1 /* 2 * Copyright 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 * FirewallControllerTest.cpp - unit tests for FirewallController.cpp 17 */ 18 19 #include <string> 20 #include <vector> 21 #include <stdio.h> 22 23 #include <gtest/gtest.h> 24 25 #include <android-base/strings.h> 26 27 #include "FirewallController.h" 28 #include "IptablesBaseTest.h" 29 30 31 class FirewallControllerTest : public IptablesBaseTest { 32 protected: 33 FirewallControllerTest() { 34 FirewallController::execIptables = fakeExecIptables; 35 FirewallController::execIptablesSilently = fakeExecIptables; 36 FirewallController::execIptablesRestore = fakeExecIptablesRestore; 37 } 38 FirewallController mFw; 39 40 std::string makeUidRules(IptablesTarget a, const char* b, bool c, 41 const std::vector<int32_t>& d) { 42 return mFw.makeUidRules(a, b, c, d); 43 } 44 45 int createChain(const char* a, FirewallType b) { 46 return mFw.createChain(a, b); 47 } 48 }; 49 50 51 TEST_F(FirewallControllerTest, TestCreateWhitelistChain) { 52 std::vector<std::string> expectedRestore4 = { 53 "*filter", 54 ":fw_whitelist -", 55 "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN", 56 "-A fw_whitelist -i lo -j RETURN", 57 "-A fw_whitelist -o lo -j RETURN", 58 "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN", 59 "-A fw_whitelist -j DROP", 60 "COMMIT\n" 61 }; 62 std::vector<std::string> expectedRestore6 = { 63 "*filter", 64 ":fw_whitelist -", 65 "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN", 66 "-A fw_whitelist -i lo -j RETURN", 67 "-A fw_whitelist -o lo -j RETURN", 68 "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN", 69 "-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN", 70 "-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN", 71 "-A fw_whitelist -p icmpv6 --icmpv6-type router-advertisement -j RETURN", 72 "-A fw_whitelist -p icmpv6 --icmpv6-type neighbour-solicitation -j RETURN", 73 "-A fw_whitelist -p icmpv6 --icmpv6-type neighbour-advertisement -j RETURN", 74 "-A fw_whitelist -p icmpv6 --icmpv6-type redirect -j RETURN", 75 "-A fw_whitelist -j DROP", 76 "COMMIT\n" 77 }; 78 std::vector<std::pair<IptablesTarget, std::string>> expectedRestoreCommands = { 79 { V4, android::base::Join(expectedRestore4, '\n') }, 80 { V6, android::base::Join(expectedRestore6, '\n') }, 81 }; 82 83 createChain("fw_whitelist", WHITELIST); 84 expectIptablesRestoreCommands(expectedRestoreCommands); 85 } 86 87 TEST_F(FirewallControllerTest, TestCreateBlacklistChain) { 88 std::vector<std::string> expectedRestore = { 89 "*filter", 90 ":fw_blacklist -", 91 "-A fw_blacklist -i lo -j RETURN", 92 "-A fw_blacklist -o lo -j RETURN", 93 "-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN", 94 "COMMIT\n" 95 }; 96 std::vector<std::pair<IptablesTarget, std::string>> expectedRestoreCommands = { 97 { V4, android::base::Join(expectedRestore, '\n') }, 98 { V6, android::base::Join(expectedRestore, '\n') }, 99 }; 100 101 createChain("fw_blacklist", BLACKLIST); 102 expectIptablesRestoreCommands(expectedRestoreCommands); 103 } 104 105 TEST_F(FirewallControllerTest, TestSetStandbyRule) { 106 ExpectedIptablesCommands expected = { 107 { V4V6, "*filter\n-D fw_standby -m owner --uid-owner 12345 -j DROP\nCOMMIT\n" } 108 }; 109 mFw.setUidRule(STANDBY, 12345, ALLOW); 110 expectIptablesRestoreCommands(expected); 111 112 expected = { 113 { V4V6, "*filter\n-A fw_standby -m owner --uid-owner 12345 -j DROP\nCOMMIT\n" } 114 }; 115 mFw.setUidRule(STANDBY, 12345, DENY); 116 expectIptablesRestoreCommands(expected); 117 } 118 119 TEST_F(FirewallControllerTest, TestSetDozeRule) { 120 ExpectedIptablesCommands expected = { 121 { V4V6, "*filter\n-I fw_dozable -m owner --uid-owner 54321 -j RETURN\nCOMMIT\n" } 122 }; 123 mFw.setUidRule(DOZABLE, 54321, ALLOW); 124 expectIptablesRestoreCommands(expected); 125 126 expected = { 127 { V4V6, "*filter\n-D fw_dozable -m owner --uid-owner 54321 -j RETURN\nCOMMIT\n" } 128 }; 129 mFw.setUidRule(DOZABLE, 54321, DENY); 130 expectIptablesRestoreCommands(expected); 131 } 132 133 TEST_F(FirewallControllerTest, TestSetFirewallRule) { 134 ExpectedIptablesCommands expected = { 135 { V4V6, "*filter\n" 136 "-A fw_INPUT -m owner --uid-owner 54321 -j DROP\n" 137 "-A fw_OUTPUT -m owner --uid-owner 54321 -j DROP\n" 138 "COMMIT\n" } 139 }; 140 mFw.setUidRule(NONE, 54321, DENY); 141 expectIptablesRestoreCommands(expected); 142 143 expected = { 144 { V4V6, "*filter\n" 145 "-D fw_INPUT -m owner --uid-owner 54321 -j DROP\n" 146 "-D fw_OUTPUT -m owner --uid-owner 54321 -j DROP\n" 147 "COMMIT\n" } 148 }; 149 mFw.setUidRule(NONE, 54321, ALLOW); 150 expectIptablesRestoreCommands(expected); 151 } 152 153 TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) { 154 std::string expected = 155 "*filter\n" 156 ":FW_whitechain -\n" 157 "-A FW_whitechain -m owner --uid-owner 10023 -j RETURN\n" 158 "-A FW_whitechain -m owner --uid-owner 10059 -j RETURN\n" 159 "-A FW_whitechain -m owner --uid-owner 10124 -j RETURN\n" 160 "-A FW_whitechain -m owner --uid-owner 10111 -j RETURN\n" 161 "-A FW_whitechain -m owner --uid-owner 110122 -j RETURN\n" 162 "-A FW_whitechain -m owner --uid-owner 210153 -j RETURN\n" 163 "-A FW_whitechain -m owner --uid-owner 210024 -j RETURN\n" 164 "-A FW_whitechain -m owner --uid-owner 0-9999 -j RETURN\n" 165 "-A FW_whitechain -i lo -j RETURN\n" 166 "-A FW_whitechain -o lo -j RETURN\n" 167 "-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n" 168 "-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n" 169 "-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n" 170 "-A FW_whitechain -p icmpv6 --icmpv6-type router-advertisement -j RETURN\n" 171 "-A FW_whitechain -p icmpv6 --icmpv6-type neighbour-solicitation -j RETURN\n" 172 "-A FW_whitechain -p icmpv6 --icmpv6-type neighbour-advertisement -j RETURN\n" 173 "-A FW_whitechain -p icmpv6 --icmpv6-type redirect -j RETURN\n" 174 "-A FW_whitechain -j DROP\n" 175 "COMMIT\n"; 176 177 std::vector<int32_t> uids = { 10023, 10059, 10124, 10111, 110122, 210153, 210024 }; 178 EXPECT_EQ(expected, makeUidRules(V6, "FW_whitechain", true, uids)); 179 } 180 181 TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) { 182 std::string expected = 183 "*filter\n" 184 ":FW_blackchain -\n" 185 "-A FW_blackchain -i lo -j RETURN\n" 186 "-A FW_blackchain -o lo -j RETURN\n" 187 "-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n" 188 "-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n" 189 "-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n" 190 "-A FW_blackchain -m owner --uid-owner 10124 -j DROP\n" 191 "COMMIT\n"; 192 193 std::vector<int32_t> uids = { 10023, 10059, 10124 }; 194 EXPECT_EQ(expected, makeUidRules(V4 ,"FW_blackchain", false, uids)); 195 } 196 197 TEST_F(FirewallControllerTest, TestEnableChildChains) { 198 std::vector<std::string> expected = { 199 "*filter\n" 200 "-A fw_INPUT -j fw_dozable\n" 201 "-A fw_OUTPUT -j fw_dozable\n" 202 "COMMIT\n" 203 }; 204 EXPECT_EQ(0, mFw.enableChildChains(DOZABLE, true)); 205 expectIptablesRestoreCommands(expected); 206 207 expected = { 208 "*filter\n" 209 "-D fw_INPUT -j fw_powersave\n" 210 "-D fw_OUTPUT -j fw_powersave\n" 211 "COMMIT\n" 212 }; 213 EXPECT_EQ(0, mFw.enableChildChains(POWERSAVE, false)); 214 expectIptablesRestoreCommands(expected); 215 } 216