Merge changes I0731fa84,Id31a60ad am: 1ab1849ab2
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1545865 MUST ONLY BE SUBMITTED BY AUTOMERGER Change-Id: Idb217a2f933bd215a489f202f737122cf87b9b36
This commit is contained in:
Patrick Rohr
@@ -122,17 +122,26 @@ public class NetworkPolicyManager {
|
||||
* @hide
|
||||
*/
|
||||
public static final int RULE_REJECT_ALL = 1 << 6;
|
||||
/**
|
||||
* Reject traffic on all networks for restricted networking mode.
|
||||
*/
|
||||
public static final int RULE_REJECT_RESTRICTED_MODE = 1 << 10;
|
||||
|
||||
/**
|
||||
* Mask used to get the {@code RULE_xxx_METERED} rules
|
||||
* @hide
|
||||
*/
|
||||
public static final int MASK_METERED_NETWORKS = 0b00001111;
|
||||
public static final int MASK_METERED_NETWORKS = 0b000000001111;
|
||||
/**
|
||||
* Mask used to get the {@code RULE_xxx_ALL} rules
|
||||
* @hide
|
||||
*/
|
||||
public static final int MASK_ALL_NETWORKS = 0b11110000;
|
||||
public static final int MASK_ALL_NETWORKS = 0b000011110000;
|
||||
/**
|
||||
* Mask used to get the {@code RULE_xxx_RESTRICTED_MODE} rules
|
||||
* @hide
|
||||
*/
|
||||
public static final int MASK_RESTRICTED_MODE_NETWORKS = 0b111100000000;
|
||||
|
||||
/** @hide */
|
||||
public static final int FIREWALL_RULE_DEFAULT = 0;
|
||||
|
||||
@@ -14406,6 +14406,17 @@ public final class Settings {
|
||||
*/
|
||||
public static final String NR_NSA_TRACKING_SCREEN_OFF_MODE =
|
||||
"nr_nsa_tracking_screen_off_mode";
|
||||
|
||||
/**
|
||||
* Used to enable / disable the Restricted Networking Mode in which network access is
|
||||
* restricted to apps holding the CONNECTIVITY_USE_RESTRICTED_NETWORKS permission.
|
||||
*
|
||||
* Values are:
|
||||
* 0: disabled
|
||||
* 1: enabled
|
||||
* @hide
|
||||
*/
|
||||
public static final String RESTRICTED_NETWORKING_MODE = "restricted_networking_mode";
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -149,5 +149,6 @@ public class GlobalSettingsValidators {
|
||||
VALIDATORS.put(Global.CUSTOM_BUGREPORT_HANDLER_APP, ANY_STRING_VALIDATOR);
|
||||
VALIDATORS.put(Global.CUSTOM_BUGREPORT_HANDLER_USER, ANY_INTEGER_VALIDATOR);
|
||||
VALIDATORS.put(Global.DEVELOPMENT_SETTINGS_ENABLED, BOOLEAN_VALIDATOR);
|
||||
VALIDATORS.put(Global.RESTRICTED_NETWORKING_MODE, BOOLEAN_VALIDATOR);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -420,6 +420,7 @@ public class SettingsBackupTest {
|
||||
Settings.Global.RADIO_WIMAX,
|
||||
Settings.Global.RECOMMENDED_NETWORK_EVALUATOR_CACHE_EXPIRY_MS,
|
||||
Settings.Global.READ_EXTERNAL_STORAGE_ENFORCED_DEFAULT,
|
||||
Settings.Global.RESTRICTED_NETWORKING_MODE,
|
||||
Settings.Global.REQUIRE_PASSWORD_TO_DECRYPT,
|
||||
Settings.Global.SAFE_BOOT_DISALLOWED,
|
||||
Settings.Global.SELINUX_STATUS,
|
||||
|
||||
@@ -78,6 +78,7 @@ public class NetworkPolicyLogger {
|
||||
static final int NTWK_BLOCKED_BG_RESTRICT = 5;
|
||||
static final int NTWK_ALLOWED_DEFAULT = 6;
|
||||
static final int NTWK_ALLOWED_SYSTEM = 7;
|
||||
static final int NTWK_BLOCKED_RESTRICTED_MODE = 8;
|
||||
|
||||
private final LogBuffer mNetworkBlockedBuffer = new LogBuffer(MAX_NETWORK_BLOCKED_LOG_SIZE);
|
||||
private final LogBuffer mUidStateChangeBuffer = new LogBuffer(MAX_LOG_SIZE);
|
||||
@@ -281,6 +282,8 @@ public class NetworkPolicyLogger {
|
||||
return "blocked when background is restricted";
|
||||
case NTWK_ALLOWED_DEFAULT:
|
||||
return "allowed by default";
|
||||
case NTWK_BLOCKED_RESTRICTED_MODE:
|
||||
return "blocked by restricted networking mode";
|
||||
default:
|
||||
return String.valueOf(reason);
|
||||
}
|
||||
|
||||
@@ -18,6 +18,7 @@ package com.android.server.net;
|
||||
|
||||
import static android.Manifest.permission.ACCESS_NETWORK_STATE;
|
||||
import static android.Manifest.permission.CONNECTIVITY_INTERNAL;
|
||||
import static android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS;
|
||||
import static android.Manifest.permission.MANAGE_NETWORK_POLICY;
|
||||
import static android.Manifest.permission.MANAGE_SUBSCRIPTION_PLANS;
|
||||
import static android.Manifest.permission.NETWORK_SETTINGS;
|
||||
@@ -44,6 +45,7 @@ import static android.net.ConnectivityManager.RESTRICT_BACKGROUND_STATUS_WHITELI
|
||||
import static android.net.ConnectivityManager.TYPE_MOBILE;
|
||||
import static android.net.INetd.FIREWALL_CHAIN_DOZABLE;
|
||||
import static android.net.INetd.FIREWALL_CHAIN_POWERSAVE;
|
||||
import static android.net.INetd.FIREWALL_CHAIN_RESTRICTED;
|
||||
import static android.net.INetd.FIREWALL_CHAIN_STANDBY;
|
||||
import static android.net.INetd.FIREWALL_RULE_ALLOW;
|
||||
import static android.net.INetd.FIREWALL_RULE_DENY;
|
||||
@@ -57,6 +59,7 @@ import static android.net.NetworkPolicyManager.EXTRA_NETWORK_TEMPLATE;
|
||||
import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT;
|
||||
import static android.net.NetworkPolicyManager.MASK_ALL_NETWORKS;
|
||||
import static android.net.NetworkPolicyManager.MASK_METERED_NETWORKS;
|
||||
import static android.net.NetworkPolicyManager.MASK_RESTRICTED_MODE_NETWORKS;
|
||||
import static android.net.NetworkPolicyManager.POLICY_ALLOW_METERED_BACKGROUND;
|
||||
import static android.net.NetworkPolicyManager.POLICY_NONE;
|
||||
import static android.net.NetworkPolicyManager.POLICY_REJECT_METERED_BACKGROUND;
|
||||
@@ -65,6 +68,7 @@ import static android.net.NetworkPolicyManager.RULE_ALLOW_METERED;
|
||||
import static android.net.NetworkPolicyManager.RULE_NONE;
|
||||
import static android.net.NetworkPolicyManager.RULE_REJECT_ALL;
|
||||
import static android.net.NetworkPolicyManager.RULE_REJECT_METERED;
|
||||
import static android.net.NetworkPolicyManager.RULE_REJECT_RESTRICTED_MODE;
|
||||
import static android.net.NetworkPolicyManager.RULE_TEMPORARY_ALLOW_METERED;
|
||||
import static android.net.NetworkPolicyManager.isProcStateAllowedWhileIdleOrPowerSaveMode;
|
||||
import static android.net.NetworkPolicyManager.isProcStateAllowedWhileOnRestrictBackground;
|
||||
@@ -112,6 +116,7 @@ import static com.android.server.net.NetworkPolicyLogger.NTWK_ALLOWED_TMP_ALLOWL
|
||||
import static com.android.server.net.NetworkPolicyLogger.NTWK_BLOCKED_BG_RESTRICT;
|
||||
import static com.android.server.net.NetworkPolicyLogger.NTWK_BLOCKED_DENYLIST;
|
||||
import static com.android.server.net.NetworkPolicyLogger.NTWK_BLOCKED_POWER;
|
||||
import static com.android.server.net.NetworkPolicyLogger.NTWK_BLOCKED_RESTRICTED_MODE;
|
||||
import static com.android.server.net.NetworkStatsService.ACTION_NETWORK_STATS_UPDATED;
|
||||
|
||||
import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT;
|
||||
@@ -446,7 +451,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
@GuardedBy("mUidRulesFirstLock") volatile boolean mRestrictPower;
|
||||
@GuardedBy("mUidRulesFirstLock") volatile boolean mDeviceIdleMode;
|
||||
// Store whether user flipped restrict background in battery saver mode
|
||||
@GuardedBy("mUidRulesFirstLock") volatile boolean mRestrictBackgroundChangedInBsm;
|
||||
@GuardedBy("mUidRulesFirstLock")
|
||||
volatile boolean mRestrictBackgroundChangedInBsm;
|
||||
@GuardedBy("mUidRulesFirstLock")
|
||||
volatile boolean mRestrictedNetworkingMode;
|
||||
|
||||
private final boolean mSuppressDefaultPolicy;
|
||||
|
||||
@@ -480,6 +488,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
final SparseIntArray mUidFirewallDozableRules = new SparseIntArray();
|
||||
@GuardedBy("mUidRulesFirstLock")
|
||||
final SparseIntArray mUidFirewallPowerSaveRules = new SparseIntArray();
|
||||
@GuardedBy("mUidRulesFirstLock")
|
||||
final SparseIntArray mUidFirewallRestrictedModeRules = new SparseIntArray();
|
||||
|
||||
/** Set of states for the child firewall chains. True if the chain is active. */
|
||||
@GuardedBy("mUidRulesFirstLock")
|
||||
@@ -787,6 +797,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
mRestrictPower = mPowerManagerInternal.getLowPowerState(
|
||||
ServiceType.NETWORK_FIREWALL).batterySaverEnabled;
|
||||
|
||||
mRestrictedNetworkingMode = Settings.Global.getInt(
|
||||
mContext.getContentResolver(),
|
||||
Settings.Global.RESTRICTED_NETWORKING_MODE, 0) != 0;
|
||||
|
||||
mSystemReady = true;
|
||||
|
||||
waitForAdminData();
|
||||
@@ -3502,6 +3516,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
fout.print("Restrict background: "); fout.println(mRestrictBackground);
|
||||
fout.print("Restrict power: "); fout.println(mRestrictPower);
|
||||
fout.print("Device idle: "); fout.println(mDeviceIdleMode);
|
||||
fout.print("Restricted networking mode: "); fout.println(mRestrictedNetworkingMode);
|
||||
synchronized (mMeteredIfacesLock) {
|
||||
fout.print("Metered ifaces: ");
|
||||
fout.println(mMeteredIfaces);
|
||||
@@ -3813,6 +3828,93 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* updates restricted mode state / access for all apps
|
||||
* Called on initialization and when restricted mode is enabled / disabled.
|
||||
*/
|
||||
@VisibleForTesting
|
||||
@GuardedBy("mUidRulesFirstLock")
|
||||
void updateRestrictedModeAllowlistUL() {
|
||||
mUidFirewallRestrictedModeRules.clear();
|
||||
forEachUid("updateRestrictedModeAllowlist", uid -> {
|
||||
final int oldUidRule = mUidRules.get(uid);
|
||||
final int newUidRule = getNewRestrictedModeUidRule(uid, oldUidRule);
|
||||
final boolean hasUidRuleChanged = oldUidRule != newUidRule;
|
||||
final int newFirewallRule = getRestrictedModeFirewallRule(newUidRule);
|
||||
|
||||
// setUidFirewallRulesUL will allowlist all uids that are passed to it, so only add
|
||||
// non-default rules.
|
||||
if (newFirewallRule != FIREWALL_RULE_DEFAULT) {
|
||||
mUidFirewallRestrictedModeRules.append(uid, newFirewallRule);
|
||||
}
|
||||
|
||||
if (hasUidRuleChanged) {
|
||||
mUidRules.put(uid, newUidRule);
|
||||
mHandler.obtainMessage(MSG_RULES_CHANGED, uid, newUidRule).sendToTarget();
|
||||
}
|
||||
});
|
||||
if (mRestrictedNetworkingMode) {
|
||||
// firewall rules only need to be set when this mode is being enabled.
|
||||
setUidFirewallRulesUL(FIREWALL_CHAIN_RESTRICTED, mUidFirewallRestrictedModeRules);
|
||||
}
|
||||
enableFirewallChainUL(FIREWALL_CHAIN_RESTRICTED, mRestrictedNetworkingMode);
|
||||
}
|
||||
|
||||
// updates restricted mode state / access for a single app / uid.
|
||||
@VisibleForTesting
|
||||
@GuardedBy("mUidRulesFirstLock")
|
||||
void updateRestrictedModeForUidUL(int uid) {
|
||||
final int oldUidRule = mUidRules.get(uid);
|
||||
final int newUidRule = getNewRestrictedModeUidRule(uid, oldUidRule);
|
||||
final boolean hasUidRuleChanged = oldUidRule != newUidRule;
|
||||
|
||||
if (hasUidRuleChanged) {
|
||||
mUidRules.put(uid, newUidRule);
|
||||
mHandler.obtainMessage(MSG_RULES_CHANGED, uid, newUidRule).sendToTarget();
|
||||
}
|
||||
|
||||
// if restricted networking mode is on, and the app has an access exemption, the uid rule
|
||||
// will not change, but the firewall rule will have to be updated.
|
||||
if (mRestrictedNetworkingMode) {
|
||||
// Note: setUidFirewallRule also updates mUidFirewallRestrictedModeRules.
|
||||
// In this case, default firewall rules can also be added.
|
||||
setUidFirewallRule(FIREWALL_CHAIN_RESTRICTED, uid,
|
||||
getRestrictedModeFirewallRule(newUidRule));
|
||||
}
|
||||
}
|
||||
|
||||
private int getNewRestrictedModeUidRule(int uid, int oldUidRule) {
|
||||
int newRule = oldUidRule;
|
||||
newRule &= ~MASK_RESTRICTED_MODE_NETWORKS;
|
||||
if (mRestrictedNetworkingMode && !hasRestrictedModeAccess(uid)) {
|
||||
newRule |= RULE_REJECT_RESTRICTED_MODE;
|
||||
}
|
||||
return newRule;
|
||||
}
|
||||
|
||||
private static int getRestrictedModeFirewallRule(int uidRule) {
|
||||
if ((uidRule & RULE_REJECT_RESTRICTED_MODE) != 0) {
|
||||
// rejected in restricted mode, this is the default behavior.
|
||||
return FIREWALL_RULE_DEFAULT;
|
||||
} else {
|
||||
return FIREWALL_RULE_ALLOW;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean hasRestrictedModeAccess(int uid) {
|
||||
try {
|
||||
// TODO: this needs to be kept in sync with
|
||||
// PermissionMonitor#hasRestrictedNetworkPermission
|
||||
return mIPm.checkUidPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, uid)
|
||||
== PERMISSION_GRANTED
|
||||
|| mIPm.checkUidPermission(NETWORK_STACK, uid) == PERMISSION_GRANTED
|
||||
|| mIPm.checkUidPermission(PERMISSION_MAINLINE_NETWORK_STACK, uid)
|
||||
== PERMISSION_GRANTED;
|
||||
} catch (RemoteException e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
@GuardedBy("mUidRulesFirstLock")
|
||||
void updateRulesForPowerSaveUL() {
|
||||
Trace.traceBegin(Trace.TRACE_TAG_NETWORK, "updateRulesForPowerSaveUL");
|
||||
@@ -4034,6 +4136,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
updateRulesForAppIdleUL();
|
||||
updateRulesForRestrictPowerUL();
|
||||
updateRulesForRestrictBackgroundUL();
|
||||
updateRestrictedModeAllowlistUL();
|
||||
|
||||
// If the set of restricted networks may have changed, re-evaluate those.
|
||||
if (restrictedNetworksChanged) {
|
||||
@@ -4250,6 +4353,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
mPowerSaveWhitelistAppIds.delete(uid);
|
||||
mPowerSaveTempWhitelistAppIds.delete(uid);
|
||||
mAppIdleTempWhitelistAppIds.delete(uid);
|
||||
mUidFirewallRestrictedModeRules.delete(uid);
|
||||
|
||||
// ...then update iptables asynchronously.
|
||||
mHandler.obtainMessage(MSG_RESET_FIREWALL_RULES_BY_UID, uid, 0).sendToTarget();
|
||||
@@ -4275,6 +4379,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
updateRuleForAppIdleUL(uid);
|
||||
updateRuleForRestrictPowerUL(uid);
|
||||
|
||||
// If the uid has the necessary permissions, then it should be added to the restricted mode
|
||||
// firewall allowlist.
|
||||
updateRestrictedModeForUidUL(uid);
|
||||
|
||||
// Update internal state for power-related modes.
|
||||
updateRulesForPowerRestrictionsUL(uid);
|
||||
|
||||
@@ -5000,6 +5108,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
mUidFirewallStandbyRules.put(uid, rule);
|
||||
} else if (chain == FIREWALL_CHAIN_POWERSAVE) {
|
||||
mUidFirewallPowerSaveRules.put(uid, rule);
|
||||
} else if (chain == FIREWALL_CHAIN_RESTRICTED) {
|
||||
mUidFirewallRestrictedModeRules.put(uid, rule);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -5045,6 +5155,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_STANDBY, uid, FIREWALL_RULE_DEFAULT);
|
||||
mNetworkManager
|
||||
.setFirewallUidRule(FIREWALL_CHAIN_POWERSAVE, uid, FIREWALL_RULE_DEFAULT);
|
||||
mNetworkManager
|
||||
.setFirewallUidRule(FIREWALL_CHAIN_RESTRICTED, uid, FIREWALL_RULE_DEFAULT);
|
||||
mNetworkManager.setUidOnMeteredNetworkAllowlist(uid, false);
|
||||
mNetworkManager.setUidOnMeteredNetworkDenylist(uid, false);
|
||||
} catch (IllegalStateException e) {
|
||||
@@ -5231,26 +5343,21 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
// Networks are never blocked for system components
|
||||
if (isSystem(uid)) {
|
||||
reason = NTWK_ALLOWED_SYSTEM;
|
||||
}
|
||||
else if (hasRule(uidRules, RULE_REJECT_ALL)) {
|
||||
} else if (hasRule(uidRules, RULE_REJECT_RESTRICTED_MODE)) {
|
||||
reason = NTWK_BLOCKED_RESTRICTED_MODE;
|
||||
} else if (hasRule(uidRules, RULE_REJECT_ALL)) {
|
||||
reason = NTWK_BLOCKED_POWER;
|
||||
}
|
||||
else if (!isNetworkMetered) {
|
||||
} else if (!isNetworkMetered) {
|
||||
reason = NTWK_ALLOWED_NON_METERED;
|
||||
}
|
||||
else if (hasRule(uidRules, RULE_REJECT_METERED)) {
|
||||
} else if (hasRule(uidRules, RULE_REJECT_METERED)) {
|
||||
reason = NTWK_BLOCKED_DENYLIST;
|
||||
}
|
||||
else if (hasRule(uidRules, RULE_ALLOW_METERED)) {
|
||||
} else if (hasRule(uidRules, RULE_ALLOW_METERED)) {
|
||||
reason = NTWK_ALLOWED_ALLOWLIST;
|
||||
}
|
||||
else if (hasRule(uidRules, RULE_TEMPORARY_ALLOW_METERED)) {
|
||||
} else if (hasRule(uidRules, RULE_TEMPORARY_ALLOW_METERED)) {
|
||||
reason = NTWK_ALLOWED_TMP_ALLOWLIST;
|
||||
}
|
||||
else if (isBackgroundRestricted) {
|
||||
} else if (isBackgroundRestricted) {
|
||||
reason = NTWK_BLOCKED_BG_RESTRICT;
|
||||
}
|
||||
else {
|
||||
} else {
|
||||
reason = NTWK_ALLOWED_DEFAULT;
|
||||
}
|
||||
|
||||
@@ -5263,6 +5370,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
|
||||
case NTWK_ALLOWED_SYSTEM:
|
||||
blocked = false;
|
||||
break;
|
||||
case NTWK_BLOCKED_RESTRICTED_MODE:
|
||||
case NTWK_BLOCKED_POWER:
|
||||
case NTWK_BLOCKED_DENYLIST:
|
||||
case NTWK_BLOCKED_BG_RESTRICT:
|
||||
|
||||
@@ -16,13 +16,18 @@
|
||||
|
||||
package com.android.server.net;
|
||||
|
||||
import static android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS;
|
||||
import static android.Manifest.permission.NETWORK_STACK;
|
||||
import static android.net.ConnectivityManager.CONNECTIVITY_ACTION;
|
||||
import static android.net.ConnectivityManager.TYPE_WIFI;
|
||||
import static android.net.INetd.FIREWALL_CHAIN_RESTRICTED;
|
||||
import static android.net.INetd.FIREWALL_RULE_ALLOW;
|
||||
import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_ROAMING;
|
||||
import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR;
|
||||
import static android.net.NetworkPolicy.LIMIT_DISABLED;
|
||||
import static android.net.NetworkPolicy.SNOOZE_NEVER;
|
||||
import static android.net.NetworkPolicy.WARNING_DISABLED;
|
||||
import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT;
|
||||
import static android.net.NetworkPolicyManager.POLICY_ALLOW_METERED_BACKGROUND;
|
||||
import static android.net.NetworkPolicyManager.POLICY_NONE;
|
||||
import static android.net.NetworkPolicyManager.POLICY_REJECT_METERED_BACKGROUND;
|
||||
@@ -34,6 +39,7 @@ import static android.net.NetworkPolicyManager.RULE_REJECT_METERED;
|
||||
import static android.net.NetworkPolicyManager.RULE_TEMPORARY_ALLOW_METERED;
|
||||
import static android.net.NetworkPolicyManager.uidPoliciesToString;
|
||||
import static android.net.NetworkPolicyManager.uidRulesToString;
|
||||
import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK;
|
||||
import static android.net.NetworkStats.IFACE_ALL;
|
||||
import static android.net.NetworkStats.SET_ALL;
|
||||
import static android.net.NetworkStats.TAG_ALL;
|
||||
@@ -74,6 +80,7 @@ import static org.mockito.ArgumentMatchers.eq;
|
||||
import static org.mockito.ArgumentMatchers.isA;
|
||||
import static org.mockito.Mockito.atLeast;
|
||||
import static org.mockito.Mockito.atLeastOnce;
|
||||
import static org.mockito.Mockito.clearInvocations;
|
||||
import static org.mockito.Mockito.doAnswer;
|
||||
import static org.mockito.Mockito.doNothing;
|
||||
import static org.mockito.Mockito.mock;
|
||||
@@ -97,6 +104,7 @@ import android.content.pm.IPackageManager;
|
||||
import android.content.pm.PackageInfo;
|
||||
import android.content.pm.PackageManager;
|
||||
import android.content.pm.Signature;
|
||||
import android.content.pm.UserInfo;
|
||||
import android.net.ConnectivityManager;
|
||||
import android.net.IConnectivityManager;
|
||||
import android.net.INetworkManagementEventObserver;
|
||||
@@ -123,6 +131,7 @@ import android.os.RemoteException;
|
||||
import android.os.SimpleClock;
|
||||
import android.os.SystemClock;
|
||||
import android.os.UserHandle;
|
||||
import android.os.UserManager;
|
||||
import android.platform.test.annotations.Presubmit;
|
||||
import android.telephony.CarrierConfigManager;
|
||||
import android.telephony.SubscriptionInfo;
|
||||
@@ -131,6 +140,7 @@ import android.telephony.SubscriptionPlan;
|
||||
import android.telephony.TelephonyManager;
|
||||
import android.test.suitebuilder.annotation.MediumTest;
|
||||
import android.text.TextUtils;
|
||||
import android.util.ArrayMap;
|
||||
import android.util.DataUnit;
|
||||
import android.util.Log;
|
||||
import android.util.Pair;
|
||||
@@ -187,6 +197,7 @@ import java.util.Calendar;
|
||||
import java.util.Iterator;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.TimeZone;
|
||||
import java.util.concurrent.CountDownLatch;
|
||||
import java.util.concurrent.ExecutionException;
|
||||
@@ -240,6 +251,7 @@ public class NetworkPolicyManagerServiceTest {
|
||||
private @Mock SubscriptionManager mSubscriptionManager;
|
||||
private @Mock CarrierConfigManager mCarrierConfigManager;
|
||||
private @Mock TelephonyManager mTelephonyManager;
|
||||
private @Mock UserManager mUserManager;
|
||||
|
||||
private ArgumentCaptor<ConnectivityManager.NetworkCallback> mNetworkCallbackCaptor =
|
||||
ArgumentCaptor.forClass(ConnectivityManager.NetworkCallback.class);
|
||||
@@ -351,6 +363,8 @@ public class NetworkPolicyManagerServiceTest {
|
||||
return mNotifManager;
|
||||
case Context.CONNECTIVITY_SERVICE:
|
||||
return mConnectivityManager;
|
||||
case Context.USER_SERVICE:
|
||||
return mUserManager;
|
||||
default:
|
||||
return super.getSystemService(name);
|
||||
}
|
||||
@@ -407,11 +421,14 @@ public class NetworkPolicyManagerServiceTest {
|
||||
when(mPackageManager.getPackagesForUid(UID_B)).thenReturn(new String[] {PKG_NAME_B});
|
||||
when(mPackageManager.getPackagesForUid(UID_C)).thenReturn(new String[] {PKG_NAME_C});
|
||||
when(mPackageManager.getApplicationInfo(eq(PKG_NAME_A), anyInt()))
|
||||
.thenReturn(buildApplicationInfo(PKG_NAME_A));
|
||||
.thenReturn(buildApplicationInfo(PKG_NAME_A, UID_A));
|
||||
when(mPackageManager.getApplicationInfo(eq(PKG_NAME_B), anyInt()))
|
||||
.thenReturn(buildApplicationInfo(PKG_NAME_B));
|
||||
.thenReturn(buildApplicationInfo(PKG_NAME_B, UID_B));
|
||||
when(mPackageManager.getApplicationInfo(eq(PKG_NAME_C), anyInt()))
|
||||
.thenReturn(buildApplicationInfo(PKG_NAME_C));
|
||||
.thenReturn(buildApplicationInfo(PKG_NAME_C, UID_C));
|
||||
when(mPackageManager.getInstalledApplications(anyInt())).thenReturn(
|
||||
buildInstalledApplicationInfoList());
|
||||
when(mUserManager.getUsers()).thenReturn(buildUserInfoList());
|
||||
when(mNetworkManager.isBandwidthControlEnabled()).thenReturn(true);
|
||||
when(mNetworkManager.setDataSaverModeEnabled(anyBoolean())).thenReturn(true);
|
||||
doNothing().when(mConnectivityManager)
|
||||
@@ -1874,6 +1891,66 @@ public class NetworkPolicyManagerServiceTest {
|
||||
}
|
||||
}
|
||||
|
||||
private void enableRestrictedMode(boolean enable) throws Exception {
|
||||
mService.mRestrictedNetworkingMode = enable;
|
||||
mService.updateRestrictedModeAllowlistUL();
|
||||
verify(mNetworkManager).setFirewallChainEnabled(FIREWALL_CHAIN_RESTRICTED,
|
||||
enable);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUpdateRestrictedModeAllowlist() throws Exception {
|
||||
// initialization calls setFirewallChainEnabled, so we want to reset the invocations.
|
||||
clearInvocations(mNetworkManager);
|
||||
expectHasUseRestrictedNetworksPermission(UID_A, true);
|
||||
expectHasUseRestrictedNetworksPermission(UID_B, false);
|
||||
|
||||
Map<Integer, Integer> firewallUidRules = new ArrayMap<>();
|
||||
doAnswer(arg -> {
|
||||
int[] uids = arg.getArgument(1);
|
||||
int[] rules = arg.getArgument(2);
|
||||
assertTrue(uids.length == rules.length);
|
||||
|
||||
for (int i = 0; i < uids.length; ++i) {
|
||||
firewallUidRules.put(uids[i], rules[i]);
|
||||
}
|
||||
return null;
|
||||
}).when(mNetworkManager).setFirewallUidRules(eq(FIREWALL_CHAIN_RESTRICTED),
|
||||
any(int[].class), any(int[].class));
|
||||
|
||||
enableRestrictedMode(true);
|
||||
assertEquals(FIREWALL_RULE_ALLOW, firewallUidRules.get(UID_A).intValue());
|
||||
assertFalse(mService.isUidNetworkingBlocked(UID_A, false));
|
||||
assertTrue(mService.isUidNetworkingBlocked(UID_B, false));
|
||||
|
||||
enableRestrictedMode(false);
|
||||
assertFalse(mService.isUidNetworkingBlocked(UID_A, false));
|
||||
assertFalse(mService.isUidNetworkingBlocked(UID_B, false));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUpdateRestrictedModeForUid() throws Exception {
|
||||
// initialization calls setFirewallChainEnabled, so we want to reset the invocations.
|
||||
clearInvocations(mNetworkManager);
|
||||
expectHasUseRestrictedNetworksPermission(UID_A, true);
|
||||
expectHasUseRestrictedNetworksPermission(UID_B, false);
|
||||
enableRestrictedMode(true);
|
||||
|
||||
// UID_D and UID_E are not part of installed applications list, so it won't have any
|
||||
// firewall rules set yet
|
||||
expectHasUseRestrictedNetworksPermission(UID_D, false);
|
||||
mService.updateRestrictedModeForUidUL(UID_D);
|
||||
verify(mNetworkManager).setFirewallUidRule(FIREWALL_CHAIN_RESTRICTED, UID_D,
|
||||
FIREWALL_RULE_DEFAULT);
|
||||
assertTrue(mService.isUidNetworkingBlocked(UID_D, false));
|
||||
|
||||
expectHasUseRestrictedNetworksPermission(UID_E, true);
|
||||
mService.updateRestrictedModeForUidUL(UID_E);
|
||||
verify(mNetworkManager).setFirewallUidRule(FIREWALL_CHAIN_RESTRICTED, UID_E,
|
||||
FIREWALL_RULE_ALLOW);
|
||||
assertFalse(mService.isUidNetworkingBlocked(UID_E, false));
|
||||
}
|
||||
|
||||
private String formatBlockedStateError(int uid, int rule, boolean metered,
|
||||
boolean backgroundRestricted) {
|
||||
return String.format(
|
||||
@@ -1888,12 +1965,27 @@ public class NetworkPolicyManagerServiceTest {
|
||||
.build();
|
||||
}
|
||||
|
||||
private ApplicationInfo buildApplicationInfo(String label) {
|
||||
private ApplicationInfo buildApplicationInfo(String label, int uid) {
|
||||
final ApplicationInfo ai = new ApplicationInfo();
|
||||
ai.nonLocalizedLabel = label;
|
||||
ai.uid = uid;
|
||||
return ai;
|
||||
}
|
||||
|
||||
private List<ApplicationInfo> buildInstalledApplicationInfoList() {
|
||||
final List<ApplicationInfo> installedApps = new ArrayList<>();
|
||||
installedApps.add(buildApplicationInfo(PKG_NAME_A, UID_A));
|
||||
installedApps.add(buildApplicationInfo(PKG_NAME_B, UID_B));
|
||||
installedApps.add(buildApplicationInfo(PKG_NAME_C, UID_C));
|
||||
return installedApps;
|
||||
}
|
||||
|
||||
private List<UserInfo> buildUserInfoList() {
|
||||
final List<UserInfo> users = new ArrayList<>();
|
||||
users.add(new UserInfo(USER_ID, "user1", 0));
|
||||
return users;
|
||||
}
|
||||
|
||||
private NetworkInfo buildNetworkInfo() {
|
||||
final NetworkInfo ni = new NetworkInfo(ConnectivityManager.TYPE_MOBILE,
|
||||
TelephonyManager.NETWORK_TYPE_LTE, null, null);
|
||||
@@ -1967,6 +2059,15 @@ public class NetworkPolicyManagerServiceTest {
|
||||
hasIt ? PackageManager.PERMISSION_GRANTED : PackageManager.PERMISSION_DENIED);
|
||||
}
|
||||
|
||||
private void expectHasUseRestrictedNetworksPermission(int uid, boolean hasIt) throws Exception {
|
||||
when(mIpm.checkUidPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, uid)).thenReturn(
|
||||
hasIt ? PackageManager.PERMISSION_GRANTED : PackageManager.PERMISSION_DENIED);
|
||||
when(mIpm.checkUidPermission(NETWORK_STACK, uid)).thenReturn(
|
||||
PackageManager.PERMISSION_DENIED);
|
||||
when(mIpm.checkUidPermission(PERMISSION_MAINLINE_NETWORK_STACK, uid)).thenReturn(
|
||||
PackageManager.PERMISSION_DENIED);
|
||||
}
|
||||
|
||||
private void expectNetworkState(boolean roaming) throws Exception {
|
||||
when(mCarrierConfigManager.getConfigForSubId(eq(TEST_SUB_ID)))
|
||||
.thenReturn(mCarrierConfig);
|
||||
|
||||
Reference in New Issue
Block a user