/*
 * Copyright 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * StrictControllerTest.cpp - unit tests for StrictController.cpp
 */
18*8542734aSAndroid Build Coastguard Worker
19*8542734aSAndroid Build Coastguard Worker #include <string>
20*8542734aSAndroid Build Coastguard Worker #include <vector>
21*8542734aSAndroid Build Coastguard Worker
22*8542734aSAndroid Build Coastguard Worker #include <gtest/gtest.h>
23*8542734aSAndroid Build Coastguard Worker
24*8542734aSAndroid Build Coastguard Worker #include <android-base/strings.h>
25*8542734aSAndroid Build Coastguard Worker
26*8542734aSAndroid Build Coastguard Worker #include "StrictController.h"
27*8542734aSAndroid Build Coastguard Worker #include "IptablesBaseTest.h"
28*8542734aSAndroid Build Coastguard Worker
// Fixture for the StrictController tests. It points StrictController's static
// iptables-restore hook at the fake executor (presumably supplied by IptablesBaseTest),
// so every test can assert on the exact rule text the controller emits instead of
// touching the host's netfilter tables.
class StrictControllerTest : public IptablesBaseTest {
public:
    StrictController mStrictCtrl;

    StrictControllerTest() {
        // gtest constructs a fresh fixture for each TEST_F, so the redirect is
        // re-applied before every test body runs.
        StrictController::execIptablesRestore = fakeExecIptablesRestore;
    }
};
36*8542734aSAndroid Build Coastguard Worker
// setupIptablesHooks() must push three iptables-restore batches, in order: the chain
// skeleton for both address families, then the IPv4 rule set, then the IPv6 rule set.
// Only the generated command text is checked here; nothing is applied to a kernel.
TEST_F(StrictControllerTest, TestSetupIptablesHooks) {
    mStrictCtrl.setupIptablesHooks();

    const auto joinLines = [](const std::vector<std::string>& lines) {
        return android::base::Join(lines, '\n');
    };

    // Chain definitions only; shared by IPv4 and IPv6.
    const std::vector<std::string> skeleton = {
        "*filter",
        ":st_OUTPUT -",
        ":st_penalty_log -",
        ":st_penalty_reject -",
        ":st_clear_caught -",
        ":st_clear_detect -",
        "COMMIT\n",
    };

    // IPv4 rules. Reading the constants: connmark 0x1000000 appears to mean "connection
    // already classified, stop inspecting", 0x2000000 "connection was rejected". The u32
    // expressions skip the IPv4 header (0>>22&0x3C = IHL*4) and, for TCP, the TCP header
    // (12>>26&0x3C = data offset*4), then look for a TLS record header (content type 0x16
    // handshake, version major 0x03) whose first handshake message is type 0x01
    // (ClientHello). The UDP variant looks for the DTLS equivalent (0x16, version 0xFExx)
    // behind the 8-byte UDP header and 13-byte DTLS record header.
    const std::vector<std::string> v4Rules = {
        "*filter",
        "-A st_penalty_log -j CONNMARK --or-mark 0x1000000",
        "-A st_penalty_log -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000",
        "-A st_penalty_reject -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m u32 --u32 \""
        "0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFF0000=0x16030000 &&"
        "0>>22&0x3C@ 12>>26&0x3C@ 4&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -p udp -m u32 --u32 \""
        "0>>22&0x3C@ 8&0xFFFF0000=0x16FE0000 &&"
        "0>>22&0x3C@ 20&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        // A u32 match fails on packets too short to hold the referenced word, so this
        // rule effectively selects established TCP segments that carry payload.
        "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
        "\"0>>22&0x3C@ 12>>26&0x3C@ 0&0x0=0x0\" -j st_clear_caught",
        "-A st_clear_detect -p udp -j st_clear_caught",
        "COMMIT\n",
    };

    // IPv6 rules: same logic, but the IPv6 header is a fixed 40 bytes, so the TCP data
    // offset lives at byte 52 and the UDP payload starts at byte 48.
    const std::vector<std::string> v6Rules = {
        "*filter",
        "-A st_penalty_log -j CONNMARK --or-mark 0x1000000",
        "-A st_penalty_log -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000",
        "-A st_penalty_reject -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m u32 --u32 \""
        "52>>26&0x3C@ 40&0xFFFF0000=0x16030000 &&"
        "52>>26&0x3C@ 44&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -p udp -m u32 --u32 \""
        "48&0xFFFF0000=0x16FE0000 &&"
        "60&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
        "\"52>>26&0x3C@ 40&0x0=0x0\" -j st_clear_caught",
        "-A st_clear_detect -p udp -j st_clear_caught",
        "COMMIT\n",
    };

    // Each batch is tagged with the address family it must be applied to.
    const std::vector<std::pair<IptablesTarget, std::string>> expected = {
        { V4V6, joinLines(skeleton) },
        { V4, joinLines(v4Rules) },
        { V6, joinLines(v6Rules) },
    };
    expectIptablesRestoreCommands(expected);
}
110*8542734aSAndroid Build Coastguard Worker
// resetChains() must emit a single batch that (re)declares every st_* chain in the
// filter table, which is what iptables-restore uses to flush them.
TEST_F(StrictControllerTest, TestResetChains) {
    mStrictCtrl.resetChains();

    const std::vector<std::string> chainLines = {
        "*filter",
        ":st_OUTPUT -",
        ":st_penalty_log -",
        ":st_penalty_reject -",
        ":st_clear_caught -",
        ":st_clear_detect -",
        "COMMIT\n",
    };
    expectIptablesRestoreCommands({ android::base::Join(chainLines, '\n') });
}
124*8542734aSAndroid Build Coastguard Worker
// setUidCleartextPenalty() drives the per-UID cleartext chain through its penalty
// modes; each call must produce exactly the rule batch for that transition. The UID
// is baked into the expected strings, so it is kept as a literal throughout.
TEST_F(StrictControllerTest, TestSetUidCleartextPenalty) {
    // ACCEPT tears the per-UID chain down: unhook it from st_OUTPUT and
    // st_clear_caught, then flush and delete it.
    const std::vector<std::string> onAccept = {
        "*filter\n"
        "-D st_OUTPUT -m owner --uid-owner 12345 -j st_clear_detect\n"
        "-D st_clear_caught -m owner --uid-owner 12345 -j st_clear_caught_12345\n"
        "-F st_clear_caught_12345\n"
        "-X st_clear_caught_12345\n"
        "COMMIT\n"
    };
    // LOG creates the per-UID chain, hooks the UID's traffic into detection, and
    // routes caught cleartext to st_penalty_log.
    const std::vector<std::string> onLog = {
        "*filter\n"
        ":st_clear_caught_12345 -\n"
        "-I st_OUTPUT -m owner --uid-owner 12345 -j st_clear_detect\n"
        "-I st_clear_caught -m owner --uid-owner 12345 -j st_clear_caught_12345\n"
        "-A st_clear_caught_12345 -j st_penalty_log\n"
        "COMMIT\n"
    };
    // REJECT is identical to LOG except caught traffic goes to st_penalty_reject.
    const std::vector<std::string> onReject = {
        "*filter\n"
        ":st_clear_caught_12345 -\n"
        "-I st_OUTPUT -m owner --uid-owner 12345 -j st_clear_detect\n"
        "-I st_clear_caught -m owner --uid-owner 12345 -j st_clear_caught_12345\n"
        "-A st_clear_caught_12345 -j st_penalty_reject\n"
        "COMMIT\n"
    };

    const auto applyPenalty = [this](auto penalty) {
        mStrictCtrl.setUidCleartextPenalty(12345, penalty);
    };

    applyPenalty(LOG);
    expectIptablesRestoreCommands(onLog);

    applyPenalty(ACCEPT);
    expectIptablesRestoreCommands(onAccept);

    // StrictController is stateless, so callers must sequence transitions themselves:
    // going from LOG straight to REJECT without an intervening ACCEPT is not a
    // supported call order. NetworkManagementService keeps that state, both for
    // correctness and so it can reprogram the rules after a netd crash.
    applyPenalty(REJECT);
    expectIptablesRestoreCommands(onReject);

    applyPenalty(ACCEPT);
    expectIptablesRestoreCommands(onAccept);
}