Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / dfe2a6f43de4aba2780c861c750db8e4f1fb22e3 / . / server / NetdNativeService.cpp
blob: 29ed51115459f08c02b09954324fa4690b176b39 [file] [log] [blame]
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "Netd"
18
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]19#include <set>
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]20#include <vector>
21
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]22#include <android-base/stringprintf.h>
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]23#include <android-base/strings.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]24#include <cutils/log.h>
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]25#include <cutils/properties.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]26#include <utils/Errors.h>
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]27#include <utils/String16.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]28
29#include <binder/IPCThreadState.h>
30#include <binder/IServiceManager.h>
31#include "android/net/BnNetd.h"
32
Ben Schwartze7601812017-04-28 16:38:29 -0400[diff] [blame]33#include <openssl/base64.h>
34
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]35#include "Controllers.h"
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]36#include "DumpWriter.h"
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]37#include "EventReporter.h"
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]38#include "InterfaceController.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]39#include "NetdConstants.h"
40#include "NetdNativeService.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]41#include "RouteController.h"
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]42#include "SockDiag.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]43#include "UidRanges.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]44
45using android::base::StringPrintf;
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]46using android::os::PersistableBundle;
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]47
48namespace android {
49namespace net {
50
51namespace {
52
53const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL";
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]54const char NETWORK_STACK[] = "android.permission.NETWORK_STACK";
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]55const char DUMP[] = "android.permission.DUMP";
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]56
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]57binder::Status toBinderStatus(const netdutils::Status s) {
58 if (isOk(s)) {
59 return binder::Status::ok();
60 }
Joel Scherpelzde937962017-06-01 13:20:21 +0900[diff] [blame]61 return binder::Status::fromServiceSpecificError(s.code(), s.msg().c_str());
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]62}
63
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]64binder::Status checkPermission(const char *permission) {
65 pid_t pid;
66 uid_t uid;
67
68 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) {
69 return binder::Status::ok();
70 } else {
71 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission);
72 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str()));
73 }
74}
75
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]76#define ENFORCE_DEBUGGABLE() { \
77 char value[PROPERTY_VALUE_MAX + 1]; \
78 if (property_get("ro.debuggable", value, NULL) != 1 \
79 || value[0] != '1') { \
80 return binder::Status::fromExceptionCode( \
81 binder::Status::EX_SECURITY, \
82 String8("Not available in production builds.") \
83 ); \
84 } \
85}
86
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]87#define ENFORCE_PERMISSION(permission) { \
88 binder::Status status = checkPermission((permission)); \
89 if (!status.isOk()) { \
90 return status; \
91 } \
92}
93
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]94#define NETD_LOCKING_RPC(permission, lock) \
95 ENFORCE_PERMISSION(permission); \
96 android::RWLock::AutoWLock _lock(lock);
97
98#define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock)
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]99
100inline binder::Status statusFromErrcode(int ret) {
101 if (ret) {
102 return binder::Status::fromServiceSpecificError(-ret, strerror(-ret));
103 }
104 return binder::Status::ok();
105}
106
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]107} // namespace
108
109
Lorenzo Colittie4851de2016-03-17 13:23:28 +0900[diff] [blame]110status_t NetdNativeService::start() {
111 IPCThreadState::self()->disableBackgroundScheduling(true);
112 status_t ret = BinderService<NetdNativeService>::publish();
113 if (ret != android::OK) {
114 return ret;
115 }
116 sp<ProcessState> ps(ProcessState::self());
117 ps->startThreadPool();
118 ps->giveThreadPoolName();
119 return android::OK;
120}
121
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]122status_t NetdNativeService::dump(int fd, const Vector<String16> &args) {
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]123 const binder::Status dump_permission = checkPermission(DUMP);
124 if (!dump_permission.isOk()) {
125 const String8 msg(dump_permission.toString8());
126 write(fd, msg.string(), msg.size());
127 return PERMISSION_DENIED;
128 }
129
130 // This method does not grab any locks. If individual classes need locking
131 // their dump() methods MUST handle locking appropriately.
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]132
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]133 DumpWriter dw(fd);
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]134
135 if (!args.isEmpty() && args[0] == TcpSocketMonitor::DUMP_KEYWORD) {
136 dw.blankline();
137 gCtls->tcpSocketMonitor.dump(dw);
138 dw.blankline();
139 return NO_ERROR;
140 }
141
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]142 dw.blankline();
143 gCtls->netCtrl.dump(dw);
144 dw.blankline();
145
146 return NO_ERROR;
147}
148
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]149binder::Status NetdNativeService::isAlive(bool *alive) {
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]150 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]151
152 *alive = true;
153 return binder::Status::ok();
154}
155
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]156binder::Status NetdNativeService::firewallReplaceUidChain(const android::String16& chainName,
157 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) {
158 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock);
159
160 android::String8 name = android::String8(chainName);
161 int err = gCtls->firewallCtrl.replaceUidChain(name.string(), isWhitelist, uids);
162 *ret = (err == 0);
163 return binder::Status::ok();
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]164}
Lorenzo Colittidedd2712016-03-22 12:36:29 +0900[diff] [blame]165
166binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
167 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock);
168
169 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
170 *ret = (err == 0);
171 return binder::Status::ok();
172}
173
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]174binder::Status NetdNativeService::networkCreatePhysical(int32_t netId,
175 const std::string& permission) {
176 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
177 int ret = gCtls->netCtrl.createPhysicalNetwork(netId, stringToPermission(permission.c_str()));
178 return statusFromErrcode(ret);
179}
180
181binder::Status NetdNativeService::networkCreateVpn(int32_t netId, bool hasDns, bool secure) {
182 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
183 int ret = gCtls->netCtrl.createVirtualNetwork(netId, hasDns, secure);
184 return statusFromErrcode(ret);
185}
186
187binder::Status NetdNativeService::networkDestroy(int32_t netId) {
Erik Klinec8b6a9c2018-01-15 17:06:48 +0900[diff] [blame]188 ENFORCE_PERMISSION(NETWORK_STACK);
189 // Both of these functions manage their own locking internally.
190 const int ret = gCtls->netCtrl.destroyNetwork(netId);
191 gCtls->resolverCtrl.clearDnsServers(netId);
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]192 return statusFromErrcode(ret);
193}
194
195binder::Status NetdNativeService::networkAddInterface(int32_t netId, const std::string& iface) {
196 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
197 int ret = gCtls->netCtrl.addInterfaceToNetwork(netId, iface.c_str());
198 return statusFromErrcode(ret);
199}
200
201binder::Status NetdNativeService::networkRemoveInterface(int32_t netId, const std::string& iface) {
202 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
203 int ret = gCtls->netCtrl.removeInterfaceFromNetwork(netId, iface.c_str());
204 return statusFromErrcode(ret);
205}
206
207binder::Status NetdNativeService::networkAddUidRanges(int32_t netId,
208 const std::vector<UidRange>& uidRangeArray) {
209 // NetworkController::addUsersToNetwork is thread-safe.
210 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
211 int ret = gCtls->netCtrl.addUsersToNetwork(netId, UidRanges(uidRangeArray));
212 return statusFromErrcode(ret);
213}
214
215binder::Status NetdNativeService::networkRemoveUidRanges(int32_t netId,
216 const std::vector<UidRange>& uidRangeArray) {
217 // NetworkController::removeUsersFromNetwork is thread-safe.
218 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
219 int ret = gCtls->netCtrl.removeUsersFromNetwork(netId, UidRanges(uidRangeArray));
220 return statusFromErrcode(ret);
221}
222
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]223binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
224 const std::vector<UidRange>& uidRangeArray) {
225 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
226 // it should be possible to use the same lock as NetworkController. However, every call through
227 // the CommandListener "network" command will need to hold this lock too, not just the ones that
228 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
229 // look at routes, but it's not enough here).
230 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
231
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]232 UidRanges uidRanges(uidRangeArray);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]233
234 int err;
235 if (add) {
236 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
237 } else {
238 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
239 }
240
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]241 return statusFromErrcode(err);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]242}
243
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]244binder::Status NetdNativeService::socketDestroy(const std::vector<UidRange>& uids,
245 const std::vector<int32_t>& skipUids) {
246
247 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
248
249 SockDiag sd;
250 if (!sd.open()) {
251 return binder::Status::fromServiceSpecificError(EIO,
252 String8("Could not open SOCK_DIAG socket"));
253 }
254
255 UidRanges uidRanges(uids);
Lorenzo Colittie5c3c992016-07-26 17:53:50 +0900[diff] [blame]256 int err = sd.destroySockets(uidRanges, std::set<uid_t>(skipUids.begin(), skipUids.end()),
257 true /* excludeLoopback */);
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]258
259 if (err) {
260 return binder::Status::fromServiceSpecificError(-err,
261 String8::format("destroySockets: %s", strerror(-err)));
262 }
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]263 return binder::Status::ok();
264}
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]265
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]266// Parse a base64 encoded string into a vector of bytes.
267// On failure, return an empty vector.
268static std::vector<uint8_t> parseBase64(const std::string& input) {
269 std::vector<uint8_t> decoded;
270 size_t out_len;
271 if (EVP_DecodedLength(&out_len, input.size()) != 1) {
272 return decoded;
273 }
274 // out_len is now an upper bound on the output length.
275 decoded.resize(out_len);
276 if (EVP_DecodeBase64(decoded.data(), &out_len, decoded.size(),
277 reinterpret_cast<const uint8_t*>(input.data()), input.size()) == 1) {
278 // Possibly shrink the vector if the actual output was smaller than the bound.
279 decoded.resize(out_len);
280 } else {
281 decoded.clear();
282 }
283 if (out_len != SHA256_SIZE) {
284 decoded.clear();
285 }
286 return decoded;
287}
288
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]289binder::Status NetdNativeService::setResolverConfiguration(int32_t netId,
290 const std::vector<std::string>& servers, const std::vector<std::string>& domains,
Erik Kline50c6dfc2018-03-04 21:01:56 +0900[diff] [blame]291 const std::vector<int32_t>& params, const std::string& tlsName,
292 const std::vector<std::string>& tlsServers,
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]293 const std::vector<std::string>& tlsFingerprints) {
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]294 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
295 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
296
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]297 std::set<std::vector<uint8_t>> decoded_fingerprints;
298 for (const std::string& fingerprint : tlsFingerprints) {
299 std::vector<uint8_t> decoded = parseBase64(fingerprint);
300 if (decoded.empty()) {
301 return binder::Status::fromServiceSpecificError(EINVAL,
302 String8::format("ResolverController error: bad fingerprint"));
303 }
304 decoded_fingerprints.emplace(decoded);
305 }
306
307 int err = gCtls->resolverCtrl.setResolverConfiguration(netId, servers, domains, params,
Erik Kline50c6dfc2018-03-04 21:01:56 +0900[diff] [blame]308 tlsName, tlsServers, decoded_fingerprints);
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]309 if (err != 0) {
310 return binder::Status::fromServiceSpecificError(-err,
311 String8::format("ResolverController error: %s", strerror(-err)));
312 }
313 return binder::Status::ok();
314}
315
316binder::Status NetdNativeService::getResolverInfo(int32_t netId,
317 std::vector<std::string>* servers, std::vector<std::string>* domains,
318 std::vector<int32_t>* params, std::vector<int32_t>* stats) {
319 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
320 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
321
322 int err = gCtls->resolverCtrl.getResolverInfo(netId, servers, domains, params, stats);
323 if (err != 0) {
324 return binder::Status::fromServiceSpecificError(-err,
325 String8::format("ResolverController error: %s", strerror(-err)));
326 }
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]327 return binder::Status::ok();
328}
329
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]330binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) {
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]331 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock)
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]332
333 *ret = gCtls->tetherCtrl.applyDnsInterfaces();
334 return binder::Status::ok();
335}
336
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]337namespace {
338
339void tetherAddStats(PersistableBundle *bundle, const TetherController::TetherStats& stats) {
340 String16 iface = String16(stats.extIface.c_str());
341 std::vector<int64_t> statsVector(INetd::TETHER_STATS_ARRAY_SIZE);
342
343 bundle->getLongVector(iface, &statsVector);
344 if (statsVector.size() == 0) {
345 for (int i = 0; i < INetd::TETHER_STATS_ARRAY_SIZE; i++) statsVector.push_back(0);
346 }
347
Lorenzo Colitti9a65ac62017-09-04 18:07:56 +0900[diff] [blame]348 statsVector[INetd::TETHER_STATS_RX_BYTES] += stats.rxBytes;
349 statsVector[INetd::TETHER_STATS_RX_PACKETS] += stats.rxPackets;
350 statsVector[INetd::TETHER_STATS_TX_BYTES] += stats.txBytes;
351 statsVector[INetd::TETHER_STATS_TX_PACKETS] += stats.txPackets;
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]352
353 bundle->putLongVector(iface, statsVector);
354}
355
356} // namespace
357
358binder::Status NetdNativeService::tetherGetStats(PersistableBundle *bundle) {
359 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock)
360
Lorenzo Colitti5192bf72017-09-04 13:30:59 +0900[diff] [blame]361 const auto& statsList = gCtls->tetherCtrl.getTetherStats();
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]362 if (!isOk(statsList)) {
363 return toBinderStatus(statsList);
364 }
365
366 for (const auto& stats : statsList.value()) {
367 tetherAddStats(bundle, stats);
368 }
369
370 return binder::Status::ok();
371}
372
Erik Kline53c20882016-08-02 15:22:53 +0900[diff] [blame]373binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName,
374 const std::string &addrString, int prefixLength) {
375 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
376
377 const int err = InterfaceController::addAddress(
378 ifName.c_str(), addrString.c_str(), prefixLength);
379 if (err != 0) {
380 return binder::Status::fromServiceSpecificError(-err,
381 String8::format("InterfaceController error: %s", strerror(-err)));
382 }
383 return binder::Status::ok();
384}
385
386binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
387 const std::string &addrString, int prefixLength) {
388 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
389
390 const int err = InterfaceController::delAddress(
391 ifName.c_str(), addrString.c_str(), prefixLength);
392 if (err != 0) {
393 return binder::Status::fromServiceSpecificError(-err,
394 String8::format("InterfaceController error: %s", strerror(-err)));
395 }
396 return binder::Status::ok();
397}
398
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]399binder::Status NetdNativeService::setProcSysNet(
400 int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
401 const std::string &value) {
402 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
403
404 const char *familyStr;
405 switch (family) {
406 case INetd::IPV4:
407 familyStr = "ipv4";
408 break;
409 case INetd::IPV6:
410 familyStr = "ipv6";
411 break;
412 default:
413 return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family"));
414 }
415
416 const char *whichStr;
417 switch (which) {
418 case INetd::CONF:
419 whichStr = "conf";
420 break;
421 case INetd::NEIGH:
422 whichStr = "neigh";
423 break;
424 default:
425 return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category"));
426 }
427
428 const int err = InterfaceController::setParameter(
429 familyStr, whichStr, ifname.c_str(), parameter.c_str(),
430 value.c_str());
431 if (err != 0) {
432 return binder::Status::fromServiceSpecificError(-err,
433 String8::format("ResolverController error: %s", strerror(-err)));
434 }
435 return binder::Status::ok();
436}
437
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]438binder::Status NetdNativeService::getMetricsReportingLevel(int *reportingLevel) {
439 // This function intentionally does not lock, since the only thing it does is one read from an
440 // atomic_int.
441 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
442 ENFORCE_DEBUGGABLE();
443
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]444 *reportingLevel = gCtls->eventReporter.getMetricsReportingLevel();
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]445 return binder::Status::ok();
446}
447
448binder::Status NetdNativeService::setMetricsReportingLevel(const int reportingLevel) {
449 // This function intentionally does not lock, since the only thing it does is one write to an
450 // atomic_int.
451 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
452 ENFORCE_DEBUGGABLE();
453
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]454 return (gCtls->eventReporter.setMetricsReportingLevel(reportingLevel) == 0)
455 ? binder::Status::ok()
456 : binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT);
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]457}
458
Benedict Wongb2daefb2017-12-06 22:05:46 -0800[diff] [blame]459binder::Status NetdNativeService::ipSecSetEncapSocketOwner(const android::base::unique_fd& socket,
460 int newUid) {
461 ENFORCE_PERMISSION(NETWORK_STACK)
462 ALOGD("ipSecSetEncapSocketOwner()");
463
464 uid_t callerUid = IPCThreadState::self()->getCallingUid();
465 return asBinderStatus(gCtls->xfrmCtrl.ipSecSetEncapSocketOwner(socket, newUid, callerUid));
466}
467
468
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]469binder::Status NetdNativeService::ipSecAllocateSpi(
470 int32_t transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]471 const std::string& sourceAddress,
472 const std::string& destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]473 int32_t inSpi,
474 int32_t* outSpi) {
475 // Necessary locking done in IpSecService and kernel
476 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
477 ALOGD("ipSecAllocateSpi()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]478 return asBinderStatus(gCtls->xfrmCtrl.ipSecAllocateSpi(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]479 transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]480 sourceAddress,
481 destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]482 inSpi,
483 outSpi));
484}
485
486binder::Status NetdNativeService::ipSecAddSecurityAssociation(
487 int32_t transformId,
488 int32_t mode,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]489 const std::string& sourceAddress,
490 const std::string& destinationAddress,
Benedict Wong96abf482018-01-22 13:56:41 -0800[diff] [blame]491 int32_t underlyingNetId,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]492 int32_t spi,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]493 int32_t markValue,
494 int32_t markMask,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]495 const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
496 const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]497 const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]498 int32_t encapType,
499 int32_t encapLocalPort,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]500 int32_t encapRemotePort) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]501 // Necessary locking done in IpSecService and kernel
502 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
503 ALOGD("ipSecAddSecurityAssociation()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]504 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation(
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]505 transformId, mode, sourceAddress, destinationAddress,
Benedict Wong96abf482018-01-22 13:56:41 -0800[diff] [blame]506 underlyingNetId,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]507 spi, markValue, markMask,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]508 authAlgo, authKey, authTruncBits,
509 cryptAlgo, cryptKey, cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]510 aeadAlgo, aeadKey, aeadIcvBits,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]511 encapType, encapLocalPort, encapRemotePort));
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]512}
513
514binder::Status NetdNativeService::ipSecDeleteSecurityAssociation(
515 int32_t transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]516 const std::string& sourceAddress,
517 const std::string& destinationAddress,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]518 int32_t spi,
519 int32_t markValue,
520 int32_t markMask) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]521 // Necessary locking done in IpSecService and kernel
522 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
523 ALOGD("ipSecDeleteSecurityAssociation()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]524 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]525 transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]526 sourceAddress,
527 destinationAddress,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]528 spi,
529 markValue,
530 markMask));
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]531}
532
533binder::Status NetdNativeService::ipSecApplyTransportModeTransform(
534 const android::base::unique_fd& socket,
535 int32_t transformId,
536 int32_t direction,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]537 const std::string& sourceAddress,
538 const std::string& destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]539 int32_t spi) {
540 // Necessary locking done in IpSecService and kernel
541 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
542 ALOGD("ipSecApplyTransportModeTransform()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]543 return asBinderStatus(gCtls->xfrmCtrl.ipSecApplyTransportModeTransform(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]544 socket,
545 transformId,
546 direction,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]547 sourceAddress,
548 destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]549 spi));
550}
551
552binder::Status NetdNativeService::ipSecRemoveTransportModeTransform(
553 const android::base::unique_fd& socket) {
554 // Necessary locking done in IpSecService and kernel
555 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
556 ALOGD("ipSecRemoveTransportModeTransform()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]557 return asBinderStatus(gCtls->xfrmCtrl.ipSecRemoveTransportModeTransform(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]558 socket));
559}
560
Benedict Wong84a8dca2018-01-19 12:12:17 -0800[diff] [blame]561binder::Status NetdNativeService::ipSecAddSecurityPolicy(
562 int32_t transformId,
563 int32_t direction,
564 const std::string& sourceAddress,
565 const std::string& destinationAddress,
566 int32_t spi,
567 int32_t markValue,
568 int32_t markMask){
569 // Necessary locking done in IpSecService and kernel
570 ENFORCE_PERMISSION(NETWORK_STACK);
571 ALOGD("ipSecAddSecurityPolicy()");
572 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityPolicy(
573 transformId,
574 direction,
575 sourceAddress,
576 destinationAddress,
577 spi,
578 markValue,
579 markMask));
580}
581
582binder::Status NetdNativeService::ipSecUpdateSecurityPolicy(
583 int32_t transformId,
584 int32_t direction,
585 const std::string& sourceAddress,
586 const std::string& destinationAddress,
587 int32_t spi,
588 int32_t markValue,
589 int32_t markMask){
590 // Necessary locking done in IpSecService and kernel
591 ENFORCE_PERMISSION(NETWORK_STACK);
592 ALOGD("ipSecAddSecurityPolicy()");
593 return asBinderStatus(gCtls->xfrmCtrl.ipSecUpdateSecurityPolicy(
594 transformId,
595 direction,
596 sourceAddress,
597 destinationAddress,
598 spi,
599 markValue,
600 markMask));
601}
602
603binder::Status NetdNativeService::ipSecDeleteSecurityPolicy(
604 int32_t transformId,
605 int32_t direction,
606 const std::string& sourceAddress,
607 const std::string& destinationAddress,
608 int32_t markValue,
609 int32_t markMask){
610 // Necessary locking done in IpSecService and kernel
611 ENFORCE_PERMISSION(NETWORK_STACK);
612 ALOGD("ipSecAddSecurityPolicy()");
613 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityPolicy(
614 transformId,
615 direction,
616 sourceAddress,
617 destinationAddress,
618 markValue,
619 markMask));
620}
621
manojboopathi8707f232018-01-02 14:45:47 -0800[diff] [blame]622binder::Status NetdNativeService::addVirtualTunnelInterface(
623 const std::string& deviceName,
624 const std::string& localAddress,
625 const std::string& remoteAddress,
626 int32_t iKey,
627 int32_t oKey) {
628 // Necessary locking done in IpSecService and kernel
629 ENFORCE_PERMISSION(NETWORK_STACK);
630 ALOGD("addVirtualTunnelInterface()");
631 int ret = gCtls->xfrmCtrl.addVirtualTunnelInterface(
632 deviceName,
633 localAddress,
634 remoteAddress,
635 iKey,
636 oKey,
637 false);
638
639 return (ret == 0) ? binder::Status::ok() :
640 asBinderStatus(netdutils::statusFromErrno(
641 ret, "Error in creating virtual tunnel interface."));
642}
643
644binder::Status NetdNativeService::updateVirtualTunnelInterface(
645 const std::string& deviceName,
646 const std::string& localAddress,
647 const std::string& remoteAddress,
648 int32_t iKey,
649 int32_t oKey) {
650 // Necessary locking done in IpSecService and kernel
651 ENFORCE_PERMISSION(NETWORK_STACK);
652 ALOGD("updateVirtualTunnelInterface()");
653 int ret = gCtls->xfrmCtrl.addVirtualTunnelInterface(
654 deviceName,
655 localAddress,
656 remoteAddress,
657 iKey,
658 oKey,
659 true);
660
661 return (ret == 0) ? binder::Status::ok() :
662 asBinderStatus(netdutils::statusFromErrno(
663 ret, "Error in updating virtual tunnel interface."));
664}
665
666binder::Status NetdNativeService::removeVirtualTunnelInterface(const std::string& deviceName) {
667 // Necessary locking done in IpSecService and kernel
668 ENFORCE_PERMISSION(NETWORK_STACK);
669 ALOGD("removeVirtualTunnelInterface()");
670 int ret = gCtls->xfrmCtrl.removeVirtualTunnelInterface(deviceName);
671
672 return (ret == 0) ? binder::Status::ok() :
673 asBinderStatus(netdutils::statusFromErrno(
674 ret, "Error in removing virtual tunnel interface."));
675}
676
Joel Scherpelzde937962017-06-01 13:20:21 +0900[diff] [blame]677binder::Status NetdNativeService::setIPv6AddrGenMode(const std::string& ifName,
678 int32_t mode) {
679 ENFORCE_PERMISSION(NETWORK_STACK);
680 return toBinderStatus(InterfaceController::setIPv6AddrGenMode(ifName, mode));
681}
682
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]683binder::Status NetdNativeService::wakeupAddInterface(const std::string& ifName,
684 const std::string& prefix, int32_t mark,
685 int32_t mask) {
686 ENFORCE_PERMISSION(NETWORK_STACK);
687 return toBinderStatus(gCtls->wakeupCtrl.addInterface(ifName, prefix, mark, mask));
688}
689
690binder::Status NetdNativeService::wakeupDelInterface(const std::string& ifName,
691 const std::string& prefix, int32_t mark,
692 int32_t mask) {
693 ENFORCE_PERMISSION(NETWORK_STACK);
694 return toBinderStatus(gCtls->wakeupCtrl.delInterface(ifName, prefix, mark, mask));
695}
696
Chenbo Feng07d43fe2017-12-21 14:38:51 -0800[diff] [blame]697binder::Status NetdNativeService::trafficCheckBpfStatsEnable(bool* ret) {
698 ENFORCE_PERMISSION(NETWORK_STACK);
699 *ret = gCtls->trafficCtrl.checkBpfStatsEnable();
700 return binder::Status::ok();
701}
702
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]703} // namespace net
704} // namespace android