Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / d33e96d5c80460d3aac0d92acbc035183e5f9042 / . / server / NetdNativeService.cpp
blob: 1771a059796499cbb2949f5e6fcaff63ecefdccd [file] [log] [blame]
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "Netd"
18
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]19#include <set>
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]20#include <vector>
21
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]22#include <android-base/stringprintf.h>
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]23#include <android-base/strings.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]24#include <cutils/log.h>
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]25#include <cutils/properties.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]26#include <utils/Errors.h>
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]27#include <utils/String16.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]28
29#include <binder/IPCThreadState.h>
30#include <binder/IServiceManager.h>
31#include "android/net/BnNetd.h"
32
Ben Schwartze7601812017-04-28 16:38:29 -0400[diff] [blame]33#include <openssl/base64.h>
34
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]35#include "Controllers.h"
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]36#include "DumpWriter.h"
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]37#include "EventReporter.h"
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]38#include "InterfaceController.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]39#include "NetdConstants.h"
40#include "NetdNativeService.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]41#include "RouteController.h"
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]42#include "SockDiag.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]43#include "UidRanges.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]44
45using android::base::StringPrintf;
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]46using android::os::PersistableBundle;
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]47
48namespace android {
49namespace net {
50
51namespace {
52
53const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL";
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]54const char NETWORK_STACK[] = "android.permission.NETWORK_STACK";
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]55const char DUMP[] = "android.permission.DUMP";
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]56
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]57binder::Status toBinderStatus(const netdutils::Status s) {
58 if (isOk(s)) {
59 return binder::Status::ok();
60 }
Joel Scherpelzde937962017-06-01 13:20:21 +0900[diff] [blame]61 return binder::Status::fromServiceSpecificError(s.code(), s.msg().c_str());
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]62}
63
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]64binder::Status checkPermission(const char *permission) {
65 pid_t pid;
66 uid_t uid;
67
68 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) {
69 return binder::Status::ok();
70 } else {
71 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission);
72 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str()));
73 }
74}
75
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]76#define ENFORCE_DEBUGGABLE() { \
77 char value[PROPERTY_VALUE_MAX + 1]; \
78 if (property_get("ro.debuggable", value, NULL) != 1 \
79 || value[0] != '1') { \
80 return binder::Status::fromExceptionCode( \
81 binder::Status::EX_SECURITY, \
82 String8("Not available in production builds.") \
83 ); \
84 } \
85}
86
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]87#define ENFORCE_PERMISSION(permission) { \
88 binder::Status status = checkPermission((permission)); \
89 if (!status.isOk()) { \
90 return status; \
91 } \
92}
93
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]94#define NETD_LOCKING_RPC(permission, lock) \
95 ENFORCE_PERMISSION(permission); \
96 android::RWLock::AutoWLock _lock(lock);
97
98#define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock)
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame^]99
100inline binder::Status statusFromErrcode(int ret) {
101 if (ret) {
102 return binder::Status::fromServiceSpecificError(-ret, strerror(-ret));
103 }
104 return binder::Status::ok();
105}
106
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]107} // namespace
108
109
Lorenzo Colittie4851de2016-03-17 13:23:28 +0900[diff] [blame]110status_t NetdNativeService::start() {
111 IPCThreadState::self()->disableBackgroundScheduling(true);
112 status_t ret = BinderService<NetdNativeService>::publish();
113 if (ret != android::OK) {
114 return ret;
115 }
116 sp<ProcessState> ps(ProcessState::self());
117 ps->startThreadPool();
118 ps->giveThreadPoolName();
119 return android::OK;
120}
121
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]122status_t NetdNativeService::dump(int fd, const Vector<String16> & /* args */) {
123 const binder::Status dump_permission = checkPermission(DUMP);
124 if (!dump_permission.isOk()) {
125 const String8 msg(dump_permission.toString8());
126 write(fd, msg.string(), msg.size());
127 return PERMISSION_DENIED;
128 }
129
130 // This method does not grab any locks. If individual classes need locking
131 // their dump() methods MUST handle locking appropriately.
132 DumpWriter dw(fd);
133 dw.blankline();
134 gCtls->netCtrl.dump(dw);
135 dw.blankline();
136
137 return NO_ERROR;
138}
139
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]140binder::Status NetdNativeService::isAlive(bool *alive) {
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]141 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]142
143 *alive = true;
144 return binder::Status::ok();
145}
146
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]147binder::Status NetdNativeService::firewallReplaceUidChain(const android::String16& chainName,
148 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) {
149 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock);
150
151 android::String8 name = android::String8(chainName);
152 int err = gCtls->firewallCtrl.replaceUidChain(name.string(), isWhitelist, uids);
153 *ret = (err == 0);
154 return binder::Status::ok();
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]155}
Lorenzo Colittidedd2712016-03-22 12:36:29 +0900[diff] [blame]156
157binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
158 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock);
159
160 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
161 *ret = (err == 0);
162 return binder::Status::ok();
163}
164
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame^]165binder::Status NetdNativeService::networkCreatePhysical(int32_t netId,
166 const std::string& permission) {
167 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
168 int ret = gCtls->netCtrl.createPhysicalNetwork(netId, stringToPermission(permission.c_str()));
169 return statusFromErrcode(ret);
170}
171
172binder::Status NetdNativeService::networkCreateVpn(int32_t netId, bool hasDns, bool secure) {
173 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
174 int ret = gCtls->netCtrl.createVirtualNetwork(netId, hasDns, secure);
175 return statusFromErrcode(ret);
176}
177
178binder::Status NetdNativeService::networkDestroy(int32_t netId) {
179 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
180 int ret = gCtls->netCtrl.destroyNetwork(netId);
181 return statusFromErrcode(ret);
182}
183
184binder::Status NetdNativeService::networkAddInterface(int32_t netId, const std::string& iface) {
185 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
186 int ret = gCtls->netCtrl.addInterfaceToNetwork(netId, iface.c_str());
187 return statusFromErrcode(ret);
188}
189
190binder::Status NetdNativeService::networkRemoveInterface(int32_t netId, const std::string& iface) {
191 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
192 int ret = gCtls->netCtrl.removeInterfaceFromNetwork(netId, iface.c_str());
193 return statusFromErrcode(ret);
194}
195
196binder::Status NetdNativeService::networkAddUidRanges(int32_t netId,
197 const std::vector<UidRange>& uidRangeArray) {
198 // NetworkController::addUsersToNetwork is thread-safe.
199 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
200 int ret = gCtls->netCtrl.addUsersToNetwork(netId, UidRanges(uidRangeArray));
201 return statusFromErrcode(ret);
202}
203
204binder::Status NetdNativeService::networkRemoveUidRanges(int32_t netId,
205 const std::vector<UidRange>& uidRangeArray) {
206 // NetworkController::removeUsersFromNetwork is thread-safe.
207 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
208 int ret = gCtls->netCtrl.removeUsersFromNetwork(netId, UidRanges(uidRangeArray));
209 return statusFromErrcode(ret);
210}
211
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]212binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
213 const std::vector<UidRange>& uidRangeArray) {
214 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
215 // it should be possible to use the same lock as NetworkController. However, every call through
216 // the CommandListener "network" command will need to hold this lock too, not just the ones that
217 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
218 // look at routes, but it's not enough here).
219 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
220
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]221 UidRanges uidRanges(uidRangeArray);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]222
223 int err;
224 if (add) {
225 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
226 } else {
227 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
228 }
229
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame^]230 return statusFromErrcode(err);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]231}
232
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]233binder::Status NetdNativeService::socketDestroy(const std::vector<UidRange>& uids,
234 const std::vector<int32_t>& skipUids) {
235
236 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
237
238 SockDiag sd;
239 if (!sd.open()) {
240 return binder::Status::fromServiceSpecificError(EIO,
241 String8("Could not open SOCK_DIAG socket"));
242 }
243
244 UidRanges uidRanges(uids);
Lorenzo Colittie5c3c992016-07-26 17:53:50 +0900[diff] [blame]245 int err = sd.destroySockets(uidRanges, std::set<uid_t>(skipUids.begin(), skipUids.end()),
246 true /* excludeLoopback */);
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]247
248 if (err) {
249 return binder::Status::fromServiceSpecificError(-err,
250 String8::format("destroySockets: %s", strerror(-err)));
251 }
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]252 return binder::Status::ok();
253}
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]254
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]255// Parse a base64 encoded string into a vector of bytes.
256// On failure, return an empty vector.
257static std::vector<uint8_t> parseBase64(const std::string& input) {
258 std::vector<uint8_t> decoded;
259 size_t out_len;
260 if (EVP_DecodedLength(&out_len, input.size()) != 1) {
261 return decoded;
262 }
263 // out_len is now an upper bound on the output length.
264 decoded.resize(out_len);
265 if (EVP_DecodeBase64(decoded.data(), &out_len, decoded.size(),
266 reinterpret_cast<const uint8_t*>(input.data()), input.size()) == 1) {
267 // Possibly shrink the vector if the actual output was smaller than the bound.
268 decoded.resize(out_len);
269 } else {
270 decoded.clear();
271 }
272 if (out_len != SHA256_SIZE) {
273 decoded.clear();
274 }
275 return decoded;
276}
277
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]278binder::Status NetdNativeService::setResolverConfiguration(int32_t netId,
279 const std::vector<std::string>& servers, const std::vector<std::string>& domains,
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]280 const std::vector<int32_t>& params, bool useTls, const std::string& tlsName,
281 const std::vector<std::string>& tlsFingerprints) {
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]282 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
283 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
284
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]285 std::set<std::vector<uint8_t>> decoded_fingerprints;
286 for (const std::string& fingerprint : tlsFingerprints) {
287 std::vector<uint8_t> decoded = parseBase64(fingerprint);
288 if (decoded.empty()) {
289 return binder::Status::fromServiceSpecificError(EINVAL,
290 String8::format("ResolverController error: bad fingerprint"));
291 }
292 decoded_fingerprints.emplace(decoded);
293 }
294
295 int err = gCtls->resolverCtrl.setResolverConfiguration(netId, servers, domains, params,
296 useTls, tlsName, decoded_fingerprints);
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]297 if (err != 0) {
298 return binder::Status::fromServiceSpecificError(-err,
299 String8::format("ResolverController error: %s", strerror(-err)));
300 }
301 return binder::Status::ok();
302}
303
304binder::Status NetdNativeService::getResolverInfo(int32_t netId,
305 std::vector<std::string>* servers, std::vector<std::string>* domains,
306 std::vector<int32_t>* params, std::vector<int32_t>* stats) {
307 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
308 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
309
310 int err = gCtls->resolverCtrl.getResolverInfo(netId, servers, domains, params, stats);
311 if (err != 0) {
312 return binder::Status::fromServiceSpecificError(-err,
313 String8::format("ResolverController error: %s", strerror(-err)));
314 }
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]315 return binder::Status::ok();
316}
317
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]318binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) {
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]319 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock)
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]320
321 *ret = gCtls->tetherCtrl.applyDnsInterfaces();
322 return binder::Status::ok();
323}
324
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]325namespace {
326
327void tetherAddStats(PersistableBundle *bundle, const TetherController::TetherStats& stats) {
328 String16 iface = String16(stats.extIface.c_str());
329 std::vector<int64_t> statsVector(INetd::TETHER_STATS_ARRAY_SIZE);
330
331 bundle->getLongVector(iface, &statsVector);
332 if (statsVector.size() == 0) {
333 for (int i = 0; i < INetd::TETHER_STATS_ARRAY_SIZE; i++) statsVector.push_back(0);
334 }
335
Lorenzo Colitti9a65ac62017-09-04 18:07:56 +0900[diff] [blame]336 statsVector[INetd::TETHER_STATS_RX_BYTES] += stats.rxBytes;
337 statsVector[INetd::TETHER_STATS_RX_PACKETS] += stats.rxPackets;
338 statsVector[INetd::TETHER_STATS_TX_BYTES] += stats.txBytes;
339 statsVector[INetd::TETHER_STATS_TX_PACKETS] += stats.txPackets;
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]340
341 bundle->putLongVector(iface, statsVector);
342}
343
344} // namespace
345
346binder::Status NetdNativeService::tetherGetStats(PersistableBundle *bundle) {
347 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock)
348
Lorenzo Colitti5192bf72017-09-04 13:30:59 +0900[diff] [blame]349 const auto& statsList = gCtls->tetherCtrl.getTetherStats();
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]350 if (!isOk(statsList)) {
351 return toBinderStatus(statsList);
352 }
353
354 for (const auto& stats : statsList.value()) {
355 tetherAddStats(bundle, stats);
356 }
357
358 return binder::Status::ok();
359}
360
Erik Kline53c20882016-08-02 15:22:53 +0900[diff] [blame]361binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName,
362 const std::string &addrString, int prefixLength) {
363 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
364
365 const int err = InterfaceController::addAddress(
366 ifName.c_str(), addrString.c_str(), prefixLength);
367 if (err != 0) {
368 return binder::Status::fromServiceSpecificError(-err,
369 String8::format("InterfaceController error: %s", strerror(-err)));
370 }
371 return binder::Status::ok();
372}
373
374binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
375 const std::string &addrString, int prefixLength) {
376 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
377
378 const int err = InterfaceController::delAddress(
379 ifName.c_str(), addrString.c_str(), prefixLength);
380 if (err != 0) {
381 return binder::Status::fromServiceSpecificError(-err,
382 String8::format("InterfaceController error: %s", strerror(-err)));
383 }
384 return binder::Status::ok();
385}
386
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]387binder::Status NetdNativeService::setProcSysNet(
388 int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
389 const std::string &value) {
390 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
391
392 const char *familyStr;
393 switch (family) {
394 case INetd::IPV4:
395 familyStr = "ipv4";
396 break;
397 case INetd::IPV6:
398 familyStr = "ipv6";
399 break;
400 default:
401 return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family"));
402 }
403
404 const char *whichStr;
405 switch (which) {
406 case INetd::CONF:
407 whichStr = "conf";
408 break;
409 case INetd::NEIGH:
410 whichStr = "neigh";
411 break;
412 default:
413 return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category"));
414 }
415
416 const int err = InterfaceController::setParameter(
417 familyStr, whichStr, ifname.c_str(), parameter.c_str(),
418 value.c_str());
419 if (err != 0) {
420 return binder::Status::fromServiceSpecificError(-err,
421 String8::format("ResolverController error: %s", strerror(-err)));
422 }
423 return binder::Status::ok();
424}
425
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]426binder::Status NetdNativeService::getMetricsReportingLevel(int *reportingLevel) {
427 // This function intentionally does not lock, since the only thing it does is one read from an
428 // atomic_int.
429 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
430 ENFORCE_DEBUGGABLE();
431
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]432 *reportingLevel = gCtls->eventReporter.getMetricsReportingLevel();
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]433 return binder::Status::ok();
434}
435
436binder::Status NetdNativeService::setMetricsReportingLevel(const int reportingLevel) {
437 // This function intentionally does not lock, since the only thing it does is one write to an
438 // atomic_int.
439 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
440 ENFORCE_DEBUGGABLE();
441
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]442 return (gCtls->eventReporter.setMetricsReportingLevel(reportingLevel) == 0)
443 ? binder::Status::ok()
444 : binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT);
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]445}
446
Benedict Wongb2daefb2017-12-06 22:05:46 -0800[diff] [blame]447binder::Status NetdNativeService::ipSecSetEncapSocketOwner(const android::base::unique_fd& socket,
448 int newUid) {
449 ENFORCE_PERMISSION(NETWORK_STACK)
450 ALOGD("ipSecSetEncapSocketOwner()");
451
452 uid_t callerUid = IPCThreadState::self()->getCallingUid();
453 return asBinderStatus(gCtls->xfrmCtrl.ipSecSetEncapSocketOwner(socket, newUid, callerUid));
454}
455
456
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]457binder::Status NetdNativeService::ipSecAllocateSpi(
458 int32_t transformId,
459 int32_t direction,
460 const std::string& localAddress,
461 const std::string& remoteAddress,
462 int32_t inSpi,
463 int32_t* outSpi) {
464 // Necessary locking done in IpSecService and kernel
465 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
466 ALOGD("ipSecAllocateSpi()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]467 return asBinderStatus(gCtls->xfrmCtrl.ipSecAllocateSpi(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]468 transformId,
469 direction,
470 localAddress,
471 remoteAddress,
472 inSpi,
473 outSpi));
474}
475
476binder::Status NetdNativeService::ipSecAddSecurityAssociation(
477 int32_t transformId,
478 int32_t mode,
479 int32_t direction,
480 const std::string& localAddress,
481 const std::string& remoteAddress,
482 int64_t underlyingNetworkHandle,
483 int32_t spi,
484 const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
485 const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]486 const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]487 int32_t encapType,
488 int32_t encapLocalPort,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]489 int32_t encapRemotePort) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]490 // Necessary locking done in IpSecService and kernel
491 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
492 ALOGD("ipSecAddSecurityAssociation()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]493 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]494 transformId, mode, direction, localAddress, remoteAddress,
495 underlyingNetworkHandle,
496 spi,
497 authAlgo, authKey, authTruncBits,
498 cryptAlgo, cryptKey, cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]499 aeadAlgo, aeadKey, aeadIcvBits,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]500 encapType, encapLocalPort, encapRemotePort));
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]501}
502
503binder::Status NetdNativeService::ipSecDeleteSecurityAssociation(
504 int32_t transformId,
505 int32_t direction,
506 const std::string& localAddress,
507 const std::string& remoteAddress,
508 int32_t spi) {
509 // Necessary locking done in IpSecService and kernel
510 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
511 ALOGD("ipSecDeleteSecurityAssociation()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]512 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]513 transformId,
514 direction,
515 localAddress,
516 remoteAddress,
517 spi));
518}
519
520binder::Status NetdNativeService::ipSecApplyTransportModeTransform(
521 const android::base::unique_fd& socket,
522 int32_t transformId,
523 int32_t direction,
524 const std::string& localAddress,
525 const std::string& remoteAddress,
526 int32_t spi) {
527 // Necessary locking done in IpSecService and kernel
528 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
529 ALOGD("ipSecApplyTransportModeTransform()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]530 return asBinderStatus(gCtls->xfrmCtrl.ipSecApplyTransportModeTransform(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]531 socket,
532 transformId,
533 direction,
534 localAddress,
535 remoteAddress,
536 spi));
537}
538
539binder::Status NetdNativeService::ipSecRemoveTransportModeTransform(
540 const android::base::unique_fd& socket) {
541 // Necessary locking done in IpSecService and kernel
542 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
543 ALOGD("ipSecRemoveTransportModeTransform()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]544 return asBinderStatus(gCtls->xfrmCtrl.ipSecRemoveTransportModeTransform(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]545 socket));
546}
547
Joel Scherpelzde937962017-06-01 13:20:21 +0900[diff] [blame]548binder::Status NetdNativeService::setIPv6AddrGenMode(const std::string& ifName,
549 int32_t mode) {
550 ENFORCE_PERMISSION(NETWORK_STACK);
551 return toBinderStatus(InterfaceController::setIPv6AddrGenMode(ifName, mode));
552}
553
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]554binder::Status NetdNativeService::wakeupAddInterface(const std::string& ifName,
555 const std::string& prefix, int32_t mark,
556 int32_t mask) {
557 ENFORCE_PERMISSION(NETWORK_STACK);
558 return toBinderStatus(gCtls->wakeupCtrl.addInterface(ifName, prefix, mark, mask));
559}
560
561binder::Status NetdNativeService::wakeupDelInterface(const std::string& ifName,
562 const std::string& prefix, int32_t mark,
563 int32_t mask) {
564 ENFORCE_PERMISSION(NETWORK_STACK);
565 return toBinderStatus(gCtls->wakeupCtrl.delInterface(ifName, prefix, mark, mask));
566}
567
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]568} // namespace net
569} // namespace android