• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <poll.h> /* poll */
18 #include <sys/socket.h>
19 
20 #include <thread>
21 
22 #include <android-base/parseint.h>
23 #include <android-base/unique_fd.h>
24 #include <gtest/gtest.h>
25 
26 #include "NetdClient.h"
27 #include "netdclient_priv.h"
28 
29 namespace {
30 
31 // Keep in sync with FrameworkListener.cpp (500, "Command not recognized")
32 constexpr char NOT_SUPPORT_MSG[] = "500 Command not recognized";
33 
openDnsProxyFuncStub()34 int openDnsProxyFuncStub() {
35     return -1;
36 };
37 
38 typedef int (*DnsOpenProxyType)();
39 typedef int (*SocketFunctionType)(int, int, int);
40 
41 DnsOpenProxyType openDnsProxyFuncPtr = openDnsProxyFuncStub;
42 SocketFunctionType socketFuncPtr = socket;
43 
serverLoop(int dnsProxyFd)44 void serverLoop(int dnsProxyFd) {
45     while (true) {
46         pollfd fds[1] = {{.fd = dnsProxyFd, .events = POLLIN}};
47         enum { SERVERFD = 0 };
48 
49         int poll_result = TEMP_FAILURE_RETRY(poll(fds, std::size(fds), -1));
50         ASSERT_GT(poll_result, 0);
51 
52         if (fds[SERVERFD].revents & POLLERR) return;
53         if (fds[SERVERFD].revents & POLLIN) {
54             char buf[4096];
55             TEMP_FAILURE_RETRY(read(fds[SERVERFD].fd, &buf, sizeof(buf)));
56             // TODO: verify command
57             TEMP_FAILURE_RETRY(write(fds[SERVERFD].fd, NOT_SUPPORT_MSG, sizeof(NOT_SUPPORT_MSG)));
58         }
59     }
60 }
61 
expectAllowNetworkingForProcess()62 void expectAllowNetworkingForProcess() {
63     // netdClientSocket
64     android::base::unique_fd ipv4(socketFuncPtr(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0)),
65             ipv6(socketFuncPtr(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0));
66     EXPECT_LE(3, ipv4);
67     EXPECT_LE(3, ipv6);
68 
69     // dns_open_proxy
70     android::base::unique_fd dnsproxydSocket(openDnsProxyFuncPtr());
71     EXPECT_LE(3, dnsproxydSocket);
72 }
73 
expectNotAllowNetworkingForProcess()74 void expectNotAllowNetworkingForProcess() {
75     // netdClientSocket
76     android::base::unique_fd unixSocket(socketFuncPtr(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0));
77     EXPECT_LE(3, unixSocket);
78     android::base::unique_fd ipv4(socketFuncPtr(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0));
79     EXPECT_EQ(-1, ipv4);
80     EXPECT_EQ(errno, EPERM);
81     android::base::unique_fd ipv6(socketFuncPtr(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0));
82     EXPECT_EQ(-1, ipv6);
83     EXPECT_EQ(errno, EPERM);
84 
85     // dns_open_proxy
86     android::base::unique_fd dnsproxydSocket(openDnsProxyFuncPtr());
87     EXPECT_EQ(-1, dnsproxydSocket);
88     EXPECT_EQ(errno, EPERM);
89 }
90 
91 }  // namespace
92 
TEST(NetdClientTest,getNetworkForDnsInternal)93 TEST(NetdClientTest, getNetworkForDnsInternal) {
94     // Test invalid fd
95     unsigned dnsNetId = 0;
96     const int invalidFd = -1;
97     EXPECT_EQ(-EBADF, getNetworkForDnsInternal(invalidFd, &dnsNetId));
98 
99     // Test what the client does if the resolver does not support the "getdnsnetid" command.
100     android::base::unique_fd clientFd, serverFd;
101     ASSERT_TRUE(android::base::Socketpair(AF_UNIX, &clientFd, &serverFd));
102 
103     std::thread serverThread = std::thread(serverLoop, serverFd.get());
104 
105     EXPECT_EQ(-EOPNOTSUPP, getNetworkForDnsInternal(clientFd.get(), &dnsNetId));
106 
107     clientFd.reset();  // Causes serverLoop() to exit
108     serverThread.join();
109 }
110 
TEST(NetdClientTest,getNetworkForDns)111 TEST(NetdClientTest, getNetworkForDns) {
112     // Test null input
113     unsigned* testNull = nullptr;
114     EXPECT_EQ(-EFAULT, getNetworkForDns(testNull));
115 }
116 
TEST(NetdClientTest,protectFromVpnBadFd)117 TEST(NetdClientTest, protectFromVpnBadFd) {
118     EXPECT_EQ(-EBADF, protectFromVpn(-1));
119 }
120 
TEST(NetdClientTest,protectFromVpnUnixStream)121 TEST(NetdClientTest, protectFromVpnUnixStream) {
122     int s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
123     ASSERT_GE(s, 3);
124     EXPECT_EQ(-EAFNOSUPPORT, protectFromVpn(s));
125     close(s);
126 }
127 
TEST(NetdClientTest,protectFromVpnTcp6)128 TEST(NetdClientTest, protectFromVpnTcp6) {
129     int s = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
130     ASSERT_GE(s, 3);
131     EXPECT_EQ(0, protectFromVpn(s));
132     close(s);
133 }
134 
TEST(NetdClientTest,setAllowNetworkingForProcess)135 TEST(NetdClientTest, setAllowNetworkingForProcess) {
136     netdClientInitDnsOpenProxy(&openDnsProxyFuncPtr);
137     netdClientInitSocket(&socketFuncPtr);
138     // At the beginning, we should be able to use socket since the default setting is allowing.
139     expectAllowNetworkingForProcess();
140     // Disable
141     setAllowNetworkingForProcess(false);
142     expectNotAllowNetworkingForProcess();
143     // Reset
144     setAllowNetworkingForProcess(true);
145     expectAllowNetworkingForProcess();
146 }
147