Blame - services/core/java/com/android/server/net/LockdownVpnTracker.java - platform/frameworks/base

2012-08-25 00:05:46 -0700

[diff] [blame]

/*

*

* Licensed under the Apache License, Version 2.0 (the "License");

5

* you may not use this file except in compliance with the License.

6

* You may obtain a copy of the License at

7

*

8

* http://www.apache.org/licenses/LICENSE-2.0

9

*

10

* Unless required by applicable law or agreed to in writing, software

11

* distributed under the License is distributed on an "AS IS" BASIS,

12

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

13

* See the License for the specific language governing permissions and

14

* limitations under the License.

15

*/

16

17

package com.android.server.net;

18

19

import static android.Manifest.permission.CONNECTIVITY_INTERNAL;

Xiaohui Chen

b41c9f7

2015-06-17 15:55:37 -0700

[diff] [blame]

20

import static android.net.NetworkPolicyManager.FIREWALL_CHAIN_NONE;

Amith Yamasani

15e47235

2015-04-24 19:06:07 -0700

[diff] [blame]

21

import static android.net.NetworkPolicyManager.FIREWALL_RULE_ALLOW;

22

import static android.net.NetworkPolicyManager.FIREWALL_RULE_DEFAULT;

Robin Lee

a249aee

2016-02-03 13:42:56 +0000

[diff] [blame]

23

import static android.provider.Settings.ACTION_VPN_SETTINGS;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

24

25

import android.app.Notification;

26

import android.app.NotificationManager;

27

import android.app.PendingIntent;

28

import android.content.BroadcastReceiver;

29

import android.content.Context;

30

import android.content.Intent;

31

import android.content.IntentFilter;

Lorenzo Colitti

2014-10-15 16:06:07 +0900

[diff] [blame]

32

import android.net.ConnectivityManager;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

33

import android.net.LinkProperties;

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

34

import android.net.LinkAddress;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

35

import android.net.NetworkInfo;

36

import android.net.NetworkInfo.DetailedState;

37

import android.net.NetworkInfo.State;

Amith Yamasani

15e47235

2015-04-24 19:06:07 -0700

[diff] [blame]

38

import android.net.NetworkPolicyManager;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

39

import android.os.INetworkManagementService;

40

import android.os.RemoteException;

41

import android.security.Credentials;

42

import android.security.KeyStore;

Lorenzo Colitti

2014-10-16 01:06:29 +0900

[diff] [blame]

43

import android.system.Os;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

44

import android.text.TextUtils;

45

import android.util.Slog;

46

47

import com.android.internal.R;

48

import com.android.internal.net.VpnConfig;

49

import com.android.internal.net.VpnProfile;

50

import com.android.internal.util.Preconditions;

51

import com.android.server.ConnectivityService;

Jeff Sharkey

2012-09-06 18:33:14 -0700

[diff] [blame]

52

import com.android.server.EventLogTags;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

53

import com.android.server.connectivity.Vpn;

54

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

55

import java.util.List;

56

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

57

/**

58

* State tracker for lockdown mode. Watches for normal {@link NetworkInfo} to be

59

* connected and kicks off VPN connection, managing any required {@code netd}

60

* firewall rules.

61

*/

62

public class LockdownVpnTracker {

63

private static final String TAG = "LockdownVpnTracker";

64

65

/** Number of VPN attempts before waiting for user intervention. */

66

private static final int MAX_ERROR_COUNT = 4;

67

68

private static final String ACTION_LOCKDOWN_RESET = "com.android.server.action.LOCKDOWN_RESET";

Jeff Sharkey

2013-02-20 18:21:19 -0800

[diff] [blame]

69

Lorenzo Colitti

2014-10-16 01:06:29 +0900

[diff] [blame]

70

private static final int ROOT_UID = 0;

71

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

72

private final Context mContext;

73

private final INetworkManagementService mNetService;

74

private final ConnectivityService mConnService;

75

private final Vpn mVpn;

76

private final VpnProfile mProfile;

77

78

private final Object mStateLock = new Object();

79

Jeff Sharkey

2013-02-20 18:21:19 -0800

[diff] [blame]

80

private final PendingIntent mConfigIntent;

81

private final PendingIntent mResetIntent;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

82

83

private String mAcceptedEgressIface;

84

private String mAcceptedIface;

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

85

private List<LinkAddress> mAcceptedSourceAddr;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

86

87

private int mErrorCount;

88

89

public static boolean isEnabled() {

90

return KeyStore.getInstance().contains(Credentials.LOCKDOWN_VPN);

91

}

92

93

public LockdownVpnTracker(Context context, INetworkManagementService netService,

94

ConnectivityService connService, Vpn vpn, VpnProfile profile) {

95

mContext = Preconditions.checkNotNull(context);

96

mNetService = Preconditions.checkNotNull(netService);

97

mConnService = Preconditions.checkNotNull(connService);

98

mVpn = Preconditions.checkNotNull(vpn);

99

mProfile = Preconditions.checkNotNull(profile);

100

Jeff Sharkey

2013-02-20 18:21:19 -0800

[diff] [blame]

101

final Intent configIntent = new Intent(ACTION_VPN_SETTINGS);

Jeff Sharkey

2013-02-20 18:21:19 -0800

[diff] [blame]

102

mConfigIntent = PendingIntent.getActivity(mContext, 0, configIntent, 0);

103

Jeff Sharkey

2012-08-29 22:27:39 -0700

[diff] [blame]

104

final Intent resetIntent = new Intent(ACTION_LOCKDOWN_RESET);

105

resetIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);

106

mResetIntent = PendingIntent.getBroadcast(mContext, 0, resetIntent, 0);

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

107

}

108

109

private BroadcastReceiver mResetReceiver = new BroadcastReceiver() {

110

@Override

111

public void onReceive(Context context, Intent intent) {

reset();

}

};

/**

* Watch for state changes to both active egress network, kicking off a VPN

118

* connection when ready, or setting firewall rules once VPN is connected.

119

*/

120

private void handleStateChangedLocked() {

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

121

122

final NetworkInfo egressInfo = mConnService.getActiveNetworkInfoUnfiltered();

123

final LinkProperties egressProp = mConnService.getActiveLinkProperties();

124

125

final NetworkInfo vpnInfo = mVpn.getNetworkInfo();

126

final VpnConfig vpnConfig = mVpn.getLegacyVpnConfig();

127

128

// Restart VPN when egress network disconnected or changed

129

final boolean egressDisconnected = egressInfo == null

130

|| State.DISCONNECTED.equals(egressInfo.getState());

131

final boolean egressChanged = egressProp == null

132

|| !TextUtils.equals(mAcceptedEgressIface, egressProp.getInterfaceName());

Lorenzo Colitti

2014-10-15 16:06:07 +0900

[diff] [blame]

133

134

final String egressTypeName = (egressInfo == null) ?

135

null : ConnectivityManager.getNetworkTypeName(egressInfo.getType());

136

final String egressIface = (egressProp == null) ?

137

null : egressProp.getInterfaceName();

138

Slog.d(TAG, "handleStateChanged: egress=" + egressTypeName +

139

" " + mAcceptedEgressIface + "->" + egressIface);

140

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

141

if (egressDisconnected || egressChanged) {

Jeff Sharkey

2012-08-29 22:27:39 -0700

[diff] [blame]

142

clearSourceRulesLocked();

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

143

mAcceptedEgressIface = null;

Jeff Davidson

b21298a

2015-02-10 10:02:11 -0800

[diff] [blame]

144

mVpn.stopLegacyVpnPrivileged();

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

145

}

Jeff Sharkey

5766693

2013-04-30 17:01:57 -0700

[diff] [blame]

146

if (egressDisconnected) {

147

hideNotification();

148

return;

149

}

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

150

Jeff Sharkey

2012-09-06 18:33:14 -0700

[diff] [blame]

151

final int egressType = egressInfo.getType();

152

if (vpnInfo.getDetailedState() == DetailedState.FAILED) {

153

EventLogTags.writeLockdownVpnError(egressType);

154

}

155

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

156

if (mErrorCount > MAX_ERROR_COUNT) {

157

showNotification(R.string.vpn_lockdown_error, R.drawable.vpn_disconnected);

158

159

} else if (egressInfo.isConnected() && !vpnInfo.isConnectedOrConnecting()) {

160

if (mProfile.isValidLockdownProfile()) {

161

Slog.d(TAG, "Active network connected; starting VPN");

Jeff Sharkey

2012-09-06 18:33:14 -0700

[diff] [blame]

162

EventLogTags.writeLockdownVpnConnecting(egressType);

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

163

showNotification(R.string.vpn_lockdown_connecting, R.drawable.vpn_disconnected);

164

165

mAcceptedEgressIface = egressProp.getInterfaceName();

Jeff Sharkey

421fab8

2013-06-27 10:57:45 -0700

[diff] [blame]

166

try {

Jeff Davidson

b21298a

2015-02-10 10:02:11 -0800

[diff] [blame]

167

// Use the privileged method because Lockdown VPN is initiated by the system, so

168

// no additional permission checks are necessary.

169

mVpn.startLegacyVpnPrivileged(mProfile, KeyStore.getInstance(), egressProp);

Jeff Sharkey

421fab8

2013-06-27 10:57:45 -0700

[diff] [blame]

170

} catch (IllegalStateException e) {

171

mAcceptedEgressIface = null;

172

Slog.e(TAG, "Failed to start VPN", e);

173

showNotification(R.string.vpn_lockdown_error, R.drawable.vpn_disconnected);

174

}

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

175

} else {

176

Slog.e(TAG, "Invalid VPN profile; requires IP-based server and DNS");

177

showNotification(R.string.vpn_lockdown_error, R.drawable.vpn_disconnected);

178

}

179

180

} else if (vpnInfo.isConnected() && vpnConfig != null) {

181

final String iface = vpnConfig.interfaze;

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

182

final List<LinkAddress> sourceAddrs = vpnConfig.addresses;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

183

184

if (TextUtils.equals(iface, mAcceptedIface)

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

185

&& sourceAddrs.equals(mAcceptedSourceAddr)) {

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

return;

}

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

189

Slog.d(TAG, "VPN connected using iface=" + iface +

190

", sourceAddr=" + sourceAddrs.toString());

Jeff Sharkey

2012-09-06 18:33:14 -0700

[diff] [blame]

191

EventLogTags.writeLockdownVpnConnected(egressType);

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

192

showNotification(R.string.vpn_lockdown_connected, R.drawable.vpn_connected);

193

194

try {

Jeff Sharkey

2012-08-29 22:27:39 -0700

[diff] [blame]

195

clearSourceRulesLocked();

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

196

197

mNetService.setFirewallInterfaceRule(iface, true);

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

198

for (LinkAddress addr : sourceAddrs) {

Lorenzo Colitti

02c7aba

2014-10-16 00:55:07 +0900

[diff] [blame]

199

setFirewallEgressSourceRule(addr, true);

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

200

}

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

201

Xiaohui Chen

b41c9f7

2015-06-17 15:55:37 -0700

[diff] [blame]

202

mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, ROOT_UID, FIREWALL_RULE_ALLOW);

203

mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, Os.getuid(), FIREWALL_RULE_ALLOW);

Lorenzo Colitti

2014-10-16 01:06:29 +0900

[diff] [blame]

204

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

205

mErrorCount = 0;

206

mAcceptedIface = iface;

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

207

mAcceptedSourceAddr = sourceAddrs;

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

208

} catch (RemoteException e) {

209

throw new RuntimeException("Problem setting firewall rules", e);

210

}

211

Jeff Sharkey

f07c7b9

2016-04-22 09:50:16 -0600

[diff] [blame]

212

final NetworkInfo clone = new NetworkInfo(egressInfo);

213

augmentNetworkInfo(clone);

214

mConnService.sendConnectedBroadcast(clone);

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

}

}

public void init() {

Jeff Sharkey

2012-08-29 22:27:39 -0700

[diff] [blame]

219

synchronized (mStateLock) {

initLocked();

}

}

private void initLocked() {

225

Slog.d(TAG, "initLocked()");

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

226

Jeff Sharkey

5766693

2013-04-30 17:01:57 -0700

[diff] [blame]

227

mVpn.setEnableTeardown(false);

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

228

229

final IntentFilter resetFilter = new IntentFilter(ACTION_LOCKDOWN_RESET);

230

mContext.registerReceiver(mResetReceiver, resetFilter, CONNECTIVITY_INTERNAL, null);

231

232

try {

233

// TODO: support non-standard port numbers

234

mNetService.setFirewallEgressDestRule(mProfile.server, 500, true);

235

mNetService.setFirewallEgressDestRule(mProfile.server, 4500, true);

Jeff Sharkey

42c0c9f

2013-02-21 10:31:45 -0800

[diff] [blame]

236

mNetService.setFirewallEgressDestRule(mProfile.server, 1701, true);

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

237

} catch (RemoteException e) {

238

throw new RuntimeException("Problem setting firewall rules", e);

239

}

240

Robin Lee

aca5e7e3

2015-11-12 10:28:06 +0000

[diff] [blame]

241

handleStateChangedLocked();

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

242

}

243

244

public void shutdown() {

Jeff Sharkey

2012-08-29 22:27:39 -0700

[diff] [blame]

245

synchronized (mStateLock) {

shutdownLocked();

}

}

private void shutdownLocked() {

251

Slog.d(TAG, "shutdownLocked()");

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

252

253

mAcceptedEgressIface = null;

254

mErrorCount = 0;

255

Jeff Davidson

b21298a

2015-02-10 10:02:11 -0800

[diff] [blame]

256

mVpn.stopLegacyVpnPrivileged();

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

257

try {

258

mNetService.setFirewallEgressDestRule(mProfile.server, 500, false);

259

mNetService.setFirewallEgressDestRule(mProfile.server, 4500, false);

Jeff Sharkey

42c0c9f

2013-02-21 10:31:45 -0800

[diff] [blame]

260

mNetService.setFirewallEgressDestRule(mProfile.server, 1701, false);

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

261

} catch (RemoteException e) {

262

throw new RuntimeException("Problem setting firewall rules", e);

263

}

Jeff Sharkey

2012-08-29 22:27:39 -0700

[diff] [blame]

264

clearSourceRulesLocked();

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

265

hideNotification();

266

267

mContext.unregisterReceiver(mResetReceiver);

Jeff Sharkey

5766693

2013-04-30 17:01:57 -0700

[diff] [blame]

268

mVpn.setEnableTeardown(true);

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

269

}

270

271

public void reset() {

Lorenzo Colitti

2014-10-15 16:06:07 +0900

[diff] [blame]

272

Slog.d(TAG, "reset()");

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

273

synchronized (mStateLock) {

Jeff Sharkey

2012-08-29 22:27:39 -0700

[diff] [blame]

274

// cycle tracker, reset error count, and trigger retry

275

shutdownLocked();

276

initLocked();

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

277

handleStateChangedLocked();

}

}

Jeff Sharkey

2012-08-29 22:27:39 -0700

[diff] [blame]

281

private void clearSourceRulesLocked() {

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

282

try {

283

if (mAcceptedIface != null) {

284

mNetService.setFirewallInterfaceRule(mAcceptedIface, false);

285

mAcceptedIface = null;

286

}

287

if (mAcceptedSourceAddr != null) {

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

288

for (LinkAddress addr : mAcceptedSourceAddr) {

Lorenzo Colitti

02c7aba

2014-10-16 00:55:07 +0900

[diff] [blame]

289

setFirewallEgressSourceRule(addr, false);

Chad Brubaker

2013-06-14 11:16:51 -0700

[diff] [blame]

290

}

Lorenzo Colitti

2014-10-16 01:06:29 +0900

[diff] [blame]

291

Xiaohui Chen

b41c9f7

2015-06-17 15:55:37 -0700

[diff] [blame]

292

mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE, ROOT_UID, FIREWALL_RULE_DEFAULT);

293

mNetService.setFirewallUidRule(FIREWALL_CHAIN_NONE,Os.getuid(), FIREWALL_RULE_DEFAULT);

Lorenzo Colitti

2014-10-16 01:06:29 +0900

[diff] [blame]

294

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

295

mAcceptedSourceAddr = null;

296

}

297

} catch (RemoteException e) {

298

throw new RuntimeException("Problem setting firewall rules", e);

}

}

Lorenzo Colitti

2014-10-16 00:55:07 +0900

[diff] [blame]

302

private void setFirewallEgressSourceRule(

303

LinkAddress address, boolean allow) throws RemoteException {

304

// Our source address based firewall rules must only cover our own source address, not the

305

// whole subnet

306

final String addrString = address.getAddress().getHostAddress();

307

mNetService.setFirewallEgressSourceRule(addrString, allow);

308

}

309

Lorenzo Colitti

2014-10-15 16:06:07 +0900

[diff] [blame]

310

public void onNetworkInfoChanged() {

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

311

synchronized (mStateLock) {

312

handleStateChangedLocked();

}

}

public void onVpnStateChanged(NetworkInfo info) {

317

if (info.getDetailedState() == DetailedState.FAILED) {

318

mErrorCount++;

319

}

320

synchronized (mStateLock) {

321

handleStateChangedLocked();

}

}

Jeff Sharkey

2016-04-22 09:50:16 -0600

[diff] [blame]

325

public void augmentNetworkInfo(NetworkInfo info) {

Jeff Sharkey

0b81be6

2012-09-18 15:44:16 -0700

[diff] [blame]

326

if (info.isConnected()) {

327

final NetworkInfo vpnInfo = mVpn.getNetworkInfo();

Jeff Sharkey

0b81be6

2012-09-18 15:44:16 -0700

[diff] [blame]

328

info.setDetailedState(vpnInfo.getDetailedState(), vpnInfo.getReason(), null);

329

}

Jeff Sharkey

2012-08-25 00:05:46 -0700

[diff] [blame]

330

}

331

332

private void showNotification(int titleRes, int iconRes) {

Selim Cinek

255dd04

2014-08-19 22:29:02 +0200

[diff] [blame]

333

final Notification.Builder builder = new Notification.Builder(mContext)

334

.setWhen(0)

335

.setSmallIcon(iconRes)

336

.setContentTitle(mContext.getString(titleRes))

337

.setContentText(mContext.getString(R.string.vpn_lockdown_config))

338

.setContentIntent(mConfigIntent)

339

.setPriority(Notification.PRIORITY_LOW)

340

.setOngoing(true)

341

.addAction(R.drawable.ic_menu_refresh, mContext.getString(R.string.reset),

342

mResetIntent)

Alan Viverette

4a357cd

2015-03-18 18:37:18 -0700

[diff] [blame]

343

.setColor(mContext.getColor(

Selim Cinek

255dd04

2014-08-19 22:29:02 +0200

[diff] [blame]

344

com.android.internal.R.color.system_notification_accent_color));

Jeff Sharkey

2013-02-20 18:21:19 -0800

[diff] [blame]

345

Jeff Sharkey