Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / e6b936ebe8e8a9cbe47b87be0f1b72bb85a8d80d / . / server / NetdNativeService.cpp
blob: e9623623389e498254317161827829f2abbc5fb7 [file] [log] [blame]
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "Netd"
18
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]19#include <vector>
20
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]21#include <android-base/stringprintf.h>
22#include <cutils/log.h>
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]23#include <cutils/properties.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]24#include <utils/Errors.h>
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]25#include <utils/String16.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]26
27#include <binder/IPCThreadState.h>
28#include <binder/IServiceManager.h>
29#include "android/net/BnNetd.h"
30
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]31#include "Controllers.h"
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]32#include "DumpWriter.h"
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]33#include "InterfaceController.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]34#include "NetdConstants.h"
35#include "NetdNativeService.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]36#include "RouteController.h"
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]37#include "SockDiag.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]38#include "UidRanges.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]39
40using android::base::StringPrintf;
41
42namespace android {
43namespace net {
44
45namespace {
46
47const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL";
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]48const char DUMP[] = "android.permission.DUMP";
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]49
50binder::Status checkPermission(const char *permission) {
51 pid_t pid;
52 uid_t uid;
53
54 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) {
55 return binder::Status::ok();
56 } else {
57 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission);
58 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str()));
59 }
60}
61
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]62#define ENFORCE_DEBUGGABLE() { \
63 char value[PROPERTY_VALUE_MAX + 1]; \
64 if (property_get("ro.debuggable", value, NULL) != 1 \
65 || value[0] != '1') { \
66 return binder::Status::fromExceptionCode( \
67 binder::Status::EX_SECURITY, \
68 String8("Not available in production builds.") \
69 ); \
70 } \
71}
72
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]73#define ENFORCE_PERMISSION(permission) { \
74 binder::Status status = checkPermission((permission)); \
75 if (!status.isOk()) { \
76 return status; \
77 } \
78}
79
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]80#define NETD_LOCKING_RPC(permission, lock) \
81 ENFORCE_PERMISSION(permission); \
82 android::RWLock::AutoWLock _lock(lock);
83
84#define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock)
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]85} // namespace
86
87
Lorenzo Colittie4851de2016-03-17 13:23:28 +0900[diff] [blame]88status_t NetdNativeService::start() {
89 IPCThreadState::self()->disableBackgroundScheduling(true);
90 status_t ret = BinderService<NetdNativeService>::publish();
91 if (ret != android::OK) {
92 return ret;
93 }
94 sp<ProcessState> ps(ProcessState::self());
95 ps->startThreadPool();
96 ps->giveThreadPoolName();
97 return android::OK;
98}
99
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]100status_t NetdNativeService::dump(int fd, const Vector<String16> & /* args */) {
101 const binder::Status dump_permission = checkPermission(DUMP);
102 if (!dump_permission.isOk()) {
103 const String8 msg(dump_permission.toString8());
104 write(fd, msg.string(), msg.size());
105 return PERMISSION_DENIED;
106 }
107
108 // This method does not grab any locks. If individual classes need locking
109 // their dump() methods MUST handle locking appropriately.
110 DumpWriter dw(fd);
111 dw.blankline();
112 gCtls->netCtrl.dump(dw);
113 dw.blankline();
114
115 return NO_ERROR;
116}
117
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]118binder::Status NetdNativeService::isAlive(bool *alive) {
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]119 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]120
121 *alive = true;
122 return binder::Status::ok();
123}
124
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]125binder::Status NetdNativeService::firewallReplaceUidChain(const android::String16& chainName,
126 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) {
127 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock);
128
129 android::String8 name = android::String8(chainName);
130 int err = gCtls->firewallCtrl.replaceUidChain(name.string(), isWhitelist, uids);
131 *ret = (err == 0);
132 return binder::Status::ok();
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]133}
Lorenzo Colittidedd2712016-03-22 12:36:29 +0900[diff] [blame]134
135binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
136 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock);
137
138 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
139 *ret = (err == 0);
140 return binder::Status::ok();
141}
142
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]143binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
144 const std::vector<UidRange>& uidRangeArray) {
145 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
146 // it should be possible to use the same lock as NetworkController. However, every call through
147 // the CommandListener "network" command will need to hold this lock too, not just the ones that
148 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
149 // look at routes, but it's not enough here).
150 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
151
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]152 UidRanges uidRanges(uidRangeArray);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]153
154 int err;
155 if (add) {
156 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
157 } else {
158 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
159 }
160
161 if (err != 0) {
162 return binder::Status::fromServiceSpecificError(-err,
163 String8::format("RouteController error: %s", strerror(-err)));
164 }
165 return binder::Status::ok();
166}
167
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]168binder::Status NetdNativeService::socketDestroy(const std::vector<UidRange>& uids,
169 const std::vector<int32_t>& skipUids) {
170
171 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
172
173 SockDiag sd;
174 if (!sd.open()) {
175 return binder::Status::fromServiceSpecificError(EIO,
176 String8("Could not open SOCK_DIAG socket"));
177 }
178
179 UidRanges uidRanges(uids);
Lorenzo Colittie5c3c992016-07-26 17:53:50 +0900[diff] [blame]180 int err = sd.destroySockets(uidRanges, std::set<uid_t>(skipUids.begin(), skipUids.end()),
181 true /* excludeLoopback */);
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]182
183 if (err) {
184 return binder::Status::fromServiceSpecificError(-err,
185 String8::format("destroySockets: %s", strerror(-err)));
186 }
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]187 return binder::Status::ok();
188}
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]189
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]190binder::Status NetdNativeService::setResolverConfiguration(int32_t netId,
191 const std::vector<std::string>& servers, const std::vector<std::string>& domains,
192 const std::vector<int32_t>& params) {
193 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
194 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
195
196 int err = gCtls->resolverCtrl.setResolverConfiguration(netId, servers, domains, params);
197 if (err != 0) {
198 return binder::Status::fromServiceSpecificError(-err,
199 String8::format("ResolverController error: %s", strerror(-err)));
200 }
201 return binder::Status::ok();
202}
203
204binder::Status NetdNativeService::getResolverInfo(int32_t netId,
205 std::vector<std::string>* servers, std::vector<std::string>* domains,
206 std::vector<int32_t>* params, std::vector<int32_t>* stats) {
207 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
208 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
209
210 int err = gCtls->resolverCtrl.getResolverInfo(netId, servers, domains, params, stats);
211 if (err != 0) {
212 return binder::Status::fromServiceSpecificError(-err,
213 String8::format("ResolverController error: %s", strerror(-err)));
214 }
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]215 return binder::Status::ok();
216}
217
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]218binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) {
219 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
220
221 *ret = gCtls->tetherCtrl.applyDnsInterfaces();
222 return binder::Status::ok();
223}
224
Erik Kline53c20882016-08-02 15:22:53 +0900[diff] [blame]225binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName,
226 const std::string &addrString, int prefixLength) {
227 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
228
229 const int err = InterfaceController::addAddress(
230 ifName.c_str(), addrString.c_str(), prefixLength);
231 if (err != 0) {
232 return binder::Status::fromServiceSpecificError(-err,
233 String8::format("InterfaceController error: %s", strerror(-err)));
234 }
235 return binder::Status::ok();
236}
237
238binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
239 const std::string &addrString, int prefixLength) {
240 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
241
242 const int err = InterfaceController::delAddress(
243 ifName.c_str(), addrString.c_str(), prefixLength);
244 if (err != 0) {
245 return binder::Status::fromServiceSpecificError(-err,
246 String8::format("InterfaceController error: %s", strerror(-err)));
247 }
248 return binder::Status::ok();
249}
250
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]251binder::Status NetdNativeService::setProcSysNet(
252 int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
253 const std::string &value) {
254 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
255
256 const char *familyStr;
257 switch (family) {
258 case INetd::IPV4:
259 familyStr = "ipv4";
260 break;
261 case INetd::IPV6:
262 familyStr = "ipv6";
263 break;
264 default:
265 return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family"));
266 }
267
268 const char *whichStr;
269 switch (which) {
270 case INetd::CONF:
271 whichStr = "conf";
272 break;
273 case INetd::NEIGH:
274 whichStr = "neigh";
275 break;
276 default:
277 return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category"));
278 }
279
280 const int err = InterfaceController::setParameter(
281 familyStr, whichStr, ifname.c_str(), parameter.c_str(),
282 value.c_str());
283 if (err != 0) {
284 return binder::Status::fromServiceSpecificError(-err,
285 String8::format("ResolverController error: %s", strerror(-err)));
286 }
287 return binder::Status::ok();
288}
289
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]290binder::Status NetdNativeService::getMetricsReportingLevel(int *reportingLevel) {
291 // This function intentionally does not lock, since the only thing it does is one read from an
292 // atomic_int.
293 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
294 ENFORCE_DEBUGGABLE();
295
296 *reportingLevel = gCtls->netCtrl.getMetricsReportingLevel();
297 return binder::Status::ok();
298}
299
300binder::Status NetdNativeService::setMetricsReportingLevel(const int reportingLevel) {
301 // This function intentionally does not lock, since the only thing it does is one write to an
302 // atomic_int.
303 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
304 ENFORCE_DEBUGGABLE();
305
306 if (int err = gCtls->netCtrl.setMetricsReportingLevel(reportingLevel)) {
307 return binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT);
308 }
309 return binder::Status::ok();
310}
311
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]312} // namespace net
313} // namespace android