Home | History | Annotate | Download | only in server
      1 /*
      2  * Copyright 2016 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  * http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  *
     16  * FirewallControllerTest.cpp - unit tests for FirewallController.cpp
     17  */
     18 
     19 #include <string>
     20 #include <vector>
     21 #include <stdio.h>
     22 
     23 #include <gtest/gtest.h>
     24 
     25 #include <android-base/strings.h>
     26 
     27 #include "FirewallController.h"
     28 #include "IptablesBaseTest.h"
     29 
     30 
     31 class FirewallControllerTest : public IptablesBaseTest {
     32 protected:
     33     FirewallControllerTest() {
     34         FirewallController::execIptables = fakeExecIptables;
     35         FirewallController::execIptablesSilently = fakeExecIptables;
     36         FirewallController::execIptablesRestore = fakeExecIptablesRestore;
     37     }
     38     FirewallController mFw;
     39 
     40     std::string makeUidRules(IptablesTarget a, const char* b, bool c,
     41                              const std::vector<int32_t>& d) {
     42         return mFw.makeUidRules(a, b, c, d);
     43     }
     44 
     45     int createChain(const char* a, FirewallType b) {
     46         return mFw.createChain(a, b);
     47     }
     48 };
     49 
     50 
     51 TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
     52     std::vector<std::string> expectedRestore4 = {
     53         "*filter",
     54         ":fw_whitelist -",
     55         "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
     56         "-A fw_whitelist -i lo -j RETURN",
     57         "-A fw_whitelist -o lo -j RETURN",
     58         "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
     59         "-A fw_whitelist -j DROP",
     60         "COMMIT\n"
     61     };
     62     std::vector<std::string> expectedRestore6 = {
     63         "*filter",
     64         ":fw_whitelist -",
     65         "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
     66         "-A fw_whitelist -i lo -j RETURN",
     67         "-A fw_whitelist -o lo -j RETURN",
     68         "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
     69         "-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN",
     70         "-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN",
     71         "-A fw_whitelist -p icmpv6 --icmpv6-type router-advertisement -j RETURN",
     72         "-A fw_whitelist -p icmpv6 --icmpv6-type neighbour-solicitation -j RETURN",
     73         "-A fw_whitelist -p icmpv6 --icmpv6-type neighbour-advertisement -j RETURN",
     74         "-A fw_whitelist -p icmpv6 --icmpv6-type redirect -j RETURN",
     75         "-A fw_whitelist -j DROP",
     76         "COMMIT\n"
     77     };
     78     std::vector<std::pair<IptablesTarget, std::string>> expectedRestoreCommands = {
     79         { V4, android::base::Join(expectedRestore4, '\n') },
     80         { V6, android::base::Join(expectedRestore6, '\n') },
     81     };
     82 
     83     createChain("fw_whitelist", WHITELIST);
     84     expectIptablesRestoreCommands(expectedRestoreCommands);
     85 }
     86 
     87 TEST_F(FirewallControllerTest, TestCreateBlacklistChain) {
     88     std::vector<std::string> expectedRestore = {
     89         "*filter",
     90         ":fw_blacklist -",
     91         "-A fw_blacklist -i lo -j RETURN",
     92         "-A fw_blacklist -o lo -j RETURN",
     93         "-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN",
     94         "COMMIT\n"
     95     };
     96     std::vector<std::pair<IptablesTarget, std::string>> expectedRestoreCommands = {
     97         { V4, android::base::Join(expectedRestore, '\n') },
     98         { V6, android::base::Join(expectedRestore, '\n') },
     99     };
    100 
    101     createChain("fw_blacklist", BLACKLIST);
    102     expectIptablesRestoreCommands(expectedRestoreCommands);
    103 }
    104 
    105 TEST_F(FirewallControllerTest, TestSetStandbyRule) {
    106     ExpectedIptablesCommands expected = {
    107         { V4V6, "*filter\n-D fw_standby -m owner --uid-owner 12345 -j DROP\nCOMMIT\n" }
    108     };
    109     mFw.setUidRule(STANDBY, 12345, ALLOW);
    110     expectIptablesRestoreCommands(expected);
    111 
    112     expected = {
    113         { V4V6, "*filter\n-A fw_standby -m owner --uid-owner 12345 -j DROP\nCOMMIT\n" }
    114     };
    115     mFw.setUidRule(STANDBY, 12345, DENY);
    116     expectIptablesRestoreCommands(expected);
    117 }
    118 
    119 TEST_F(FirewallControllerTest, TestSetDozeRule) {
    120     ExpectedIptablesCommands expected = {
    121         { V4V6, "*filter\n-I fw_dozable -m owner --uid-owner 54321 -j RETURN\nCOMMIT\n" }
    122     };
    123     mFw.setUidRule(DOZABLE, 54321, ALLOW);
    124     expectIptablesRestoreCommands(expected);
    125 
    126     expected = {
    127         { V4V6, "*filter\n-D fw_dozable -m owner --uid-owner 54321 -j RETURN\nCOMMIT\n" }
    128     };
    129     mFw.setUidRule(DOZABLE, 54321, DENY);
    130     expectIptablesRestoreCommands(expected);
    131 }
    132 
    133 TEST_F(FirewallControllerTest, TestSetFirewallRule) {
    134     ExpectedIptablesCommands expected = {
    135         { V4V6, "*filter\n"
    136                 "-A fw_INPUT -m owner --uid-owner 54321 -j DROP\n"
    137                 "-A fw_OUTPUT -m owner --uid-owner 54321 -j DROP\n"
    138                 "COMMIT\n" }
    139     };
    140     mFw.setUidRule(NONE, 54321, DENY);
    141     expectIptablesRestoreCommands(expected);
    142 
    143     expected = {
    144         { V4V6, "*filter\n"
    145                 "-D fw_INPUT -m owner --uid-owner 54321 -j DROP\n"
    146                 "-D fw_OUTPUT -m owner --uid-owner 54321 -j DROP\n"
    147                 "COMMIT\n" }
    148     };
    149     mFw.setUidRule(NONE, 54321, ALLOW);
    150     expectIptablesRestoreCommands(expected);
    151 }
    152 
    153 TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
    154     std::string expected =
    155             "*filter\n"
    156             ":FW_whitechain -\n"
    157             "-A FW_whitechain -m owner --uid-owner 10023 -j RETURN\n"
    158             "-A FW_whitechain -m owner --uid-owner 10059 -j RETURN\n"
    159             "-A FW_whitechain -m owner --uid-owner 10124 -j RETURN\n"
    160             "-A FW_whitechain -m owner --uid-owner 10111 -j RETURN\n"
    161             "-A FW_whitechain -m owner --uid-owner 110122 -j RETURN\n"
    162             "-A FW_whitechain -m owner --uid-owner 210153 -j RETURN\n"
    163             "-A FW_whitechain -m owner --uid-owner 210024 -j RETURN\n"
    164             "-A FW_whitechain -m owner --uid-owner 0-9999 -j RETURN\n"
    165             "-A FW_whitechain -i lo -j RETURN\n"
    166             "-A FW_whitechain -o lo -j RETURN\n"
    167             "-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
    168             "-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"
    169             "-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"
    170             "-A FW_whitechain -p icmpv6 --icmpv6-type router-advertisement -j RETURN\n"
    171             "-A FW_whitechain -p icmpv6 --icmpv6-type neighbour-solicitation -j RETURN\n"
    172             "-A FW_whitechain -p icmpv6 --icmpv6-type neighbour-advertisement -j RETURN\n"
    173             "-A FW_whitechain -p icmpv6 --icmpv6-type redirect -j RETURN\n"
    174             "-A FW_whitechain -j DROP\n"
    175             "COMMIT\n";
    176 
    177     std::vector<int32_t> uids = { 10023, 10059, 10124, 10111, 110122, 210153, 210024 };
    178     EXPECT_EQ(expected, makeUidRules(V6, "FW_whitechain", true, uids));
    179 }
    180 
    181 TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {
    182     std::string expected =
    183             "*filter\n"
    184             ":FW_blackchain -\n"
    185             "-A FW_blackchain -i lo -j RETURN\n"
    186             "-A FW_blackchain -o lo -j RETURN\n"
    187             "-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"
    188             "-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"
    189             "-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"
    190             "-A FW_blackchain -m owner --uid-owner 10124 -j DROP\n"
    191             "COMMIT\n";
    192 
    193     std::vector<int32_t> uids = { 10023, 10059, 10124 };
    194     EXPECT_EQ(expected, makeUidRules(V4 ,"FW_blackchain", false, uids));
    195 }
    196 
    197 TEST_F(FirewallControllerTest, TestEnableChildChains) {
    198     std::vector<std::string> expected = {
    199         "*filter\n"
    200         "-A fw_INPUT -j fw_dozable\n"
    201         "-A fw_OUTPUT -j fw_dozable\n"
    202         "COMMIT\n"
    203     };
    204     EXPECT_EQ(0, mFw.enableChildChains(DOZABLE, true));
    205     expectIptablesRestoreCommands(expected);
    206 
    207     expected = {
    208         "*filter\n"
    209         "-D fw_INPUT -j fw_powersave\n"
    210         "-D fw_OUTPUT -j fw_powersave\n"
    211         "COMMIT\n"
    212     };
    213     EXPECT_EQ(0, mFw.enableChildChains(POWERSAVE, false));
    214     expectIptablesRestoreCommands(expected);
    215 }
    216