Loading tests/Android.bp +7 −0 Original line number Original line Diff line number Diff line Loading @@ -18,10 +18,16 @@ cc_test_library { ], ], static_libs: [ static_libs: [ "netd_aidl_interface-lateststable-ndk", "netd_aidl_interface-lateststable-ndk", "libconnectivity_native_test_utils", "libmodules-utils-build", "libnetd_test_dnsresponder_ndk", "libnetd_test_dnsresponder_ndk", "libnetdutils", "libnetdutils", "libgmock", "libgmock", ], ], export_static_lib_headers: [ "libconnectivity_native_test_utils", "libmodules-utils-build", ], } } cc_library_host_static { cc_library_host_static { Loading Loading @@ -185,6 +191,7 @@ cc_test { ], ], static_libs: [ static_libs: [ "dnsresolver_aidl_interface-lateststable-ndk", "dnsresolver_aidl_interface-lateststable-ndk", "libconnectivity_native_test_utils", "libcrypto_static", "libcrypto_static", "libgmock", "libgmock", "libmodules-utils-build", "libmodules-utils-build", Loading tests/resolv_integration_test.cpp +16 −14 Original line number Original line Diff line number Diff line Loading @@ -4319,9 +4319,7 @@ TEST_F(ResolverTest, getDnsNetId) { EXPECT_EQ(500, readResponseCode(fd)); EXPECT_EQ(500, readResponseCode(fd)); } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverTest, BlockDnsQueryWithUidRule) { TEST_F(ResolverTest, BlockDnsQueryWithUidRule) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr2[] = "::1"; constexpr char listen_addr2[] = "::1"; Loading Loading @@ -4369,9 +4367,7 @@ TEST_F(ResolverTest, BlockDnsQueryWithUidRule) { } } } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverTest, GetAddrinfo_BlockDnsQueryWithUidRule) { TEST_F(ResolverTest, GetAddrinfo_BlockDnsQueryWithUidRule) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr2[] = "::1"; constexpr char listen_addr2[] = "::1"; Loading Loading @@ -4421,9 +4417,7 @@ TEST_F(ResolverTest, GetAddrinfo_BlockDnsQueryWithUidRule) { } } } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverTest, EnforceDnsUid) { TEST_F(ResolverTest, EnforceDnsUid) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr2[] = "::1"; constexpr char listen_addr2[] = "::1"; Loading Loading @@ -6103,9 +6097,7 @@ TEST_F(ResolverTest, GetAddrInfoParallelLookupSleepTime) { EXPECT_EQ(0U, GetNumQueries(dns, kHelloExampleCom)); EXPECT_EQ(0U, GetNumQueries(dns, kHelloExampleCom)); } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverTest, BlockDnsQueryUidDoesNotLeadToBadServer) { TEST_F(ResolverTest, BlockDnsQueryUidDoesNotLeadToBadServer) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr2[] = "::1"; constexpr char listen_addr2[] = "::1"; Loading Loading @@ -6975,7 +6967,11 @@ class ResolverMultinetworkTest : public ResolverTest { public: public: ScopedVirtualNetwork(unsigned netId, ConnectivityType type, INetd* netdSrv, ScopedVirtualNetwork(unsigned netId, ConnectivityType type, INetd* netdSrv, IDnsResolver* dnsResolvSrv, const char* name, bool isSecure) IDnsResolver* dnsResolvSrv, const char* name, bool isSecure) : ScopedNetwork(netId, type, netdSrv, dnsResolvSrv, name), mIsSecure(isSecure) {} : ScopedNetwork(netId, type, netdSrv, dnsResolvSrv, name), mIsSecure(isSecure) { if (android::modules::sdklevel::IsAtLeastT()) { mFw = Firewall::getInstance(); } } ~ScopedVirtualNetwork() { ~ScopedVirtualNetwork() { if (!mVpnIsolationUids.empty()) { if (!mVpnIsolationUids.empty()) { const std::vector<int> tmpUids(mVpnIsolationUids.begin(), mVpnIsolationUids.end()); const std::vector<int> tmpUids(mVpnIsolationUids.begin(), mVpnIsolationUids.end()); Loading @@ -6984,15 +6980,22 @@ class ResolverMultinetworkTest : public ResolverTest { } } // Enable VPN isolation. Ensures that uid can only receive packets on mIfname. // Enable VPN isolation. Ensures that uid can only receive packets on mIfname. Result<void> enableVpnIsolation(int uid) { Result<void> enableVpnIsolation(int uid) { if (auto r = mNetdSrv->firewallAddUidInterfaceRules(mIfname, {uid}); !r.isOk()) { if (android::modules::sdklevel::IsAtLeastT()) { if (auto r = mFw->addUidInterfaceRules(mIfname, {uid}); !r.ok()) { return r; } } else if (auto r = mNetdSrv->firewallAddUidInterfaceRules(mIfname, {uid}); !r.isOk()) { return Error() << r.getMessage(); return Error() << r.getMessage(); } } mVpnIsolationUids.insert(uid); mVpnIsolationUids.insert(uid); return {}; return {}; } } Result<void> disableVpnIsolation(int uid) { Result<void> disableVpnIsolation(int uid) { if (auto r = mNetdSrv->firewallRemoveUidInterfaceRules({static_cast<int>(uid)}); if (android::modules::sdklevel::IsAtLeastT()) { !r.isOk()) { if (auto r = mFw->removeUidInterfaceRules({uid}); !r.ok()) { return r; } } else if (auto r = mNetdSrv->firewallRemoveUidInterfaceRules({uid}); !r.isOk()) { return Error() << r.getMessage(); return Error() << r.getMessage(); } } mVpnIsolationUids.erase(uid); mVpnIsolationUids.erase(uid); Loading Loading @@ -7021,6 +7024,7 @@ class ResolverMultinetworkTest : public ResolverTest { bool mIsSecure = false; bool mIsSecure = false; std::unordered_set<int> mVpnIsolationUids; std::unordered_set<int> mVpnIsolationUids; Firewall* mFw; }; }; void SetUp() override { void SetUp() override { Loading Loading @@ -7354,9 +7358,7 @@ TEST_F(ResolverMultinetworkTest, OneCachePerNetwork) { EXPECT_EQ(GetNumQueries(*dnsPair2->dnsServer, host_name), 1U); EXPECT_EQ(GetNumQueries(*dnsPair2->dnsServer, host_name), 1U); } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverMultinetworkTest, DnsWithVpn) { TEST_F(ResolverMultinetworkTest, DnsWithVpn) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_REMOTE_VERSION_LESS_THAN(mDnsClient.resolvService(), 4); SKIP_IF_REMOTE_VERSION_LESS_THAN(mDnsClient.resolvService(), 4); constexpr char host_name[] = "ohayou.example.com."; constexpr char host_name[] = "ohayou.example.com."; Loading tests/resolv_test_utils.h +24 −8 Original line number Original line Diff line number Diff line Loading @@ -25,6 +25,8 @@ #include <aidl/android/net/INetd.h> #include <aidl/android/net/INetd.h> #include <android-base/properties.h> #include <android-base/properties.h> #include <android-modules-utils/sdk_level.h> #include <firewall.h> #include <gtest/gtest.h> #include <gtest/gtest.h> #include <netdutils/InternetAddresses.h> #include <netdutils/InternetAddresses.h> Loading @@ -41,24 +43,38 @@ class ScopeBlockedUIDRule { // this purpose because netd calls fchown() on the DNS query sockets, and "iptables -m // this purpose because netd calls fchown() on the DNS query sockets, and "iptables -m // owner" matches the UID of the socket creator, not the UID set by fchown(). // owner" matches the UID of the socket creator, not the UID set by fchown(). // TODO: migrate FIREWALL_CHAIN_NONE to eBPF as well. // TODO: migrate FIREWALL_CHAIN_NONE to eBPF as well. EXPECT_TRUE(mNetSrv->firewallEnableChildChain(INetd::FIREWALL_CHAIN_STANDBY, true).isOk()); if (android::modules::sdklevel::IsAtLeastT()) { mFw = Firewall::getInstance(); EXPECT_RESULT_OK(mFw->toggleStandbyMatch(true)); EXPECT_RESULT_OK(mFw->addRule(mTestUid, STANDBY_MATCH)); } else { EXPECT_TRUE( mNetSrv->firewallEnableChildChain(INetd::FIREWALL_CHAIN_STANDBY, true).isOk()); EXPECT_TRUE(mNetSrv->firewallSetUidRule(INetd::FIREWALL_CHAIN_STANDBY, mTestUid, EXPECT_TRUE(mNetSrv->firewallSetUidRule(INetd::FIREWALL_CHAIN_STANDBY, mTestUid, INetd::FIREWALL_RULE_DENY) INetd::FIREWALL_RULE_DENY) .isOk()); .isOk()); } EXPECT_TRUE(seteuid(mTestUid) == 0); EXPECT_TRUE(seteuid(mTestUid) == 0); }; }; ~ScopeBlockedUIDRule() { ~ScopeBlockedUIDRule() { // Restore uid // Restore uid EXPECT_TRUE(seteuid(mSavedUid) == 0); EXPECT_TRUE(seteuid(mSavedUid) == 0); // Remove drop rule for testUid, and disable the standby chain. // Remove drop rule for testUid, and disable the standby chain. if (android::modules::sdklevel::IsAtLeastT()) { EXPECT_RESULT_OK(mFw->removeRule(mTestUid, STANDBY_MATCH)); EXPECT_RESULT_OK(mFw->toggleStandbyMatch(false)); } else { EXPECT_TRUE(mNetSrv->firewallSetUidRule(INetd::FIREWALL_CHAIN_STANDBY, mTestUid, EXPECT_TRUE(mNetSrv->firewallSetUidRule(INetd::FIREWALL_CHAIN_STANDBY, mTestUid, INetd::FIREWALL_RULE_ALLOW) INetd::FIREWALL_RULE_ALLOW) .isOk()); .isOk()); EXPECT_TRUE(mNetSrv->firewallEnableChildChain(INetd::FIREWALL_CHAIN_STANDBY, false).isOk()); EXPECT_TRUE( mNetSrv->firewallEnableChildChain(INetd::FIREWALL_CHAIN_STANDBY, false).isOk()); } } } private: private: INetd* mNetSrv; INetd* mNetSrv; Firewall* mFw; const uid_t mTestUid; const uid_t mTestUid; const uid_t mSavedUid; const uid_t mSavedUid; }; }; Loading Loading
tests/Android.bp +7 −0 Original line number Original line Diff line number Diff line Loading @@ -18,10 +18,16 @@ cc_test_library { ], ], static_libs: [ static_libs: [ "netd_aidl_interface-lateststable-ndk", "netd_aidl_interface-lateststable-ndk", "libconnectivity_native_test_utils", "libmodules-utils-build", "libnetd_test_dnsresponder_ndk", "libnetd_test_dnsresponder_ndk", "libnetdutils", "libnetdutils", "libgmock", "libgmock", ], ], export_static_lib_headers: [ "libconnectivity_native_test_utils", "libmodules-utils-build", ], } } cc_library_host_static { cc_library_host_static { Loading Loading @@ -185,6 +191,7 @@ cc_test { ], ], static_libs: [ static_libs: [ "dnsresolver_aidl_interface-lateststable-ndk", "dnsresolver_aidl_interface-lateststable-ndk", "libconnectivity_native_test_utils", "libcrypto_static", "libcrypto_static", "libgmock", "libgmock", "libmodules-utils-build", "libmodules-utils-build", Loading
tests/resolv_integration_test.cpp +16 −14 Original line number Original line Diff line number Diff line Loading @@ -4319,9 +4319,7 @@ TEST_F(ResolverTest, getDnsNetId) { EXPECT_EQ(500, readResponseCode(fd)); EXPECT_EQ(500, readResponseCode(fd)); } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverTest, BlockDnsQueryWithUidRule) { TEST_F(ResolverTest, BlockDnsQueryWithUidRule) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr2[] = "::1"; constexpr char listen_addr2[] = "::1"; Loading Loading @@ -4369,9 +4367,7 @@ TEST_F(ResolverTest, BlockDnsQueryWithUidRule) { } } } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverTest, GetAddrinfo_BlockDnsQueryWithUidRule) { TEST_F(ResolverTest, GetAddrinfo_BlockDnsQueryWithUidRule) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr2[] = "::1"; constexpr char listen_addr2[] = "::1"; Loading Loading @@ -4421,9 +4417,7 @@ TEST_F(ResolverTest, GetAddrinfo_BlockDnsQueryWithUidRule) { } } } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverTest, EnforceDnsUid) { TEST_F(ResolverTest, EnforceDnsUid) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr2[] = "::1"; constexpr char listen_addr2[] = "::1"; Loading Loading @@ -6103,9 +6097,7 @@ TEST_F(ResolverTest, GetAddrInfoParallelLookupSleepTime) { EXPECT_EQ(0U, GetNumQueries(dns, kHelloExampleCom)); EXPECT_EQ(0U, GetNumQueries(dns, kHelloExampleCom)); } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverTest, BlockDnsQueryUidDoesNotLeadToBadServer) { TEST_F(ResolverTest, BlockDnsQueryUidDoesNotLeadToBadServer) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr1[] = "127.0.0.4"; constexpr char listen_addr2[] = "::1"; constexpr char listen_addr2[] = "::1"; Loading Loading @@ -6975,7 +6967,11 @@ class ResolverMultinetworkTest : public ResolverTest { public: public: ScopedVirtualNetwork(unsigned netId, ConnectivityType type, INetd* netdSrv, ScopedVirtualNetwork(unsigned netId, ConnectivityType type, INetd* netdSrv, IDnsResolver* dnsResolvSrv, const char* name, bool isSecure) IDnsResolver* dnsResolvSrv, const char* name, bool isSecure) : ScopedNetwork(netId, type, netdSrv, dnsResolvSrv, name), mIsSecure(isSecure) {} : ScopedNetwork(netId, type, netdSrv, dnsResolvSrv, name), mIsSecure(isSecure) { if (android::modules::sdklevel::IsAtLeastT()) { mFw = Firewall::getInstance(); } } ~ScopedVirtualNetwork() { ~ScopedVirtualNetwork() { if (!mVpnIsolationUids.empty()) { if (!mVpnIsolationUids.empty()) { const std::vector<int> tmpUids(mVpnIsolationUids.begin(), mVpnIsolationUids.end()); const std::vector<int> tmpUids(mVpnIsolationUids.begin(), mVpnIsolationUids.end()); Loading @@ -6984,15 +6980,22 @@ class ResolverMultinetworkTest : public ResolverTest { } } // Enable VPN isolation. Ensures that uid can only receive packets on mIfname. // Enable VPN isolation. Ensures that uid can only receive packets on mIfname. Result<void> enableVpnIsolation(int uid) { Result<void> enableVpnIsolation(int uid) { if (auto r = mNetdSrv->firewallAddUidInterfaceRules(mIfname, {uid}); !r.isOk()) { if (android::modules::sdklevel::IsAtLeastT()) { if (auto r = mFw->addUidInterfaceRules(mIfname, {uid}); !r.ok()) { return r; } } else if (auto r = mNetdSrv->firewallAddUidInterfaceRules(mIfname, {uid}); !r.isOk()) { return Error() << r.getMessage(); return Error() << r.getMessage(); } } mVpnIsolationUids.insert(uid); mVpnIsolationUids.insert(uid); return {}; return {}; } } Result<void> disableVpnIsolation(int uid) { Result<void> disableVpnIsolation(int uid) { if (auto r = mNetdSrv->firewallRemoveUidInterfaceRules({static_cast<int>(uid)}); if (android::modules::sdklevel::IsAtLeastT()) { !r.isOk()) { if (auto r = mFw->removeUidInterfaceRules({uid}); !r.ok()) { return r; } } else if (auto r = mNetdSrv->firewallRemoveUidInterfaceRules({uid}); !r.isOk()) { return Error() << r.getMessage(); return Error() << r.getMessage(); } } mVpnIsolationUids.erase(uid); mVpnIsolationUids.erase(uid); Loading Loading @@ -7021,6 +7024,7 @@ class ResolverMultinetworkTest : public ResolverTest { bool mIsSecure = false; bool mIsSecure = false; std::unordered_set<int> mVpnIsolationUids; std::unordered_set<int> mVpnIsolationUids; Firewall* mFw; }; }; void SetUp() override { void SetUp() override { Loading Loading @@ -7354,9 +7358,7 @@ TEST_F(ResolverMultinetworkTest, OneCachePerNetwork) { EXPECT_EQ(GetNumQueries(*dnsPair2->dnsServer, host_name), 1U); EXPECT_EQ(GetNumQueries(*dnsPair2->dnsServer, host_name), 1U); } } // TODO(b/219434602): find an alternative way to block DNS packets on T+. TEST_F(ResolverMultinetworkTest, DnsWithVpn) { TEST_F(ResolverMultinetworkTest, DnsWithVpn) { if (android::modules::sdklevel::IsAtLeastT()) GTEST_SKIP() << "T+ device."; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_BPF_NOT_SUPPORTED; SKIP_IF_REMOTE_VERSION_LESS_THAN(mDnsClient.resolvService(), 4); SKIP_IF_REMOTE_VERSION_LESS_THAN(mDnsClient.resolvService(), 4); constexpr char host_name[] = "ohayou.example.com."; constexpr char host_name[] = "ohayou.example.com."; Loading
tests/resolv_test_utils.h +24 −8 Original line number Original line Diff line number Diff line Loading @@ -25,6 +25,8 @@ #include <aidl/android/net/INetd.h> #include <aidl/android/net/INetd.h> #include <android-base/properties.h> #include <android-base/properties.h> #include <android-modules-utils/sdk_level.h> #include <firewall.h> #include <gtest/gtest.h> #include <gtest/gtest.h> #include <netdutils/InternetAddresses.h> #include <netdutils/InternetAddresses.h> Loading @@ -41,24 +43,38 @@ class ScopeBlockedUIDRule { // this purpose because netd calls fchown() on the DNS query sockets, and "iptables -m // this purpose because netd calls fchown() on the DNS query sockets, and "iptables -m // owner" matches the UID of the socket creator, not the UID set by fchown(). // owner" matches the UID of the socket creator, not the UID set by fchown(). // TODO: migrate FIREWALL_CHAIN_NONE to eBPF as well. // TODO: migrate FIREWALL_CHAIN_NONE to eBPF as well. EXPECT_TRUE(mNetSrv->firewallEnableChildChain(INetd::FIREWALL_CHAIN_STANDBY, true).isOk()); if (android::modules::sdklevel::IsAtLeastT()) { mFw = Firewall::getInstance(); EXPECT_RESULT_OK(mFw->toggleStandbyMatch(true)); EXPECT_RESULT_OK(mFw->addRule(mTestUid, STANDBY_MATCH)); } else { EXPECT_TRUE( mNetSrv->firewallEnableChildChain(INetd::FIREWALL_CHAIN_STANDBY, true).isOk()); EXPECT_TRUE(mNetSrv->firewallSetUidRule(INetd::FIREWALL_CHAIN_STANDBY, mTestUid, EXPECT_TRUE(mNetSrv->firewallSetUidRule(INetd::FIREWALL_CHAIN_STANDBY, mTestUid, INetd::FIREWALL_RULE_DENY) INetd::FIREWALL_RULE_DENY) .isOk()); .isOk()); } EXPECT_TRUE(seteuid(mTestUid) == 0); EXPECT_TRUE(seteuid(mTestUid) == 0); }; }; ~ScopeBlockedUIDRule() { ~ScopeBlockedUIDRule() { // Restore uid // Restore uid EXPECT_TRUE(seteuid(mSavedUid) == 0); EXPECT_TRUE(seteuid(mSavedUid) == 0); // Remove drop rule for testUid, and disable the standby chain. // Remove drop rule for testUid, and disable the standby chain. if (android::modules::sdklevel::IsAtLeastT()) { EXPECT_RESULT_OK(mFw->removeRule(mTestUid, STANDBY_MATCH)); EXPECT_RESULT_OK(mFw->toggleStandbyMatch(false)); } else { EXPECT_TRUE(mNetSrv->firewallSetUidRule(INetd::FIREWALL_CHAIN_STANDBY, mTestUid, EXPECT_TRUE(mNetSrv->firewallSetUidRule(INetd::FIREWALL_CHAIN_STANDBY, mTestUid, INetd::FIREWALL_RULE_ALLOW) INetd::FIREWALL_RULE_ALLOW) .isOk()); .isOk()); EXPECT_TRUE(mNetSrv->firewallEnableChildChain(INetd::FIREWALL_CHAIN_STANDBY, false).isOk()); EXPECT_TRUE( mNetSrv->firewallEnableChildChain(INetd::FIREWALL_CHAIN_STANDBY, false).isOk()); } } } private: private: INetd* mNetSrv; INetd* mNetSrv; Firewall* mFw; const uid_t mTestUid; const uid_t mTestUid; const uid_t mSavedUid; const uid_t mSavedUid; }; }; Loading
