diff options
7 files changed, 256 insertions, 21 deletions
diff --git a/core/java/android/net/NetworkPolicyManager.java b/core/java/android/net/NetworkPolicyManager.java index ce16a7835179..36348b365158 100644 --- a/core/java/android/net/NetworkPolicyManager.java +++ b/core/java/android/net/NetworkPolicyManager.java @@ -122,17 +122,26 @@ public class NetworkPolicyManager { * @hide */ public static final int RULE_REJECT_ALL = 1 << 6; + /** + * Reject traffic on all networks for restricted networking mode. + */ + public static final int RULE_REJECT_RESTRICTED_MODE = 1 << 10; /** * Mask used to get the {@code RULE_xxx_METERED} rules * @hide */ - public static final int MASK_METERED_NETWORKS = 0b00001111; + public static final int MASK_METERED_NETWORKS = 0b000000001111; /** * Mask used to get the {@code RULE_xxx_ALL} rules * @hide */ - public static final int MASK_ALL_NETWORKS = 0b11110000; + public static final int MASK_ALL_NETWORKS = 0b000011110000; + /** + * Mask used to get the {@code RULE_xxx_RESTRICTED_MODE} rules + * @hide + */ + public static final int MASK_RESTRICTED_MODE_NETWORKS = 0b111100000000; /** @hide */ public static final int FIREWALL_RULE_DEFAULT = 0; diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java index 1e14e3a4a701..4086161603a4 100755 --- a/core/java/android/provider/Settings.java +++ b/core/java/android/provider/Settings.java @@ -14406,6 +14406,17 @@ public final class Settings { */ public static final String NR_NSA_TRACKING_SCREEN_OFF_MODE = "nr_nsa_tracking_screen_off_mode"; + + /** + * Used to enable / disable the Restricted Networking Mode in which network access is + * restricted to apps holding the CONNECTIVITY_USE_RESTRICTED_NETWORKS permission. + * + * Values are: + * 0: disabled + * 1: enabled + * @hide + */ + public static final String RESTRICTED_NETWORKING_MODE = "restricted_networking_mode"; } /** diff --git a/packages/SettingsProvider/src/android/provider/settings/validators/GlobalSettingsValidators.java b/packages/SettingsProvider/src/android/provider/settings/validators/GlobalSettingsValidators.java index dd94d2eb8fe0..c559678d4005 100644 --- a/packages/SettingsProvider/src/android/provider/settings/validators/GlobalSettingsValidators.java +++ b/packages/SettingsProvider/src/android/provider/settings/validators/GlobalSettingsValidators.java @@ -149,5 +149,6 @@ public class GlobalSettingsValidators { VALIDATORS.put(Global.CUSTOM_BUGREPORT_HANDLER_APP, ANY_STRING_VALIDATOR); VALIDATORS.put(Global.CUSTOM_BUGREPORT_HANDLER_USER, ANY_INTEGER_VALIDATOR); VALIDATORS.put(Global.DEVELOPMENT_SETTINGS_ENABLED, BOOLEAN_VALIDATOR); + VALIDATORS.put(Global.RESTRICTED_NETWORKING_MODE, BOOLEAN_VALIDATOR); } } diff --git a/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java b/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java index 5ecb17102438..1345c3f071c7 100644 --- a/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java +++ b/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java @@ -420,6 +420,7 @@ public class SettingsBackupTest { Settings.Global.RADIO_WIMAX, Settings.Global.RECOMMENDED_NETWORK_EVALUATOR_CACHE_EXPIRY_MS, Settings.Global.READ_EXTERNAL_STORAGE_ENFORCED_DEFAULT, + Settings.Global.RESTRICTED_NETWORKING_MODE, Settings.Global.REQUIRE_PASSWORD_TO_DECRYPT, Settings.Global.SAFE_BOOT_DISALLOWED, Settings.Global.SELINUX_STATUS, diff --git a/services/core/java/com/android/server/net/NetworkPolicyLogger.java b/services/core/java/com/android/server/net/NetworkPolicyLogger.java index 5bd352c8f8e8..676f4218f745 100644 --- a/services/core/java/com/android/server/net/NetworkPolicyLogger.java +++ b/services/core/java/com/android/server/net/NetworkPolicyLogger.java @@ -78,6 +78,7 @@ public class NetworkPolicyLogger { static final int NTWK_BLOCKED_BG_RESTRICT = 5; static final int NTWK_ALLOWED_DEFAULT = 6; static final int NTWK_ALLOWED_SYSTEM = 7; + static final int NTWK_BLOCKED_RESTRICTED_MODE = 8; private final LogBuffer mNetworkBlockedBuffer = new LogBuffer(MAX_NETWORK_BLOCKED_LOG_SIZE); private final LogBuffer mUidStateChangeBuffer = new LogBuffer(MAX_LOG_SIZE); @@ -281,6 +282,8 @@ public class NetworkPolicyLogger { return "blocked when background is restricted"; case NTWK_ALLOWED_DEFAULT: return "allowed by default"; + case NTWK_BLOCKED_RESTRICTED_MODE: + return "blocked by restricted networking mode"; default: return String.valueOf(reason); } diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java index a039215487f8..fc94ebaa96b4 100644 --- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java +++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java @@ -18,6 +18,7 @@ package com.android.server.net; import static android.Manifest.permission.ACCESS_NETWORK_STATE; import static android.Manifest.permission.CONNECTIVITY_INTERNAL; +import static android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS; import static android.Manifest.permission.MANAGE_NETWORK_POLICY; import static android.Manifest.permission.MANAGE_SUBSCRIPTION_PLANS; import static android.Manifest.permission.NETWORK_SETTINGS; @@ -44,6 +45,7 @@ import static android.net.ConnectivityManager.RESTRICT_BACKGROUND_STATUS_WHITELI import static android.net.ConnectivityManager.TYPE_MOBILE; import static android.net.INetd.FIREWALL_CHAIN_DOZABLE; import static android.net.INetd.FIREWALL_CHAIN_POWERSAVE; +import static android.net.INetd.FIREWALL_CHAIN_RESTRICTED; import static android.net.INetd.FIREWALL_CHAIN_STANDBY; import static android.net.INetd.FIREWALL_RULE_ALLOW; import static android.net.INetd.FIREWALL_RULE_DENY; @@ -57,6 +59,7 @@ import static android.net.NetworkPolicyManager.EXTRA_NETWORK_TEMPLATE; import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT; import static android.net.NetworkPolicyManager.MASK_ALL_NETWORKS; import static android.net.NetworkPolicyManager.MASK_METERED_NETWORKS; +import static android.net.NetworkPolicyManager.MASK_RESTRICTED_MODE_NETWORKS; import static android.net.NetworkPolicyManager.POLICY_ALLOW_METERED_BACKGROUND; import static android.net.NetworkPolicyManager.POLICY_NONE; import static android.net.NetworkPolicyManager.POLICY_REJECT_METERED_BACKGROUND; @@ -65,12 +68,14 @@ import static android.net.NetworkPolicyManager.RULE_ALLOW_METERED; import static android.net.NetworkPolicyManager.RULE_NONE; import static android.net.NetworkPolicyManager.RULE_REJECT_ALL; import static android.net.NetworkPolicyManager.RULE_REJECT_METERED; +import static android.net.NetworkPolicyManager.RULE_REJECT_RESTRICTED_MODE; import static android.net.NetworkPolicyManager.RULE_TEMPORARY_ALLOW_METERED; import static android.net.NetworkPolicyManager.isProcStateAllowedWhileIdleOrPowerSaveMode; import static android.net.NetworkPolicyManager.isProcStateAllowedWhileOnRestrictBackground; import static android.net.NetworkPolicyManager.resolveNetworkId; import static android.net.NetworkPolicyManager.uidPoliciesToString; import static android.net.NetworkPolicyManager.uidRulesToString; +import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK; import static android.net.NetworkTemplate.MATCH_MOBILE; import static android.net.NetworkTemplate.MATCH_WIFI; import static android.net.NetworkTemplate.buildTemplateMobileAll; @@ -111,6 +116,7 @@ import static com.android.server.net.NetworkPolicyLogger.NTWK_ALLOWED_TMP_ALLOWL import static com.android.server.net.NetworkPolicyLogger.NTWK_BLOCKED_BG_RESTRICT; import static com.android.server.net.NetworkPolicyLogger.NTWK_BLOCKED_DENYLIST; import static com.android.server.net.NetworkPolicyLogger.NTWK_BLOCKED_POWER; +import static com.android.server.net.NetworkPolicyLogger.NTWK_BLOCKED_RESTRICTED_MODE; import static com.android.server.net.NetworkStatsService.ACTION_NETWORK_STATS_UPDATED; import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT; @@ -445,7 +451,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { @GuardedBy("mUidRulesFirstLock") volatile boolean mRestrictPower; @GuardedBy("mUidRulesFirstLock") volatile boolean mDeviceIdleMode; // Store whether user flipped restrict background in battery saver mode - @GuardedBy("mUidRulesFirstLock") volatile boolean mRestrictBackgroundChangedInBsm; + @GuardedBy("mUidRulesFirstLock") + volatile boolean mRestrictBackgroundChangedInBsm; + @GuardedBy("mUidRulesFirstLock") + volatile boolean mRestrictedNetworkingMode; private final boolean mSuppressDefaultPolicy; @@ -479,6 +488,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { final SparseIntArray mUidFirewallDozableRules = new SparseIntArray(); @GuardedBy("mUidRulesFirstLock") final SparseIntArray mUidFirewallPowerSaveRules = new SparseIntArray(); + @GuardedBy("mUidRulesFirstLock") + final SparseIntArray mUidFirewallRestrictedModeRules = new SparseIntArray(); /** Set of states for the child firewall chains. True if the chain is active. */ @GuardedBy("mUidRulesFirstLock") @@ -786,6 +797,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { mRestrictPower = mPowerManagerInternal.getLowPowerState( ServiceType.NETWORK_FIREWALL).batterySaverEnabled; + mRestrictedNetworkingMode = Settings.Global.getInt( + mContext.getContentResolver(), + Settings.Global.RESTRICTED_NETWORKING_MODE, 0) != 0; + mSystemReady = true; waitForAdminData(); @@ -3501,6 +3516,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { fout.print("Restrict background: "); fout.println(mRestrictBackground); fout.print("Restrict power: "); fout.println(mRestrictPower); fout.print("Device idle: "); fout.println(mDeviceIdleMode); + fout.print("Restricted networking mode: "); fout.println(mRestrictedNetworkingMode); synchronized (mMeteredIfacesLock) { fout.print("Metered ifaces: "); fout.println(mMeteredIfaces); @@ -3812,6 +3828,93 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { } } + /** + * updates restricted mode state / access for all apps + * Called on initialization and when restricted mode is enabled / disabled. + */ + @VisibleForTesting + @GuardedBy("mUidRulesFirstLock") + void updateRestrictedModeAllowlistUL() { + mUidFirewallRestrictedModeRules.clear(); + forEachUid("updateRestrictedModeAllowlist", uid -> { + final int oldUidRule = mUidRules.get(uid); + final int newUidRule = getNewRestrictedModeUidRule(uid, oldUidRule); + final boolean hasUidRuleChanged = oldUidRule != newUidRule; + final int newFirewallRule = getRestrictedModeFirewallRule(newUidRule); + + // setUidFirewallRulesUL will allowlist all uids that are passed to it, so only add + // non-default rules. + if (newFirewallRule != FIREWALL_RULE_DEFAULT) { + mUidFirewallRestrictedModeRules.append(uid, newFirewallRule); + } + + if (hasUidRuleChanged) { + mUidRules.put(uid, newUidRule); + mHandler.obtainMessage(MSG_RULES_CHANGED, uid, newUidRule).sendToTarget(); + } + }); + if (mRestrictedNetworkingMode) { + // firewall rules only need to be set when this mode is being enabled. + setUidFirewallRulesUL(FIREWALL_CHAIN_RESTRICTED, mUidFirewallRestrictedModeRules); + } + enableFirewallChainUL(FIREWALL_CHAIN_RESTRICTED, mRestrictedNetworkingMode); + } + + // updates restricted mode state / access for a single app / uid. + @VisibleForTesting + @GuardedBy("mUidRulesFirstLock") + void updateRestrictedModeForUidUL(int uid) { + final int oldUidRule = mUidRules.get(uid); + final int newUidRule = getNewRestrictedModeUidRule(uid, oldUidRule); + final boolean hasUidRuleChanged = oldUidRule != newUidRule; + + if (hasUidRuleChanged) { + mUidRules.put(uid, newUidRule); + mHandler.obtainMessage(MSG_RULES_CHANGED, uid, newUidRule).sendToTarget(); + } + + // if restricted networking mode is on, and the app has an access exemption, the uid rule + // will not change, but the firewall rule will have to be updated. + if (mRestrictedNetworkingMode) { + // Note: setUidFirewallRule also updates mUidFirewallRestrictedModeRules. + // In this case, default firewall rules can also be added. + setUidFirewallRule(FIREWALL_CHAIN_RESTRICTED, uid, + getRestrictedModeFirewallRule(newUidRule)); + } + } + + private int getNewRestrictedModeUidRule(int uid, int oldUidRule) { + int newRule = oldUidRule; + newRule &= ~MASK_RESTRICTED_MODE_NETWORKS; + if (mRestrictedNetworkingMode && !hasRestrictedModeAccess(uid)) { + newRule |= RULE_REJECT_RESTRICTED_MODE; + } + return newRule; + } + + private static int getRestrictedModeFirewallRule(int uidRule) { + if ((uidRule & RULE_REJECT_RESTRICTED_MODE) != 0) { + // rejected in restricted mode, this is the default behavior. + return FIREWALL_RULE_DEFAULT; + } else { + return FIREWALL_RULE_ALLOW; + } + } + + private boolean hasRestrictedModeAccess(int uid) { + try { + // TODO: this needs to be kept in sync with + // PermissionMonitor#hasRestrictedNetworkPermission + return mIPm.checkUidPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, uid) + == PERMISSION_GRANTED + || mIPm.checkUidPermission(NETWORK_STACK, uid) == PERMISSION_GRANTED + || mIPm.checkUidPermission(PERMISSION_MAINLINE_NETWORK_STACK, uid) + == PERMISSION_GRANTED; + } catch (RemoteException e) { + return false; + } + } + @GuardedBy("mUidRulesFirstLock") void updateRulesForPowerSaveUL() { Trace.traceBegin(Trace.TRACE_TAG_NETWORK, "updateRulesForPowerSaveUL"); @@ -4033,6 +4136,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { updateRulesForAppIdleUL(); updateRulesForRestrictPowerUL(); updateRulesForRestrictBackgroundUL(); + updateRestrictedModeAllowlistUL(); // If the set of restricted networks may have changed, re-evaluate those. if (restrictedNetworksChanged) { @@ -4249,6 +4353,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { mPowerSaveWhitelistAppIds.delete(uid); mPowerSaveTempWhitelistAppIds.delete(uid); mAppIdleTempWhitelistAppIds.delete(uid); + mUidFirewallRestrictedModeRules.delete(uid); // ...then update iptables asynchronously. mHandler.obtainMessage(MSG_RESET_FIREWALL_RULES_BY_UID, uid, 0).sendToTarget(); @@ -4274,6 +4379,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { updateRuleForAppIdleUL(uid); updateRuleForRestrictPowerUL(uid); + // If the uid has the necessary permissions, then it should be added to the restricted mode + // firewall allowlist. + updateRestrictedModeForUidUL(uid); + // Update internal state for power-related modes. updateRulesForPowerRestrictionsUL(uid); @@ -4999,6 +5108,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { mUidFirewallStandbyRules.put(uid, rule); } else if (chain == FIREWALL_CHAIN_POWERSAVE) { mUidFirewallPowerSaveRules.put(uid, rule); + } else if (chain == FIREWALL_CHAIN_RESTRICTED) { + mUidFirewallRestrictedModeRules.put(uid, rule); } try { @@ -5044,6 +5155,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { mNetworkManager.setFirewallUidRule(FIREWALL_CHAIN_STANDBY, uid, FIREWALL_RULE_DEFAULT); mNetworkManager .setFirewallUidRule(FIREWALL_CHAIN_POWERSAVE, uid, FIREWALL_RULE_DEFAULT); + mNetworkManager + .setFirewallUidRule(FIREWALL_CHAIN_RESTRICTED, uid, FIREWALL_RULE_DEFAULT); mNetworkManager.setUidOnMeteredNetworkAllowlist(uid, false); mNetworkManager.setUidOnMeteredNetworkDenylist(uid, false); } catch (IllegalStateException e) { @@ -5230,26 +5343,21 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { // Networks are never blocked for system components if (isSystem(uid)) { reason = NTWK_ALLOWED_SYSTEM; - } - else if (hasRule(uidRules, RULE_REJECT_ALL)) { + } else if (hasRule(uidRules, RULE_REJECT_RESTRICTED_MODE)) { + reason = NTWK_BLOCKED_RESTRICTED_MODE; + } else if (hasRule(uidRules, RULE_REJECT_ALL)) { reason = NTWK_BLOCKED_POWER; - } - else if (!isNetworkMetered) { + } else if (!isNetworkMetered) { reason = NTWK_ALLOWED_NON_METERED; - } - else if (hasRule(uidRules, RULE_REJECT_METERED)) { + } else if (hasRule(uidRules, RULE_REJECT_METERED)) { reason = NTWK_BLOCKED_DENYLIST; - } - else if (hasRule(uidRules, RULE_ALLOW_METERED)) { + } else if (hasRule(uidRules, RULE_ALLOW_METERED)) { reason = NTWK_ALLOWED_ALLOWLIST; - } - else if (hasRule(uidRules, RULE_TEMPORARY_ALLOW_METERED)) { + } else if (hasRule(uidRules, RULE_TEMPORARY_ALLOW_METERED)) { reason = NTWK_ALLOWED_TMP_ALLOWLIST; - } - else if (isBackgroundRestricted) { + } else if (isBackgroundRestricted) { reason = NTWK_BLOCKED_BG_RESTRICT; - } - else { + } else { reason = NTWK_ALLOWED_DEFAULT; } @@ -5262,6 +5370,7 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub { case NTWK_ALLOWED_SYSTEM: blocked = false; break; + case NTWK_BLOCKED_RESTRICTED_MODE: case NTWK_BLOCKED_POWER: case NTWK_BLOCKED_DENYLIST: case NTWK_BLOCKED_BG_RESTRICT: diff --git a/services/tests/servicestests/src/com/android/server/net/NetworkPolicyManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/net/NetworkPolicyManagerServiceTest.java index fec0273383e7..4db7ce2e6ef5 100644 --- a/services/tests/servicestests/src/com/android/server/net/NetworkPolicyManagerServiceTest.java +++ b/services/tests/servicestests/src/com/android/server/net/NetworkPolicyManagerServiceTest.java @@ -16,13 +16,18 @@ package com.android.server.net; +import static android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS; +import static android.Manifest.permission.NETWORK_STACK; import static android.net.ConnectivityManager.CONNECTIVITY_ACTION; import static android.net.ConnectivityManager.TYPE_WIFI; +import static android.net.INetd.FIREWALL_CHAIN_RESTRICTED; +import static android.net.INetd.FIREWALL_RULE_ALLOW; import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_ROAMING; import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR; import static android.net.NetworkPolicy.LIMIT_DISABLED; import static android.net.NetworkPolicy.SNOOZE_NEVER; import static android.net.NetworkPolicy.WARNING_DISABLED; +import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT; import static android.net.NetworkPolicyManager.POLICY_ALLOW_METERED_BACKGROUND; import static android.net.NetworkPolicyManager.POLICY_NONE; import static android.net.NetworkPolicyManager.POLICY_REJECT_METERED_BACKGROUND; @@ -34,6 +39,7 @@ import static android.net.NetworkPolicyManager.RULE_REJECT_METERED; import static android.net.NetworkPolicyManager.RULE_TEMPORARY_ALLOW_METERED; import static android.net.NetworkPolicyManager.uidPoliciesToString; import static android.net.NetworkPolicyManager.uidRulesToString; +import static android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK; import static android.net.NetworkStats.IFACE_ALL; import static android.net.NetworkStats.SET_ALL; import static android.net.NetworkStats.TAG_ALL; @@ -74,6 +80,7 @@ import static org.mockito.ArgumentMatchers.eq; import static org.mockito.ArgumentMatchers.isA; import static org.mockito.Mockito.atLeast; import static org.mockito.Mockito.atLeastOnce; +import static org.mockito.Mockito.clearInvocations; import static org.mockito.Mockito.doAnswer; import static org.mockito.Mockito.doNothing; import static org.mockito.Mockito.mock; @@ -97,6 +104,7 @@ import android.content.pm.IPackageManager; import android.content.pm.PackageInfo; import android.content.pm.PackageManager; import android.content.pm.Signature; +import android.content.pm.UserInfo; import android.net.ConnectivityManager; import android.net.IConnectivityManager; import android.net.INetworkManagementEventObserver; @@ -123,6 +131,7 @@ import android.os.RemoteException; import android.os.SimpleClock; import android.os.SystemClock; import android.os.UserHandle; +import android.os.UserManager; import android.platform.test.annotations.Presubmit; import android.telephony.CarrierConfigManager; import android.telephony.SubscriptionInfo; @@ -131,6 +140,7 @@ import android.telephony.SubscriptionPlan; import android.telephony.TelephonyManager; import android.test.suitebuilder.annotation.MediumTest; import android.text.TextUtils; +import android.util.ArrayMap; import android.util.DataUnit; import android.util.Log; import android.util.Pair; @@ -187,6 +197,7 @@ import java.util.Calendar; import java.util.Iterator; import java.util.LinkedHashSet; import java.util.List; +import java.util.Map; import java.util.TimeZone; import java.util.concurrent.CountDownLatch; import java.util.concurrent.ExecutionException; @@ -240,6 +251,7 @@ public class NetworkPolicyManagerServiceTest { private @Mock SubscriptionManager mSubscriptionManager; private @Mock CarrierConfigManager mCarrierConfigManager; private @Mock TelephonyManager mTelephonyManager; + private @Mock UserManager mUserManager; private ArgumentCaptor<ConnectivityManager.NetworkCallback> mNetworkCallbackCaptor = ArgumentCaptor.forClass(ConnectivityManager.NetworkCallback.class); @@ -351,6 +363,8 @@ public class NetworkPolicyManagerServiceTest { return mNotifManager; case Context.CONNECTIVITY_SERVICE: return mConnectivityManager; + case Context.USER_SERVICE: + return mUserManager; default: return super.getSystemService(name); } @@ -407,11 +421,14 @@ public class NetworkPolicyManagerServiceTest { when(mPackageManager.getPackagesForUid(UID_B)).thenReturn(new String[] {PKG_NAME_B}); when(mPackageManager.getPackagesForUid(UID_C)).thenReturn(new String[] {PKG_NAME_C}); when(mPackageManager.getApplicationInfo(eq(PKG_NAME_A), anyInt())) - .thenReturn(buildApplicationInfo(PKG_NAME_A)); + .thenReturn(buildApplicationInfo(PKG_NAME_A, UID_A)); when(mPackageManager.getApplicationInfo(eq(PKG_NAME_B), anyInt())) - .thenReturn(buildApplicationInfo(PKG_NAME_B)); + .thenReturn(buildApplicationInfo(PKG_NAME_B, UID_B)); when(mPackageManager.getApplicationInfo(eq(PKG_NAME_C), anyInt())) - .thenReturn(buildApplicationInfo(PKG_NAME_C)); + .thenReturn(buildApplicationInfo(PKG_NAME_C, UID_C)); + when(mPackageManager.getInstalledApplications(anyInt())).thenReturn( + buildInstalledApplicationInfoList()); + when(mUserManager.getUsers()).thenReturn(buildUserInfoList()); when(mNetworkManager.isBandwidthControlEnabled()).thenReturn(true); when(mNetworkManager.setDataSaverModeEnabled(anyBoolean())).thenReturn(true); doNothing().when(mConnectivityManager) @@ -1874,6 +1891,66 @@ public class NetworkPolicyManagerServiceTest { } } + private void enableRestrictedMode(boolean enable) throws Exception { + mService.mRestrictedNetworkingMode = enable; + mService.updateRestrictedModeAllowlistUL(); + verify(mNetworkManager).setFirewallChainEnabled(FIREWALL_CHAIN_RESTRICTED, + enable); + } + + @Test + public void testUpdateRestrictedModeAllowlist() throws Exception { + // initialization calls setFirewallChainEnabled, so we want to reset the invocations. + clearInvocations(mNetworkManager); + expectHasUseRestrictedNetworksPermission(UID_A, true); + expectHasUseRestrictedNetworksPermission(UID_B, false); + + Map<Integer, Integer> firewallUidRules = new ArrayMap<>(); + doAnswer(arg -> { + int[] uids = arg.getArgument(1); + int[] rules = arg.getArgument(2); + assertTrue(uids.length == rules.length); + + for (int i = 0; i < uids.length; ++i) { + firewallUidRules.put(uids[i], rules[i]); + } + return null; + }).when(mNetworkManager).setFirewallUidRules(eq(FIREWALL_CHAIN_RESTRICTED), + any(int[].class), any(int[].class)); + + enableRestrictedMode(true); + assertEquals(FIREWALL_RULE_ALLOW, firewallUidRules.get(UID_A).intValue()); + assertFalse(mService.isUidNetworkingBlocked(UID_A, false)); + assertTrue(mService.isUidNetworkingBlocked(UID_B, false)); + + enableRestrictedMode(false); + assertFalse(mService.isUidNetworkingBlocked(UID_A, false)); + assertFalse(mService.isUidNetworkingBlocked(UID_B, false)); + } + + @Test + public void testUpdateRestrictedModeForUid() throws Exception { + // initialization calls setFirewallChainEnabled, so we want to reset the invocations. + clearInvocations(mNetworkManager); + expectHasUseRestrictedNetworksPermission(UID_A, true); + expectHasUseRestrictedNetworksPermission(UID_B, false); + enableRestrictedMode(true); + + // UID_D and UID_E are not part of installed applications list, so it won't have any + // firewall rules set yet + expectHasUseRestrictedNetworksPermission(UID_D, false); + mService.updateRestrictedModeForUidUL(UID_D); + verify(mNetworkManager).setFirewallUidRule(FIREWALL_CHAIN_RESTRICTED, UID_D, + FIREWALL_RULE_DEFAULT); + assertTrue(mService.isUidNetworkingBlocked(UID_D, false)); + + expectHasUseRestrictedNetworksPermission(UID_E, true); + mService.updateRestrictedModeForUidUL(UID_E); + verify(mNetworkManager).setFirewallUidRule(FIREWALL_CHAIN_RESTRICTED, UID_E, + FIREWALL_RULE_ALLOW); + assertFalse(mService.isUidNetworkingBlocked(UID_E, false)); + } + private String formatBlockedStateError(int uid, int rule, boolean metered, boolean backgroundRestricted) { return String.format( @@ -1888,12 +1965,27 @@ public class NetworkPolicyManagerServiceTest { .build(); } - private ApplicationInfo buildApplicationInfo(String label) { + private ApplicationInfo buildApplicationInfo(String label, int uid) { final ApplicationInfo ai = new ApplicationInfo(); ai.nonLocalizedLabel = label; + ai.uid = uid; return ai; } + private List<ApplicationInfo> buildInstalledApplicationInfoList() { + final List<ApplicationInfo> installedApps = new ArrayList<>(); + installedApps.add(buildApplicationInfo(PKG_NAME_A, UID_A)); + installedApps.add(buildApplicationInfo(PKG_NAME_B, UID_B)); + installedApps.add(buildApplicationInfo(PKG_NAME_C, UID_C)); + return installedApps; + } + + private List<UserInfo> buildUserInfoList() { + final List<UserInfo> users = new ArrayList<>(); + users.add(new UserInfo(USER_ID, "user1", 0)); + return users; + } + private NetworkInfo buildNetworkInfo() { final NetworkInfo ni = new NetworkInfo(ConnectivityManager.TYPE_MOBILE, TelephonyManager.NETWORK_TYPE_LTE, null, null); @@ -1967,6 +2059,15 @@ public class NetworkPolicyManagerServiceTest { hasIt ? PackageManager.PERMISSION_GRANTED : PackageManager.PERMISSION_DENIED); } + private void expectHasUseRestrictedNetworksPermission(int uid, boolean hasIt) throws Exception { + when(mIpm.checkUidPermission(CONNECTIVITY_USE_RESTRICTED_NETWORKS, uid)).thenReturn( + hasIt ? PackageManager.PERMISSION_GRANTED : PackageManager.PERMISSION_DENIED); + when(mIpm.checkUidPermission(NETWORK_STACK, uid)).thenReturn( + PackageManager.PERMISSION_DENIED); + when(mIpm.checkUidPermission(PERMISSION_MAINLINE_NETWORK_STACK, uid)).thenReturn( + PackageManager.PERMISSION_DENIED); + } + private void expectNetworkState(boolean roaming) throws Exception { when(mCarrierConfigManager.getConfigForSubId(eq(TEST_SUB_ID))) .thenReturn(mCarrierConfig); |