| /* |
| * Copyright (C) 2011 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package com.android.server.connectivity; |
| |
| import android.app.Notification; |
| import android.app.NotificationManager; |
| import android.content.Context; |
| import android.content.Intent; |
| import android.content.pm.ApplicationInfo; |
| import android.content.pm.PackageManager; |
| import android.content.res.Resources; |
| import android.graphics.Bitmap; |
| import android.graphics.Canvas; |
| import android.graphics.drawable.Drawable; |
| import android.net.INetworkManagementEventObserver; |
| import android.net.LocalSocket; |
| import android.net.LocalSocketAddress; |
| import android.os.Binder; |
| import android.os.ParcelFileDescriptor; |
| import android.os.Process; |
| import android.os.SystemClock; |
| import android.os.SystemProperties; |
| import android.util.Log; |
| |
| import com.android.internal.R; |
| import com.android.internal.net.VpnConfig; |
| import com.android.server.ConnectivityService.VpnCallback; |
| |
| import java.io.OutputStream; |
| import java.nio.charset.Charsets; |
| |
| /** |
| * @hide |
| */ |
| public class Vpn extends INetworkManagementEventObserver.Stub { |
| |
| private final static String TAG = "Vpn"; |
| private final static String VPN = android.Manifest.permission.VPN; |
| |
| private final Context mContext; |
| private final VpnCallback mCallback; |
| |
| private String mPackageName; |
| private String mInterfaceName; |
| |
| private LegacyVpnRunner mLegacyVpnRunner; |
| |
| public Vpn(Context context, VpnCallback callback) { |
| mContext = context; |
| mCallback = callback; |
| } |
| |
| /** |
| * Prepare for a VPN application. |
| * |
| * @param packageName The package name of the new VPN application. |
| * @return The name of the current prepared package. |
| */ |
| public synchronized String prepare(String packageName) { |
| // Return the current prepared package if the new one is null. |
| if (packageName == null) { |
| return mPackageName; |
| } |
| |
| // Check the permission of the caller. |
| PackageManager pm = mContext.getPackageManager(); |
| VpnConfig.enforceCallingPackage(pm.getNameForUid(Binder.getCallingUid())); |
| |
| // Check the permission of the given package. |
| if (packageName.isEmpty()) { |
| packageName = null; |
| } else if (pm.checkPermission(VPN, packageName) != PackageManager.PERMISSION_GRANTED) { |
| throw new SecurityException(packageName + " does not have " + VPN); |
| } |
| |
| // Reset the interface and hide the notification. |
| if (mInterfaceName != null) { |
| jniResetInterface(mInterfaceName); |
| mCallback.restore(); |
| hideNotification(); |
| mInterfaceName = null; |
| } |
| |
| // Notify the package being revoked. |
| if (mPackageName != null) { |
| Intent intent = new Intent(VpnConfig.ACTION_VPN_REVOKED); |
| intent.setPackage(mPackageName); |
| intent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY); |
| mContext.sendBroadcast(intent); |
| } |
| |
| Log.i(TAG, "Switched from " + mPackageName + " to " + packageName); |
| mPackageName = packageName; |
| return mPackageName; |
| } |
| |
| /** |
| * Protect a socket from routing changes by binding it to the given |
| * interface. The socket IS closed by this method. |
| * |
| * @param socket The socket to be bound. |
| * @param name The name of the interface. |
| */ |
| public void protect(ParcelFileDescriptor socket, String name) { |
| try { |
| mContext.enforceCallingPermission(VPN, "protect"); |
| jniProtectSocket(socket.getFd(), name); |
| } finally { |
| try { |
| socket.close(); |
| } catch (Exception e) { |
| // ignore |
| } |
| } |
| } |
| |
| /** |
| * Configure a TUN interface and return its file descriptor. |
| * |
| * @param config The parameters to configure the interface. |
| * @return The file descriptor of the interface. |
| */ |
| public synchronized ParcelFileDescriptor establish(VpnConfig config) { |
| // Check the permission of the caller. |
| mContext.enforceCallingPermission(VPN, "establish"); |
| |
| // Check if the caller is already prepared. |
| PackageManager pm = mContext.getPackageManager(); |
| ApplicationInfo app = null; |
| try { |
| app = pm.getApplicationInfo(mPackageName, 0); |
| } catch (Exception e) { |
| return null; |
| } |
| if (Binder.getCallingUid() != app.uid) { |
| return null; |
| } |
| |
| // Load the label. |
| String label = app.loadLabel(pm).toString(); |
| |
| // Load the icon and convert it into a bitmap. |
| Drawable icon = app.loadIcon(pm); |
| Bitmap bitmap = null; |
| if (icon.getIntrinsicWidth() > 0 && icon.getIntrinsicHeight() > 0) { |
| int width = mContext.getResources().getDimensionPixelSize( |
| android.R.dimen.notification_large_icon_width); |
| int height = mContext.getResources().getDimensionPixelSize( |
| android.R.dimen.notification_large_icon_height); |
| icon.setBounds(0, 0, width, height); |
| bitmap = Bitmap.createBitmap(width, height, Bitmap.Config.ARGB_8888); |
| icon.draw(new Canvas(bitmap)); |
| } |
| |
| // Create the interface and abort if any of the following steps fails. |
| ParcelFileDescriptor descriptor = |
| ParcelFileDescriptor.adoptFd(jniCreateInterface(config.mtu)); |
| try { |
| String name = jniGetInterfaceName(descriptor.getFd()); |
| if (jniSetAddresses(name, config.addresses) < 1) { |
| throw new IllegalArgumentException("At least one address must be specified"); |
| } |
| if (config.routes != null) { |
| jniSetRoutes(name, config.routes); |
| } |
| if (mInterfaceName != null && !mInterfaceName.equals(name)) { |
| jniResetInterface(mInterfaceName); |
| } |
| mInterfaceName = name; |
| } catch (RuntimeException e) { |
| try { |
| descriptor.close(); |
| } catch (Exception ex) { |
| // ignore |
| } |
| throw e; |
| } |
| |
| String dnsServers = (config.dnsServers == null) ? "" : config.dnsServers.trim(); |
| mCallback.override(dnsServers.isEmpty() ? null : dnsServers.split(" ")); |
| |
| config.packageName = mPackageName; |
| config.interfaceName = mInterfaceName; |
| showNotification(pm, app, config); |
| return descriptor; |
| } |
| |
| // INetworkManagementEventObserver.Stub |
| public void interfaceStatusChanged(String name, boolean up) { |
| } |
| |
| // INetworkManagementEventObserver.Stub |
| public void interfaceLinkStateChanged(String name, boolean up) { |
| } |
| |
| // INetworkManagementEventObserver.Stub |
| public void interfaceAdded(String name) { |
| } |
| |
| // INetworkManagementEventObserver.Stub |
| public synchronized void interfaceRemoved(String name) { |
| if (name.equals(mInterfaceName) && jniCheckInterface(name) == 0) { |
| hideNotification(); |
| mCallback.restore(); |
| mInterfaceName = null; |
| } |
| } |
| |
| private void showNotification(VpnConfig config, String label, Bitmap icon) { |
| NotificationManager nm = (NotificationManager) |
| mContext.getSystemService(Context.NOTIFICATION_SERVICE); |
| |
| if (nm != null) { |
| String title = (label == null) ? mContext.getString(R.string.vpn_title) : |
| mContext.getString(R.string.vpn_title_long, label); |
| String text = (config.sessionName == null) ? mContext.getString(R.string.vpn_text) : |
| mContext.getString(R.string.vpn_text_long, config.sessionName); |
| |
| long identity = Binder.clearCallingIdentity(); |
| Notification notification = new Notification.Builder(mContext) |
| .setSmallIcon(R.drawable.vpn_connected) |
| .setLargeIcon(icon) |
| .setContentTitle(title) |
| .setContentText(text) |
| .setContentIntent(VpnConfig.getIntentForNotification(mContext, config)) |
| .setDefaults(Notification.DEFAULT_ALL) |
| .setOngoing(true) |
| .getNotification(); |
| nm.notify(R.drawable.vpn_connected, notification); |
| Binder.restoreCallingIdentity(identity); |
| } |
| } |
| |
| private void hideNotification() { |
| NotificationManager nm = (NotificationManager) |
| mContext.getSystemService(Context.NOTIFICATION_SERVICE); |
| |
| if (nm != null) { |
| long identity = Binder.clearCallingIdentity(); |
| nm.cancel(R.drawable.vpn_connected); |
| Binder.restoreCallingIdentity(identity); |
| } |
| } |
| |
| private native int jniCreateInterface(int mtu); |
| private native String jniGetInterfaceName(int fd); |
| private native int jniSetAddresses(String name, String addresses); |
| private native int jniSetRoutes(String name, String routes); |
| private native void jniResetInterface(String name); |
| private native int jniCheckInterface(String name); |
| private native void jniProtectSocket(int fd, String name); |
| |
| /** |
| * Handle legacy VPN requests. This method stops the services and restart |
| * them if their arguments are not null. Heavy things are offloaded to |
| * another thread, so callers will not be blocked too long. |
| * |
| * @param raoocn The arguments to be passed to racoon. |
| * @param mtpd The arguments to be passed to mtpd. |
| */ |
| public synchronized void doLegacyVpn(String[] racoon, String[] mtpd) { |
| // Currently only system user is allowed. |
| if (Binder.getCallingUid() != Process.SYSTEM_UID) { |
| throw new SecurityException("Unauthorized Caller"); |
| } |
| |
| // If the previous runner is still alive, interrupt it. |
| if (mLegacyVpnRunner != null && mLegacyVpnRunner.isAlive()) { |
| mLegacyVpnRunner.interrupt(); |
| } |
| |
| // Start a new runner and we are done! |
| mLegacyVpnRunner = new LegacyVpnRunner( |
| new String[] {"racoon", "mtpd"}, racoon, mtpd); |
| mLegacyVpnRunner.start(); |
| } |
| |
| /** |
| * Bringing up a VPN connection takes time, and that is all this thread |
| * does. Here we have plenty of time. The only thing we need to take |
| * care of is responding to interruptions as soon as possible. Otherwise |
| * requests will be piled up. This can be done in a Handler as a state |
| * machine, but it is much easier to read in the current form. |
| */ |
| private class LegacyVpnRunner extends Thread { |
| private static final String TAG = "LegacyVpnRunner"; |
| |
| private static final String NONE = "--"; |
| |
| private final String[] mServices; |
| private final String[][] mArguments; |
| private long mTimer = -1; |
| |
| public LegacyVpnRunner(String[] services, String[]... arguments) { |
| super(TAG); |
| mServices = services; |
| mArguments = arguments; |
| } |
| |
| @Override |
| public void run() { |
| // Wait for the previous thread since it has been interrupted. |
| Log.v(TAG, "wait"); |
| synchronized (TAG) { |
| Log.v(TAG, "run"); |
| execute(); |
| Log.v(TAG, "exit"); |
| } |
| } |
| |
| private void checkpoint(boolean yield) throws InterruptedException { |
| long now = SystemClock.elapsedRealtime(); |
| if (mTimer == -1) { |
| mTimer = now; |
| Thread.sleep(1); |
| } else if (now - mTimer <= 30000) { |
| Thread.sleep(yield ? 200 : 1); |
| } else { |
| throw new InterruptedException("timeout"); |
| } |
| } |
| |
| private void execute() { |
| // Catch all exceptions so we can clean up few things. |
| try { |
| // Initialize the timer. |
| checkpoint(false); |
| |
| // First stop the services. |
| for (String service : mServices) { |
| SystemProperties.set("ctl.stop", service); |
| } |
| |
| // Wait for the services to stop. |
| for (String service : mServices) { |
| String key = "init.svc." + service; |
| while (!"stopped".equals(SystemProperties.get(key))) { |
| checkpoint(true); |
| } |
| } |
| |
| // Reset the properties. |
| SystemProperties.set("vpn.dns", NONE); |
| SystemProperties.set("vpn.via", NONE); |
| while (!NONE.equals(SystemProperties.get("vpn.dns")) || |
| !NONE.equals(SystemProperties.get("vpn.via"))) { |
| checkpoint(true); |
| } |
| |
| // Check if we need to restart some services. |
| boolean restart = false; |
| for (String[] arguments : mArguments) { |
| restart = restart || (arguments != null); |
| } |
| if (!restart) { |
| return; |
| } |
| |
| // Start the service with arguments. |
| for (int i = 0; i < mServices.length; ++i) { |
| String[] arguments = mArguments[i]; |
| if (arguments == null) { |
| continue; |
| } |
| |
| // Start the service. |
| String service = mServices[i]; |
| SystemProperties.set("ctl.start", service); |
| |
| // Wait for the service to start. |
| String key = "init.svc." + service; |
| while (!"running".equals(SystemProperties.get(key))) { |
| checkpoint(true); |
| } |
| |
| // Create the control socket. |
| LocalSocket socket = new LocalSocket(); |
| LocalSocketAddress address = new LocalSocketAddress( |
| service, LocalSocketAddress.Namespace.RESERVED); |
| |
| // Wait for the socket to connect. |
| while (true) { |
| try { |
| socket.connect(address); |
| break; |
| } catch (Exception e) { |
| // ignore |
| } |
| checkpoint(true); |
| } |
| socket.setSoTimeout(500); |
| |
| // Send over the arguments. |
| OutputStream output = socket.getOutputStream(); |
| for (String argument : arguments) { |
| byte[] bytes = argument.getBytes(Charsets.UTF_8); |
| if (bytes.length >= 0xFFFF) { |
| throw new IllegalArgumentException("argument too large"); |
| } |
| output.write(bytes.length >> 8); |
| output.write(bytes.length); |
| output.write(bytes); |
| checkpoint(false); |
| } |
| |
| // Send End-Of-Arguments. |
| output.write(0xFF); |
| output.write(0xFF); |
| output.flush(); |
| socket.close(); |
| } |
| |
| // Now here is the beast from the old days. We check few |
| // properties to figure out the current status. Ideally we |
| // can read things back from the sockets and get rid of the |
| // properties, but we have no time... |
| while (NONE.equals(SystemProperties.get("vpn.dns")) || |
| NONE.equals(SystemProperties.get("vpn.via"))) { |
| |
| // Check if a running service is dead. |
| for (int i = 0; i < mServices.length; ++i) { |
| String service = mServices[i]; |
| if (mArguments[i] != null && !"running".equals( |
| SystemProperties.get("init.svc." + service))) { |
| throw new IllegalArgumentException(service + " is dead"); |
| } |
| } |
| checkpoint(true); |
| } |
| |
| // Great! Now we are connected! |
| Log.i(TAG, "connected!"); |
| // TODO: |
| |
| } catch (Exception e) { |
| Log.i(TAG, e.getMessage()); |
| for (String service : mServices) { |
| SystemProperties.set("ctl.stop", service); |
| } |
| } |
| } |
| } |
| } |