Reorder the commands in whitelist chains.
Currently FirewallController::replaceUidChain uses the same
layout when building whitelist and blacklist chains: first it
writes the exception rules (e.g., system apps, RST packets,
ICMPv6 packets, etc.), and then the UIDs in the chain.
This works, but it looks strange because, unlike blacklist chains,
insertion into whitelist chains always happens at the front of
the chain. Make whitelist chains start with the UIDs, so that
when UIDs are added at the beginning, they are contiguous with the
UIDs that are already there.
Bug: 32073253
Test: netd_{unit,integration}_test passes
Test: bullhead builds, boots
Test: fw_powersave chain looks sane
Change-Id: I8a0ac7a33604455171b56e1d503cfe028a37a062
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
index 3f8ce12..5d2a012 100644
--- a/server/FirewallControllerTest.cpp
+++ b/server/FirewallControllerTest.cpp
@@ -52,16 +52,17 @@
std::vector<std::string> expectedRestore4 = {
"*filter",
":fw_whitelist -",
+ "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
"-A fw_whitelist -i lo -j RETURN",
"-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
- "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
"-A fw_whitelist -j DROP",
"COMMIT\n"
};
std::vector<std::string> expectedRestore6 = {
"*filter",
":fw_whitelist -",
+ "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
"-A fw_whitelist -i lo -j RETURN",
"-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
@@ -71,7 +72,6 @@
"-A fw_whitelist -p icmpv6 --icmpv6-type neighbour-solicitation -j RETURN",
"-A fw_whitelist -p icmpv6 --icmpv6-type neighbour-advertisement -j RETURN",
"-A fw_whitelist -p icmpv6 --icmpv6-type redirect -j RETURN",
- "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
"-A fw_whitelist -j DROP",
"COMMIT\n"
};
@@ -154,6 +154,14 @@
std::string expected =
"*filter\n"
":FW_whitechain -\n"
+ "-A FW_whitechain -m owner --uid-owner 10023 -j RETURN\n"
+ "-A FW_whitechain -m owner --uid-owner 10059 -j RETURN\n"
+ "-A FW_whitechain -m owner --uid-owner 10124 -j RETURN\n"
+ "-A FW_whitechain -m owner --uid-owner 10111 -j RETURN\n"
+ "-A FW_whitechain -m owner --uid-owner 110122 -j RETURN\n"
+ "-A FW_whitechain -m owner --uid-owner 210153 -j RETURN\n"
+ "-A FW_whitechain -m owner --uid-owner 210024 -j RETURN\n"
+ "-A FW_whitechain -m owner --uid-owner 0-9999 -j RETURN\n"
"-A FW_whitechain -i lo -j RETURN\n"
"-A FW_whitechain -o lo -j RETURN\n"
"-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
@@ -163,14 +171,6 @@
"-A FW_whitechain -p icmpv6 --icmpv6-type neighbour-solicitation -j RETURN\n"
"-A FW_whitechain -p icmpv6 --icmpv6-type neighbour-advertisement -j RETURN\n"
"-A FW_whitechain -p icmpv6 --icmpv6-type redirect -j RETURN\n"
- "-A FW_whitechain -m owner --uid-owner 0-9999 -j RETURN\n"
- "-A FW_whitechain -m owner --uid-owner 10023 -j RETURN\n"
- "-A FW_whitechain -m owner --uid-owner 10059 -j RETURN\n"
- "-A FW_whitechain -m owner --uid-owner 10124 -j RETURN\n"
- "-A FW_whitechain -m owner --uid-owner 10111 -j RETURN\n"
- "-A FW_whitechain -m owner --uid-owner 110122 -j RETURN\n"
- "-A FW_whitechain -m owner --uid-owner 210153 -j RETURN\n"
- "-A FW_whitechain -m owner --uid-owner 210024 -j RETURN\n"
"-A FW_whitechain -j DROP\n"
"COMMIT\n";