Program local and TLS servers, and allow TLS-bypass

This change comprises several parts:

[1] Define a wasExplicitlyConfigured() notion on a DnsTlsServer to
    indicate whether the hostname or any fingerprints have been
    explicitly set. A DnsTlsServer not wasExplicitlyConfigured()
    implies opportunistic mode.

[2] The locally-assigned DNS servers get set in bionic, and the TLS
    servers get set in ResolverController.

[3] ResolverController::getPrivateDnsMode returns the Private DNS mode
    configured for a given netid.

[4] ResolverController::getValidatedTlsServers() returns a list of
    validated DnsTlsServers for a given netid.

[5] The mode and a non-empty list together instruct the qhook in
    DnsProxyListener to hand a query off to the DnsTlsDispatcher.

[6] The DnsTlsDispatcher iterates over the list of DnsTlsServers,
    preferring servers for which connections already exist.

[7] Enable EDNS0 for DNS-over-TLS queries (set the appropriate flag
    in the android_net_context.flags field).

[8] Introduce NETID_USE_LOCAL_NAMESERVERS flag for setting the high
    bit of netids in order to pass this information across the
    app<->netd boundary.

[9] Update setNetworkForResolv and getNetworkForResolv to handle the
    NETID_USE_LOCAL_NAMESERVERS flag accordingly.

[10] DnsProxyListener translates the NETID_USE_LOCAL_NAMESERVERS bit
     into the NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS flag.

Test: as follows
    - built
    - flashed
    - booted
    - ./system/netd/tests/runtests.sh passes
Bug: 34953048
Bug: 64133961
Bug: 72345192
Bug: 76103007
Change-Id: Ib564c6a23c44b36755418fd1557cd86ea54dae44
diff --git a/server/ResolverController.h b/server/ResolverController.h
index b67481f..287e199 100644
--- a/server/ResolverController.h
+++ b/server/ResolverController.h
@@ -17,6 +17,7 @@
 #ifndef _RESOLVER_CONTROLLER_H_
 #define _RESOLVER_CONTROLLER_H_
 
+#include <list>
 #include <vector>
 
 struct __res_params;
@@ -29,6 +30,13 @@
 class DumpWriter;
 struct ResolverStats;
 
+enum class PrivateDnsMode {
+    OFF,
+    OPPORTUNISTIC,
+    STRICT,
+};
+
+
 class ResolverController {
 public:
     ResolverController() {};
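Review bot: the three PrivateDnsMode enumerators added above `class ResolverController` have no comments, and the difference between OPPORTUNISTIC and STRICT is the security-relevant part of this interface. Please document each value, in particular whether a query may fall back to the locally-assigned cleartext servers in that mode, and note that per the commit message a DnsTlsServer that is not wasExplicitlyConfigured() implies OPPORTUNISTIC. Style nit: the enum is followed by two blank lines where the rest of the header uses one.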
@@ -42,12 +50,16 @@
     // Validation status of a DNS over TLS server (on a specific netId).
     enum class Validation : uint8_t { in_process, success, fail, unknown_server, unknown_netid };
 
-    // Given a netId and the address of an insecure (i.e. normal) DNS server, this method checks
-    // if there is a known secure DNS server with the same IP address that has been validated as
-    // accessible on this netId.  It returns the validation status, and provides the secure server
-    // (including port, name, and fingerprints) in the output parameter.
-    Validation getTlsStatus(unsigned netId, const sockaddr_storage& insecureServer,
-            DnsTlsServer* secureServer);
+    struct PrivateDnsStatus {
+        PrivateDnsMode mode;
+        std::list<DnsTlsServer> validatedServers;
+    };
+
+    // Retrieve the Private DNS status for the given |netid|.
+    //
+    // If the requested |netid| is not known, the PrivateDnsStatus's mode has a
+    // default value of PrivateDnsMode::OFF, and validatedServers is empty.
+    PrivateDnsStatus getPrivateDnsStatus(unsigned netid) const;
 
     int clearDnsServers(unsigned netid);
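Review bot: `PrivateDnsMode mode;` in PrivateDnsStatus has no default member initializer, so the OFF default promised in the comment on getPrivateDnsStatus() holds only if the implementation sets it on every path or value-initializes the struct. Writing `PrivateDnsMode mode = PrivateDnsMode::OFF;` makes the documented default true by construction. The comment should also say what a caller is expected to do when mode is STRICT and validatedServers is empty, since the commit message describes the hand-off to DnsTlsDispatcher only for the mode together with a non-empty list; the failure behaviour in that case decides whether queries can leak in cleartext and deserves a sentence here. Separately, the commit message names getPrivateDnsMode and getValidatedTlsServers(), while this header declares a single getPrivateDnsStatus(); one of the two should be updated so they agree.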