commit 21299f760a5d9e3ef88b68503b82ba9107b1de31
author Nathan Harold <nharold@google.com> Fri Mar 16 20:13:03 2018 -0700
committer Nathan Harold <nharold@google.com> Thu Apr 26 16:12:19 2018 -0700
tree ad241c5c5b18eaf7486a42e2361621a2483d2648
parent 172f8e4b7aef86b4727f6c8336b7c9ecdf981da2

Add Functions to flush SADB, Policy DB, and Ifaces

-Add ipSecFlushState() which flushes the kernel's
 SA DB and Policy DB.
-Add ipSecFlushInterfaces() which seeks and removes
 any interfaces that have the prefix 'ipsec'
-Automatically call these functions when netd restarts
-Make XfrmController's methods static
-Add integration tests to verify flushing of policy
 states, and interfaces
-Convert XfrmController functions to static for easier
 test-ability

Bug: 74560705
Test: runtest ...netd_integration_test.cpp
Merged-In: Id60e7c29ff9aeee7f5ccd505b86c94cce858745f
Change-Id: Id60e7c29ff9aeee7f5ccd505b86c94cce858745f
(cherry picked from commit f5646cde551de44ba10b61c2d5cecb414847d454)

tests/binder_test.cpp

diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 6ab98dc..341a7b9 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -42,12 +42,15 @@
 #include <logwrap/logwrap.h>
 #include <netutils/ifc.h>
 
+#include "InterfaceController.h"
 #include "NetdConstants.h"
 #include "Stopwatch.h"
+#include "XfrmController.h"
 #include "tun_interface.h"
 #include "android/net/INetd.h"
 #include "android/net/UidRange.h"
 #include "binder/IServiceManager.h"
+#include "netdutils/Syscalls.h"
 
 #define IP_PATH "/system/bin/ip"
 #define IP6TABLES_PATH "/system/bin/ip6tables"
@@ -61,6 +64,8 @@
 using android::net::INetd;
 using android::net::TunInterface;
 using android::net::UidRange;
+using android::net::XfrmController;
+using android::netdutils::sSyscalls;
 using android::os::PersistableBundle;
 
 static const char* IP_RULE_V4 = "-4";
@@ -92,6 +97,8 @@
         mNetd->networkDestroy(TEST_NETID2);
     }
 
+    bool allocateIpSecResources(bool expectOk, int32_t *spi);
+
     // Static because setting up the tun interface takes about 40ms.
     static void SetUpTestCase() {
         ASSERT_EQ(0, sTun.init());
@@ -252,18 +259,18 @@
         int32_t iKey;
         int32_t oKey;
     } kTestData[] = {
-        { "IPV4", "test_vti", "127.0.0.1", "8.8.8.8", 0x1234 + 53, 0x1234 + 53 },
-        { "IPV6", "test_vti6", "::1", "2001:4860:4860::8888", 0x1234 + 50, 0x1234 + 50 },
+        {"IPV4", "test_vti", "127.0.0.1", "8.8.8.8", 0x1234 + 53, 0x1234 + 53},
+        {"IPV6", "test_vti6", "::1", "2001:4860:4860::8888", 0x1234 + 50, 0x1234 + 50},
     };
 
     for (unsigned int i = 0; i < arraysize(kTestData); i++) {
-        const auto &td = kTestData[i];
+        const auto& td = kTestData[i];
 
         binder::Status status;
 
         // Create Virtual Tunnel Interface.
-        status = mNetd->addVirtualTunnelInterface(td.deviceName, td.localAddress,
-                                                  td.remoteAddress, td.iKey, td.oKey);
+        status = mNetd->addVirtualTunnelInterface(td.deviceName, td.localAddress, td.remoteAddress,
+                                                  td.iKey, td.oKey);
         EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
 
         // Update Virtual Tunnel Interface.
@@ -277,6 +284,58 @@
     }
 }
 
+#define RETURN_FALSE_IF_NEQ(_expect_, _ret_) \
+        do { if ((_expect_) != (_ret_)) return false; } while(false)
+bool BinderTest::allocateIpSecResources(bool expectOk, int32_t *spi) {
+    netdutils::Status status = XfrmController::ipSecAllocateSpi(0, "::", "::1", 123, spi);
+    SCOPED_TRACE(status);
+    RETURN_FALSE_IF_NEQ(status.ok(), expectOk);
+
+    // Add a policy
+    status = XfrmController::ipSecAddSecurityPolicy(0, 0, "::", "::1", 123, 0, 0);
+    SCOPED_TRACE(status);
+    RETURN_FALSE_IF_NEQ(status.ok(), expectOk);
+
+    // Add an ipsec interface
+    status = netdutils::statusFromErrno(
+            XfrmController::addVirtualTunnelInterface(
+                    "ipsec_test", "::", "::1", 0xF00D, 0xD00D, false),
+            "addVirtualTunnelInterface");
+    return (status.ok() == expectOk);
+}
+
+
+TEST_F(BinderTest, TestXfrmControllerInit) {
+    netdutils::Status status;
+    status = XfrmController::Init();
+    SCOPED_TRACE(status);
+    ASSERT_TRUE(status.ok());
+
+    int32_t spi = 0;
+
+    ASSERT_TRUE(allocateIpSecResources(true, &spi));
+    ASSERT_TRUE(allocateIpSecResources(false, &spi));
+
+    status = XfrmController::Init();
+    ASSERT_TRUE(allocateIpSecResources(true, &spi));
+
+    // Clean up
+    status = XfrmController::ipSecDeleteSecurityAssociation(0, "::", "::1", 123, spi, 0);
+    SCOPED_TRACE(status);
+    ASSERT_TRUE(status.ok());
+
+    status = XfrmController::ipSecDeleteSecurityPolicy(0, 0, "::", "::1", 0, 0);
+    SCOPED_TRACE(status);
+    ASSERT_TRUE(status.ok());
+
+    // Remove Virtual Tunnel Interface.
+    status = netdutils::statusFromErrno(
+            XfrmController::removeVirtualTunnelInterface("ipsec_test"),
+            "removeVirtualTunnelInterface");
+
+    ASSERT_TRUE(status.ok());
+}
+
 static int bandwidthDataSaverEnabled(const char *binary) {
     std::vector<std::string> lines = listIptablesRule(binary, "bw_data_saver");