidRangeConfig = makeNativeUidRangeConfig(
5263 TEST_NETID1, {makeUidRangeParcel(TEST_UID1, TEST_UID1)}, 0 /*subPriority*/);
5264 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(nativeUidRangeConfig).isOk());
5265 changeNetworkPermissionForUid(TEST_NETID2, TEST_UID1, true /*add*/);
5266
5267 // Change uid to uid without PERMISSION_SYSTEM
5268 ScopedUidChange testUid(TEST_UID1);
5269 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5270
5271 // Connect should select app default network
5272 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), 0);
5273 EXPECT_EQ(send(sock, "foo", sizeof("foo"), 0), (int)sizeof("foo"));
5274 EXPECT_GT(read(sTun.getFdForTesting(), mTestBuf.data(), mTestBuf.size()), 0);
5275 }
5276
TEST_F(PerAppNetworkPermissionsTest,PermissionOnlyAffectsUid)5277 TEST_F(PerAppNetworkPermissionsTest, PermissionOnlyAffectsUid) {
5278 // TEST_NETID1 -> restricted network
5279 // TEST_NETID2 -> restricted network
5280 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_SYSTEM);
5281 createPhysicalNetwork(TEST_NETID2, sTun2.name(), INetd::PERMISSION_SYSTEM);
5282 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5283 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "::/0", "").isOk());
5284
5285 // test that neither TEST_UID1, nor TEST_UID2 have access without permission
5286 {
5287 // TEST_UID1
5288 ScopedUidChange testUid(TEST_UID1);
5289 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5290 // TEST_NETID1
5291 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5292 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5293 // TEST_NETID2
5294 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID2, true /*explicitlySelected*/), 0);
5295 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5296 }
5297 {
5298 // TEST_UID2
5299 ScopedUidChange testUid(TEST_UID2);
5300 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5301 // TEST_NETID1
5302 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5303 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5304 // TEST_NETID2
5305 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID2, true /*explicitlySelected*/), 0);
5306 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5307 }
5308
5309 changeNetworkPermissionForUid(TEST_NETID1, TEST_UID1, true);
5310
5311 // test that TEST_UID1 has access to TEST_UID1
5312 {
5313 // TEST_UID1
5314 ScopedUidChange testUid(TEST_UID1);
5315 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5316 // TEST_NETID1
5317 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5318 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), 0);
5319 // TEST_NETID2
5320 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID2, true /*explicitlySelected*/), 0);
5321 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5322 }
5323 {
5324 // TEST_UID2
5325 ScopedUidChange testUid(TEST_UID2);
5326 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5327 // TEST_NETID1
5328 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5329 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5330 // TEST_NETID2
5331 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID2, true /*explicitlySelected*/), 0);
5332 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5333 }
5334 }
5335
5336 // Creates a system default network and 3 enterprise networks for two profiles. Check if network
5337 // selection in compliance with network allow list settings.
5338 //
5339 // +-----------+-----------------------+----------------------------------------+
5340 // | UID | UID's default network | UID can select networks |
5341 // +-----------+-----------------------+----------------------------------------+
5342 // | TEST_UID1 | ENTERPRISE_NETID_1 | ENTERPRISE_NETID_1, ENTERPRISE_NETID_2 |
5343 // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_3 |
5344 // +-----------+-----------------------+----------------------------------------+
TEST_F(NetdBinderTest,PerProfileNetworkPermission)5345 TEST_F(NetdBinderTest, PerProfileNetworkPermission) {
5346 // creates 4 networks
5347 createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, ENTERPRISE_NETID_1);
5348 createPhysicalNetwork(ENTERPRISE_NETID_2, sTun3.name());
5349 EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_2, sTun3.name(), "::/0", "").isOk());
5350 createPhysicalNetwork(ENTERPRISE_NETID_3, sTun4.name());
5351 EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_3, sTun4.name(), "::/0", "").isOk());
5352
5353 // profile#1
5354 // UidRanges::SUB_PRIORITY_HIGHEST + 20 = PREFERENCE_ORDER_PROFILE, which is defined in
5355 // ConnectivityService.java. The value here doesn't really matter because user allowed network
5356 // does not depends on specific sub-priority.
5357 NativeUidRangeConfig cfg1 =
5358 makeNativeUidRangeConfig(ENTERPRISE_NETID_1, {makeUidRangeParcel(TEST_UID1, TEST_UID1)},
5359 UidRanges::SUB_PRIORITY_HIGHEST + 20);
5360 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(cfg1).isOk());
5361
5362 // profile#2
5363 NativeUidRangeConfig cfg2 =
5364 makeNativeUidRangeConfig(ENTERPRISE_NETID_3, {makeUidRangeParcel(TEST_UID2, TEST_UID2)},
5365 UidRanges::SUB_PRIORITY_HIGHEST + 20);
5366 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(cfg2).isOk());
5367
5368 // setNetworkAllowlist at once
5369 // all uids except for TEST_UID2
5370 NativeUidRangeConfig nw1UserConfig = makeNativeUidRangeConfig(
5371 ENTERPRISE_NETID_1,
5372 {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)},
5373 /*unused*/ 0);
5374 NativeUidRangeConfig nw2UserConfig = makeNativeUidRangeConfig(
5375 ENTERPRISE_NETID_2,
5376 {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)},
5377 /*unused*/ 0);
5378 // all uids except for TEST_UID1
5379 NativeUidRangeConfig nw3UserConfig = makeNativeUidRangeConfig(
5380 ENTERPRISE_NETID_3, {makeUidRangeParcel(0, TEST_UID2)}, /*unused*/ 0);
5381 // all uids except for TEST_UID1 and TEST_UID2
5382 NativeUidRangeConfig nwDefaultUserConfig = makeNativeUidRangeConfig(
5383 SYSTEM_DEFAULT_NETID, {makeUidRangeParcel(0, TEST_UID3)}, /*unused*/ 0);
5384 EXPECT_TRUE(mNetd->setNetworkAllowlist(
5385 {nw1UserConfig, nw2UserConfig, nw3UserConfig, nwDefaultUserConfig})
5386 .isOk());
5387
5388 { // Can set network for process on allowed networks.
5389 ScopedUidChange scopedUidChange(TEST_UID1);
5390 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5391 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
5392 // Can not set network for process on not allowed networks.
5393 EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5394 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_3));
5395 }
5396 { // Can set network for process on allowed networks.
5397 ScopedUidChange scopedUidChange(TEST_UID2);
5398 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
5399 // Can not set network for process on not allowed networks.
5400 EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5401 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_1));
5402 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_2));
5403 }
5404 { // Root can use whatever network it wants.
5405 ScopedUidChange scopedUidChange(AID_ROOT);
5406 EXPECT_EQ(0, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5407 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5408 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
5409 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
5410 }
5411
5412 // Update setting: remove ENTERPRISE_NETID_2 from profile#1's allowed network list and add it to
5413 // profile#2's allowed network list.
5414 // +-----------+-----------------------+----------------------------------------+
5415 // | UID | UID's default network | UID can select networks |
5416 // +-----------+-----------------------+----------------------------------------+
5417 // | TEST_UID1 | ENTERPRISE_NETID_1 | ENTERPRISE_NETID_1 |
5418 // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_2, ENTERPRISE_NETID_3 |
5419 // +-----------+-----------------------+----------------------------------------+
5420
5421 // all uids except for TEST_UID2
5422 nw1UserConfig = makeNativeUidRangeConfig(
5423 ENTERPRISE_NETID_1,
5424 {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)},
5425 /*unused*/ 0);
5426 // all uids except for TEST_UID1
5427 nw2UserConfig = makeNativeUidRangeConfig(ENTERPRISE_NETID_2, {makeUidRangeParcel(0, TEST_UID2)},
5428 /*unused*/ 0);
5429 nw3UserConfig = makeNativeUidRangeConfig(ENTERPRISE_NETID_3, {makeUidRangeParcel(0, TEST_UID2)},
5430 /*unused*/ 0);
5431 // all uids except for TEST_UID1 and TEST_UID2
5432 nwDefaultUserConfig = makeNativeUidRangeConfig(
5433 SYSTEM_DEFAULT_NETID, {makeUidRangeParcel(0, TEST_UID3)}, /*unused*/ 0);
5434 EXPECT_TRUE(mNetd->setNetworkAllowlist(
5435 {nw1UserConfig, nw2UserConfig, nw3UserConfig, nwDefaultUserConfig})
5436 .isOk());
5437
5438 {
5439 ScopedUidChange scopedUidChange(TEST_UID1);
5440 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5441 EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5442 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_2));
5443 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_3));
5444 }
5445 {
5446 ScopedUidChange scopedUidChange(TEST_UID2);
5447 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
5448 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
5449 EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5450 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_1));
5451 }
5452
5453 // UID not restricted by allowed list can select all networks.
5454 {
5455 ScopedUidChange scopedUidChange(TEST_UID3);
5456 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5457 EXPECT_EQ(0, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5458 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
5459 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
5460 }
5461
5462 // Update setting: remove ENTERPRISE_NETID_1 from profile#1's allowed network list
5463 // +-----------+-----------------------+----------------------------------------+
5464 // | UID | UID's default network | UID can select networks |
5465 // +-----------+-----------------------+----------------------------------------+
5466 // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_2, ENTERPRISE_NETID_3 |
5467 // +-----------+-----------------------+----------------------------------------+
5468 EXPECT_TRUE(
5469 mNetd->setNetworkAllowlist({nw2UserConfig, nw3UserConfig, nwDefaultUserConfig}).isOk());
5470
5471 // All UIDs should be able to use ENTERPRISE_NETID_1.
5472 for (const int uid : {TEST_UID1, TEST_UID2, TEST_UID3}) {
5473 {
5474 ScopedUidChange scopedUidChange(uid);
5475 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5476 }
5477 }
5478 }
5479
5480 namespace {
5481
5482 class ScopedIfaceRouteOperation {
5483 using IfaceCmd = std::tuple<int32_t, const std::string>;
5484 using RouteCmd = std::tuple<int32_t, const std::string, const std::string, const std::string>;
5485
5486 // Helper type for the visitor.
5487 template <class... Ts>
5488 struct overloaded : Ts... {
5489 using Ts::operator()...;
5490 };
5491 // Explicit deduction guide
5492 template <class... Ts>
5493 overloaded(Ts...) -> overloaded<Ts...>;
5494
5495 public:
ScopedIfaceRouteOperation(sp<INetd> netd)5496 ScopedIfaceRouteOperation(sp<INetd> netd) : mNetd(netd) {}
5497
addInterface(int32_t netId,const std::string & iface)5498 binder::Status addInterface(int32_t netId, const std::string& iface) {
5499 const binder::Status status = mNetd->networkAddInterface(netId, iface);
5500 if (status.isOk()) {
5501 mCmds.push_back(std::make_tuple(netId, iface));
5502 }
5503 return status;
5504 }
5505
addRoute(int32_t netId,const std::string & iface,const std::string & destination,const std::string & nextHop)5506 binder::Status addRoute(int32_t netId, const std::string& iface, const std::string& destination,
5507 const std::string& nextHop) {
5508 const binder::Status status = mNetd->networkAddRoute(netId, iface, destination, nextHop);
5509 if (status.isOk()) {
5510 mCmds.push_back(std::make_tuple(netId, iface, destination, nextHop));
5511 }
5512 return status;
5513 }
5514
~ScopedIfaceRouteOperation()5515 ~ScopedIfaceRouteOperation() {
5516 // Remove routes and interfaces in reverse order.
5517 for (std::vector<std::variant<IfaceCmd, RouteCmd>>::reverse_iterator iter = mCmds.rbegin();
5518 iter != mCmds.rend(); iter++) {
5519 // Do corresponding works according to the type of the command pointed by the iter.
5520 std::visit(overloaded{
5521 [&](IfaceCmd& cmd) {
5522 mNetd->networkRemoveInterface(std::get<0>(cmd),
5523 std::get<1>(cmd));
5524 },
5525 [&](RouteCmd& cmd) {
5526 mNetd->networkRemoveRoute(std::get<0>(cmd), std::get<1>(cmd),
5527 std::get<2>(cmd), std::get<3>(cmd));
5528 },
5529 },
5530 *iter);
5531 }
5532 }
5533
5534 private:
5535 sp<INetd> mNetd;
5536 std::vector<std::variant<IfaceCmd, RouteCmd>> mCmds;
5537 };
5538
getV6LinkLocalAddrFromIfIndex(const unsigned ifIndex)5539 std::optional<sockaddr_in6> getV6LinkLocalAddrFromIfIndex(const unsigned ifIndex) {
5540 struct ifaddrs* ifAddrList = nullptr;
5541 sockaddr_in6 linkLocalAddr{};
5542
5543 if (getifaddrs(&ifAddrList) == -1) return std::nullopt;
5544
5545 for (struct ifaddrs* ifa = ifAddrList; ifa != nullptr; ifa = ifa->ifa_next) {
5546 if (ifa->ifa_addr != nullptr && ifa->ifa_addr->sa_family == AF_INET6) {
5547 struct sockaddr_in6* addr = reinterpret_cast<struct sockaddr_in6*>(ifa->ifa_addr);
5548 if (addr->sin6_scope_id == ifIndex && IN6_IS_ADDR_LINKLOCAL(&(addr->sin6_addr))) {
5549 linkLocalAddr = *addr;
5550 freeifaddrs(ifAddrList);
5551 return linkLocalAddr;
5552 }
5553 }
5554 }
5555
5556 freeifaddrs(ifAddrList);
5557 return std::nullopt;
5558 }
5559
retry_bind(int sockfd,struct sockaddr * addr,socklen_t addrlen)5560 int retry_bind(int sockfd, struct sockaddr* addr, socklen_t addrlen) {
5561 int ret = 0;
5562
5563 for (int retry = 0; retry < 10; retry++) {
5564 ret = bind(sockfd, addr, addrlen);
5565 if (ret == 0 || (ret == -1 && errno != EADDRNOTAVAIL)) {
5566 break;
5567 }
5568 usleep(100 * 1000);
5569 }
5570 return ret;
5571 }
5572
5573 } // namespace
5574
TEST_F(NetdBinderTest,V6LinkLocalFwmark)5575 TEST_F(NetdBinderTest, V6LinkLocalFwmark) {
5576 createAndSetDefaultNetwork(TEST_NETID1, sTun.name());
5577
5578 // Add an interface and route for Local network.
5579 ScopedIfaceRouteOperation scopedOperation(mNetd);
5580 EXPECT_TRUE(scopedOperation.addInterface(NetworkController::LOCAL_NET_ID, sTun2.name()).isOk());
5581 EXPECT_TRUE(
5582 scopedOperation.addRoute(NetworkController::LOCAL_NET_ID, sTun2.name(), "fe80::/64", "")
5583 .isOk());
5584
5585 // Bind a listening socket to the auto assigned link-local address of the Local network.
5586 std::optional<sockaddr_in6> v6LinkLocalAddr_1 = getV6LinkLocalAddrFromIfIndex(sTun2.ifindex());
5587 ASSERT_TRUE(v6LinkLocalAddr_1.has_value()) << "errno:" << errno;
5588 socklen_t len = sizeof(v6LinkLocalAddr_1.value());
5589 unique_fd s1(socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0));
5590 ASSERT_EQ(0, bind(s1, reinterpret_cast<sockaddr*>(&v6LinkLocalAddr_1.value()), len))
5591 << "errno:" << errno;
5592 ASSERT_EQ(0, getsockname(s1, reinterpret_cast<sockaddr*>(&v6LinkLocalAddr_1.value()), &len))
5593 << "errno:" << errno;
5594 ASSERT_EQ(0, listen(s1, 10)) << "errno:" << errno;
5595
5596 // Add another v6 link-local address.
5597 const char* v6LinkLocalAddr_2 = "fe80::ace:d00d";
5598 EXPECT_TRUE(mNetd->interfaceAddAddress(sTun2.name(), v6LinkLocalAddr_2, 64).isOk());
5599
5600 // Bind a client socket on the new added link-local address and connect it to the listen socket.
5601 // Have different src and dst addresses is needed because we want to test the behavior of fwmark
5602 // and destroying sockets. The same src and dst addresses are treated as loopbacks and won't be
5603 // destroyed in any way.
5604 const struct addrinfo hints = {
5605 .ai_flags = AI_NUMERICHOST,
5606 .ai_family = AF_INET6,
5607 .ai_socktype = SOCK_STREAM,
5608 };
5609 struct addrinfo* addrinfoList = nullptr;
5610 int ret = getaddrinfo(v6LinkLocalAddr_2, nullptr, &hints, &addrinfoList);
5611 ScopedAddrinfo addrinfoCleanup(addrinfoList);
5612 ASSERT_EQ(0, ret) << "errno:" << errno;
5613
5614 len = addrinfoList[0].ai_addrlen;
5615 sockaddr_in6 sin6 = *reinterpret_cast<sockaddr_in6*>(addrinfoList[0].ai_addr);
5616 sin6.sin6_scope_id = sTun2.ifindex();
5617
5618 unique_fd c1(socket(AF_INET6, SOCK_STREAM, 0));
5619 // Retry in case the newly added address is not ready yet.
5620 ASSERT_EQ(0, retry_bind(c1, reinterpret_cast<sockaddr*>(&sin6), len)) << "errno:" << errno;
5621 ASSERT_EQ(0, getsockname(c1, reinterpret_cast<sockaddr*>(&sin6), &len)) << "errno:" << errno;
5622 ASSERT_EQ(0, connect(c1, reinterpret_cast<sockaddr*>(&v6LinkLocalAddr_1.value()), len))
5623 << "errno:" << errno;
5624
5625 // Verify netId in fwmark.
5626 Fwmark fwmark;
5627 socklen_t fwmarkLen = sizeof(fwmark.intValue);
5628 EXPECT_EQ(0, getsockopt(c1, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen));
5629 EXPECT_EQ((unsigned)NetworkController::LOCAL_NET_ID, fwmark.netId);
5630
5631 unique_fd a1(accept(s1, nullptr, 0));
5632 ASSERT_NE(-1, a1) << "errno:" << errno;
5633 EXPECT_EQ(0, getsockopt(a1, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen));
5634 // TODO: Fix fwmark on the accept socket?
5635 fwmark.netId = NetworkController::LOCAL_NET_ID;
5636 EXPECT_EQ(0, setsockopt(a1, SOL_SOCKET, SO_MARK, &fwmark.intValue, sizeof(fwmark.intValue)));
5637
5638 // Change permission on the default network. Client socket should not be destroyed.
5639 EXPECT_TRUE(
5640 mNetd->networkSetPermissionForNetwork(TEST_NETID1, INetd::PERMISSION_NETWORK).isOk());
5641
5642 char buf[1024] = {};
5643 EXPECT_EQ(3, write(a1, "foo", 3)) << "errno:" << errno;
5644 EXPECT_EQ(3, read(c1, buf, sizeof(buf))) << "errno:" << errno;
5645 }
5646
5647 /**
5648 * This test sets up three networks:
5649 * - SYSTEM_DEFAULT_NETID -> sTun
5650 * - OTHER_NETID -> sTun2
5651 * - VPN_NETID -> sTun3
5652 */
TEST_F(NetdBinderTest,BypassVpnWithNetId)5653 TEST_F(NetdBinderTest, BypassVpnWithNetId) {
5654 static constexpr unsigned OTHER_NETID = TEST_NETID2;
5655 static const sockaddr_in6 addr = {
5656 .sin6_family = AF_INET6,
5657 .sin6_port = 42,
5658 .sin6_addr = V6_ADDR,
5659 };
5660 createVpnAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, OTHER_NETID, VPN_NETID, true /*secure*/);
5661 ASSERT_TRUE(mNetd->networkAddUidRanges(VPN_NETID, {makeUidRangeParcel(TEST_UID1)}).isOk());
5662
5663 {
5664 ScopedUidChange change(TEST_UID1);
5665 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5666 // No network selected for the socket: data is received on VPN network.
5667 checkDataReceived(sock, sTun3.getFdForTesting(), (sockaddr*)&addr, sizeof(addr));
5668 }
5669
5670 {
5671 ScopedUidChange change(TEST_UID1);
5672 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5673 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5674 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5675 EXPECT_EQ(-EPERM, setNetworkForSocket(OTHER_NETID, sock));
5676
5677 // No permission to use OTHER_NETID: data is received on VPN network.
5678 checkDataReceived(sock, sTun3.getFdForTesting(), (sockaddr*)&addr, sizeof(addr));
5679 }
5680
5681 mNetd->networkAllowBypassVpnOnNetwork(true /* allow */, TEST_UID1, OTHER_NETID);
5682 auto guard = android::base::make_scope_guard([this] {
5683 mNetd->networkAllowBypassVpnOnNetwork(false /* allow */, TEST_UID1, OTHER_NETID);
5684 });
5685
5686 {
5687 ScopedUidChange change(TEST_UID1);
5688 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5689 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5690 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5691 EXPECT_EQ(0, setNetworkForSocket(OTHER_NETID, sock));
5692
5693 // Permission to use OTHER_NETID and OTHER_NETID is selected for socket: data is received on
5694 // OTHER network.
5695 checkDataReceived(sock, sTun2.getFdForTesting(), (sockaddr*)&addr, sizeof(addr));
5696 }
5697 }
5698
5699 /**
5700 * This test sets up three networks:
5701 * - SYSTEM_DEFAULT_NETID -> sTun
5702 * - OTHER_NETID -> sTun2
5703 * - VPN_NETID -> sTun3
5704 */
TEST_F(NetdBinderTest,BypassVpnWithNetIdOverlappingRules)5705 TEST_F(NetdBinderTest, BypassVpnWithNetIdOverlappingRules) {
5706 static constexpr unsigned OTHER_NETID = TEST_NETID2;
5707 createVpnAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, OTHER_NETID, VPN_NETID, true /*secure*/);
5708 ASSERT_TRUE(mNetd->networkAddUidRanges(VPN_NETID, {makeUidRangeParcel(TEST_UID1)}).isOk());
5709
5710 // Check default network permissions.
5711 {
5712 ScopedUidChange change(TEST_UID1);
5713 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5714 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5715 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5716 EXPECT_EQ(-EPERM, setNetworkForSocket(OTHER_NETID, sock));
5717 }
5718
5719 // Careful: only use EXPECT_*() so the test cleans up after itself on failure.
5720 // Exempt TEST_UID1 from VPN on OTHER_NETID
5721 mNetd->networkAllowBypassVpnOnNetwork(true /* allow */, TEST_UID1, OTHER_NETID);
5722 {
5723 ScopedUidChange change(TEST_UID1);
5724 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5725 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5726 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5727 EXPECT_EQ(0, setNetworkForSocket(OTHER_NETID, sock));
5728 }
5729
5730 // Exempt TEST_UID1 from VPN on all networks.
5731 mNetd->networkSetProtectAllow(TEST_UID1);
5732 {
5733 ScopedUidChange change(TEST_UID1);
5734 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5735 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5736 EXPECT_EQ(0, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5737 EXPECT_EQ(0, setNetworkForSocket(OTHER_NETID, sock));
5738 }
5739
5740 // Remove network-specific exemption
5741 mNetd->networkAllowBypassVpnOnNetwork(false /* allow */, TEST_UID1, OTHER_NETID);
5742 {
5743 ScopedUidChange change(TEST_UID1);
5744 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5745 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5746 EXPECT_EQ(0, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5747 EXPECT_EQ(0, setNetworkForSocket(OTHER_NETID, sock));
5748 }
5749
5750 // Remove global exemption
5751 mNetd->networkSetProtectDeny(TEST_UID1);
5752 {
5753 ScopedUidChange change(TEST_UID1);
5754 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5755 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5756 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5757 EXPECT_EQ(-EPERM, setNetworkForSocket(OTHER_NETID, sock));
5758 }
5759 }
5760