Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / 9224bcd38e205380d4becf607fff1dcc4546a151 / . / server / NetdNativeService.cpp
blob: 4f5e9f46d25582be997d9377cc6f7ba4df65daff [file] [log] [blame]
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "Netd"
18
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]19#include <set>
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]20#include <vector>
21
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]22#include <android-base/stringprintf.h>
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]23#include <android-base/strings.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]24#include <cutils/log.h>
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]25#include <cutils/properties.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]26#include <utils/Errors.h>
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]27#include <utils/String16.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]28
29#include <binder/IPCThreadState.h>
30#include <binder/IServiceManager.h>
31#include "android/net/BnNetd.h"
32
Ben Schwartze7601812017-04-28 16:38:29 -0400[diff] [blame]33#include <openssl/base64.h>
34
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]35#include "Controllers.h"
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]36#include "DumpWriter.h"
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]37#include "EventReporter.h"
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]38#include "InterfaceController.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]39#include "NetdConstants.h"
40#include "NetdNativeService.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]41#include "RouteController.h"
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]42#include "SockDiag.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]43#include "UidRanges.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]44
45using android::base::StringPrintf;
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]46using android::os::PersistableBundle;
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]47
48namespace android {
49namespace net {
50
51namespace {
52
53const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL";
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]54const char NETWORK_STACK[] = "android.permission.NETWORK_STACK";
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]55const char DUMP[] = "android.permission.DUMP";
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]56
57binder::Status checkPermission(const char *permission) {
58 pid_t pid;
59 uid_t uid;
60
61 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) {
62 return binder::Status::ok();
63 } else {
64 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission);
65 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str()));
66 }
67}
68
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]69#define ENFORCE_DEBUGGABLE() { \
70 char value[PROPERTY_VALUE_MAX + 1]; \
71 if (property_get("ro.debuggable", value, NULL) != 1 \
72 || value[0] != '1') { \
73 return binder::Status::fromExceptionCode( \
74 binder::Status::EX_SECURITY, \
75 String8("Not available in production builds.") \
76 ); \
77 } \
78}
79
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]80#define ENFORCE_PERMISSION(permission) { \
81 binder::Status status = checkPermission((permission)); \
82 if (!status.isOk()) { \
83 return status; \
84 } \
85}
86
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]87#define NETD_LOCKING_RPC(permission, lock) \
88 ENFORCE_PERMISSION(permission); \
89 android::RWLock::AutoWLock _lock(lock);
90
91#define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock)
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]92
93inline binder::Status statusFromErrcode(int ret) {
94 if (ret) {
95 return binder::Status::fromServiceSpecificError(-ret, strerror(-ret));
96 }
97 return binder::Status::ok();
98}
99
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]100} // namespace
101
102
Lorenzo Colittie4851de2016-03-17 13:23:28 +0900[diff] [blame]103status_t NetdNativeService::start() {
104 IPCThreadState::self()->disableBackgroundScheduling(true);
105 status_t ret = BinderService<NetdNativeService>::publish();
106 if (ret != android::OK) {
107 return ret;
108 }
109 sp<ProcessState> ps(ProcessState::self());
110 ps->startThreadPool();
111 ps->giveThreadPoolName();
112 return android::OK;
113}
114
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]115status_t NetdNativeService::dump(int fd, const Vector<String16> &args) {
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]116 const binder::Status dump_permission = checkPermission(DUMP);
117 if (!dump_permission.isOk()) {
118 const String8 msg(dump_permission.toString8());
119 write(fd, msg.string(), msg.size());
120 return PERMISSION_DENIED;
121 }
122
123 // This method does not grab any locks. If individual classes need locking
124 // their dump() methods MUST handle locking appropriately.
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]125
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]126 DumpWriter dw(fd);
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]127
128 if (!args.isEmpty() && args[0] == TcpSocketMonitor::DUMP_KEYWORD) {
129 dw.blankline();
130 gCtls->tcpSocketMonitor.dump(dw);
131 dw.blankline();
132 return NO_ERROR;
133 }
134
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]135 dw.blankline();
136 gCtls->netCtrl.dump(dw);
137 dw.blankline();
138
139 return NO_ERROR;
140}
141
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]142binder::Status NetdNativeService::isAlive(bool *alive) {
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]143 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]144
145 *alive = true;
146 return binder::Status::ok();
147}
148
Erik Klinef52d4522018-03-14 15:01:46 +0900[diff] [blame]149binder::Status NetdNativeService::firewallReplaceUidChain(const std::string& chainName,
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]150 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) {
151 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock);
152
Erik Klinef52d4522018-03-14 15:01:46 +0900[diff] [blame]153 int err = gCtls->firewallCtrl.replaceUidChain(chainName, isWhitelist, uids);
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]154 *ret = (err == 0);
155 return binder::Status::ok();
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]156}
Lorenzo Colittidedd2712016-03-22 12:36:29 +0900[diff] [blame]157
158binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
159 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock);
160
161 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
162 *ret = (err == 0);
163 return binder::Status::ok();
164}
165
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]166binder::Status NetdNativeService::networkCreatePhysical(int32_t netId,
167 const std::string& permission) {
168 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
169 int ret = gCtls->netCtrl.createPhysicalNetwork(netId, stringToPermission(permission.c_str()));
170 return statusFromErrcode(ret);
171}
172
173binder::Status NetdNativeService::networkCreateVpn(int32_t netId, bool hasDns, bool secure) {
174 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
175 int ret = gCtls->netCtrl.createVirtualNetwork(netId, hasDns, secure);
176 return statusFromErrcode(ret);
177}
178
179binder::Status NetdNativeService::networkDestroy(int32_t netId) {
Erik Klinec8b6a9c2018-01-15 17:06:48 +0900[diff] [blame]180 ENFORCE_PERMISSION(NETWORK_STACK);
181 // Both of these functions manage their own locking internally.
182 const int ret = gCtls->netCtrl.destroyNetwork(netId);
183 gCtls->resolverCtrl.clearDnsServers(netId);
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]184 return statusFromErrcode(ret);
185}
186
187binder::Status NetdNativeService::networkAddInterface(int32_t netId, const std::string& iface) {
188 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
189 int ret = gCtls->netCtrl.addInterfaceToNetwork(netId, iface.c_str());
190 return statusFromErrcode(ret);
191}
192
193binder::Status NetdNativeService::networkRemoveInterface(int32_t netId, const std::string& iface) {
194 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
195 int ret = gCtls->netCtrl.removeInterfaceFromNetwork(netId, iface.c_str());
196 return statusFromErrcode(ret);
197}
198
199binder::Status NetdNativeService::networkAddUidRanges(int32_t netId,
200 const std::vector<UidRange>& uidRangeArray) {
201 // NetworkController::addUsersToNetwork is thread-safe.
202 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
203 int ret = gCtls->netCtrl.addUsersToNetwork(netId, UidRanges(uidRangeArray));
204 return statusFromErrcode(ret);
205}
206
207binder::Status NetdNativeService::networkRemoveUidRanges(int32_t netId,
208 const std::vector<UidRange>& uidRangeArray) {
209 // NetworkController::removeUsersFromNetwork is thread-safe.
210 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
211 int ret = gCtls->netCtrl.removeUsersFromNetwork(netId, UidRanges(uidRangeArray));
212 return statusFromErrcode(ret);
213}
214
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]215binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
216 const std::vector<UidRange>& uidRangeArray) {
217 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
218 // it should be possible to use the same lock as NetworkController. However, every call through
219 // the CommandListener "network" command will need to hold this lock too, not just the ones that
220 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
221 // look at routes, but it's not enough here).
222 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
223
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]224 UidRanges uidRanges(uidRangeArray);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]225
226 int err;
227 if (add) {
228 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
229 } else {
230 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
231 }
232
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]233 return statusFromErrcode(err);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]234}
235
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]236binder::Status NetdNativeService::socketDestroy(const std::vector<UidRange>& uids,
237 const std::vector<int32_t>& skipUids) {
238
239 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
240
241 SockDiag sd;
242 if (!sd.open()) {
243 return binder::Status::fromServiceSpecificError(EIO,
244 String8("Could not open SOCK_DIAG socket"));
245 }
246
247 UidRanges uidRanges(uids);
Lorenzo Colittie5c3c992016-07-26 17:53:50 +0900[diff] [blame]248 int err = sd.destroySockets(uidRanges, std::set<uid_t>(skipUids.begin(), skipUids.end()),
249 true /* excludeLoopback */);
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]250
251 if (err) {
252 return binder::Status::fromServiceSpecificError(-err,
253 String8::format("destroySockets: %s", strerror(-err)));
254 }
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]255 return binder::Status::ok();
256}
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]257
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]258// Parse a base64 encoded string into a vector of bytes.
259// On failure, return an empty vector.
260static std::vector<uint8_t> parseBase64(const std::string& input) {
261 std::vector<uint8_t> decoded;
262 size_t out_len;
263 if (EVP_DecodedLength(&out_len, input.size()) != 1) {
264 return decoded;
265 }
266 // out_len is now an upper bound on the output length.
267 decoded.resize(out_len);
268 if (EVP_DecodeBase64(decoded.data(), &out_len, decoded.size(),
269 reinterpret_cast<const uint8_t*>(input.data()), input.size()) == 1) {
270 // Possibly shrink the vector if the actual output was smaller than the bound.
271 decoded.resize(out_len);
272 } else {
273 decoded.clear();
274 }
275 if (out_len != SHA256_SIZE) {
276 decoded.clear();
277 }
278 return decoded;
279}
280
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]281binder::Status NetdNativeService::setResolverConfiguration(int32_t netId,
282 const std::vector<std::string>& servers, const std::vector<std::string>& domains,
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]283 const std::vector<int32_t>& params, bool useTls, const std::string& tlsName,
284 const std::vector<std::string>& tlsFingerprints) {
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]285 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
286 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
287
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]288 std::set<std::vector<uint8_t>> decoded_fingerprints;
289 for (const std::string& fingerprint : tlsFingerprints) {
290 std::vector<uint8_t> decoded = parseBase64(fingerprint);
291 if (decoded.empty()) {
292 return binder::Status::fromServiceSpecificError(EINVAL,
293 String8::format("ResolverController error: bad fingerprint"));
294 }
295 decoded_fingerprints.emplace(decoded);
296 }
297
298 int err = gCtls->resolverCtrl.setResolverConfiguration(netId, servers, domains, params,
299 useTls, tlsName, decoded_fingerprints);
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]300 if (err != 0) {
301 return binder::Status::fromServiceSpecificError(-err,
302 String8::format("ResolverController error: %s", strerror(-err)));
303 }
304 return binder::Status::ok();
305}
306
307binder::Status NetdNativeService::getResolverInfo(int32_t netId,
308 std::vector<std::string>* servers, std::vector<std::string>* domains,
309 std::vector<int32_t>* params, std::vector<int32_t>* stats) {
310 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
311 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
312
313 int err = gCtls->resolverCtrl.getResolverInfo(netId, servers, domains, params, stats);
314 if (err != 0) {
315 return binder::Status::fromServiceSpecificError(-err,
316 String8::format("ResolverController error: %s", strerror(-err)));
317 }
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]318 return binder::Status::ok();
319}
320
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]321binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) {
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]322 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock)
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]323
324 *ret = gCtls->tetherCtrl.applyDnsInterfaces();
325 return binder::Status::ok();
326}
327
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]328namespace {
329
330void tetherAddStats(PersistableBundle *bundle, const TetherController::TetherStats& stats) {
331 String16 iface = String16(stats.extIface.c_str());
332 std::vector<int64_t> statsVector(INetd::TETHER_STATS_ARRAY_SIZE);
333
334 bundle->getLongVector(iface, &statsVector);
335 if (statsVector.size() == 0) {
336 for (int i = 0; i < INetd::TETHER_STATS_ARRAY_SIZE; i++) statsVector.push_back(0);
337 }
338
Lorenzo Colitti9a65ac62017-09-04 18:07:56 +0900[diff] [blame]339 statsVector[INetd::TETHER_STATS_RX_BYTES] += stats.rxBytes;
340 statsVector[INetd::TETHER_STATS_RX_PACKETS] += stats.rxPackets;
341 statsVector[INetd::TETHER_STATS_TX_BYTES] += stats.txBytes;
342 statsVector[INetd::TETHER_STATS_TX_PACKETS] += stats.txPackets;
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]343
344 bundle->putLongVector(iface, statsVector);
345}
346
347} // namespace
348
349binder::Status NetdNativeService::tetherGetStats(PersistableBundle *bundle) {
350 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock)
351
Lorenzo Colitti5192bf72017-09-04 13:30:59 +0900[diff] [blame]352 const auto& statsList = gCtls->tetherCtrl.getTetherStats();
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]353 if (!isOk(statsList)) {
Nathan Harold28ccfef2018-03-16 19:02:47 -0700[diff] [blame]354 return asBinderStatus(statsList);
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]355 }
356
357 for (const auto& stats : statsList.value()) {
358 tetherAddStats(bundle, stats);
359 }
360
361 return binder::Status::ok();
362}
363
Erik Kline53c20882016-08-02 15:22:53 +0900[diff] [blame]364binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName,
365 const std::string &addrString, int prefixLength) {
366 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
367
368 const int err = InterfaceController::addAddress(
369 ifName.c_str(), addrString.c_str(), prefixLength);
370 if (err != 0) {
371 return binder::Status::fromServiceSpecificError(-err,
372 String8::format("InterfaceController error: %s", strerror(-err)));
373 }
374 return binder::Status::ok();
375}
376
377binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
378 const std::string &addrString, int prefixLength) {
379 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
380
381 const int err = InterfaceController::delAddress(
382 ifName.c_str(), addrString.c_str(), prefixLength);
383 if (err != 0) {
384 return binder::Status::fromServiceSpecificError(-err,
385 String8::format("InterfaceController error: %s", strerror(-err)));
386 }
387 return binder::Status::ok();
388}
389
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]390binder::Status NetdNativeService::setProcSysNet(
391 int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
392 const std::string &value) {
393 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
394
395 const char *familyStr;
396 switch (family) {
397 case INetd::IPV4:
398 familyStr = "ipv4";
399 break;
400 case INetd::IPV6:
401 familyStr = "ipv6";
402 break;
403 default:
404 return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family"));
405 }
406
407 const char *whichStr;
408 switch (which) {
409 case INetd::CONF:
410 whichStr = "conf";
411 break;
412 case INetd::NEIGH:
413 whichStr = "neigh";
414 break;
415 default:
416 return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category"));
417 }
418
419 const int err = InterfaceController::setParameter(
420 familyStr, whichStr, ifname.c_str(), parameter.c_str(),
421 value.c_str());
422 if (err != 0) {
423 return binder::Status::fromServiceSpecificError(-err,
424 String8::format("ResolverController error: %s", strerror(-err)));
425 }
426 return binder::Status::ok();
427}
428
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]429binder::Status NetdNativeService::getMetricsReportingLevel(int *reportingLevel) {
430 // This function intentionally does not lock, since the only thing it does is one read from an
431 // atomic_int.
432 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
433 ENFORCE_DEBUGGABLE();
434
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]435 *reportingLevel = gCtls->eventReporter.getMetricsReportingLevel();
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]436 return binder::Status::ok();
437}
438
439binder::Status NetdNativeService::setMetricsReportingLevel(const int reportingLevel) {
440 // This function intentionally does not lock, since the only thing it does is one write to an
441 // atomic_int.
442 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
443 ENFORCE_DEBUGGABLE();
444
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]445 return (gCtls->eventReporter.setMetricsReportingLevel(reportingLevel) == 0)
446 ? binder::Status::ok()
447 : binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT);
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]448}
449
Benedict Wongb2daefb2017-12-06 22:05:46 -0800[diff] [blame]450binder::Status NetdNativeService::ipSecSetEncapSocketOwner(const android::base::unique_fd& socket,
451 int newUid) {
452 ENFORCE_PERMISSION(NETWORK_STACK)
453 ALOGD("ipSecSetEncapSocketOwner()");
454
455 uid_t callerUid = IPCThreadState::self()->getCallingUid();
456 return asBinderStatus(gCtls->xfrmCtrl.ipSecSetEncapSocketOwner(socket, newUid, callerUid));
457}
458
459
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]460binder::Status NetdNativeService::ipSecAllocateSpi(
461 int32_t transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]462 const std::string& sourceAddress,
463 const std::string& destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]464 int32_t inSpi,
465 int32_t* outSpi) {
466 // Necessary locking done in IpSecService and kernel
467 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
468 ALOGD("ipSecAllocateSpi()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]469 return asBinderStatus(gCtls->xfrmCtrl.ipSecAllocateSpi(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]470 transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]471 sourceAddress,
472 destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]473 inSpi,
474 outSpi));
475}
476
477binder::Status NetdNativeService::ipSecAddSecurityAssociation(
478 int32_t transformId,
479 int32_t mode,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]480 const std::string& sourceAddress,
481 const std::string& destinationAddress,
Benedict Wong96abf482018-01-22 13:56:41 -0800[diff] [blame]482 int32_t underlyingNetId,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]483 int32_t spi,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]484 int32_t markValue,
485 int32_t markMask,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]486 const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
487 const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]488 const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]489 int32_t encapType,
490 int32_t encapLocalPort,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]491 int32_t encapRemotePort) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]492 // Necessary locking done in IpSecService and kernel
493 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
494 ALOGD("ipSecAddSecurityAssociation()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]495 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation(
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]496 transformId, mode, sourceAddress, destinationAddress,
Benedict Wong96abf482018-01-22 13:56:41 -0800[diff] [blame]497 underlyingNetId,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]498 spi, markValue, markMask,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]499 authAlgo, authKey, authTruncBits,
500 cryptAlgo, cryptKey, cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]501 aeadAlgo, aeadKey, aeadIcvBits,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]502 encapType, encapLocalPort, encapRemotePort));
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]503}
504
505binder::Status NetdNativeService::ipSecDeleteSecurityAssociation(
506 int32_t transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]507 const std::string& sourceAddress,
508 const std::string& destinationAddress,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]509 int32_t spi,
510 int32_t markValue,
511 int32_t markMask) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]512 // Necessary locking done in IpSecService and kernel
513 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
514 ALOGD("ipSecDeleteSecurityAssociation()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]515 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]516 transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]517 sourceAddress,
518 destinationAddress,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]519 spi,
520 markValue,
521 markMask));
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]522}
523
524binder::Status NetdNativeService::ipSecApplyTransportModeTransform(
525 const android::base::unique_fd& socket,
526 int32_t transformId,
527 int32_t direction,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]528 const std::string& sourceAddress,
529 const std::string& destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]530 int32_t spi) {
531 // Necessary locking done in IpSecService and kernel
532 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
533 ALOGD("ipSecApplyTransportModeTransform()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]534 return asBinderStatus(gCtls->xfrmCtrl.ipSecApplyTransportModeTransform(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]535 socket,
536 transformId,
537 direction,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]538 sourceAddress,
539 destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]540 spi));
541}
542
543binder::Status NetdNativeService::ipSecRemoveTransportModeTransform(
544 const android::base::unique_fd& socket) {
545 // Necessary locking done in IpSecService and kernel
546 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
547 ALOGD("ipSecRemoveTransportModeTransform()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]548 return asBinderStatus(gCtls->xfrmCtrl.ipSecRemoveTransportModeTransform(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]549 socket));
550}
551
Benedict Wong84a8dca2018-01-19 12:12:17 -0800[diff] [blame]552binder::Status NetdNativeService::ipSecAddSecurityPolicy(
553 int32_t transformId,
554 int32_t direction,
555 const std::string& sourceAddress,
556 const std::string& destinationAddress,
557 int32_t spi,
558 int32_t markValue,
559 int32_t markMask){
560 // Necessary locking done in IpSecService and kernel
561 ENFORCE_PERMISSION(NETWORK_STACK);
562 ALOGD("ipSecAddSecurityPolicy()");
563 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityPolicy(
564 transformId,
565 direction,
566 sourceAddress,
567 destinationAddress,
568 spi,
569 markValue,
570 markMask));
571}
572
573binder::Status NetdNativeService::ipSecUpdateSecurityPolicy(
574 int32_t transformId,
575 int32_t direction,
576 const std::string& sourceAddress,
577 const std::string& destinationAddress,
578 int32_t spi,
579 int32_t markValue,
580 int32_t markMask){
581 // Necessary locking done in IpSecService and kernel
582 ENFORCE_PERMISSION(NETWORK_STACK);
583 ALOGD("ipSecAddSecurityPolicy()");
584 return asBinderStatus(gCtls->xfrmCtrl.ipSecUpdateSecurityPolicy(
585 transformId,
586 direction,
587 sourceAddress,
588 destinationAddress,
589 spi,
590 markValue,
591 markMask));
592}
593
594binder::Status NetdNativeService::ipSecDeleteSecurityPolicy(
595 int32_t transformId,
596 int32_t direction,
597 const std::string& sourceAddress,
598 const std::string& destinationAddress,
599 int32_t markValue,
600 int32_t markMask){
601 // Necessary locking done in IpSecService and kernel
602 ENFORCE_PERMISSION(NETWORK_STACK);
603 ALOGD("ipSecAddSecurityPolicy()");
604 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityPolicy(
605 transformId,
606 direction,
607 sourceAddress,
608 destinationAddress,
609 markValue,
610 markMask));
611}
612
manojboopathi8707f232018-01-02 14:45:47 -0800[diff] [blame]613binder::Status NetdNativeService::addVirtualTunnelInterface(
614 const std::string& deviceName,
615 const std::string& localAddress,
616 const std::string& remoteAddress,
617 int32_t iKey,
618 int32_t oKey) {
619 // Necessary locking done in IpSecService and kernel
620 ENFORCE_PERMISSION(NETWORK_STACK);
621 ALOGD("addVirtualTunnelInterface()");
622 int ret = gCtls->xfrmCtrl.addVirtualTunnelInterface(
623 deviceName,
624 localAddress,
625 remoteAddress,
626 iKey,
627 oKey,
628 false);
629
630 return (ret == 0) ? binder::Status::ok() :
631 asBinderStatus(netdutils::statusFromErrno(
632 ret, "Error in creating virtual tunnel interface."));
633}
634
635binder::Status NetdNativeService::updateVirtualTunnelInterface(
636 const std::string& deviceName,
637 const std::string& localAddress,
638 const std::string& remoteAddress,
639 int32_t iKey,
640 int32_t oKey) {
641 // Necessary locking done in IpSecService and kernel
642 ENFORCE_PERMISSION(NETWORK_STACK);
643 ALOGD("updateVirtualTunnelInterface()");
644 int ret = gCtls->xfrmCtrl.addVirtualTunnelInterface(
645 deviceName,
646 localAddress,
647 remoteAddress,
648 iKey,
649 oKey,
650 true);
651
652 return (ret == 0) ? binder::Status::ok() :
653 asBinderStatus(netdutils::statusFromErrno(
654 ret, "Error in updating virtual tunnel interface."));
655}
656
657binder::Status NetdNativeService::removeVirtualTunnelInterface(const std::string& deviceName) {
658 // Necessary locking done in IpSecService and kernel
659 ENFORCE_PERMISSION(NETWORK_STACK);
660 ALOGD("removeVirtualTunnelInterface()");
661 int ret = gCtls->xfrmCtrl.removeVirtualTunnelInterface(deviceName);
662
663 return (ret == 0) ? binder::Status::ok() :
664 asBinderStatus(netdutils::statusFromErrno(
665 ret, "Error in removing virtual tunnel interface."));
666}
667
Joel Scherpelzde937962017-06-01 13:20:21 +0900[diff] [blame]668binder::Status NetdNativeService::setIPv6AddrGenMode(const std::string& ifName,
669 int32_t mode) {
670 ENFORCE_PERMISSION(NETWORK_STACK);
Nathan Harold28ccfef2018-03-16 19:02:47 -0700[diff] [blame]671 return asBinderStatus(InterfaceController::setIPv6AddrGenMode(ifName, mode));
Joel Scherpelzde937962017-06-01 13:20:21 +0900[diff] [blame]672}
673
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]674binder::Status NetdNativeService::wakeupAddInterface(const std::string& ifName,
675 const std::string& prefix, int32_t mark,
676 int32_t mask) {
677 ENFORCE_PERMISSION(NETWORK_STACK);
Nathan Harold28ccfef2018-03-16 19:02:47 -0700[diff] [blame]678 return asBinderStatus(gCtls->wakeupCtrl.addInterface(ifName, prefix, mark, mask));
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]679}
680
681binder::Status NetdNativeService::wakeupDelInterface(const std::string& ifName,
682 const std::string& prefix, int32_t mark,
683 int32_t mask) {
684 ENFORCE_PERMISSION(NETWORK_STACK);
Nathan Harold28ccfef2018-03-16 19:02:47 -0700[diff] [blame]685 return asBinderStatus(gCtls->wakeupCtrl.delInterface(ifName, prefix, mark, mask));
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]686}
687
Chenbo Feng07d43fe2017-12-21 14:38:51 -0800[diff] [blame]688binder::Status NetdNativeService::trafficCheckBpfStatsEnable(bool* ret) {
689 ENFORCE_PERMISSION(NETWORK_STACK);
690 *ret = gCtls->trafficCtrl.checkBpfStatsEnable();
691 return binder::Status::ok();
692}
693
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]694} // namespace net
695} // namespace android