Also a few utilities that were in the way, and some opportunistic
cleanups.
Test: FrameworksNetTest NetworkStackTest
Change-Id: I385070e2044fd967cb18f1ffea9a86a4627b742e
This change fixes detailed UID stats to ensure network and battery stats
both take VPNs into account. NetworkStatsFactory is being made aware of
VPNs enabled, and the full set of underlying networks present.
Since traffic can only be migrated over a NetworkStats delta, NSF
maintains a NetworkStats snapshot across all UIDs/ifaces/tags.
This snapshot gets updated whenever NSF records a new snapshot
(based on various hooks such as VPN updating its underlying networks,
network getting lost, etc.), or NetworkStatsService's
getDetailedUidStats() method being called.
This change widens the scope of the existing mPersistentSnapshot lock,
renaming it to mPersistentDataLock, and ensures that TUN migrations are
not done in parallel. Additionally, mVpnInfos is updated via
pointer-swapping, to reduce the scope of the mPersistentDataLock.
The safety of this change is predicated on:
1. NetworkStatsFactory lock not held, so services cannot deadlock through
the cyclical lock.
2. The broadening of the scope of the lock in NetworkStatsFactory has no
threading implications, as it is always the last (leaf node) lock held,
and therefore is impossible to have lock inversion.
Additionally, to ensure VPNs work with 464xlat, the VPN info passed to
the NetworkStatsFactory includes all underlying interfaces, instead of
only passing the first one.
This (partially) re-applies changes from:
aosp/972848: Add one more test for VPN usage stats.
aosp/972847: Addressing comments for http://ag/7700679.
aosp/885338: NetworkStatsService: Fix getDetailedUidStats to take VPNs
into account.
Co-developed with: Varun Anand <vaanand@google.com>
Bug: 113122541
Bug: 120145746
Bug: 129264869
Bug: 134244752
Test: FrameworksNetTest passing
Test: Manual tests show data usage fixes maintained.
Change-Id: I6466ec1411fc5ed6954125d27d353b6cd1be719e
This is the most common test library for Connectivity tests. It is
meant to be usable in framework tests, network stack tests, CTS,
GTS. To achieve that, it can only depend on framework classes.
Bug: none
Test: NetworkMonitorTest
Test: NsdManagerTest
Test: ConnectivityServiceTest
Test: OffloadControllerTest
Test: NetworkStatsObserversTest
Test: NetworkStatsServiceTest
(all the touched classes)
Change-Id: Ic47cbe7ba0e407145fa6bc49bb2adb3c5937dbc4
This is a follow-up commit for aosp/955431 to update commets
and minor updates in unit test.
Test: atest com.android.server.ConnectivityServiceTest#testCaptivePortalOnPartialConnectivity
Bug: 130683832
Change-Id: I581eae8daeddd2c4c186e7b40e27fef2aaa7ab43
Once a network is determined to have partial connectivity, it
cannot go back to full connectivity without a disconnect. This
is because NetworkMonitor can only communicate either
PARTIAL_CONNECTIVITY or VALID, but not both. Thus, multiple
validation results allow ConnectivityService to know the real
network status.
Bug: 129662877
Bug: 130683832
Test: atest FrameworksNetTests
Test: atest NetworkStackTests
Test: atest --generate-new-metrics 50
NetworkStackTests:com.android.server.connectivity.NetworkMonitorTest
Test: Simulate partial connectvitiy
Change-Id: I406c9368617c03a2dd3ab15fb1f6dbf539d7c714
When unregistering callback due to ON_UNAVAILABLE did not check for
a non-null callback.
Bug: 132950880
Test: atest ConnectivityServiceTest
Change-Id: I8f3322963f322e6690f1403681bf66e8b38b35f8
Currently, strict mode private DNS does not work on VPNs because
NetworkMonitor does not validate VPNs. When a VPN connects, it
immediately transitions to ValidatedState, skipping private DNS
hostname resolution.
This change makes NetworkMonitor perform private DNS hostname
resolution and evaluation even on VPNs.
In order to ensure that the system always immediately switches to
the VPN as soon as it connects, remove the unvalidated penalty
for VPN networks. This ensures that the VPN score is always 101
and the VPN always outscores other networks as soon as it
connects. Previously, it would only outscore other networks
when no-op validation completed.
Bug: 122652057
Test: atest FrameworksNetTests NetworkStackTests
Test: manually ran a VPN with private DNS in strict mode
atest android.net.cts.ConnectivityManagerTest com.android.cts.net.HostsideVpnTests
Change-Id: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
The onUnavailable semantics promise that it is equivalent to calling
the unregister callback method. But - it doesn't unregister the callback
allowing it to be reused. Fixed.
Additionally, modified the unregisterNetworkCallback method to not fail
on duplicate unregistration (since a callback could now self
unregister). Instead simply print a log.
Bug: 130651445
Test: atest ConnectivityServiceTest
Change-Id: I4c54b003a733eb0b1e4fd8674ed13081b1bef8e3
This reverts commit cecd4a3d64.
Reason for revert: Adds dependency between IpSecService and
ConnectivityService may lead to future deadlock
problems. Uses a simpler approach instead,
hence the solution is not needed.
See aosp/954040.
Change-Id: If6d537a39595cf132d3ed81d4eaac6700f5f0ab3
Support adding NATT keepalive packet filter to APF
filter.
Generating APF program will be addressed in another CL.
Bug: 33530442
Test: - atest NetworkStackTests
- atest FrameworksNetTests
Change-Id: I4961d5da343d8700600269632787c28112f0f9f1
Mock out PackageManager and returns correct information corresponding
to the test app package itself.
Test: atest --generate-new-metrics 10 com.android.server.ConnectivityServiceTest
Bug: 114231106
Bug: 130397860
Change-Id: Ib921700eda417f411d7a2c77c1140fba9ab50bbb
Since socket keepalive APIs for UDP encapsulation sockets are
public to generic app. In order to ensure the given fd is valid,
this change verifies the resource id inside the UDP
encapsulation socket by using methods provided by IpSecService.
Bug: 125517194
Fix: 123968920
Test: 1. atest FrameworksNetTests --generate-new-metrics 10
2. atestcom.android.server.ConnectivityServiceTest \
#testNattSocketKeepalives --generate-new-metrics 100
Change-Id: I408aacc19b364683854d15a095c34e72389a6e5b
Currntly, keepalive slot is released when stop() is called. Next
starting keepalive can use the same slot number while previous
keepalive is still stopping. When the previous keepalive is
stopped, the incoming as will be processed by the new keepalive.
This change release keepalive slot after the result of stopping
has returned. Thus, newly created keepalive cannot allocate the
same slot number while lower layer is still processing stop event.
This change also disable flaky assertions that are caused by
test port has been occupied by other process.
Bug: 129512753
Test: 1. atest com.android.server.ConnectivityServiceTest \
#testNattSocketKeepalives --generate-new-metrics 100
2. atest FrameworksNetTests --generate-new-metrics 10
3. simulate the fail case manually.
Change-Id: I1991627545519ee5cb408a3df3a006f710f4af7b
A mocked PackageManager caused test failures in existing tests.
Revert that for now to make tests pass again.
Bug: 114231106
Bug: 130397860
Test: atest FrameworksNetTests
Change-Id: I4f181789152438f18e6cd2d235d76fabe3872ea3
This reverts commit 3897df2e36.
Reason for revert: Rolling forward, will fix tests in same CL stack.
Bug: 114231106
Bug: 130397860
Test: FrameworksNetTests
Change-Id: Ia8a0c99b4e1fd5dff26c881715cd876618ca4321
This reverts commit fd8f96d719.
This change does not have any topic: not reverting the other 2 commits in the original topic.
Reason for revert: broke FrameworksNetTests presubmit: b/130397860
Change-Id: Iff41d9fe97fafea44680c8d67d1ce19277548cc0
When a fully-routed VPN is running, we want to prevent normal apps
under the VPN from receiving packets originating from any local non-VPN
interfaces. This is achieved by using eBPF to create a per-UID input
interface whitelist and populate the whitelist such that all
non-bypassable apps under a VPN can only receive packets from the VPN's
TUN interface (and loopback implicitly)
This is the framework part of the change that build the whitelist.
The whitelist needs to be updated in the following cases:
* When a VPN is connected and disconnected
This will cover the change to allowBypass bit, since that can't be
changed without reconnecting.
* When a VPN's NetworkCapabilites is changed (whitelist/blacklist app changes)
* When a new app is installed
* When an existing app is removed
* When a VPN becomes fully-routed or is no longer fully-routed
New user/profile creation will automatically result in a whitelist app change
transition so it doesn't need to be handled specially here.
Due to the limitation of the kernel IPSec interacting with eBPF (sk_buf->ifindex
does not point to the virtual tunnel interface for kernel IPSec), the whitelist
will only apply to app VPNs but not legacy VPN connections, to prevent breaking
connectivity with kernel IPSec entirely.
Test: atest PermissionMonitorTest
Test: atest android.net.RouteInfoTest
Test: atest com.android.server.ConnectivityServiceTest
Test: atest HostsideVpnTests
Bug: 114231106
Change-Id: I143b03d60e46cb1b04732b4a4034f5847b4d1b1a
- Restrict unprivileged apps to use
NetworkRequest.Builder#setSignalStrength.
- Remove the "throws NullPointerException" in
CaptivePortalProbeSpec constructor.
- Remove the null check in LinkProperties.
- Add annotataion into all ConnectivityManager.NetworkCallback
methods.
Change-Id: Id275cac1d6a30d7515cd7b113394f5e8a0179314
Fix: 129097486
Test: atest FrameworksNetTests
