Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / ef297179bb1611b011d6e0f55e5cb7366a76824a / . / server / NetdNativeService.cpp
blob: 06c934684c54af22a4507506000f57b0dc3c1f6b [file] [log] [blame]
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]1/**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "Netd"
18
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]19#include <set>
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]20#include <vector>
21
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]22#include <android-base/stringprintf.h>
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]23#include <android-base/strings.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]24#include <cutils/log.h>
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]25#include <cutils/properties.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]26#include <utils/Errors.h>
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]27#include <utils/String16.h>
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]28
29#include <binder/IPCThreadState.h>
30#include <binder/IServiceManager.h>
31#include "android/net/BnNetd.h"
32
Ben Schwartze7601812017-04-28 16:38:29 -0400[diff] [blame]33#include <openssl/base64.h>
34
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]35#include "Controllers.h"
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]36#include "DumpWriter.h"
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]37#include "EventReporter.h"
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]38#include "InterfaceController.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]39#include "NetdConstants.h"
40#include "NetdNativeService.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]41#include "RouteController.h"
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]42#include "SockDiag.h"
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]43#include "UidRanges.h"
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]44
45using android::base::StringPrintf;
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]46using android::os::PersistableBundle;
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]47
48namespace android {
49namespace net {
50
51namespace {
52
53const char CONNECTIVITY_INTERNAL[] = "android.permission.CONNECTIVITY_INTERNAL";
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]54const char NETWORK_STACK[] = "android.permission.NETWORK_STACK";
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]55const char DUMP[] = "android.permission.DUMP";
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]56
57binder::Status checkPermission(const char *permission) {
58 pid_t pid;
59 uid_t uid;
60
61 if (checkCallingPermission(String16(permission), (int32_t *) &pid, (int32_t *) &uid)) {
62 return binder::Status::ok();
63 } else {
64 auto err = StringPrintf("UID %d / PID %d lacks permission %s", uid, pid, permission);
65 return binder::Status::fromExceptionCode(binder::Status::EX_SECURITY, String8(err.c_str()));
66 }
67}
68
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]69#define ENFORCE_DEBUGGABLE() { \
70 char value[PROPERTY_VALUE_MAX + 1]; \
71 if (property_get("ro.debuggable", value, NULL) != 1 \
72 || value[0] != '1') { \
73 return binder::Status::fromExceptionCode( \
74 binder::Status::EX_SECURITY, \
75 String8("Not available in production builds.") \
76 ); \
77 } \
78}
79
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]80#define ENFORCE_PERMISSION(permission) { \
81 binder::Status status = checkPermission((permission)); \
82 if (!status.isOk()) { \
83 return status; \
84 } \
85}
86
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]87#define NETD_LOCKING_RPC(permission, lock) \
88 ENFORCE_PERMISSION(permission); \
89 android::RWLock::AutoWLock _lock(lock);
90
91#define NETD_BIG_LOCK_RPC(permission) NETD_LOCKING_RPC((permission), gBigNetdLock)
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]92
93inline binder::Status statusFromErrcode(int ret) {
94 if (ret) {
95 return binder::Status::fromServiceSpecificError(-ret, strerror(-ret));
96 }
97 return binder::Status::ok();
98}
99
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]100} // namespace
101
102
Lorenzo Colittie4851de2016-03-17 13:23:28 +0900[diff] [blame]103status_t NetdNativeService::start() {
104 IPCThreadState::self()->disableBackgroundScheduling(true);
105 status_t ret = BinderService<NetdNativeService>::publish();
106 if (ret != android::OK) {
107 return ret;
108 }
109 sp<ProcessState> ps(ProcessState::self());
110 ps->startThreadPool();
111 ps->giveThreadPoolName();
112 return android::OK;
113}
114
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]115status_t NetdNativeService::dump(int fd, const Vector<String16> &args) {
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]116 const binder::Status dump_permission = checkPermission(DUMP);
117 if (!dump_permission.isOk()) {
118 const String8 msg(dump_permission.toString8());
119 write(fd, msg.string(), msg.size());
120 return PERMISSION_DENIED;
121 }
122
123 // This method does not grab any locks. If individual classes need locking
124 // their dump() methods MUST handle locking appropriately.
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]125
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]126 DumpWriter dw(fd);
Hugo Benichi7b314e12018-01-15 21:54:00 +0900[diff] [blame]127
128 if (!args.isEmpty() && args[0] == TcpSocketMonitor::DUMP_KEYWORD) {
129 dw.blankline();
130 gCtls->tcpSocketMonitor.dump(dw);
131 dw.blankline();
132 return NO_ERROR;
133 }
134
Chenbo Fengef297172018-03-26 10:53:33 -0700[diff] [blame^]135 if (!args.isEmpty() && args[0] == TrafficController::DUMP_KEYWORD) {
136 dw.blankline();
137 gCtls->trafficCtrl.dump(dw, true);
138 dw.blankline();
139 return NO_ERROR;
140 }
141
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]142 dw.blankline();
143 gCtls->netCtrl.dump(dw);
144 dw.blankline();
145
Chenbo Fengef297172018-03-26 10:53:33 -0700[diff] [blame^]146 gCtls->trafficCtrl.dump(dw, false);
147 dw.blankline();
148
Erik Kline2d3a1632016-03-15 16:33:48 +0900[diff] [blame]149 return NO_ERROR;
150}
151
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]152binder::Status NetdNativeService::isAlive(bool *alive) {
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]153 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]154
155 *alive = true;
156 return binder::Status::ok();
157}
158
Erik Klinef52d4522018-03-14 15:01:46 +0900[diff] [blame]159binder::Status NetdNativeService::firewallReplaceUidChain(const std::string& chainName,
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]160 bool isWhitelist, const std::vector<int32_t>& uids, bool *ret) {
161 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->firewallCtrl.lock);
162
Erik Klinef52d4522018-03-14 15:01:46 +0900[diff] [blame]163 int err = gCtls->firewallCtrl.replaceUidChain(chainName, isWhitelist, uids);
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]164 *ret = (err == 0);
165 return binder::Status::ok();
Lorenzo Colitti89faa342016-02-26 11:38:47 +0900[diff] [blame]166}
Lorenzo Colittidedd2712016-03-22 12:36:29 +0900[diff] [blame]167
168binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
169 NETD_LOCKING_RPC(CONNECTIVITY_INTERNAL, gCtls->bandwidthCtrl.lock);
170
171 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
172 *ret = (err == 0);
173 return binder::Status::ok();
174}
175
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]176binder::Status NetdNativeService::networkCreatePhysical(int32_t netId,
177 const std::string& permission) {
178 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
179 int ret = gCtls->netCtrl.createPhysicalNetwork(netId, stringToPermission(permission.c_str()));
180 return statusFromErrcode(ret);
181}
182
183binder::Status NetdNativeService::networkCreateVpn(int32_t netId, bool hasDns, bool secure) {
184 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
185 int ret = gCtls->netCtrl.createVirtualNetwork(netId, hasDns, secure);
186 return statusFromErrcode(ret);
187}
188
189binder::Status NetdNativeService::networkDestroy(int32_t netId) {
Erik Klinec8b6a9c2018-01-15 17:06:48 +0900[diff] [blame]190 ENFORCE_PERMISSION(NETWORK_STACK);
191 // Both of these functions manage their own locking internally.
192 const int ret = gCtls->netCtrl.destroyNetwork(netId);
193 gCtls->resolverCtrl.clearDnsServers(netId);
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]194 return statusFromErrcode(ret);
195}
196
197binder::Status NetdNativeService::networkAddInterface(int32_t netId, const std::string& iface) {
198 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
199 int ret = gCtls->netCtrl.addInterfaceToNetwork(netId, iface.c_str());
200 return statusFromErrcode(ret);
201}
202
203binder::Status NetdNativeService::networkRemoveInterface(int32_t netId, const std::string& iface) {
204 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
205 int ret = gCtls->netCtrl.removeInterfaceFromNetwork(netId, iface.c_str());
206 return statusFromErrcode(ret);
207}
208
209binder::Status NetdNativeService::networkAddUidRanges(int32_t netId,
210 const std::vector<UidRange>& uidRangeArray) {
211 // NetworkController::addUsersToNetwork is thread-safe.
212 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
213 int ret = gCtls->netCtrl.addUsersToNetwork(netId, UidRanges(uidRangeArray));
214 return statusFromErrcode(ret);
215}
216
217binder::Status NetdNativeService::networkRemoveUidRanges(int32_t netId,
218 const std::vector<UidRange>& uidRangeArray) {
219 // NetworkController::removeUsersFromNetwork is thread-safe.
220 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
221 int ret = gCtls->netCtrl.removeUsersFromNetwork(netId, UidRanges(uidRangeArray));
222 return statusFromErrcode(ret);
223}
224
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]225binder::Status NetdNativeService::networkRejectNonSecureVpn(bool add,
226 const std::vector<UidRange>& uidRangeArray) {
227 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
228 // it should be possible to use the same lock as NetworkController. However, every call through
229 // the CommandListener "network" command will need to hold this lock too, not just the ones that
230 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
231 // look at routes, but it's not enough here).
232 NETD_BIG_LOCK_RPC(CONNECTIVITY_INTERNAL);
233
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]234 UidRanges uidRanges(uidRangeArray);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]235
236 int err;
237 if (add) {
238 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
239 } else {
240 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
241 }
242
Lorenzo Colittid33e96d2016-12-15 23:59:01 +0900[diff] [blame]243 return statusFromErrcode(err);
Robin Leeb8087362016-03-30 18:43:08 +0100[diff] [blame]244}
245
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]246binder::Status NetdNativeService::socketDestroy(const std::vector<UidRange>& uids,
247 const std::vector<int32_t>& skipUids) {
248
249 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
250
251 SockDiag sd;
252 if (!sd.open()) {
253 return binder::Status::fromServiceSpecificError(EIO,
254 String8("Could not open SOCK_DIAG socket"));
255 }
256
257 UidRanges uidRanges(uids);
Lorenzo Colittie5c3c992016-07-26 17:53:50 +0900[diff] [blame]258 int err = sd.destroySockets(uidRanges, std::set<uid_t>(skipUids.begin(), skipUids.end()),
259 true /* excludeLoopback */);
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]260
261 if (err) {
262 return binder::Status::fromServiceSpecificError(-err,
263 String8::format("destroySockets: %s", strerror(-err)));
264 }
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]265 return binder::Status::ok();
266}
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]267
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]268// Parse a base64 encoded string into a vector of bytes.
269// On failure, return an empty vector.
270static std::vector<uint8_t> parseBase64(const std::string& input) {
271 std::vector<uint8_t> decoded;
272 size_t out_len;
273 if (EVP_DecodedLength(&out_len, input.size()) != 1) {
274 return decoded;
275 }
276 // out_len is now an upper bound on the output length.
277 decoded.resize(out_len);
278 if (EVP_DecodeBase64(decoded.data(), &out_len, decoded.size(),
279 reinterpret_cast<const uint8_t*>(input.data()), input.size()) == 1) {
280 // Possibly shrink the vector if the actual output was smaller than the bound.
281 decoded.resize(out_len);
282 } else {
283 decoded.clear();
284 }
285 if (out_len != SHA256_SIZE) {
286 decoded.clear();
287 }
288 return decoded;
289}
290
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]291binder::Status NetdNativeService::setResolverConfiguration(int32_t netId,
292 const std::vector<std::string>& servers, const std::vector<std::string>& domains,
Erik Klinea1476fb2018-03-04 21:01:56 +0900[diff] [blame]293 const std::vector<int32_t>& params, const std::string& tlsName,
294 const std::vector<std::string>& tlsServers,
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]295 const std::vector<std::string>& tlsFingerprints) {
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]296 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
297 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
298
Ben Schwartz4204ecf2017-10-02 12:35:48 -0400[diff] [blame]299 std::set<std::vector<uint8_t>> decoded_fingerprints;
300 for (const std::string& fingerprint : tlsFingerprints) {
301 std::vector<uint8_t> decoded = parseBase64(fingerprint);
302 if (decoded.empty()) {
303 return binder::Status::fromServiceSpecificError(EINVAL,
304 String8::format("ResolverController error: bad fingerprint"));
305 }
306 decoded_fingerprints.emplace(decoded);
307 }
308
309 int err = gCtls->resolverCtrl.setResolverConfiguration(netId, servers, domains, params,
Erik Klinea1476fb2018-03-04 21:01:56 +0900[diff] [blame]310 tlsName, tlsServers, decoded_fingerprints);
Pierre Imaibeedec32016-04-13 06:44:51 +0900[diff] [blame]311 if (err != 0) {
312 return binder::Status::fromServiceSpecificError(-err,
313 String8::format("ResolverController error: %s", strerror(-err)));
314 }
315 return binder::Status::ok();
316}
317
318binder::Status NetdNativeService::getResolverInfo(int32_t netId,
319 std::vector<std::string>* servers, std::vector<std::string>* domains,
320 std::vector<int32_t>* params, std::vector<int32_t>* stats) {
321 // This function intentionally does not lock within Netd, as Bionic is thread-safe.
322 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
323
324 int err = gCtls->resolverCtrl.getResolverInfo(netId, servers, domains, params, stats);
325 if (err != 0) {
326 return binder::Status::fromServiceSpecificError(-err,
327 String8::format("ResolverController error: %s", strerror(-err)));
328 }
Lorenzo Colitti563d98b2016-04-24 13:13:14 +0900[diff] [blame]329 return binder::Status::ok();
330}
331
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]332binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) {
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]333 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock)
Erik Klinef48e4dd2016-07-18 04:02:07 +0900[diff] [blame]334
335 *ret = gCtls->tetherCtrl.applyDnsInterfaces();
336 return binder::Status::ok();
337}
338
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]339namespace {
340
341void tetherAddStats(PersistableBundle *bundle, const TetherController::TetherStats& stats) {
342 String16 iface = String16(stats.extIface.c_str());
343 std::vector<int64_t> statsVector(INetd::TETHER_STATS_ARRAY_SIZE);
344
345 bundle->getLongVector(iface, &statsVector);
346 if (statsVector.size() == 0) {
347 for (int i = 0; i < INetd::TETHER_STATS_ARRAY_SIZE; i++) statsVector.push_back(0);
348 }
349
Lorenzo Colitti9a65ac62017-09-04 18:07:56 +0900[diff] [blame]350 statsVector[INetd::TETHER_STATS_RX_BYTES] += stats.rxBytes;
351 statsVector[INetd::TETHER_STATS_RX_PACKETS] += stats.rxPackets;
352 statsVector[INetd::TETHER_STATS_TX_BYTES] += stats.txBytes;
353 statsVector[INetd::TETHER_STATS_TX_PACKETS] += stats.txPackets;
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]354
355 bundle->putLongVector(iface, statsVector);
356}
357
358} // namespace
359
360binder::Status NetdNativeService::tetherGetStats(PersistableBundle *bundle) {
361 NETD_LOCKING_RPC(NETWORK_STACK, gCtls->tetherCtrl.lock)
362
Lorenzo Colitti5192bf72017-09-04 13:30:59 +0900[diff] [blame]363 const auto& statsList = gCtls->tetherCtrl.getTetherStats();
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]364 if (!isOk(statsList)) {
Nathan Harold28ccfef2018-03-16 19:02:47 -0700[diff] [blame]365 return asBinderStatus(statsList);
Lorenzo Colitti9a8a9ff2017-01-31 19:06:59 +0900[diff] [blame]366 }
367
368 for (const auto& stats : statsList.value()) {
369 tetherAddStats(bundle, stats);
370 }
371
372 return binder::Status::ok();
373}
374
Erik Kline53c20882016-08-02 15:22:53 +0900[diff] [blame]375binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName,
376 const std::string &addrString, int prefixLength) {
377 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
378
379 const int err = InterfaceController::addAddress(
380 ifName.c_str(), addrString.c_str(), prefixLength);
381 if (err != 0) {
382 return binder::Status::fromServiceSpecificError(-err,
383 String8::format("InterfaceController error: %s", strerror(-err)));
384 }
385 return binder::Status::ok();
386}
387
388binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
389 const std::string &addrString, int prefixLength) {
390 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
391
392 const int err = InterfaceController::delAddress(
393 ifName.c_str(), addrString.c_str(), prefixLength);
394 if (err != 0) {
395 return binder::Status::fromServiceSpecificError(-err,
396 String8::format("InterfaceController error: %s", strerror(-err)));
397 }
398 return binder::Status::ok();
399}
400
Erik Kline55b06f82016-07-04 09:57:18 +0900[diff] [blame]401binder::Status NetdNativeService::setProcSysNet(
402 int32_t family, int32_t which, const std::string &ifname, const std::string &parameter,
403 const std::string &value) {
404 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
405
406 const char *familyStr;
407 switch (family) {
408 case INetd::IPV4:
409 familyStr = "ipv4";
410 break;
411 case INetd::IPV6:
412 familyStr = "ipv6";
413 break;
414 default:
415 return binder::Status::fromServiceSpecificError(EAFNOSUPPORT, String8("Bad family"));
416 }
417
418 const char *whichStr;
419 switch (which) {
420 case INetd::CONF:
421 whichStr = "conf";
422 break;
423 case INetd::NEIGH:
424 whichStr = "neigh";
425 break;
426 default:
427 return binder::Status::fromServiceSpecificError(EINVAL, String8("Bad category"));
428 }
429
430 const int err = InterfaceController::setParameter(
431 familyStr, whichStr, ifname.c_str(), parameter.c_str(),
432 value.c_str());
433 if (err != 0) {
434 return binder::Status::fromServiceSpecificError(-err,
435 String8::format("ResolverController error: %s", strerror(-err)));
436 }
437 return binder::Status::ok();
438}
439
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]440binder::Status NetdNativeService::getMetricsReportingLevel(int *reportingLevel) {
441 // This function intentionally does not lock, since the only thing it does is one read from an
442 // atomic_int.
443 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
444 ENFORCE_DEBUGGABLE();
445
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]446 *reportingLevel = gCtls->eventReporter.getMetricsReportingLevel();
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]447 return binder::Status::ok();
448}
449
450binder::Status NetdNativeService::setMetricsReportingLevel(const int reportingLevel) {
451 // This function intentionally does not lock, since the only thing it does is one write to an
452 // atomic_int.
453 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
454 ENFORCE_DEBUGGABLE();
455
Michal Karpinskid5440112016-10-06 16:56:04 +0100[diff] [blame]456 return (gCtls->eventReporter.setMetricsReportingLevel(reportingLevel) == 0)
457 ? binder::Status::ok()
458 : binder::Status::fromExceptionCode(binder::Status::EX_ILLEGAL_ARGUMENT);
Robin Lee2cf56172016-09-13 18:55:42 +0900[diff] [blame]459}
460
Benedict Wongb2daefb2017-12-06 22:05:46 -0800[diff] [blame]461binder::Status NetdNativeService::ipSecSetEncapSocketOwner(const android::base::unique_fd& socket,
462 int newUid) {
463 ENFORCE_PERMISSION(NETWORK_STACK)
464 ALOGD("ipSecSetEncapSocketOwner()");
465
466 uid_t callerUid = IPCThreadState::self()->getCallingUid();
467 return asBinderStatus(gCtls->xfrmCtrl.ipSecSetEncapSocketOwner(socket, newUid, callerUid));
468}
469
470
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]471binder::Status NetdNativeService::ipSecAllocateSpi(
472 int32_t transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]473 const std::string& sourceAddress,
474 const std::string& destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]475 int32_t inSpi,
476 int32_t* outSpi) {
477 // Necessary locking done in IpSecService and kernel
478 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
479 ALOGD("ipSecAllocateSpi()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]480 return asBinderStatus(gCtls->xfrmCtrl.ipSecAllocateSpi(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]481 transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]482 sourceAddress,
483 destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]484 inSpi,
485 outSpi));
486}
487
488binder::Status NetdNativeService::ipSecAddSecurityAssociation(
489 int32_t transformId,
490 int32_t mode,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]491 const std::string& sourceAddress,
492 const std::string& destinationAddress,
Benedict Wong96abf482018-01-22 13:56:41 -0800[diff] [blame]493 int32_t underlyingNetId,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]494 int32_t spi,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]495 int32_t markValue,
496 int32_t markMask,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]497 const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
498 const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]499 const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]500 int32_t encapType,
501 int32_t encapLocalPort,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]502 int32_t encapRemotePort) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]503 // Necessary locking done in IpSecService and kernel
504 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
505 ALOGD("ipSecAddSecurityAssociation()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]506 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation(
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]507 transformId, mode, sourceAddress, destinationAddress,
Benedict Wong96abf482018-01-22 13:56:41 -0800[diff] [blame]508 underlyingNetId,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]509 spi, markValue, markMask,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]510 authAlgo, authKey, authTruncBits,
511 cryptAlgo, cryptKey, cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]512 aeadAlgo, aeadKey, aeadIcvBits,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]513 encapType, encapLocalPort, encapRemotePort));
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]514}
515
516binder::Status NetdNativeService::ipSecDeleteSecurityAssociation(
517 int32_t transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]518 const std::string& sourceAddress,
519 const std::string& destinationAddress,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]520 int32_t spi,
521 int32_t markValue,
522 int32_t markMask) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]523 // Necessary locking done in IpSecService and kernel
524 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
525 ALOGD("ipSecDeleteSecurityAssociation()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]526 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]527 transformId,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]528 sourceAddress,
529 destinationAddress,
Di Lu2ccb3e52018-01-03 16:19:20 -0800[diff] [blame]530 spi,
531 markValue,
532 markMask));
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]533}
534
535binder::Status NetdNativeService::ipSecApplyTransportModeTransform(
536 const android::base::unique_fd& socket,
537 int32_t transformId,
538 int32_t direction,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]539 const std::string& sourceAddress,
540 const std::string& destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]541 int32_t spi) {
542 // Necessary locking done in IpSecService and kernel
543 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
544 ALOGD("ipSecApplyTransportModeTransform()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]545 return asBinderStatus(gCtls->xfrmCtrl.ipSecApplyTransportModeTransform(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]546 socket,
547 transformId,
548 direction,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]549 sourceAddress,
550 destinationAddress,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]551 spi));
552}
553
554binder::Status NetdNativeService::ipSecRemoveTransportModeTransform(
555 const android::base::unique_fd& socket) {
556 // Necessary locking done in IpSecService and kernel
557 ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
558 ALOGD("ipSecRemoveTransportModeTransform()");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]559 return asBinderStatus(gCtls->xfrmCtrl.ipSecRemoveTransportModeTransform(
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]560 socket));
561}
562
Benedict Wong84a8dca2018-01-19 12:12:17 -0800[diff] [blame]563binder::Status NetdNativeService::ipSecAddSecurityPolicy(
564 int32_t transformId,
565 int32_t direction,
566 const std::string& sourceAddress,
567 const std::string& destinationAddress,
568 int32_t spi,
569 int32_t markValue,
570 int32_t markMask){
571 // Necessary locking done in IpSecService and kernel
572 ENFORCE_PERMISSION(NETWORK_STACK);
573 ALOGD("ipSecAddSecurityPolicy()");
574 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityPolicy(
575 transformId,
576 direction,
577 sourceAddress,
578 destinationAddress,
579 spi,
580 markValue,
581 markMask));
582}
583
584binder::Status NetdNativeService::ipSecUpdateSecurityPolicy(
585 int32_t transformId,
586 int32_t direction,
587 const std::string& sourceAddress,
588 const std::string& destinationAddress,
589 int32_t spi,
590 int32_t markValue,
591 int32_t markMask){
592 // Necessary locking done in IpSecService and kernel
593 ENFORCE_PERMISSION(NETWORK_STACK);
594 ALOGD("ipSecAddSecurityPolicy()");
595 return asBinderStatus(gCtls->xfrmCtrl.ipSecUpdateSecurityPolicy(
596 transformId,
597 direction,
598 sourceAddress,
599 destinationAddress,
600 spi,
601 markValue,
602 markMask));
603}
604
605binder::Status NetdNativeService::ipSecDeleteSecurityPolicy(
606 int32_t transformId,
607 int32_t direction,
608 const std::string& sourceAddress,
609 const std::string& destinationAddress,
610 int32_t markValue,
611 int32_t markMask){
612 // Necessary locking done in IpSecService and kernel
613 ENFORCE_PERMISSION(NETWORK_STACK);
614 ALOGD("ipSecAddSecurityPolicy()");
615 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityPolicy(
616 transformId,
617 direction,
618 sourceAddress,
619 destinationAddress,
620 markValue,
621 markMask));
622}
623
manojboopathi8707f232018-01-02 14:45:47 -0800[diff] [blame]624binder::Status NetdNativeService::addVirtualTunnelInterface(
625 const std::string& deviceName,
626 const std::string& localAddress,
627 const std::string& remoteAddress,
628 int32_t iKey,
629 int32_t oKey) {
630 // Necessary locking done in IpSecService and kernel
631 ENFORCE_PERMISSION(NETWORK_STACK);
632 ALOGD("addVirtualTunnelInterface()");
633 int ret = gCtls->xfrmCtrl.addVirtualTunnelInterface(
634 deviceName,
635 localAddress,
636 remoteAddress,
637 iKey,
638 oKey,
639 false);
640
641 return (ret == 0) ? binder::Status::ok() :
642 asBinderStatus(netdutils::statusFromErrno(
643 ret, "Error in creating virtual tunnel interface."));
644}
645
646binder::Status NetdNativeService::updateVirtualTunnelInterface(
647 const std::string& deviceName,
648 const std::string& localAddress,
649 const std::string& remoteAddress,
650 int32_t iKey,
651 int32_t oKey) {
652 // Necessary locking done in IpSecService and kernel
653 ENFORCE_PERMISSION(NETWORK_STACK);
654 ALOGD("updateVirtualTunnelInterface()");
655 int ret = gCtls->xfrmCtrl.addVirtualTunnelInterface(
656 deviceName,
657 localAddress,
658 remoteAddress,
659 iKey,
660 oKey,
661 true);
662
663 return (ret == 0) ? binder::Status::ok() :
664 asBinderStatus(netdutils::statusFromErrno(
665 ret, "Error in updating virtual tunnel interface."));
666}
667
668binder::Status NetdNativeService::removeVirtualTunnelInterface(const std::string& deviceName) {
669 // Necessary locking done in IpSecService and kernel
670 ENFORCE_PERMISSION(NETWORK_STACK);
671 ALOGD("removeVirtualTunnelInterface()");
672 int ret = gCtls->xfrmCtrl.removeVirtualTunnelInterface(deviceName);
673
674 return (ret == 0) ? binder::Status::ok() :
675 asBinderStatus(netdutils::statusFromErrno(
676 ret, "Error in removing virtual tunnel interface."));
677}
678
Joel Scherpelzde937962017-06-01 13:20:21 +0900[diff] [blame]679binder::Status NetdNativeService::setIPv6AddrGenMode(const std::string& ifName,
680 int32_t mode) {
681 ENFORCE_PERMISSION(NETWORK_STACK);
Nathan Harold28ccfef2018-03-16 19:02:47 -0700[diff] [blame]682 return asBinderStatus(InterfaceController::setIPv6AddrGenMode(ifName, mode));
Joel Scherpelzde937962017-06-01 13:20:21 +0900[diff] [blame]683}
684
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]685binder::Status NetdNativeService::wakeupAddInterface(const std::string& ifName,
686 const std::string& prefix, int32_t mark,
687 int32_t mask) {
688 ENFORCE_PERMISSION(NETWORK_STACK);
Nathan Harold28ccfef2018-03-16 19:02:47 -0700[diff] [blame]689 return asBinderStatus(gCtls->wakeupCtrl.addInterface(ifName, prefix, mark, mask));
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]690}
691
692binder::Status NetdNativeService::wakeupDelInterface(const std::string& ifName,
693 const std::string& prefix, int32_t mark,
694 int32_t mask) {
695 ENFORCE_PERMISSION(NETWORK_STACK);
Nathan Harold28ccfef2018-03-16 19:02:47 -0700[diff] [blame]696 return asBinderStatus(gCtls->wakeupCtrl.delInterface(ifName, prefix, mark, mask));
Joel Scherpelz08b84cd2017-05-22 13:11:54 +0900[diff] [blame]697}
698
Chenbo Feng07d43fe2017-12-21 14:38:51 -0800[diff] [blame]699binder::Status NetdNativeService::trafficCheckBpfStatsEnable(bool* ret) {
700 ENFORCE_PERMISSION(NETWORK_STACK);
701 *ret = gCtls->trafficCtrl.checkBpfStatsEnable();
702 return binder::Status::ok();
703}
704
Lorenzo Colittie4d626e2016-02-02 17:19:04 +0900[diff] [blame]705} // namespace net
706} // namespace android