| /* |
| * Copyright (C) 2019 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <poll.h> /* poll */ |
| #include <sys/socket.h> |
| |
| #include <thread> |
| |
| #include <android-base/parseint.h> |
| #include <android-base/unique_fd.h> |
| #include <gtest/gtest.h> |
| |
| #include "NetdClient.h" |
| #include "netdclient_priv.h" |
| |
| namespace { |
| |
| // Keep in sync with FrameworkListener.cpp (500, "Command not recognized") |
| constexpr char NOT_SUPPORT_MSG[] = "500 Command not recognized"; |
| |
| int openDnsProxyFuncStub() { |
| return -1; |
| }; |
| |
| typedef int (*DnsOpenProxyType)(); |
| typedef int (*SocketFunctionType)(int, int, int); |
| |
| DnsOpenProxyType openDnsProxyFuncPtr = openDnsProxyFuncStub; |
| SocketFunctionType socketFuncPtr = socket; |
| |
| void serverLoop(int dnsProxyFd) { |
| while (true) { |
| pollfd fds[1] = {{.fd = dnsProxyFd, .events = POLLIN}}; |
| enum { SERVERFD = 0 }; |
| |
| int poll_result = TEMP_FAILURE_RETRY(poll(fds, std::size(fds), -1)); |
| ASSERT_GT(poll_result, 0); |
| |
| if (fds[SERVERFD].revents & POLLERR) return; |
| if (fds[SERVERFD].revents & POLLIN) { |
| char buf[4096]; |
| TEMP_FAILURE_RETRY(read(fds[SERVERFD].fd, &buf, sizeof(buf))); |
| // TODO: verify command |
| TEMP_FAILURE_RETRY(write(fds[SERVERFD].fd, NOT_SUPPORT_MSG, sizeof(NOT_SUPPORT_MSG))); |
| } |
| } |
| } |
| |
| void expectAllowNetworkingForProcess() { |
| // netdClientSocket |
| android::base::unique_fd ipv4(socketFuncPtr(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0)), |
| ipv6(socketFuncPtr(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0)); |
| EXPECT_LE(3, ipv4); |
| EXPECT_LE(3, ipv6); |
| |
| // dns_open_proxy |
| android::base::unique_fd dnsproxydSocket(openDnsProxyFuncPtr()); |
| EXPECT_LE(3, dnsproxydSocket); |
| } |
| |
| void expectNotAllowNetworkingForProcess() { |
| // netdClientSocket |
| android::base::unique_fd unixSocket(socketFuncPtr(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)); |
| EXPECT_LE(3, unixSocket); |
| android::base::unique_fd ipv4(socketFuncPtr(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0)); |
| EXPECT_EQ(-1, ipv4); |
| EXPECT_EQ(errno, EPERM); |
| android::base::unique_fd ipv6(socketFuncPtr(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0)); |
| EXPECT_EQ(-1, ipv6); |
| EXPECT_EQ(errno, EPERM); |
| |
| // dns_open_proxy |
| android::base::unique_fd dnsproxydSocket(openDnsProxyFuncPtr()); |
| EXPECT_EQ(-1, dnsproxydSocket); |
| EXPECT_EQ(errno, EPERM); |
| } |
| |
| } // namespace |
| |
| TEST(NetdClientTest, getNetworkForDnsInternal) { |
| // Test invalid fd |
| unsigned dnsNetId = 0; |
| const int invalidFd = -1; |
| EXPECT_EQ(-EBADF, getNetworkForDnsInternal(invalidFd, &dnsNetId)); |
| |
| // Test what the client does if the resolver does not support the "getdnsnetid" command. |
| android::base::unique_fd clientFd, serverFd; |
| ASSERT_TRUE(android::base::Socketpair(AF_UNIX, &clientFd, &serverFd)); |
| |
| std::thread serverThread = std::thread(serverLoop, serverFd.get()); |
| |
| EXPECT_EQ(-EOPNOTSUPP, getNetworkForDnsInternal(clientFd.get(), &dnsNetId)); |
| |
| clientFd.reset(); // Causes serverLoop() to exit |
| serverThread.join(); |
| } |
| |
| TEST(NetdClientTest, getNetworkForDns) { |
| // Test null input |
| unsigned* testNull = nullptr; |
| EXPECT_EQ(-EFAULT, getNetworkForDns(testNull)); |
| } |
| |
| TEST(NetdClientTest, protectFromVpnBadFd) { |
| EXPECT_EQ(-EBADF, protectFromVpn(-1)); |
| } |
| |
| TEST(NetdClientTest, protectFromVpnUnixStream) { |
| int s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); |
| ASSERT_GE(s, 3); |
| EXPECT_EQ(-EAFNOSUPPORT, protectFromVpn(s)); |
| close(s); |
| } |
| |
| TEST(NetdClientTest, protectFromVpnTcp6) { |
| int s = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0); |
| ASSERT_GE(s, 3); |
| EXPECT_EQ(0, protectFromVpn(s)); |
| close(s); |
| } |
| |
| TEST(NetdClientTest, setAllowNetworkingForProcess) { |
| netdClientInitDnsOpenProxy(&openDnsProxyFuncPtr); |
| netdClientInitSocket(&socketFuncPtr); |
| // At the beginning, we should be able to use socket since the default setting is allowing. |
| expectAllowNetworkingForProcess(); |
| // Disable |
| setAllowNetworkingForProcess(false); |
| expectNotAllowNetworkingForProcess(); |
| // Reset |
| setAllowNetworkingForProcess(true); |
| expectAllowNetworkingForProcess(); |
| } |