diff options
author | Ken Chen <cken@google.com> | 2022-12-22 15:11:39 +0800 |
---|---|---|
committer | Ken Chen <cken@google.com> | 2022-12-24 12:27:26 +0800 |
commit | 0c209f8c6bab3513a1ec23077acefead8e0b4eea (patch) | |
tree | 45dbdf5b8c6b6f492672fa608ba74430753deead /tests | |
parent | f9c4679e6a18e5e4cc5abada26271cf5ee847774 (diff) | |
download | netd-0c209f8c6bab3513a1ec23077acefead8e0b4eea.tar.gz |
Support per-uid explicit selected network permission control
Adds a mechanism for CS to restrict explicit network selection
per-UID.
Bug: 263219497
Test: netd_integration_tests
Change-Id: I2ff45a6836e4757239d69ccefd2fa8b8f0f20b45
Diffstat (limited to 'tests')
-rw-r--r-- | tests/binder_test.cpp | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp index bd9841ad..60f0596f 100644 --- a/tests/binder_test.cpp +++ b/tests/binder_test.cpp @@ -4035,6 +4035,10 @@ namespace { #define APP_DEFAULT_NETID TEST_NETID2 #define VPN_NETID TEST_NETID3 +#define ENTERPRISE_NETID_1 TEST_NETID2 +#define ENTERPRISE_NETID_2 TEST_NETID3 +#define ENTERPRISE_NETID_3 TEST_NETID4 + void verifyAppUidRules(std::vector<bool>&& expectedResults, std::vector<UidRangeParcel>& uidRanges, const std::string& iface, int32_t subPriority) { ASSERT_EQ(expectedResults.size(), uidRanges.size()); @@ -5389,3 +5393,127 @@ TEST_F(MDnsBinderTest, EventListenerTest) { status = mMDns->unregisterEventListener(testListener); EXPECT_TRUE(status.isOk()) << status.exceptionMessage(); } + +// Creates a system default network and 3 enterprise networks for two profiles. Check if network +// selection in compliance with network allow list settings. +// +// +-----------+-----------------------+----------------------------------------+ +// | UID | UID's default network | UID can select networks | +// +-----------+-----------------------+----------------------------------------+ +// | TEST_UID1 | ENTERPRISE_NETID_1 | ENTERPRISE_NETID_1, ENTERPRISE_NETID_2 | +// | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_3 | +// +-----------+-----------------------+----------------------------------------+ +TEST_F(NetdBinderTest, PerProfileNetworkPermission) { + // creates 4 networks + createDefaultAndOtherPhysicalNetwork(SYSTEM_DEFAULT_NETID, ENTERPRISE_NETID_1); + createPhysicalNetwork(ENTERPRISE_NETID_2, sTun3.name()); + EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_2, sTun3.name(), "::/0", "").isOk()); + createPhysicalNetwork(ENTERPRISE_NETID_3, sTun4.name()); + EXPECT_TRUE(mNetd->networkAddRoute(ENTERPRISE_NETID_3, sTun4.name(), "::/0", "").isOk()); + + // profile#1 + NativeUidRangeConfig cfg1 = + makeNativeUidRangeConfig(ENTERPRISE_NETID_1, {makeUidRangeParcel(TEST_UID1, TEST_UID1)}, + UidRanges::SUB_PRIORITY_HIGHEST + 20); + EXPECT_TRUE(mNetd->networkAddUidRangesParcel(cfg1).isOk()); + + // profile#2 + NativeUidRangeConfig cfg2 = + makeNativeUidRangeConfig(ENTERPRISE_NETID_3, {makeUidRangeParcel(TEST_UID2, TEST_UID2)}, + UidRanges::SUB_PRIORITY_HIGHEST + 20); + EXPECT_TRUE(mNetd->networkAddUidRangesParcel(cfg2).isOk()); + + // setNetworkAllowlist at once + // all uids except for TEST_UID2 + NativeUidRangeConfig nw1UserConfig = makeNativeUidRangeConfig( + ENTERPRISE_NETID_1, + {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)}, + /*unused*/ 0); + NativeUidRangeConfig nw2UserConfig = makeNativeUidRangeConfig( + ENTERPRISE_NETID_2, + {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)}, + /*unused*/ 0); + // all uids except for TEST_UID1 + NativeUidRangeConfig nw3UserConfig = makeNativeUidRangeConfig( + ENTERPRISE_NETID_3, {makeUidRangeParcel(0, TEST_UID2)}, /*unused*/ 0); + // all uids except for TEST_UID1 and TEST_UID2 + NativeUidRangeConfig nwDefaultUserConfig = makeNativeUidRangeConfig( + SYSTEM_DEFAULT_NETID, {makeUidRangeParcel(0, TEST_UID3)}, /*unused*/ 0); + EXPECT_TRUE(mNetd->setNetworkAllowlist( + {nw1UserConfig, nw2UserConfig, nw3UserConfig, nwDefaultUserConfig}) + .isOk()); + + { // Can set network for process on allowed networks. + ScopedUidChange scopedUidChange(TEST_UID1); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1)); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2)); + // Can not set network for process on not allowed networks. + EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID)); + EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_3)); + } + { // Can set network for process on allowed networks. + ScopedUidChange scopedUidChange(TEST_UID2); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3)); + // Can not set network for process on not allowed networks. + EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID)); + EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_1)); + EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_2)); + } + { // Root can use whatever network it wants. + ScopedUidChange scopedUidChange(AID_ROOT); + EXPECT_EQ(0, setNetworkForProcess(SYSTEM_DEFAULT_NETID)); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1)); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2)); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3)); + } + + // Update setting: remove ENTERPRISE_NETID_2 from profile#1's allowed network list and add it to + // profile#2's allowed network list. + // +-----------+-----------------------+----------------------------------------+ + // | UID | UID's default network | UID can select networks | + // +-----------+-----------------------+----------------------------------------+ + // | TEST_UID1 | ENTERPRISE_NETID_1 | ENTERPRISE_NETID_1 | + // | TEST_UID2 | ENTERPRISE_NETID_3 | ENTERPRISE_NETID_2, ENTERPRISE_NETID_3 | + // +-----------+-----------------------+----------------------------------------+ + + // all uids except for TEST_UID2 + nw1UserConfig = makeNativeUidRangeConfig( + ENTERPRISE_NETID_1, + {makeUidRangeParcel(0, TEST_UID3), makeUidRangeParcel(TEST_UID1, TEST_UID1)}, + /*unused*/ 0); + // all uids except for TEST_UID1 + nw2UserConfig = makeNativeUidRangeConfig(ENTERPRISE_NETID_2, {makeUidRangeParcel(0, TEST_UID2)}, + /*unused*/ 0); + nw3UserConfig = makeNativeUidRangeConfig(ENTERPRISE_NETID_3, {makeUidRangeParcel(0, TEST_UID2)}, + /*unused*/ 0); + // all uids except for TEST_UID1 and TEST_UID2 + nwDefaultUserConfig = makeNativeUidRangeConfig( + SYSTEM_DEFAULT_NETID, {makeUidRangeParcel(0, TEST_UID3)}, /*unused*/ 0); + EXPECT_TRUE(mNetd->setNetworkAllowlist( + {nw1UserConfig, nw2UserConfig, nw3UserConfig, nwDefaultUserConfig}) + .isOk()); + + { + ScopedUidChange scopedUidChange(TEST_UID1); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1)); + EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID)); + EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_2)); + EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_3)); + } + { + ScopedUidChange scopedUidChange(TEST_UID2); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2)); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3)); + EXPECT_EQ(-EACCES, setNetworkForProcess(SYSTEM_DEFAULT_NETID)); + EXPECT_EQ(-EACCES, setNetworkForProcess(ENTERPRISE_NETID_1)); + } + + // UID not restricted by allowed list can select all networks. + { + ScopedUidChange scopedUidChange(TEST_UID3); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_1)); + EXPECT_EQ(0, setNetworkForProcess(SYSTEM_DEFAULT_NETID)); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_2)); + EXPECT_EQ(0, setNetworkForProcess(ENTERPRISE_NETID_3)); + } +}
\ No newline at end of file |