Loading services/core/java/com/android/server/IpSecService.java +19 −15 Original line number Original line Diff line number Diff line Loading @@ -612,7 +612,7 @@ public class IpSecService extends IIpSecService.Stub { mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( mResourceId, uid, mConfig.getSourceAddress(), mConfig.getSourceAddress(), mConfig.getDestinationAddress(), mConfig.getDestinationAddress(), spi, spi, Loading Loading @@ -679,7 +679,7 @@ public class IpSecService extends IIpSecService.Stub { mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( mResourceId, mSourceAddress, mDestinationAddress, mSpi, 0, 0); uid, mSourceAddress, mDestinationAddress, mSpi, 0, 0); } } } catch (ServiceSpecificException | RemoteException e) { } catch (ServiceSpecificException | RemoteException e) { Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId, e); Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId, e); Loading Loading @@ -821,13 +821,13 @@ public class IpSecService extends IIpSecService.Stub { for (int selAddrFamily : ADDRESS_FAMILIES) { for (int selAddrFamily : ADDRESS_FAMILIES) { netd.ipSecDeleteSecurityPolicy( netd.ipSecDeleteSecurityPolicy( 0, uid, selAddrFamily, selAddrFamily, IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_OUT, mOkey, mOkey, 0xffffffff); 0xffffffff); netd.ipSecDeleteSecurityPolicy( netd.ipSecDeleteSecurityPolicy( 0, uid, selAddrFamily, selAddrFamily, IpSecManager.DIRECTION_IN, IpSecManager.DIRECTION_IN, mIkey, mIkey, Loading Loading @@ -1083,7 +1083,8 @@ public class IpSecService extends IIpSecService.Stub { } } checkNotNull(binder, "Null Binder passed to allocateSecurityParameterIndex"); checkNotNull(binder, "Null Binder passed to allocateSecurityParameterIndex"); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); final int resourceId = mNextResourceId++; final int resourceId = mNextResourceId++; int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX; int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX; Loading @@ -1096,7 +1097,7 @@ public class IpSecService extends IIpSecService.Stub { spi = spi = mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecAllocateSpi(resourceId, "", destinationAddress, requestedSpi); .ipSecAllocateSpi(callingUid, "", destinationAddress, requestedSpi); Log.d(TAG, "Allocated SPI " + spi); Log.d(TAG, "Allocated SPI " + spi); userRecord.mSpiRecords.put( userRecord.mSpiRecords.put( resourceId, resourceId, Loading Loading @@ -1264,7 +1265,8 @@ public class IpSecService extends IIpSecService.Stub { // TODO: Check that underlying network exists, and IP addresses not assigned to a different // TODO: Check that underlying network exists, and IP addresses not assigned to a different // network (b/72316676). // network (b/72316676). UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callerUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callerUid); if (!userRecord.mTunnelQuotaTracker.isAvailable()) { if (!userRecord.mTunnelQuotaTracker.isAvailable()) { return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); } } Loading @@ -1285,7 +1287,7 @@ public class IpSecService extends IIpSecService.Stub { for (int selAddrFamily : ADDRESS_FAMILIES) { for (int selAddrFamily : ADDRESS_FAMILIES) { // Always send down correct local/remote addresses for template. // Always send down correct local/remote addresses for template. netd.ipSecAddSecurityPolicy( netd.ipSecAddSecurityPolicy( 0, // Use 0 for reqId callerUid, selAddrFamily, selAddrFamily, IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_OUT, localAddr, localAddr, Loading @@ -1294,7 +1296,7 @@ public class IpSecService extends IIpSecService.Stub { okey, okey, 0xffffffff); 0xffffffff); netd.ipSecAddSecurityPolicy( netd.ipSecAddSecurityPolicy( 0, // Use 0 for reqId callerUid, selAddrFamily, selAddrFamily, IpSecManager.DIRECTION_IN, IpSecManager.DIRECTION_IN, remoteAddr, remoteAddr, Loading Loading @@ -1532,7 +1534,7 @@ public class IpSecService extends IIpSecService.Stub { mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecAddSecurityAssociation( .ipSecAddSecurityAssociation( resourceId, Binder.getCallingUid(), c.getMode(), c.getMode(), c.getSourceAddress(), c.getSourceAddress(), c.getDestinationAddress(), c.getDestinationAddress(), Loading Loading @@ -1623,13 +1625,14 @@ public class IpSecService extends IIpSecService.Stub { @Override @Override public synchronized void applyTransportModeTransform( public synchronized void applyTransportModeTransform( ParcelFileDescriptor socket, int direction, int resourceId) throws RemoteException { ParcelFileDescriptor socket, int direction, int resourceId) throws RemoteException { UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); checkDirection(direction); checkDirection(direction); // Get transform record; if no transform is found, will throw IllegalArgumentException // Get transform record; if no transform is found, will throw IllegalArgumentException TransformRecord info = userRecord.mTransformRecords.getResourceOrThrow(resourceId); TransformRecord info = userRecord.mTransformRecords.getResourceOrThrow(resourceId); // TODO: make this a function. // TODO: make this a function. if (info.pid != getCallingPid() || info.uid != getCallingUid()) { if (info.pid != getCallingPid() || info.uid != callingUid) { throw new SecurityException("Only the owner of an IpSec Transform may apply it!"); throw new SecurityException("Only the owner of an IpSec Transform may apply it!"); } } Loading @@ -1643,7 +1646,7 @@ public class IpSecService extends IIpSecService.Stub { .getNetdInstance() .getNetdInstance() .ipSecApplyTransportModeTransform( .ipSecApplyTransportModeTransform( socket.getFileDescriptor(), socket.getFileDescriptor(), resourceId, callingUid, direction, direction, c.getSourceAddress(), c.getSourceAddress(), c.getDestinationAddress(), c.getDestinationAddress(), Loading Loading @@ -1675,7 +1678,8 @@ public class IpSecService extends IIpSecService.Stub { enforceTunnelPermissions(callingPackage); enforceTunnelPermissions(callingPackage); checkDirection(direction); checkDirection(direction); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); // Get transform record; if no transform is found, will throw IllegalArgumentException // Get transform record; if no transform is found, will throw IllegalArgumentException TransformRecord transformInfo = TransformRecord transformInfo = Loading Loading @@ -1717,7 +1721,7 @@ public class IpSecService extends IIpSecService.Stub { mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecUpdateSecurityPolicy( .ipSecUpdateSecurityPolicy( 0, // Use 0 for reqId callingUid, selAddrFamily, selAddrFamily, direction, direction, tunnelInterfaceInfo.getLocalAddress(), tunnelInterfaceInfo.getLocalAddress(), Loading tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +18 −25 Original line number Original line Diff line number Diff line Loading @@ -41,9 +41,9 @@ import android.net.Network; import android.net.NetworkUtils; import android.net.NetworkUtils; import android.os.Binder; import android.os.Binder; import android.os.ParcelFileDescriptor; import android.os.ParcelFileDescriptor; import android.test.mock.MockContext; import android.support.test.filters.SmallTest; import android.support.test.filters.SmallTest; import android.system.Os; import android.system.Os; import android.test.mock.MockContext; import java.net.Socket; import java.net.Socket; import java.util.Arrays; import java.util.Arrays; Loading Loading @@ -121,6 +121,7 @@ public class IpSecServiceParameterizedTest { IpSecService.IpSecServiceConfiguration mMockIpSecSrvConfig; IpSecService.IpSecServiceConfiguration mMockIpSecSrvConfig; IpSecService mIpSecService; IpSecService mIpSecService; Network fakeNetwork = new Network(0xAB); Network fakeNetwork = new Network(0xAB); int mUid = Os.getuid(); private static final IpSecAlgorithm AUTH_ALGO = private static final IpSecAlgorithm AUTH_ALGO = new IpSecAlgorithm(IpSecAlgorithm.AUTH_HMAC_SHA256, AUTH_KEY, AUTH_KEY.length * 4); new IpSecAlgorithm(IpSecAlgorithm.AUTH_HMAC_SHA256, AUTH_KEY, AUTH_KEY.length * 4); Loading Loading @@ -181,7 +182,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(spiResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading @@ -189,8 +190,7 @@ public class IpSecServiceParameterizedTest { anyInt()); anyInt()); // Verify quota and RefcountedResource objects cleaned up // Verify quota and RefcountedResource objects cleaned up IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); assertEquals(0, userRecord.mSpiQuotaTracker.mCurrent); assertEquals(0, userRecord.mSpiQuotaTracker.mCurrent); try { try { userRecord.mSpiRecords.getRefcountedResourceOrThrow(spiResp.resourceId); userRecord.mSpiRecords.getRefcountedResourceOrThrow(spiResp.resourceId); Loading @@ -209,8 +209,7 @@ public class IpSecServiceParameterizedTest { mIpSecService.allocateSecurityParameterIndex( mIpSecService.allocateSecurityParameterIndex( mDestinationAddr, TEST_SPI, new Binder()); mDestinationAddr, TEST_SPI, new Binder()); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); IpSecService.RefcountedResource refcountedRecord = IpSecService.RefcountedResource refcountedRecord = userRecord.mSpiRecords.getRefcountedResourceOrThrow(spiResp.resourceId); userRecord.mSpiRecords.getRefcountedResourceOrThrow(spiResp.resourceId); Loading @@ -218,7 +217,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(spiResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading Loading @@ -270,7 +269,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecAddSecurityAssociation( .ipSecAddSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyInt(), anyInt(), anyString(), anyString(), anyString(), anyString(), Loading Loading @@ -305,7 +304,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecAddSecurityAssociation( .ipSecAddSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyInt(), anyInt(), anyString(), anyString(), anyString(), anyString(), Loading Loading @@ -361,13 +360,12 @@ public class IpSecServiceParameterizedTest { IpSecTransformResponse createTransformResp = IpSecTransformResponse createTransformResp = mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent); assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent); mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId()); mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId()); verify(mMockNetd, times(0)) verify(mMockNetd, times(0)) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading @@ -389,7 +387,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd, times(1)) verify(mMockNetd, times(1)) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading @@ -397,8 +395,7 @@ public class IpSecServiceParameterizedTest { anyInt()); anyInt()); // Verify quota and RefcountedResource objects cleaned up // Verify quota and RefcountedResource objects cleaned up IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); assertEquals(0, userRecord.mTransformQuotaTracker.mCurrent); assertEquals(0, userRecord.mTransformQuotaTracker.mCurrent); assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent); assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent); Loading Loading @@ -433,8 +430,7 @@ public class IpSecServiceParameterizedTest { IpSecTransformResponse createTransformResp = IpSecTransformResponse createTransformResp = mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); IpSecService.RefcountedResource refcountedRecord = IpSecService.RefcountedResource refcountedRecord = userRecord.mTransformRecords.getRefcountedResourceOrThrow( userRecord.mTransformRecords.getRefcountedResourceOrThrow( createTransformResp.resourceId); createTransformResp.resourceId); Loading @@ -443,7 +439,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading Loading @@ -477,7 +473,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecApplyTransportModeTransform( .ipSecApplyTransportModeTransform( eq(pfd.getFileDescriptor()), eq(pfd.getFileDescriptor()), eq(resourceId), eq(mUid), eq(IpSecManager.DIRECTION_OUT), eq(IpSecManager.DIRECTION_OUT), anyString(), anyString(), anyString(), anyString(), Loading Loading @@ -509,8 +505,7 @@ public class IpSecServiceParameterizedTest { createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); // Check that we have stored the tracking object, and retrieve it // Check that we have stored the tracking object, and retrieve it IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); IpSecService.RefcountedResource refcountedRecord = IpSecService.RefcountedResource refcountedRecord = userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow( userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow( createTunnelResp.resourceId); createTunnelResp.resourceId); Loading @@ -530,8 +525,7 @@ public class IpSecServiceParameterizedTest { IpSecTunnelInterfaceResponse createTunnelResp = IpSecTunnelInterfaceResponse createTunnelResp = createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); mIpSecService.deleteTunnelInterface(createTunnelResp.resourceId, "blessedPackage"); mIpSecService.deleteTunnelInterface(createTunnelResp.resourceId, "blessedPackage"); Loading @@ -551,8 +545,7 @@ public class IpSecServiceParameterizedTest { IpSecTunnelInterfaceResponse createTunnelResp = IpSecTunnelInterfaceResponse createTunnelResp = createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); IpSecService.RefcountedResource refcountedRecord = IpSecService.RefcountedResource refcountedRecord = userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow( userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow( createTunnelResp.resourceId); createTunnelResp.resourceId); Loading Loading
services/core/java/com/android/server/IpSecService.java +19 −15 Original line number Original line Diff line number Diff line Loading @@ -612,7 +612,7 @@ public class IpSecService extends IIpSecService.Stub { mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( mResourceId, uid, mConfig.getSourceAddress(), mConfig.getSourceAddress(), mConfig.getDestinationAddress(), mConfig.getDestinationAddress(), spi, spi, Loading Loading @@ -679,7 +679,7 @@ public class IpSecService extends IIpSecService.Stub { mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( mResourceId, mSourceAddress, mDestinationAddress, mSpi, 0, 0); uid, mSourceAddress, mDestinationAddress, mSpi, 0, 0); } } } catch (ServiceSpecificException | RemoteException e) { } catch (ServiceSpecificException | RemoteException e) { Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId, e); Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId, e); Loading Loading @@ -821,13 +821,13 @@ public class IpSecService extends IIpSecService.Stub { for (int selAddrFamily : ADDRESS_FAMILIES) { for (int selAddrFamily : ADDRESS_FAMILIES) { netd.ipSecDeleteSecurityPolicy( netd.ipSecDeleteSecurityPolicy( 0, uid, selAddrFamily, selAddrFamily, IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_OUT, mOkey, mOkey, 0xffffffff); 0xffffffff); netd.ipSecDeleteSecurityPolicy( netd.ipSecDeleteSecurityPolicy( 0, uid, selAddrFamily, selAddrFamily, IpSecManager.DIRECTION_IN, IpSecManager.DIRECTION_IN, mIkey, mIkey, Loading Loading @@ -1083,7 +1083,8 @@ public class IpSecService extends IIpSecService.Stub { } } checkNotNull(binder, "Null Binder passed to allocateSecurityParameterIndex"); checkNotNull(binder, "Null Binder passed to allocateSecurityParameterIndex"); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); final int resourceId = mNextResourceId++; final int resourceId = mNextResourceId++; int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX; int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX; Loading @@ -1096,7 +1097,7 @@ public class IpSecService extends IIpSecService.Stub { spi = spi = mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecAllocateSpi(resourceId, "", destinationAddress, requestedSpi); .ipSecAllocateSpi(callingUid, "", destinationAddress, requestedSpi); Log.d(TAG, "Allocated SPI " + spi); Log.d(TAG, "Allocated SPI " + spi); userRecord.mSpiRecords.put( userRecord.mSpiRecords.put( resourceId, resourceId, Loading Loading @@ -1264,7 +1265,8 @@ public class IpSecService extends IIpSecService.Stub { // TODO: Check that underlying network exists, and IP addresses not assigned to a different // TODO: Check that underlying network exists, and IP addresses not assigned to a different // network (b/72316676). // network (b/72316676). UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callerUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callerUid); if (!userRecord.mTunnelQuotaTracker.isAvailable()) { if (!userRecord.mTunnelQuotaTracker.isAvailable()) { return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); } } Loading @@ -1285,7 +1287,7 @@ public class IpSecService extends IIpSecService.Stub { for (int selAddrFamily : ADDRESS_FAMILIES) { for (int selAddrFamily : ADDRESS_FAMILIES) { // Always send down correct local/remote addresses for template. // Always send down correct local/remote addresses for template. netd.ipSecAddSecurityPolicy( netd.ipSecAddSecurityPolicy( 0, // Use 0 for reqId callerUid, selAddrFamily, selAddrFamily, IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_OUT, localAddr, localAddr, Loading @@ -1294,7 +1296,7 @@ public class IpSecService extends IIpSecService.Stub { okey, okey, 0xffffffff); 0xffffffff); netd.ipSecAddSecurityPolicy( netd.ipSecAddSecurityPolicy( 0, // Use 0 for reqId callerUid, selAddrFamily, selAddrFamily, IpSecManager.DIRECTION_IN, IpSecManager.DIRECTION_IN, remoteAddr, remoteAddr, Loading Loading @@ -1532,7 +1534,7 @@ public class IpSecService extends IIpSecService.Stub { mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecAddSecurityAssociation( .ipSecAddSecurityAssociation( resourceId, Binder.getCallingUid(), c.getMode(), c.getMode(), c.getSourceAddress(), c.getSourceAddress(), c.getDestinationAddress(), c.getDestinationAddress(), Loading Loading @@ -1623,13 +1625,14 @@ public class IpSecService extends IIpSecService.Stub { @Override @Override public synchronized void applyTransportModeTransform( public synchronized void applyTransportModeTransform( ParcelFileDescriptor socket, int direction, int resourceId) throws RemoteException { ParcelFileDescriptor socket, int direction, int resourceId) throws RemoteException { UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); checkDirection(direction); checkDirection(direction); // Get transform record; if no transform is found, will throw IllegalArgumentException // Get transform record; if no transform is found, will throw IllegalArgumentException TransformRecord info = userRecord.mTransformRecords.getResourceOrThrow(resourceId); TransformRecord info = userRecord.mTransformRecords.getResourceOrThrow(resourceId); // TODO: make this a function. // TODO: make this a function. if (info.pid != getCallingPid() || info.uid != getCallingUid()) { if (info.pid != getCallingPid() || info.uid != callingUid) { throw new SecurityException("Only the owner of an IpSec Transform may apply it!"); throw new SecurityException("Only the owner of an IpSec Transform may apply it!"); } } Loading @@ -1643,7 +1646,7 @@ public class IpSecService extends IIpSecService.Stub { .getNetdInstance() .getNetdInstance() .ipSecApplyTransportModeTransform( .ipSecApplyTransportModeTransform( socket.getFileDescriptor(), socket.getFileDescriptor(), resourceId, callingUid, direction, direction, c.getSourceAddress(), c.getSourceAddress(), c.getDestinationAddress(), c.getDestinationAddress(), Loading Loading @@ -1675,7 +1678,8 @@ public class IpSecService extends IIpSecService.Stub { enforceTunnelPermissions(callingPackage); enforceTunnelPermissions(callingPackage); checkDirection(direction); checkDirection(direction); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); // Get transform record; if no transform is found, will throw IllegalArgumentException // Get transform record; if no transform is found, will throw IllegalArgumentException TransformRecord transformInfo = TransformRecord transformInfo = Loading Loading @@ -1717,7 +1721,7 @@ public class IpSecService extends IIpSecService.Stub { mSrvConfig mSrvConfig .getNetdInstance() .getNetdInstance() .ipSecUpdateSecurityPolicy( .ipSecUpdateSecurityPolicy( 0, // Use 0 for reqId callingUid, selAddrFamily, selAddrFamily, direction, direction, tunnelInterfaceInfo.getLocalAddress(), tunnelInterfaceInfo.getLocalAddress(), Loading
tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +18 −25 Original line number Original line Diff line number Diff line Loading @@ -41,9 +41,9 @@ import android.net.Network; import android.net.NetworkUtils; import android.net.NetworkUtils; import android.os.Binder; import android.os.Binder; import android.os.ParcelFileDescriptor; import android.os.ParcelFileDescriptor; import android.test.mock.MockContext; import android.support.test.filters.SmallTest; import android.support.test.filters.SmallTest; import android.system.Os; import android.system.Os; import android.test.mock.MockContext; import java.net.Socket; import java.net.Socket; import java.util.Arrays; import java.util.Arrays; Loading Loading @@ -121,6 +121,7 @@ public class IpSecServiceParameterizedTest { IpSecService.IpSecServiceConfiguration mMockIpSecSrvConfig; IpSecService.IpSecServiceConfiguration mMockIpSecSrvConfig; IpSecService mIpSecService; IpSecService mIpSecService; Network fakeNetwork = new Network(0xAB); Network fakeNetwork = new Network(0xAB); int mUid = Os.getuid(); private static final IpSecAlgorithm AUTH_ALGO = private static final IpSecAlgorithm AUTH_ALGO = new IpSecAlgorithm(IpSecAlgorithm.AUTH_HMAC_SHA256, AUTH_KEY, AUTH_KEY.length * 4); new IpSecAlgorithm(IpSecAlgorithm.AUTH_HMAC_SHA256, AUTH_KEY, AUTH_KEY.length * 4); Loading Loading @@ -181,7 +182,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(spiResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading @@ -189,8 +190,7 @@ public class IpSecServiceParameterizedTest { anyInt()); anyInt()); // Verify quota and RefcountedResource objects cleaned up // Verify quota and RefcountedResource objects cleaned up IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); assertEquals(0, userRecord.mSpiQuotaTracker.mCurrent); assertEquals(0, userRecord.mSpiQuotaTracker.mCurrent); try { try { userRecord.mSpiRecords.getRefcountedResourceOrThrow(spiResp.resourceId); userRecord.mSpiRecords.getRefcountedResourceOrThrow(spiResp.resourceId); Loading @@ -209,8 +209,7 @@ public class IpSecServiceParameterizedTest { mIpSecService.allocateSecurityParameterIndex( mIpSecService.allocateSecurityParameterIndex( mDestinationAddr, TEST_SPI, new Binder()); mDestinationAddr, TEST_SPI, new Binder()); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); IpSecService.RefcountedResource refcountedRecord = IpSecService.RefcountedResource refcountedRecord = userRecord.mSpiRecords.getRefcountedResourceOrThrow(spiResp.resourceId); userRecord.mSpiRecords.getRefcountedResourceOrThrow(spiResp.resourceId); Loading @@ -218,7 +217,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(spiResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading Loading @@ -270,7 +269,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecAddSecurityAssociation( .ipSecAddSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyInt(), anyInt(), anyString(), anyString(), anyString(), anyString(), Loading Loading @@ -305,7 +304,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecAddSecurityAssociation( .ipSecAddSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyInt(), anyInt(), anyString(), anyString(), anyString(), anyString(), Loading Loading @@ -361,13 +360,12 @@ public class IpSecServiceParameterizedTest { IpSecTransformResponse createTransformResp = IpSecTransformResponse createTransformResp = mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent); assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent); mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId()); mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId()); verify(mMockNetd, times(0)) verify(mMockNetd, times(0)) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading @@ -389,7 +387,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd, times(1)) verify(mMockNetd, times(1)) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading @@ -397,8 +395,7 @@ public class IpSecServiceParameterizedTest { anyInt()); anyInt()); // Verify quota and RefcountedResource objects cleaned up // Verify quota and RefcountedResource objects cleaned up IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); assertEquals(0, userRecord.mTransformQuotaTracker.mCurrent); assertEquals(0, userRecord.mTransformQuotaTracker.mCurrent); assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent); assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent); Loading Loading @@ -433,8 +430,7 @@ public class IpSecServiceParameterizedTest { IpSecTransformResponse createTransformResp = IpSecTransformResponse createTransformResp = mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); IpSecService.RefcountedResource refcountedRecord = IpSecService.RefcountedResource refcountedRecord = userRecord.mTransformRecords.getRefcountedResourceOrThrow( userRecord.mTransformRecords.getRefcountedResourceOrThrow( createTransformResp.resourceId); createTransformResp.resourceId); Loading @@ -443,7 +439,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecDeleteSecurityAssociation( .ipSecDeleteSecurityAssociation( eq(createTransformResp.resourceId), eq(mUid), anyString(), anyString(), anyString(), anyString(), eq(TEST_SPI), eq(TEST_SPI), Loading Loading @@ -477,7 +473,7 @@ public class IpSecServiceParameterizedTest { verify(mMockNetd) verify(mMockNetd) .ipSecApplyTransportModeTransform( .ipSecApplyTransportModeTransform( eq(pfd.getFileDescriptor()), eq(pfd.getFileDescriptor()), eq(resourceId), eq(mUid), eq(IpSecManager.DIRECTION_OUT), eq(IpSecManager.DIRECTION_OUT), anyString(), anyString(), anyString(), anyString(), Loading Loading @@ -509,8 +505,7 @@ public class IpSecServiceParameterizedTest { createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); // Check that we have stored the tracking object, and retrieve it // Check that we have stored the tracking object, and retrieve it IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); IpSecService.RefcountedResource refcountedRecord = IpSecService.RefcountedResource refcountedRecord = userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow( userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow( createTunnelResp.resourceId); createTunnelResp.resourceId); Loading @@ -530,8 +525,7 @@ public class IpSecServiceParameterizedTest { IpSecTunnelInterfaceResponse createTunnelResp = IpSecTunnelInterfaceResponse createTunnelResp = createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); mIpSecService.deleteTunnelInterface(createTunnelResp.resourceId, "blessedPackage"); mIpSecService.deleteTunnelInterface(createTunnelResp.resourceId, "blessedPackage"); Loading @@ -551,8 +545,7 @@ public class IpSecServiceParameterizedTest { IpSecTunnelInterfaceResponse createTunnelResp = IpSecTunnelInterfaceResponse createTunnelResp = createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); IpSecService.UserRecord userRecord = IpSecService.UserRecord userRecord = mIpSecService.mUserResourceTracker.getUserRecord(mUid); mIpSecService.mUserResourceTracker.getUserRecord(Os.getuid()); IpSecService.RefcountedResource refcountedRecord = IpSecService.RefcountedResource refcountedRecord = userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow( userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow( createTunnelResp.resourceId); createTunnelResp.resourceId); Loading
