1 /*
2 * Copyright 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * binder_test.cpp - unit tests for netd binder RPCs.
17 */
18
19 #include <algorithm>
20 #include <cerrno>
21 #include <chrono>
22 #include <cinttypes>
23 #include <condition_variable>
24 #include <cstdint>
25 #include <cstdlib>
26 #include <iostream>
27 #include <mutex>
28 #include <numeric>
29 #include <regex>
30 #include <set>
31 #include <string>
32 #include <vector>
33
34 #include <dirent.h>
35 #include <fcntl.h>
36 #include <ifaddrs.h>
37 #include <linux/if.h>
38 #include <linux/if_tun.h>
39 #include <net/ethernet.h>
40 #include <net/if.h>
41 #include <netdb.h>
42 #include <netinet/in.h>
43 #include <netinet/tcp.h>
44 #include <openssl/base64.h>
45 #include <sys/socket.h>
46 #include <sys/types.h>
47
48 #include <android-base/file.h>
49 #include <android-base/format.h>
50 #include <android-base/macros.h>
51 #include <android-base/scopeguard.h>
52 #include <android-base/stringprintf.h>
53 #include <android-base/strings.h>
54 #include <android-base/test_utils.h>
55 #include <android/multinetwork.h>
56 #include <binder/IPCThreadState.h>
57 #include <bpf/KernelUtils.h>
58 #include <com/android/internal/net/BnOemNetdUnsolicitedEventListener.h>
59 #include <com/android/internal/net/IOemNetd.h>
60 #include <cutils/multiuser.h>
61 #include <gtest/gtest.h>
62 #include <netdutils/NetNativeTestBase.h>
63 #include <netutils/ifc.h>
64 #include <utils/Errors.h>
65 #include "Fwmark.h"
66 #include "InterfaceController.h"
67 #include "NetdClient.h"
68 #include "NetdConstants.h"
69 #include "NetworkController.h"
70 #include "RouteController.h"
71 #include "SockDiag.h"
72 #include "TestUnsolService.h"
73 #include "XfrmController.h"
74 #include "android/net/INetd.h"
75 #include "binder/IServiceManager.h"
76 #include "netdutils/InternetAddresses.h"
77 #include "netdutils/Stopwatch.h"
78 #include "netdutils/Syscalls.h"
79 #include "netdutils/Utils.h"
80 #include "netid_client.h" // NETID_UNSET
81 #include "nettestutils/DumpService.h"
82 #include "test_utils.h"
83 #include "tun_interface.h"
84
85 #define IP6TABLES_PATH "/system/bin/ip6tables"
86 #define IPTABLES_PATH "/system/bin/iptables"
87 #define RAW_TABLE "raw"
88 #define MANGLE_TABLE "mangle"
89 #define FILTER_TABLE "filter"
90 #define NAT_TABLE "nat"
91
92 namespace binder = android::binder;
93
94 using android::IBinder;
95 using android::IServiceManager;
96 using android::sp;
97 using android::String16;
98 using android::String8;
99 using android::base::Join;
100 using android::base::make_scope_guard;
101 using android::base::ReadFileToString;
102 using android::base::StartsWith;
103 using android::base::StringPrintf;
104 using android::base::Trim;
105 using android::base::unique_fd;
106 using android::binder::Status;
107 using android::bpf::isAtLeastKernelVersion;
108 using android::net::INetd;
109 using android::net::InterfaceConfigurationParcel;
110 using android::net::InterfaceController;
111 using android::net::MarkMaskParcel;
112 using android::net::NativeNetworkConfig;
113 using android::net::NativeNetworkType;
114 using android::net::NativeVpnType;
115 using android::net::NetworkController;
116 using android::net::RULE_PRIORITY_BYPASSABLE_VPN_LOCAL_EXCLUSION;
117 using android::net::RULE_PRIORITY_BYPASSABLE_VPN_NO_LOCAL_EXCLUSION;
118 using android::net::RULE_PRIORITY_DEFAULT_NETWORK;
119 using android::net::RULE_PRIORITY_EXPLICIT_NETWORK;
120 using android::net::RULE_PRIORITY_LOCAL_NETWORK;
121 using android::net::RULE_PRIORITY_LOCAL_ROUTES;
122 using android::net::RULE_PRIORITY_OUTPUT_INTERFACE;
123 using android::net::RULE_PRIORITY_PROHIBIT_NON_VPN;
124 using android::net::RULE_PRIORITY_SECURE_VPN;
125 using android::net::RULE_PRIORITY_TETHERING;
126 using android::net::RULE_PRIORITY_UID_DEFAULT_NETWORK;
127 using android::net::RULE_PRIORITY_UID_DEFAULT_UNREACHABLE;
128 using android::net::RULE_PRIORITY_UID_EXPLICIT_NETWORK;
129 using android::net::RULE_PRIORITY_UID_IMPLICIT_NETWORK;
130 using android::net::RULE_PRIORITY_UID_LOCAL_ROUTES;
131 using android::net::RULE_PRIORITY_VPN_FALLTHROUGH;
132 using android::net::SockDiag;
133 using android::net::TetherOffloadRuleParcel;
134 using android::net::TetherStatsParcel;
135 using android::net::TunInterface;
136 using android::net::UidRangeParcel;
137 using android::net::UidRanges;
138 using android::net::netd::aidl::NativeUidRangeConfig;
139 using android::netdutils::getIfaceNames;
140 using android::netdutils::IPAddress;
141 using android::netdutils::IPSockAddr;
142 using android::netdutils::ScopedAddrinfo;
143 using android::netdutils::sSyscalls;
144 using android::netdutils::Stopwatch;
145
146 static const char* IP_RULE_V4 = "-4";
147 static const char* IP_RULE_V6 = "-6";
148 static const int TEST_NETID1 = 65501;
149 static const int TEST_NETID2 = 65502;
150 static const int TEST_NETID3 = 65503;
151 static const int TEST_NETID4 = 65504;
152 static const int TEST_DUMP_NETID = 65123;
153 static const char* DNSMASQ = "dnsmasq";
154
155 // Use maximum reserved appId for applications to avoid conflict with existing
156 // uids.
157 static const int TEST_UID1 = 99999;
158 static const int TEST_UID2 = 99998;
159 static const int TEST_UID3 = 99997;
160 static const int TEST_UID4 = 99996;
161 static const int TEST_UID5 = 99995;
162 static const int TEST_UID6 = 99994;
163
164 constexpr int BASE_UID = AID_USER_OFFSET * 5;
165
166 static const std::string NO_SOCKET_ALLOW_RULE("! owner UID match 0-4294967294");
167
168 static const in6_addr V6_ADDR = {
169 {// 2001:db8:cafe::8888
170 .u6_addr8 = {0x20, 0x01, 0x0d, 0xb8, 0xca, 0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0x88, 0x88}}};
171
172 typedef enum { ALL_EXIST, NONE_EXIST } ExistMode;
173
clearQueue(int tunFd)174 static void clearQueue(int tunFd) {
175 char buf[4096];
176 int ret;
177 do {
178 ret = read(tunFd, buf, sizeof(buf));
179 } while (ret > 0);
180 }
181
182 class NetdBinderTest : public NetNativeTestBase {
183 public:
NetdBinderTest()184 NetdBinderTest() {
185 sp<IServiceManager> sm = android::defaultServiceManager();
186 sp<IBinder> binder = sm->getService(String16("netd"));
187 if (binder != nullptr) {
188 mNetd = android::interface_cast<INetd>(binder);
189 }
190 }
191
SetUp()192 void SetUp() override {
193 ASSERT_NE(nullptr, mNetd.get());
194 // drain tun interfaces before every test.
195 clearQueue(sTun.getFdForTesting());
196 clearQueue(sTun2.getFdForTesting());
197 clearQueue(sTun3.getFdForTesting());
198 clearQueue(sTun4.getFdForTesting());
199 }
200
TearDown()201 void TearDown() override {
202 mNetd->networkDestroy(TEST_NETID1);
203 mNetd->networkDestroy(TEST_NETID2);
204 mNetd->networkDestroy(TEST_NETID3);
205 mNetd->networkDestroy(TEST_NETID4);
206 setNetworkForProcess(NETID_UNSET);
207 // Restore default network
208 if (mStoredDefaultNetwork >= 0) mNetd->networkSetDefault(mStoredDefaultNetwork);
209 }
210
211 bool allocateIpSecResources(bool expectOk, int32_t* spi);
212
213 // Static because setting up the tun interface takes about 40ms.
SetUpTestCase()214 static void SetUpTestCase() {
215 setBackgroundNetworkingEnabledForUid(TEST_UID1, true);
216 setBackgroundNetworkingEnabledForUid(TEST_UID2, true);
217 setBackgroundNetworkingEnabledForUid(TEST_UID3, true);
218 setBackgroundNetworkingEnabledForUid(TEST_UID4, true);
219 setBackgroundNetworkingEnabledForUid(TEST_UID5, true);
220 setBackgroundNetworkingEnabledForUid(TEST_UID6, true);
221
222 ASSERT_EQ(0, sTun.init());
223 ASSERT_EQ(0, sTun2.init());
224 ASSERT_EQ(0, sTun3.init());
225 ASSERT_EQ(0, sTun4.init());
226 ASSERT_LE(sTun.name().size(), static_cast<size_t>(IFNAMSIZ));
227 ASSERT_LE(sTun2.name().size(), static_cast<size_t>(IFNAMSIZ));
228 ASSERT_LE(sTun3.name().size(), static_cast<size_t>(IFNAMSIZ));
229 ASSERT_LE(sTun4.name().size(), static_cast<size_t>(IFNAMSIZ));
230
231 // Wait for initial IPv6 packets (MLD, DAD, and RS) to be sent on tuns, so they can be
232 // drained in SetUp().
233 sleep(1);
234 }
235
TearDownTestCase()236 static void TearDownTestCase() {
237 setBackgroundNetworkingEnabledForUid(TEST_UID1, false);
238 setBackgroundNetworkingEnabledForUid(TEST_UID2, false);
239 setBackgroundNetworkingEnabledForUid(TEST_UID3, false);
240 setBackgroundNetworkingEnabledForUid(TEST_UID4, false);
241 setBackgroundNetworkingEnabledForUid(TEST_UID5, false);
242 setBackgroundNetworkingEnabledForUid(TEST_UID6, false);
243
244 // Closing the socket removes the interface and IP addresses.
245 sTun.destroy();
246 sTun2.destroy();
247 sTun3.destroy();
248 sTun4.destroy();
249 }
250
251 static void fakeRemoteSocketPair(unique_fd* clientSocket, unique_fd* serverSocket,
252 unique_fd* acceptedSocket);
253
254 void createVpnNetworkWithUid(bool secure, uid_t uid, int vpnNetId = TEST_NETID2,
255 int fallthroughNetId = TEST_NETID1,
256 int nonDefaultNetId = TEST_NETID3);
257
258 void createAndSetDefaultNetwork(int netId, const std::string& interface,
259 int permission = INetd::PERMISSION_NONE);
260
261 void createPhysicalNetwork(int netId, const std::string& interface,
262 int permission = INetd::PERMISSION_NONE);
263
264 void createDefaultAndOtherPhysicalNetwork(int defaultNetId, int otherNetId);
265
266 void createVpnAndOtherPhysicalNetwork(int systemDefaultNetId, int otherNetId, int vpnNetId,
267 bool secure);
268
269 void createVpnAndAppDefaultNetworkWithUid(int systemDefaultNetId, int appDefaultNetId,
270 int vpnNetId, bool secure,
271 std::vector<UidRangeParcel>&& appDefaultUidRanges,
272 std::vector<UidRangeParcel>&& vpnUidRanges);
273
274 void setupNetworkRoutesForVpnAndDefaultNetworks(
275 int systemDefaultNetId, int appDefaultNetId, int vpnNetId, int otherNetId, bool secure,
276 bool testV6, bool differentLocalRoutes,
277 std::vector<UidRangeParcel>&& appDefaultUidRanges,
278 std::vector<UidRangeParcel>&& vpnUidRanges);
279
280 protected:
281 // Use -1 to represent that default network was not modified because
282 // real netId must be an unsigned value.
283 int mStoredDefaultNetwork = -1;
284 sp<INetd> mNetd;
285 static TunInterface sTun;
286 static TunInterface sTun2;
287 static TunInterface sTun3;
288 static TunInterface sTun4;
289
290 private:
setBackgroundNetworkingEnabledForUid(int uid,bool enabled)291 static void setBackgroundNetworkingEnabledForUid(int uid, bool enabled) {
292 runBinderCommand("connectivity",
293 StringPrintf("set-background-networking-enabled-for-uid %d %s", uid,
294 enabled ? "true" : "false"));
295 }
296 };
297
298 TunInterface NetdBinderTest::sTun;
299 TunInterface NetdBinderTest::sTun2;
300 TunInterface NetdBinderTest::sTun3;
301 TunInterface NetdBinderTest::sTun4;
302
303 class TimedOperation : public Stopwatch {
304 public:
TimedOperation(const std::string & name)305 explicit TimedOperation(const std::string &name): mName(name) {}
~TimedOperation()306 virtual ~TimedOperation() {
307 std::cerr << " " << mName << ": " << timeTakenUs() << "us" << std::endl;
308 }
309
310 private:
311 std::string mName;
312 };
313
TEST_F(NetdBinderTest,IsAlive)314 TEST_F(NetdBinderTest, IsAlive) {
315 TimedOperation t("isAlive RPC");
316 bool isAlive = false;
317 mNetd->isAlive(&isAlive);
318 ASSERT_TRUE(isAlive);
319 }
320
321 namespace {
322
makeNativeNetworkConfig(int netId,NativeNetworkType networkType,int permission,bool secure,bool excludeLocalRoutes)323 NativeNetworkConfig makeNativeNetworkConfig(int netId, NativeNetworkType networkType,
324 int permission, bool secure, bool excludeLocalRoutes) {
325 NativeNetworkConfig config = {};
326 config.netId = netId;
327 config.networkType = networkType;
328 config.permission = permission;
329 config.secure = secure;
330 // The vpnType doesn't matter in AOSP. Just pick a well defined one from INetd.
331 config.vpnType = NativeVpnType::PLATFORM;
332 config.excludeLocalRoutes = excludeLocalRoutes;
333 return config;
334 }
335
336 } // namespace
337
testNetworkExistsButCannotConnect(const sp<INetd> & netd,TunInterface & ifc,const int netId)338 bool testNetworkExistsButCannotConnect(const sp<INetd>& netd, TunInterface& ifc, const int netId) {
339 // If this network exists, we should definitely not be able to create it.
340 // Note that this networkCreate is never allowed to create reserved network IDs, so
341 // this call may fail for other reasons than the network already existing.
342 const auto& config = makeNativeNetworkConfig(netId, NativeNetworkType::PHYSICAL,
343 INetd::PERMISSION_NONE, false, false);
344 EXPECT_FALSE(netd->networkCreate(config).isOk());
345 // Test if the network exist by adding interface. INetd has no dedicated method to query. When
346 // the network exists and the interface can be added, the function succeeds. When the network
347 // exists but the interface cannot be added, it fails with EINVAL, otherwise it is ENONET.
348 binder::Status status = netd->networkAddInterface(netId, ifc.name());
349 if (status.isOk()) { // clean up
350 EXPECT_TRUE(netd->networkRemoveInterface(netId, ifc.name()).isOk());
351 } else if (status.serviceSpecificErrorCode() == ENONET) {
352 return false;
353 }
354
355 const sockaddr_in6 sin6 = {.sin6_family = AF_INET6,
356 .sin6_port = htons(53),
357 .sin6_addr = {{.u6_addr32 = {htonl(0x20010db8), 0, 0, 0}}},
358 };
359 const int s = socket(AF_INET6, SOCK_DGRAM, 0);
360 EXPECT_NE(-1, s);
361 if (s == -1) return true;
362 Fwmark fwmark;
363 fwmark.explicitlySelected = true;
364 fwmark.netId = netId;
365 EXPECT_EQ(0, setsockopt(s, SOL_SOCKET, SO_MARK, &fwmark.intValue, sizeof(fwmark.intValue)));
366 const int ret = connect(s, (struct sockaddr*)&sin6, sizeof(sin6));
367 const int err = errno;
368 EXPECT_EQ(-1, ret);
369 EXPECT_EQ(ENETUNREACH, err);
370 close(s);
371 return true;
372 }
373
TEST_F(NetdBinderTest,InitialNetworksExist)374 TEST_F(NetdBinderTest, InitialNetworksExist) {
375 EXPECT_TRUE(testNetworkExistsButCannotConnect(mNetd, sTun, INetd::DUMMY_NET_ID));
376 EXPECT_TRUE(testNetworkExistsButCannotConnect(mNetd, sTun, INetd::LOCAL_NET_ID));
377 EXPECT_TRUE(testNetworkExistsButCannotConnect(mNetd, sTun, INetd::UNREACHABLE_NET_ID));
378 EXPECT_FALSE(testNetworkExistsButCannotConnect(mNetd, sTun, 77 /* not exist */));
379 }
380
TEST_F(NetdBinderTest,IpSecTunnelInterface)381 TEST_F(NetdBinderTest, IpSecTunnelInterface) {
382 const struct TestData {
383 const std::string family;
384 const std::string deviceName;
385 const std::string localAddress;
386 const std::string remoteAddress;
387 int32_t iKey;
388 int32_t oKey;
389 int32_t ifId;
390 } kTestData[] = {
391 {"IPV4", "ipsec_test", "127.0.0.1", "8.8.8.8", 0x1234 + 53, 0x1234 + 53, 0xFFFE},
392 {"IPV6", "ipsec_test6", "::1", "2001:4860:4860::8888", 0x1234 + 50, 0x1234 + 50,
393 0xFFFE},
394 };
395
396 for (size_t i = 0; i < std::size(kTestData); i++) {
397 const auto& td = kTestData[i];
398
399 binder::Status status;
400
401 // Create Tunnel Interface.
402 status = mNetd->ipSecAddTunnelInterface(td.deviceName, td.localAddress, td.remoteAddress,
403 td.iKey, td.oKey, td.ifId);
404 EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
405
406 // Check that the interface exists
407 EXPECT_NE(0U, if_nametoindex(td.deviceName.c_str()));
408
409 // Update Tunnel Interface.
410 status = mNetd->ipSecUpdateTunnelInterface(td.deviceName, td.localAddress, td.remoteAddress,
411 td.iKey, td.oKey, td.ifId);
412 EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
413
414 // Remove Tunnel Interface.
415 status = mNetd->ipSecRemoveTunnelInterface(td.deviceName);
416 EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
417
418 // Check that the interface no longer exists
419 EXPECT_EQ(0U, if_nametoindex(td.deviceName.c_str()));
420 }
421 }
422
TEST_F(NetdBinderTest,IpSecSetEncapSocketOwner)423 TEST_F(NetdBinderTest, IpSecSetEncapSocketOwner) {
424 unique_fd uniqueFd(socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0));
425 android::os::ParcelFileDescriptor sockFd(std::move(uniqueFd));
426
427 int sockOptVal = UDP_ENCAP_ESPINUDP;
428 setsockopt(sockFd.get(), IPPROTO_UDP, UDP_ENCAP, &sockOptVal, sizeof(sockOptVal));
429
430 binder::Status res = mNetd->ipSecSetEncapSocketOwner(sockFd, 1001);
431 EXPECT_TRUE(res.isOk());
432
433 struct stat info;
434 EXPECT_EQ(0, fstat(sockFd.get(), &info));
435 EXPECT_EQ(1001, (int) info.st_uid);
436 }
437
438 // IPsec tests are not run in 32 bit mode; both 32-bit kernels and
439 // mismatched ABIs (64-bit kernel with 32-bit userspace) are unsupported.
440 #if INTPTR_MAX != INT32_MAX
441
442 using android::net::XfrmController;
443
444 static const int XFRM_DIRECTIONS[] = {static_cast<int>(android::net::XfrmDirection::IN),
445 static_cast<int>(android::net::XfrmDirection::OUT)};
446 static const int ADDRESS_FAMILIES[] = {AF_INET, AF_INET6};
447
448 #define RETURN_FALSE_IF_NEQ(_expect_, _ret_) \
449 do { if ((_expect_) != (_ret_)) return false; } while(false)
allocateIpSecResources(bool expectOk,int32_t * spi)450 bool NetdBinderTest::allocateIpSecResources(bool expectOk, int32_t* spi) {
451 android::netdutils::Status status = XfrmController::ipSecAllocateSpi(0, "::", "::1", 123, spi);
452 SCOPED_TRACE(status);
453 RETURN_FALSE_IF_NEQ(status.ok(), expectOk);
454
455 // Add a policy
456 status = XfrmController::ipSecAddSecurityPolicy(0, AF_INET6, 0, "::", "::1", 123, 0, 0, 0);
457 SCOPED_TRACE(status);
458 RETURN_FALSE_IF_NEQ(status.ok(), expectOk);
459
460 // Add an ipsec interface
461 return expectOk == XfrmController::ipSecAddTunnelInterface("ipsec_test", "::", "::1", 0xF00D,
462 0xD00D, 0xE00D, false)
463 .ok();
464 }
465
TEST_F(NetdBinderTest,XfrmDualSelectorTunnelModePoliciesV4)466 TEST_F(NetdBinderTest, XfrmDualSelectorTunnelModePoliciesV4) {
467 android::binder::Status status;
468
469 // Repeat to ensure cleanup and recreation works correctly
470 for (int i = 0; i < 2; i++) {
471 for (int direction : XFRM_DIRECTIONS) {
472 for (int addrFamily : ADDRESS_FAMILIES) {
473 status = mNetd->ipSecAddSecurityPolicy(0, addrFamily, direction, "127.0.0.5",
474 "127.0.0.6", 123, 0, 0, 0);
475 EXPECT_TRUE(status.isOk())
476 << " family: " << addrFamily << " direction: " << direction;
477 }
478 }
479
480 // Cleanup
481 for (int direction : XFRM_DIRECTIONS) {
482 for (int addrFamily : ADDRESS_FAMILIES) {
483 status = mNetd->ipSecDeleteSecurityPolicy(0, addrFamily, direction, 0, 0, 0);
484 EXPECT_TRUE(status.isOk());
485 }
486 }
487 }
488 }
489
TEST_F(NetdBinderTest,XfrmDualSelectorTunnelModePoliciesV6)490 TEST_F(NetdBinderTest, XfrmDualSelectorTunnelModePoliciesV6) {
491 binder::Status status;
492
493 // Repeat to ensure cleanup and recreation works correctly
494 for (int i = 0; i < 2; i++) {
495 for (int direction : XFRM_DIRECTIONS) {
496 for (int addrFamily : ADDRESS_FAMILIES) {
497 status = mNetd->ipSecAddSecurityPolicy(0, addrFamily, direction, "2001:db8::f00d",
498 "2001:db8::d00d", 123, 0, 0, 0);
499 EXPECT_TRUE(status.isOk())
500 << " family: " << addrFamily << " direction: " << direction;
501 }
502 }
503
504 // Cleanup
505 for (int direction : XFRM_DIRECTIONS) {
506 for (int addrFamily : ADDRESS_FAMILIES) {
507 status = mNetd->ipSecDeleteSecurityPolicy(0, addrFamily, direction, 0, 0, 0);
508 EXPECT_TRUE(status.isOk());
509 }
510 }
511 }
512 }
513
TEST_F(NetdBinderTest,XfrmControllerInit)514 TEST_F(NetdBinderTest, XfrmControllerInit) {
515 android::netdutils::Status status;
516 status = XfrmController::Init();
517 SCOPED_TRACE(status);
518
519 // Older devices or devices with mismatched Kernel/User ABI cannot support the IPsec
520 // feature.
521 if (status.code() == EOPNOTSUPP) return;
522
523 ASSERT_TRUE(status.ok());
524
525 int32_t spi = 0;
526
527 ASSERT_TRUE(allocateIpSecResources(true, &spi));
528 ASSERT_TRUE(allocateIpSecResources(false, &spi));
529
530 status = XfrmController::Init();
531 ASSERT_TRUE(status.ok());
532 ASSERT_TRUE(allocateIpSecResources(true, &spi));
533
534 // Clean up
535 status = XfrmController::ipSecDeleteSecurityAssociation(0, "::", "::1", 123, spi, 0, 0);
536 SCOPED_TRACE(status);
537 ASSERT_TRUE(status.ok());
538
539 status = XfrmController::ipSecDeleteSecurityPolicy(0, AF_INET6, 0, 0, 0, 0);
540 SCOPED_TRACE(status);
541 ASSERT_TRUE(status.ok());
542
543 // Remove Virtual Tunnel Interface.
544 ASSERT_TRUE(XfrmController::ipSecRemoveTunnelInterface("ipsec_test").ok());
545 }
546
547 // Two kernel fixes have been added in 5.17 to allow XFRM_MIGRATE to work correctly
548 // when (1) there are multiple tunnels with the same selectors; and (2) addresses
549 // are updated to a different IP family. These two fixes were pulled into upstream
550 // LTS releases 4.14.273, 4.19.236, 5.4.186, 5.10.107 and 5.15.30, from whence they
551 // flowed into the Android Common Kernel (via standard LTS merges).
552 // As such we require 4.14.273+, 4.19.236+, 5.4.186+, 5.10.107+, 5.15.30+ and 5.17+
553 // to have these fixes.
hasXfrmMigrateKernelFixes()554 bool hasXfrmMigrateKernelFixes() {
555 return (isAtLeastKernelVersion(4, 14, 273) && !isAtLeastKernelVersion(4, 19, 0)) ||
556 (isAtLeastKernelVersion(4, 19, 236) && !isAtLeastKernelVersion(5, 4, 0)) ||
557 (isAtLeastKernelVersion(5, 4, 186) && !isAtLeastKernelVersion(5, 10, 0)) ||
558 (isAtLeastKernelVersion(5, 10, 107) && !isAtLeastKernelVersion(5, 15, 0)) ||
559 isAtLeastKernelVersion(5, 15, 30);
560 }
561
562 // Does the kernel support CONFIG_XFRM_MIGRATE and include the kernel fixes?
supportsXfrmMigrate()563 bool supportsXfrmMigrate() {
564 if (!hasXfrmMigrateKernelFixes()) return false;
565
566 // 5.10+ VINTF requires CONFIG_XFRM_MIGRATE enabled
567 if (isAtLeastKernelVersion(5, 10, 0)) return true;
568
569 const std::string wildcardAddr = "::";
570
571 // Expect migration to fail with EINVAL because it is trying to migrate a
572 // non-existent SA.
573 auto status = XfrmController::ipSecMigrate(
574 0 /* resourceId */, AF_INET6, 0 /* direction == out */,
575 wildcardAddr /* sourceAddress */, wildcardAddr /* destinationAddress */,
576 wildcardAddr /* newSourceAddress */, wildcardAddr /* newDestinationAddress */,
577 0 /* xfrmInterfaceId */);
578
579 if (android::netdutils::equalToErrno(status, EINVAL)) {
580 return true;
581 } else if (android::netdutils::equalToErrno(status, ENOPROTOOPT)) {
582 return false;
583 } else {
584 GTEST_LOG_(WARNING) << "Unexpected migration result: "
585 << android::netdutils::toString(status)
586 << "Assuming XFRM_MIGRATE is enabled.";
587 return true;
588 }
589 }
590
591 #define SKIP_IF_XFRM_MIGRATE_NOT_SUPPORTED \
592 do { \
593 if (!supportsXfrmMigrate()) \
594 GTEST_SKIP() << "This test is skipped since xfrm migrate feature " \
595 << "not supported\n"; \
596 } while (0)
597
TEST_F(NetdBinderTest,XfrmMigrate)598 TEST_F(NetdBinderTest, XfrmMigrate) {
599 SKIP_IF_XFRM_MIGRATE_NOT_SUPPORTED;
600
601 static const struct TestData {
602 const int32_t addrFamily;
603 const int32_t newAddrFamily;
604 const std::string srcAddr;
605 const std::string dstAddr;
606 const std::string newSrcAddr;
607 const std::string newDstAddr;
608 } kTestData[] = {
609 {AF_INET, AF_INET, "192.0.2.1", "192.0.2.2", "192.0.2.101", "192.0.2.102"},
610 {AF_INET, AF_INET6, "192.0.2.1", "192.0.2.2", "2001:db8::101", "2001:db8::102"},
611 {AF_INET6, AF_INET6, "2001:db8::1", "2001:db8::2", "2001:db8::101", "2001:db8::102"},
612 {AF_INET6, AF_INET, "2001:db8::1", "2001:db8::2", "192.0.2.101", "192.0.2.102"},
613 };
614
615 const int32_t xfrmInterfaceId = 0xFFFE;
616 const std::string tunnelDeviceName = "ipsec_test";
617
618 auto status = mNetd->ipSecAddTunnelInterface(tunnelDeviceName, "2001:db8::fe", "2001:db8::ff",
619 0x1234 + 50 /* iKey */, 0x1234 + 50 /* oKey */,
620 xfrmInterfaceId);
621
622 SCOPED_TRACE(status);
623 ASSERT_TRUE(status.isOk());
624
625 for (auto& td : kTestData) {
626 const int32_t direction = static_cast<int>(android::net::XfrmDirection::OUT);
627 const int32_t resourceId = 0;
628 const int32_t spiReq = 123;
629 int32_t spi = 0;
630
631 status = mNetd->ipSecAllocateSpi(resourceId, td.srcAddr, td.dstAddr, spiReq, &spi);
632 SCOPED_TRACE(status);
633 ASSERT_TRUE(status.isOk());
634
635 status = mNetd->ipSecAddSecurityAssociation(
636 resourceId, static_cast<int32_t>(android::net::XfrmMode::TUNNEL), td.srcAddr,
637 td.dstAddr, 100 /* underlyingNetid */, spiReq, 0 /* markValue */, 0 /* markMask */,
638 "digest_null" /* authAlgo */, {} /* authKey */, 0 /* authTruncBits */,
639 "ecb(cipher_null)" /* cryptAlgo */, {} /* cryptKey */, 0 /* cryptTruncBits */,
640 "" /* aeadAlgo */, {} /* aeadKey */, 0 /* aeadIcvBits */,
641 0 /* encapType == ENCAP_NONE */, 0 /* encapLocalPort */, 0 /* encapRemotePort */,
642 xfrmInterfaceId);
643 SCOPED_TRACE(status);
644 ASSERT_TRUE(status.isOk());
645
646 for (int addrFamily : ADDRESS_FAMILIES) {
647 // Add a policy
648 status = mNetd->ipSecAddSecurityPolicy(resourceId, addrFamily, direction, td.srcAddr,
649 td.dstAddr, spiReq, 0 /* markValue */,
650 0 /* markMask */, xfrmInterfaceId);
651 SCOPED_TRACE(status);
652 ASSERT_TRUE(status.isOk());
653
654 // Migrate tunnel mode SA
655 android::net::IpSecMigrateInfoParcel parcel;
656 parcel.requestId = resourceId;
657 parcel.selAddrFamily = addrFamily;
658 parcel.direction = direction;
659 parcel.oldSourceAddress = td.srcAddr;
660 parcel.oldDestinationAddress = td.dstAddr;
661 parcel.newSourceAddress = td.newSrcAddr;
662 parcel.newDestinationAddress = td.newDstAddr;
663 parcel.interfaceId = xfrmInterfaceId;
664
665 status = mNetd->ipSecMigrate(parcel);
666 SCOPED_TRACE(status);
667 ASSERT_TRUE(status.isOk());
668 }
669
670 // Clean up
671 status = mNetd->ipSecDeleteSecurityAssociation(resourceId, td.newSrcAddr, td.newDstAddr,
672 spiReq, 0 /* markValue */, 0 /* markMask */,
673 xfrmInterfaceId);
674 SCOPED_TRACE(status);
675 ASSERT_TRUE(status.isOk());
676
677 for (int addrFamily : ADDRESS_FAMILIES) {
678 status = mNetd->ipSecDeleteSecurityPolicy(resourceId, addrFamily, direction,
679 0 /* markValue */, 0 /* markMask */,
680 xfrmInterfaceId);
681 SCOPED_TRACE(status);
682 ASSERT_TRUE(status.isOk());
683 }
684 }
685
686 // Remove Tunnel Interface.
687 status = mNetd->ipSecRemoveTunnelInterface(tunnelDeviceName);
688 SCOPED_TRACE(status);
689 EXPECT_TRUE(status.isOk());
690 }
691 #endif // INTPTR_MAX != INT32_MAX
692
bandwidthDataSaverEnabled(const char * binary)693 static int bandwidthDataSaverEnabled(const char *binary) {
694 std::vector<std::string> lines = listIptablesRule(binary, "bw_data_saver");
695
696 // Output looks like this:
697 //
698 // Chain bw_data_saver (1 references)
699 // target prot opt source destination
700 // RETURN all -- 0.0.0.0/0 0.0.0.0/0
701 //
702 // or:
703 //
704 // Chain bw_data_saver (1 references)
705 // target prot opt source destination
706 // ... possibly connectivity critical packet rules here ...
707 // REJECT all -- ::/0 ::/0
708
709 EXPECT_GE(lines.size(), 3U);
710
711 if (lines.size() == 3 && StartsWith(lines[2], "RETURN ")) {
712 // Data saver disabled.
713 return 0;
714 }
715
716 size_t minSize = (std::string(binary) == IPTABLES_PATH) ? 3 : 9;
717
718 if (lines.size() >= minSize && StartsWith(lines[lines.size() -1], "REJECT ")) {
719 // Data saver enabled.
720 return 1;
721 }
722
723 return -1;
724 }
725
enableDataSaver(sp<INetd> & netd,bool enable)726 bool enableDataSaver(sp<INetd>& netd, bool enable) {
727 TimedOperation op(enable ? " Enabling data saver" : "Disabling data saver");
728 bool ret;
729 netd->bandwidthEnableDataSaver(enable, &ret);
730 return ret;
731 }
732
getDataSaverState()733 int getDataSaverState() {
734 const int enabled4 = bandwidthDataSaverEnabled(IPTABLES_PATH);
735 const int enabled6 = bandwidthDataSaverEnabled(IP6TABLES_PATH);
736 EXPECT_EQ(enabled4, enabled6);
737 EXPECT_NE(-1, enabled4);
738 EXPECT_NE(-1, enabled6);
739 if (enabled4 != enabled6 || (enabled6 != 0 && enabled6 != 1)) {
740 return -1;
741 }
742 return enabled6;
743 }
744
TEST_F(NetdBinderTest,BandwidthEnableDataSaver)745 TEST_F(NetdBinderTest, BandwidthEnableDataSaver) {
746 const int wasEnabled = getDataSaverState();
747 ASSERT_NE(-1, wasEnabled);
748
749 if (wasEnabled) {
750 ASSERT_TRUE(enableDataSaver(mNetd, false));
751 EXPECT_EQ(0, getDataSaverState());
752 }
753
754 ASSERT_TRUE(enableDataSaver(mNetd, false));
755 EXPECT_EQ(0, getDataSaverState());
756
757 ASSERT_TRUE(enableDataSaver(mNetd, true));
758 EXPECT_EQ(1, getDataSaverState());
759
760 ASSERT_TRUE(enableDataSaver(mNetd, true));
761 EXPECT_EQ(1, getDataSaverState());
762
763 if (!wasEnabled) {
764 ASSERT_TRUE(enableDataSaver(mNetd, false));
765 EXPECT_EQ(0, getDataSaverState());
766 }
767 }
768
ipRuleExists(const char * ipVersion,const std::string & ipRule)769 static bool ipRuleExists(const char* ipVersion, const std::string& ipRule) {
770 std::vector<std::string> rules = listIpRules(ipVersion);
771 return std::find(rules.begin(), rules.end(), ipRule) != rules.end();
772 }
773
ipRuleExistsForRange(const uint32_t priority,const UidRangeParcel & range,const std::string & action,const char * ipVersion,const char * oif)774 static bool ipRuleExistsForRange(const uint32_t priority, const UidRangeParcel& range,
775 const std::string& action, const char* ipVersion,
776 const char* oif) {
777 // Output looks like this:
778 // "<priority>:\tfrom all iif lo oif netdc0ca6 uidrange 500000-500000 lookup netdc0ca6"
779 // "<priority>:\tfrom all fwmark 0x0/0x20000 iif lo uidrange 1000-2000 prohibit"
780 std::vector<std::string> rules = listIpRules(ipVersion);
781
782 std::string prefix = StringPrintf("%" PRIu32 ":", priority);
783 std::string suffix;
784 if (oif) {
785 suffix = StringPrintf(" iif lo oif %s uidrange %d-%d %s", oif, range.start, range.stop,
786 action.c_str());
787 } else {
788 suffix = StringPrintf(" iif lo uidrange %d-%d %s", range.start, range.stop, action.c_str());
789 }
790 for (const auto& line : rules) {
791 if (android::base::StartsWith(line, prefix) && android::base::EndsWith(line, suffix)) {
792 return true;
793 }
794 }
795 return false;
796 }
797
798 // Overloads function with oif parameter for VPN rules compare.
ipRuleExistsForRange(const uint32_t priority,const UidRangeParcel & range,const std::string & action,const char * oif)799 static bool ipRuleExistsForRange(const uint32_t priority, const UidRangeParcel& range,
800 const std::string& action, const char* oif) {
801 bool existsIp4 = ipRuleExistsForRange(priority, range, action, IP_RULE_V4, oif);
802 bool existsIp6 = ipRuleExistsForRange(priority, range, action, IP_RULE_V6, oif);
803 EXPECT_EQ(existsIp4, existsIp6);
804 return existsIp4;
805 }
806
ipRuleExistsForRange(const uint32_t priority,const UidRangeParcel & range,const std::string & action)807 static bool ipRuleExistsForRange(const uint32_t priority, const UidRangeParcel& range,
808 const std::string& action) {
809 return ipRuleExistsForRange(priority, range, action, nullptr);
810 }
811
expectRuleForV4AndV6(ExistMode mode,const std::string & rule)812 static void expectRuleForV4AndV6(ExistMode mode, const std::string& rule) {
813 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
814 if (mode == ALL_EXIST) {
815 EXPECT_TRUE(ipRuleExists(ipVersion, rule));
816 } else {
817 EXPECT_FALSE(ipRuleExists(ipVersion, rule));
818 }
819 }
820 }
821
expectLocalIpRuleExists(ExistMode mode,const std::string & ifName)822 static void expectLocalIpRuleExists(ExistMode mode, const std::string& ifName) {
823 std::string localIpRule = StringPrintf("%u:\tfrom all fwmark 0x0/0x10000 lookup %s",
824 RULE_PRIORITY_LOCAL_NETWORK, ifName.c_str());
825 expectRuleForV4AndV6(mode, localIpRule);
826
827 std::string dnsMasqRule = StringPrintf("%u:\tfrom all fwmark 0x10063/0x1ffff iif lo lookup %s",
828 RULE_PRIORITY_EXPLICIT_NETWORK, ifName.c_str());
829 expectRuleForV4AndV6(mode, dnsMasqRule);
830 }
831
832 namespace {
833
makeUidRangeParcel(int start,int stop)834 UidRangeParcel makeUidRangeParcel(int start, int stop) {
835 UidRangeParcel res;
836 res.start = start;
837 res.stop = stop;
838
839 return res;
840 }
841
makeUidRangeParcel(int uid)842 UidRangeParcel makeUidRangeParcel(int uid) {
843 return makeUidRangeParcel(uid, uid);
844 }
845
makeNativeUidRangeConfig(unsigned netId,std::vector<UidRangeParcel> uidRanges,int32_t subPriority)846 NativeUidRangeConfig makeNativeUidRangeConfig(unsigned netId, std::vector<UidRangeParcel> uidRanges,
847 int32_t subPriority) {
848 NativeUidRangeConfig res;
849 res.netId = netId;
850 res.uidRanges = std::move(uidRanges);
851 res.subPriority = subPriority;
852
853 return res;
854 }
855
856 } // namespace
857
TEST_F(NetdBinderTest,NetworkInterfaces)858 TEST_F(NetdBinderTest, NetworkInterfaces) {
859 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
860 INetd::PERMISSION_NONE, false, false);
861 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
862 EXPECT_EQ(EEXIST, mNetd->networkCreate(config).serviceSpecificErrorCode());
863
864 config.networkType = NativeNetworkType::VIRTUAL;
865 config.secure = true;
866 EXPECT_EQ(EEXIST, mNetd->networkCreate(config).serviceSpecificErrorCode());
867
868 config.netId = TEST_NETID2;
869 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
870
871 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
872 EXPECT_EQ(EBUSY,
873 mNetd->networkAddInterface(TEST_NETID2, sTun.name()).serviceSpecificErrorCode());
874
875 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
876 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID2, sTun.name()).isOk());
877 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID2).isOk());
878 EXPECT_EQ(ENONET, mNetd->networkDestroy(TEST_NETID1).serviceSpecificErrorCode());
879 }
880
TEST_F(NetdBinderTest,NetworkUidRules)881 TEST_F(NetdBinderTest, NetworkUidRules) {
882 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::VIRTUAL,
883 INetd::PERMISSION_NONE, true, false);
884 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
885 EXPECT_EQ(EEXIST, mNetd->networkCreate(config).serviceSpecificErrorCode());
886 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
887
888 std::vector<UidRangeParcel> uidRanges = {makeUidRangeParcel(BASE_UID + 8005, BASE_UID + 8012),
889 makeUidRangeParcel(BASE_UID + 8090, BASE_UID + 8099)};
890 UidRangeParcel otherRange = makeUidRangeParcel(BASE_UID + 8190, BASE_UID + 8299);
891 std::string action = StringPrintf("lookup %s", sTun.name().c_str());
892
893 EXPECT_TRUE(mNetd->networkAddUidRanges(TEST_NETID1, uidRanges).isOk());
894
895 EXPECT_TRUE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, uidRanges[0], action));
896 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, otherRange, action));
897 EXPECT_TRUE(mNetd->networkRemoveUidRanges(TEST_NETID1, uidRanges).isOk());
898 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, uidRanges[0], action));
899
900 EXPECT_TRUE(mNetd->networkAddUidRanges(TEST_NETID1, uidRanges).isOk());
901 EXPECT_TRUE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, uidRanges[1], action));
902 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
903 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_SECURE_VPN, uidRanges[1], action));
904
905 EXPECT_EQ(ENONET, mNetd->networkDestroy(TEST_NETID1).serviceSpecificErrorCode());
906 }
907
908 class LocalNetworkParameterizedTest : public NetdBinderTest,
909 public testing::WithParamInterface<bool> {};
910
911 // Exercise both local and non-local networks
912 INSTANTIATE_TEST_SUITE_P(LocalNetworkTests, LocalNetworkParameterizedTest, testing::Bool(),
__anon3f474b890402(const testing::TestParamInfo<bool>& info) 913 [](const testing::TestParamInfo<bool>& info) {
914 return info.param ? "Local" : "NonLocal";
915 });
916
TEST_P(LocalNetworkParameterizedTest,LocalNetworkUidRules)917 TEST_P(LocalNetworkParameterizedTest, LocalNetworkUidRules) {
918 const bool local = GetParam();
919 const auto type = local ? NativeNetworkType::PHYSICAL_LOCAL : NativeNetworkType::PHYSICAL;
920 auto config = makeNativeNetworkConfig(TEST_NETID1, type, INetd::PERMISSION_NONE,
921 false /* secure */, false /* excludeLocalRoutes */);
922 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
923 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
924
925 expectLocalIpRuleExists(local ? ALL_EXIST : NONE_EXIST, sTun.name());
926 }
927
TEST_F(NetdBinderTest,NetworkRejectNonSecureVpn)928 TEST_F(NetdBinderTest, NetworkRejectNonSecureVpn) {
929 std::vector<UidRangeParcel> uidRanges = {makeUidRangeParcel(BASE_UID + 150, BASE_UID + 224),
930 makeUidRangeParcel(BASE_UID + 226, BASE_UID + 300)};
931 // Make sure no rules existed before calling commands.
932 for (auto const& range : uidRanges) {
933 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_PROHIBIT_NON_VPN, range, "prohibit"));
934 }
935 // Create two valid rules.
936 ASSERT_TRUE(mNetd->networkRejectNonSecureVpn(true, uidRanges).isOk());
937 for (auto const& range : uidRanges) {
938 EXPECT_TRUE(ipRuleExistsForRange(RULE_PRIORITY_PROHIBIT_NON_VPN, range, "prohibit"));
939 }
940
941 // Remove the rules.
942 ASSERT_TRUE(mNetd->networkRejectNonSecureVpn(false, uidRanges).isOk());
943 for (auto const& range : uidRanges) {
944 EXPECT_FALSE(ipRuleExistsForRange(RULE_PRIORITY_PROHIBIT_NON_VPN, range, "prohibit"));
945 }
946
947 // Fail to remove the rules a second time after they are already deleted.
948 binder::Status status = mNetd->networkRejectNonSecureVpn(false, uidRanges);
949 ASSERT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
950 EXPECT_EQ(ENOENT, status.serviceSpecificErrorCode());
951 }
952
953 // Create a socket pair that isLoopbackSocket won't think is local.
fakeRemoteSocketPair(unique_fd * clientSocket,unique_fd * serverSocket,unique_fd * acceptedSocket)954 void NetdBinderTest::fakeRemoteSocketPair(unique_fd* clientSocket, unique_fd* serverSocket,
955 unique_fd* acceptedSocket) {
956 serverSocket->reset(socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0));
957 struct sockaddr_in6 server6 = { .sin6_family = AF_INET6, .sin6_addr = sTun.dstAddr() };
958 ASSERT_EQ(0, bind(*serverSocket, (struct sockaddr *) &server6, sizeof(server6)));
959
960 socklen_t addrlen = sizeof(server6);
961 ASSERT_EQ(0, getsockname(*serverSocket, (struct sockaddr *) &server6, &addrlen));
962 ASSERT_EQ(0, listen(*serverSocket, 10));
963
964 clientSocket->reset(socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0));
965 struct sockaddr_in6 client6 = { .sin6_family = AF_INET6, .sin6_addr = sTun.srcAddr() };
966 ASSERT_EQ(0, bind(*clientSocket, (struct sockaddr *) &client6, sizeof(client6)));
967 ASSERT_EQ(0, connect(*clientSocket, (struct sockaddr *) &server6, sizeof(server6)));
968 ASSERT_EQ(0, getsockname(*clientSocket, (struct sockaddr *) &client6, &addrlen));
969
970 acceptedSocket->reset(
971 accept4(*serverSocket, (struct sockaddr*)&server6, &addrlen, SOCK_CLOEXEC));
972 ASSERT_NE(-1, *acceptedSocket);
973
974 ASSERT_EQ(0, memcmp(&client6, &server6, sizeof(client6)));
975 }
976
checkSocketpairOpen(int clientSocket,int acceptedSocket)977 void checkSocketpairOpen(int clientSocket, int acceptedSocket) {
978 char buf[4096];
979 EXPECT_EQ(4, write(clientSocket, "foo", sizeof("foo")));
980 EXPECT_EQ(4, read(acceptedSocket, buf, sizeof(buf)));
981 EXPECT_EQ(0, memcmp(buf, "foo", sizeof("foo")));
982 }
983
checkSocketpairClosed(int clientSocket,int acceptedSocket)984 void checkSocketpairClosed(int clientSocket, int acceptedSocket) {
985 // Check that the client socket was closed with ECONNABORTED.
986 int ret = write(clientSocket, "foo", sizeof("foo"));
987 int err = errno;
988 EXPECT_EQ(-1, ret);
989 EXPECT_EQ(ECONNABORTED, err);
990
991 // Check that it sent a RST to the server.
992 ret = write(acceptedSocket, "foo", sizeof("foo"));
993 err = errno;
994 EXPECT_EQ(-1, ret);
995 EXPECT_EQ(ECONNRESET, err);
996 }
997
TEST_F(NetdBinderTest,SocketDestroyLinkLocal)998 TEST_F(NetdBinderTest, SocketDestroyLinkLocal) {
999 // Add the same link-local address to two interfaces.
1000 const char* kLinkLocalAddress = "fe80::ace:d00d";
1001
1002 const struct addrinfo hints = {
1003 .ai_flags = AI_NUMERICHOST,
1004 .ai_family = AF_INET6,
1005 .ai_socktype = SOCK_STREAM,
1006 };
1007
1008 // The ~ in ~64 enables 'nodad' which makes these operations faster and reduces test flakiness.
1009 // Unfortunately even with 'nodad' these are still very slightly asynchronous.
1010 binder::Status status = mNetd->interfaceAddAddress(sTun.name(), kLinkLocalAddress, ~64);
1011 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1012 status = mNetd->interfaceAddAddress(sTun2.name(), kLinkLocalAddress, ~64);
1013 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1014
1015 // Add IPs to two more interfaces - purely to slow things down a little bit more.
1016 status = mNetd->interfaceAddAddress(sTun3.name(), kLinkLocalAddress, ~64);
1017 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1018 status = mNetd->interfaceAddAddress(sTun4.name(), kLinkLocalAddress, ~64);
1019 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1020
1021 // Bind a listening socket to the address on each of the interfaces.
1022 // The sockets must be open at the same time, because this test checks that SOCK_DESTROY only
1023 // destroys the sockets on the interface where the address is deleted.
1024 struct addrinfo* addrinfoList = nullptr;
1025 int ret = getaddrinfo(kLinkLocalAddress, nullptr, &hints, &addrinfoList);
1026 ScopedAddrinfo addrinfoCleanup(addrinfoList);
1027 ASSERT_EQ(0, ret) << "errno:" << errno;
1028
1029 socklen_t len = addrinfoList[0].ai_addrlen;
1030 sockaddr_in6 sin6_1 = *reinterpret_cast<sockaddr_in6*>(addrinfoList[0].ai_addr);
1031 sockaddr_in6 sin6_2 = sin6_1;
1032 sockaddr_in6 sin6_3 = sin6_1;
1033 sockaddr_in6 sin6_4 = sin6_1;
1034 sin6_1.sin6_scope_id = if_nametoindex(sTun.name().c_str());
1035 sin6_2.sin6_scope_id = if_nametoindex(sTun2.name().c_str());
1036 sin6_3.sin6_scope_id = if_nametoindex(sTun3.name().c_str());
1037 sin6_4.sin6_scope_id = if_nametoindex(sTun4.name().c_str());
1038
1039 int s1 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0);
1040 ASSERT_EQ(0, bind(s1, reinterpret_cast<sockaddr*>(&sin6_1), len)) << "errno:" << errno;
1041 ASSERT_EQ(0, getsockname(s1, reinterpret_cast<sockaddr*>(&sin6_1), &len)) << "errno:" << errno;
1042 // getsockname technically writes to len, but sizeof(sockaddr_in6) doesn't change.
1043
1044 int s2 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0);
1045 ASSERT_EQ(0, bind(s2, reinterpret_cast<sockaddr*>(&sin6_2), len)) << "errno:" << errno;
1046 ASSERT_EQ(0, getsockname(s2, reinterpret_cast<sockaddr*>(&sin6_2), &len)) << "errno:" << errno;
1047
1048 int s3 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0);
1049 ASSERT_EQ(0, bind(s3, reinterpret_cast<sockaddr*>(&sin6_3), len)) << "errno:" << errno;
1050 ASSERT_EQ(0, getsockname(s3, reinterpret_cast<sockaddr*>(&sin6_3), &len)) << "errno:" << errno;
1051
1052 int s4 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0);
1053 ASSERT_EQ(0, bind(s4, reinterpret_cast<sockaddr*>(&sin6_4), len)) << "errno:" << errno;
1054 ASSERT_EQ(0, getsockname(s4, reinterpret_cast<sockaddr*>(&sin6_4), &len)) << "errno:" << errno;
1055
1056 ASSERT_EQ(0, listen(s1, 10)) << "errno:" << errno;
1057 ASSERT_EQ(0, listen(s2, 10)) << "errno:" << errno;
1058 ASSERT_EQ(0, listen(s3, 10)) << "errno:" << errno;
1059 ASSERT_EQ(0, listen(s4, 10)) << "errno:" << errno;
1060
1061 // Connect one client socket to each and accept the connections.
1062 int c1 = socket(AF_INET6, SOCK_STREAM, 0);
1063 int c2 = socket(AF_INET6, SOCK_STREAM, 0);
1064
1065 // ~0.1% chance the kernel isn't quite done yet with adding the IPs.
1066 // In such a case these may fail with -1, errno = 101 (ENETUNREACH)
1067 ASSERT_EQ(0, connect(c1, reinterpret_cast<sockaddr*>(&sin6_1), len)) << "errno:" << errno;
1068 ASSERT_EQ(0, connect(c2, reinterpret_cast<sockaddr*>(&sin6_2), len)) << "errno:" << errno;
1069 int a1 = accept(s1, nullptr, 0);
1070 ASSERT_NE(-1, a1) << "errno:" << errno;
1071 int a2 = accept(s2, nullptr, 0);
1072 ASSERT_NE(-1, a2) << "errno:" << errno;
1073
1074 // Delete the address on sTun2.
1075 status = mNetd->interfaceDelAddress(sTun2.name(), kLinkLocalAddress, ~64);
1076 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1077
1078 // The client sockets on sTun2 are closed, but the ones on sTun1 remain open.
1079 char buf[1024];
1080 EXPECT_EQ(-1, read(c2, buf, sizeof(buf)));
1081 EXPECT_TRUE(errno == ECONNABORTED || errno == ECONNRESET) << "errno:" << errno;
1082 // The blocking read above ensures that SOCK_DESTROY has completed.
1083
1084 EXPECT_EQ(3, write(a1, "foo", 3)) << "errno:" << errno;
1085 EXPECT_EQ(3, read(c1, buf, sizeof(buf))) << "errno:" << errno;
1086 EXPECT_EQ(-1, write(a2, "foo", 3));
1087 EXPECT_TRUE(errno == ECONNABORTED || errno == ECONNRESET) << "errno:" << errno;
1088
1089 // Check the server sockets too.
1090 EXPECT_EQ(-1, accept(s1, nullptr, 0));
1091 EXPECT_EQ(EAGAIN, errno);
1092 EXPECT_EQ(-1, accept(s2, nullptr, 0));
1093 EXPECT_EQ(EINVAL, errno);
1094
1095 close(a1);
1096 close(a2);
1097
1098 close(c1);
1099 close(c2);
1100
1101 close(s1);
1102 close(s2);
1103 close(s3);
1104 close(s4);
1105 }
1106
1107 namespace {
1108
netmaskToPrefixLength(const uint8_t * buf,size_t buflen)1109 int netmaskToPrefixLength(const uint8_t *buf, size_t buflen) {
1110 if (buf == nullptr) return -1;
1111
1112 int prefixLength = 0;
1113 bool endOfContiguousBits = false;
1114 for (unsigned int i = 0; i < buflen; i++) {
1115 const uint8_t value = buf[i];
1116
1117 // Bad bit sequence: check for a contiguous set of bits from the high
1118 // end by verifying that the inverted value + 1 is a power of 2
1119 // (power of 2 iff. (v & (v - 1)) == 0).
1120 const uint8_t inverse = ~value + 1;
1121 if ((inverse & (inverse - 1)) != 0) return -1;
1122
1123 prefixLength += (value == 0) ? 0 : CHAR_BIT - ffs(value) + 1;
1124
1125 // Bogus netmask.
1126 if (endOfContiguousBits && value != 0) return -1;
1127
1128 if (value != 0xff) endOfContiguousBits = true;
1129 }
1130
1131 return prefixLength;
1132 }
1133
1134 template<typename T>
netmaskToPrefixLength(const T * p)1135 int netmaskToPrefixLength(const T *p) {
1136 return netmaskToPrefixLength(reinterpret_cast<const uint8_t*>(p), sizeof(T));
1137 }
1138
1139
interfaceHasAddress(const std::string & ifname,const char * addrString,int prefixLength)1140 static bool interfaceHasAddress(
1141 const std::string &ifname, const char *addrString, int prefixLength) {
1142 struct addrinfo *addrinfoList = nullptr;
1143
1144 const struct addrinfo hints = {
1145 .ai_flags = AI_NUMERICHOST,
1146 .ai_family = AF_UNSPEC,
1147 .ai_socktype = SOCK_DGRAM,
1148 };
1149 if (getaddrinfo(addrString, nullptr, &hints, &addrinfoList) != 0 ||
1150 addrinfoList == nullptr || addrinfoList->ai_addr == nullptr) {
1151 return false;
1152 }
1153 ScopedAddrinfo addrinfoCleanup(addrinfoList);
1154
1155 struct ifaddrs *ifaddrsList = nullptr;
1156 ScopedIfaddrs ifaddrsCleanup(ifaddrsList);
1157
1158 if (getifaddrs(&ifaddrsList) != 0) {
1159 return false;
1160 }
1161
1162 for (struct ifaddrs *addr = ifaddrsList; addr != nullptr; addr = addr->ifa_next) {
1163 if (std::string(addr->ifa_name) != ifname ||
1164 addr->ifa_addr == nullptr ||
1165 addr->ifa_addr->sa_family != addrinfoList->ai_addr->sa_family) {
1166 continue;
1167 }
1168
1169 switch (addr->ifa_addr->sa_family) {
1170 case AF_INET: {
1171 auto *addr4 = reinterpret_cast<const struct sockaddr_in*>(addr->ifa_addr);
1172 auto *want = reinterpret_cast<const struct sockaddr_in*>(addrinfoList->ai_addr);
1173 if (memcmp(&addr4->sin_addr, &want->sin_addr, sizeof(want->sin_addr)) != 0) {
1174 continue;
1175 }
1176
1177 if (prefixLength < 0) return true; // not checking prefix lengths
1178
1179 if (addr->ifa_netmask == nullptr) return false;
1180 auto *nm = reinterpret_cast<const struct sockaddr_in*>(addr->ifa_netmask);
1181 EXPECT_EQ(prefixLength, netmaskToPrefixLength(&nm->sin_addr));
1182 return (prefixLength == netmaskToPrefixLength(&nm->sin_addr));
1183 }
1184 case AF_INET6: {
1185 auto *addr6 = reinterpret_cast<const struct sockaddr_in6*>(addr->ifa_addr);
1186 auto *want = reinterpret_cast<const struct sockaddr_in6*>(addrinfoList->ai_addr);
1187 if (memcmp(&addr6->sin6_addr, &want->sin6_addr, sizeof(want->sin6_addr)) != 0) {
1188 continue;
1189 }
1190
1191 if (prefixLength < 0) return true; // not checking prefix lengths
1192
1193 if (addr->ifa_netmask == nullptr) return false;
1194 auto *nm = reinterpret_cast<const struct sockaddr_in6*>(addr->ifa_netmask);
1195 EXPECT_EQ(prefixLength, netmaskToPrefixLength(&nm->sin6_addr));
1196 return (prefixLength == netmaskToPrefixLength(&nm->sin6_addr));
1197 }
1198 default:
1199 // Cannot happen because we have already screened for matching
1200 // address families at the top of each iteration.
1201 continue;
1202 }
1203 }
1204
1205 return false;
1206 }
1207
1208 } // namespace
1209
TEST_F(NetdBinderTest,InterfaceAddRemoveAddress)1210 TEST_F(NetdBinderTest, InterfaceAddRemoveAddress) {
1211 static const struct TestData {
1212 const char *addrString;
1213 const int prefixLength;
1214 const int expectAddResult;
1215 const int expectRemoveResult;
1216 } kTestData[] = {
1217 {"192.0.2.1", 24, 0, 0},
1218 {"192.0.2.2", 25, 0, 0},
1219 {"192.0.2.3", 32, 0, 0},
1220 {"192.0.2.4", 33, EINVAL, EADDRNOTAVAIL},
1221 {"192.not.an.ip", 24, EINVAL, EINVAL},
1222 {"2001:db8::1", 64, 0, 0},
1223 {"2001:db8::2", 65, 0, 0},
1224 {"2001:db8::3", 128, 0, 0},
1225 {"fe80::1234", 64, 0, 0},
1226 {"2001:db8::4", 129, EINVAL, EINVAL},
1227 {"foo:bar::bad", 64, EINVAL, EINVAL},
1228 {"2001:db8::1/64", 64, EINVAL, EINVAL},
1229 };
1230
1231 for (size_t i = 0; i < std::size(kTestData); i++) {
1232 const auto &td = kTestData[i];
1233
1234 SCOPED_TRACE(String8::format("Offending IP address %s/%d", td.addrString, td.prefixLength));
1235
1236 // [1.a] Add the address.
1237 binder::Status status = mNetd->interfaceAddAddress(
1238 sTun.name(), td.addrString, td.prefixLength);
1239 if (td.expectAddResult == 0) {
1240 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1241 } else {
1242 ASSERT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1243 ASSERT_EQ(td.expectAddResult, status.serviceSpecificErrorCode());
1244 }
1245
1246 // [1.b] Verify the addition meets the expectation.
1247 if (td.expectAddResult == 0) {
1248 EXPECT_TRUE(interfaceHasAddress(sTun.name(), td.addrString, td.prefixLength));
1249 } else {
1250 EXPECT_FALSE(interfaceHasAddress(sTun.name(), td.addrString, -1));
1251 }
1252
1253 // [2.a] Try to remove the address. If it was not previously added, removing it fails.
1254 status = mNetd->interfaceDelAddress(sTun.name(), td.addrString, td.prefixLength);
1255 if (td.expectRemoveResult == 0) {
1256 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1257 } else {
1258 ASSERT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1259 ASSERT_EQ(td.expectRemoveResult, status.serviceSpecificErrorCode());
1260 }
1261
1262 // [2.b] No matter what, the address should not be present.
1263 EXPECT_FALSE(interfaceHasAddress(sTun.name(), td.addrString, -1));
1264 }
1265
1266 // Check that netlink errors are returned correctly.
1267 // We do this by attempting to create an IPv6 address on an interface that has IPv6 disabled,
1268 // which returns EACCES.
1269 TunInterface tun;
1270 ASSERT_EQ(0, tun.init());
1271 binder::Status status =
1272 mNetd->setProcSysNet(INetd::IPV6, INetd::CONF, tun.name(), "disable_ipv6", "1");
1273 ASSERT_TRUE(status.isOk()) << status.exceptionMessage();
1274 status = mNetd->interfaceAddAddress(tun.name(), "2001:db8::1", 64);
1275 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1276 EXPECT_EQ(EACCES, status.serviceSpecificErrorCode());
1277 tun.destroy();
1278 }
1279
TEST_F(NetdBinderTest,GetProcSysNet)1280 TEST_F(NetdBinderTest, GetProcSysNet) {
1281 const char* LOOPBACK = "lo";
1282 static const struct {
1283 const int ipversion;
1284 const int which;
1285 const char* ifname;
1286 const char* parameter;
1287 const char* expectedValue;
1288 const int expectedReturnCode;
1289 } kTestData[] = {
1290 {INetd::IPV4, INetd::CONF, LOOPBACK, "arp_ignore", "0", 0},
1291 {-1, INetd::CONF, sTun.name().c_str(), "arp_ignore", nullptr, EAFNOSUPPORT},
1292 {INetd::IPV4, -1, sTun.name().c_str(), "arp_ignore", nullptr, EINVAL},
1293 {INetd::IPV4, INetd::CONF, "..", "conf/lo/arp_ignore", nullptr, EINVAL},
1294 {INetd::IPV4, INetd::CONF, ".", "lo/arp_ignore", nullptr, EINVAL},
1295 {INetd::IPV4, INetd::CONF, sTun.name().c_str(), "../all/arp_ignore", nullptr, EINVAL},
1296 {INetd::IPV6, INetd::NEIGH, LOOPBACK, "ucast_solicit", "3", 0},
1297 };
1298
1299 for (size_t i = 0; i < std::size(kTestData); i++) {
1300 const auto& td = kTestData[i];
1301
1302 std::string value;
1303 const binder::Status status =
1304 mNetd->getProcSysNet(td.ipversion, td.which, td.ifname, td.parameter, &value);
1305
1306 if (td.expectedReturnCode == 0) {
1307 SCOPED_TRACE(String8::format("test case %zu should have passed", i));
1308 EXPECT_EQ(0, status.exceptionCode());
1309 EXPECT_EQ(0, status.serviceSpecificErrorCode());
1310 EXPECT_EQ(td.expectedValue, value);
1311 } else {
1312 SCOPED_TRACE(String8::format("test case %zu should have failed", i));
1313 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1314 EXPECT_EQ(td.expectedReturnCode, status.serviceSpecificErrorCode());
1315 }
1316 }
1317 }
1318
TEST_F(NetdBinderTest,SetProcSysNet)1319 TEST_F(NetdBinderTest, SetProcSysNet) {
1320 static const struct {
1321 const int ipversion;
1322 const int which;
1323 const char* ifname;
1324 const char* parameter;
1325 const char* value;
1326 const int expectedReturnCode;
1327 } kTestData[] = {
1328 {INetd::IPV4, INetd::CONF, sTun.name().c_str(), "arp_ignore", "1", 0},
1329 {-1, INetd::CONF, sTun.name().c_str(), "arp_ignore", "1", EAFNOSUPPORT},
1330 {INetd::IPV4, -1, sTun.name().c_str(), "arp_ignore", "1", EINVAL},
1331 {INetd::IPV4, INetd::CONF, "..", "conf/lo/arp_ignore", "1", EINVAL},
1332 {INetd::IPV4, INetd::CONF, ".", "lo/arp_ignore", "1", EINVAL},
1333 {INetd::IPV4, INetd::CONF, sTun.name().c_str(), "../all/arp_ignore", "1", EINVAL},
1334 {INetd::IPV6, INetd::NEIGH, sTun.name().c_str(), "ucast_solicit", "7", 0},
1335 };
1336
1337 for (size_t i = 0; i < std::size(kTestData); i++) {
1338 const auto& td = kTestData[i];
1339 const binder::Status status =
1340 mNetd->setProcSysNet(td.ipversion, td.which, td.ifname, td.parameter, td.value);
1341
1342 if (td.expectedReturnCode == 0) {
1343 SCOPED_TRACE(String8::format("test case %zu should have passed", i));
1344 EXPECT_EQ(0, status.exceptionCode());
1345 EXPECT_EQ(0, status.serviceSpecificErrorCode());
1346 } else {
1347 SCOPED_TRACE(String8::format("test case %zu should have failed", i));
1348 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
1349 EXPECT_EQ(td.expectedReturnCode, status.serviceSpecificErrorCode());
1350 }
1351 }
1352 }
1353
TEST_F(NetdBinderTest,GetSetProcSysNet)1354 TEST_F(NetdBinderTest, GetSetProcSysNet) {
1355 const int ipversion = INetd::IPV6;
1356 const int category = INetd::NEIGH;
1357 const std::string& tun = sTun.name();
1358 const std::string parameter("ucast_solicit");
1359
1360 std::string value{};
1361 EXPECT_TRUE(mNetd->getProcSysNet(ipversion, category, tun, parameter, &value).isOk());
1362 ASSERT_FALSE(value.empty());
1363 const int ival = std::stoi(value);
1364 EXPECT_GT(ival, 0);
1365 // Try doubling the parameter value (always best!).
1366 EXPECT_TRUE(mNetd->setProcSysNet(ipversion, category, tun, parameter, std::to_string(2 * ival))
1367 .isOk());
1368 EXPECT_TRUE(mNetd->getProcSysNet(ipversion, category, tun, parameter, &value).isOk());
1369 EXPECT_EQ(2 * ival, std::stoi(value));
1370 // Try resetting the parameter.
1371 EXPECT_TRUE(mNetd->setProcSysNet(ipversion, category, tun, parameter, std::to_string(ival))
1372 .isOk());
1373 EXPECT_TRUE(mNetd->getProcSysNet(ipversion, category, tun, parameter, &value).isOk());
1374 EXPECT_EQ(ival, std::stoi(value));
1375 }
1376
1377 namespace {
1378
expectNoTestCounterRules()1379 void expectNoTestCounterRules() {
1380 for (const auto& binary : { IPTABLES_PATH, IP6TABLES_PATH }) {
1381 std::string command = StringPrintf("%s -w -nvL tetherctrl_counters", binary);
1382 std::string allRules = Join(runCommand(command), "\n");
1383 EXPECT_EQ(std::string::npos, allRules.find("netdtest_"));
1384 }
1385 }
1386
addTetherCounterValues(const char * path,const std::string & if1,const std::string & if2,int byte,int pkt)1387 void addTetherCounterValues(const char* path, const std::string& if1, const std::string& if2,
1388 int byte, int pkt) {
1389 runCommand(StringPrintf("%s -w -A tetherctrl_counters -i %s -o %s -j RETURN -c %d %d",
1390 path, if1.c_str(), if2.c_str(), pkt, byte));
1391 }
1392
delTetherCounterValues(const char * path,const std::string & if1,const std::string & if2)1393 void delTetherCounterValues(const char* path, const std::string& if1, const std::string& if2) {
1394 runCommand(StringPrintf("%s -w -D tetherctrl_counters -i %s -o %s -j RETURN",
1395 path, if1.c_str(), if2.c_str()));
1396 runCommand(StringPrintf("%s -w -D tetherctrl_counters -i %s -o %s -j RETURN",
1397 path, if2.c_str(), if1.c_str()));
1398 }
1399
getStatsVectorByIf(const std::vector<TetherStatsParcel> & statsVec,const std::string & iface)1400 std::vector<int64_t> getStatsVectorByIf(const std::vector<TetherStatsParcel>& statsVec,
1401 const std::string& iface) {
1402 for (auto& stats : statsVec) {
1403 if (stats.iface == iface) {
1404 return {stats.rxBytes, stats.rxPackets, stats.txBytes, stats.txPackets};
1405 }
1406 }
1407 return {};
1408 }
1409
1410 } // namespace
1411
TEST_F(NetdBinderTest,TetherGetStats)1412 TEST_F(NetdBinderTest, TetherGetStats) {
1413 expectNoTestCounterRules();
1414
1415 // TODO: fold this into more comprehensive tests once we have binder RPCs for enabling and
1416 // disabling tethering. We don't check the return value because these commands will fail if
1417 // tethering is already enabled.
1418 runCommand(StringPrintf("%s -w -N tetherctrl_counters", IPTABLES_PATH));
1419 runCommand(StringPrintf("%s -w -N tetherctrl_counters", IP6TABLES_PATH));
1420
1421 std::string intIface1 = StringPrintf("netdtest_%u", arc4random_uniform(10000));
1422 std::string intIface2 = StringPrintf("netdtest_%u", arc4random_uniform(10000));
1423 std::string intIface3 = StringPrintf("netdtest_%u", arc4random_uniform(10000));
1424
1425 // Ensure we won't use the same interface name, otherwise the test will fail.
1426 u_int32_t rNumber = arc4random_uniform(10000);
1427 std::string extIface1 = StringPrintf("netdtest_%u", rNumber);
1428 std::string extIface2 = StringPrintf("netdtest_%u", rNumber + 1);
1429
1430 addTetherCounterValues(IPTABLES_PATH, intIface1, extIface1, 123, 111);
1431 addTetherCounterValues(IP6TABLES_PATH, intIface1, extIface1, 456, 10);
1432 addTetherCounterValues(IPTABLES_PATH, extIface1, intIface1, 321, 222);
1433 addTetherCounterValues(IP6TABLES_PATH, extIface1, intIface1, 654, 20);
1434 // RX is from external to internal, and TX is from internal to external.
1435 // So rxBytes is 321 + 654 = 975, txBytes is 123 + 456 = 579, etc.
1436 std::vector<int64_t> expected1 = { 975, 242, 579, 121 };
1437
1438 addTetherCounterValues(IPTABLES_PATH, intIface2, extIface2, 1000, 333);
1439 addTetherCounterValues(IP6TABLES_PATH, intIface2, extIface2, 3000, 30);
1440
1441 addTetherCounterValues(IPTABLES_PATH, extIface2, intIface2, 2000, 444);
1442 addTetherCounterValues(IP6TABLES_PATH, extIface2, intIface2, 4000, 40);
1443
1444 addTetherCounterValues(IP6TABLES_PATH, intIface3, extIface2, 1000, 25);
1445 addTetherCounterValues(IP6TABLES_PATH, extIface2, intIface3, 2000, 35);
1446 std::vector<int64_t> expected2 = { 8000, 519, 5000, 388 };
1447
1448 std::vector<TetherStatsParcel> statsVec;
1449 binder::Status status = mNetd->tetherGetStats(&statsVec);
1450 EXPECT_TRUE(status.isOk()) << "Getting tethering stats failed: " << status;
1451
1452 EXPECT_EQ(expected1, getStatsVectorByIf(statsVec, extIface1));
1453
1454 EXPECT_EQ(expected2, getStatsVectorByIf(statsVec, extIface2));
1455
1456 for (const auto& path : { IPTABLES_PATH, IP6TABLES_PATH }) {
1457 delTetherCounterValues(path, intIface1, extIface1);
1458 delTetherCounterValues(path, intIface2, extIface2);
1459 if (strcmp(path, IP6TABLES_PATH) == 0) {
1460 delTetherCounterValues(path, intIface3, extIface2);
1461 }
1462 }
1463
1464 expectNoTestCounterRules();
1465 }
1466
1467 namespace {
1468
1469 constexpr char IDLETIMER_RAW_PREROUTING[] = "idletimer_raw_PREROUTING";
1470 constexpr char IDLETIMER_MANGLE_POSTROUTING[] = "idletimer_mangle_POSTROUTING";
1471
listIptablesRuleByTable(const char * binary,const char * table,const char * chainName)1472 static std::vector<std::string> listIptablesRuleByTable(const char* binary, const char* table,
1473 const char* chainName) {
1474 std::string command = StringPrintf("%s -t %s -w -n -v -L %s", binary, table, chainName);
1475 return runCommand(command);
1476 }
1477
iptablesInterfaceRuleExists(const char * binary,const char * chainName,const std::string & expectedInterface,const std::string & expectedRule,const char * table)1478 bool iptablesInterfaceRuleExists(const char* binary, const char* chainName,
1479 const std::string& expectedInterface,
1480 const std::string& expectedRule, const char* table) {
1481 std::vector<std::string> rules = listIptablesRuleByTable(binary, table, chainName);
1482 for (const auto& rule : rules) {
1483 if (rule.find(expectedInterface) != std::string::npos) {
1484 if (rule.find(expectedRule) != std::string::npos) {
1485 return true;
1486 }
1487 }
1488 }
1489 return false;
1490 }
1491
expectIdletimerInterfaceRuleExists(const std::string & ifname,int timeout,const std::string & classLabel)1492 void expectIdletimerInterfaceRuleExists(const std::string& ifname, int timeout,
1493 const std::string& classLabel) {
1494 std::string IdletimerRule =
1495 StringPrintf("timeout:%u label:%s send_nl_msg", timeout, classLabel.c_str());
1496 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1497 EXPECT_TRUE(iptablesInterfaceRuleExists(binary, IDLETIMER_RAW_PREROUTING, ifname,
1498 IdletimerRule, RAW_TABLE));
1499 EXPECT_TRUE(iptablesInterfaceRuleExists(binary, IDLETIMER_MANGLE_POSTROUTING, ifname,
1500 IdletimerRule, MANGLE_TABLE));
1501 }
1502 }
1503
expectIdletimerInterfaceRuleNotExists(const std::string & ifname,int timeout,const std::string & classLabel)1504 void expectIdletimerInterfaceRuleNotExists(const std::string& ifname, int timeout,
1505 const std::string& classLabel) {
1506 std::string IdletimerRule =
1507 StringPrintf("timeout:%u label:%s send_nl_msg", timeout, classLabel.c_str());
1508 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1509 EXPECT_FALSE(iptablesInterfaceRuleExists(binary, IDLETIMER_RAW_PREROUTING, ifname,
1510 IdletimerRule, RAW_TABLE));
1511 EXPECT_FALSE(iptablesInterfaceRuleExists(binary, IDLETIMER_MANGLE_POSTROUTING, ifname,
1512 IdletimerRule, MANGLE_TABLE));
1513 }
1514 }
1515
1516 } // namespace
1517
TEST_F(NetdBinderTest,IdletimerAddRemoveInterface)1518 TEST_F(NetdBinderTest, IdletimerAddRemoveInterface) {
1519 // TODO: We will get error in if expectIdletimerInterfaceRuleNotExists if there are the same
1520 // rule in the table. Because we only check the result after calling remove function. We might
1521 // check the actual rule which is removed by our function (maybe compare the results between
1522 // calling function before and after)
1523 binder::Status status;
1524 const struct TestData {
1525 const std::string ifname;
1526 int32_t timeout;
1527 const std::string classLabel;
1528 } idleTestData[] = {
1529 {"wlan0", 1234, "happyday"},
1530 {"rmnet_data0", 4567, "friday"},
1531 };
1532 for (const auto& td : idleTestData) {
1533 status = mNetd->idletimerAddInterface(td.ifname, td.timeout, td.classLabel);
1534 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1535 expectIdletimerInterfaceRuleExists(td.ifname, td.timeout, td.classLabel);
1536
1537 status = mNetd->idletimerRemoveInterface(td.ifname, td.timeout, td.classLabel);
1538 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1539 expectIdletimerInterfaceRuleNotExists(td.ifname, td.timeout, td.classLabel);
1540 }
1541 }
1542
1543 namespace {
1544
1545 constexpr char STRICT_OUTPUT[] = "st_OUTPUT";
1546 constexpr char STRICT_CLEAR_CAUGHT[] = "st_clear_caught";
1547
1548 // Output looks like this:
1549 //
1550 // IPv4:
1551 //
1552 // throw dst proto static scope link
1553 // unreachable dst proto static scope link
1554 // dst via nextHop dev ifName proto static
1555 // dst dev ifName proto static scope link
1556 //
1557 // IPv6:
1558 //
1559 // throw dst dev lo proto static metric 1024
1560 // unreachable dst dev lo proto static metric 1024
1561 // dst via nextHop dev ifName proto static metric 1024
1562 // dst dev ifName proto static metric 1024
ipRoutePrefix(const std::string & ifName,const std::string & dst,const std::string & nextHop)1563 std::string ipRoutePrefix(const std::string& ifName, const std::string& dst,
1564 const std::string& nextHop) {
1565 std::string prefixString;
1566
1567 bool isThrow = nextHop == "throw";
1568 bool isUnreachable = nextHop == "unreachable";
1569 bool isDefault = (dst == "0.0.0.0/0" || dst == "::/0");
1570 bool isIPv6 = dst.find(':') != std::string::npos;
1571 bool isThrowOrUnreachable = isThrow || isUnreachable;
1572
1573 if (isThrowOrUnreachable) {
1574 prefixString += nextHop + " ";
1575 }
1576
1577 prefixString += isDefault ? "default" : dst;
1578
1579 if (!nextHop.empty() && !isThrowOrUnreachable) {
1580 prefixString += " via " + nextHop;
1581 }
1582
1583 if (isThrowOrUnreachable) {
1584 if (isIPv6) {
1585 prefixString += " dev lo";
1586 }
1587 } else {
1588 prefixString += " dev " + ifName;
1589 }
1590
1591 prefixString += " proto static";
1592
1593 // IPv6 routes report the metric, IPv4 routes report the scope.
1594 if (isIPv6) {
1595 prefixString += " metric 1024";
1596 } else {
1597 if (nextHop.empty() || isThrowOrUnreachable) {
1598 prefixString += " scope link";
1599 }
1600 }
1601
1602 return prefixString;
1603 }
1604
expectStrictSetUidAccept(const int uid)1605 void expectStrictSetUidAccept(const int uid) {
1606 std::string uidRule = StringPrintf("owner UID match %u", uid);
1607 std::string perUidChain = StringPrintf("st_clear_caught_%u", uid);
1608 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1609 EXPECT_FALSE(iptablesRuleExists(binary, STRICT_OUTPUT, uidRule));
1610 EXPECT_FALSE(iptablesRuleExists(binary, STRICT_CLEAR_CAUGHT, uidRule));
1611 EXPECT_EQ(0, iptablesRuleLineLength(binary, perUidChain.c_str()));
1612 }
1613 }
1614
expectStrictSetUidLog(const int uid)1615 void expectStrictSetUidLog(const int uid) {
1616 static const char logRule[] = "st_penalty_log all";
1617 std::string uidRule = StringPrintf("owner UID match %u", uid);
1618 std::string perUidChain = StringPrintf("st_clear_caught_%u", uid);
1619 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1620 EXPECT_TRUE(iptablesRuleExists(binary, STRICT_OUTPUT, uidRule));
1621 EXPECT_TRUE(iptablesRuleExists(binary, STRICT_CLEAR_CAUGHT, uidRule));
1622 EXPECT_TRUE(iptablesRuleExists(binary, perUidChain.c_str(), logRule));
1623 }
1624 }
1625
expectStrictSetUidReject(const int uid)1626 void expectStrictSetUidReject(const int uid) {
1627 static const char rejectRule[] = "st_penalty_reject all";
1628 std::string uidRule = StringPrintf("owner UID match %u", uid);
1629 std::string perUidChain = StringPrintf("st_clear_caught_%u", uid);
1630 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1631 EXPECT_TRUE(iptablesRuleExists(binary, STRICT_OUTPUT, uidRule));
1632 EXPECT_TRUE(iptablesRuleExists(binary, STRICT_CLEAR_CAUGHT, uidRule));
1633 EXPECT_TRUE(iptablesRuleExists(binary, perUidChain.c_str(), rejectRule));
1634 }
1635 }
1636
ipRouteSubstrings(const std::string & ifName,const std::string & dst,const std::string & nextHop,const std::string & mtu)1637 std::vector<std::string> ipRouteSubstrings(const std::string& ifName, const std::string& dst,
1638 const std::string& nextHop, const std::string& mtu) {
1639 std::vector<std::string> routeSubstrings;
1640
1641 routeSubstrings.push_back(ipRoutePrefix(ifName, dst, nextHop));
1642
1643 if (!mtu.empty()) {
1644 // Add separate substring to match mtu value.
1645 // This is needed because on some devices "error -11"/"error -113" appears between ip prefix
1646 // and mtu for throw/unreachable routes.
1647 routeSubstrings.push_back("mtu " + mtu);
1648 }
1649
1650 return routeSubstrings;
1651 }
1652
expectNetworkRouteDoesNotExistWithMtu(const char * ipVersion,const std::string & ifName,const std::string & dst,const std::string & nextHop,const std::string & mtu,const char * table)1653 void expectNetworkRouteDoesNotExistWithMtu(const char* ipVersion, const std::string& ifName,
1654 const std::string& dst, const std::string& nextHop,
1655 const std::string& mtu, const char* table) {
1656 std::vector<std::string> routeSubstrings = ipRouteSubstrings(ifName, dst, nextHop, mtu);
1657 EXPECT_FALSE(ipRouteExists(ipVersion, table, routeSubstrings))
1658 << "Found unexpected route [" << Join(routeSubstrings, ", ") << "] in table " << table;
1659 }
1660
expectNetworkRouteExistsWithMtu(const char * ipVersion,const std::string & ifName,const std::string & dst,const std::string & nextHop,const std::string & mtu,const char * table)1661 void expectNetworkRouteExistsWithMtu(const char* ipVersion, const std::string& ifName,
1662 const std::string& dst, const std::string& nextHop,
1663 const std::string& mtu, const char* table) {
1664 std::vector<std::string> routeSubstrings = ipRouteSubstrings(ifName, dst, nextHop, mtu);
1665 EXPECT_TRUE(ipRouteExists(ipVersion, table, routeSubstrings))
1666 << "Couldn't find route to " << dst << ": [" << Join(routeSubstrings, ", ")
1667 << "] in table " << table;
1668 }
1669
expectVpnLocalExclusionRuleExists(const std::string & ifName,bool expectExists)1670 void expectVpnLocalExclusionRuleExists(const std::string& ifName, bool expectExists) {
1671 std::string tableName = std::string(ifName + "_local");
1672 // Check if rule exists
1673 std::string vpnLocalExclusionRule =
1674 StringPrintf("%d:\tfrom all fwmark 0x0/0x10000 iif lo lookup %s",
1675 RULE_PRIORITY_LOCAL_ROUTES, tableName.c_str());
1676 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
1677 EXPECT_EQ(expectExists, ipRuleExists(ipVersion, vpnLocalExclusionRule));
1678 }
1679 }
1680
expectNetworkRouteExists(const char * ipVersion,const std::string & ifName,const std::string & dst,const std::string & nextHop,const char * table)1681 void expectNetworkRouteExists(const char* ipVersion, const std::string& ifName,
1682 const std::string& dst, const std::string& nextHop,
1683 const char* table) {
1684 expectNetworkRouteExistsWithMtu(ipVersion, ifName, dst, nextHop, "", table);
1685 }
1686
expectNetworkRouteDoesNotExist(const char * ipVersion,const std::string & ifName,const std::string & dst,const std::string & nextHop,const char * table)1687 void expectNetworkRouteDoesNotExist(const char* ipVersion, const std::string& ifName,
1688 const std::string& dst, const std::string& nextHop,
1689 const char* table) {
1690 expectNetworkRouteDoesNotExistWithMtu(ipVersion, ifName, dst, nextHop, "", table);
1691 }
1692
expectNetworkDefaultIpRuleExists(const char * ifName)1693 void expectNetworkDefaultIpRuleExists(const char* ifName) {
1694 std::string networkDefaultRule =
1695 StringPrintf("%u:\tfrom all fwmark 0x0/0xffff iif lo lookup %s",
1696 RULE_PRIORITY_DEFAULT_NETWORK, ifName);
1697
1698 expectRuleForV4AndV6(ALL_EXIST, networkDefaultRule);
1699 }
1700
expectNetworkDefaultIpRuleDoesNotExist()1701 void expectNetworkDefaultIpRuleDoesNotExist() {
1702 std::string networkDefaultRule =
1703 StringPrintf("%u:\tfrom all fwmark 0x0/0xffff iif lo", RULE_PRIORITY_DEFAULT_NETWORK);
1704
1705 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
1706 std::vector<std::string> rules = listIpRules(ipVersion);
1707 for (const auto& line : rules) {
1708 if (android::base::StartsWith(line, networkDefaultRule)) {
1709 FAIL();
1710 }
1711 }
1712 }
1713 }
1714
expectNetworkPermissionIpRuleExists(const char * ifName,int permission)1715 void expectNetworkPermissionIpRuleExists(const char* ifName, int permission) {
1716 std::string networkPermissionRule = "";
1717 switch (permission) {
1718 case INetd::PERMISSION_NONE:
1719 networkPermissionRule =
1720 StringPrintf("%u:\tfrom all fwmark 0x1ffdd/0x1ffff iif lo lookup %s",
1721 RULE_PRIORITY_EXPLICIT_NETWORK, ifName);
1722 break;
1723 case INetd::PERMISSION_NETWORK:
1724 networkPermissionRule =
1725 StringPrintf("%u:\tfrom all fwmark 0x5ffdd/0x5ffff iif lo lookup %s",
1726 RULE_PRIORITY_EXPLICIT_NETWORK, ifName);
1727 break;
1728 case INetd::PERMISSION_SYSTEM:
1729 networkPermissionRule =
1730 StringPrintf("%u:\tfrom all fwmark 0xdffdd/0xdffff iif lo lookup %s",
1731 RULE_PRIORITY_EXPLICIT_NETWORK, ifName);
1732 break;
1733 }
1734
1735 expectRuleForV4AndV6(ALL_EXIST, networkPermissionRule);
1736 }
1737
expectNetworkPermissionIptablesRuleExists(const char * ifName,int permission)1738 void expectNetworkPermissionIptablesRuleExists(const char* ifName, int permission) {
1739 static const char ROUTECTRL_INPUT[] = "routectrl_mangle_INPUT";
1740 std::string networkIncomingPacketMarkRule = "";
1741 switch (permission) {
1742 case INetd::PERMISSION_NONE:
1743 networkIncomingPacketMarkRule = "MARK xset 0x3ffdd/0x7fefffff";
1744 break;
1745 case INetd::PERMISSION_NETWORK:
1746 networkIncomingPacketMarkRule = "MARK xset 0x7ffdd/0x7fefffff";
1747 break;
1748 case INetd::PERMISSION_SYSTEM:
1749 networkIncomingPacketMarkRule = "MARK xset 0xfffdd/0x7fefffff";
1750 break;
1751 }
1752
1753 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
1754 EXPECT_TRUE(iptablesInterfaceRuleExists(binary, ROUTECTRL_INPUT, ifName,
1755 networkIncomingPacketMarkRule, MANGLE_TABLE));
1756 }
1757 }
1758
1759 } // namespace
1760
TEST_F(NetdBinderTest,StrictSetUidCleartextPenalty)1761 TEST_F(NetdBinderTest, StrictSetUidCleartextPenalty) {
1762 binder::Status status;
1763 int32_t uid = randomUid();
1764
1765 // setUidCleartextPenalty Policy:Log with randomUid
1766 status = mNetd->strictUidCleartextPenalty(uid, INetd::PENALTY_POLICY_LOG);
1767 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1768 expectStrictSetUidLog(uid);
1769
1770 // setUidCleartextPenalty Policy:Accept with randomUid
1771 status = mNetd->strictUidCleartextPenalty(uid, INetd::PENALTY_POLICY_ACCEPT);
1772 expectStrictSetUidAccept(uid);
1773
1774 // setUidCleartextPenalty Policy:Reject with randomUid
1775 status = mNetd->strictUidCleartextPenalty(uid, INetd::PENALTY_POLICY_REJECT);
1776 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1777 expectStrictSetUidReject(uid);
1778
1779 // setUidCleartextPenalty Policy:Accept with randomUid
1780 status = mNetd->strictUidCleartextPenalty(uid, INetd::PENALTY_POLICY_ACCEPT);
1781 expectStrictSetUidAccept(uid);
1782
1783 // test wrong policy
1784 int32_t wrongPolicy = -123;
1785 status = mNetd->strictUidCleartextPenalty(uid, wrongPolicy);
1786 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
1787 }
1788
1789 namespace {
1790
tryToFindProcesses(const std::string & processName,uint32_t maxTries=1,uint32_t intervalMs=50)1791 std::vector<std::string> tryToFindProcesses(const std::string& processName, uint32_t maxTries = 1,
1792 uint32_t intervalMs = 50) {
1793 // Output looks like:(clatd)
1794 // clat 4963 850 1 12:16:51 ? 00:00:00 clatd-netd10a88 -i netd10a88 ...
1795 // ...
1796 // root 5221 5219 0 12:18:12 ? 00:00:00 sh -c ps -Af | grep ' clatd-netdcc1a0'
1797
1798 // (dnsmasq)
1799 // dns_tether 4620 792 0 16:51:28 ? 00:00:00 dnsmasq --keep-in-foreground ...
1800
1801 if (maxTries == 0) return {};
1802
1803 std::string cmd = StringPrintf("ps -Af | grep '[0-9] %s'", processName.c_str());
1804 std::vector<std::string> result;
1805 for (uint32_t run = 1;;) {
1806 result = runCommand(cmd);
1807 if (result.size() || ++run > maxTries) {
1808 break;
1809 }
1810
1811 usleep(intervalMs * 1000);
1812 }
1813 return result;
1814 }
1815
expectProcessExists(const std::string & processName)1816 void expectProcessExists(const std::string& processName) {
1817 EXPECT_EQ(1U, tryToFindProcesses(processName, 5 /*maxTries*/).size());
1818 }
1819
expectProcessDoesNotExist(const std::string & processName)1820 void expectProcessDoesNotExist(const std::string& processName) {
1821 EXPECT_FALSE(tryToFindProcesses(processName).size());
1822 }
1823
1824 } // namespace
1825
TEST_F(NetdBinderTest,NetworkAddRemoveRouteToLocalExcludeTable)1826 TEST_F(NetdBinderTest, NetworkAddRemoveRouteToLocalExcludeTable) {
1827 static const struct {
1828 const char* ipVersion;
1829 const char* testDest;
1830 const char* testNextHop;
1831 const bool expectInLocalTable;
1832 } kTestData[] = {{IP_RULE_V6, "::/0", "fe80::", false},
1833 {IP_RULE_V6, "::/0", "", false},
1834 {IP_RULE_V6, "2001:db8:cafe::/64", "fe80::", false},
1835 {IP_RULE_V6, "fe80::/64", "", true},
1836 {IP_RULE_V6, "2001:db8:cafe::/48", "", true},
1837 {IP_RULE_V6, "2001:db8:cafe::/64", "unreachable", false},
1838 {IP_RULE_V6, "2001:db8:ca00::/40", "", true},
1839 {IP_RULE_V4, "0.0.0.0/0", "10.251.10.1", false},
1840 {IP_RULE_V4, "192.1.0.0/16", "", false},
1841 {IP_RULE_V4, "192.168.0.0/15", "", false},
1842 {IP_RULE_V4, "192.168.0.0/16", "", true},
1843 {IP_RULE_V4, "192.168.0.0/24", "", true},
1844 {IP_RULE_V4, "100.1.0.0/16", "", false},
1845 {IP_RULE_V4, "100.0.0.0/8", "", false},
1846 {IP_RULE_V4, "100.64.0.0/10", "", true},
1847 {IP_RULE_V4, "100.64.0.0/16", "", true},
1848 {IP_RULE_V4, "100.64.0.0/10", "throw", false},
1849 {IP_RULE_V4, "172.0.0.0/8", "", false},
1850 {IP_RULE_V4, "172.16.0.0/12", "", true},
1851 {IP_RULE_V4, "172.16.0.0/16", "", true},
1852 {IP_RULE_V4, "172.16.0.0/12", "unreachable", false},
1853 {IP_RULE_V4, "172.32.0.0/12", "", false},
1854 {IP_RULE_V4, "169.0.0.0/8", "", false},
1855 {IP_RULE_V4, "169.254.0.0/16", "", true},
1856 {IP_RULE_V4, "169.254.0.0/20", "", true},
1857 {IP_RULE_V4, "169.254.3.0/24", "", true},
1858 {IP_RULE_V4, "170.254.0.0/16", "", false},
1859 {IP_RULE_V4, "10.0.0.0/8", "", true},
1860 {IP_RULE_V4, "10.0.0.0/7", "", false},
1861 {IP_RULE_V4, "10.0.0.0/16", "", true},
1862 {IP_RULE_V4, "10.251.0.0/16", "", true},
1863 {IP_RULE_V4, "10.251.250.0/24", "", true},
1864 {IP_RULE_V4, "10.251.10.2/31", "throw", false},
1865 {IP_RULE_V4, "10.251.10.2/31", "unreachable", false}};
1866
1867 // To ensure that the nexthops for the above are reachable.
1868 // Otherwise, the routes can't be created.
1869 static const struct {
1870 const char* ipVersion;
1871 const char* testDest;
1872 const char* testNextHop;
1873 } kDirectlyConnectedRoutes[] = {
1874 {IP_RULE_V4, "10.251.10.0/30", ""},
1875 {IP_RULE_V6, "2001:db8::/32", ""},
1876 };
1877
1878 // This should ba aligned with V4_FIXED_LOCAL_PREFIXES in system/netd/server/RouteController.cpp
1879 // An expandable array for fixed local prefix though it's only one element now.
1880 static const char* kV4LocalPrefixes[] = {"224.0.0.0/24"};
1881
1882 // Add test physical network
1883 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
1884 INetd::PERMISSION_NONE, false, false);
1885 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
1886 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
1887
1888 // Get current default network NetId
1889 binder::Status status = mNetd->networkGetDefault(&mStoredDefaultNetwork);
1890 ASSERT_TRUE(status.isOk()) << status.exceptionMessage();
1891
1892 // Set default network
1893 EXPECT_TRUE(mNetd->networkSetDefault(TEST_NETID1).isOk());
1894
1895 std::string localTableName = std::string(sTun.name() + "_local");
1896
1897 // Verify the fixed routes exist in the local table.
1898 for (size_t i = 0; i < std::size(kV4LocalPrefixes); i++) {
1899 expectNetworkRouteExists(IP_RULE_V4, sTun.name(), kV4LocalPrefixes[i], "",
1900 localTableName.c_str());
1901 }
1902
1903 // Set up link-local routes for connectivity to the "gateway"
1904 for (size_t i = 0; i < std::size(kDirectlyConnectedRoutes); i++) {
1905 const auto& td = kDirectlyConnectedRoutes[i];
1906
1907 binder::Status status =
1908 mNetd->networkAddRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
1909 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1910 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1911 sTun.name().c_str());
1912 // Verify routes in local table
1913 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1914 localTableName.c_str());
1915 }
1916
1917 for (size_t i = 0; i < std::size(kTestData); i++) {
1918 const auto& td = kTestData[i];
1919 SCOPED_TRACE(StringPrintf("case ip:%s, dest:%s, nexHop:%s, expect:%d", td.ipVersion,
1920 td.testDest, td.testNextHop, td.expectInLocalTable));
1921 binder::Status status =
1922 mNetd->networkAddRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
1923 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1924 // Verify routes in local table
1925 if (td.expectInLocalTable) {
1926 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1927 localTableName.c_str());
1928 } else {
1929 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1930 localTableName.c_str());
1931 }
1932
1933 status = mNetd->networkRemoveRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
1934 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1935 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
1936 localTableName.c_str());
1937 }
1938
1939 for (size_t i = 0; i < std::size(kDirectlyConnectedRoutes); i++) {
1940 const auto& td = kDirectlyConnectedRoutes[i];
1941 status = mNetd->networkRemoveRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
1942 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
1943 }
1944
1945 // Set default network back
1946 status = mNetd->networkSetDefault(mStoredDefaultNetwork);
1947
1948 // Remove test physical network
1949 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
1950 }
1951
1952 namespace {
1953
getIpfwdV4Enable()1954 bool getIpfwdV4Enable() {
1955 static const char ipv4IpfwdCmd[] = "cat /proc/sys/net/ipv4/ip_forward";
1956 std::vector<std::string> result = runCommand(ipv4IpfwdCmd);
1957 EXPECT_TRUE(!result.empty());
1958 int v4Enable = std::stoi(result[0]);
1959 return v4Enable;
1960 }
1961
getIpfwdV6Enable()1962 bool getIpfwdV6Enable() {
1963 static const char ipv6IpfwdCmd[] = "cat /proc/sys/net/ipv6/conf/all/forwarding";
1964 std::vector<std::string> result = runCommand(ipv6IpfwdCmd);
1965 EXPECT_TRUE(!result.empty());
1966 int v6Enable = std::stoi(result[0]);
1967 return v6Enable;
1968 }
1969
expectIpfwdEnable(bool enable)1970 void expectIpfwdEnable(bool enable) {
1971 int enableIPv4 = getIpfwdV4Enable();
1972 int enableIPv6 = getIpfwdV6Enable();
1973 EXPECT_EQ(enable, enableIPv4);
1974 EXPECT_EQ(enable, enableIPv6);
1975 }
1976
ipRuleIpfwdExists(const char * ipVersion,const std::string & ipfwdRule)1977 bool ipRuleIpfwdExists(const char* ipVersion, const std::string& ipfwdRule) {
1978 std::vector<std::string> rules = listIpRules(ipVersion);
1979 for (const auto& rule : rules) {
1980 if (rule.find(ipfwdRule) != std::string::npos) {
1981 return true;
1982 }
1983 }
1984 return false;
1985 }
1986
expectIpfwdRuleExists(const char * fromIf,const char * toIf)1987 void expectIpfwdRuleExists(const char* fromIf, const char* toIf) {
1988 std::string ipfwdRule =
1989 StringPrintf("%u:\tfrom all iif %s lookup %s", RULE_PRIORITY_TETHERING, fromIf, toIf);
1990
1991 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
1992 EXPECT_TRUE(ipRuleIpfwdExists(ipVersion, ipfwdRule));
1993 }
1994 }
1995
expectIpfwdRuleNotExists(const char * fromIf,const char * toIf)1996 void expectIpfwdRuleNotExists(const char* fromIf, const char* toIf) {
1997 std::string ipfwdRule =
1998 StringPrintf("%u:\tfrom all iif %s lookup %s", RULE_PRIORITY_TETHERING, fromIf, toIf);
1999
2000 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
2001 EXPECT_FALSE(ipRuleIpfwdExists(ipVersion, ipfwdRule));
2002 }
2003 }
2004
2005 } // namespace
2006
TEST_F(NetdBinderTest,TestIpfwdEnableDisableStatusForwarding)2007 TEST_F(NetdBinderTest, TestIpfwdEnableDisableStatusForwarding) {
2008 // Get ipfwd requester list from Netd
2009 std::vector<std::string> requesterList;
2010 binder::Status status = mNetd->ipfwdGetRequesterList(&requesterList);
2011 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2012
2013 bool ipfwdEnabled;
2014 if (requesterList.size() == 0) {
2015 // No requester in Netd, ipfwd should be disabled
2016 // So add one test requester and verify
2017 status = mNetd->ipfwdEnableForwarding("TestRequester");
2018 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2019
2020 expectIpfwdEnable(true);
2021 status = mNetd->ipfwdEnabled(&ipfwdEnabled);
2022 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2023 EXPECT_TRUE(ipfwdEnabled);
2024
2025 // Remove test one, verify again
2026 status = mNetd->ipfwdDisableForwarding("TestRequester");
2027 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2028
2029 expectIpfwdEnable(false);
2030 status = mNetd->ipfwdEnabled(&ipfwdEnabled);
2031 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2032 EXPECT_FALSE(ipfwdEnabled);
2033 } else {
2034 // Disable all requesters
2035 for (const auto& requester : requesterList) {
2036 status = mNetd->ipfwdDisableForwarding(requester);
2037 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2038 }
2039
2040 // After disable all requester, ipfwd should be disabled
2041 expectIpfwdEnable(false);
2042 status = mNetd->ipfwdEnabled(&ipfwdEnabled);
2043 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2044 EXPECT_FALSE(ipfwdEnabled);
2045
2046 // Enable them back
2047 for (const auto& requester : requesterList) {
2048 status = mNetd->ipfwdEnableForwarding(requester);
2049 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2050 }
2051
2052 // ipfwd should be enabled
2053 expectIpfwdEnable(true);
2054 status = mNetd->ipfwdEnabled(&ipfwdEnabled);
2055 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2056 EXPECT_TRUE(ipfwdEnabled);
2057 }
2058 }
2059
TEST_F(NetdBinderTest,TestIpfwdAddRemoveInterfaceForward)2060 TEST_F(NetdBinderTest, TestIpfwdAddRemoveInterfaceForward) {
2061 // Add test physical network
2062 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2063 INetd::PERMISSION_NONE, false, false);
2064 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2065 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2066
2067 config.netId = TEST_NETID2;
2068 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2069 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID2, sTun2.name()).isOk());
2070
2071 binder::Status status = mNetd->ipfwdAddInterfaceForward(sTun.name(), sTun2.name());
2072 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2073 expectIpfwdRuleExists(sTun.name().c_str(), sTun2.name().c_str());
2074
2075 status = mNetd->ipfwdRemoveInterfaceForward(sTun.name(), sTun2.name());
2076 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2077 expectIpfwdRuleNotExists(sTun.name().c_str(), sTun2.name().c_str());
2078 }
2079
2080 namespace {
2081
2082 constexpr char BANDWIDTH_INPUT[] = "bw_INPUT";
2083 constexpr char BANDWIDTH_OUTPUT[] = "bw_OUTPUT";
2084 constexpr char BANDWIDTH_FORWARD[] = "bw_FORWARD";
2085 constexpr char BANDWIDTH_NAUGHTY[] = "bw_penalty_box";
2086 constexpr char BANDWIDTH_ALERT[] = "bw_global_alert";
2087
2088 // TODO: Move iptablesTargetsExists and listIptablesRuleByTable to the top.
2089 // Use either a std::vector<std::string> of things to match, or a variadic function.
iptablesTargetsExists(const char * binary,int expectedCount,const char * table,const char * chainName,const std::string & expectedTargetA,const std::string & expectedTargetB)2090 bool iptablesTargetsExists(const char* binary, int expectedCount, const char* table,
2091 const char* chainName, const std::string& expectedTargetA,
2092 const std::string& expectedTargetB) {
2093 std::vector<std::string> rules = listIptablesRuleByTable(binary, table, chainName);
2094 int matchCount = 0;
2095
2096 for (const auto& rule : rules) {
2097 if (rule.find(expectedTargetA) != std::string::npos) {
2098 if (rule.find(expectedTargetB) != std::string::npos) {
2099 matchCount++;
2100 }
2101 }
2102 }
2103 return matchCount == expectedCount;
2104 }
2105
expectXtQuotaValueEqual(const char * ifname,long quotaBytes)2106 void expectXtQuotaValueEqual(const char* ifname, long quotaBytes) {
2107 std::string path = StringPrintf("/proc/net/xt_quota/%s", ifname);
2108 std::string result = "";
2109
2110 EXPECT_TRUE(ReadFileToString(path, &result));
2111 // Quota value might be decreased while matching packets
2112 EXPECT_GE(quotaBytes, std::stol(Trim(result)));
2113 }
2114
expectBandwidthInterfaceQuotaRuleExists(const char * ifname,long quotaBytes)2115 void expectBandwidthInterfaceQuotaRuleExists(const char* ifname, long quotaBytes) {
2116 std::string BANDWIDTH_COSTLY_IF = StringPrintf("bw_costly_%s", ifname);
2117 std::string quotaRule = StringPrintf("quota %s", ifname);
2118
2119 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2120 EXPECT_TRUE(iptablesTargetsExists(binary, 1, FILTER_TABLE, BANDWIDTH_INPUT, ifname,
2121 BANDWIDTH_COSTLY_IF));
2122 EXPECT_TRUE(iptablesTargetsExists(binary, 1, FILTER_TABLE, BANDWIDTH_OUTPUT, ifname,
2123 BANDWIDTH_COSTLY_IF));
2124 EXPECT_TRUE(iptablesTargetsExists(binary, 2, FILTER_TABLE, BANDWIDTH_FORWARD, ifname,
2125 BANDWIDTH_COSTLY_IF));
2126 EXPECT_TRUE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), BANDWIDTH_NAUGHTY));
2127 EXPECT_TRUE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), quotaRule));
2128 }
2129 expectXtQuotaValueEqual(ifname, quotaBytes);
2130 }
2131
expectBandwidthInterfaceQuotaRuleDoesNotExist(const char * ifname)2132 void expectBandwidthInterfaceQuotaRuleDoesNotExist(const char* ifname) {
2133 std::string BANDWIDTH_COSTLY_IF = StringPrintf("bw_costly_%s", ifname);
2134 std::string quotaRule = StringPrintf("quota %s", ifname);
2135
2136 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2137 EXPECT_FALSE(iptablesTargetsExists(binary, 1, FILTER_TABLE, BANDWIDTH_INPUT, ifname,
2138 BANDWIDTH_COSTLY_IF));
2139 EXPECT_FALSE(iptablesTargetsExists(binary, 1, FILTER_TABLE, BANDWIDTH_OUTPUT, ifname,
2140 BANDWIDTH_COSTLY_IF));
2141 EXPECT_FALSE(iptablesTargetsExists(binary, 2, FILTER_TABLE, BANDWIDTH_FORWARD, ifname,
2142 BANDWIDTH_COSTLY_IF));
2143 EXPECT_FALSE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), BANDWIDTH_NAUGHTY));
2144 EXPECT_FALSE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), quotaRule));
2145 }
2146 }
2147
expectBandwidthInterfaceAlertRuleExists(const char * ifname,long alertBytes)2148 void expectBandwidthInterfaceAlertRuleExists(const char* ifname, long alertBytes) {
2149 std::string BANDWIDTH_COSTLY_IF = StringPrintf("bw_costly_%s", ifname);
2150 std::string alertRule = StringPrintf("quota %sAlert", ifname);
2151 std::string alertName = StringPrintf("%sAlert", ifname);
2152
2153 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2154 EXPECT_TRUE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), alertRule));
2155 }
2156 expectXtQuotaValueEqual(alertName.c_str(), alertBytes);
2157 }
2158
expectBandwidthInterfaceAlertRuleDoesNotExist(const char * ifname)2159 void expectBandwidthInterfaceAlertRuleDoesNotExist(const char* ifname) {
2160 std::string BANDWIDTH_COSTLY_IF = StringPrintf("bw_costly_%s", ifname);
2161 std::string alertRule = StringPrintf("quota %sAlert", ifname);
2162
2163 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2164 EXPECT_FALSE(iptablesRuleExists(binary, BANDWIDTH_COSTLY_IF.c_str(), alertRule));
2165 }
2166 }
2167
expectBandwidthGlobalAlertRuleExists(long alertBytes)2168 void expectBandwidthGlobalAlertRuleExists(long alertBytes) {
2169 static const char globalAlertRule[] = "quota globalAlert";
2170 static const char globalAlertName[] = "globalAlert";
2171
2172 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2173 EXPECT_TRUE(iptablesRuleExists(binary, BANDWIDTH_ALERT, globalAlertRule));
2174 }
2175 expectXtQuotaValueEqual(globalAlertName, alertBytes);
2176 }
2177
2178 } // namespace
2179
TEST_F(NetdBinderTest,BandwidthSetRemoveInterfaceQuota)2180 TEST_F(NetdBinderTest, BandwidthSetRemoveInterfaceQuota) {
2181 long testQuotaBytes = 5550;
2182
2183 // Add test physical network
2184 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2185 INetd::PERMISSION_NONE, false, false);
2186 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2187 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2188
2189 binder::Status status = mNetd->bandwidthSetInterfaceQuota(sTun.name(), testQuotaBytes);
2190 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2191 expectBandwidthInterfaceQuotaRuleExists(sTun.name().c_str(), testQuotaBytes);
2192
2193 status = mNetd->bandwidthRemoveInterfaceQuota(sTun.name());
2194 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2195 expectBandwidthInterfaceQuotaRuleDoesNotExist(sTun.name().c_str());
2196
2197 // Remove test physical network
2198 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
2199 }
2200
TEST_F(NetdBinderTest,BandwidthSetRemoveInterfaceAlert)2201 TEST_F(NetdBinderTest, BandwidthSetRemoveInterfaceAlert) {
2202 long testAlertBytes = 373;
2203 // Add test physical network
2204 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2205 INetd::PERMISSION_NONE, false, false);
2206 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2207 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2208 // Need to have a prior interface quota set to set an alert
2209 binder::Status status = mNetd->bandwidthSetInterfaceQuota(sTun.name(), testAlertBytes);
2210 status = mNetd->bandwidthSetInterfaceAlert(sTun.name(), testAlertBytes);
2211 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2212 expectBandwidthInterfaceAlertRuleExists(sTun.name().c_str(), testAlertBytes);
2213
2214 status = mNetd->bandwidthRemoveInterfaceAlert(sTun.name());
2215 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2216 expectBandwidthInterfaceAlertRuleDoesNotExist(sTun.name().c_str());
2217
2218 // Remove interface quota
2219 status = mNetd->bandwidthRemoveInterfaceQuota(sTun.name());
2220 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2221 expectBandwidthInterfaceQuotaRuleDoesNotExist(sTun.name().c_str());
2222
2223 // Remove test physical network
2224 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
2225 }
2226
TEST_F(NetdBinderTest,BandwidthSetGlobalAlert)2227 TEST_F(NetdBinderTest, BandwidthSetGlobalAlert) {
2228 int64_t testAlertBytes = 2097200;
2229
2230 binder::Status status = mNetd->bandwidthSetGlobalAlert(testAlertBytes);
2231 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2232 expectBandwidthGlobalAlertRuleExists(testAlertBytes);
2233
2234 testAlertBytes = 2098230;
2235 status = mNetd->bandwidthSetGlobalAlert(testAlertBytes);
2236 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2237 expectBandwidthGlobalAlertRuleExists(testAlertBytes);
2238 }
2239
TEST_F(NetdBinderTest,NetworkAddRemoveRouteUserPermission)2240 TEST_F(NetdBinderTest, NetworkAddRemoveRouteUserPermission) {
2241 static const struct {
2242 const char* ipVersion;
2243 const char* testDest;
2244 const char* testNextHop;
2245 const bool expectSuccess;
2246 } kTestData[] = {
2247 {IP_RULE_V4, "0.0.0.0/0", "", true},
2248 {IP_RULE_V4, "0.0.0.0/0", "10.251.10.0", true},
2249 {IP_RULE_V4, "10.251.0.0/16", "", true},
2250 {IP_RULE_V4, "10.251.0.0/16", "10.251.10.0", true},
2251 {IP_RULE_V4, "10.251.0.0/16", "fe80::/64", false},
2252 {IP_RULE_V6, "::/0", "", true},
2253 {IP_RULE_V6, "::/0", "2001:db8::", true},
2254 {IP_RULE_V6, "2001:db8:cafe::/64", "2001:db8::", true},
2255 {IP_RULE_V4, "fe80::/64", "0.0.0.0", false},
2256 {IP_RULE_V4, "10.251.10.2/31", "throw", true},
2257 {IP_RULE_V4, "10.251.10.2/31", "unreachable", true},
2258 {IP_RULE_V4, "0.0.0.0/0", "throw", true},
2259 {IP_RULE_V4, "0.0.0.0/0", "unreachable", true},
2260 {IP_RULE_V6, "::/0", "throw", true},
2261 {IP_RULE_V6, "::/0", "unreachable", true},
2262 {IP_RULE_V6, "2001:db8:cafe::/64", "throw", true},
2263 {IP_RULE_V6, "2001:db8:cafe::/64", "unreachable", true},
2264 };
2265
2266 static const struct {
2267 const char* ipVersion;
2268 const char* testDest;
2269 const char* testNextHop;
2270 } kTestDataWithNextHop[] = {
2271 {IP_RULE_V4, "10.251.10.0/30", ""},
2272 {IP_RULE_V6, "2001:db8::/32", ""},
2273 };
2274
2275 static const char testTableLegacySystem[] = "legacy_system";
2276 static const char testTableLegacyNetwork[] = "legacy_network";
2277 const int testUid = randomUid();
2278 const std::vector<int32_t> testUids = {testUid};
2279
2280 // Add test physical network
2281 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2282 INetd::PERMISSION_NONE, false, false);
2283 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2284 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2285
2286 // Setup route for testing nextHop
2287 for (size_t i = 0; i < std::size(kTestDataWithNextHop); i++) {
2288 const auto& td = kTestDataWithNextHop[i];
2289
2290 // All route for test tun will disappear once the tun interface is deleted.
2291 binder::Status status =
2292 mNetd->networkAddRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
2293 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2294 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2295 sTun.name().c_str());
2296
2297 // Add system permission for test uid, setup route in legacy system table.
2298 EXPECT_TRUE(mNetd->networkSetPermissionForUser(INetd::PERMISSION_SYSTEM, testUids).isOk());
2299
2300 status = mNetd->networkAddLegacyRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop,
2301 testUid);
2302 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2303 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2304 testTableLegacySystem);
2305
2306 // Remove system permission for test uid, setup route in legacy network table.
2307 EXPECT_TRUE(mNetd->networkClearPermissionForUser(testUids).isOk());
2308
2309 status = mNetd->networkAddLegacyRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop,
2310 testUid);
2311 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2312 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2313 testTableLegacyNetwork);
2314 }
2315
2316 for (size_t i = 0; i < std::size(kTestData); i++) {
2317 const auto& td = kTestData[i];
2318
2319 binder::Status status =
2320 mNetd->networkAddRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
2321 if (td.expectSuccess) {
2322 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2323 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2324 sTun.name().c_str());
2325 } else {
2326 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2327 EXPECT_NE(0, status.serviceSpecificErrorCode());
2328 }
2329
2330 status = mNetd->networkRemoveRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop);
2331 if (td.expectSuccess) {
2332 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2333 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2334 sTun.name().c_str());
2335 } else {
2336 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2337 EXPECT_NE(0, status.serviceSpecificErrorCode());
2338 }
2339
2340 // Add system permission for test uid, route will be added into legacy system table.
2341 EXPECT_TRUE(mNetd->networkSetPermissionForUser(INetd::PERMISSION_SYSTEM, testUids).isOk());
2342
2343 status = mNetd->networkAddLegacyRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop,
2344 testUid);
2345 if (td.expectSuccess) {
2346 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2347 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2348 testTableLegacySystem);
2349 } else {
2350 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2351 EXPECT_NE(0, status.serviceSpecificErrorCode());
2352 }
2353
2354 status = mNetd->networkRemoveLegacyRoute(TEST_NETID1, sTun.name(), td.testDest,
2355 td.testNextHop, testUid);
2356 if (td.expectSuccess) {
2357 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2358 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2359 testTableLegacySystem);
2360 } else {
2361 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2362 EXPECT_NE(0, status.serviceSpecificErrorCode());
2363 }
2364
2365 // Remove system permission for test uid, route will be added into legacy network table.
2366 EXPECT_TRUE(mNetd->networkClearPermissionForUser(testUids).isOk());
2367
2368 status = mNetd->networkAddLegacyRoute(TEST_NETID1, sTun.name(), td.testDest, td.testNextHop,
2369 testUid);
2370 if (td.expectSuccess) {
2371 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2372 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2373 testTableLegacyNetwork);
2374 } else {
2375 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2376 EXPECT_NE(0, status.serviceSpecificErrorCode());
2377 }
2378
2379 status = mNetd->networkRemoveLegacyRoute(TEST_NETID1, sTun.name(), td.testDest,
2380 td.testNextHop, testUid);
2381 if (td.expectSuccess) {
2382 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2383 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2384 testTableLegacyNetwork);
2385 } else {
2386 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2387 EXPECT_NE(0, status.serviceSpecificErrorCode());
2388 }
2389 }
2390
2391 /*
2392 * Test networkUpdateRouteParcel behavior in case of route MTU change.
2393 *
2394 * Change of route MTU should be treated as an update of the route:
2395 * - networkUpdateRouteParcel should succeed and update route MTU.
2396 */
2397 for (size_t i = 0; i < std::size(kTestData); i++) {
2398 const auto& td = kTestData[i];
2399 int mtu = (i % 2) ? 1480 : 1280;
2400
2401 android::net::RouteInfoParcel parcel;
2402 parcel.ifName = sTun.name();
2403 parcel.destination = td.testDest;
2404 parcel.nextHop = td.testNextHop;
2405 parcel.mtu = mtu;
2406 binder::Status status = mNetd->networkAddRouteParcel(TEST_NETID1, parcel);
2407 if (td.expectSuccess) {
2408 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2409 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2410 std::to_string(parcel.mtu), sTun.name().c_str());
2411 } else {
2412 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2413 EXPECT_NE(0, status.serviceSpecificErrorCode());
2414 }
2415
2416 parcel.mtu = 1337;
2417 status = mNetd->networkUpdateRouteParcel(TEST_NETID1, parcel);
2418 if (td.expectSuccess) {
2419 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2420 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2421 std::to_string(parcel.mtu), sTun.name().c_str());
2422 } else {
2423 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2424 EXPECT_NE(0, status.serviceSpecificErrorCode());
2425 }
2426
2427 status = mNetd->networkRemoveRouteParcel(TEST_NETID1, parcel);
2428 if (td.expectSuccess) {
2429 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2430 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2431 sTun.name().c_str());
2432 } else {
2433 EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
2434 EXPECT_NE(0, status.serviceSpecificErrorCode());
2435 }
2436 }
2437
2438 /*
2439 * Test network[Update|Add]RouteParcel behavior in case of route type change.
2440 *
2441 * Change of route type should be treated as an update of the route:
2442 * - networkUpdateRouteParcel should succeed and update route type.
2443 * - networkAddRouteParcel should silently fail, because the route already exists. Route type
2444 * should not be changed in this case.
2445 */
2446 for (size_t i = 0; i < std::size(kTestData); i++) {
2447 const auto& td = kTestData[i];
2448
2449 if (!td.expectSuccess) {
2450 continue;
2451 }
2452
2453 android::net::RouteInfoParcel parcel;
2454 parcel.ifName = sTun.name();
2455 parcel.destination = td.testDest;
2456 parcel.nextHop = td.testNextHop;
2457 parcel.mtu = 1280;
2458 binder::Status status = mNetd->networkAddRouteParcel(TEST_NETID1, parcel);
2459 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2460 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
2461 std::to_string(parcel.mtu), sTun.name().c_str());
2462
2463 parcel.nextHop = parcel.nextHop == "throw" ? "unreachable" : "throw";
2464 const char* oldNextHop = td.testNextHop;
2465 const char* newNextHop = parcel.nextHop.c_str();
2466
2467 // Trying to add same route with changed type, this should silently fail.
2468 status = mNetd->networkAddRouteParcel(TEST_NETID1, parcel);
2469 // No error reported.
2470 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2471 // Old route still exists.
2472 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, oldNextHop,
2473 std::to_string(parcel.mtu), sTun.name().c_str());
2474 // New route was not actually added.
2475 expectNetworkRouteDoesNotExistWithMtu(td.ipVersion, sTun.name(), td.testDest, newNextHop,
2476 std::to_string(parcel.mtu), sTun.name().c_str());
2477
2478 // Update should succeed.
2479 status = mNetd->networkUpdateRouteParcel(TEST_NETID1, parcel);
2480 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2481 expectNetworkRouteExistsWithMtu(td.ipVersion, sTun.name(), td.testDest, newNextHop,
2482 std::to_string(parcel.mtu), sTun.name().c_str());
2483 expectNetworkRouteDoesNotExistWithMtu(td.ipVersion, sTun.name(), td.testDest, oldNextHop,
2484 std::to_string(parcel.mtu), sTun.name().c_str());
2485
2486 status = mNetd->networkRemoveRouteParcel(TEST_NETID1, parcel);
2487 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2488 expectNetworkRouteDoesNotExistWithMtu(td.ipVersion, sTun.name(), td.testDest, newNextHop,
2489 std::to_string(parcel.mtu), sTun.name().c_str());
2490 }
2491
2492 // Remove test physical network
2493 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
2494 }
2495
TEST_F(NetdBinderTest,NetworkPermissionDefault)2496 TEST_F(NetdBinderTest, NetworkPermissionDefault) {
2497 // Add test physical network
2498 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
2499 INetd::PERMISSION_NONE, false, false);
2500 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
2501 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
2502
2503 // Get current default network NetId
2504 binder::Status status = mNetd->networkGetDefault(&mStoredDefaultNetwork);
2505 ASSERT_TRUE(status.isOk()) << status.exceptionMessage();
2506
2507 // Test SetDefault
2508 status = mNetd->networkSetDefault(TEST_NETID1);
2509 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2510 expectNetworkDefaultIpRuleExists(sTun.name().c_str());
2511
2512 status = mNetd->networkClearDefault();
2513 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2514 expectNetworkDefaultIpRuleDoesNotExist();
2515
2516 // Set default network back
2517 status = mNetd->networkSetDefault(mStoredDefaultNetwork);
2518 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2519
2520 // Test SetPermission
2521 status = mNetd->networkSetPermissionForNetwork(TEST_NETID1, INetd::PERMISSION_SYSTEM);
2522 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2523 expectNetworkPermissionIpRuleExists(sTun.name().c_str(), INetd::PERMISSION_SYSTEM);
2524 expectNetworkPermissionIptablesRuleExists(sTun.name().c_str(), INetd::PERMISSION_SYSTEM);
2525
2526 status = mNetd->networkSetPermissionForNetwork(TEST_NETID1, INetd::PERMISSION_NONE);
2527 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2528 expectNetworkPermissionIpRuleExists(sTun.name().c_str(), INetd::PERMISSION_NONE);
2529 expectNetworkPermissionIptablesRuleExists(sTun.name().c_str(), INetd::PERMISSION_NONE);
2530
2531 // Remove test physical network
2532 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
2533 }
2534
TEST_F(NetdBinderTest,NetworkSetProtectAllowDeny)2535 TEST_F(NetdBinderTest, NetworkSetProtectAllowDeny) {
2536 binder::Status status = mNetd->networkSetProtectAllow(TEST_UID1);
2537 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2538 bool ret = false;
2539 status = mNetd->networkCanProtect(TEST_UID1, &ret);
2540 EXPECT_TRUE(ret);
2541
2542 status = mNetd->networkSetProtectDeny(TEST_UID1);
2543 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2544
2545 // Clear uid permission before calling networkCanProtect to ensure
2546 // the call won't be affected by uid permission.
2547 EXPECT_TRUE(mNetd->networkClearPermissionForUser({TEST_UID1}).isOk());
2548
2549 status = mNetd->networkCanProtect(TEST_UID1, &ret);
2550 EXPECT_FALSE(ret);
2551 }
2552
2553 namespace {
2554
readIntFromPath(const std::string & path)2555 int readIntFromPath(const std::string& path) {
2556 std::string result = "";
2557 EXPECT_TRUE(ReadFileToString(path, &result));
2558 return std::stoi(result);
2559 }
2560
getTetherAcceptIPv6Ra(const std::string & ifName)2561 int getTetherAcceptIPv6Ra(const std::string& ifName) {
2562 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/accept_ra", ifName.c_str());
2563 return readIntFromPath(path);
2564 }
2565
getTetherAcceptIPv6Dad(const std::string & ifName)2566 bool getTetherAcceptIPv6Dad(const std::string& ifName) {
2567 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/accept_dad", ifName.c_str());
2568 return readIntFromPath(path);
2569 }
2570
getTetherIPv6DadTransmits(const std::string & ifName)2571 int getTetherIPv6DadTransmits(const std::string& ifName) {
2572 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/dad_transmits", ifName.c_str());
2573 return readIntFromPath(path);
2574 }
2575
getTetherEnableIPv6(const std::string & ifName)2576 bool getTetherEnableIPv6(const std::string& ifName) {
2577 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/disable_ipv6", ifName.c_str());
2578 int disableIPv6 = readIntFromPath(path);
2579 return !disableIPv6;
2580 }
2581
interfaceListContains(const std::vector<std::string> & ifList,const std::string & ifName)2582 bool interfaceListContains(const std::vector<std::string>& ifList, const std::string& ifName) {
2583 for (const auto& iface : ifList) {
2584 if (iface == ifName) {
2585 return true;
2586 }
2587 }
2588 return false;
2589 }
2590
expectTetherInterfaceConfigureForIPv6Router(const std::string & ifName)2591 void expectTetherInterfaceConfigureForIPv6Router(const std::string& ifName) {
2592 EXPECT_EQ(getTetherAcceptIPv6Ra(ifName), 0);
2593 EXPECT_FALSE(getTetherAcceptIPv6Dad(ifName));
2594 EXPECT_EQ(getTetherIPv6DadTransmits(ifName), 0);
2595 EXPECT_TRUE(getTetherEnableIPv6(ifName));
2596 }
2597
expectTetherInterfaceConfigureForIPv6Client(const std::string & ifName)2598 void expectTetherInterfaceConfigureForIPv6Client(const std::string& ifName) {
2599 EXPECT_EQ(getTetherAcceptIPv6Ra(ifName), 2);
2600 EXPECT_TRUE(getTetherAcceptIPv6Dad(ifName));
2601 EXPECT_EQ(getTetherIPv6DadTransmits(ifName), 1);
2602 EXPECT_FALSE(getTetherEnableIPv6(ifName));
2603 }
2604
expectTetherInterfaceExists(const std::vector<std::string> & ifList,const std::string & ifName)2605 void expectTetherInterfaceExists(const std::vector<std::string>& ifList,
2606 const std::string& ifName) {
2607 EXPECT_TRUE(interfaceListContains(ifList, ifName));
2608 }
2609
expectTetherInterfaceNotExists(const std::vector<std::string> & ifList,const std::string & ifName)2610 void expectTetherInterfaceNotExists(const std::vector<std::string>& ifList,
2611 const std::string& ifName) {
2612 EXPECT_FALSE(interfaceListContains(ifList, ifName));
2613 }
2614
expectTetherDnsListEquals(const std::vector<std::string> & dnsList,const std::vector<std::string> & testDnsAddrs)2615 void expectTetherDnsListEquals(const std::vector<std::string>& dnsList,
2616 const std::vector<std::string>& testDnsAddrs) {
2617 EXPECT_TRUE(dnsList == testDnsAddrs);
2618 }
2619
2620 } // namespace
2621
TEST_F(NetdBinderTest,TetherStartStopStatus)2622 TEST_F(NetdBinderTest, TetherStartStopStatus) {
2623 std::vector<std::string> noDhcpRange = {};
2624 for (bool usingLegacyDnsProxy : {true, false}) {
2625 android::net::TetherConfigParcel config;
2626 config.usingLegacyDnsProxy = usingLegacyDnsProxy;
2627 config.dhcpRanges = noDhcpRange;
2628 binder::Status status = mNetd->tetherStartWithConfiguration(config);
2629 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2630 SCOPED_TRACE(StringPrintf("usingLegacyDnsProxy: %d", usingLegacyDnsProxy));
2631 if (usingLegacyDnsProxy == true) {
2632 expectProcessExists(DNSMASQ);
2633 } else {
2634 expectProcessDoesNotExist(DNSMASQ);
2635 }
2636
2637 bool tetherEnabled;
2638 status = mNetd->tetherIsEnabled(&tetherEnabled);
2639 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2640 EXPECT_TRUE(tetherEnabled);
2641
2642 status = mNetd->tetherStop();
2643 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2644 expectProcessDoesNotExist(DNSMASQ);
2645
2646 status = mNetd->tetherIsEnabled(&tetherEnabled);
2647 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2648 EXPECT_FALSE(tetherEnabled);
2649 }
2650 }
2651
TEST_F(NetdBinderTest,TetherInterfaceAddRemoveList)2652 TEST_F(NetdBinderTest, TetherInterfaceAddRemoveList) {
2653 // TODO: verify if dnsmasq update interface successfully
2654
2655 binder::Status status = mNetd->tetherInterfaceAdd(sTun.name());
2656 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2657 expectTetherInterfaceConfigureForIPv6Router(sTun.name());
2658
2659 std::vector<std::string> ifList;
2660 status = mNetd->tetherInterfaceList(&ifList);
2661 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2662 expectTetherInterfaceExists(ifList, sTun.name());
2663
2664 status = mNetd->tetherInterfaceRemove(sTun.name());
2665 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2666 expectTetherInterfaceConfigureForIPv6Client(sTun.name());
2667
2668 status = mNetd->tetherInterfaceList(&ifList);
2669 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2670 expectTetherInterfaceNotExists(ifList, sTun.name());
2671
2672 // Disable IPv6 tethering will disable IPv6 abilities by changing IPv6 settings(accept_ra,
2673 // dad_transmits, accept_dad, disable_ipv6). See tetherInterfaceRemove in details.
2674 // Re-init sTun to reset the interface to prevent affecting other test that requires IPv6 with
2675 // the same interface.
2676 sTun.destroy();
2677 sTun.init();
2678 }
2679
TEST_F(NetdBinderTest,TetherDnsSetList)2680 TEST_F(NetdBinderTest, TetherDnsSetList) {
2681 // TODO: verify if dnsmasq update dns successfully
2682 std::vector<std::string> testDnsAddrs = {"192.168.1.37", "213.137.100.3",
2683 "fe80::1%" + sTun.name()};
2684
2685 binder::Status status = mNetd->tetherDnsSet(TEST_NETID1, testDnsAddrs);
2686 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2687
2688 std::vector<std::string> dnsList;
2689 status = mNetd->tetherDnsList(&dnsList);
2690 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2691 expectTetherDnsListEquals(dnsList, testDnsAddrs);
2692 }
2693
2694 namespace {
2695
findDnsSockets(SockDiag * sd,unsigned numExpected)2696 std::vector<IPAddress> findDnsSockets(SockDiag* sd, unsigned numExpected) {
2697 std::vector<IPAddress> listenAddrs;
2698
2699 // Callback lambda that finds all IPv4 sockets with source port 53.
2700 auto findDnsSockets = [&](uint8_t /* proto */, const inet_diag_msg* msg) {
2701 // Always return false, which means do not destroy this socket.
2702 if (msg->id.idiag_sport != htons(53)) return false;
2703 IPAddress addr(*(in_addr*)msg->id.idiag_src);
2704 listenAddrs.push_back(addr);
2705 return false;
2706 };
2707
2708 // There is no way to know if dnsmasq has finished processing the update_interfaces command and
2709 // opened listening sockets. So, just spin a few times and return the first list of sockets
2710 // that is at least numExpected long.
2711 // Pick a relatively large timeout to avoid flaky tests, particularly when running on shared
2712 // devices.
2713 constexpr int kMaxAttempts = 50;
2714 constexpr int kSleepMs = 100;
2715 for (int i = 0; i < kMaxAttempts; i++) {
2716 listenAddrs.clear();
2717 EXPECT_EQ(0, sd->sendDumpRequest(IPPROTO_TCP, AF_INET, 1 << TCP_LISTEN))
2718 << "Failed to dump sockets, attempt " << i << " of " << kMaxAttempts;
2719 sd->readDiagMsg(IPPROTO_TCP, findDnsSockets);
2720 if (listenAddrs.size() >= numExpected) {
2721 break;
2722 }
2723 usleep(kSleepMs * 1000);
2724 }
2725
2726 return listenAddrs;
2727 }
2728
2729 } // namespace
2730
2731 // Checks that when starting dnsmasq on an interface that no longer exists, it doesn't attempt to
2732 // start on other interfaces instead.
TEST_F(NetdBinderTest,TetherDeletedInterface)2733 TEST_F(NetdBinderTest, TetherDeletedInterface) {
2734 // Do this first so we don't need to clean up anything else if it fails.
2735 SockDiag sd;
2736 ASSERT_TRUE(sd.open()) << "Failed to open SOCK_DIAG socket";
2737
2738 // Create our own TunInterfaces (so we can delete them without affecting other tests), and add
2739 // IP addresses to them. They must be IPv4 because tethering an interface disables and
2740 // re-enables IPv6 on the interface, which clears all addresses.
2741 TunInterface tun1, tun2;
2742 ASSERT_EQ(0, tun1.init());
2743 ASSERT_EQ(0, tun2.init());
2744
2745 // Clean up. It is safe to call TunInterface::destroy multiple times.
2746 auto guard = android::base::make_scope_guard([&] {
2747 tun1.destroy();
2748 tun2.destroy();
2749 mNetd->tetherStop();
2750 mNetd->tetherInterfaceRemove(tun1.name());
2751 mNetd->tetherInterfaceRemove(tun2.name());
2752 });
2753
2754 IPAddress addr1, addr2;
2755 ASSERT_TRUE(IPAddress::forString("192.0.2.1", &addr1));
2756 ASSERT_TRUE(IPAddress::forString("192.0.2.2", &addr2));
2757 EXPECT_EQ(0, tun1.addAddress(addr1.toString(), 32));
2758 EXPECT_EQ(0, tun2.addAddress(addr2.toString(), 32));
2759
2760 // Stop tethering.
2761 binder::Status status = mNetd->tetherStop();
2762 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2763
2764 // Start dnsmasq on an interface that doesn't exist.
2765 // First, tether our tun interface...
2766 status = mNetd->tetherInterfaceAdd(tun1.name());
2767 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2768 expectTetherInterfaceConfigureForIPv6Router(tun1.name());
2769
2770 // ... then delete it...
2771 tun1.destroy();
2772
2773 // ... then start dnsmasq.
2774 android::net::TetherConfigParcel config;
2775 config.usingLegacyDnsProxy = true;
2776 config.dhcpRanges = {};
2777 status = mNetd->tetherStartWithConfiguration(config);
2778 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2779
2780 // Wait for dnsmasq to start.
2781 expectProcessExists(DNSMASQ);
2782
2783 // Make sure that netd thinks the interface is tethered (even though it doesn't exist).
2784 std::vector<std::string> ifList;
2785 status = mNetd->tetherInterfaceList(&ifList);
2786 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2787 ASSERT_EQ(1U, ifList.size());
2788 EXPECT_EQ(tun1.name(), ifList[0]);
2789
2790 // Give dnsmasq some time to start up.
2791 usleep(200 * 1000);
2792
2793 // Check that dnsmasq is not listening on any IP addresses. It shouldn't, because it was only
2794 // told to run on tun1, and tun1 does not exist. Ensure it stays running and doesn't listen on
2795 // any IP addresses.
2796 std::vector<IPAddress> listenAddrs = findDnsSockets(&sd, 0);
2797 EXPECT_EQ(0U, listenAddrs.size()) << "Unexpectedly found IPv4 socket(s) listening on port 53";
2798
2799 // Now add an interface to dnsmasq and check that we can see the sockets. This confirms that
2800 // findDnsSockets is actually able to see sockets when they exist.
2801 status = mNetd->tetherInterfaceAdd(tun2.name());
2802 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2803
2804 in_addr loopback = {htonl(INADDR_LOOPBACK)};
2805 listenAddrs = findDnsSockets(&sd, 2);
2806 EXPECT_EQ(2U, listenAddrs.size()) << "Expected exactly 2 IPv4 sockets listening on port 53";
2807 EXPECT_EQ(1, std::count(listenAddrs.begin(), listenAddrs.end(), addr2));
2808 EXPECT_EQ(1, std::count(listenAddrs.begin(), listenAddrs.end(), IPAddress(loopback)));
2809
2810 // Clean up.
2811 status = mNetd->tetherStop();
2812 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2813
2814 expectProcessDoesNotExist(DNSMASQ);
2815
2816 status = mNetd->tetherInterfaceRemove(tun1.name());
2817 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2818
2819 status = mNetd->tetherInterfaceRemove(tun2.name());
2820 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2821 }
2822
2823 namespace {
2824
2825 constexpr char FIREWALL_INPUT[] = "fw_INPUT";
2826 constexpr char FIREWALL_OUTPUT[] = "fw_OUTPUT";
2827 constexpr char FIREWALL_FORWARD[] = "fw_FORWARD";
2828
expectFirewallAllowlistMode()2829 void expectFirewallAllowlistMode() {
2830 static const char dropRule[] = "DROP all";
2831 static const char rejectRule[] = "REJECT all";
2832 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2833 EXPECT_TRUE(iptablesRuleExists(binary, FIREWALL_INPUT, dropRule));
2834 EXPECT_TRUE(iptablesRuleExists(binary, FIREWALL_OUTPUT, rejectRule));
2835 EXPECT_TRUE(iptablesRuleExists(binary, FIREWALL_FORWARD, rejectRule));
2836 }
2837 }
2838
expectFirewallDenylistMode()2839 void expectFirewallDenylistMode() {
2840 EXPECT_EQ(2, iptablesRuleLineLength(IPTABLES_PATH, FIREWALL_INPUT));
2841 EXPECT_EQ(2, iptablesRuleLineLength(IPTABLES_PATH, FIREWALL_OUTPUT));
2842 EXPECT_EQ(2, iptablesRuleLineLength(IPTABLES_PATH, FIREWALL_FORWARD));
2843
2844 // for IPv6 there is an extra OUTPUT rule to DROP ::1 sourced packets to non-loopback devices
2845 EXPECT_EQ(2, iptablesRuleLineLength(IP6TABLES_PATH, FIREWALL_INPUT));
2846 EXPECT_EQ(3, iptablesRuleLineLength(IP6TABLES_PATH, FIREWALL_OUTPUT));
2847 EXPECT_EQ(2, iptablesRuleLineLength(IP6TABLES_PATH, FIREWALL_FORWARD));
2848 }
2849
iptablesFirewallInterfaceFirstRuleExists(const char * binary,const char * chainName,const std::string & expectedInterface,const std::string & expectedRule)2850 bool iptablesFirewallInterfaceFirstRuleExists(const char* binary, const char* chainName,
2851 const std::string& expectedInterface,
2852 const std::string& expectedRule) {
2853 std::vector<std::string> rules = listIptablesRuleByTable(binary, FILTER_TABLE, chainName);
2854 // Expected rule:
2855 // Chain fw_INPUT (1 references)
2856 // pkts bytes target prot opt in out source destination
2857 // 0 0 RETURN all -- expectedInterface * 0.0.0.0/0 0.0.0.0/0
2858 // 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
2859 int firstRuleIndex = 2;
2860 if (rules.size() < 4) return false;
2861 if (rules[firstRuleIndex].find(expectedInterface) != std::string::npos) {
2862 if (rules[firstRuleIndex].find(expectedRule) != std::string::npos) {
2863 return true;
2864 }
2865 }
2866 return false;
2867 }
2868
expectFirewallInterfaceRuleAllowExists(const std::string & ifname)2869 void expectFirewallInterfaceRuleAllowExists(const std::string& ifname) {
2870 static const char returnRule[] = "RETURN all";
2871 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2872 EXPECT_TRUE(iptablesFirewallInterfaceFirstRuleExists(binary, FIREWALL_INPUT, ifname,
2873 returnRule));
2874 EXPECT_TRUE(iptablesFirewallInterfaceFirstRuleExists(binary, FIREWALL_OUTPUT, ifname,
2875 returnRule));
2876 }
2877 }
2878
expectFireWallInterfaceRuleAllowDoesNotExist(const std::string & ifname)2879 void expectFireWallInterfaceRuleAllowDoesNotExist(const std::string& ifname) {
2880 static const char returnRule[] = "RETURN all";
2881 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
2882 EXPECT_FALSE(iptablesInterfaceRuleExists(binary, FIREWALL_INPUT, ifname, returnRule,
2883 FILTER_TABLE));
2884 EXPECT_FALSE(iptablesInterfaceRuleExists(binary, FIREWALL_OUTPUT, ifname, returnRule,
2885 FILTER_TABLE));
2886 }
2887 }
2888
2889 } // namespace
2890
TEST_F(NetdBinderTest,FirewallSetFirewallType)2891 TEST_F(NetdBinderTest, FirewallSetFirewallType) {
2892 binder::Status status = mNetd->firewallSetFirewallType(INetd::FIREWALL_ALLOWLIST);
2893 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2894 expectFirewallAllowlistMode();
2895
2896 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2897 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2898 expectFirewallDenylistMode();
2899
2900 // set firewall type blacklist twice
2901 mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2902 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2903 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2904 expectFirewallDenylistMode();
2905
2906 // set firewall type whitelist twice
2907 mNetd->firewallSetFirewallType(INetd::FIREWALL_ALLOWLIST);
2908 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_ALLOWLIST);
2909 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2910 expectFirewallAllowlistMode();
2911
2912 // reset firewall type to default
2913 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2914 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2915 expectFirewallDenylistMode();
2916 }
2917
TEST_F(NetdBinderTest,FirewallSetInterfaceRule)2918 TEST_F(NetdBinderTest, FirewallSetInterfaceRule) {
2919 // setinterfaceRule is not supported in BLACKLIST MODE
2920 binder::Status status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2921 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2922
2923 status = mNetd->firewallSetInterfaceRule(sTun.name(), INetd::FIREWALL_RULE_ALLOW);
2924 EXPECT_FALSE(status.isOk()) << status.exceptionMessage();
2925
2926 // set WHITELIST mode first
2927 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_ALLOWLIST);
2928 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2929
2930 status = mNetd->firewallSetInterfaceRule(sTun.name(), INetd::FIREWALL_RULE_ALLOW);
2931 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2932 expectFirewallInterfaceRuleAllowExists(sTun.name());
2933
2934 status = mNetd->firewallSetInterfaceRule(sTun.name(), INetd::FIREWALL_RULE_DENY);
2935 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2936 expectFireWallInterfaceRuleAllowDoesNotExist(sTun.name());
2937
2938 // reset firewall mode to default
2939 status = mNetd->firewallSetFirewallType(INetd::FIREWALL_DENYLIST);
2940 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
2941 expectFirewallDenylistMode();
2942 }
2943
2944 namespace {
2945
hwAddrToStr(unsigned char * hwaddr)2946 std::string hwAddrToStr(unsigned char* hwaddr) {
2947 return StringPrintf("%02x:%02x:%02x:%02x:%02x:%02x", hwaddr[0], hwaddr[1], hwaddr[2], hwaddr[3],
2948 hwaddr[4], hwaddr[5]);
2949 }
2950
ipv4NetmaskToPrefixLength(in_addr_t mask)2951 int ipv4NetmaskToPrefixLength(in_addr_t mask) {
2952 int prefixLength = 0;
2953 uint32_t m = ntohl(mask);
2954 while (m & (1 << 31)) {
2955 prefixLength++;
2956 m = m << 1;
2957 }
2958 return prefixLength;
2959 }
2960
toStdString(const String16 & s)2961 std::string toStdString(const String16& s) {
2962 return std::string(String8(s.c_str()));
2963 }
2964
ioctlByIfName(const std::string & ifName,unsigned long flag)2965 android::netdutils::StatusOr<ifreq> ioctlByIfName(const std::string& ifName, unsigned long flag) {
2966 const auto& sys = sSyscalls.get();
2967 auto fd = sys.socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
2968 EXPECT_TRUE(isOk(fd.status()));
2969
2970 struct ifreq ifr = {};
2971 strlcpy(ifr.ifr_name, ifName.c_str(), IFNAMSIZ);
2972
2973 return sys.ioctl(fd.value(), flag, &ifr);
2974 }
2975
getInterfaceHwAddr(const std::string & ifName)2976 std::string getInterfaceHwAddr(const std::string& ifName) {
2977 auto res = ioctlByIfName(ifName, SIOCGIFHWADDR);
2978
2979 unsigned char hwaddr[ETH_ALEN] = {};
2980 if (isOk(res.status())) {
2981 memcpy((void*) hwaddr, &res.value().ifr_hwaddr.sa_data, ETH_ALEN);
2982 }
2983
2984 return hwAddrToStr(hwaddr);
2985 }
2986
getInterfaceIPv4Prefix(const std::string & ifName)2987 int getInterfaceIPv4Prefix(const std::string& ifName) {
2988 auto res = ioctlByIfName(ifName, SIOCGIFNETMASK);
2989
2990 int prefixLength = 0;
2991 if (isOk(res.status())) {
2992 prefixLength = ipv4NetmaskToPrefixLength(
2993 ((struct sockaddr_in*) &res.value().ifr_addr)->sin_addr.s_addr);
2994 }
2995
2996 return prefixLength;
2997 }
2998
getInterfaceIPv4Addr(const std::string & ifName)2999 std::string getInterfaceIPv4Addr(const std::string& ifName) {
3000 auto res = ioctlByIfName(ifName, SIOCGIFADDR);
3001
3002 struct in_addr addr = {};
3003 if (isOk(res.status())) {
3004 addr.s_addr = ((struct sockaddr_in*) &res.value().ifr_addr)->sin_addr.s_addr;
3005 }
3006
3007 return std::string(inet_ntoa(addr));
3008 }
3009
getInterfaceFlags(const std::string & ifName)3010 std::vector<std::string> getInterfaceFlags(const std::string& ifName) {
3011 auto res = ioctlByIfName(ifName, SIOCGIFFLAGS);
3012
3013 unsigned flags = 0;
3014 if (isOk(res.status())) {
3015 flags = res.value().ifr_flags;
3016 }
3017
3018 std::vector<std::string> ifFlags;
3019 ifFlags.push_back(flags & IFF_UP ? toStdString(INetd::IF_STATE_UP())
3020 : toStdString(INetd::IF_STATE_DOWN()));
3021
3022 if (flags & IFF_BROADCAST) ifFlags.push_back(toStdString(INetd::IF_FLAG_BROADCAST()));
3023 if (flags & IFF_LOOPBACK) ifFlags.push_back(toStdString(INetd::IF_FLAG_LOOPBACK()));
3024 if (flags & IFF_POINTOPOINT) ifFlags.push_back(toStdString(INetd::IF_FLAG_POINTOPOINT()));
3025 if (flags & IFF_RUNNING) ifFlags.push_back(toStdString(INetd::IF_FLAG_RUNNING()));
3026 if (flags & IFF_MULTICAST) ifFlags.push_back(toStdString(INetd::IF_FLAG_MULTICAST()));
3027
3028 return ifFlags;
3029 }
3030
compareListInterface(const std::vector<std::string> & interfaceList)3031 bool compareListInterface(const std::vector<std::string>& interfaceList) {
3032 const auto& res = getIfaceNames();
3033 EXPECT_TRUE(isOk(res));
3034
3035 std::vector<std::string> resIfList;
3036 resIfList.reserve(res.value().size());
3037 resIfList.insert(end(resIfList), begin(res.value()), end(res.value()));
3038
3039 return resIfList == interfaceList;
3040 }
3041
getInterfaceIPv6PrivacyExtensions(const std::string & ifName)3042 int getInterfaceIPv6PrivacyExtensions(const std::string& ifName) {
3043 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/use_tempaddr", ifName.c_str());
3044 return readIntFromPath(path);
3045 }
3046
getInterfaceEnableIPv6(const std::string & ifName)3047 bool getInterfaceEnableIPv6(const std::string& ifName) {
3048 std::string path = StringPrintf("/proc/sys/net/ipv6/conf/%s/disable_ipv6", ifName.c_str());
3049
3050 int disableIPv6 = readIntFromPath(path);
3051 return !disableIPv6;
3052 }
3053
getInterfaceMtu(const std::string & ifName)3054 int getInterfaceMtu(const std::string& ifName) {
3055 std::string path = StringPrintf("/sys/class/net/%s/mtu", ifName.c_str());
3056 return readIntFromPath(path);
3057 }
3058
expectInterfaceList(const std::vector<std::string> & interfaceList)3059 void expectInterfaceList(const std::vector<std::string>& interfaceList) {
3060 EXPECT_TRUE(compareListInterface(interfaceList));
3061 }
3062
expectCurrentInterfaceConfigurationEquals(const std::string & ifName,const InterfaceConfigurationParcel & interfaceCfg)3063 void expectCurrentInterfaceConfigurationEquals(const std::string& ifName,
3064 const InterfaceConfigurationParcel& interfaceCfg) {
3065 EXPECT_EQ(getInterfaceIPv4Addr(ifName), interfaceCfg.ipv4Addr);
3066 EXPECT_EQ(getInterfaceIPv4Prefix(ifName), interfaceCfg.prefixLength);
3067 EXPECT_EQ(getInterfaceHwAddr(ifName), interfaceCfg.hwAddr);
3068 EXPECT_EQ(getInterfaceFlags(ifName), interfaceCfg.flags);
3069 }
3070
expectCurrentInterfaceConfigurationAlmostEqual(const InterfaceConfigurationParcel & setCfg)3071 void expectCurrentInterfaceConfigurationAlmostEqual(const InterfaceConfigurationParcel& setCfg) {
3072 EXPECT_EQ(getInterfaceIPv4Addr(setCfg.ifName), setCfg.ipv4Addr);
3073 EXPECT_EQ(getInterfaceIPv4Prefix(setCfg.ifName), setCfg.prefixLength);
3074
3075 const auto& ifFlags = getInterfaceFlags(setCfg.ifName);
3076 for (const auto& flag : setCfg.flags) {
3077 EXPECT_TRUE(std::find(ifFlags.begin(), ifFlags.end(), flag) != ifFlags.end());
3078 }
3079 }
3080
expectInterfaceIPv6PrivacyExtensions(const std::string & ifName,bool enable)3081 void expectInterfaceIPv6PrivacyExtensions(const std::string& ifName, bool enable) {
3082 int v6PrivacyExtensions = getInterfaceIPv6PrivacyExtensions(ifName);
3083 EXPECT_EQ(v6PrivacyExtensions, enable ? 2 : 0);
3084 }
3085
expectInterfaceNoAddr(const std::string & ifName)3086 void expectInterfaceNoAddr(const std::string& ifName) {
3087 // noAddr
3088 EXPECT_EQ(getInterfaceIPv4Addr(ifName), "0.0.0.0");
3089 // noPrefix
3090 EXPECT_EQ(getInterfaceIPv4Prefix(ifName), 0);
3091 }
3092
expectInterfaceEnableIPv6(const std::string & ifName,bool enable)3093 void expectInterfaceEnableIPv6(const std::string& ifName, bool enable) {
3094 int enableIPv6 = getInterfaceEnableIPv6(ifName);
3095 EXPECT_EQ(enableIPv6, enable);
3096 }
3097
expectInterfaceMtu(const std::string & ifName,const int mtu)3098 void expectInterfaceMtu(const std::string& ifName, const int mtu) {
3099 int mtuSize = getInterfaceMtu(ifName);
3100 EXPECT_EQ(mtu, mtuSize);
3101 }
3102
makeInterfaceCfgParcel(const std::string & ifName,const std::string & addr,int prefixLength,const std::vector<std::string> & flags)3103 InterfaceConfigurationParcel makeInterfaceCfgParcel(const std::string& ifName,
3104 const std::string& addr, int prefixLength,
3105 const std::vector<std::string>& flags) {
3106 InterfaceConfigurationParcel cfg;
3107 cfg.ifName = ifName;
3108 cfg.hwAddr = "";
3109 cfg.ipv4Addr = addr;
3110 cfg.prefixLength = prefixLength;
3111 cfg.flags = flags;
3112 return cfg;
3113 }
3114
expectTunFlags(const InterfaceConfigurationParcel & interfaceCfg)3115 void expectTunFlags(const InterfaceConfigurationParcel& interfaceCfg) {
3116 std::vector<std::string> expectedFlags = {"up", "point-to-point", "running", "multicast"};
3117 std::vector<std::string> unexpectedFlags = {"down", "broadcast"};
3118
3119 for (const auto& flag : expectedFlags) {
3120 EXPECT_TRUE(std::find(interfaceCfg.flags.begin(), interfaceCfg.flags.end(), flag) !=
3121 interfaceCfg.flags.end());
3122 }
3123
3124 for (const auto& flag : unexpectedFlags) {
3125 EXPECT_TRUE(std::find(interfaceCfg.flags.begin(), interfaceCfg.flags.end(), flag) ==
3126 interfaceCfg.flags.end());
3127 }
3128 }
3129
3130 } // namespace
3131
TEST_F(NetdBinderTest,InterfaceList)3132 TEST_F(NetdBinderTest, InterfaceList) {
3133 std::vector<std::string> interfaceListResult;
3134
3135 binder::Status status = mNetd->interfaceGetList(&interfaceListResult);
3136 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3137 expectInterfaceList(interfaceListResult);
3138 }
3139
TEST_F(NetdBinderTest,InterfaceGetCfg)3140 TEST_F(NetdBinderTest, InterfaceGetCfg) {
3141 InterfaceConfigurationParcel interfaceCfgResult;
3142
3143 // Add test physical network
3144 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3145 INetd::PERMISSION_NONE, false, false);
3146 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3147 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3148
3149 binder::Status status = mNetd->interfaceGetCfg(sTun.name(), &interfaceCfgResult);
3150 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3151 expectCurrentInterfaceConfigurationEquals(sTun.name(), interfaceCfgResult);
3152 expectTunFlags(interfaceCfgResult);
3153
3154 // Remove test physical network
3155 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3156 }
3157
TEST_F(NetdBinderTest,InterfaceSetCfg)3158 TEST_F(NetdBinderTest, InterfaceSetCfg) {
3159 const std::string testAddr = "192.0.2.3";
3160 const int testPrefixLength = 24;
3161 std::vector<std::string> upFlags = {"up"};
3162 std::vector<std::string> downFlags = {"down"};
3163
3164 // Add test physical network
3165 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3166 INetd::PERMISSION_NONE, false, false);
3167 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3168 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3169
3170 // Set tun interface down.
3171 auto interfaceCfg = makeInterfaceCfgParcel(sTun.name(), testAddr, testPrefixLength, downFlags);
3172 binder::Status status = mNetd->interfaceSetCfg(interfaceCfg);
3173 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3174 expectCurrentInterfaceConfigurationAlmostEqual(interfaceCfg);
3175
3176 // Set tun interface up again.
3177 interfaceCfg = makeInterfaceCfgParcel(sTun.name(), testAddr, testPrefixLength, upFlags);
3178 status = mNetd->interfaceSetCfg(interfaceCfg);
3179 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3180 status = mNetd->interfaceClearAddrs(sTun.name());
3181 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3182
3183 // Remove test physical network
3184 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3185 }
3186
TEST_F(NetdBinderTest,InterfaceSetIPv6PrivacyExtensions)3187 TEST_F(NetdBinderTest, InterfaceSetIPv6PrivacyExtensions) {
3188 // enable
3189 binder::Status status = mNetd->interfaceSetIPv6PrivacyExtensions(sTun.name(), true);
3190 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3191 expectInterfaceIPv6PrivacyExtensions(sTun.name(), true);
3192
3193 // disable
3194 status = mNetd->interfaceSetIPv6PrivacyExtensions(sTun.name(), false);
3195 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3196 expectInterfaceIPv6PrivacyExtensions(sTun.name(), false);
3197 }
3198
TEST_F(NetdBinderTest,InterfaceClearAddr)3199 TEST_F(NetdBinderTest, InterfaceClearAddr) {
3200 const std::string testAddr = "192.0.2.3";
3201 const int testPrefixLength = 24;
3202 std::vector<std::string> noFlags{};
3203
3204 // Add test physical network
3205 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3206 INetd::PERMISSION_NONE, false, false);
3207 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3208 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3209
3210 auto interfaceCfg = makeInterfaceCfgParcel(sTun.name(), testAddr, testPrefixLength, noFlags);
3211 binder::Status status = mNetd->interfaceSetCfg(interfaceCfg);
3212 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3213 expectCurrentInterfaceConfigurationAlmostEqual(interfaceCfg);
3214
3215 status = mNetd->interfaceClearAddrs(sTun.name());
3216 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3217 expectInterfaceNoAddr(sTun.name());
3218
3219 // Remove test physical network
3220 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3221 }
3222
TEST_F(NetdBinderTest,InterfaceSetEnableIPv6)3223 TEST_F(NetdBinderTest, InterfaceSetEnableIPv6) {
3224 // Add test physical network
3225 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3226 INetd::PERMISSION_NONE, false, false);
3227 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3228 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3229
3230 // disable
3231 binder::Status status = mNetd->interfaceSetEnableIPv6(sTun.name(), false);
3232 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3233 expectInterfaceEnableIPv6(sTun.name(), false);
3234
3235 // enable
3236 status = mNetd->interfaceSetEnableIPv6(sTun.name(), true);
3237 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3238 expectInterfaceEnableIPv6(sTun.name(), true);
3239
3240 // Remove test physical network
3241 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3242 }
3243
TEST_F(NetdBinderTest,InterfaceSetMtu)3244 TEST_F(NetdBinderTest, InterfaceSetMtu) {
3245 const int currentMtu = getInterfaceMtu(sTun.name());
3246 const int testMtu = 1200;
3247
3248 // Add test physical network
3249 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3250 INetd::PERMISSION_NONE, false, false);
3251 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3252 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3253
3254 binder::Status status = mNetd->interfaceSetMtu(sTun.name(), testMtu);
3255 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3256 expectInterfaceMtu(sTun.name(), testMtu);
3257
3258 // restore the MTU back
3259 status = mNetd->interfaceSetMtu(sTun.name(), currentMtu);
3260 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3261
3262 // Remove test physical network
3263 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3264 }
3265
3266 namespace {
3267
3268 constexpr const char TETHER_FORWARD[] = "tetherctrl_FORWARD";
3269 constexpr const char TETHER_NAT_POSTROUTING[] = "tetherctrl_nat_POSTROUTING";
3270 constexpr const char TETHER_RAW_PREROUTING[] = "tetherctrl_raw_PREROUTING";
3271 constexpr const char TETHER_COUNTERS_CHAIN[] = "tetherctrl_counters";
3272
iptablesCountRules(const char * binary,const char * table,const char * chainName)3273 int iptablesCountRules(const char* binary, const char* table, const char* chainName) {
3274 return listIptablesRuleByTable(binary, table, chainName).size();
3275 }
3276
iptablesChainMatch(const char * binary,const char * table,const char * chainName,const std::vector<std::string> & targetVec)3277 bool iptablesChainMatch(const char* binary, const char* table, const char* chainName,
3278 const std::vector<std::string>& targetVec) {
3279 std::vector<std::string> rules = listIptablesRuleByTable(binary, table, chainName);
3280 if (targetVec.size() != rules.size() - 2) {
3281 return false;
3282 }
3283
3284 /*
3285 * Check that the rules match. Note that this function matches substrings, not entire rules,
3286 * because otherwise rules where "pkts" or "bytes" are nonzero would not match.
3287 * Skip first two lines since rules start from third line.
3288 * Chain chainName (x references)
3289 * pkts bytes target prot opt in out source destination
3290 * ...
3291 */
3292 int rIndex = 2;
3293 for (const auto& target : targetVec) {
3294 if (rules[rIndex].find(target) == std::string::npos) {
3295 return false;
3296 }
3297 rIndex++;
3298 }
3299 return true;
3300 }
3301
expectNatEnable(const std::string & intIf,const std::string & extIf)3302 void expectNatEnable(const std::string& intIf, const std::string& extIf) {
3303 std::vector<std::string> postroutingV4Match = {"MASQUERADE"};
3304 std::vector<std::string> preroutingV4Match = {"CT helper ftp", "CT helper pptp"};
3305 std::vector<std::string> forwardV4Match = {
3306 "bw_global_alert", "state RELATED", "state INVALID",
3307 StringPrintf("tetherctrl_counters all -- %s %s", intIf.c_str(), extIf.c_str()),
3308 "DROP"};
3309
3310 // V4
3311 EXPECT_TRUE(iptablesChainMatch(IPTABLES_PATH, NAT_TABLE, TETHER_NAT_POSTROUTING,
3312 postroutingV4Match));
3313 EXPECT_TRUE(
3314 iptablesChainMatch(IPTABLES_PATH, RAW_TABLE, TETHER_RAW_PREROUTING, preroutingV4Match));
3315 EXPECT_TRUE(iptablesChainMatch(IPTABLES_PATH, FILTER_TABLE, TETHER_FORWARD, forwardV4Match));
3316
3317 std::vector<std::string> forwardV6Match = {"bw_global_alert", "tetherctrl_counters"};
3318 std::vector<std::string> preroutingV6Match = {"rpfilter invert"};
3319
3320 // V6
3321 EXPECT_TRUE(iptablesChainMatch(IP6TABLES_PATH, FILTER_TABLE, TETHER_FORWARD, forwardV6Match));
3322 EXPECT_TRUE(iptablesChainMatch(IP6TABLES_PATH, RAW_TABLE, TETHER_RAW_PREROUTING,
3323 preroutingV6Match));
3324
3325 for (const auto& binary : {IPTABLES_PATH, IP6TABLES_PATH}) {
3326 EXPECT_TRUE(iptablesTargetsExists(binary, 2, FILTER_TABLE, TETHER_COUNTERS_CHAIN, intIf,
3327 extIf));
3328 }
3329 }
3330
expectNatDisable()3331 void expectNatDisable() {
3332 // It is the default DROP rule with tethering disable.
3333 // Chain tetherctrl_FORWARD (1 references)
3334 // pkts bytes target prot opt in out source destination
3335 // 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
3336 std::vector<std::string> forwardV4Match = {"DROP"};
3337 EXPECT_TRUE(iptablesChainMatch(IPTABLES_PATH, FILTER_TABLE, TETHER_FORWARD, forwardV4Match));
3338
3339 // We expect that these chains should be empty.
3340 EXPECT_EQ(2, iptablesCountRules(IPTABLES_PATH, NAT_TABLE, TETHER_NAT_POSTROUTING));
3341 EXPECT_EQ(2, iptablesCountRules(IPTABLES_PATH, RAW_TABLE, TETHER_RAW_PREROUTING));
3342
3343 EXPECT_EQ(2, iptablesCountRules(IP6TABLES_PATH, FILTER_TABLE, TETHER_FORWARD));
3344 EXPECT_EQ(2, iptablesCountRules(IP6TABLES_PATH, RAW_TABLE, TETHER_RAW_PREROUTING));
3345
3346 // Netd won't clear tether quota rule, we don't care rule in tetherctrl_counters.
3347 }
3348
3349 } // namespace
3350
TEST_F(NetdBinderTest,TetherForwardAddRemove)3351 TEST_F(NetdBinderTest, TetherForwardAddRemove) {
3352 binder::Status status = mNetd->tetherAddForward(sTun.name(), sTun2.name());
3353 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3354 expectNatEnable(sTun.name(), sTun2.name());
3355
3356 status = mNetd->tetherRemoveForward(sTun.name(), sTun2.name());
3357 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3358 expectNatDisable();
3359 }
3360
3361 namespace {
3362
3363 using TripleInt = std::array<int, 3>;
3364
readProcFileToTripleInt(const std::string & path)3365 TripleInt readProcFileToTripleInt(const std::string& path) {
3366 std::string valueString;
3367 int min, def, max;
3368 EXPECT_TRUE(ReadFileToString(path, &valueString));
3369 EXPECT_EQ(3, sscanf(valueString.c_str(), "%d %d %d", &min, &def, &max));
3370 return {min, def, max};
3371 }
3372
updateAndCheckTcpBuffer(sp<INetd> & netd,TripleInt & rmemValues,TripleInt & wmemValues)3373 void updateAndCheckTcpBuffer(sp<INetd>& netd, TripleInt& rmemValues, TripleInt& wmemValues) {
3374 std::string testRmemValues =
3375 StringPrintf("%u %u %u", rmemValues[0], rmemValues[1], rmemValues[2]);
3376 std::string testWmemValues =
3377 StringPrintf("%u %u %u", wmemValues[0], wmemValues[1], wmemValues[2]);
3378 EXPECT_TRUE(netd->setTcpRWmemorySize(testRmemValues, testWmemValues).isOk());
3379
3380 TripleInt newRmemValues = readProcFileToTripleInt(TCP_RMEM_PROC_FILE);
3381 TripleInt newWmemValues = readProcFileToTripleInt(TCP_WMEM_PROC_FILE);
3382
3383 for (int i = 0; i < 3; i++) {
3384 SCOPED_TRACE(StringPrintf("tcp_mem value %d should be equal", i));
3385 EXPECT_EQ(rmemValues[i], newRmemValues[i]);
3386 EXPECT_EQ(wmemValues[i], newWmemValues[i]);
3387 }
3388 }
3389
3390 } // namespace
3391
TEST_F(NetdBinderTest,TcpBufferSet)3392 TEST_F(NetdBinderTest, TcpBufferSet) {
3393 TripleInt rmemValue = readProcFileToTripleInt(TCP_RMEM_PROC_FILE);
3394 TripleInt testRmemValue{rmemValue[0] + 42, rmemValue[1] + 42, rmemValue[2] + 42};
3395 TripleInt wmemValue = readProcFileToTripleInt(TCP_WMEM_PROC_FILE);
3396 TripleInt testWmemValue{wmemValue[0] + 42, wmemValue[1] + 42, wmemValue[2] + 42};
3397
3398 updateAndCheckTcpBuffer(mNetd, testRmemValue, testWmemValue);
3399 updateAndCheckTcpBuffer(mNetd, rmemValue, wmemValue);
3400 }
3401
TEST_F(NetdBinderTest,UnsolEvents)3402 TEST_F(NetdBinderTest, UnsolEvents) {
3403 auto testUnsolService = android::net::TestUnsolService::start();
3404 std::string oldTunName = sTun.name();
3405 std::string newTunName = "unsolTest";
3406 testUnsolService->tarVec.push_back(oldTunName);
3407 testUnsolService->tarVec.push_back(newTunName);
3408 auto& cv = testUnsolService->getCv();
3409 auto& cvMutex = testUnsolService->getCvMutex();
3410 binder::Status status = mNetd->registerUnsolicitedEventListener(
3411 android::interface_cast<android::net::INetdUnsolicitedEventListener>(testUnsolService));
3412 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3413
3414 // TODO: Add test for below events
3415 // StrictCleartextDetected / InterfaceDnsServersAdded
3416 // InterfaceClassActivity / QuotaLimitReached / InterfaceAddressRemoved
3417
3418 {
3419 std::unique_lock lock(cvMutex);
3420
3421 // Re-init test Tun, and we expect that we will get some unsol events.
3422 // Use the test Tun device name to verify if we receive its unsol events.
3423 sTun.destroy();
3424 // Use predefined name
3425 sTun.init(newTunName);
3426
3427 EXPECT_EQ(std::cv_status::no_timeout, cv.wait_for(lock, std::chrono::seconds(2)));
3428 }
3429
3430 // bit mask 1101101000
3431 // Test only covers below events currently
3432 const uint32_t kExpectedEvents = InterfaceAddressUpdated | InterfaceAdded | InterfaceRemoved |
3433 InterfaceLinkStatusChanged | RouteChanged;
3434 EXPECT_EQ(kExpectedEvents, testUnsolService->getReceived());
3435
3436 // Re-init sTun to clear predefined name
3437 sTun.destroy();
3438 sTun.init();
3439 }
3440
TEST_F(NetdBinderTest,NDC)3441 TEST_F(NetdBinderTest, NDC) {
3442 struct Command {
3443 const std::string cmdString;
3444 const std::string expectedResult;
3445 };
3446
3447 // clang-format off
3448 // Do not change the commands order
3449 const Command networkCmds[] = {
3450 {StringPrintf("ndc network create %d", TEST_NETID1),
3451 "200 0 success"},
3452 {StringPrintf("ndc network interface add %d %s", TEST_NETID1, sTun.name().c_str()),
3453 "200 0 success"},
3454 {StringPrintf("ndc network interface remove %d %s", TEST_NETID1, sTun.name().c_str()),
3455 "200 0 success"},
3456 {StringPrintf("ndc network interface add %d %s", TEST_NETID2, sTun.name().c_str()),
3457 "400 0 addInterfaceToNetwork() failed (Machine is not on the network)"},
3458 {StringPrintf("ndc network destroy %d", TEST_NETID1),
3459 "200 0 success"},
3460 };
3461
3462 const std::vector<Command> ipfwdCmds = {
3463 {"ndc ipfwd enable " + sTun.name(),
3464 "200 0 ipfwd operation succeeded"},
3465 {"ndc ipfwd disable " + sTun.name(),
3466 "200 0 ipfwd operation succeeded"},
3467 {"ndc ipfwd add lo2 lo3",
3468 "400 0 ipfwd operation failed (No such process)"},
3469 {"ndc ipfwd add " + sTun.name() + " " + sTun2.name(),
3470 "200 0 ipfwd operation succeeded"},
3471 {"ndc ipfwd remove " + sTun.name() + " " + sTun2.name(),
3472 "200 0 ipfwd operation succeeded"},
3473 };
3474
3475 static const struct {
3476 const char* ipVersion;
3477 const char* testDest;
3478 const char* testNextHop;
3479 const bool expectSuccess;
3480 const std::string expectedResult;
3481 } kTestData[] = {
3482 {IP_RULE_V4, "0.0.0.0/0", "", true,
3483 "200 0 success"},
3484 {IP_RULE_V4, "10.251.0.0/16", "", true,
3485 "200 0 success"},
3486 {IP_RULE_V4, "10.251.0.0/16", "fe80::/64", false,
3487 "400 0 addRoute() failed (Invalid argument)",},
3488 {IP_RULE_V6, "::/0", "", true,
3489 "200 0 success"},
3490 {IP_RULE_V6, "2001:db8:cafe::/64", "", true,
3491 "200 0 success"},
3492 {IP_RULE_V6, "fe80::/64", "0.0.0.0", false,
3493 "400 0 addRoute() failed (Invalid argument)"},
3494 };
3495 // clang-format on
3496
3497 for (const auto& cmd : networkCmds) {
3498 const std::vector<std::string> result = runCommand(cmd.cmdString);
3499 SCOPED_TRACE(cmd.cmdString);
3500 EXPECT_EQ(result.size(), 1U);
3501 EXPECT_EQ(cmd.expectedResult, Trim(result[0]));
3502 }
3503
3504 for (const auto& cmd : ipfwdCmds) {
3505 const std::vector<std::string> result = runCommand(cmd.cmdString);
3506 SCOPED_TRACE(cmd.cmdString);
3507 EXPECT_EQ(result.size(), 1U);
3508 EXPECT_EQ(cmd.expectedResult, Trim(result[0]));
3509 }
3510
3511 // Add test physical network
3512 const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3513 INetd::PERMISSION_NONE, false, false);
3514 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3515 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3516
3517 for (const auto& td : kTestData) {
3518 const std::string routeAddCmd =
3519 StringPrintf("ndc network route add %d %s %s %s", TEST_NETID1, sTun.name().c_str(),
3520 td.testDest, td.testNextHop);
3521 const std::string routeRemoveCmd =
3522 StringPrintf("ndc network route remove %d %s %s %s", TEST_NETID1,
3523 sTun.name().c_str(), td.testDest, td.testNextHop);
3524 std::vector<std::string> result = runCommand(routeAddCmd);
3525 SCOPED_TRACE(routeAddCmd);
3526 EXPECT_EQ(result.size(), 1U);
3527 EXPECT_EQ(td.expectedResult, Trim(result[0]));
3528 if (td.expectSuccess) {
3529 expectNetworkRouteExists(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
3530 sTun.name().c_str());
3531 result = runCommand(routeRemoveCmd);
3532 EXPECT_EQ(result.size(), 1U);
3533 EXPECT_EQ(td.expectedResult, Trim(result[0]));
3534 expectNetworkRouteDoesNotExist(td.ipVersion, sTun.name(), td.testDest, td.testNextHop,
3535 sTun.name().c_str());
3536 }
3537 }
3538 // Remove test physical network
3539 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3540 }
3541
TEST_F(NetdBinderTest,OemNetdRelated)3542 TEST_F(NetdBinderTest, OemNetdRelated) {
3543 sp<IBinder> binder;
3544 binder::Status status = mNetd->getOemNetd(&binder);
3545 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3546 sp<com::android::internal::net::IOemNetd> oemNetd;
3547 if (binder != nullptr) {
3548 oemNetd = android::interface_cast<com::android::internal::net::IOemNetd>(binder);
3549 }
3550 ASSERT_NE(nullptr, oemNetd.get());
3551
3552 TimedOperation t("OemNetd isAlive RPC");
3553 bool isAlive = false;
3554 oemNetd->isAlive(&isAlive);
3555 ASSERT_TRUE(isAlive);
3556
3557 class TestOemUnsolListener
3558 : public com::android::internal::net::BnOemNetdUnsolicitedEventListener {
3559 public:
3560 android::binder::Status onRegistered() override {
3561 std::lock_guard lock(mCvMutex);
3562 mCv.notify_one();
3563 return android::binder::Status::ok();
3564 }
3565 std::condition_variable& getCv() { return mCv; }
3566 std::mutex& getCvMutex() { return mCvMutex; }
3567
3568 private:
3569 std::mutex mCvMutex;
3570 std::condition_variable mCv;
3571 };
3572
3573 // Start the Binder thread pool.
3574 android::ProcessState::self()->startThreadPool();
3575
3576 android::sp<TestOemUnsolListener> testListener = new TestOemUnsolListener();
3577
3578 auto& cv = testListener->getCv();
3579 auto& cvMutex = testListener->getCvMutex();
3580
3581 {
3582 std::unique_lock lock(cvMutex);
3583
3584 status = oemNetd->registerOemUnsolicitedEventListener(
3585 ::android::interface_cast<
3586 com::android::internal::net::IOemNetdUnsolicitedEventListener>(
3587 testListener));
3588 EXPECT_TRUE(status.isOk()) << status.exceptionMessage();
3589
3590 // Wait for receiving expected events.
3591 EXPECT_EQ(std::cv_status::no_timeout, cv.wait_for(lock, std::chrono::seconds(2)));
3592 }
3593 }
3594
createVpnNetworkWithUid(bool secure,uid_t uid,int vpnNetId,int fallthroughNetId,int nonDefaultNetId)3595 void NetdBinderTest::createVpnNetworkWithUid(bool secure, uid_t uid, int vpnNetId,
3596 int fallthroughNetId, int nonDefaultNetId) {
3597 // Re-init sTun* to ensure route rule exists.
3598 sTun.destroy();
3599 sTun.init();
3600 sTun2.destroy();
3601 sTun2.init();
3602 sTun3.destroy();
3603 sTun3.init();
3604
3605 // Create physical network with fallthroughNetId but not set it as default network
3606 auto config = makeNativeNetworkConfig(fallthroughNetId, NativeNetworkType::PHYSICAL,
3607 INetd::PERMISSION_NONE, false, false);
3608 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3609 EXPECT_TRUE(mNetd->networkAddInterface(fallthroughNetId, sTun.name()).isOk());
3610 // Create another physical network in order to test VPN behaviour with multiple networks
3611 // connected, of which one may be the default.
3612 auto nonDefaultNetworkConfig = makeNativeNetworkConfig(
3613 nonDefaultNetId, NativeNetworkType::PHYSICAL, INetd::PERMISSION_NONE, false, false);
3614 EXPECT_TRUE(mNetd->networkCreate(nonDefaultNetworkConfig).isOk());
3615 EXPECT_TRUE(mNetd->networkAddInterface(nonDefaultNetId, sTun3.name()).isOk());
3616
3617 // Create VPN with vpnNetId
3618 config.netId = vpnNetId;
3619 config.networkType = NativeNetworkType::VIRTUAL;
3620 config.secure = secure;
3621 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3622
3623 // Add uid to VPN
3624 EXPECT_TRUE(mNetd->networkAddUidRanges(vpnNetId, {makeUidRangeParcel(uid, uid)}).isOk());
3625 EXPECT_TRUE(mNetd->networkAddInterface(vpnNetId, sTun2.name()).isOk());
3626
3627 // Add default route to fallthroughNetwork
3628 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
3629 // Add limited route
3630 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "2001:db8::/32", "").isOk());
3631
3632 // Also add default route to non-default network for per app default use.
3633 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID3, sTun3.name(), "::/0", "").isOk());
3634 }
3635
createAndSetDefaultNetwork(int netId,const std::string & interface,int permission)3636 void NetdBinderTest::createAndSetDefaultNetwork(int netId, const std::string& interface,
3637 int permission) {
3638 // backup current default network.
3639 ASSERT_TRUE(mNetd->networkGetDefault(&mStoredDefaultNetwork).isOk());
3640
3641 const auto& config =
3642 makeNativeNetworkConfig(netId, NativeNetworkType::PHYSICAL, permission, false, false);
3643 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3644 EXPECT_TRUE(mNetd->networkAddInterface(netId, interface).isOk());
3645 EXPECT_TRUE(mNetd->networkSetDefault(netId).isOk());
3646 }
3647
createPhysicalNetwork(int netId,const std::string & interface,int permission)3648 void NetdBinderTest::createPhysicalNetwork(int netId, const std::string& interface,
3649 int permission) {
3650 const auto& config =
3651 makeNativeNetworkConfig(netId, NativeNetworkType::PHYSICAL, permission, false, false);
3652 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3653 EXPECT_TRUE(mNetd->networkAddInterface(netId, interface).isOk());
3654 }
3655
3656 // 1. Create a physical network on sTun, and set it as the system default network.
3657 // 2. Create another physical network on sTun2.
createDefaultAndOtherPhysicalNetwork(int defaultNetId,int otherNetId)3658 void NetdBinderTest::createDefaultAndOtherPhysicalNetwork(int defaultNetId, int otherNetId) {
3659 createAndSetDefaultNetwork(defaultNetId, sTun.name());
3660 EXPECT_TRUE(mNetd->networkAddRoute(defaultNetId, sTun.name(), "::/0", "").isOk());
3661
3662 createPhysicalNetwork(otherNetId, sTun2.name());
3663 EXPECT_TRUE(mNetd->networkAddRoute(otherNetId, sTun2.name(), "::/0", "").isOk());
3664 }
3665
3666 // 1. Create a system default network and a physical network.
3667 // 2. Create a VPN on sTun3.
createVpnAndOtherPhysicalNetwork(int systemDefaultNetId,int otherNetId,int vpnNetId,bool secure)3668 void NetdBinderTest::createVpnAndOtherPhysicalNetwork(int systemDefaultNetId, int otherNetId,
3669 int vpnNetId, bool secure) {
3670 createDefaultAndOtherPhysicalNetwork(systemDefaultNetId, otherNetId);
3671
3672 auto config = makeNativeNetworkConfig(vpnNetId, NativeNetworkType::VIRTUAL,
3673 INetd::PERMISSION_NONE, secure, false);
3674 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3675 EXPECT_TRUE(mNetd->networkAddInterface(vpnNetId, sTun3.name()).isOk());
3676 EXPECT_TRUE(mNetd->networkAddRoute(vpnNetId, sTun3.name(), "2001:db8::/32", "").isOk());
3677 }
3678
3679 // 1. Create system default network, a physical network (for per-app default), and a VPN.
3680 // 2. Add per-app uid ranges and VPN ranges.
createVpnAndAppDefaultNetworkWithUid(int systemDefaultNetId,int appDefaultNetId,int vpnNetId,bool secure,std::vector<UidRangeParcel> && appDefaultUidRanges,std::vector<UidRangeParcel> && vpnUidRanges)3681 void NetdBinderTest::createVpnAndAppDefaultNetworkWithUid(
3682 int systemDefaultNetId, int appDefaultNetId, int vpnNetId, bool secure,
3683 std::vector<UidRangeParcel>&& appDefaultUidRanges,
3684 std::vector<UidRangeParcel>&& vpnUidRanges) {
3685 createVpnAndOtherPhysicalNetwork(systemDefaultNetId, appDefaultNetId, vpnNetId, secure);
3686 // add per-app uid ranges.
3687 EXPECT_TRUE(mNetd->networkAddUidRanges(appDefaultNetId, appDefaultUidRanges).isOk());
3688 // add VPN uid ranges.
3689 EXPECT_TRUE(mNetd->networkAddUidRanges(vpnNetId, vpnUidRanges).isOk());
3690 }
3691
3692 namespace {
3693
checkDataReceived(int udpSocket,int tunFd,sockaddr * dstAddr,int addrLen)3694 void checkDataReceived(int udpSocket, int tunFd, sockaddr* dstAddr, int addrLen) {
3695 char buf[4096] = {};
3696 // Clear tunFd's queue before write something because there might be some
3697 // arbitrary packets in the queue. (e.g. ICMPv6 packet)
3698 clearQueue(tunFd);
3699 EXPECT_EQ(4, sendto(udpSocket, "foo", sizeof("foo"), 0, dstAddr, addrLen));
3700 // TODO: extract header and verify data
3701 EXPECT_GT(read(tunFd, buf, sizeof(buf)), 0);
3702 }
3703
sendPacketFromUid(uid_t uid,IPSockAddr & dstAddr,Fwmark * fwmark,int tunFd,bool doConnect=true)3704 bool sendPacketFromUid(uid_t uid, IPSockAddr& dstAddr, Fwmark* fwmark, int tunFd,
3705 bool doConnect = true) {
3706 int family = dstAddr.family();
3707 ScopedUidChange scopedUidChange(uid);
3708 unique_fd testSocket(socket(family, SOCK_DGRAM | SOCK_CLOEXEC, 0));
3709
3710 if (testSocket < 0) return false;
3711 const sockaddr_storage dst = IPSockAddr(dstAddr.ip(), dstAddr.port());
3712 if (doConnect && connect(testSocket, (sockaddr*)&dst, sizeof(dst)) == -1) return false;
3713
3714 socklen_t fwmarkLen = sizeof(fwmark->intValue);
3715 EXPECT_NE(-1, getsockopt(testSocket, SOL_SOCKET, SO_MARK, &(fwmark->intValue), &fwmarkLen));
3716
3717 int addr_len = (family == AF_INET) ? INET_ADDRSTRLEN : INET6_ADDRSTRLEN;
3718 char addr[addr_len];
3719 inet_ntop(family, &dstAddr, addr, addr_len);
3720 SCOPED_TRACE(StringPrintf("sendPacket, addr: %s, uid: %u, doConnect: %s", addr, uid,
3721 doConnect ? "true" : "false"));
3722 if (doConnect) {
3723 checkDataReceived(testSocket, tunFd, nullptr, 0);
3724 } else {
3725 checkDataReceived(testSocket, tunFd, (sockaddr*)&dst, sizeof(dst));
3726 }
3727
3728 return true;
3729 }
3730
sendIPv4PacketFromUid(uid_t uid,const in_addr & dstAddr,Fwmark * fwmark,int tunFd,bool doConnect=true)3731 bool sendIPv4PacketFromUid(uid_t uid, const in_addr& dstAddr, Fwmark* fwmark, int tunFd,
3732 bool doConnect = true) {
3733 const sockaddr_in dst = {.sin_family = AF_INET, .sin_port = 42, .sin_addr = dstAddr};
3734 IPSockAddr addr = IPSockAddr(dst);
3735
3736 return sendPacketFromUid(uid, addr, fwmark, tunFd, doConnect);
3737 }
3738
sendIPv6PacketFromUid(uid_t uid,const in6_addr & dstAddr,Fwmark * fwmark,int tunFd,bool doConnect=true)3739 bool sendIPv6PacketFromUid(uid_t uid, const in6_addr& dstAddr, Fwmark* fwmark, int tunFd,
3740 bool doConnect = true) {
3741 const sockaddr_in6 dst6 = {
3742 .sin6_family = AF_INET6,
3743 .sin6_port = 42,
3744 .sin6_addr = dstAddr,
3745 };
3746 IPSockAddr addr = IPSockAddr(dst6);
3747
3748 return sendPacketFromUid(uid, addr, fwmark, tunFd, doConnect);
3749 }
3750
3751 // Send an IPv6 packet from the uid. Expect to fail and get specified errno.
sendIPv6PacketFromUidFail(uid_t uid,const in6_addr & dstAddr,Fwmark * fwmark,bool doConnect,int expectedErr)3752 bool sendIPv6PacketFromUidFail(uid_t uid, const in6_addr& dstAddr, Fwmark* fwmark, bool doConnect,
3753 int expectedErr) {
3754 ScopedUidChange scopedUidChange(uid);
3755 unique_fd s(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
3756 if (s < 0) return false;
3757
3758 const sockaddr_in6 dst6 = {
3759 .sin6_family = AF_INET6,
3760 .sin6_port = 42,
3761 .sin6_addr = dstAddr,
3762 };
3763 if (doConnect) {
3764 if (connect(s, (sockaddr*)&dst6, sizeof(dst6)) == 0) return false;
3765 if (errno != expectedErr) return false;
3766 }
3767
3768 socklen_t fwmarkLen = sizeof(fwmark->intValue);
3769 EXPECT_NE(-1, getsockopt(s, SOL_SOCKET, SO_MARK, &(fwmark->intValue), &fwmarkLen));
3770
3771 char addr[INET6_ADDRSTRLEN];
3772 inet_ntop(AF_INET6, &dstAddr, addr, INET6_ADDRSTRLEN);
3773 SCOPED_TRACE(StringPrintf("sendIPv6PacketFail, addr: %s, uid: %u, doConnect: %s", addr, uid,
3774 doConnect ? "true" : "false"));
3775 if (!doConnect) {
3776 if (sendto(s, "foo", sizeof("foo"), 0, (sockaddr*)&dst6, sizeof(dst6)) == 0) return false;
3777 if (errno != expectedErr) return false;
3778 }
3779 return true;
3780 }
3781
expectVpnFallthroughRuleExists(const std::string & ifName,int vpnNetId)3782 void expectVpnFallthroughRuleExists(const std::string& ifName, int vpnNetId) {
3783 std::string vpnFallthroughRule =
3784 StringPrintf("%d:\tfrom all fwmark 0x%x/0xffff lookup %s",
3785 RULE_PRIORITY_VPN_FALLTHROUGH, vpnNetId, ifName.c_str());
3786 for (const auto& ipVersion : {IP_RULE_V4, IP_RULE_V6}) {
3787 EXPECT_TRUE(ipRuleExists(ipVersion, vpnFallthroughRule));
3788 }
3789 }
3790
expectVpnFallthroughWorks(android::net::INetd * netdService,bool bypassable,uid_t uid,uid_t uidNotInVpn,const TunInterface & fallthroughNetwork,const TunInterface & vpnNetwork,const TunInterface & otherNetwork,int vpnNetId=TEST_NETID2,int fallthroughNetId=TEST_NETID1,int otherNetId=TEST_NETID3)3791 void expectVpnFallthroughWorks(android::net::INetd* netdService, bool bypassable, uid_t uid,
3792 uid_t uidNotInVpn, const TunInterface& fallthroughNetwork,
3793 const TunInterface& vpnNetwork, const TunInterface& otherNetwork,
3794 int vpnNetId = TEST_NETID2, int fallthroughNetId = TEST_NETID1,
3795 int otherNetId = TEST_NETID3) {
3796 // Set default network to NETID_UNSET
3797 EXPECT_TRUE(netdService->networkSetDefault(NETID_UNSET).isOk());
3798
3799 // insideVpnAddr based on the route we added in createVpnNetworkWithUid
3800 in6_addr insideVpnAddr = {
3801 {// 2001:db8:cafe::1
3802 .u6_addr8 = {0x20, 0x01, 0x0d, 0xb8, 0xca, 0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}}};
3803 // outsideVpnAddr will hit the route in the fallthrough network route table
3804 // because we added default route in createVpnNetworkWithUid
3805 in6_addr outsideVpnAddr = {
3806 {// 2607:f0d0:1002::4
3807 .u6_addr8 = {0x26, 0x07, 0xf0, 0xd0, 0x10, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4}}};
3808
3809 int fallthroughFd = fallthroughNetwork.getFdForTesting();
3810 int vpnFd = vpnNetwork.getFdForTesting();
3811 // Expect all connections to fail because UID 0 is not routed to the VPN and there is no
3812 // default network.
3813 Fwmark fwmark;
3814 EXPECT_FALSE(sendIPv6PacketFromUid(0, outsideVpnAddr, &fwmark, fallthroughFd));
3815 EXPECT_FALSE(sendIPv6PacketFromUid(0, insideVpnAddr, &fwmark, fallthroughFd));
3816
3817 // Set default network
3818 EXPECT_TRUE(netdService->networkSetDefault(fallthroughNetId).isOk());
3819
3820 // Connections go on the default network because UID 0 is not subject to the VPN.
3821 EXPECT_TRUE(sendIPv6PacketFromUid(0, outsideVpnAddr, &fwmark, fallthroughFd));
3822 EXPECT_EQ(fallthroughNetId | 0xC0000, static_cast<int>(fwmark.intValue));
3823 EXPECT_TRUE(sendIPv6PacketFromUid(0, insideVpnAddr, &fwmark, fallthroughFd));
3824 EXPECT_EQ(fallthroughNetId | 0xC0000, static_cast<int>(fwmark.intValue));
3825
3826 // Check if fallthrough rule exists
3827 expectVpnFallthroughRuleExists(fallthroughNetwork.name(), vpnNetId);
3828
3829 // Check if local exclusion rule exists for default network
3830 expectVpnLocalExclusionRuleExists(fallthroughNetwork.name(), true);
3831 // No local exclusion rule for non-default network
3832 expectVpnLocalExclusionRuleExists(otherNetwork.name(), false);
3833
3834 // Expect fallthrough to default network
3835 // The fwmark differs depending on whether the VPN is bypassable or not.
3836 EXPECT_TRUE(sendIPv6PacketFromUid(uid, outsideVpnAddr, &fwmark, fallthroughFd));
3837 EXPECT_EQ(bypassable ? vpnNetId : fallthroughNetId, static_cast<int>(fwmark.intValue));
3838
3839 // Expect connect success, packet will be sent to vpnFd.
3840 EXPECT_TRUE(sendIPv6PacketFromUid(uid, insideVpnAddr, &fwmark, vpnFd));
3841 EXPECT_EQ(bypassable ? vpnNetId : fallthroughNetId, static_cast<int>(fwmark.intValue));
3842
3843 // Explicitly select vpn network
3844 setNetworkForProcess(vpnNetId);
3845
3846 // Expect fallthrough to default network
3847 EXPECT_TRUE(sendIPv6PacketFromUid(0, outsideVpnAddr, &fwmark, fallthroughFd));
3848 // Expect the mark contains all the bit because we've selected network.
3849 EXPECT_EQ(vpnNetId | 0xF0000, static_cast<int>(fwmark.intValue));
3850
3851 // Expect connect success, packet will be sent to vpnFd.
3852 EXPECT_TRUE(sendIPv6PacketFromUid(0, insideVpnAddr, &fwmark, vpnFd));
3853 // Expect the mark contains all the bit because we've selected network.
3854 EXPECT_EQ(vpnNetId | 0xF0000, static_cast<int>(fwmark.intValue));
3855
3856 // Explicitly select fallthrough network
3857 setNetworkForProcess(fallthroughNetId);
3858
3859 // The mark is set to fallthrough network because we've selected it.
3860 EXPECT_TRUE(sendIPv6PacketFromUid(0, outsideVpnAddr, &fwmark, fallthroughFd));
3861 EXPECT_TRUE(sendIPv6PacketFromUid(0, insideVpnAddr, &fwmark, fallthroughFd));
3862
3863 // If vpn is BypassableVPN, connections can also go on the fallthrough network under vpn uid.
3864 if (bypassable) {
3865 EXPECT_TRUE(sendIPv6PacketFromUid(uid, outsideVpnAddr, &fwmark, fallthroughFd));
3866 EXPECT_TRUE(sendIPv6PacketFromUid(uid, insideVpnAddr, &fwmark, fallthroughFd));
3867 } else {
3868 // If not, no permission to bypass vpn.
3869 EXPECT_FALSE(sendIPv6PacketFromUid(uid, outsideVpnAddr, &fwmark, fallthroughFd));
3870 EXPECT_FALSE(sendIPv6PacketFromUid(uid, insideVpnAddr, &fwmark, fallthroughFd));
3871 }
3872
3873 // Add per-app uid ranges.
3874 EXPECT_TRUE(netdService
3875 ->networkAddUidRanges(otherNetId,
3876 {makeUidRangeParcel(uidNotInVpn, uidNotInVpn)})
3877 .isOk());
3878
3879 int appDefaultFd = otherNetwork.getFdForTesting();
3880
3881 // UID is not inside the VPN range, so it won't go to vpn network.
3882 // It won't fall into per app local rule because it's explicitly selected.
3883 EXPECT_TRUE(sendIPv6PacketFromUid(uidNotInVpn, outsideVpnAddr, &fwmark, fallthroughFd));
3884 EXPECT_TRUE(sendIPv6PacketFromUid(uidNotInVpn, insideVpnAddr, &fwmark, fallthroughFd));
3885
3886 // Reset explicitly selection.
3887 setNetworkForProcess(NETID_UNSET);
3888 // Connections can go to app default network.
3889 EXPECT_TRUE(sendIPv6PacketFromUid(uidNotInVpn, insideVpnAddr, &fwmark, appDefaultFd));
3890 EXPECT_TRUE(sendIPv6PacketFromUid(uidNotInVpn, outsideVpnAddr, &fwmark, appDefaultFd));
3891 }
3892
3893 } // namespace
3894
TEST_F(NetdBinderTest,SecureVPNFallthrough)3895 TEST_F(NetdBinderTest, SecureVPNFallthrough) {
3896 createVpnNetworkWithUid(true /* secure */, TEST_UID1);
3897 // Get current default network NetId
3898 ASSERT_TRUE(mNetd->networkGetDefault(&mStoredDefaultNetwork).isOk());
3899 expectVpnFallthroughWorks(mNetd.get(), false /* bypassable */, TEST_UID1, TEST_UID2, sTun,
3900 sTun2, sTun3);
3901 }
3902
TEST_F(NetdBinderTest,BypassableVPNFallthrough)3903 TEST_F(NetdBinderTest, BypassableVPNFallthrough) {
3904 createVpnNetworkWithUid(false /* secure */, TEST_UID1);
3905 // Get current default network NetId
3906 ASSERT_TRUE(mNetd->networkGetDefault(&mStoredDefaultNetwork).isOk());
3907 expectVpnFallthroughWorks(mNetd.get(), true /* bypassable */, TEST_UID1, TEST_UID2, sTun, sTun2,
3908 sTun3);
3909 }
3910
3911 namespace {
3912
createIpv6SocketAndCheckMark(int type,const in6_addr & dstAddr)3913 int32_t createIpv6SocketAndCheckMark(int type, const in6_addr& dstAddr) {
3914 const sockaddr_in6 dst6 = {
3915 .sin6_family = AF_INET6,
3916 .sin6_port = 1234,
3917 .sin6_addr = dstAddr,
3918 };
3919 // create non-blocking socket.
3920 int sockFd = socket(AF_INET6, type | SOCK_NONBLOCK, 0);
3921 EXPECT_NE(-1, sockFd);
3922 EXPECT_EQ((type == SOCK_STREAM) ? -1 : 0, connect(sockFd, (sockaddr*)&dst6, sizeof(dst6)));
3923
3924 // Get socket fwmark.
3925 Fwmark fwmark;
3926 socklen_t fwmarkLen = sizeof(fwmark.intValue);
3927 EXPECT_EQ(0, getsockopt(sockFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen));
3928 EXPECT_EQ(0, close(sockFd));
3929 return fwmark.intValue;
3930 }
3931
3932 } // namespace
3933
TEST_F(NetdBinderTest,GetFwmarkForNetwork)3934 TEST_F(NetdBinderTest, GetFwmarkForNetwork) {
3935 // Save current default network.
3936 ASSERT_TRUE(mNetd->networkGetDefault(&mStoredDefaultNetwork).isOk());
3937
3938 // Add test physical network 1 and set as default network.
3939 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
3940 INetd::PERMISSION_NONE, false, false);
3941 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3942 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk());
3943 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "2001:db8::/32", "").isOk());
3944 EXPECT_TRUE(mNetd->networkSetDefault(TEST_NETID1).isOk());
3945 // Add test physical network 2
3946 config.netId = TEST_NETID2;
3947 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3948 EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID2, sTun2.name()).isOk());
3949
3950 // Get fwmark for network 1.
3951 MarkMaskParcel maskMarkNet1;
3952 ASSERT_TRUE(mNetd->getFwmarkForNetwork(TEST_NETID1, &maskMarkNet1).isOk());
3953
3954 uint32_t fwmarkTcp = createIpv6SocketAndCheckMark(SOCK_STREAM, V6_ADDR);
3955 uint32_t fwmarkUdp = createIpv6SocketAndCheckMark(SOCK_DGRAM, V6_ADDR);
3956 EXPECT_EQ(maskMarkNet1.mark, static_cast<int>(fwmarkTcp & maskMarkNet1.mask));
3957 EXPECT_EQ(maskMarkNet1.mark, static_cast<int>(fwmarkUdp & maskMarkNet1.mask));
3958
3959 // Get fwmark for network 2.
3960 MarkMaskParcel maskMarkNet2;
3961 ASSERT_TRUE(mNetd->getFwmarkForNetwork(TEST_NETID2, &maskMarkNet2).isOk());
3962 EXPECT_NE(maskMarkNet2.mark, static_cast<int>(fwmarkTcp & maskMarkNet2.mask));
3963 EXPECT_NE(maskMarkNet2.mark, static_cast<int>(fwmarkUdp & maskMarkNet2.mask));
3964
3965 // Remove test physical network.
3966 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID2).isOk());
3967 EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk());
3968 }
3969
TEST_F(NetdBinderTest,TestServiceDump)3970 TEST_F(NetdBinderTest, TestServiceDump) {
3971 sp<IBinder> binder = INetd::asBinder(mNetd);
3972 ASSERT_NE(nullptr, binder);
3973
3974 struct TestData {
3975 // Expected contents of the dump command.
3976 const std::string output;
3977 // A regex that might be helpful in matching relevant lines in the output.
3978 // Used to make it easier to add test cases for this code.
3979 const std::string hintRegex;
3980 };
3981 std::vector<TestData> testData;
3982
3983 // Send some IPCs and for each one add an element to testData telling us what to expect.
3984 const auto& config = makeNativeNetworkConfig(TEST_DUMP_NETID, NativeNetworkType::PHYSICAL,
3985 INetd::PERMISSION_NONE, false, false);
3986 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
3987 testData.push_back(
3988 {"networkCreate(NativeNetworkConfig{netId: 65123, networkType: PHYSICAL, "
3989 "permission: 0, secure: false, vpnType: PLATFORM, excludeLocalRoutes: false})",
3990 "networkCreate.*65123"});
3991
3992 EXPECT_EQ(EEXIST, mNetd->networkCreate(config).serviceSpecificErrorCode());
3993 testData.push_back(
3994 {"networkCreate(NativeNetworkConfig{netId: 65123, networkType: PHYSICAL, "
3995 "permission: 0, secure: false, vpnType: PLATFORM, excludeLocalRoutes: false}) "
3996 "-> ServiceSpecificException(17, \"File exists\")",
3997 "networkCreate.*65123.*17"});
3998
3999 EXPECT_TRUE(mNetd->networkAddInterface(TEST_DUMP_NETID, sTun.name()).isOk());
4000 testData.push_back({StringPrintf("networkAddInterface(65123, %s)", sTun.name().c_str()),
4001 StringPrintf("networkAddInterface.*65123.*%s", sTun.name().c_str())});
4002
4003 android::net::RouteInfoParcel parcel;
4004 parcel.ifName = sTun.name();
4005 parcel.destination = "2001:db8:dead:beef::/64";
4006 parcel.nextHop = "fe80::dead:beef";
4007 parcel.mtu = 1234;
4008 EXPECT_TRUE(mNetd->networkAddRouteParcel(TEST_DUMP_NETID, parcel).isOk());
4009 testData.push_back(
4010 {StringPrintf("networkAddRouteParcel(65123, RouteInfoParcel{destination:"
4011 " 2001:db8:dead:beef::/64, ifName: %s, nextHop: fe80::dead:beef,"
4012 " mtu: 1234})",
4013 sTun.name().c_str()),
4014 "networkAddRouteParcel.*65123.*dead:beef"});
4015
4016 EXPECT_TRUE(mNetd->networkDestroy(TEST_DUMP_NETID).isOk());
4017 testData.push_back({"networkDestroy(65123)", "networkDestroy.*65123"});
4018
4019 // Send the service dump request to netd.
4020 std::vector<std::string> lines = {};
4021 android::status_t ret = dumpService(binder, {}, lines);
4022 ASSERT_EQ(android::OK, ret) << "Error dumping service: " << android::statusToString(ret);
4023
4024 // Basic regexp to match dump output lines. Matches the beginning and end of the line, and
4025 // puts the output of the command itself into the first match group.
4026 // Example: " 11-05 00:23:39.481 myCommand(args) <2.02ms>".
4027 const std::basic_regex lineRegex(
4028 "^ [0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[.][0-9]{3} "
4029 "(.*)"
4030 " <[0-9]+[.][0-9]{2}ms>$");
4031
4032 // For each element of testdata, check that the expected output appears in the dump output.
4033 // If not, fail the test and use hintRegex to print similar lines to assist in debugging.
4034 for (const TestData& td : testData) {
4035 const bool found = std::any_of(lines.begin(), lines.end(), [&](const std::string& line) {
4036 std::smatch match;
4037 if (!std::regex_match(line, match, lineRegex)) return false;
4038 return (match.size() == 2) && (match[1].str() == td.output);
4039 });
4040 EXPECT_TRUE(found) << "Didn't find line '" << td.output << "' in dumpsys output.";
4041 if (found) continue;
4042 std::cerr << "Similar lines" << std::endl;
4043 for (const auto& line : lines) {
4044 if (std::regex_search(line, std::basic_regex(td.hintRegex))) {
4045 std::cerr << line << std::endl;
4046 }
4047 }
4048 }
4049 }
4050
4051 namespace {
4052
4053 // aliases for better reading
4054 #define SYSTEM_DEFAULT_NETID TEST_NETID1
4055 #define APP_DEFAULT_NETID TEST_NETID2
4056 #define VPN_NETID TEST_NETID3
4057
4058 #define ENTERPRISE_NETID_1 TEST_NETID2
4059 #define ENTERPRISE_NETID_2 TEST_NETID3
4060 #define ENTERPRISE_NETID_3 TEST_NETID4
4061
verifyAppUidRules(std::vector<bool> && expectedResults,std::vector<UidRangeParcel> & uidRanges,const std::string & iface,int32_t subPriority)4062 void verifyAppUidRules(std::vector<bool>&& expectedResults, std::vector<UidRangeParcel>& uidRanges,
4063 const std::string& iface, int32_t subPriority) {
4064 ASSERT_EQ(expectedResults.size(), uidRanges.size());
4065 if (iface.size()) {
4066 std::string action = StringPrintf("lookup %s", iface.c_str());
4067 std::string action_local = StringPrintf("lookup %s_local", iface.c_str());
4068 for (unsigned long i = 0; i < uidRanges.size(); i++) {
4069 EXPECT_EQ(expectedResults[i],
4070 ipRuleExistsForRange(RULE_PRIORITY_UID_EXPLICIT_NETWORK + subPriority,
4071 uidRanges[i], action));
4072 EXPECT_EQ(expectedResults[i],
4073 ipRuleExistsForRange(RULE_PRIORITY_UID_IMPLICIT_NETWORK + subPriority,
4074 uidRanges[i], action));
4075 EXPECT_EQ(expectedResults[i],
4076 ipRuleExistsForRange(RULE_PRIORITY_UID_DEFAULT_NETWORK + subPriority,
4077 uidRanges[i], action));
4078 EXPECT_EQ(expectedResults[i], ipRuleExistsForRange(RULE_PRIORITY_UID_LOCAL_ROUTES,
4079 uidRanges[i], action_local));
4080 }
4081 } else {
4082 std::string action = "unreachable";
4083 for (unsigned long i = 0; i < uidRanges.size(); i++) {
4084 EXPECT_EQ(expectedResults[i],
4085 ipRuleExistsForRange(RULE_PRIORITY_UID_EXPLICIT_NETWORK + subPriority,
4086 uidRanges[i], action));
4087 EXPECT_EQ(expectedResults[i],
4088 ipRuleExistsForRange(RULE_PRIORITY_UID_IMPLICIT_NETWORK + subPriority,
4089 uidRanges[i], action));
4090 EXPECT_EQ(expectedResults[i],
4091 ipRuleExistsForRange(RULE_PRIORITY_UID_DEFAULT_UNREACHABLE + subPriority,
4092 uidRanges[i], action));
4093 }
4094 }
4095 }
4096
verifyAppUidRules(std::vector<bool> && expectedResults,NativeUidRangeConfig & uidRangeConfig,const std::string & iface)4097 void verifyAppUidRules(std::vector<bool>&& expectedResults, NativeUidRangeConfig& uidRangeConfig,
4098 const std::string& iface) {
4099 verifyAppUidRules(std::move(expectedResults), uidRangeConfig.uidRanges, iface,
4100 uidRangeConfig.subPriority);
4101 }
4102
verifyVpnUidRules(std::vector<bool> && expectedResults,NativeUidRangeConfig & uidRangeConfig,const std::string & iface,bool secure,bool excludeLocalRoutes)4103 void verifyVpnUidRules(std::vector<bool>&& expectedResults, NativeUidRangeConfig& uidRangeConfig,
4104 const std::string& iface, bool secure, bool excludeLocalRoutes) {
4105 ASSERT_EQ(expectedResults.size(), uidRangeConfig.uidRanges.size());
4106 std::string action = StringPrintf("lookup %s", iface.c_str());
4107
4108 int32_t priority;
4109 if (secure) {
4110 priority = RULE_PRIORITY_SECURE_VPN;
4111 } else {
4112 // Set to no local exclusion here to reflect the default value of local exclusion.
4113 priority = excludeLocalRoutes ? RULE_PRIORITY_BYPASSABLE_VPN_LOCAL_EXCLUSION
4114 : RULE_PRIORITY_BYPASSABLE_VPN_NO_LOCAL_EXCLUSION;
4115 }
4116 for (unsigned long i = 0; i < uidRangeConfig.uidRanges.size(); i++) {
4117 EXPECT_EQ(expectedResults[i], ipRuleExistsForRange(priority + uidRangeConfig.subPriority,
4118 uidRangeConfig.uidRanges[i], action));
4119 EXPECT_EQ(expectedResults[i],
4120 ipRuleExistsForRange(RULE_PRIORITY_EXPLICIT_NETWORK + uidRangeConfig.subPriority,
4121 uidRangeConfig.uidRanges[i], action));
4122 EXPECT_EQ(expectedResults[i],
4123 ipRuleExistsForRange(RULE_PRIORITY_OUTPUT_INTERFACE + uidRangeConfig.subPriority,
4124 uidRangeConfig.uidRanges[i], action, iface.c_str()));
4125 }
4126 }
4127
4128 constexpr int SUB_PRIORITY_1 = UidRanges::SUB_PRIORITY_HIGHEST + 1;
4129 constexpr int SUB_PRIORITY_2 = UidRanges::SUB_PRIORITY_HIGHEST + 2;
4130
4131 constexpr int IMPLICITLY_SELECT = 0;
4132 constexpr int EXPLICITLY_SELECT = 1;
4133 constexpr int UNCONNECTED_SOCKET = 2;
4134
4135 // 1. Send data with the specified UID, on a connected or unconnected socket.
4136 // 2. Verify if data is received from the specified fd. The fd should belong to a TUN, which has
4137 // been assigned to the test network.
4138 // 3. Verify if fwmark of data is correct.
4139 // Note: This is a helper function used by per-app default network tests. It does not implement full
4140 // fwmark logic in netd, and it's currently sufficient. Extension may be required for more
4141 // complicated tests.
expectPacketSentOnNetId(uid_t uid,unsigned netId,int fd,int selectionMode)4142 void expectPacketSentOnNetId(uid_t uid, unsigned netId, int fd, int selectionMode) {
4143 Fwmark fwmark;
4144 const bool doConnect = (selectionMode != UNCONNECTED_SOCKET);
4145 EXPECT_TRUE(sendIPv6PacketFromUid(uid, V6_ADDR, &fwmark, fd, doConnect));
4146
4147 Fwmark expected;
4148 expected.netId = netId;
4149 expected.explicitlySelected = (selectionMode == EXPLICITLY_SELECT);
4150 if (uid == AID_ROOT && selectionMode == EXPLICITLY_SELECT) {
4151 expected.protectedFromVpn = true;
4152 } else {
4153 expected.protectedFromVpn = false;
4154 }
4155 if (selectionMode == UNCONNECTED_SOCKET) {
4156 expected.permission = PERMISSION_NONE;
4157 } else {
4158 expected.permission = (uid == AID_ROOT) ? PERMISSION_SYSTEM : PERMISSION_NONE;
4159 }
4160
4161 EXPECT_EQ(expected.intValue, fwmark.intValue);
4162 }
4163
expectUnreachableError(uid_t uid,unsigned netId,int selectionMode)4164 void expectUnreachableError(uid_t uid, unsigned netId, int selectionMode) {
4165 Fwmark fwmark;
4166 const bool doConnect = (selectionMode != UNCONNECTED_SOCKET);
4167 EXPECT_TRUE(sendIPv6PacketFromUidFail(uid, V6_ADDR, &fwmark, doConnect, ENETUNREACH));
4168
4169 Fwmark expected;
4170 expected.netId = netId;
4171 expected.explicitlySelected = (selectionMode == EXPLICITLY_SELECT);
4172 if (uid == AID_ROOT && selectionMode == EXPLICITLY_SELECT) {
4173 expected.protectedFromVpn = true;
4174 } else {
4175 expected.protectedFromVpn = false;
4176 }
4177 if (selectionMode == UNCONNECTED_SOCKET) {
4178 expected.permission = PERMISSION_NONE;
4179 } else {
4180 expected.permission = (uid == AID_ROOT) ? PERMISSION_SYSTEM : PERMISSION_NONE;
4181 }
4182
4183 EXPECT_EQ(expected.intValue, fwmark.intValue);
4184 }
4185
4186 } // namespace
4187
4188 // Verify how the API handle overlapped UID ranges
TEST_F(NetdBinderTest,PerAppDefaultNetwork_OverlappedUidRanges)4189 TEST_F(NetdBinderTest, PerAppDefaultNetwork_OverlappedUidRanges) {
4190 const auto& config = makeNativeNetworkConfig(APP_DEFAULT_NETID, NativeNetworkType::PHYSICAL,
4191 INetd::PERMISSION_NONE, false, false);
4192 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4193 EXPECT_TRUE(mNetd->networkAddInterface(APP_DEFAULT_NETID, sTun.name()).isOk());
4194
4195 std::vector<UidRangeParcel> uidRanges = {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1),
4196 makeUidRangeParcel(BASE_UID + 10, BASE_UID + 12)};
4197 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID, uidRanges).isOk());
4198
4199 binder::Status status;
4200 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4201 {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1)});
4202 EXPECT_TRUE(status.isOk());
4203
4204 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4205 {makeUidRangeParcel(BASE_UID + 9, BASE_UID + 10)});
4206 EXPECT_TRUE(status.isOk());
4207
4208 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4209 {makeUidRangeParcel(BASE_UID + 11, BASE_UID + 11)});
4210 EXPECT_TRUE(status.isOk());
4211
4212 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4213 {makeUidRangeParcel(BASE_UID + 12, BASE_UID + 13)});
4214 EXPECT_TRUE(status.isOk());
4215
4216 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4217 {makeUidRangeParcel(BASE_UID + 9, BASE_UID + 13)});
4218 EXPECT_TRUE(status.isOk());
4219
4220 std::vector<UidRangeParcel> selfOverlappedUidRanges = {
4221 makeUidRangeParcel(BASE_UID + 20, BASE_UID + 20),
4222 makeUidRangeParcel(BASE_UID + 20, BASE_UID + 21)};
4223 status = mNetd->networkAddUidRanges(APP_DEFAULT_NETID, selfOverlappedUidRanges);
4224 EXPECT_FALSE(status.isOk());
4225 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4226 }
4227
4228 // Verify whether IP rules for app default network are correctly configured.
TEST_F(NetdBinderTest,PerAppDefaultNetwork_VerifyIpRules)4229 TEST_F(NetdBinderTest, PerAppDefaultNetwork_VerifyIpRules) {
4230 const auto& config = makeNativeNetworkConfig(APP_DEFAULT_NETID, NativeNetworkType::PHYSICAL,
4231 INetd::PERMISSION_NONE, false, false);
4232 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4233 EXPECT_TRUE(mNetd->networkAddInterface(APP_DEFAULT_NETID, sTun.name()).isOk());
4234
4235 std::vector<UidRangeParcel> uidRanges = {makeUidRangeParcel(BASE_UID + 8005, BASE_UID + 8012),
4236 makeUidRangeParcel(BASE_UID + 8090, BASE_UID + 8099)};
4237
4238 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID, uidRanges).isOk());
4239 verifyAppUidRules({true, true} /*expectedResults*/, uidRanges, sTun.name(),
4240 UidRanges::SUB_PRIORITY_HIGHEST);
4241 EXPECT_TRUE(mNetd->networkRemoveUidRanges(APP_DEFAULT_NETID, {uidRanges.at(0)}).isOk());
4242 verifyAppUidRules({false, true} /*expectedResults*/, uidRanges, sTun.name(),
4243 UidRanges::SUB_PRIORITY_HIGHEST);
4244 EXPECT_TRUE(mNetd->networkRemoveUidRanges(APP_DEFAULT_NETID, {uidRanges.at(1)}).isOk());
4245 verifyAppUidRules({false, false} /*expectedResults*/, uidRanges, sTun.name(),
4246 UidRanges::SUB_PRIORITY_HIGHEST);
4247
4248 EXPECT_TRUE(mNetd->networkAddUidRanges(INetd::UNREACHABLE_NET_ID, uidRanges).isOk());
4249 verifyAppUidRules({true, true} /*expectedResults*/, uidRanges, "",
4250 UidRanges::SUB_PRIORITY_HIGHEST);
4251 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID, {uidRanges.at(0)}).isOk());
4252 verifyAppUidRules({false, true} /*expectedResults*/, uidRanges, "",
4253 UidRanges::SUB_PRIORITY_HIGHEST);
4254 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID, {uidRanges.at(1)}).isOk());
4255 verifyAppUidRules({false, false} /*expectedResults*/, uidRanges, "",
4256 UidRanges::SUB_PRIORITY_HIGHEST);
4257 }
4258
4259 // Verify whether packets go through the right network with and without per-app default network.
4260 // Meaning of Fwmark bits (from Fwmark.h):
4261 // 0x0000ffff - Network ID
4262 // 0x00010000 - Explicit mark bit
4263 // 0x00020000 - VPN protect bit
4264 // 0x000c0000 - Permission bits
TEST_F(NetdBinderTest,PerAppDefaultNetwork_ImplicitlySelectNetwork)4265 TEST_F(NetdBinderTest, PerAppDefaultNetwork_ImplicitlySelectNetwork) {
4266 createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID);
4267
4268 int systemDefaultFd = sTun.getFdForTesting();
4269 int appDefaultFd = sTun2.getFdForTesting();
4270
4271 // Connections go through the system default network.
4272 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4273 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4274
4275 // Add TEST_UID1 to per-app default network.
4276 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4277 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4278 .isOk());
4279 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4280 expectPacketSentOnNetId(TEST_UID1, APP_DEFAULT_NETID, appDefaultFd, IMPLICITLY_SELECT);
4281
4282 // Remove TEST_UID1 from per-app default network.
4283 EXPECT_TRUE(mNetd->networkRemoveUidRanges(APP_DEFAULT_NETID,
4284 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4285 .isOk());
4286 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4287 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4288
4289 // Prohibit TEST_UID1 from using the default network.
4290 EXPECT_TRUE(mNetd->networkAddUidRanges(INetd::UNREACHABLE_NET_ID,
4291 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4292 .isOk());
4293 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4294 expectUnreachableError(TEST_UID1, INetd::UNREACHABLE_NET_ID, IMPLICITLY_SELECT);
4295
4296 // restore IP rules
4297 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID,
4298 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4299 .isOk());
4300 }
4301
4302 // Verify whether packets go through the right network when app explicitly selects a network.
TEST_F(NetdBinderTest,PerAppDefaultNetwork_ExplicitlySelectNetwork)4303 TEST_F(NetdBinderTest, PerAppDefaultNetwork_ExplicitlySelectNetwork) {
4304 createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID);
4305
4306 int systemDefaultFd = sTun.getFdForTesting();
4307 int appDefaultFd = sTun2.getFdForTesting();
4308
4309 // Explicitly select the system default network.
4310 setNetworkForProcess(SYSTEM_DEFAULT_NETID);
4311 // Connections go through the system default network.
4312 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4313 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4314
4315 // Set TEST_UID1 to default unreachable, which won't affect the explicitly selected network.
4316 // Connections go through the system default network.
4317 EXPECT_TRUE(mNetd->networkAddUidRanges(INetd::UNREACHABLE_NET_ID,
4318 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4319 .isOk());
4320 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4321 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4322
4323 // restore IP rules
4324 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID,
4325 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4326 .isOk());
4327
4328 // Add TEST_UID1 to per-app default network, which won't affect the explicitly selected network.
4329 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4330 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4331 .isOk());
4332 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4333 expectPacketSentOnNetId(TEST_UID1, SYSTEM_DEFAULT_NETID, systemDefaultFd, EXPLICITLY_SELECT);
4334
4335 // Explicitly select the per-app default network.
4336 setNetworkForProcess(APP_DEFAULT_NETID);
4337 // Connections go through the per-app default network.
4338 expectPacketSentOnNetId(AID_ROOT, APP_DEFAULT_NETID, appDefaultFd, EXPLICITLY_SELECT);
4339 expectPacketSentOnNetId(TEST_UID1, APP_DEFAULT_NETID, appDefaultFd, EXPLICITLY_SELECT);
4340 }
4341
4342 // Verify whether packets go through the right network if app does not implicitly or explicitly
4343 // select any network.
TEST_F(NetdBinderTest,PerAppDefaultNetwork_UnconnectedSocket)4344 TEST_F(NetdBinderTest, PerAppDefaultNetwork_UnconnectedSocket) {
4345 createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID);
4346
4347 int systemDefaultFd = sTun.getFdForTesting();
4348 int appDefaultFd = sTun2.getFdForTesting();
4349
4350 // Connections go through the system default network.
4351 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4352 expectPacketSentOnNetId(TEST_UID1, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4353
4354 // Add TEST_UID1 to per-app default network. Traffic should go through the per-app default
4355 // network if UID is in range. Otherwise, go through the system default network.
4356 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4357 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4358 .isOk());
4359 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4360 expectPacketSentOnNetId(TEST_UID1, NETID_UNSET, appDefaultFd, UNCONNECTED_SOCKET);
4361
4362 // Set TEST_UID1's default network to unreachable. Its traffic should still go through the
4363 // per-app default network. Other traffic go through the system default network.
4364 // PS: per-app default network take precedence over unreachable network. This should happens
4365 // only in the transition period when both rules are briefly set.
4366 EXPECT_TRUE(mNetd->networkAddUidRanges(INetd::UNREACHABLE_NET_ID,
4367 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4368 .isOk());
4369 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4370 expectPacketSentOnNetId(TEST_UID1, NETID_UNSET, appDefaultFd, UNCONNECTED_SOCKET);
4371
4372 // Remove TEST_UID1's default network from OEM-paid network. Its traffic should get ENETUNREACH
4373 // error. Other traffic still go through the system default network.
4374 EXPECT_TRUE(mNetd->networkRemoveUidRanges(APP_DEFAULT_NETID,
4375 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4376 .isOk());
4377 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4378 expectUnreachableError(TEST_UID1, NETID_UNSET, UNCONNECTED_SOCKET);
4379
4380 // restore IP rules
4381 EXPECT_TRUE(mNetd->networkRemoveUidRanges(INetd::UNREACHABLE_NET_ID,
4382 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4383 .isOk());
4384 }
4385
TEST_F(NetdBinderTest,PerAppDefaultNetwork_PermissionCheck)4386 TEST_F(NetdBinderTest, PerAppDefaultNetwork_PermissionCheck) {
4387 createPhysicalNetwork(APP_DEFAULT_NETID, sTun2.name(), INetd::PERMISSION_SYSTEM);
4388
4389 { // uid is not in app range. Can not set network for process.
4390 ScopedUidChange scopedUidChange(TEST_UID1);
4391 EXPECT_EQ(-EACCES, setNetworkForProcess(APP_DEFAULT_NETID));
4392 }
4393
4394 EXPECT_TRUE(mNetd->networkAddUidRanges(APP_DEFAULT_NETID,
4395 {makeUidRangeParcel(TEST_UID1, TEST_UID1)})
4396 .isOk());
4397
4398 { // uid is in app range. Can set network for process.
4399 ScopedUidChange scopedUidChange(TEST_UID1);
4400 EXPECT_EQ(0, setNetworkForProcess(APP_DEFAULT_NETID));
4401 }
4402 }
4403
4404 class VpnParameterizedTest : public NetdBinderTest, public testing::WithParamInterface<bool> {};
4405
4406 // Exercise secure and bypassable VPN.
4407 INSTANTIATE_TEST_SUITE_P(PerAppDefaultNetwork, VpnParameterizedTest, testing::Bool(),
__anon3f474b891f02(const testing::TestParamInfo<bool>& info) 4408 [](const testing::TestParamInfo<bool>& info) {
4409 return info.param ? "SecureVPN" : "BypassableVPN";
4410 });
4411
4412 // Verify per-app default network + VPN.
TEST_P(VpnParameterizedTest,ImplicitlySelectNetwork)4413 TEST_P(VpnParameterizedTest, ImplicitlySelectNetwork) {
4414 const bool isSecureVPN = GetParam();
4415 createVpnAndAppDefaultNetworkWithUid(
4416 SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID, isSecureVPN,
4417 {makeUidRangeParcel(TEST_UID2, TEST_UID1)} /* app range */,
4418 {makeUidRangeParcel(TEST_UID3, TEST_UID2)} /* VPN range */);
4419
4420 int systemDefaultFd = sTun.getFdForTesting();
4421 int appDefaultFd = sTun2.getFdForTesting();
4422 int vpnFd = sTun3.getFdForTesting();
4423
4424 // uid is neither in app range, nor in VPN range. Traffic goes through system default network.
4425 expectPacketSentOnNetId(AID_ROOT, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
4426 // uid is in VPN range, not in app range. Traffic goes through VPN.
4427 expectPacketSentOnNetId(TEST_UID3, (isSecureVPN ? SYSTEM_DEFAULT_NETID : VPN_NETID), vpnFd,
4428 IMPLICITLY_SELECT);
4429 // uid is in app range, not in VPN range. Traffic goes through per-app default network.
4430 expectPacketSentOnNetId(TEST_UID1, APP_DEFAULT_NETID, appDefaultFd, IMPLICITLY_SELECT);
4431 // uid is in both app and VPN range. Traffic goes through VPN.
4432 expectPacketSentOnNetId(TEST_UID2, (isSecureVPN ? APP_DEFAULT_NETID : VPN_NETID), vpnFd,
4433 IMPLICITLY_SELECT);
4434 }
4435
4436 class VpnAndSelectNetworkParameterizedTest
4437 : public NetdBinderTest,
4438 public testing::WithParamInterface<std::tuple<bool, int>> {};
4439
4440 // Exercise the combination of different VPN types and different user selected networks. e.g.
4441 // secure VPN + select on system default network
4442 // secure VPN + select on app default network
4443 // secure VPN + select on VPN
4444 // bypassable VPN + select on system default network
4445 // ...
4446 INSTANTIATE_TEST_SUITE_P(PerAppDefaultNetwork, VpnAndSelectNetworkParameterizedTest,
4447 testing::Combine(testing::Bool(),
4448 testing::Values(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID,
4449 VPN_NETID)),
__anon3f474b892002(const testing::TestParamInfo<std::tuple<bool, int>>& info) 4450 [](const testing::TestParamInfo<std::tuple<bool, int>>& info) {
4451 const std::string vpnType = std::get<0>(info.param)
4452 ? std::string("SecureVPN")
4453 : std::string("BypassableVPN");
4454 std::string selectedNetwork;
4455 switch (std::get<1>(info.param)) {
4456 case SYSTEM_DEFAULT_NETID:
4457 selectedNetwork = "SystemDefaultNetwork";
4458 break;
4459 case APP_DEFAULT_NETID:
4460 selectedNetwork = "AppDefaultNetwork";
4461 break;
4462 case VPN_NETID:
4463 selectedNetwork = "VPN";
4464 break;
4465 default:
4466 selectedNetwork = "InvalidParameter"; // Should not happen.
4467 }
4468 return vpnType + "_select" + selectedNetwork;
4469 });
4470
TEST_P(VpnAndSelectNetworkParameterizedTest,ExplicitlySelectNetwork)4471 TEST_P(VpnAndSelectNetworkParameterizedTest, ExplicitlySelectNetwork) {
4472 bool isSecureVPN;
4473 int selectedNetId;
4474 std::tie(isSecureVPN, selectedNetId) = GetParam();
4475 createVpnAndAppDefaultNetworkWithUid(
4476 SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID, isSecureVPN,
4477 {makeUidRangeParcel(TEST_UID2, TEST_UID1)} /* app range */,
4478 {makeUidRangeParcel(TEST_UID3, TEST_UID2)} /* VPN range */);
4479
4480 int expectedFd = -1;
4481 switch (selectedNetId) {
4482 case SYSTEM_DEFAULT_NETID:
4483 expectedFd = sTun.getFdForTesting();
4484 break;
4485 case APP_DEFAULT_NETID:
4486 expectedFd = sTun2.getFdForTesting();
4487 break;
4488 case VPN_NETID:
4489 expectedFd = sTun3.getFdForTesting();
4490 break;
4491 default:
4492 GTEST_LOG_(ERROR) << "unexpected netId:" << selectedNetId; // Should not happen.
4493 }
4494
4495 // In all following permutations, Traffic should go through the specified network if a process
4496 // can select network for itself. The fwmark should contain process UID and the explicit select
4497 // bit.
4498 { // uid is neither in app range, nor in VPN range. Permission bits, protect bit, and explicit
4499 // select bit are all set because of AID_ROOT.
4500 ScopedUidChange scopedUidChange(AID_ROOT);
4501 EXPECT_EQ(0, setNetworkForProcess(selectedNetId));
4502 expectPacketSentOnNetId(AID_ROOT, selectedNetId, expectedFd, EXPLICITLY_SELECT);
4503 }
4504 { // uid is in VPN range, not in app range.
4505 ScopedUidChange scopedUidChange(TEST_UID3);
4506 // Cannot select non-VPN networks when uid is subject to secure VPN.
4507 if (isSecureVPN && selectedNetId != VPN_NETID) {
4508 EXPECT_EQ(-EPERM, setNetworkForProcess(selectedNetId));
4509 } else {
4510 EXPECT_EQ(0, setNetworkForProcess(selectedNetId));
4511 expectPacketSentOnNetId(TEST_UID3, selectedNetId, expectedFd, EXPLICITLY_SELECT);
4512 }
4513 }
4514 { // uid is in app range, not in VPN range.
4515 ScopedUidChange scopedUidChange(TEST_UID1);
4516 // Cannot select the VPN because the VPN does not applies to the UID.
4517 if (selectedNetId == VPN_NETID) {
4518 EXPECT_EQ(-EPERM, setNetworkForProcess(selectedNetId));
4519 } else {
4520 EXPECT_EQ(0, setNetworkForProcess(selectedNetId));
4521 expectPacketSentOnNetId(TEST_UID1, selectedNetId, expectedFd, EXPLICITLY_SELECT);
4522 }
4523 }
4524 { // uid is in both app range and VPN range.
4525 ScopedUidChange scopedUidChange(TEST_UID2);
4526 // Cannot select non-VPN networks when uid is subject to secure VPN.
4527 if (isSecureVPN && selectedNetId != VPN_NETID) {
4528 EXPECT_EQ(-EPERM, setNetworkForProcess(selectedNetId));
4529 } else {
4530 EXPECT_EQ(0, setNetworkForProcess(selectedNetId));
4531 expectPacketSentOnNetId(TEST_UID2, selectedNetId, expectedFd, EXPLICITLY_SELECT);
4532 }
4533 }
4534 }
4535
TEST_P(VpnParameterizedTest,UnconnectedSocket)4536 TEST_P(VpnParameterizedTest, UnconnectedSocket) {
4537 const bool isSecureVPN = GetParam();
4538 createVpnAndAppDefaultNetworkWithUid(
4539 SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID, isSecureVPN,
4540 {makeUidRangeParcel(TEST_UID2, TEST_UID1)} /* app range */,
4541 {makeUidRangeParcel(TEST_UID3, TEST_UID2)} /* VPN range */);
4542
4543 int systemDefaultFd = sTun.getFdForTesting();
4544 int appDefaultFd = sTun2.getFdForTesting();
4545 int vpnFd = sTun3.getFdForTesting();
4546
4547 // uid is neither in app range, nor in VPN range. Traffic goes through system default network.
4548 expectPacketSentOnNetId(AID_ROOT, NETID_UNSET, systemDefaultFd, UNCONNECTED_SOCKET);
4549 // uid is in VPN range, not in app range. Traffic goes through VPN.
4550 expectPacketSentOnNetId(TEST_UID3, NETID_UNSET, vpnFd, UNCONNECTED_SOCKET);
4551 // uid is in app range, not in VPN range. Traffic goes through per-app default network.
4552 expectPacketSentOnNetId(TEST_UID1, NETID_UNSET, appDefaultFd, UNCONNECTED_SOCKET);
4553 // uid is in both app and VPN range. Traffic goes through VPN.
4554 expectPacketSentOnNetId(TEST_UID2, NETID_UNSET, vpnFd, UNCONNECTED_SOCKET);
4555 }
4556
4557 class VpnLocalRoutesParameterizedTest
4558 : public NetdBinderTest,
4559 public testing::WithParamInterface<std::tuple<int, int, bool, bool, bool, bool>> {
4560 protected:
4561 // Local/non-local addresses based on the route added in
4562 // setupNetworkRoutesForVpnAndDefaultNetworks.
4563 in_addr V4_LOCAL_ADDR = {htonl(0xC0A80008)}; // 192.168.0.8
4564 in_addr V4_APP_LOCAL_ADDR = {htonl(0xAC100008)}; // 172.16.0.8
4565 in_addr V4_GLOBAL_ADDR = {htonl(0x08080808)}; // 8.8.8.8
4566
4567 in6_addr V6_LOCAL_ADDR = {
4568 {// 2001:db8:cafe::1
4569 .u6_addr8 = {0x20, 0x01, 0x0d, 0xb8, 0xca, 0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}}};
4570 in6_addr V6_APP_LOCAL_ADDR = {
4571 {// 2607:f0d0:1234::4
4572 .u6_addr8 = {0x26, 0x07, 0xf0, 0xd0, 0x12, 0x34, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4}}};
4573 in6_addr V6_GLOBAL_ADDR = {
4574 {// 2607:1234:1002::4
4575 .u6_addr8 = {0x26, 0x07, 0x12, 0x34, 0x10, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4}}};
4576 };
4577
4578 const int SEND_TO_GLOBAL = 0;
4579 const int SEND_TO_SYSTEM_DEFAULT_LOCAL = 1;
4580 const int SEND_TO_PER_APP_DEFAULT_LOCAL = 2;
4581
4582 // Exercise the combination of different explicitly selected network, different uid, local/non-local
4583 // address on local route exclusion VPN. E.g.
4584 // explicitlySelected systemDefault + uid in VPN range + no app default + non local address
4585 // explicitlySelected systemDefault + uid in VPN range + has app default + non local address
4586 // explicitlySelected systemDefault + uid in VPN range + has app default + local address
4587 // explicitlySelected appDefault + uid not in VPN range + has app default + non local address
4588 INSTANTIATE_TEST_SUITE_P(
4589 PerAppDefaultNetwork, VpnLocalRoutesParameterizedTest,
4590 testing::Combine(testing::Values(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, NETID_UNSET),
4591 testing::Values(SEND_TO_GLOBAL, SEND_TO_SYSTEM_DEFAULT_LOCAL,
4592 SEND_TO_PER_APP_DEFAULT_LOCAL),
4593 testing::Bool(), testing::Bool(), testing::Bool(), testing::Bool()),
__anon3f474b892102(const testing::TestParamInfo<std::tuple<int, int, bool, bool, bool, bool>>& info) 4594 [](const testing::TestParamInfo<std::tuple<int, int, bool, bool, bool, bool>>& info) {
4595 std::string explicitlySelected;
4596 switch (std::get<0>(info.param)) {
4597 case SYSTEM_DEFAULT_NETID:
4598 explicitlySelected = "explicitlySelectedSystemDefault";
4599 break;
4600 case APP_DEFAULT_NETID:
4601 explicitlySelected = "explicitlySelectedAppDefault";
4602 break;
4603 case NETID_UNSET:
4604 explicitlySelected = "implicitlySelected";
4605 break;
4606 default:
4607 explicitlySelected = "InvalidParameter"; // Should not happen.
4608 }
4609
4610 std::string sendToAddr;
4611 switch (std::get<1>(info.param)) {
4612 case SEND_TO_GLOBAL:
4613 sendToAddr = "GlobalAddr";
4614 break;
4615 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4616 sendToAddr = "SystemLocal";
4617 break;
4618 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4619 sendToAddr = "AppLocal";
4620 break;
4621 default:
4622 sendToAddr = "InvalidAddr"; // Should not happen.
4623 }
4624
4625 const std::string isSubjectToVpn = std::get<2>(info.param)
4626 ? std::string("SubjectToVpn")
4627 : std::string("NotSubjectToVpn");
4628
4629 const std::string hasAppDefaultNetwork = std::get<3>(info.param)
4630 ? std::string("HasAppDefault")
4631 : std::string("NothasAppDefault");
4632
4633 const std::string testV6 =
4634 std::get<4>(info.param) ? std::string("v6") : std::string("v4");
4635
4636 // Apply the same or different local address in app default and system default.
4637 const std::string differentLocalRoutes = std::get<5>(info.param)
4638 ? std::string("DifferentLocalRoutes")
4639 : std::string("SameLocalAddr");
4640
4641 return explicitlySelected + "_uid" + isSubjectToVpn + hasAppDefaultNetwork +
4642 "Range_with" + testV6 + sendToAddr + differentLocalRoutes;
4643 });
4644
getTargetIfaceForLocalRoutesExclusion(bool isSubjectToVpn,bool hasAppDefaultNetwork,bool differentLocalRoutes,int sendToAddr,int selectedNetId,int fallthroughFd,int appDefaultFd,int vpnFd)4645 int getTargetIfaceForLocalRoutesExclusion(bool isSubjectToVpn, bool hasAppDefaultNetwork,
4646 bool differentLocalRoutes, int sendToAddr,
4647 int selectedNetId, int fallthroughFd, int appDefaultFd,
4648 int vpnFd) {
4649 int expectedIface;
4650
4651 // Setup the expected interface based on the condition.
4652 if (isSubjectToVpn && hasAppDefaultNetwork) {
4653 switch (sendToAddr) {
4654 case SEND_TO_GLOBAL:
4655 expectedIface = vpnFd;
4656 break;
4657 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4658 // Go to app default if the app default and system default are the same range
4659 // TODO(b/237351736): It should go to VPN if the system local and app local are
4660 // different.
4661 expectedIface = differentLocalRoutes ? fallthroughFd : appDefaultFd;
4662 break;
4663 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4664 expectedIface = appDefaultFd;
4665 break;
4666 default:
4667 expectedIface = -1; // should not happen
4668 }
4669 } else if (isSubjectToVpn && !hasAppDefaultNetwork) {
4670 switch (sendToAddr) {
4671 case SEND_TO_GLOBAL:
4672 expectedIface = vpnFd;
4673 break;
4674 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4675 // TODO(b/237351736): It should go to app default if the system local and app local
4676 // are different.
4677 expectedIface = fallthroughFd;
4678 break;
4679 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4680 // Go to system default if the system default and app default are the same range.
4681 expectedIface = differentLocalRoutes ? vpnFd : fallthroughFd;
4682 break;
4683 default:
4684 expectedIface = -1; // should not happen
4685 }
4686 } else if (!isSubjectToVpn && hasAppDefaultNetwork) {
4687 expectedIface = appDefaultFd;
4688 } else { // !isSubjectToVpn && !hasAppDefaultNetwork
4689 expectedIface = fallthroughFd;
4690 }
4691
4692 // Override the target if it's explicitly selected.
4693 switch (selectedNetId) {
4694 case SYSTEM_DEFAULT_NETID:
4695 expectedIface = fallthroughFd;
4696 break;
4697 case APP_DEFAULT_NETID:
4698 expectedIface = appDefaultFd;
4699 break;
4700 default:
4701 break;
4702 // Based on the uid range.
4703 }
4704
4705 return expectedIface;
4706 }
4707
4708 // Routes configured on the system default network and on the VPN.
4709 // This allows the test to verify the worst case where the physical network and the VPN configure
4710 // the same routes. This ensures that routing is determined by the IP rules and doesn't just happen
4711 // to work because the routes don't overlap. If differentLocalRoutes is false, these routes are also
4712 // configured on the per-app default network.
4713 // For both IPv4 and IPv6, the first route is local, the second is not.
4714 std::vector<std::string> SYSTEM_DEFAULT_ROUTES = {"192.168.0.0/16", "0.0.0.0/0",
4715 "2001:db8:cafe::/48", "::/0"};
4716 // Routes configured on the per-app default network if differentLocalRoutes is true.
4717 // For both IPv4 and IPv6, the first route is local, the second is not.
4718 std::vector<std::string> APP_DEFAULT_ROUTES = {"172.16.0.0/16", "0.0.0.0/0", "2607:f0d0:1234::/48",
4719 "::/0"};
setupNetworkRoutesForVpnAndDefaultNetworks(int systemDefaultNetId,int appDefaultNetId,int vpnNetId,int otherNetId,bool secure,bool testV6,bool differentLocalRoutes,std::vector<UidRangeParcel> && appDefaultUidRanges,std::vector<UidRangeParcel> && vpnUidRanges)4720 void NetdBinderTest::setupNetworkRoutesForVpnAndDefaultNetworks(
4721 int systemDefaultNetId, int appDefaultNetId, int vpnNetId, int otherNetId, bool secure,
4722 bool testV6, bool differentLocalRoutes, std::vector<UidRangeParcel>&& appDefaultUidRanges,
4723 std::vector<UidRangeParcel>&& vpnUidRanges) {
4724 // Create a physical network on sTun, and set it as the system default network
4725 createAndSetDefaultNetwork(systemDefaultNetId, sTun.name());
4726
4727 // Routes are configured to system default, app default and vpn network to verify if the packets
4728 // are routed correctly.
4729
4730 // Setup system default routing.
4731 for (const auto& route : SYSTEM_DEFAULT_ROUTES) {
4732 EXPECT_TRUE(mNetd->networkAddRoute(systemDefaultNetId, sTun.name(), route, "").isOk());
4733 }
4734
4735 // Create another physical network on sTun2 as per app default network
4736 createPhysicalNetwork(appDefaultNetId, sTun2.name());
4737
4738 // Setup app default routing.
4739 std::vector<std::string> appDefaultRoutes =
4740 (differentLocalRoutes ? APP_DEFAULT_ROUTES : SYSTEM_DEFAULT_ROUTES);
4741 for (const auto& route : appDefaultRoutes) {
4742 EXPECT_TRUE(mNetd->networkAddRoute(appDefaultNetId, sTun2.name(), route, "").isOk());
4743 }
4744
4745 // Create a bypassable VPN on sTun3.
4746 auto config = makeNativeNetworkConfig(vpnNetId, NativeNetworkType::VIRTUAL,
4747 INetd::PERMISSION_NONE, secure, true);
4748 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4749 EXPECT_TRUE(mNetd->networkAddInterface(vpnNetId, sTun3.name()).isOk());
4750
4751 // Setup vpn routing.
4752 for (const auto& route : SYSTEM_DEFAULT_ROUTES) {
4753 EXPECT_TRUE(mNetd->networkAddRoute(vpnNetId, sTun3.name(), route, "").isOk());
4754 }
4755
4756 // Create another interface that is neither system default nor the app default to make sure
4757 // the traffic won't be mis-routed.
4758 createPhysicalNetwork(otherNetId, sTun4.name());
4759 EXPECT_TRUE(mNetd->networkAddRoute(otherNetId, sTun4.name(), testV6 ? "::/0" : "0.0.0.0/0", "")
4760 .isOk());
4761 // Add per-app uid ranges.
4762 EXPECT_TRUE(mNetd->networkAddUidRanges(appDefaultNetId, appDefaultUidRanges).isOk());
4763
4764 // Add VPN uid ranges.
4765 EXPECT_TRUE(mNetd->networkAddUidRanges(vpnNetId, vpnUidRanges).isOk());
4766 }
4767
4768 // Rules are in approximately the following order for bypassable VPNs that allow local network
4769 // access:
4770 // - Local routes to the per-app default network (UID guarded)
4771 // - Local routes to the system default network
4772 // - Both local and global routs to VPN network (UID guarded)
4773 // - Global routes to per-app default network(UID guarded)
4774 // - Global routes to system default network
TEST_P(VpnLocalRoutesParameterizedTest,localRoutesExclusion)4775 TEST_P(VpnLocalRoutesParameterizedTest, localRoutesExclusion) {
4776 int selectedNetId;
4777 int sendToAddr;
4778 bool isSubjectToVpn;
4779 bool hasAppDefaultNetwork;
4780 bool testV6;
4781 bool differentLocalRoutes;
4782
4783 std::tie(selectedNetId, sendToAddr, isSubjectToVpn, hasAppDefaultNetwork, testV6,
4784 differentLocalRoutes) = GetParam();
4785
4786 setupNetworkRoutesForVpnAndDefaultNetworks(
4787 SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID, TEST_NETID4, false /* secure */,
4788 testV6, differentLocalRoutes,
4789 // Setup uid ranges for app default and VPN. Configure TEST_UID2 into both app default
4790 // and VPN to verify the behavior when the uid exists in both network.
4791 {makeUidRangeParcel(TEST_UID2, TEST_UID1)}, {makeUidRangeParcel(TEST_UID3, TEST_UID2)});
4792
4793 int fallthroughFd = sTun.getFdForTesting();
4794 int appDefaultFd = sTun2.getFdForTesting();
4795 int vpnFd = sTun3.getFdForTesting();
4796
4797 // Explicitly select network
4798 setNetworkForProcess(selectedNetId);
4799
4800 int targetUid;
4801
4802 // Setup the expected testing uid
4803 if (isSubjectToVpn) {
4804 if (hasAppDefaultNetwork) {
4805 targetUid = TEST_UID2;
4806 } else {
4807 targetUid = TEST_UID3;
4808 }
4809 } else {
4810 if (hasAppDefaultNetwork) {
4811 targetUid = TEST_UID1;
4812 } else {
4813 targetUid = TEST_UID4; // Not in any of the UID ranges.
4814 }
4815 }
4816
4817 // Get expected interface for the traffic.
4818 int expectedIface = getTargetIfaceForLocalRoutesExclusion(
4819 isSubjectToVpn, hasAppDefaultNetwork, differentLocalRoutes, sendToAddr, selectedNetId,
4820 fallthroughFd, appDefaultFd, vpnFd);
4821
4822 // Verify the packets are sent to the expected interface.
4823 Fwmark fwmark;
4824 if (testV6) {
4825 in6_addr addr;
4826 switch (sendToAddr) {
4827 case SEND_TO_GLOBAL:
4828 addr = V6_GLOBAL_ADDR;
4829 break;
4830 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4831 addr = V6_LOCAL_ADDR;
4832 break;
4833 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4834 addr = differentLocalRoutes ? V6_APP_LOCAL_ADDR : V6_LOCAL_ADDR;
4835 break;
4836 default:
4837 break;
4838 // should not happen
4839 }
4840 EXPECT_TRUE(sendIPv6PacketFromUid(targetUid, addr, &fwmark, expectedIface));
4841 } else {
4842 in_addr addr;
4843 switch (sendToAddr) {
4844 case SEND_TO_GLOBAL:
4845 addr = V4_GLOBAL_ADDR;
4846 break;
4847 case SEND_TO_SYSTEM_DEFAULT_LOCAL:
4848 addr = V4_LOCAL_ADDR;
4849 break;
4850 case SEND_TO_PER_APP_DEFAULT_LOCAL:
4851 addr = differentLocalRoutes ? V4_APP_LOCAL_ADDR : V4_LOCAL_ADDR;
4852 break;
4853 default:
4854 break;
4855 // should not happen
4856 }
4857
4858 EXPECT_TRUE(sendIPv4PacketFromUid(targetUid, addr, &fwmark, expectedIface));
4859 }
4860 }
4861
TEST_F(NetdBinderTest,NetworkCreate)4862 TEST_F(NetdBinderTest, NetworkCreate) {
4863 auto config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL,
4864 INetd::PERMISSION_NONE, false, false);
4865 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4866 EXPECT_TRUE(mNetd->networkDestroy(config.netId).isOk());
4867
4868 config.networkType = NativeNetworkType::VIRTUAL;
4869 config.secure = true;
4870 config.vpnType = NativeVpnType::OEM;
4871 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4872
4873 // invalid network type
4874 auto wrongConfig = makeNativeNetworkConfig(TEST_NETID2, static_cast<NativeNetworkType>(-1),
4875 INetd::PERMISSION_NONE, false, false);
4876 EXPECT_EQ(EINVAL, mNetd->networkCreate(wrongConfig).serviceSpecificErrorCode());
4877
4878 // invalid VPN type
4879 wrongConfig.networkType = NativeNetworkType::VIRTUAL;
4880 wrongConfig.vpnType = static_cast<NativeVpnType>(-1);
4881 EXPECT_EQ(EINVAL, mNetd->networkCreate(wrongConfig).serviceSpecificErrorCode());
4882 }
4883
4884 // Verifies valid and invalid inputs on networkAddUidRangesParcel method.
TEST_F(NetdBinderTest,UidRangeSubPriority_ValidateInputs)4885 TEST_F(NetdBinderTest, UidRangeSubPriority_ValidateInputs) {
4886 createVpnAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_NETID, VPN_NETID,
4887 /*isSecureVPN=*/true);
4888 // Invalid priority -10 on a physical network.
4889 NativeUidRangeConfig uidRangeConfig =
4890 makeNativeUidRangeConfig(APP_DEFAULT_NETID, {makeUidRangeParcel(BASE_UID, BASE_UID)},
4891 UidRanges::SUB_PRIORITY_HIGHEST - 10);
4892 binder::Status status = mNetd->networkAddUidRangesParcel(uidRangeConfig);
4893 EXPECT_FALSE(status.isOk());
4894 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4895
4896 // Invalid priority 1000 on a physical network.
4897 uidRangeConfig.subPriority = UidRanges::SUB_PRIORITY_NO_DEFAULT + 1;
4898 status = mNetd->networkAddUidRangesParcel(uidRangeConfig);
4899 EXPECT_FALSE(status.isOk());
4900 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4901
4902 // Virtual networks support only default priority.
4903 uidRangeConfig.netId = VPN_NETID;
4904 uidRangeConfig.subPriority = SUB_PRIORITY_1;
4905 status = mNetd->networkAddUidRangesParcel(uidRangeConfig);
4906 EXPECT_FALSE(status.isOk());
4907 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4908
4909 // For a single network, identical UID ranges with different priorities are allowed.
4910 uidRangeConfig.netId = APP_DEFAULT_NETID;
4911 uidRangeConfig.subPriority = SUB_PRIORITY_1;
4912 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig).isOk());
4913 uidRangeConfig.subPriority = SUB_PRIORITY_2;
4914 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig).isOk());
4915
4916 // Overlapping ranges is invalid.
4917 uidRangeConfig.uidRanges = {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1),
4918 makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1)};
4919 status = mNetd->networkAddUidRangesParcel(uidRangeConfig);
4920 EXPECT_FALSE(status.isOk());
4921 EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode());
4922 }
4923
4924 // Examines whether IP rules for app default network with subsidiary priorities are correctly added
4925 // and removed.
TEST_F(NetdBinderTest,UidRangeSubPriority_VerifyPhysicalNwIpRules)4926 TEST_F(NetdBinderTest, UidRangeSubPriority_VerifyPhysicalNwIpRules) {
4927 createPhysicalNetwork(TEST_NETID1, sTun.name());
4928 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
4929 createPhysicalNetwork(TEST_NETID2, sTun2.name());
4930 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "::/0", "").isOk());
4931
4932 // Adds priority 1 setting
4933 NativeUidRangeConfig uidRangeConfig1 = makeNativeUidRangeConfig(
4934 TEST_NETID1, {makeUidRangeParcel(BASE_UID, BASE_UID)}, SUB_PRIORITY_1);
4935 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig1).isOk());
4936 verifyAppUidRules({true}, uidRangeConfig1, sTun.name());
4937 // Adds priority 2 setting
4938 NativeUidRangeConfig uidRangeConfig2 = makeNativeUidRangeConfig(
4939 TEST_NETID2, {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1)}, SUB_PRIORITY_2);
4940 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig2).isOk());
4941 verifyAppUidRules({true}, uidRangeConfig2, sTun2.name());
4942 // Adds another priority 2 setting
4943 NativeUidRangeConfig uidRangeConfig3 = makeNativeUidRangeConfig(
4944 INetd::UNREACHABLE_NET_ID, {makeUidRangeParcel(BASE_UID + 2, BASE_UID + 2)},
4945 SUB_PRIORITY_2);
4946 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig3).isOk());
4947 verifyAppUidRules({true}, uidRangeConfig3, "");
4948
4949 // Removes.
4950 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig1).isOk());
4951 verifyAppUidRules({false}, uidRangeConfig1, sTun.name());
4952 verifyAppUidRules({true}, uidRangeConfig2, sTun2.name());
4953 verifyAppUidRules({true}, uidRangeConfig3, "");
4954 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig2).isOk());
4955 verifyAppUidRules({false}, uidRangeConfig1, sTun.name());
4956 verifyAppUidRules({false}, uidRangeConfig2, sTun2.name());
4957 verifyAppUidRules({true}, uidRangeConfig3, "");
4958 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig3).isOk());
4959 verifyAppUidRules({false}, uidRangeConfig1, sTun.name());
4960 verifyAppUidRules({false}, uidRangeConfig2, sTun2.name());
4961 verifyAppUidRules({false}, uidRangeConfig3, "");
4962 }
4963
4964 // Verify uid range rules on virtual network.
TEST_P(VpnParameterizedTest,UidRangeSubPriority_VerifyVpnIpRules)4965 TEST_P(VpnParameterizedTest, UidRangeSubPriority_VerifyVpnIpRules) {
4966 const bool isSecureVPN = GetParam();
4967 constexpr int VPN_NETID2 = TEST_NETID2;
4968
4969 // Create 2 VPNs, using sTun and sTun2.
4970 auto config = makeNativeNetworkConfig(VPN_NETID, NativeNetworkType::VIRTUAL,
4971 INetd::PERMISSION_NONE, isSecureVPN, false);
4972 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4973 EXPECT_TRUE(mNetd->networkAddInterface(VPN_NETID, sTun.name()).isOk());
4974
4975 config = makeNativeNetworkConfig(VPN_NETID2, NativeNetworkType::VIRTUAL, INetd::PERMISSION_NONE,
4976 isSecureVPN, false);
4977 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
4978 EXPECT_TRUE(mNetd->networkAddInterface(VPN_NETID2, sTun2.name()).isOk());
4979
4980 // Assign uid ranges to different VPNs. Check if rules match.
4981 NativeUidRangeConfig uidRangeConfig1 = makeNativeUidRangeConfig(
4982 VPN_NETID, {makeUidRangeParcel(BASE_UID, BASE_UID)}, UidRanges::SUB_PRIORITY_HIGHEST);
4983 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig1).isOk());
4984 verifyVpnUidRules({true}, uidRangeConfig1, sTun.name(), isSecureVPN, false);
4985
4986 NativeUidRangeConfig uidRangeConfig2 =
4987 makeNativeUidRangeConfig(VPN_NETID2, {makeUidRangeParcel(BASE_UID + 1, BASE_UID + 1)},
4988 UidRanges::SUB_PRIORITY_HIGHEST);
4989 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig2).isOk());
4990 verifyVpnUidRules({true}, uidRangeConfig2, sTun2.name(), isSecureVPN, false);
4991
4992 // Remove uid configs one-by-one. Check if rules match.
4993 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig1).isOk());
4994 verifyVpnUidRules({false}, uidRangeConfig1, sTun.name(), isSecureVPN, false);
4995 verifyVpnUidRules({true}, uidRangeConfig2, sTun2.name(), isSecureVPN, false);
4996 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig2).isOk());
4997 verifyVpnUidRules({false}, uidRangeConfig1, sTun.name(), isSecureVPN, false);
4998 verifyVpnUidRules({false}, uidRangeConfig2, sTun2.name(), isSecureVPN, false);
4999 }
5000
5001 // Verify VPN ip rule on bypassable/secureVPN virtual network with local routes excluded
TEST_P(VpnParameterizedTest,VerifyVpnIpRules_excludeLocalRoutes)5002 TEST_P(VpnParameterizedTest, VerifyVpnIpRules_excludeLocalRoutes) {
5003 const bool isSecureVPN = GetParam();
5004 // Create VPN with local route excluded
5005 auto config = makeNativeNetworkConfig(VPN_NETID, NativeNetworkType::VIRTUAL,
5006 INetd::PERMISSION_NONE, isSecureVPN, true);
5007 EXPECT_TRUE(mNetd->networkCreate(config).isOk());
5008 EXPECT_TRUE(mNetd->networkAddInterface(VPN_NETID, sTun.name()).isOk());
5009
5010 // Assign uid ranges to VPN. Check if rules match.
5011 NativeUidRangeConfig uidRangeConfig1 = makeNativeUidRangeConfig(
5012 VPN_NETID, {makeUidRangeParcel(BASE_UID, BASE_UID)}, UidRanges::SUB_PRIORITY_HIGHEST);
5013 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig1).isOk());
5014 verifyVpnUidRules({true}, uidRangeConfig1, sTun.name(), isSecureVPN, true);
5015
5016 // Remove uid configs. Check if rules match.
5017 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig1).isOk());
5018 verifyVpnUidRules({false}, uidRangeConfig1, sTun.name(), isSecureVPN, true);
5019 }
5020
5021 // Verify if packets go through the right network when subsidiary priority and VPN works together.
5022 //
5023 // Test config:
5024 // +----------+------------------------+-------------------------------------------+
5025 // | Priority | UID | Assigned Network |
5026 // +----------+------------------------+-------------------------------------------+
5027 // | 0 | TEST_UID1 | VPN bypassable (VPN_NETID) |
5028 // +----------+------------------------+-------------------------------------------+
5029 // | 1 | TEST_UID1, TEST_UID2, | Physical Network 1 (APP_DEFAULT_1_NETID) |
5030 // | 1 | TEST_UID3 | Physical Network 2 (APP_DEFAULT_2_NETID) |
5031 // | 1 | TEST_UID5 | Unreachable Network (UNREACHABLE_NET_ID) |
5032 // +----------+------------------------+-------------------------------------------+
5033 // | 2 | TEST_UID3 | Physical Network 1 (APP_DEFAULT_1_NETID) |
5034 // | 2 | TEST_UID4, TEST_UID5 | Physical Network 2 (APP_DEFAULT_2_NETID) |
5035 // +----------+------------------------+-------------------------------------------+
5036 //
5037 // Expected results:
5038 // +-----------+------------------------+
5039 // | UID | Using Network |
5040 // +-----------+------------------------+
5041 // | TEST_UID1 | VPN |
5042 // | TEST_UID2 | Physical Network 1 |
5043 // | TEST_UID3 | Physical Network 2 |
5044 // | TEST_UID4 | Physical Network 2 |
5045 // | TEST_UID5 | Unreachable Network |
5046 // | TEST_UID6 | System Default Network |
5047 // +-----------+------------------------+
5048 //
5049 // SYSTEM_DEFAULT_NETID uses sTun.
5050 // APP_DEFAULT_1_NETID uses sTun2.
5051 // VPN_NETID uses sTun3.
5052 // APP_DEFAULT_2_NETID uses sTun4.
5053 //
TEST_F(NetdBinderTest,UidRangeSubPriority_ImplicitlySelectNetwork)5054 TEST_F(NetdBinderTest, UidRangeSubPriority_ImplicitlySelectNetwork) {
5055 constexpr int APP_DEFAULT_1_NETID = TEST_NETID2;
5056 constexpr int APP_DEFAULT_2_NETID = TEST_NETID4;
5057
5058 static const struct TestData {
5059 uint32_t subPriority;
5060 std::vector<UidRangeParcel> uidRanges;
5061 unsigned int netId;
5062 } kTestData[] = {
5063 {UidRanges::SUB_PRIORITY_HIGHEST, {makeUidRangeParcel(TEST_UID1)}, VPN_NETID},
5064 {SUB_PRIORITY_1,
5065 {makeUidRangeParcel(TEST_UID1), makeUidRangeParcel(TEST_UID2)},
5066 APP_DEFAULT_1_NETID},
5067 {SUB_PRIORITY_1, {makeUidRangeParcel(TEST_UID3)}, APP_DEFAULT_2_NETID},
5068 {SUB_PRIORITY_1, {makeUidRangeParcel(TEST_UID5)}, INetd::UNREACHABLE_NET_ID},
5069 {SUB_PRIORITY_2, {makeUidRangeParcel(TEST_UID3)}, APP_DEFAULT_1_NETID},
5070 {SUB_PRIORITY_2,
5071 {makeUidRangeParcel(TEST_UID4), makeUidRangeParcel(TEST_UID5)},
5072 APP_DEFAULT_2_NETID},
5073 };
5074
5075 // Creates 4 networks.
5076 createVpnAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, APP_DEFAULT_1_NETID, VPN_NETID,
5077 /*isSecureVPN=*/false);
5078 createPhysicalNetwork(APP_DEFAULT_2_NETID, sTun4.name());
5079 EXPECT_TRUE(mNetd->networkAddRoute(APP_DEFAULT_2_NETID, sTun4.name(), "::/0", "").isOk());
5080
5081 for (const auto& td : kTestData) {
5082 NativeUidRangeConfig uidRangeConfig =
5083 makeNativeUidRangeConfig(td.netId, td.uidRanges, td.subPriority);
5084 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(uidRangeConfig).isOk());
5085 }
5086
5087 int systemDefaultFd = sTun.getFdForTesting();
5088 int appDefault_1_Fd = sTun2.getFdForTesting();
5089 int vpnFd = sTun3.getFdForTesting();
5090 int appDefault_2_Fd = sTun4.getFdForTesting();
5091 // Verify routings.
5092 expectPacketSentOnNetId(TEST_UID1, VPN_NETID, vpnFd, IMPLICITLY_SELECT);
5093 expectPacketSentOnNetId(TEST_UID2, APP_DEFAULT_1_NETID, appDefault_1_Fd, IMPLICITLY_SELECT);
5094 expectPacketSentOnNetId(TEST_UID3, APP_DEFAULT_2_NETID, appDefault_2_Fd, IMPLICITLY_SELECT);
5095 expectPacketSentOnNetId(TEST_UID4, APP_DEFAULT_2_NETID, appDefault_2_Fd, IMPLICITLY_SELECT);
5096 expectUnreachableError(TEST_UID5, INetd::UNREACHABLE_NET_ID, IMPLICITLY_SELECT);
5097 expectPacketSentOnNetId(TEST_UID6, SYSTEM_DEFAULT_NETID, systemDefaultFd, IMPLICITLY_SELECT);
5098
5099 // Remove test rules from the unreachable network.
5100 for (const auto& td : kTestData) {
5101 if (td.netId == INetd::UNREACHABLE_NET_ID) {
5102 NativeUidRangeConfig uidRangeConfig =
5103 makeNativeUidRangeConfig(td.netId, td.uidRanges, td.subPriority);
5104 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(uidRangeConfig).isOk());
5105 }
5106 }
5107 }
5108
5109 class PerAppNetworkPermissionsTest : public NetdBinderTest {
5110 public:
bindSocketToNetwork(int sock,int netId,bool explicitlySelected)5111 int bindSocketToNetwork(int sock, int netId, bool explicitlySelected) {
5112 ScopedUidChange uidChange(AID_ROOT);
5113 Fwmark fwmark;
5114 fwmark.explicitlySelected = explicitlySelected;
5115 fwmark.netId = netId;
5116 return setsockopt(sock, SOL_SOCKET, SO_MARK, &(fwmark.intValue), sizeof(fwmark.intValue));
5117 }
5118
changeNetworkPermissionForUid(int netId,int uid,bool add)5119 void changeNetworkPermissionForUid(int netId, int uid, bool add) {
5120 auto nativeUidRangeConfig = makeNativeUidRangeConfig(netId, {makeUidRangeParcel(uid, uid)},
5121 UidRanges::SUB_PRIORITY_NO_DEFAULT);
5122 ScopedUidChange rootUid(AID_ROOT);
5123 if (add) {
5124 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(nativeUidRangeConfig).isOk());
5125 } else {
5126 EXPECT_TRUE(mNetd->networkRemoveUidRangesParcel(nativeUidRangeConfig).isOk());
5127 }
5128 }
5129
5130 protected:
5131 static inline const sockaddr_in6 TEST_SOCKADDR_IN6 = {
5132 .sin6_family = AF_INET6,
5133 .sin6_port = 42,
5134 .sin6_addr = V6_ADDR,
5135 };
5136 std::array<char, 4096> mTestBuf;
5137 };
5138
TEST_F(PerAppNetworkPermissionsTest,HasExplicitAccess)5139 TEST_F(PerAppNetworkPermissionsTest, HasExplicitAccess) {
5140 // TEST_NETID1 -> restricted network
5141 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_SYSTEM);
5142 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5143
5144 // Change uid to uid without PERMISSION_SYSTEM
5145 ScopedUidChange testUid(TEST_UID1);
5146 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5147 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5148
5149 // Test without permissions should fail
5150 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5151
5152 // Test access with permission succeeds and packet is routed correctly
5153 changeNetworkPermissionForUid(TEST_NETID1, TEST_UID1, true /*add*/);
5154 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), 0);
5155 EXPECT_EQ(send(sock, "foo", sizeof("foo"), 0), (int)sizeof("foo"));
5156 EXPECT_GT(read(sTun.getFdForTesting(), mTestBuf.data(), mTestBuf.size()), 0);
5157
5158 // Test removing permissions.
5159 // Note: Send will still succeed as the destination is cached in
5160 // sock.sk_dest_cache. Try another connect instead.
5161 changeNetworkPermissionForUid(TEST_NETID1, TEST_UID1, false /*add*/);
5162 EXPECT_EQ(-1, connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)));
5163 }
5164
TEST_F(PerAppNetworkPermissionsTest,HasImplicitAccess)5165 TEST_F(PerAppNetworkPermissionsTest, HasImplicitAccess) {
5166 // TEST_NETID1 -> restricted network
5167 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_SYSTEM);
5168 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5169
5170 // Change uid to uid without PERMISSION_SYSTEM
5171 ScopedUidChange testUid(TEST_UID1);
5172 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5173 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, false /*explicitlySelected*/), 0);
5174
5175 // Note: we cannot call connect() when implicitly selecting the network as
5176 // the fwmark would get reset to the default network.
5177 // Call connect which should bind socket to default network
5178 EXPECT_EQ(sendto(sock, "foo", sizeof("foo"), 0, (sockaddr*)&TEST_SOCKADDR_IN6,
5179 sizeof(TEST_SOCKADDR_IN6)),
5180 -1);
5181
5182 // Test access with permission succeeds and packet is routed correctly
5183 changeNetworkPermissionForUid(TEST_NETID1, TEST_UID1, true /*add*/);
5184 EXPECT_EQ(sendto(sock, "foo", sizeof("foo"), 0, (sockaddr*)&TEST_SOCKADDR_IN6,
5185 sizeof(TEST_SOCKADDR_IN6)),
5186 (int)sizeof("foo"));
5187 EXPECT_GT(read(sTun.getFdForTesting(), mTestBuf.data(), mTestBuf.size()), 0);
5188 }
5189
TEST_F(PerAppNetworkPermissionsTest,DoesNotAffectDefaultNetworkSelection)5190 TEST_F(PerAppNetworkPermissionsTest, DoesNotAffectDefaultNetworkSelection) {
5191 // TEST_NETID1 -> default network
5192 // TEST_NETID2 -> restricted network
5193 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_NONE);
5194 createPhysicalNetwork(TEST_NETID2, sTun2.name(), INetd::PERMISSION_SYSTEM);
5195 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5196 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "::/0", "").isOk());
5197 mNetd->networkSetDefault(TEST_NETID1);
5198
5199 changeNetworkPermissionForUid(TEST_NETID2, TEST_UID1, true /*add*/);
5200
5201 // Change uid to uid without PERMISSION_SYSTEM
5202 ScopedUidChange testUid(TEST_UID1);
5203 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5204
5205 // Connect should select default network
5206 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), 0);
5207 EXPECT_EQ(send(sock, "foo", sizeof("foo"), 0), (int)sizeof("foo"));
5208 EXPECT_GT(read(sTun.getFdForTesting(), mTestBuf.data(), mTestBuf.size()), 0);
5209 }
5210
TEST_F(PerAppNetworkPermissionsTest,PermissionDoesNotAffectPerAppDefaultNetworkSelection)5211 TEST_F(PerAppNetworkPermissionsTest, PermissionDoesNotAffectPerAppDefaultNetworkSelection) {
5212 // TEST_NETID1 -> restricted app default network
5213 // TEST_NETID2 -> restricted network
5214 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_SYSTEM);
5215 createPhysicalNetwork(TEST_NETID2, sTun2.name(), INetd::PERMISSION_SYSTEM);
5216 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5217 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "::/0", "").isOk());
5218
5219 auto nativeUidRangeConfig = makeNativeUidRangeConfig(
5220 TEST_NETID1, {makeUidRangeParcel(TEST_UID1, TEST_UID1)}, 0 /*subPriority*/);
5221 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(nativeUidRangeConfig).isOk());
5222 changeNetworkPermissionForUid(TEST_NETID2, TEST_UID1, true /*add*/);
5223
5224 // Change uid to uid without PERMISSION_SYSTEM
5225 ScopedUidChange testUid(TEST_UID1);
5226 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5227
5228 // Connect should select app default network
5229 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), 0);
5230 EXPECT_EQ(send(sock, "foo", sizeof("foo"), 0), (int)sizeof("foo"));
5231 EXPECT_GT(read(sTun.getFdForTesting(), mTestBuf.data(), mTestBuf.size()), 0);
5232 }
5233
TEST_F(PerAppNetworkPermissionsTest,PermissionOnlyAffectsUid)5234 TEST_F(PerAppNetworkPermissionsTest, PermissionOnlyAffectsUid) {
5235 // TEST_NETID1 -> restricted network
5236 // TEST_NETID2 -> restricted network
5237 createPhysicalNetwork(TEST_NETID1, sTun.name(), INetd::PERMISSION_SYSTEM);
5238 createPhysicalNetwork(TEST_NETID2, sTun2.name(), INetd::PERMISSION_SYSTEM);
5239 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID1, sTun.name(), "::/0", "").isOk());
5240 EXPECT_TRUE(mNetd->networkAddRoute(TEST_NETID2, sTun2.name(), "::/0", "").isOk());
5241
5242 // test that neither TEST_UID1, nor TEST_UID2 have access without permission
5243 {
5244 // TEST_UID1
5245 ScopedUidChange testUid(TEST_UID1);
5246 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5247 // TEST_NETID1
5248 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5249 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5250 // TEST_NETID2
5251 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID2, true /*explicitlySelected*/), 0);
5252 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5253 }
5254 {
5255 // TEST_UID2
5256 ScopedUidChange testUid(TEST_UID2);
5257 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5258 // TEST_NETID1
5259 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5260 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5261 // TEST_NETID2
5262 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID2, true /*explicitlySelected*/), 0);
5263 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5264 }
5265
5266 changeNetworkPermissionForUid(TEST_NETID1, TEST_UID1, true);
5267
5268 // test that TEST_UID1 has access to TEST_UID1
5269 {
5270 // TEST_UID1
5271 ScopedUidChange testUid(TEST_UID1);
5272 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5273 // TEST_NETID1
5274 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5275 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), 0);
5276 // TEST_NETID2
5277 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID2, true /*explicitlySelected*/), 0);
5278 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5279 }
5280 {
5281 // TEST_UID2
5282 ScopedUidChange testUid(TEST_UID2);
5283 unique_fd sock(socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0));
5284 // TEST_NETID1
5285 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID1, true /*explicitlySelected*/), 0);
5286 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5287 // TEST_NETID2
5288 EXPECT_EQ(bindSocketToNetwork(sock, TEST_NETID2, true /*explicitlySelected*/), 0);
5289 EXPECT_EQ(connect(sock, (sockaddr*)&TEST_SOCKADDR_IN6, sizeof(TEST_SOCKADDR_IN6)), -1);
5290 }
5291 }
5292
5293 // Creates a system default network and 3 enterprise networks for two profiles. Check if network
5294 // selection in compliance with network allow list settings.
5295 //
5296 // +-----------+-----------------------+----------------------------------------+
5297 // | UID | UID's default network | UID can select networks |
5298 // +-----------+-----------------------+----------------------------------------+
5299 // | TEST_UID1 | ENTERPRISE_NETID_1 | ENTERPRISE_NETID_1, ENTERPRISE_NETID_2 |
5300 // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_3 |
5301 // +-----------+-----------------------+----------------------------------------+
TEST_F(NetdBinderTest,PerProfileNetworkPermission)5302 TEST_F(NetdBinderTest, PerProfileNetworkPermission) {
5303 // creates 4 networks
5304 createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, ENTERPRISE_NETID_1);
5305 createPhysicalNetwork(ENTERPRISE_NETID_2, sTun3.name());
5306 EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_2, sTun3.name(), "::/0", "").isOk());
5307 createPhysicalNetwork(ENTERPRISE_NETID_3, sTun4.name());
5308 EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_3, sTun4.name(), "::/0", "").isOk());
5309
5310 // profile#1
5311 // UidRanges::SUB_PRIORITY_HIGHEST + 20 = PREFERENCE_ORDER_PROFILE, which is defined in
5312 // ConnectivityService.java. The value here doesn't really matter because user allowed network
5313 // does not depends on specific sub-priority.
5314 NativeUidRangeConfig cfg1 =
5315 makeNativeUidRangeConfig(ENTERPRISE_NETID_1, {makeUidRangeParcel(TEST_UID1, TEST_UID1)},
5316 UidRanges::SUB_PRIORITY_HIGHEST + 20);
5317 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(cfg1).isOk());
5318
5319 // profile#2
5320 NativeUidRangeConfig cfg2 =
5321 makeNativeUidRangeConfig(ENTERPRISE_NETID_3, {makeUidRangeParcel(TEST_UID2, TEST_UID2)},
5322 UidRanges::SUB_PRIORITY_HIGHEST + 20);
5323 EXPECT_TRUE(mNetd->networkAddUidRangesParcel(cfg2).isOk());
5324
5325 // setNetworkAllowlist at once
5326 // all uids except for TEST_UID2
5327 NativeUidRangeConfig nw1UserConfig = makeNativeUidRangeConfig(
5328 ENTERPRISE_NETID_1,
5329 {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)},
5330 /*unused*/ 0);
5331 NativeUidRangeConfig nw2UserConfig = makeNativeUidRangeConfig(
5332 ENTERPRISE_NETID_2,
5333 {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)},
5334 /*unused*/ 0);
5335 // all uids except for TEST_UID1
5336 NativeUidRangeConfig nw3UserConfig = makeNativeUidRangeConfig(
5337 ENTERPRISE_NETID_3, {makeUidRangeParcel(0, TEST_UID2)}, /*unused*/ 0);
5338 // all uids except for TEST_UID1 and TEST_UID2
5339 NativeUidRangeConfig nwDefaultUserConfig = makeNativeUidRangeConfig(
5340 SYSTEM_DEFAULT_NETID, {makeUidRangeParcel(0, TEST_UID3)}, /*unused*/ 0);
5341 EXPECT_TRUE(mNetd->setNetworkAllowlist(
5342 {nw1UserConfig, nw2UserConfig, nw3UserConfig, nwDefaultUserConfig})
5343 .isOk());
5344
5345 { // Can set network for process on allowed networks.
5346 ScopedUidChange scopedUidChange(TEST_UID1);
5347 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5348 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
5349 // Can not set network for process on not allowed networks.
5350 EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5351 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_3));
5352 }
5353 { // Can set network for process on allowed networks.
5354 ScopedUidChange scopedUidChange(TEST_UID2);
5355 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
5356 // Can not set network for process on not allowed networks.
5357 EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5358 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_1));
5359 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_2));
5360 }
5361 { // Root can use whatever network it wants.
5362 ScopedUidChange scopedUidChange(AID_ROOT);
5363 EXPECT_EQ(0, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5364 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5365 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
5366 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
5367 }
5368
5369 // Update setting: remove ENTERPRISE_NETID_2 from profile#1's allowed network list and add it to
5370 // profile#2's allowed network list.
5371 // +-----------+-----------------------+----------------------------------------+
5372 // | UID | UID's default network | UID can select networks |
5373 // +-----------+-----------------------+----------------------------------------+
5374 // | TEST_UID1 | ENTERPRISE_NETID_1 | ENTERPRISE_NETID_1 |
5375 // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_2, ENTERPRISE_NETID_3 |
5376 // +-----------+-----------------------+----------------------------------------+
5377
5378 // all uids except for TEST_UID2
5379 nw1UserConfig = makeNativeUidRangeConfig(
5380 ENTERPRISE_NETID_1,
5381 {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)},
5382 /*unused*/ 0);
5383 // all uids except for TEST_UID1
5384 nw2UserConfig = makeNativeUidRangeConfig(ENTERPRISE_NETID_2, {makeUidRangeParcel(0, TEST_UID2)},
5385 /*unused*/ 0);
5386 nw3UserConfig = makeNativeUidRangeConfig(ENTERPRISE_NETID_3, {makeUidRangeParcel(0, TEST_UID2)},
5387 /*unused*/ 0);
5388 // all uids except for TEST_UID1 and TEST_UID2
5389 nwDefaultUserConfig = makeNativeUidRangeConfig(
5390 SYSTEM_DEFAULT_NETID, {makeUidRangeParcel(0, TEST_UID3)}, /*unused*/ 0);
5391 EXPECT_TRUE(mNetd->setNetworkAllowlist(
5392 {nw1UserConfig, nw2UserConfig, nw3UserConfig, nwDefaultUserConfig})
5393 .isOk());
5394
5395 {
5396 ScopedUidChange scopedUidChange(TEST_UID1);
5397 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5398 EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5399 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_2));
5400 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_3));
5401 }
5402 {
5403 ScopedUidChange scopedUidChange(TEST_UID2);
5404 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
5405 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
5406 EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5407 EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_1));
5408 }
5409
5410 // UID not restricted by allowed list can select all networks.
5411 {
5412 ScopedUidChange scopedUidChange(TEST_UID3);
5413 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5414 EXPECT_EQ(0, setNetworkForProcess(SYSTEM_DEFAULT_NETID));
5415 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2));
5416 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3));
5417 }
5418
5419 // Update setting: remove ENTERPRISE_NETID_1 from profile#1's allowed network list
5420 // +-----------+-----------------------+----------------------------------------+
5421 // | UID | UID's default network | UID can select networks |
5422 // +-----------+-----------------------+----------------------------------------+
5423 // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_2, ENTERPRISE_NETID_3 |
5424 // +-----------+-----------------------+----------------------------------------+
5425 EXPECT_TRUE(
5426 mNetd->setNetworkAllowlist({nw2UserConfig, nw3UserConfig, nwDefaultUserConfig}).isOk());
5427
5428 // All UIDs should be able to use ENTERPRISE_NETID_1.
5429 for (const int uid : {TEST_UID1, TEST_UID2, TEST_UID3}) {
5430 {
5431 ScopedUidChange scopedUidChange(uid);
5432 EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1));
5433 }
5434 }
5435 }
5436
5437 namespace {
5438
5439 class ScopedIfaceRouteOperation {
5440 using IfaceCmd = std::tuple<int32_t, const std::string>;
5441 using RouteCmd = std::tuple<int32_t, const std::string, const std::string, const std::string>;
5442
5443 // Helper type for the visitor.
5444 template <class... Ts>
5445 struct overloaded : Ts... {
5446 using Ts::operator()...;
5447 };
5448 // Explicit deduction guide
5449 template <class... Ts>
5450 overloaded(Ts...) -> overloaded<Ts...>;
5451
5452 public:
ScopedIfaceRouteOperation(sp<INetd> netd)5453 ScopedIfaceRouteOperation(sp<INetd> netd) : mNetd(netd) {}
5454
addInterface(int32_t netId,const std::string & iface)5455 binder::Status addInterface(int32_t netId, const std::string& iface) {
5456 const binder::Status status = mNetd->networkAddInterface(netId, iface);
5457 if (status.isOk()) {
5458 mCmds.push_back(std::make_tuple(netId, iface));
5459 }
5460 return status;
5461 }
5462
addRoute(int32_t netId,const std::string & iface,const std::string & destination,const std::string & nextHop)5463 binder::Status addRoute(int32_t netId, const std::string& iface, const std::string& destination,
5464 const std::string& nextHop) {
5465 const binder::Status status = mNetd->networkAddRoute(netId, iface, destination, nextHop);
5466 if (status.isOk()) {
5467 mCmds.push_back(std::make_tuple(netId, iface, destination, nextHop));
5468 }
5469 return status;
5470 }
5471
~ScopedIfaceRouteOperation()5472 ~ScopedIfaceRouteOperation() {
5473 // Remove routes and interfaces in reverse order.
5474 for (std::vector<std::variant<IfaceCmd, RouteCmd>>::reverse_iterator iter = mCmds.rbegin();
5475 iter != mCmds.rend(); iter++) {
5476 // Do corresponding works according to the type of the command pointed by the iter.
5477 std::visit(overloaded{
5478 [&](IfaceCmd& cmd) {
5479 mNetd->networkRemoveInterface(std::get<0>(cmd),
5480 std::get<1>(cmd));
5481 },
5482 [&](RouteCmd& cmd) {
5483 mNetd->networkRemoveRoute(std::get<0>(cmd), std::get<1>(cmd),
5484 std::get<2>(cmd), std::get<3>(cmd));
5485 },
5486 },
5487 *iter);
5488 }
5489 }
5490
5491 private:
5492 sp<INetd> mNetd;
5493 std::vector<std::variant<IfaceCmd, RouteCmd>> mCmds;
5494 };
5495
getV6LinkLocalAddrFromIfIndex(const unsigned ifIndex)5496 std::optional<sockaddr_in6> getV6LinkLocalAddrFromIfIndex(const unsigned ifIndex) {
5497 struct ifaddrs* ifAddrList = nullptr;
5498 sockaddr_in6 linkLocalAddr{};
5499
5500 if (getifaddrs(&ifAddrList) == -1) return std::nullopt;
5501
5502 for (struct ifaddrs* ifa = ifAddrList; ifa != nullptr; ifa = ifa->ifa_next) {
5503 if (ifa->ifa_addr != nullptr && ifa->ifa_addr->sa_family == AF_INET6) {
5504 struct sockaddr_in6* addr = reinterpret_cast<struct sockaddr_in6*>(ifa->ifa_addr);
5505 if (addr->sin6_scope_id == ifIndex && IN6_IS_ADDR_LINKLOCAL(&(addr->sin6_addr))) {
5506 linkLocalAddr = *addr;
5507 freeifaddrs(ifAddrList);
5508 return linkLocalAddr;
5509 }
5510 }
5511 }
5512
5513 freeifaddrs(ifAddrList);
5514 return std::nullopt;
5515 }
5516
retry_bind(int sockfd,struct sockaddr * addr,socklen_t addrlen)5517 int retry_bind(int sockfd, struct sockaddr* addr, socklen_t addrlen) {
5518 int ret = 0;
5519
5520 for (int retry = 0; retry < 10; retry++) {
5521 ret = bind(sockfd, addr, addrlen);
5522 if (ret == 0 || (ret == -1 && errno != EADDRNOTAVAIL)) {
5523 break;
5524 }
5525 usleep(100 * 1000);
5526 }
5527 return ret;
5528 }
5529
5530 } // namespace
5531
TEST_F(NetdBinderTest,V6LinkLocalFwmark)5532 TEST_F(NetdBinderTest, V6LinkLocalFwmark) {
5533 createAndSetDefaultNetwork(TEST_NETID1, sTun.name());
5534
5535 // Add an interface and route for Local network.
5536 ScopedIfaceRouteOperation scopedOperation(mNetd);
5537 EXPECT_TRUE(scopedOperation.addInterface(NetworkController::LOCAL_NET_ID, sTun2.name()).isOk());
5538 EXPECT_TRUE(
5539 scopedOperation.addRoute(NetworkController::LOCAL_NET_ID, sTun2.name(), "fe80::/64", "")
5540 .isOk());
5541
5542 // Bind a listening socket to the auto assigned link-local address of the Local network.
5543 std::optional<sockaddr_in6> v6LinkLocalAddr_1 = getV6LinkLocalAddrFromIfIndex(sTun2.ifindex());
5544 ASSERT_TRUE(v6LinkLocalAddr_1.has_value()) << "errno:" << errno;
5545 socklen_t len = sizeof(v6LinkLocalAddr_1.value());
5546 unique_fd s1(socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK, 0));
5547 ASSERT_EQ(0, bind(s1, reinterpret_cast<sockaddr*>(&v6LinkLocalAddr_1.value()), len))
5548 << "errno:" << errno;
5549 ASSERT_EQ(0, getsockname(s1, reinterpret_cast<sockaddr*>(&v6LinkLocalAddr_1.value()), &len))
5550 << "errno:" << errno;
5551 ASSERT_EQ(0, listen(s1, 10)) << "errno:" << errno;
5552
5553 // Add another v6 link-local address.
5554 const char* v6LinkLocalAddr_2 = "fe80::ace:d00d";
5555 EXPECT_TRUE(mNetd->interfaceAddAddress(sTun2.name(), v6LinkLocalAddr_2, 64).isOk());
5556
5557 // Bind a client socket on the new added link-local address and connect it to the listen socket.
5558 // Have different src and dst addresses is needed because we want to test the behavior of fwmark
5559 // and destroying sockets. The same src and dst addresses are treated as loopbacks and won't be
5560 // destroyed in any way.
5561 const struct addrinfo hints = {
5562 .ai_flags = AI_NUMERICHOST,
5563 .ai_family = AF_INET6,
5564 .ai_socktype = SOCK_STREAM,
5565 };
5566 struct addrinfo* addrinfoList = nullptr;
5567 int ret = getaddrinfo(v6LinkLocalAddr_2, nullptr, &hints, &addrinfoList);
5568 ScopedAddrinfo addrinfoCleanup(addrinfoList);
5569 ASSERT_EQ(0, ret) << "errno:" << errno;
5570
5571 len = addrinfoList[0].ai_addrlen;
5572 sockaddr_in6 sin6 = *reinterpret_cast<sockaddr_in6*>(addrinfoList[0].ai_addr);
5573 sin6.sin6_scope_id = sTun2.ifindex();
5574
5575 unique_fd c1(socket(AF_INET6, SOCK_STREAM, 0));
5576 // Retry in case the newly added address is not ready yet.
5577 ASSERT_EQ(0, retry_bind(c1, reinterpret_cast<sockaddr*>(&sin6), len)) << "errno:" << errno;
5578 ASSERT_EQ(0, getsockname(c1, reinterpret_cast<sockaddr*>(&sin6), &len)) << "errno:" << errno;
5579 ASSERT_EQ(0, connect(c1, reinterpret_cast<sockaddr*>(&v6LinkLocalAddr_1.value()), len))
5580 << "errno:" << errno;
5581
5582 // Verify netId in fwmark.
5583 Fwmark fwmark;
5584 socklen_t fwmarkLen = sizeof(fwmark.intValue);
5585 EXPECT_EQ(0, getsockopt(c1, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen));
5586 EXPECT_EQ((unsigned)NetworkController::LOCAL_NET_ID, fwmark.netId);
5587
5588 unique_fd a1(accept(s1, nullptr, 0));
5589 ASSERT_NE(-1, a1) << "errno:" << errno;
5590 EXPECT_EQ(0, getsockopt(a1, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen));
5591 // TODO: Fix fwmark on the accept socket?
5592 fwmark.netId = NetworkController::LOCAL_NET_ID;
5593 EXPECT_EQ(0, setsockopt(a1, SOL_SOCKET, SO_MARK, &fwmark.intValue, sizeof(fwmark.intValue)));
5594
5595 // Change permission on the default network. Client socket should not be destroyed.
5596 EXPECT_TRUE(
5597 mNetd->networkSetPermissionForNetwork(TEST_NETID1, INetd::PERMISSION_NETWORK).isOk());
5598
5599 char buf[1024] = {};
5600 EXPECT_EQ(3, write(a1, "foo", 3)) << "errno:" << errno;
5601 EXPECT_EQ(3, read(c1, buf, sizeof(buf))) << "errno:" << errno;
5602 }
5603
5604 /**
5605 * This test sets up three networks:
5606 * - SYSTEM_DEFAULT_NETID -> sTun
5607 * - OTHER_NETID -> sTun2
5608 * - VPN_NETID -> sTun3
5609 */
TEST_F(NetdBinderTest,BypassVpnWithNetId)5610 TEST_F(NetdBinderTest, BypassVpnWithNetId) {
5611 static constexpr unsigned OTHER_NETID = TEST_NETID2;
5612 static const sockaddr_in6 addr = {
5613 .sin6_family = AF_INET6,
5614 .sin6_port = 42,
5615 .sin6_addr = V6_ADDR,
5616 };
5617 createVpnAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, OTHER_NETID, VPN_NETID, true /*secure*/);
5618 ASSERT_TRUE(mNetd->networkAddUidRanges(VPN_NETID, {makeUidRangeParcel(TEST_UID1)}).isOk());
5619
5620 {
5621 ScopedUidChange change(TEST_UID1);
5622 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5623 // No network selected for the socket: data is received on VPN network.
5624 checkDataReceived(sock, sTun3.getFdForTesting(), (sockaddr*)&addr, sizeof(addr));
5625 }
5626
5627 {
5628 ScopedUidChange change(TEST_UID1);
5629 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5630 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5631 // 0x80000000 is NETID_USE_LOCAL_NAMESERVERS and should just be ignored
5632 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID | 0x80000000, sock));
5633 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5634 EXPECT_EQ(-EPERM, setNetworkForSocket(OTHER_NETID, sock));
5635
5636 // No permission to use OTHER_NETID: data is received on VPN network.
5637 checkDataReceived(sock, sTun3.getFdForTesting(), (sockaddr*)&addr, sizeof(addr));
5638 }
5639
5640 mNetd->networkAllowBypassVpnOnNetwork(true /* allow */, TEST_UID1, OTHER_NETID);
5641 auto guard = android::base::make_scope_guard([this] {
5642 mNetd->networkAllowBypassVpnOnNetwork(false /* allow */, TEST_UID1, OTHER_NETID);
5643 });
5644
5645 {
5646 ScopedUidChange change(TEST_UID1);
5647 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5648 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5649 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5650 EXPECT_EQ(0, setNetworkForSocket(OTHER_NETID, sock));
5651
5652 // Permission to use OTHER_NETID and OTHER_NETID is selected for socket: data is received on
5653 // OTHER network.
5654 checkDataReceived(sock, sTun2.getFdForTesting(), (sockaddr*)&addr, sizeof(addr));
5655 }
5656 }
5657
5658 /**
5659 * This test sets up three networks:
5660 * - SYSTEM_DEFAULT_NETID -> sTun
5661 * - OTHER_NETID -> sTun2
5662 * - VPN_NETID -> sTun3
5663 */
TEST_F(NetdBinderTest,BypassVpnWithNetIdOverlappingRules)5664 TEST_F(NetdBinderTest, BypassVpnWithNetIdOverlappingRules) {
5665 static constexpr unsigned OTHER_NETID = TEST_NETID2;
5666 createVpnAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, OTHER_NETID, VPN_NETID, true /*secure*/);
5667 ASSERT_TRUE(mNetd->networkAddUidRanges(VPN_NETID, {makeUidRangeParcel(TEST_UID1)}).isOk());
5668
5669 // Check default network permissions.
5670 {
5671 ScopedUidChange change(TEST_UID1);
5672 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5673 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5674 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5675 EXPECT_EQ(-EPERM, setNetworkForSocket(OTHER_NETID, sock));
5676 }
5677
5678 // Careful: only use EXPECT_*() so the test cleans up after itself on failure.
5679 // Exempt TEST_UID1 from VPN on OTHER_NETID
5680 mNetd->networkAllowBypassVpnOnNetwork(true /* allow */, TEST_UID1, OTHER_NETID);
5681 {
5682 ScopedUidChange change(TEST_UID1);
5683 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5684 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5685 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5686 EXPECT_EQ(0, setNetworkForSocket(OTHER_NETID, sock));
5687 }
5688
5689 // Exempt TEST_UID1 from VPN on all networks.
5690 mNetd->networkSetProtectAllow(TEST_UID1);
5691 {
5692 ScopedUidChange change(TEST_UID1);
5693 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5694 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5695 EXPECT_EQ(0, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5696 EXPECT_EQ(0, setNetworkForSocket(OTHER_NETID, sock));
5697 }
5698
5699 // Remove network-specific exemption
5700 mNetd->networkAllowBypassVpnOnNetwork(false /* allow */, TEST_UID1, OTHER_NETID);
5701 {
5702 ScopedUidChange change(TEST_UID1);
5703 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5704 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5705 EXPECT_EQ(0, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5706 EXPECT_EQ(0, setNetworkForSocket(OTHER_NETID, sock));
5707 }
5708
5709 // Remove global exemption
5710 mNetd->networkSetProtectDeny(TEST_UID1);
5711 {
5712 ScopedUidChange change(TEST_UID1);
5713 unique_fd sock(socket(AF_INET6, SOCK_DGRAM, 0));
5714 EXPECT_EQ(0, setNetworkForSocket(VPN_NETID, sock));
5715 EXPECT_EQ(-EPERM, setNetworkForSocket(SYSTEM_DEFAULT_NETID, sock));
5716 EXPECT_EQ(-EPERM, setNetworkForSocket(OTHER_NETID, sock));
5717 }
5718 }
5719