Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / c60c6bd7bd12f5c9ccdaff7537d60da2d240fe22 / . / server / NetdNativeService.cpp
blob: 7e555f540fda5bde1566cd7c88d1a38044631362 [file] [log] [blame]
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "Netd"
18
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]19#include <vector>
20
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]21#include <android-base/stringprintf.h>
22#include <cutils/log.h>
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]23#include <cutils/properties.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]24#include <utils/Errors.h>
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]25#include <utils/String16.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]26
27#include <binder/IPCThreadState.h>
28#include <binder/IServiceManager.h>
29#include "android/net/BnNetd.h"
30
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]31#include "Controllers.h"
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]32#include "DumpWriter.h"
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]33#include "EventReporter.h"
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]34#include "InterfaceController.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]35#include "NetdConstants.h"
36#include "NetdNativeService.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]37#include "RouteController.h"
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]38#include "SockDiag.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]39#include "UidRanges.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]40
41using android::base::StringPrintf;
42
43namespace android {
44namespace net {
45
46namespace {
47
48const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL";
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]49const char NETWORK_STACK[] = "android.permission.NETWORK_STACK";
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]50const char DUMP[] = "android.permission.DUMP";
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]51
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]52binder::Status toBinderStatus(const netdutils::Status s) {
53 if (isOk(s)) {
54 return binder::Status::ok();
55 }
56 return binder::Status::fromExceptionCode(s.code(), s.msg().c_str());
57}
58
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]59binder::Status checkPermission(const char *permission) {
60 pid_t pid;
61 uid_t uid;
62
63 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) {
64 return binder::Status::ok();
65 } else {
66 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission);
67 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str()));
68 }
69}
70
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]71binder::Status getXfrmStatus(int xfrmCode) {
72 switch(xfrmCode) {
73 case 0:
74 return binder::Status::ok();
75 case -ENOENT:
76 return binder::Status::fromServiceSpecificError(xfrmCode);
77 }
78 return binder::Status::fromExceptionCode(xfrmCode);
79}
80
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]81#define ENFORCE_DEBUGGABLE() { \
82 char value[PROPERTY_VALUE_MAX + 1]; \
83 if (property_get("ro.debuggable", value, NULL) != 1 \
84 || value[0] != '1') { \
85 return binder::Status::fromExceptionCode( \
86 binder::Status::EX_SECURITY, \
87 String8("Not available in production builds.") \
88 ); \
89 } \
90}
91
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]92#define ENFORCE_PERMISSION(permission) { \
93 binder::Status status = checkPermission((permission)); \
94 if (!status.isOk()) { \
95 return status; \
96 } \
97}
98
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]99#define NETD_LOCKING_RPC(permission, lock) \
100 ENFORCE_PERMISSION(permission); \
101 android::RWLock::AutoWLock _lock(lock);
102
103#define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock)
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]104} // namespace
105
106
Lorenzo Colittie4851de2016-03-17 13:23:28 +0900[diff] [blame]107status_t NetdNativeService::start() {
108 IPCThreadState::self()->disableBackgroundScheduling(true);
109 status_t ret = BinderService<NetdNativeService>::publish();
110 if (ret != android::OK) {
111 return ret;
112 }
113 sp<ProcessState> ps(ProcessState::self());
114 ps->startThreadPool();
115 ps->giveThreadPoolName();
116 return android::OK;
117}
118
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]119status_t NetdNativeService::dump(int fd, const Vector<String16> & /* args */) {
120 const binder::Status dump_permission = checkPermission(DUMP);
121 if (!dump_permission.isOk()) {
122 const String8 msg(dump_permission.toString8());
123 write(fd, msg.string(), msg.size());
124 return PERMISSION_DENIED;
125 }
126
127 // This method does not grab any locks. If individual classes need locking
128 // their dump() methods MUST handle locking appropriately.
129 DumpWriter dw(fd);
130 dw.blankline();
131 gCtls->netCtrl.dump(dw);
132 dw.blankline();
133
134 return NO_ERROR;
135}
136
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]137binder::Status NetdNativeService::isAlive(bool *alive) {
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]138 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]139
140 *alive = true;
141 return binder::Status::ok();
142}
143
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]144binder::Status NetdNativeService::firewallReplaceUidChain(const android::String16& chainName,
145 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) {
146 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock);
147
148 android::String8 name = android::String8(chainName);
149 int err = gCtls->firewallCtrl.replaceUidChain(name.string(), isWhitelist, uids);
150 *ret = (err == 0);
151 return binder::Status::ok();
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]152}
Lorenzo Colittidedd2712016-03-22 12:36:29 +0900[diff] [blame]153
154binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
155 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock);
156
157 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
158 *ret = (err == 0);
159 return binder::Status::ok();
160}
161
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]162binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
163 const std::vector<UidRange>& uidRangeArray) {
164 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
165 // it should be possible to use the same lock as NetworkController. However, every call through
166 // the CommandListener "network" command will need to hold this lock too, not just the ones that
167 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
168 // look at routes, but it's not enough here).
169 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
170
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]171 UidRanges uidRanges(uidRangeArray);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]172
173 int err;
174 if (add) {
175 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
176 } else {
177 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
178 }
179
180 if (err != 0) {
181 return binder::Status::fromServiceSpecificError(-err,
182 String8::format("RouteController error: %s", strerror(-err)));
183 }
184 return binder::Status::ok();
185}
186
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]187binder::Status NetdNativeService::socketDestroy(const std::vector<UidRange>& uids,
188 const std::vector<int32_t>& skipUids) {
189
190 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
191
192 SockDiag sd;
193 if (!sd.open()) {
194 return binder::Status::fromServiceSpecificError(EIO,
195 String8("Could not open SOCK_DIAG socket"));
196 }
197
198 UidRanges uidRanges(uids);
Lorenzo Colittie5c3c992016-07-26 17:53:50 +0900[diff] [blame]199 int err = sd.destroySockets(uidRanges, std::set<uid_t>(skipUids.begin(), skipUids.end()),
200 true /* excludeLoopback */);
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]201
202 if (err) {
203 return binder::Status::fromServiceSpecificError(-err,
204 String8::format("destroySockets: %s", strerror(-err)));
205 }
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]206 return binder::Status::ok();
207}
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]208
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]209binder::Status NetdNativeService::setResolverConfiguration(int32_t netId,
210 const std::vector<std::string>& servers, const std::vector<std::string>& domains,
211 const std::vector<int32_t>& params) {
212 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
213 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
214
215 int err = gCtls->resolverCtrl.setResolverConfiguration(netId, servers, domains, params);
216 if (err != 0) {
217 return binder::Status::fromServiceSpecificError(-err,
218 String8::format("ResolverController error: %s", strerror(-err)));
219 }
220 return binder::Status::ok();
221}
222
223binder::Status NetdNativeService::getResolverInfo(int32_t netId,
224 std::vector<std::string>* servers, std::vector<std::string>* domains,
225 std::vector<int32_t>* params, std::vector<int32_t>* stats) {
226 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
227 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
228
229 int err = gCtls->resolverCtrl.getResolverInfo(netId, servers, domains, params, stats);
230 if (err != 0) {
231 return binder::Status::fromServiceSpecificError(-err,
232 String8::format("ResolverController error: %s", strerror(-err)));
233 }
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]234 return binder::Status::ok();
235}
236
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]237binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) {
238 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
239
240 *ret = gCtls->tetherCtrl.applyDnsInterfaces();
241 return binder::Status::ok();
242}
243
Erik Kline53c20882016-08-02 15:22:53 +0900[diff] [blame]244binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName,
245 const std::string &addrString, int prefixLength) {
246 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
247
248 const int err = InterfaceController::addAddress(
249 ifName.c_str(), addrString.c_str(), prefixLength);
250 if (err != 0) {
251 return binder::Status::fromServiceSpecificError(-err,
252 String8::format("InterfaceController error: %s", strerror(-err)));
253 }
254 return binder::Status::ok();
255}
256
257binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
258 const std::string &addrString, int prefixLength) {
259 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
260
261 const int err = InterfaceController::delAddress(
262 ifName.c_str(), addrString.c_str(), prefixLength);
263 if (err != 0) {
264 return binder::Status::fromServiceSpecificError(-err,
265 String8::format("InterfaceController error: %s", strerror(-err)));
266 }
267 return binder::Status::ok();
268}
269
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]270binder::Status NetdNativeService::setProcSysNet(
271 int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
272 const std::string &value) {
273 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
274
275 const char *familyStr;
276 switch (family) {
277 case INetd::IPV4:
278 familyStr = "ipv4";
279 break;
280 case INetd::IPV6:
281 familyStr = "ipv6";
282 break;
283 default:
284 return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family"));
285 }
286
287 const char *whichStr;
288 switch (which) {
289 case INetd::CONF:
290 whichStr = "conf";
291 break;
292 case INetd::NEIGH:
293 whichStr = "neigh";
294 break;
295 default:
296 return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category"));
297 }
298
299 const int err = InterfaceController::setParameter(
300 familyStr, whichStr, ifname.c_str(), parameter.c_str(),
301 value.c_str());
302 if (err != 0) {
303 return binder::Status::fromServiceSpecificError(-err,
304 String8::format("ResolverController error: %s", strerror(-err)));
305 }
306 return binder::Status::ok();
307}
308
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]309binder::Status NetdNativeService::getMetricsReportingLevel(int *reportingLevel) {
310 // This function intentionally does not lock, since the only thing it does is one read from an
311 // atomic_int.
312 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
313 ENFORCE_DEBUGGABLE();
314
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]315 *reportingLevel = gCtls->eventReporter.getMetricsReportingLevel();
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]316 return binder::Status::ok();
317}
318
319binder::Status NetdNativeService::setMetricsReportingLevel(const int reportingLevel) {
320 // This function intentionally does not lock, since the only thing it does is one write to an
321 // atomic_int.
322 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
323 ENFORCE_DEBUGGABLE();
324
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]325 return (gCtls->eventReporter.setMetricsReportingLevel(reportingLevel) == 0)
326 ? binder::Status::ok()
327 : binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT);
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]328}
329
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]330binder::Status NetdNativeService::ipSecAllocateSpi(
331 int32_t transformId,
332 int32_t direction,
333 const std::string& localAddress,
334 const std::string& remoteAddress,
335 int32_t inSpi,
336 int32_t* outSpi) {
337 // Necessary locking done in IpSecService and kernel
338 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
339 ALOGD("ipSecAllocateSpi()");
340 return getXfrmStatus(gCtls->xfrmCtrl.ipSecAllocateSpi(
341 transformId,
342 direction,
343 localAddress,
344 remoteAddress,
345 inSpi,
346 outSpi));
347}
348
349binder::Status NetdNativeService::ipSecAddSecurityAssociation(
350 int32_t transformId,
351 int32_t mode,
352 int32_t direction,
353 const std::string& localAddress,
354 const std::string& remoteAddress,
355 int64_t underlyingNetworkHandle,
356 int32_t spi,
357 const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
358 const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
359 int32_t encapType,
360 int32_t encapLocalPort,
361 int32_t encapRemotePort,
362 int32_t* allocatedSpi) {
363 // Necessary locking done in IpSecService and kernel
364 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
365 ALOGD("ipSecAddSecurityAssociation()");
366 return getXfrmStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation(
367 transformId, mode, direction, localAddress, remoteAddress,
368 underlyingNetworkHandle,
369 spi,
370 authAlgo, authKey, authTruncBits,
371 cryptAlgo, cryptKey, cryptTruncBits,
372 encapType, encapLocalPort, encapRemotePort,
373 allocatedSpi));
374}
375
376binder::Status NetdNativeService::ipSecDeleteSecurityAssociation(
377 int32_t transformId,
378 int32_t direction,
379 const std::string& localAddress,
380 const std::string& remoteAddress,
381 int32_t spi) {
382 // Necessary locking done in IpSecService and kernel
383 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
384 ALOGD("ipSecDeleteSecurityAssociation()");
385 return getXfrmStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation(
386 transformId,
387 direction,
388 localAddress,
389 remoteAddress,
390 spi));
391}
392
393binder::Status NetdNativeService::ipSecApplyTransportModeTransform(
394 const android::base::unique_fd& socket,
395 int32_t transformId,
396 int32_t direction,
397 const std::string& localAddress,
398 const std::string& remoteAddress,
399 int32_t spi) {
400 // Necessary locking done in IpSecService and kernel
401 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
402 ALOGD("ipSecApplyTransportModeTransform()");
403 return getXfrmStatus(gCtls->xfrmCtrl.ipSecApplyTransportModeTransform(
404 socket,
405 transformId,
406 direction,
407 localAddress,
408 remoteAddress,
409 spi));
410}
411
412binder::Status NetdNativeService::ipSecRemoveTransportModeTransform(
413 const android::base::unique_fd& socket) {
414 // Necessary locking done in IpSecService and kernel
415 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
416 ALOGD("ipSecRemoveTransportModeTransform()");
417 return getXfrmStatus(gCtls->xfrmCtrl.ipSecRemoveTransportModeTransform(
418 socket));
419}
420
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]421binder::Status NetdNativeService::wakeupAddInterface(const std::string& ifName,
422 const std::string& prefix, int32_t mark,
423 int32_t mask) {
424 ENFORCE_PERMISSION(NETWORK_STACK);
425 return toBinderStatus(gCtls->wakeupCtrl.addInterface(ifName, prefix, mark, mask));
426}
427
428binder::Status NetdNativeService::wakeupDelInterface(const std::string& ifName,
429 const std::string& prefix, int32_t mark,
430 int32_t mask) {
431 ENFORCE_PERMISSION(NETWORK_STACK);
432 return toBinderStatus(gCtls->wakeupCtrl.delInterface(ifName, prefix, mark, mask));
433}
434
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]435} // namespace net
436} // namespace android