Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / 6c6ea2ac9c441bd1cc24c553bfc76e13bb484d45 / . / server / NetdNativeService.cpp
blob: a575642876719068aace1ad9f2ee8f3e276eac32 [file] [log] [blame]
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "Netd"
18
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]19#include <vector>
20
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]21#include <android-base/stringprintf.h>
22#include <cutils/log.h>
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]23#include <cutils/properties.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]24#include <utils/Errors.h>
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]25#include <utils/String16.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]26
27#include <binder/IPCThreadState.h>
28#include <binder/IServiceManager.h>
29#include "android/net/BnNetd.h"
30
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]31#include "Controllers.h"
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]32#include "DumpWriter.h"
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]33#include "EventReporter.h"
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]34#include "InterfaceController.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]35#include "NetdConstants.h"
36#include "NetdNativeService.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]37#include "RouteController.h"
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]38#include "SockDiag.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]39#include "UidRanges.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]40
41using android::base::StringPrintf;
42
43namespace android {
44namespace net {
45
46namespace {
47
48const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL";
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]49const char DUMP[] = "android.permission.DUMP";
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]50
51binder::Status checkPermission(const char *permission) {
52 pid_t pid;
53 uid_t uid;
54
55 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) {
56 return binder::Status::ok();
57 } else {
58 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission);
59 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str()));
60 }
61}
62
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]63#define ENFORCE_DEBUGGABLE() { \
64 char value[PROPERTY_VALUE_MAX + 1]; \
65 if (property_get("ro.debuggable", value, NULL) != 1 \
66 || value[0] != '1') { \
67 return binder::Status::fromExceptionCode( \
68 binder::Status::EX_SECURITY, \
69 String8("Not available in production builds.") \
70 ); \
71 } \
72}
73
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]74#define ENFORCE_PERMISSION(permission) { \
75 binder::Status status = checkPermission((permission)); \
76 if (!status.isOk()) { \
77 return status; \
78 } \
79}
80
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]81#define NETD_LOCKING_RPC(permission, lock) \
82 ENFORCE_PERMISSION(permission); \
83 android::RWLock::AutoWLock _lock(lock);
84
85#define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock)
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]86} // namespace
87
88
Lorenzo Colittie4851de2016-03-17 13:23:28 +0900[diff] [blame]89status_t NetdNativeService::start() {
90 IPCThreadState::self()->disableBackgroundScheduling(true);
91 status_t ret = BinderService<NetdNativeService>::publish();
92 if (ret != android::OK) {
93 return ret;
94 }
95 sp<ProcessState> ps(ProcessState::self());
96 ps->startThreadPool();
97 ps->giveThreadPoolName();
98 return android::OK;
99}
100
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]101status_t NetdNativeService::dump(int fd, const Vector<String16> & /* args */) {
102 const binder::Status dump_permission = checkPermission(DUMP);
103 if (!dump_permission.isOk()) {
104 const String8 msg(dump_permission.toString8());
105 write(fd, msg.string(), msg.size());
106 return PERMISSION_DENIED;
107 }
108
109 // This method does not grab any locks. If individual classes need locking
110 // their dump() methods MUST handle locking appropriately.
111 DumpWriter dw(fd);
112 dw.blankline();
113 gCtls->netCtrl.dump(dw);
114 dw.blankline();
115
116 return NO_ERROR;
117}
118
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]119binder::Status NetdNativeService::isAlive(bool *alive) {
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]120 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]121
122 *alive = true;
123 return binder::Status::ok();
124}
125
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]126binder::Status NetdNativeService::firewallReplaceUidChain(const android::String16& chainName,
127 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) {
128 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock);
129
130 android::String8 name = android::String8(chainName);
131 int err = gCtls->firewallCtrl.replaceUidChain(name.string(), isWhitelist, uids);
132 *ret = (err == 0);
133 return binder::Status::ok();
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]134}
Lorenzo Colittidedd2712016-03-22 12:36:29 +0900[diff] [blame]135
136binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
137 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock);
138
139 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
140 *ret = (err == 0);
141 return binder::Status::ok();
142}
143
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]144binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
145 const std::vector<UidRange>& uidRangeArray) {
146 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
147 // it should be possible to use the same lock as NetworkController. However, every call through
148 // the CommandListener "network" command will need to hold this lock too, not just the ones that
149 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
150 // look at routes, but it's not enough here).
151 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
152
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]153 UidRanges uidRanges(uidRangeArray);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]154
155 int err;
156 if (add) {
157 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
158 } else {
159 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
160 }
161
162 if (err != 0) {
163 return binder::Status::fromServiceSpecificError(-err,
164 String8::format("RouteController error: %s", strerror(-err)));
165 }
166 return binder::Status::ok();
167}
168
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]169binder::Status NetdNativeService::socketDestroy(const std::vector<UidRange>& uids,
170 const std::vector<int32_t>& skipUids) {
171
172 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
173
174 SockDiag sd;
175 if (!sd.open()) {
176 return binder::Status::fromServiceSpecificError(EIO,
177 String8("Could not open SOCK_DIAG socket"));
178 }
179
180 UidRanges uidRanges(uids);
Lorenzo Colittie5c3c992016-07-26 17:53:50 +0900[diff] [blame]181 int err = sd.destroySockets(uidRanges, std::set<uid_t>(skipUids.begin(), skipUids.end()),
182 true /* excludeLoopback */);
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]183
184 if (err) {
185 return binder::Status::fromServiceSpecificError(-err,
186 String8::format("destroySockets: %s", strerror(-err)));
187 }
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]188 return binder::Status::ok();
189}
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]190
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]191binder::Status NetdNativeService::setResolverConfiguration(int32_t netId,
192 const std::vector<std::string>& servers, const std::vector<std::string>& domains,
193 const std::vector<int32_t>& params) {
194 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
195 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
196
197 int err = gCtls->resolverCtrl.setResolverConfiguration(netId, servers, domains, params);
198 if (err != 0) {
199 return binder::Status::fromServiceSpecificError(-err,
200 String8::format("ResolverController error: %s", strerror(-err)));
201 }
202 return binder::Status::ok();
203}
204
205binder::Status NetdNativeService::getResolverInfo(int32_t netId,
206 std::vector<std::string>* servers, std::vector<std::string>* domains,
207 std::vector<int32_t>* params, std::vector<int32_t>* stats) {
208 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
209 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
210
211 int err = gCtls->resolverCtrl.getResolverInfo(netId, servers, domains, params, stats);
212 if (err != 0) {
213 return binder::Status::fromServiceSpecificError(-err,
214 String8::format("ResolverController error: %s", strerror(-err)));
215 }
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]216 return binder::Status::ok();
217}
218
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]219binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) {
220 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
221
222 *ret = gCtls->tetherCtrl.applyDnsInterfaces();
223 return binder::Status::ok();
224}
225
Erik Kline53c20882016-08-02 15:22:53 +0900[diff] [blame]226binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName,
227 const std::string &addrString, int prefixLength) {
228 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
229
230 const int err = InterfaceController::addAddress(
231 ifName.c_str(), addrString.c_str(), prefixLength);
232 if (err != 0) {
233 return binder::Status::fromServiceSpecificError(-err,
234 String8::format("InterfaceController error: %s", strerror(-err)));
235 }
236 return binder::Status::ok();
237}
238
239binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
240 const std::string &addrString, int prefixLength) {
241 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
242
243 const int err = InterfaceController::delAddress(
244 ifName.c_str(), addrString.c_str(), prefixLength);
245 if (err != 0) {
246 return binder::Status::fromServiceSpecificError(-err,
247 String8::format("InterfaceController error: %s", strerror(-err)));
248 }
249 return binder::Status::ok();
250}
251
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]252binder::Status NetdNativeService::setProcSysNet(
253 int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
254 const std::string &value) {
255 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
256
257 const char *familyStr;
258 switch (family) {
259 case INetd::IPV4:
260 familyStr = "ipv4";
261 break;
262 case INetd::IPV6:
263 familyStr = "ipv6";
264 break;
265 default:
266 return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family"));
267 }
268
269 const char *whichStr;
270 switch (which) {
271 case INetd::CONF:
272 whichStr = "conf";
273 break;
274 case INetd::NEIGH:
275 whichStr = "neigh";
276 break;
277 default:
278 return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category"));
279 }
280
281 const int err = InterfaceController::setParameter(
282 familyStr, whichStr, ifname.c_str(), parameter.c_str(),
283 value.c_str());
284 if (err != 0) {
285 return binder::Status::fromServiceSpecificError(-err,
286 String8::format("ResolverController error: %s", strerror(-err)));
287 }
288 return binder::Status::ok();
289}
290
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]291binder::Status NetdNativeService::getMetricsReportingLevel(int *reportingLevel) {
292 // This function intentionally does not lock, since the only thing it does is one read from an
293 // atomic_int.
294 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
295 ENFORCE_DEBUGGABLE();
296
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]297 *reportingLevel = gCtls->eventReporter.getMetricsReportingLevel();
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]298 return binder::Status::ok();
299}
300
301binder::Status NetdNativeService::setMetricsReportingLevel(const int reportingLevel) {
302 // This function intentionally does not lock, since the only thing it does is one write to an
303 // atomic_int.
304 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
305 ENFORCE_DEBUGGABLE();
306
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]307 return (gCtls->eventReporter.setMetricsReportingLevel(reportingLevel) == 0)
308 ? binder::Status::ok()
309 : binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT);
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]310}
311
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]312} // namespace net
313} // namespace android