[ipsec-doze] Add fchown capabilities, and fw rules

Add firewall rules that let doze-mode traffic through for ESP packets and
for packets with no owning socket. No-socket packets are not a security
risk because they are either being forwarded (or about to be forwarded),
or will be dropped by the routing tables (unless they are ESP).

Bug: 62994731
Test: New tests added, run
Change-Id: I2d8704498b564403d94123e4938091dee8fb98c1
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index b3a160d..f5a8d43 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -66,6 +66,9 @@
 static const char* IP_RULE_V4 = "-4";
 static const char* IP_RULE_V6 = "-6";
 
+static const std::string NO_SOCKET_ALLOW_RULE("! owner UID match 0-4294967294");
+static const std::string ESP_ALLOW_RULE("esp");
+
 class BinderTest : public ::testing::Test {
 
 public:
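Review bot: The two new match strings at the top of the hunk are undocumented, and `"! owner UID match 0-4294967294"` in particular only makes sense to someone who knows that an inverted owner match over every UID but UINT32_MAX selects packets with no owning socket. A one-line comment above each constant would save the next reader a trip to the iptables manual, e.g. `// Listing of the inverted uid-owner match that selects packets with no socket owner (forwarded traffic); must track listIptablesRule's output format.` and `// Protocol token of the rule that lets ESP through in doze mode.`. The exact text depends on how listIptablesRule formats rules, which is outside this hunk, so the comment should say the string mirrors that listing rather than the iptables command line.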
@@ -159,6 +162,28 @@
     return listIptablesRule(binary, chainName).size();
 }
 
+static bool iptablesRuleExists(const char *binary,
+                               const char *chainName,
+                               const std::string expectedRule) {
+    std::vector<std::string> rules = listIptablesRule(binary, chainName);
+    for(std::string &rule: rules) {
+        if(rule.find(expectedRule) != std::string::npos) {
+            return true;
+        }
+    }
+    return false;
+}
+
+static bool iptablesNoSocketAllowRuleExists(const char *chainName){
+    return iptablesRuleExists(IPTABLES_PATH, chainName, NO_SOCKET_ALLOW_RULE) &&
+           iptablesRuleExists(IP6TABLES_PATH, chainName, NO_SOCKET_ALLOW_RULE);
+}
+
+static bool iptablesEspAllowRuleExists(const char *chainName){
+    return iptablesRuleExists(IPTABLES_PATH, chainName, ESP_ALLOW_RULE) &&
+           iptablesRuleExists(IP6TABLES_PATH, chainName, ESP_ALLOW_RULE);
+}
+
 TEST_F(BinderTest, TestFirewallReplaceUidChain) {
     std::string chainName = StringPrintf("netd_binder_test_%u", arc4random_uniform(10000));
     const int kNumUids = 500;
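Review bot: `iptablesRuleExists` decides presence with `rule.find(expectedRule) != npos`, and `ESP_ALLOW_RULE` is just `"esp"`, so any listed rule whose text happens to contain those three letters (a chain or interface name, a comment, another match module) satisfies the check; the whitelist assertions can then pass without the intended ESP rule, and the blacklist absence check can fail spuriously. Match a more specific token from the listing (whatever column listIptablesRule prints the protocol in, e.g. a string that includes the surrounding delimiters), or compare whole rule lines rather than substrings. Separately, the helper takes `const std::string expectedRule` by value and iterates with a mutable reference; `const std::string& expectedRule` and `for (const std::string& rule : rules)` express the intent and avoid the copy.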
@@ -174,8 +199,10 @@
         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret);
     }
     EXPECT_EQ(true, ret);
-    EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
-    EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+    EXPECT_EQ((int) uids.size() + 9, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+    EXPECT_EQ((int) uids.size() + 15, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+    EXPECT_EQ(true, iptablesNoSocketAllowRuleExists(chainName.c_str()));
+    EXPECT_EQ(true, iptablesEspAllowRuleExists(chainName.c_str()));
     {
         TimedOperation op("Clearing whitelist chain");
         mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
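Review bot: The new existence checks at the end of the whitelist block only prove the allow rules are somewhere in the chain, not where; iptables is first-match, so an ESP or no-socket allow rule placed after the chain's terminating drop would still satisfy `iptablesEspAllowRuleExists` while doing nothing. If the intended position is known, assert on the rule's index in the `listIptablesRule` vector relative to the drop rule (the helper would need to return the index instead of a bool). The updated magic numbers `uids.size() + 9` and `+ 15` also deserve a comment such as `// 7 (v4) / 13 (v6) fixed rules plus the no-socket and ESP allow rules`, and `EXPECT_TRUE(...)` reads better than `EXPECT_EQ(true, ...)`.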
@@ -191,6 +218,8 @@
     EXPECT_EQ(true, ret);
     EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
     EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+    EXPECT_EQ(false, iptablesNoSocketAllowRuleExists(chainName.c_str()));
+    EXPECT_EQ(false, iptablesEspAllowRuleExists(chainName.c_str()));
 
     {
         TimedOperation op("Clearing blacklist chain");