Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c36de978 authored by Ken Chen's avatar Ken Chen
Browse files

[Test] DNS query blocked by UID network restrictions 

Test is conducted on 4 DNS entrances over private DNS only. There is no
effective way to know whether a DNS query is rejected by the DNS
resolver or by the BPF program in kernel. However, private DNS queries
will not be rejected by BPF programs before the "DNS query fail-fast"
feature, and will be rejected after the implementation. So we use
private DNS to verify the functionality.

Bug: 288340533
Test: atest resolv_integration_test
Change-Id: Ie4a18995826a4bd7705d71b12a2af91f895ba683
parent 098116b9

tests/resolv_private_dns_test.cpp

+57 −0
Original line number Diff line number Diff line
@@ -528,6 +528,63 @@ TEST_P(TransportParameterizedTest, MdnsGetAddrInfo_fallback) { 
    }

}



TEST_P(TransportParameterizedTest, BlockDnsQueryWithUidRule) {

    SKIP_IF_BEFORE_T;

    constexpr char ptr_name[] = "v4v6.example.com.";

    // PTR record for IPv6 address 2001:db8::102:304

    constexpr char ptr_addr_v6[] =

            "4.0.3.0.2.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.";

    const DnsRecord r = {ptr_addr_v6, ns_type::ns_t_ptr, ptr_name};

    dns.addMapping(r.host_name, r.type, r.addr);

    dot_backend.addMapping(r.host_name, r.type, r.addr);

    doh_backend.addMapping(r.host_name, r.type, r.addr);



    const auto parcel = DnsResponderClient::GetDefaultResolverParamsParcel();

    ASSERT_TRUE(mDnsClient.SetResolversFromParcel(parcel));



    if (testParamHasDoh()) EXPECT_TRUE(WaitForDohValidationSuccess(test::kDefaultListenAddr));

    if (testParamHasDot()) EXPECT_TRUE(WaitForDotValidationSuccess(test::kDefaultListenAddr));



    // This waiting time is expected to avoid that the DoH validation event interferes other tests.

    if (!testParamHasDoh()) waitForDohValidationFailed();



    // Have the test independent of the number of sent queries in private DNS validation, because

    // the DnsResolver can send either 1 or 2 queries in DoT validation.

    if (testParamHasDoh()) {

        doh.clearQueries();

    }

    if (testParamHasDot()) {

        EXPECT_TRUE(dot.waitForQueries(1));

        dot.clearQueries();

    }

    dns.clearQueries();



    // Block TEST_UID's network access

    ScopeBlockedUIDRule scopeBlockUidRule(mDnsClient.netdService(), TEST_UID);



    // getaddrinfo should fail

    const addrinfo hints = {.ai_socktype = SOCK_DGRAM};

    EXPECT_FALSE(safe_getaddrinfo(kQueryHostname, nullptr, &hints));



    // gethostbyname should fail

    EXPECT_FALSE(gethostbyname(kQueryHostname));



    // gethostbyaddr should fail

    in6_addr v6addr;

    inet_pton(AF_INET6, "2001:db8::102:304", &v6addr);

    EXPECT_FALSE(gethostbyaddr(&v6addr, sizeof(v6addr), AF_INET6));



    // resNetworkQuery should fail

    int fd = resNetworkQuery(TEST_NETID, kQueryHostname, ns_c_in, ns_t_aaaa, 0);

    EXPECT_TRUE(fd != -1);



    uint8_t buf[MAXPACKET] = {};

    int rcode;

    EXPECT_EQ(-ECONNREFUSED, getAsyncResponse(fd, &rcode, buf, MAXPACKET));



    expectQueries(0 /* dns */, 0 /* dot */, 0 /* doh */);

}



class PrivateDnsDohTest : public BasePrivateDnsTest {

  protected:

    void SetUp() override {

tests/resolv_test_utils.h

+8 −0
Original line number Diff line number Diff line
@@ -32,6 +32,7 @@ 
#include <netdutils/InternetAddresses.h>



#include "dns_responder/dns_responder.h"

#include "util.h"



class ScopeBlockedUIDRule {

    using INetd = aidl::android::net::INetd;
@@ -402,3 +403,10 @@ android::netdutils::ScopedAddrinfo safe_getaddrinfo(const char* node, const char 


void SetMdnsRoute();

void RemoveMdnsRoute();



#define SKIP_IF_BEFORE_T                                                         \

    do {                                                                         \

        if (!isAtLeastT()) {                                                     \

            GTEST_SKIP() << "Skipping test because SDK version is less than T."; \

        }                                                                        \

    } while (0)