Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Remove providesRoutesToMostDestinations."

Browse Source 
This reverts commit d85b09a06f.

Reason for revert: multiple build breakages b/137069068

Change-Id: I60a4f71e13fe82f970b177a07c0b58439cbc64ff
This commit is contained in:
Fedor Kudasov
2019-07-09 09:23:25 +00:00
parent d85b09a06f
commit e5cb0a2216
3 changed files with 269 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
core/java/android/net/NetworkUtils.java
View File

@@ -29,6 +29,7 @@ import android.util.Log;
import android.util.Pair;
import java.io.FileDescriptor;
import java.math.BigInteger;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
@@ -36,6 +37,7 @@ import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.Collection;
import java.util.Locale;
import java.util.TreeSet;
/**
* Native methods for managing network interfaces.
@@ -390,6 +392,74 @@ public class NetworkUtils {
return result;
}
/**
* Returns a prefix set without overlaps.
*
* This expects the src set to be sorted from shorter to longer. Results are undefined
* failing this condition. The returned prefix set is sorted in the same order as the
* passed set, with the same comparator.
*/
private static TreeSet<IpPrefix> deduplicatePrefixSet(final TreeSet<IpPrefix> src) {
final TreeSet<IpPrefix> dst = new TreeSet<>(src.comparator());
// Prefixes match addresses that share their upper part up to their length, therefore
// the only kind of possible overlap in two prefixes is strict inclusion of the longer
// (more restrictive) in the shorter (including equivalence if they have the same
// length).
// Because prefixes in the src set are sorted from shorter to longer, deduplicating
// is done by simply iterating in order, and not adding any longer prefix that is
// already covered by a shorter one.
newPrefixes:
for (IpPrefix newPrefix : src) {
for (IpPrefix existingPrefix : dst) {
if (existingPrefix.containsPrefix(newPrefix)) {
continue newPrefixes;
}
}
dst.add(newPrefix);
}
return dst;
}
/**
* Returns how many IPv4 addresses match any of the prefixes in the passed ordered set.
*
* Obviously this returns an integral value between 0 and 2**32.
* The behavior is undefined if any of the prefixes is not an IPv4 prefix or if the
* set is not ordered smallest prefix to longer prefix.
*
* @param prefixes the set of prefixes, ordered by length
*/
public static long routedIPv4AddressCount(final TreeSet<IpPrefix> prefixes) {
long routedIPCount = 0;
for (final IpPrefix prefix : deduplicatePrefixSet(prefixes)) {
if (!prefix.isIPv4()) {
Log.wtf(TAG, "Non-IPv4 prefix in routedIPv4AddressCount");
}
int rank = 32 - prefix.getPrefixLength();
routedIPCount += 1L << rank;
}
return routedIPCount;
}
/**
* Returns how many IPv6 addresses match any of the prefixes in the passed ordered set.
*
* This returns a BigInteger between 0 and 2**128.
* The behavior is undefined if any of the prefixes is not an IPv6 prefix or if the
* set is not ordered smallest prefix to longer prefix.
*/
public static BigInteger routedIPv6AddressCount(final TreeSet<IpPrefix> prefixes) {
BigInteger routedIPCount = BigInteger.ZERO;
for (final IpPrefix prefix : deduplicatePrefixSet(prefixes)) {
if (!prefix.isIPv6()) {
Log.wtf(TAG, "Non-IPv6 prefix in routedIPv6AddressCount");
}
int rank = 128 - prefix.getPrefixLength();
routedIPCount = routedIPCount.add(BigInteger.ONE.shiftLeft(rank));
}
return routedIPCount;
}
private static final int[] ADDRESS_FAMILIES = new int[] {AF_INET, AF_INET6};
/**

80
services/core/java/com/android/server/connectivity/Vpn.java
View File

@@ -58,6 +58,7 @@ import android.net.NetworkFactory;
import android.net.NetworkInfo;
import android.net.NetworkInfo.DetailedState;
import android.net.NetworkMisc;
import android.net.NetworkUtils;
import android.net.RouteInfo;
import android.net.UidRange;
import android.net.VpnService;
@@ -104,6 +105,7 @@ import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
@@ -112,6 +114,7 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
@@ -131,6 +134,31 @@ public class Vpn {
// the device idle whitelist during service launch and VPN bootstrap.
private static final long VPN_LAUNCH_IDLE_WHITELIST_DURATION_MS = 60 * 1000;
// Settings for how much of the address space should be routed so that Vpn considers
// "most" of the address space is routed. This is used to determine whether this Vpn
// should be marked with the INTERNET capability.
private static final long MOST_IPV4_ADDRESSES_COUNT;
private static final BigInteger MOST_IPV6_ADDRESSES_COUNT;
static {
// 85% of the address space must be routed for Vpn to consider this VPN to provide
// INTERNET access.
final int howManyPercentIsMost = 85;
final long twoPower32 = 1L << 32;
MOST_IPV4_ADDRESSES_COUNT = twoPower32 * howManyPercentIsMost / 100;
final BigInteger twoPower128 = BigInteger.ONE.shiftLeft(128);
MOST_IPV6_ADDRESSES_COUNT = twoPower128
.multiply(BigInteger.valueOf(howManyPercentIsMost))
.divide(BigInteger.valueOf(100));
}
// How many routes to evaluate before bailing and declaring this Vpn should provide
// the INTERNET capability. This is necessary because computing the address space is
// O(n²) and this is running in the system service, so a limit is needed to alleviate
// the risk of attack.
// This is taken as a total of IPv4 + IPV6 routes for simplicity, but the algorithm
// is actually O(n²)+O(n²).
private static final int MAX_ROUTES_TO_EVALUATE = 150;
// TODO: create separate trackers for each unique VPN to support
// automated reconnection
@@ -228,7 +256,7 @@ public class Vpn {
}
/**
* Update current state, dispatching event to listeners.
* Update current state, dispaching event to listeners.
*/
@VisibleForTesting
protected void updateState(DetailedState detailedState, String reason) {
@@ -273,7 +301,7 @@ public class Vpn {
}
@VisibleForTesting
static void applyUnderlyingCapabilities(
public static void applyUnderlyingCapabilities(
ConnectivityManager cm,
Network[] underlyingNetworks,
NetworkCapabilities caps,
@@ -387,7 +415,7 @@ public class Vpn {
PackageManager pm = mContext.getPackageManager();
ApplicationInfo appInfo = null;
try {
appInfo = pm.getApplicationInfoAsUser(packageName, 0 /* flags */, mUserHandle);
appInfo = pm.getApplicationInfoAsUser(packageName, 0 /*flags*/, mUserHandle);
} catch (NameNotFoundException unused) {
Log.w(TAG, "Can't find \"" + packageName + "\" when checking always-on support");
}
@@ -548,7 +576,7 @@ public class Vpn {
final String alwaysOnPackage = mSystemServices.settingsSecureGetStringForUser(
Settings.Secure.ALWAYS_ON_VPN_APP, mUserHandle);
final boolean alwaysOnLockdown = mSystemServices.settingsSecureGetIntForUser(
Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN, 0 /* default */, mUserHandle) != 0;
Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN, 0 /*default*/, mUserHandle) != 0;
final String whitelistString = mSystemServices.settingsSecureGetStringForUser(
Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN_WHITELIST, mUserHandle);
final List<String> whitelistedPackages = TextUtils.isEmpty(whitelistString)
@@ -800,7 +828,7 @@ public class Vpn {
PackageManager pm = mContext.getPackageManager();
try {
ApplicationInfo appInfo =
pm.getApplicationInfoAsUser(packageName, 0 /* flags */, mUserHandle);
pm.getApplicationInfoAsUser(packageName, 0 /*flags*/, mUserHandle);
return appInfo.targetSdkVersion >= VERSION_CODES.Q;
} catch (NameNotFoundException unused) {
Log.w(TAG, "Can't find \"" + packageName + "\"");
@@ -873,6 +901,38 @@ public class Vpn {
return lp;
}
/**
* Analyzes the passed LinkedProperties to figure out whether it routes to most of the IP space.
*
* This returns true if the passed LinkedProperties contains routes to either most of the IPv4
* space or to most of the IPv6 address space, where "most" is defined by the value of the
* MOST_IPV{4,6}_ADDRESSES_COUNT constants : if more than this number of addresses are matched
* by any of the routes, then it's decided that most of the space is routed.
* @hide
*/
@VisibleForTesting
static boolean providesRoutesToMostDestinations(LinkProperties lp) {
final List<RouteInfo> routes = lp.getAllRoutes();
if (routes.size() > MAX_ROUTES_TO_EVALUATE) return true;
final Comparator<IpPrefix> prefixLengthComparator = IpPrefix.lengthComparator();
TreeSet<IpPrefix> ipv4Prefixes = new TreeSet<>(prefixLengthComparator);
TreeSet<IpPrefix> ipv6Prefixes = new TreeSet<>(prefixLengthComparator);
for (final RouteInfo route : routes) {
if (route.getType() == RouteInfo.RTN_UNREACHABLE) continue;
IpPrefix destination = route.getDestination();
if (destination.isIPv4()) {
ipv4Prefixes.add(destination);
} else {
ipv6Prefixes.add(destination);
}
}
if (NetworkUtils.routedIPv4AddressCount(ipv4Prefixes) > MOST_IPV4_ADDRESSES_COUNT) {
return true;
}
return NetworkUtils.routedIPv6AddressCount(ipv6Prefixes)
.compareTo(MOST_IPV6_ADDRESSES_COUNT) >= 0;
}
/**
* Attempt to perform a seamless handover of VPNs by only updating LinkProperties without
* registering a new NetworkAgent. This is not always possible if the new VPN configuration
@@ -1598,8 +1658,8 @@ public class Vpn {
*/
public PendingIntent pendingIntentGetActivityAsUser(
Intent intent, int flags, UserHandle user) {
return PendingIntent.getActivityAsUser(mContext, 0 /* request */, intent, flags,
null /* options */, user);
return PendingIntent.getActivityAsUser(mContext, 0 /*request*/, intent, flags,
null /*options*/, user);
}
/**
@@ -1705,7 +1765,7 @@ public class Vpn {
byte[] value = keyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecServerCert);
serverCert = (value == null) ? null : new String(value, StandardCharsets.UTF_8);
}
if (userCert == null || caCert == null || serverCert == null) {
if (privateKey == null || userCert == null || caCert == null || serverCert == null) {
throw new IllegalStateException("Cannot load credentials");
}
@@ -1824,7 +1884,7 @@ public class Vpn {
* Return the information of the current ongoing legacy VPN.
* Callers are responsible for checking permissions if needed.
*/
private synchronized LegacyVpnInfo getLegacyVpnInfoPrivileged() {
public synchronized LegacyVpnInfo getLegacyVpnInfoPrivileged() {
if (mLegacyVpnRunner == null) return null;
final LegacyVpnInfo info = new LegacyVpnInfo();
@@ -1978,6 +2038,7 @@ public class Vpn {
private void bringup() {
// Catch all exceptions so we can clean up a few things.
boolean initFinished = false;
try {
// Initialize the timer.
mBringupStartTime = SystemClock.elapsedRealtime();
@@ -1996,6 +2057,7 @@ public class Vpn {
throw new IllegalStateException("Cannot delete the state");
}
new File("/data/misc/vpn/abort").delete();
initFinished = true;
// Check if we need to restart any of the daemons.
boolean restart = false;

128
tests/net/java/android/net/NetworkUtilsTest.java Normal file
View File

@@ -0,0 +1,128 @@
/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.net;
import static junit.framework.Assert.assertEquals;
import androidx.test.runner.AndroidJUnit4;
import org.junit.Test;
import org.junit.runner.RunWith;
import java.math.BigInteger;
import java.util.TreeSet;
@RunWith(AndroidJUnit4.class)
@androidx.test.filters.SmallTest
public class NetworkUtilsTest {
@Test
public void testRoutedIPv4AddressCount() {
final TreeSet<IpPrefix> set = new TreeSet<>(IpPrefix.lengthComparator());
// No routes routes to no addresses.
assertEquals(0, NetworkUtils.routedIPv4AddressCount(set));
set.add(new IpPrefix("0.0.0.0/0"));
assertEquals(1l << 32, NetworkUtils.routedIPv4AddressCount(set));
set.add(new IpPrefix("20.18.0.0/16"));
set.add(new IpPrefix("20.18.0.0/24"));
set.add(new IpPrefix("20.18.0.0/8"));
// There is a default route, still covers everything
assertEquals(1l << 32, NetworkUtils.routedIPv4AddressCount(set));
set.clear();
set.add(new IpPrefix("20.18.0.0/24"));
set.add(new IpPrefix("20.18.0.0/8"));
// The 8-length includes the 24-length prefix
assertEquals(1l << 24, NetworkUtils.routedIPv4AddressCount(set));
set.add(new IpPrefix("10.10.10.126/25"));
// The 8-length does not include this 25-length prefix
assertEquals((1l << 24) + (1 << 7), NetworkUtils.routedIPv4AddressCount(set));
set.clear();
set.add(new IpPrefix("1.2.3.4/32"));
set.add(new IpPrefix("1.2.3.4/32"));
set.add(new IpPrefix("1.2.3.4/32"));
set.add(new IpPrefix("1.2.3.4/32"));
assertEquals(1l, NetworkUtils.routedIPv4AddressCount(set));
set.add(new IpPrefix("1.2.3.5/32"));
set.add(new IpPrefix("1.2.3.6/32"));
set.add(new IpPrefix("1.2.3.7/32"));
set.add(new IpPrefix("1.2.3.8/32"));
set.add(new IpPrefix("1.2.3.9/32"));
set.add(new IpPrefix("1.2.3.0/32"));
assertEquals(7l, NetworkUtils.routedIPv4AddressCount(set));
// 1.2.3.4/30 eats 1.2.3.{4-7}/32
set.add(new IpPrefix("1.2.3.4/30"));
set.add(new IpPrefix("6.2.3.4/28"));
set.add(new IpPrefix("120.2.3.4/16"));
assertEquals(7l - 4 + 4 + 16 + 65536, NetworkUtils.routedIPv4AddressCount(set));
}
@Test
public void testRoutedIPv6AddressCount() {
final TreeSet<IpPrefix> set = new TreeSet<>(IpPrefix.lengthComparator());
// No routes routes to no addresses.
assertEquals(BigInteger.ZERO, NetworkUtils.routedIPv6AddressCount(set));
set.add(new IpPrefix("::/0"));
assertEquals(BigInteger.ONE.shiftLeft(128), NetworkUtils.routedIPv6AddressCount(set));
set.add(new IpPrefix("1234:622a::18/64"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6adb/96"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6adb/8"));
// There is a default route, still covers everything
assertEquals(BigInteger.ONE.shiftLeft(128), NetworkUtils.routedIPv6AddressCount(set));
set.clear();
set.add(new IpPrefix("add4:f00:80:f7:1111::6adb/96"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6adb/8"));
// The 8-length includes the 96-length prefix
assertEquals(BigInteger.ONE.shiftLeft(120), NetworkUtils.routedIPv6AddressCount(set));
set.add(new IpPrefix("10::26/64"));
// The 8-length does not include this 64-length prefix
assertEquals(BigInteger.ONE.shiftLeft(120).add(BigInteger.ONE.shiftLeft(64)),
NetworkUtils.routedIPv6AddressCount(set));
set.clear();
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/128"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/128"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/128"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/128"));
assertEquals(BigInteger.ONE, NetworkUtils.routedIPv6AddressCount(set));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad5/128"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad6/128"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad7/128"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad8/128"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad9/128"));
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad0/128"));
assertEquals(BigInteger.valueOf(7), NetworkUtils.routedIPv6AddressCount(set));
// add4:f00:80:f7:1111::6ad4/126 eats add4:f00:8[:f7:1111::6ad{4-7}/128
set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/126"));
set.add(new IpPrefix("d00d:f00:80:f7:1111::6ade/124"));
set.add(new IpPrefix("f00b:a33::/112"));
assertEquals(BigInteger.valueOf(7l - 4 + 4 + 16 + 65536),
NetworkUtils.routedIPv6AddressCount(set));
}
}