Snap for 8952093 from 5196afab1eb83fec45d13766aec7bb27869bcae9 to sdk-release
Change-Id: Ib72f2e57a6827fb29ad8496789874bab2042d336
diff --git a/server/FirewallController.h b/server/FirewallController.h
index 6d6f48f..1bff064 100644
--- a/server/FirewallController.h
+++ b/server/FirewallController.h
@@ -52,8 +52,6 @@
/* Match traffic owned by given UID. This is specific to a particular chain. */
int setUidRule(ChildChain, int, FirewallRule);
- int enableChildChains(ChildChain, bool);
-
static std::string makeCriticalCommands(IptablesTarget target, const char* chainName);
static const char* TABLE;
diff --git a/tests/benchmarks/dns_benchmark.cpp b/tests/benchmarks/dns_benchmark.cpp
index b8f626e..060e40a 100644
--- a/tests/benchmarks/dns_benchmark.cpp
+++ b/tests/benchmarks/dns_benchmark.cpp
@@ -65,11 +65,12 @@
std::vector<std::string> domains = { "example.com" };
std::vector<std::string> servers;
dns.SetupMappings(num_hosts, domains, &mappings);
-
dns.SetupDNSServers(MAXNS, mappings, &mDns, &servers);
-
- const std::vector<int> mDefaultParams_Binder = {300, 25, 8, 8, 1000};
- dns.SetResolversForNetwork(servers, domains, mDefaultParams_Binder);
+ dns.SetResolversFromParcel(ResolverParams::Builder()
+ .setDnsServers(servers)
+ .setDotServers({})
+ .setDomains(domains)
+ .build());
}
}
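Review bot: The five explicit resolver parameters carried by the removed `mDefaultParams_Binder` line have no counterpart in the new builder chain, so the benchmark now runs with whatever `ResolverParams::Builder` supplies by default; if those defaults differ from `{300, 25, 8, 8, 1000}`, the timing baseline shifts silently and results stop being comparable with earlier runs. I cannot see the builder's defaults from this hunk, so this is a comparability concern rather than a confirmed change. If the builder exposes a setter for these values, passing the same numbers keeps the benchmark stable; otherwise a comment on the `setResolversFromParcel` call such as `// Resolver params now come from the Builder defaults; numbers are not directly comparable with pre-parcel runs.` records the change for whoever reads old benchmark data. The enclosing setup function begins before this hunk.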
diff --git a/tests/netd_test.cpp b/tests/netd_test.cpp
index 8d5d8bc..169fa2b 100644
--- a/tests/netd_test.cpp
+++ b/tests/netd_test.cpp
@@ -29,6 +29,7 @@
#include <gtest/gtest.h>
+#include <android-base/stringprintf.h>
#include <android-base/unique_fd.h>
#define LOG_TAG "NetdTest"
@@ -70,6 +71,44 @@
"'^u:object_r:sysfs_net:s0 /sys/class/net/'"));
}
+static void assertBpfContext(const char* const target, const char* const label) {
+ // Use 'ls' cli utility to print the selinux context of the target directory or file.
+ // egrep -q will return 0 if it matches, ie. if the selinux context is as expected
+ std::string cmd = android::base::StringPrintf("ls -dZ %s | egrep -q '^u:object_r:%s:s0 %s$'",
+ target, label, target);
+
+ // NOLINTNEXTLINE(cert-env33-c)
+ ASSERT_EQ(W_EXITCODE(0, 0), system(cmd.c_str())) << cmd << " - did not return success(0)";
+}
+
+// This test will fail if kernel is missing:
+// https://android-review.googlesource.com/c/kernel/common/+/1831252
+// UPSTREAM: security: selinux: allow per-file labeling for bpffs
+TEST(NetdSELinuxTest, CheckProperBpfLabels) {
+ assertBpfContext("/sys/fs/bpf", "fs_bpf");
+ assertBpfContext("/sys/fs/bpf/net_private", "fs_bpf_net_private");
+ assertBpfContext("/sys/fs/bpf/net_shared", "fs_bpf_net_shared");
+ assertBpfContext("/sys/fs/bpf/netd_readonly", "fs_bpf_netd_readonly");
+ assertBpfContext("/sys/fs/bpf/netd_shared", "fs_bpf_netd_shared");
+ assertBpfContext("/sys/fs/bpf/vendor", "fs_bpf_vendor");
+}
+
+bool isTetheringInProcess() {
+ int v = access("/apex/com.android.tethering/etc/flag/in-process", F_OK);
+ if (!v) return true;
+ EXPECT_EQ(v, -1) << "expected return of found(0) or notfound(-1/ENOENT)";
+ EXPECT_EQ(errno, ENOENT) << "expected return of found(0) or notfound(-1/ENOENT)";
+ return false;
+}
+
+TEST(NetdSELinuxTest, CheckProperBpfTetheringLabels) {
+ if (isTetheringInProcess()) {
+ assertBpfContext("/sys/fs/bpf/net_shared/tethering", "fs_bpf_net_shared");
+ } else {
+ assertBpfContext("/sys/fs/bpf/tethering", "fs_bpf_tethering");
+ }
+}
+
// Trivial thread function that simply immediately terminates successfully.
static int thread(void*) {
return 0;
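Review bot: `isTetheringInProcess()` reads `errno` only after the `EXPECT_EQ(v, -1)` line has executed, and gtest's assertion machinery is not guaranteed to leave `errno` untouched, so the `ENOENT` check can compare against a clobbered value; capture it immediately after the syscall with `int v = access("/apex/com.android.tethering/etc/flag/in-process", F_OK);` `const int err = errno;` and then `EXPECT_EQ(err, ENOENT)`. In `assertBpfContext` the `target` string is interpolated unquoted into both the `ls -dZ` argument and the `egrep` pattern, so it must remain a literal path with no shell or regex metacharacters; every caller in this hunk passes such a literal, but a comment on the helper like `// target must be a literal, metacharacter-free path: it is pasted unquoted into a shell command and an egrep regex.` keeps future callers from passing anything else. If the test binary already links libselinux, `getfilecon()` on the path followed by a direct string comparison would avoid the shell round-trip and the regex entirely. The trailing `thread()` context continues past the end of this hunk but is not changed by it.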