diff options
| author | Chalard Jean <jchalard@google.com> | 2022-01-25 18:27:53 +0900 |
|---|---|---|
| committer | Chalard Jean <jchalard@google.com> | 2022-01-31 17:04:46 +0900 |
| commit | 366c525b159002699c95ad783c671fb2d8602ddd (patch) | |
| tree | 8eca8342cbbdf6152cde5273e626d2e17fc6e5b2 /tests/common/java/android/net/NetworkCapabilitiesTest.java | |
| parent | e9cd2084e4eb3dbf363df68f7dac96c5053f0f03 (diff) | |
Sanitize NetworkCapabilities from agent on the handler thread
NetworkAgents send NetworkCapabilities to ConnectivityService but
there are limits to what exactly they can send. Going forward,
some of these checks will have to happen on the handler thread,
which is already the case when an agent updates its capabilities,
but not upon registration.
This patches moves the sanitization on the handler thread, after
the network monitor is created for a network agent.
Before this patch, upon registration of a new agent, the binder
thread would copy and sanitize the capabilities, then store them
in nai.networkCapabilities. It would store the original caps from
the agent in the NAI, mix in what is known from the network info,
process the LinkProperties, and then proceed to create the
network monitor, but not yet store the NAI in the internal
structures because its registration is not finalized, so other
methods should not see it yet. After the monitor is created in
the network stack process, the NAI is stored in the internal
structures which publishes it for all methods to see. After
that is done, the NAI calls to the network monitor to warn it
that it's registered, what its capabilities are, and that it's
time to start validation if applicable.
With this patch, the validation no longer happens on the binder
thread. Instead, the binder thread stores the capabilities and
link properties as is, before sanitization, in the NAI. This is
fine because no other method can access these until the
registration completes upon notification that the monitor has
been created ; this agent is only stored in the network monitor
callbacks in a self-destructing object precisely to make sure
that's the case.
When the monitor is created and CS receives notification of the
same, it will sanitize the capabilities before adding the NAI
to the internal structures, to protect the invariant that the
un-sanitized capabilities inside the NAI can't ever be seen by
any other method. After that's done, it will call to the
monitor to start validation as usual.
Test: FrameworksNetTests CtsNetTestsCases
Change-Id: I7d43ef0e25955e0349903b4801b9dfd8c3c92586
Diffstat (limited to 'tests/common/java/android/net/NetworkCapabilitiesTest.java')
0 files changed, 0 insertions, 0 deletions