diff options
| -rw-r--r-- | core/java/android/app/AppOpsManager.java | 12 | ||||
| -rw-r--r-- | core/java/android/net/NetworkUtils.java | 76 | ||||
| -rw-r--r-- | services/core/java/com/android/server/connectivity/Vpn.java | 80 | ||||
| -rw-r--r-- | tests/net/java/android/net/NetworkUtilsTest.java | 128 |
4 files changed, 32 insertions, 264 deletions
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java index 60f1424220f6..2f0782b413bf 100644 --- a/core/java/android/app/AppOpsManager.java +++ b/core/java/android/app/AppOpsManager.java @@ -2507,7 +2507,7 @@ public class AppOpsManager { } /** - * @return The duration of the operation in milliseconds. + * @return The duration of the operation in milliseconds. The duration is in wall time. */ public long getDuration() { return getLastDuration(MAX_PRIORITY_UID_STATE, MIN_PRIORITY_UID_STATE, OP_FLAGS_ALL); @@ -2515,7 +2515,7 @@ public class AppOpsManager { /** * Return the duration in milliseconds the app accessed this op while - * in the foreground. + * in the foreground. The duration is in wall time. * * @param flags The flags which are any combination of * {@link #OP_FLAG_SELF}, {@link #OP_FLAG_TRUSTED_PROXY}, @@ -2534,7 +2534,7 @@ public class AppOpsManager { /** * Return the duration in milliseconds the app accessed this op while - * in the background. + * in the background. The duration is in wall time. * * @param flags The flags which are any combination of * {@link #OP_FLAG_SELF}, {@link #OP_FLAG_TRUSTED_PROXY}, @@ -2553,7 +2553,7 @@ public class AppOpsManager { /** * Return the duration in milliseconds the app accessed this op for - * a given range of UID states. + * a given range of UID states. The duration is in wall time. * * @param fromUidState The UID state for which to query. Could be one of * {@link #UID_STATE_PERSISTENT}, {@link #UID_STATE_TOP}, @@ -3968,6 +3968,7 @@ public class AppOpsManager { /** * Gets the total duration the app op was accessed (performed) in the foreground. + * The duration is in wall time. * * @param flags The flags which are any combination of * {@link #OP_FLAG_SELF}, {@link #OP_FLAG_TRUSTED_PROXY}, @@ -3986,6 +3987,7 @@ public class AppOpsManager { /** * Gets the total duration the app op was accessed (performed) in the background. + * The duration is in wall time. * * @param flags The flags which are any combination of * {@link #OP_FLAG_SELF}, {@link #OP_FLAG_TRUSTED_PROXY}, @@ -4004,7 +4006,7 @@ public class AppOpsManager { /** * Gets the total duration the app op was accessed (performed) for a given - * range of UID states. + * range of UID states. The duration is in wall time. * * @param fromUidState The UID state from which to query. Could be one of * {@link #UID_STATE_PERSISTENT}, {@link #UID_STATE_TOP}, diff --git a/core/java/android/net/NetworkUtils.java b/core/java/android/net/NetworkUtils.java index d0f54b4c7f2d..d045549bd8c7 100644 --- a/core/java/android/net/NetworkUtils.java +++ b/core/java/android/net/NetworkUtils.java @@ -29,7 +29,6 @@ import android.util.Log; import android.util.Pair; import java.io.FileDescriptor; -import java.math.BigInteger; import java.net.Inet4Address; import java.net.Inet6Address; import java.net.InetAddress; @@ -37,7 +36,6 @@ import java.net.SocketException; import java.net.UnknownHostException; import java.util.Collection; import java.util.Locale; -import java.util.TreeSet; /** * Native methods for managing network interfaces. @@ -392,72 +390,30 @@ public class NetworkUtils { return result; } - /** - * Returns a prefix set without overlaps. - * - * This expects the src set to be sorted from shorter to longer. Results are undefined - * failing this condition. The returned prefix set is sorted in the same order as the - * passed set, with the same comparator. - */ - private static TreeSet<IpPrefix> deduplicatePrefixSet(final TreeSet<IpPrefix> src) { - final TreeSet<IpPrefix> dst = new TreeSet<>(src.comparator()); - // Prefixes match addresses that share their upper part up to their length, therefore - // the only kind of possible overlap in two prefixes is strict inclusion of the longer - // (more restrictive) in the shorter (including equivalence if they have the same - // length). - // Because prefixes in the src set are sorted from shorter to longer, deduplicating - // is done by simply iterating in order, and not adding any longer prefix that is - // already covered by a shorter one. - newPrefixes: - for (IpPrefix newPrefix : src) { - for (IpPrefix existingPrefix : dst) { - if (existingPrefix.containsPrefix(newPrefix)) { - continue newPrefixes; - } - } - dst.add(newPrefix); - } - return dst; - } + private static final int[] ADDRESS_FAMILIES = new int[] {AF_INET, AF_INET6}; /** - * Returns how many IPv4 addresses match any of the prefixes in the passed ordered set. - * - * Obviously this returns an integral value between 0 and 2**32. - * The behavior is undefined if any of the prefixes is not an IPv4 prefix or if the - * set is not ordered smallest prefix to longer prefix. + * Returns true if the hostname is weakly validated. + * @param hostname Name of host to validate. + * @return True if it's a valid-ish hostname. * - * @param prefixes the set of prefixes, ordered by length + * @hide */ - public static long routedIPv4AddressCount(final TreeSet<IpPrefix> prefixes) { - long routedIPCount = 0; - for (final IpPrefix prefix : deduplicatePrefixSet(prefixes)) { - if (!prefix.isIPv4()) { - Log.wtf(TAG, "Non-IPv4 prefix in routedIPv4AddressCount"); - } - int rank = 32 - prefix.getPrefixLength(); - routedIPCount += 1L << rank; + public static boolean isWeaklyValidatedHostname(@NonNull String hostname) { + // TODO(b/34953048): Use a validation method that permits more accurate, + // but still inexpensive, checking of likely valid DNS hostnames. + final String weakHostnameRegex = "^[a-zA-Z0-9_.-]+$"; + if (!hostname.matches(weakHostnameRegex)) { + return false; } - return routedIPCount; - } - /** - * Returns how many IPv6 addresses match any of the prefixes in the passed ordered set. - * - * This returns a BigInteger between 0 and 2**128. - * The behavior is undefined if any of the prefixes is not an IPv6 prefix or if the - * set is not ordered smallest prefix to longer prefix. - */ - public static BigInteger routedIPv6AddressCount(final TreeSet<IpPrefix> prefixes) { - BigInteger routedIPCount = BigInteger.ZERO; - for (final IpPrefix prefix : deduplicatePrefixSet(prefixes)) { - if (!prefix.isIPv6()) { - Log.wtf(TAG, "Non-IPv6 prefix in routedIPv6AddressCount"); + for (int address_family : ADDRESS_FAMILIES) { + if (Os.inet_pton(address_family, hostname) != null) { + return false; } - int rank = 128 - prefix.getPrefixLength(); - routedIPCount = routedIPCount.add(BigInteger.ONE.shiftLeft(rank)); } - return routedIPCount; + + return true; } private static final int[] ADDRESS_FAMILIES = new int[] {AF_INET, AF_INET6}; diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java index e7a8b132d850..1240a002936d 100644 --- a/services/core/java/com/android/server/connectivity/Vpn.java +++ b/services/core/java/com/android/server/connectivity/Vpn.java @@ -58,7 +58,6 @@ import android.net.NetworkFactory; import android.net.NetworkInfo; import android.net.NetworkInfo.DetailedState; import android.net.NetworkMisc; -import android.net.NetworkUtils; import android.net.RouteInfo; import android.net.UidRange; import android.net.VpnService; @@ -105,7 +104,6 @@ import java.io.File; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.math.BigInteger; import java.net.Inet4Address; import java.net.Inet6Address; import java.net.InetAddress; @@ -114,7 +112,6 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.Collections; -import java.util.Comparator; import java.util.List; import java.util.Objects; import java.util.Set; @@ -134,31 +131,6 @@ public class Vpn { // the device idle whitelist during service launch and VPN bootstrap. private static final long VPN_LAUNCH_IDLE_WHITELIST_DURATION_MS = 60 * 1000; - // Settings for how much of the address space should be routed so that Vpn considers - // "most" of the address space is routed. This is used to determine whether this Vpn - // should be marked with the INTERNET capability. - private static final long MOST_IPV4_ADDRESSES_COUNT; - private static final BigInteger MOST_IPV6_ADDRESSES_COUNT; - static { - // 85% of the address space must be routed for Vpn to consider this VPN to provide - // INTERNET access. - final int howManyPercentIsMost = 85; - - final long twoPower32 = 1L << 32; - MOST_IPV4_ADDRESSES_COUNT = twoPower32 * howManyPercentIsMost / 100; - final BigInteger twoPower128 = BigInteger.ONE.shiftLeft(128); - MOST_IPV6_ADDRESSES_COUNT = twoPower128 - .multiply(BigInteger.valueOf(howManyPercentIsMost)) - .divide(BigInteger.valueOf(100)); - } - // How many routes to evaluate before bailing and declaring this Vpn should provide - // the INTERNET capability. This is necessary because computing the address space is - // O(n²) and this is running in the system service, so a limit is needed to alleviate - // the risk of attack. - // This is taken as a total of IPv4 + IPV6 routes for simplicity, but the algorithm - // is actually O(n²)+O(n²). - private static final int MAX_ROUTES_TO_EVALUATE = 150; - // TODO: create separate trackers for each unique VPN to support // automated reconnection @@ -256,7 +228,7 @@ public class Vpn { } /** - * Update current state, dispaching event to listeners. + * Update current state, dispatching event to listeners. */ @VisibleForTesting protected void updateState(DetailedState detailedState, String reason) { @@ -301,7 +273,7 @@ public class Vpn { } @VisibleForTesting - public static void applyUnderlyingCapabilities( + static void applyUnderlyingCapabilities( ConnectivityManager cm, Network[] underlyingNetworks, NetworkCapabilities caps, @@ -415,7 +387,7 @@ public class Vpn { PackageManager pm = mContext.getPackageManager(); ApplicationInfo appInfo = null; try { - appInfo = pm.getApplicationInfoAsUser(packageName, 0 /*flags*/, mUserHandle); + appInfo = pm.getApplicationInfoAsUser(packageName, 0 /* flags */, mUserHandle); } catch (NameNotFoundException unused) { Log.w(TAG, "Can't find \"" + packageName + "\" when checking always-on support"); } @@ -576,7 +548,7 @@ public class Vpn { final String alwaysOnPackage = mSystemServices.settingsSecureGetStringForUser( Settings.Secure.ALWAYS_ON_VPN_APP, mUserHandle); final boolean alwaysOnLockdown = mSystemServices.settingsSecureGetIntForUser( - Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN, 0 /*default*/, mUserHandle) != 0; + Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN, 0 /* default */, mUserHandle) != 0; final String whitelistString = mSystemServices.settingsSecureGetStringForUser( Settings.Secure.ALWAYS_ON_VPN_LOCKDOWN_WHITELIST, mUserHandle); final List<String> whitelistedPackages = TextUtils.isEmpty(whitelistString) @@ -828,7 +800,7 @@ public class Vpn { PackageManager pm = mContext.getPackageManager(); try { ApplicationInfo appInfo = - pm.getApplicationInfoAsUser(packageName, 0 /*flags*/, mUserHandle); + pm.getApplicationInfoAsUser(packageName, 0 /* flags */, mUserHandle); return appInfo.targetSdkVersion >= VERSION_CODES.Q; } catch (NameNotFoundException unused) { Log.w(TAG, "Can't find \"" + packageName + "\""); @@ -902,38 +874,6 @@ public class Vpn { } /** - * Analyzes the passed LinkedProperties to figure out whether it routes to most of the IP space. - * - * This returns true if the passed LinkedProperties contains routes to either most of the IPv4 - * space or to most of the IPv6 address space, where "most" is defined by the value of the - * MOST_IPV{4,6}_ADDRESSES_COUNT constants : if more than this number of addresses are matched - * by any of the routes, then it's decided that most of the space is routed. - * @hide - */ - @VisibleForTesting - static boolean providesRoutesToMostDestinations(LinkProperties lp) { - final List<RouteInfo> routes = lp.getAllRoutes(); - if (routes.size() > MAX_ROUTES_TO_EVALUATE) return true; - final Comparator<IpPrefix> prefixLengthComparator = IpPrefix.lengthComparator(); - TreeSet<IpPrefix> ipv4Prefixes = new TreeSet<>(prefixLengthComparator); - TreeSet<IpPrefix> ipv6Prefixes = new TreeSet<>(prefixLengthComparator); - for (final RouteInfo route : routes) { - if (route.getType() == RouteInfo.RTN_UNREACHABLE) continue; - IpPrefix destination = route.getDestination(); - if (destination.isIPv4()) { - ipv4Prefixes.add(destination); - } else { - ipv6Prefixes.add(destination); - } - } - if (NetworkUtils.routedIPv4AddressCount(ipv4Prefixes) > MOST_IPV4_ADDRESSES_COUNT) { - return true; - } - return NetworkUtils.routedIPv6AddressCount(ipv6Prefixes) - .compareTo(MOST_IPV6_ADDRESSES_COUNT) >= 0; - } - - /** * Attempt to perform a seamless handover of VPNs by only updating LinkProperties without * registering a new NetworkAgent. This is not always possible if the new VPN configuration * has certain changes, in which case this method would just return {@code false}. @@ -1658,8 +1598,8 @@ public class Vpn { */ public PendingIntent pendingIntentGetActivityAsUser( Intent intent, int flags, UserHandle user) { - return PendingIntent.getActivityAsUser(mContext, 0 /*request*/, intent, flags, - null /*options*/, user); + return PendingIntent.getActivityAsUser(mContext, 0 /* request */, intent, flags, + null /* options */, user); } /** @@ -1765,7 +1705,7 @@ public class Vpn { byte[] value = keyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecServerCert); serverCert = (value == null) ? null : new String(value, StandardCharsets.UTF_8); } - if (privateKey == null || userCert == null || caCert == null || serverCert == null) { + if (userCert == null || caCert == null || serverCert == null) { throw new IllegalStateException("Cannot load credentials"); } @@ -1884,7 +1824,7 @@ public class Vpn { * Return the information of the current ongoing legacy VPN. * Callers are responsible for checking permissions if needed. */ - public synchronized LegacyVpnInfo getLegacyVpnInfoPrivileged() { + private synchronized LegacyVpnInfo getLegacyVpnInfoPrivileged() { if (mLegacyVpnRunner == null) return null; final LegacyVpnInfo info = new LegacyVpnInfo(); @@ -2038,7 +1978,6 @@ public class Vpn { private void bringup() { // Catch all exceptions so we can clean up a few things. - boolean initFinished = false; try { // Initialize the timer. mBringupStartTime = SystemClock.elapsedRealtime(); @@ -2057,7 +1996,6 @@ public class Vpn { throw new IllegalStateException("Cannot delete the state"); } new File("/data/misc/vpn/abort").delete(); - initFinished = true; // Check if we need to restart any of the daemons. boolean restart = false; diff --git a/tests/net/java/android/net/NetworkUtilsTest.java b/tests/net/java/android/net/NetworkUtilsTest.java deleted file mode 100644 index 7748288aeb05..000000000000 --- a/tests/net/java/android/net/NetworkUtilsTest.java +++ /dev/null @@ -1,128 +0,0 @@ -/* - * Copyright (C) 2015 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package android.net; - -import static junit.framework.Assert.assertEquals; - -import androidx.test.runner.AndroidJUnit4; - -import org.junit.Test; -import org.junit.runner.RunWith; - -import java.math.BigInteger; -import java.util.TreeSet; - -@RunWith(AndroidJUnit4.class) -@androidx.test.filters.SmallTest -public class NetworkUtilsTest { - @Test - public void testRoutedIPv4AddressCount() { - final TreeSet<IpPrefix> set = new TreeSet<>(IpPrefix.lengthComparator()); - // No routes routes to no addresses. - assertEquals(0, NetworkUtils.routedIPv4AddressCount(set)); - - set.add(new IpPrefix("0.0.0.0/0")); - assertEquals(1l << 32, NetworkUtils.routedIPv4AddressCount(set)); - - set.add(new IpPrefix("20.18.0.0/16")); - set.add(new IpPrefix("20.18.0.0/24")); - set.add(new IpPrefix("20.18.0.0/8")); - // There is a default route, still covers everything - assertEquals(1l << 32, NetworkUtils.routedIPv4AddressCount(set)); - - set.clear(); - set.add(new IpPrefix("20.18.0.0/24")); - set.add(new IpPrefix("20.18.0.0/8")); - // The 8-length includes the 24-length prefix - assertEquals(1l << 24, NetworkUtils.routedIPv4AddressCount(set)); - - set.add(new IpPrefix("10.10.10.126/25")); - // The 8-length does not include this 25-length prefix - assertEquals((1l << 24) + (1 << 7), NetworkUtils.routedIPv4AddressCount(set)); - - set.clear(); - set.add(new IpPrefix("1.2.3.4/32")); - set.add(new IpPrefix("1.2.3.4/32")); - set.add(new IpPrefix("1.2.3.4/32")); - set.add(new IpPrefix("1.2.3.4/32")); - assertEquals(1l, NetworkUtils.routedIPv4AddressCount(set)); - - set.add(new IpPrefix("1.2.3.5/32")); - set.add(new IpPrefix("1.2.3.6/32")); - - set.add(new IpPrefix("1.2.3.7/32")); - set.add(new IpPrefix("1.2.3.8/32")); - set.add(new IpPrefix("1.2.3.9/32")); - set.add(new IpPrefix("1.2.3.0/32")); - assertEquals(7l, NetworkUtils.routedIPv4AddressCount(set)); - - // 1.2.3.4/30 eats 1.2.3.{4-7}/32 - set.add(new IpPrefix("1.2.3.4/30")); - set.add(new IpPrefix("6.2.3.4/28")); - set.add(new IpPrefix("120.2.3.4/16")); - assertEquals(7l - 4 + 4 + 16 + 65536, NetworkUtils.routedIPv4AddressCount(set)); - } - - @Test - public void testRoutedIPv6AddressCount() { - final TreeSet<IpPrefix> set = new TreeSet<>(IpPrefix.lengthComparator()); - // No routes routes to no addresses. - assertEquals(BigInteger.ZERO, NetworkUtils.routedIPv6AddressCount(set)); - - set.add(new IpPrefix("::/0")); - assertEquals(BigInteger.ONE.shiftLeft(128), NetworkUtils.routedIPv6AddressCount(set)); - - set.add(new IpPrefix("1234:622a::18/64")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6adb/96")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6adb/8")); - // There is a default route, still covers everything - assertEquals(BigInteger.ONE.shiftLeft(128), NetworkUtils.routedIPv6AddressCount(set)); - - set.clear(); - set.add(new IpPrefix("add4:f00:80:f7:1111::6adb/96")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6adb/8")); - // The 8-length includes the 96-length prefix - assertEquals(BigInteger.ONE.shiftLeft(120), NetworkUtils.routedIPv6AddressCount(set)); - - set.add(new IpPrefix("10::26/64")); - // The 8-length does not include this 64-length prefix - assertEquals(BigInteger.ONE.shiftLeft(120).add(BigInteger.ONE.shiftLeft(64)), - NetworkUtils.routedIPv6AddressCount(set)); - - set.clear(); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/128")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/128")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/128")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/128")); - assertEquals(BigInteger.ONE, NetworkUtils.routedIPv6AddressCount(set)); - - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad5/128")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad6/128")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad7/128")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad8/128")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad9/128")); - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad0/128")); - assertEquals(BigInteger.valueOf(7), NetworkUtils.routedIPv6AddressCount(set)); - - // add4:f00:80:f7:1111::6ad4/126 eats add4:f00:8[:f7:1111::6ad{4-7}/128 - set.add(new IpPrefix("add4:f00:80:f7:1111::6ad4/126")); - set.add(new IpPrefix("d00d:f00:80:f7:1111::6ade/124")); - set.add(new IpPrefix("f00b:a33::/112")); - assertEquals(BigInteger.valueOf(7l - 4 + 4 + 16 + 65536), - NetworkUtils.routedIPv6AddressCount(set)); - } -} |