1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <regex>
18 #include <string>
19
20 #include <libgen.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <unistd.h>
25
26 #include <android-base/strings.h>
27
28 #define LOG_TAG "NetUtilsWrapper"
29 #include <log/log.h>
30
31 #include "NetUtilsWrapper.h"
32
33 #define SYSTEM_DIRNAME "/system/bin/"
34
35 #define OEM_IFACE "[^ ]*oem[0-9]+"
36 #define RMNET_IFACE "(r_)?rmnet_(data)?[0-9]+"
37 #define CCMNI_IFACE "cc(3)?mni[0-9]+"
38 #define VENDOR_IFACE "(" OEM_IFACE "|" RMNET_IFACE "|" CCMNI_IFACE ")"
39 #define VENDOR_CHAIN "(oem_.*|nm_.*|qcom_.*)"
40
41 // List of net utils wrapped by this program
42 // The list MUST be in descending order of string length
43 const char *netcmds[] = {
44 "ip6tables",
45 "iptables",
46 "ndc",
47 "tc",
48 "ip",
49 nullptr,
50 };
51
52 // List of regular expressions of expected commands.
53 const char *EXPECTED_REGEXPS[] = {
54 #define CMD "^" SYSTEM_DIRNAME
55 // Create, delete, and manage OEM networks.
56 CMD "ndc network (create|destroy) (oem|handle)[0-9]+( |$)",
57 CMD "ndc network interface (add|remove) (oem|handle)[0-9]+ " VENDOR_IFACE,
58 CMD "ndc network route (add|remove) (oem|handle)[0-9]+ ",
59 CMD "ndc ipfwd (enable|disable) ",
60 CMD "ndc ipfwd (add|remove) .*" VENDOR_IFACE,
61
62 // Manage vendor iptables rules.
63 CMD "ip(6)?tables -w.* (-A|-D|-F|-I|-N|-X) " VENDOR_CHAIN,
64 CMD "ip(6)?tables -w.* (-i|-o) " VENDOR_IFACE,
65
66 // Manage IPsec state.
67 CMD "ip xfrm .*",
68
69 // Manage vendor interfaces.
70 CMD "tc .* dev " VENDOR_IFACE,
71 CMD "ip( -4| -6)? (addr|address) (add|del|delete|flush).* dev " VENDOR_IFACE,
72
73 // Other activities observed on current devices. In future releases, these should be supported
74 // in a way that is less likely to interfere with general Android networking behaviour.
75 CMD "tc qdisc del dev root",
76 CMD "ip( -4| -6)? rule .* goto 13000 prio 11999",
77 CMD "ip( -4| -6)? rule .* prio 25000",
78 CMD "ip(6)?tables -w .* -j " VENDOR_CHAIN,
79 CMD "iptables -w -t mangle -[AD] PREROUTING -m socket --nowildcard --restore-skmark -j ACCEPT",
80 CMD "ndc network interface (add|remove) oem[0-9]+$", // Invalid command: no interface removed.
81 #undef CMD
82 };
83
checkExpectedCommand(int argc,char ** argv)84 bool checkExpectedCommand(int argc, char **argv) {
85 static bool loggedError = false;
86 std::vector<const char*> allArgs(argc);
87 for (int i = 0; i < argc; i++) {
88 allArgs[i] = argv[i];
89 }
90 std::string fullCmd = android::base::Join(allArgs, ' ');
91 for (size_t i = 0; i < ARRAY_SIZE(EXPECTED_REGEXPS); i++) {
92 const std::regex expectedRegexp(EXPECTED_REGEXPS[i], std::regex_constants::extended);
93 if (std::regex_search(fullCmd, expectedRegexp)) {
94 return true;
95 }
96 }
97 if (!loggedError) {
98 ALOGI("Unexpected command: %s", fullCmd.c_str());
99 fprintf(stderr, LOG_TAG ": Unexpected command: %s\n", fullCmd.c_str());
100 loggedError = true;
101 }
102 return false;
103 }
104
105
106 // This is the only gateway for vendor programs to reach net utils.
doMain(int argc,char ** argv)107 int doMain(int argc, char **argv) {
108 char *progname = argv[0];
109 char *basename = nullptr;
110
111 basename = strrchr(progname, '/');
112 basename = basename ? basename + 1 : progname;
113
114 for (int i = 0; netcmds[i]; ++i) {
115 size_t len = strlen(netcmds[i]);
116 if (!strncmp(basename, netcmds[i], len)) {
117 // truncate to match netcmds[i]
118 basename[len] = '\0';
119
120 // hardcode the path to /system so it cannot be overwritten
121 char *cmd;
122 if (asprintf(&cmd, "%s%s", SYSTEM_DIRNAME, basename) == -1) {
123 perror("asprintf");
124 exit(EXIT_FAILURE);
125 }
126 argv[0] = cmd;
127 if (checkExpectedCommand(argc, argv)) {
128 execv(cmd, argv);
129 }
130 }
131 }
132
133 // Invalid command. Reject and fail.
134 exit(EXIT_FAILURE);
135 }
136