Some native daemons legacy design work with SYSTEM_UID. If none of
SYSTEM_UID apps declare the restricted network permission, it will
result in permission denial in daemons. Allow SYSTEM_UID in the
devices shipped before Q to support backward compatibility.
Bug:114245686
Test: 1. runtest frameworks-net
2. atest FrameworksNetTests
3. Native daemons with SYSTEM_UID can work normally
Change-Id: I6f3f0d83bcae74ef5389535b528af3baf649fa48
Currently, if VPN lockdown is disabled, the blocking judgement
inside VPN will return false immediately. It will make
ConnectivityService hard to check blocked status by a given
VPN lockdown status.
Thus, move this check into ConnectivityService and check it
externally.
Bug: 117814902
Test: 1. manual test with 3rd-party vpn app
2. runtest frameworks-net
Change-Id: Ia8319b1a1a12f1058c24badf2431f2ec69bc78e7
onBlockedStatusChanged is intruduced for network blocked status.
The changes in this patch are:
- Test onBlockedStatusChanged which tells apps whether the
network is blocked.
- Fixed the tests which is affected by the order changed in
onAvailable.
Test: as follows
- runtest frameworks-net
- runtest -x NetworkPolicyManagerServiceTest.java
Bug: 74575553
Change-Id: I383c037ed895ef69c478dc3cff69fb1e27c42845
This commit checks if UDP-encapsulation is used
for unsupported address family and throws
IllegalArgumentException when it happens.
Bug: 74213459
Test: Tests added in testCreateTransportModeTransformWithEncap
and testCreateTunnelModeTransformWithEncap.
Command: runtest frameworks-net
Verified on taimen.
Change-Id: I10c01f2bad6aca23430849ea9ef6c1eb157ae131
This will improve the user experience on Android TV devices,
see bug for details.
In addition when connecting adb to the device by ethernet
for cts, wifi will not connect, causing lots of tests to fail.
For example:
[CTS7.1]android.net.wifi.cts.WifiInfoTest#testWifiInfoProperties
[CTS7.1]android.net.cts.ConnectivityManagerTest#testConnectivityChanged_
manifestRequestOnlyPreN_shouldReceiveIntent
Use command:settings to put global wifi_data_always_on 1 to enable it.
Bug: 26102779
Test: Manual, CTS.
Change-Id: I711d93061a6bc7164d98a858912f781e1b967406
Idle timer rule is not cleared as expected if there is a
default network replacement.
Bug:37080406
Test: 1.run frameworks-net
2.check iptables rule with default network replacement
Change-Id: I6bd29d79e4ca3e8de4b867c4fcb5f81d02ba6de4
FakeSettingsProvider requires this method to be called before and after
use. Without this, the settings value or content provider may be cached
statically, so the test will be affected by code accessing settings
before it is run.
Bug: b/116668105
Test: atest FrameworksNetTests
Change-Id: I1480f3f3bbb17791752582a70327bb5c7c348d7c
Run most tests with TETHER_ENABLE_LEGACY_DHCP_SERVER set to 0 (will be
the default value). Add one test to verify that the new server is not
started when TETHER_ENABLE_LEGACY_DHCP_SERVER is 1.
Bug: b/109584964
Test: atest FrameworksNetTests
Change-Id: I288ba1f434918e62ff29f7ace00856108c9730f7
Rename TetherInterfaceStateMachine to IpServer. IControlsTethering
is folded into IpServer.Callback and some of the dependencies in
TetheringDependencies are moved into IpServer.Dependencies.
Several things still need fixing, including:
- convert message passing into method calls
- the calls that enable forwarding should be moved up out of
IpServer into the Tethering layer above it
Test: as follows
- built, flashed, booted
- runtest frameworks-net passes
Change-Id: I015f800ed23c8aa5c8c81a74d7b508abfcaab659
This change makes all requestIDs use the UID of the creator, ensuring
that rekeys always use the same requestID. This also has the nice
property of separating app's resources from each other, and allowing for
identification of which app/UID allocated the resources from
command-line dumps (eg ip xfrm state show)
Bug: 111841561
Test: Updated tests & passing taimen
Change-Id: I4f1eadcdb795766ae4682b15e41727359c52fa38
Not all preinstalled apps should have access to background
networks or restricted networks. But we give them all network
access permissions currently, it's not a good design. So we
shall limit preinstalled apps permissions, they should just
request the appropriate permission for their use case from
the network permissions.
Bug:19610688
Test: runtest frameworks-net
Change-Id: I184ae3197208c979847ca134c8f01b32528badf1
The newer implementation is disabled by default with this CL. Ultimately
the intention is to enable it by default.
Bug: b/109584964
Test: set tether_enable_legacy_dhcp_server to 0, ran DhcpServerTest.py,
observed new behavior. Added tests in CL also pass.
Change-Id: I0f830b9804b8956c127057e66ab75a21ca29dc57
Use the Private DNS bypass logic that was moved into Network.
Once all callers of ResolvUtil are updated to use this interface
ResolvUtil can be deleted.
Test: as follows
- built, flashed, booted
- runtest frameworks-net passes
- connection to captive portal network detects portal correctly
and the login activity functions as expected
Bug: 64133961
Bug: 72345192
Bug: 73872000
Bug: 78548486
Change-Id: If11ef2b5ffdc729f8449cf18dccd5f1eccbc51e6
LocalServices.addService in NetworkStatsService is currently failing
with IllegalStateException "Overriding service registration". Setting up
LocalServices in the test to avoid this issue might be possible, but
moving the registration to the only non-test caller of that constructor
as done here solves the issue and avoids side-effects from a constructor.
Test: atest FrameworksNetTests does not choke on this test
Bug: b/78487385
Bug: b/80082746
Change-Id: I5dba98fc79aec0800c8b71e6c7e23d1cfbcae852
Merged-In: I884a7a8bd7db3fcd220b785ba9914ac8c77720f0
(Clean cherry-pick of go/ag/4061255)
With recent performance degradations on apct, the current timeouts are
too short and some requests trigger onUnavailable() before networks are
validated.
Test: runtest -x ConnectivityServiceTest.java
Bug: b/111778226
Change-Id: I083f529787f108065637a0aff3e5bb88e05e6510
Fix some timeouts that were forgotten in parent CL.
Bug: b/111778226
Test: runtest --no-hidden-api-checks -x ConnectivityServiceTest.java
Change-Id: Ib848eaba8c69c07ac596aa4386a741c9a2a87fc9
Tests appear to have become much slower on apct in recent runs, although
local runs do not seem to be affected. As a first measure, increase our
timeouts to eliminate flakyness.
Bug: b/111778226
Test: runtest --no-hidden-api-checks -x ConnectivityServiceTest.java
Change-Id: I7a3bfb646eb554bcd9d50d026142f2a2cff74beb
The current timeout is short enough that lingered networks are torn down
before assertions can be run, causing flakyness in testMultipleLingering.
This CL sets the timeout to 300 in that particular test.
Verified that 300ms is enough with 500 successful runs on Sailfish.
An alternative would be to mock firing of the lingering timer, but
keeping the WakeupMessage logic realistic has already proven useful in
detecting races.
Bug: b/110673602
Test: runtest --no-hidden-api-checks frameworks-net
Change-Id: I6f9a656190bcff0b071ae2584d0f5fa74158472b
Rather than use the crufty config.xml list of upstream transport types,
use ConnectivityService's notion of the default network for the upstream.
In cases where a DUN network is required and the default network is
currently a mobile network, look for a DUN network (code in Tethering
is currently responsible for requesting one).
Test: as follows
- built, flashed, booted
- runtest frameworks-net
- tethered via mobile, joined captive portal network, maintained
laptop access via mobile until captive passed (then used wifi)
- disabled client mode wifi, disabled mobile data, plugged in
ethernet adapter, observed connectivity via ethernet
Bug: 32163131
Bug: 62648872
Bug: 63282480
Bug: 109786760
Bug: 110118584
Bug: 110260419
Merged-In: I9cddf1fb7aa3b8d56bf048c563556244e74808c2
Merged-In: Icac3e5e20e99093ddb85aae1ca07ed7b5cf309fd
Change-Id: I925b75994e31df8046f3ef9916a2457b4210485e
(cherry picked from commit 4080a1bd15)
Change access level of getNetworkAgentInfoForNetwork in ConnectivityService to get
better testability. And add test case to verify clat state transition and make sure
linkProperties are updated correctly.
Bug: 80261579, 109913107
Test: runtest frameworks-net -c com.android.server.ConnectivityServiceTest \
-m testStackedLinkProperties
Change-Id: I72fce594d74bd349f65557edca03640e1b86317c
This CL temporarily removes the AppOp restriction
that disallows creation of IpSec tunnels due to
the lack of the appropriate AppOp in AOSP/master.
When the relevant framework merges out to master,
this CL should be reverted.
Manually merging this due to skipping a merge
conflict at ef9f2740a7
Bug: none
Test: compilation
Change-Id: Ic06c193f85f6bcdd0ead4238825c1add78703cde
* changes:
Disable the AppOp Restriction for IpSec Tunnels
Rework Exception Handling for IpSecManager
Update IpSecManager to use InetAddress and prefixLen
Add AppOps Checks for MANAGE_IPSEC_TUNNELS
Add MANAGE_IPSEC_TUNNELS Permission
This CL temporarily removes the AppOp restriction
that disallows creation of IpSec tunnels due to
the lack of the appropriate AppOp in AOSP/master.
When the relevant framework merges out to master,
this CL should be reverted.
Bug: none
Test: compilation
Change-Id: Ic06c193f85f6bcdd0ead4238825c1add78703cde
Adds support for a new AppOp to permit services to
use IpSec tunnel mode. The IpSecService now needs
a context so change the service mode to a cached
service rather than a static service.
Bug: 66955045
Test: runtest frameworks-net
Merged-In: I17a4a286225b432c3e15ea1587d946189931b4f4
Change-Id: I17a4a286225b432c3e15ea1587d946189931b4f4
(cherry picked from commit 592dadbd43)
* changes:
Let tests enumerate all transports/capabilities.
Destroy networks as soon as they are disconnected.
Fix a ConcurrentModificationException crash.
Unify behavior of various cases of "no underlying networks"
Fix: VPNs update caps upon underlying network disconnect.
Add tests for setUnderlyingNetworks.
Fix setCapabilities.
Fix SSID not being logged by the validation logs
Make sure getActiveNetwork is consistent with default callbacks
Add tests for getActiveNetwork.
Guard the SSID with NETWORK_SETTINGS
Add a new ssid field in NetworkCapabilities.
Notif manager and captive portal app to read SSID again
Remove unwanted capability from the java-doc
Actually @hide unwanted capability methods.
API council requested tweaks to NetworkRequest.
Add OEM_PAID capability to system api
add airplane mode shell commands to connectivity
Enable cleartext for captive portal apps
Expose CONNECTIVITY_ACTION to Instant Apps
fix isActiveNetworkMetered with VPNs
Before this change, VPNs having no underlying networks would be
marked as metered as the safe option, but VPNs having only
disconnected underlying networks would be marked as unmetered.
Fix this discrepancy.
Clean cherry-pick of ag/4113809
Bug: 79748782
Test: runtest frameworks-net
Change-Id: Ie6ace6bd95139605ffcfa8cd6c15cf28f8fa28c8
Merged-In: If19b85325e7d684e645470293b3c8a674084c641
Merged-in: I22f80a6a39d4a19ff74aa61fcbd66f1a041b1003
Fixes come later. This is complex enough as it is.
Clean cherry-pick of ag/4083953
Bug: 79748782
Test: new test passes, old tests still pass
Change-Id: If7276fe1f751be7b9c18f689e97699e566e5bde0
Merged-In: I12c948ebeb2b74290908f8320ff77220dc4a9fb9
