1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #pragma once 18 19 #include "InterfaceController.h" // getParameter 20 #include "NetdConstants.h" // IptablesTarget 21 #include "Network.h" // UidRangeMap 22 #include "Permission.h" 23 24 #include <android-base/thread_annotations.h> 25 26 #include <linux/netlink.h> 27 #include <sys/types.h> 28 #include <map> 29 #include <mutex> 30 31 namespace android::net { 32 33 // clang-format off 34 constexpr int32_t RULE_PRIORITY_VPN_OVERRIDE_SYSTEM = 10000; 35 constexpr int32_t RULE_PRIORITY_VPN_OVERRIDE_OIF = 11000; 36 constexpr int32_t RULE_PRIORITY_VPN_OUTPUT_TO_LOCAL = 12000; 37 constexpr int32_t RULE_PRIORITY_SECURE_VPN = 13000; 38 constexpr int32_t RULE_PRIORITY_PROHIBIT_NON_VPN = 14000; 39 // Rules used when applications explicitly select a network that they have permission to use only 40 // because they are in the list of UID ranges for that network. 41 // 42 // Sockets from these UIDs will not match RULE_PRIORITY_EXPLICIT_NETWORK rules because they will 43 // not have the necessary permission bits in the fwmark. We cannot just give any socket on any of 44 // these networks the permission bits, because if the UID that created the socket loses access to 45 // the network, then the socket must not match any rule that selects that network. 46 constexpr int32_t RULE_PRIORITY_UID_EXPLICIT_NETWORK = 15000; 47 constexpr int32_t RULE_PRIORITY_EXPLICIT_NETWORK = 16000; 48 constexpr int32_t RULE_PRIORITY_OUTPUT_INTERFACE = 17000; 49 constexpr int32_t RULE_PRIORITY_LEGACY_SYSTEM = 18000; 50 constexpr int32_t RULE_PRIORITY_LEGACY_NETWORK = 19000; 51 constexpr int32_t RULE_PRIORITY_LOCAL_NETWORK = 20000; 52 constexpr int32_t RULE_PRIORITY_TETHERING = 21000; 53 // Implicit rules for sockets that connected on a given network because the network was the default 54 // network for the UID. 55 constexpr int32_t RULE_PRIORITY_UID_IMPLICIT_NETWORK = 22000; 56 constexpr int32_t RULE_PRIORITY_IMPLICIT_NETWORK = 23000; 57 constexpr int32_t RULE_PRIORITY_BYPASSABLE_VPN_NO_LOCAL_EXCLUSION = 24000; 58 // Sets of rules used for excluding local routes from the VPN. Look up tables 59 // that contain directly-connected local routes taken from the default network. 60 // The first set is used for apps that have a per-UID default network. The rule 61 // UID ranges match those of the per-UID default network rule for that network. 62 // The second set has no UID ranges and is used for apps whose default network 63 // is the system default network network. 64 constexpr int32_t RULE_PRIORITY_UID_LOCAL_ROUTES = 25000; 65 constexpr int32_t RULE_PRIORITY_LOCAL_ROUTES = 26000; 66 constexpr int32_t RULE_PRIORITY_BYPASSABLE_VPN_LOCAL_EXCLUSION = 27000; 67 constexpr int32_t RULE_PRIORITY_VPN_FALLTHROUGH = 28000; 68 constexpr int32_t RULE_PRIORITY_UID_DEFAULT_NETWORK = 29000; 69 // Rule used when framework wants to disable default network from specified applications. There will 70 // be a small interval the same uid range exists in both UID_DEFAULT_UNREACHABLE and 71 // UID_DEFAULT_NETWORK when framework is switching user preferences. 72 // 73 // framework --> netd 74 // step 1: set uid to unreachable network 75 // step 2: remove uid from OEM-paid network list 76 // or 77 // step 1: add uid to OEM-paid network list 78 // step 2: remove uid from unreachable network 79 // 80 // The priority is lower than UID_DEFAULT_NETWORK. Otherwise, the app will be told by 81 // ConnectivityService that it has a network in step 1 of the second case. But if it tries to use 82 // the network, it will not work. That will potentially cause a user-visible error. 83 constexpr int32_t RULE_PRIORITY_UID_DEFAULT_UNREACHABLE = 30000; 84 constexpr int32_t RULE_PRIORITY_DEFAULT_NETWORK = 31000; 85 constexpr int32_t RULE_PRIORITY_UNREACHABLE = 32000; 86 // clang-format on 87 88 static const char* V4_FIXED_LOCAL_PREFIXES[] = { 89 // The multicast range is 224.0.0.0/4 but only limit it to 224.0.0.0/24 since the IPv4 90 // definitions are not as precise as for IPv6, it is the only range that the standards 91 // (RFC 2365 and RFC 5771) specify is link-local and must not be forwarded. 92 "224.0.0.0/24" // Link-local multicast; non-internet routable 93 }; 94 95 class UidRanges; 96 97 class RouteController { 98 public: 99 // How the routing table number is determined for route modification requests. 100 enum TableType { 101 INTERFACE, // Compute the table number based on the interface index. 102 LOCAL_NETWORK, // A fixed table used for routes to directly-connected clients/peers. 103 LEGACY_NETWORK, // Use a fixed table that's used to override the default network. 104 LEGACY_SYSTEM, // A fixed table, only modifiable by system apps; overrides VPNs too. 105 }; 106 107 static const int ROUTE_TABLE_OFFSET_FROM_INDEX = 1000; 108 // Offset for the table of virtual local network created from the physical interface. 109 static const int ROUTE_TABLE_OFFSET_FROM_INDEX_FOR_LOCAL = 1000000000; 110 111 static constexpr const char* INTERFACE_LOCAL_SUFFIX = "_local"; 112 static constexpr const char* RT_TABLES_PATH = "/data/misc/net/rt_tables"; 113 static const char* const LOCAL_MANGLE_INPUT; 114 115 [[nodiscard]] static int Init(unsigned localNetId); 116 117 // Returns an ifindex given the interface name, by looking up in sInterfaceToTable. 118 // This is currently only used by NetworkController::addInterfaceToNetwork 119 // and should probabaly be changed to passing the ifindex into RouteController instead. 120 // We do this instead of calling if_nametoindex because the same interface name can 121 // correspond to different interface indices over time. This way, even if the interface 122 // index has changed, we can still free any map entries indexed by the ifindex that was 123 // used to add them. 124 static uint32_t getIfIndex(const char* interface) EXCLUDES(sInterfaceToTableLock); 125 126 [[nodiscard]] static int addInterfaceToLocalNetwork(unsigned netId, const char* interface); 127 [[nodiscard]] static int removeInterfaceFromLocalNetwork(unsigned netId, const char* interface); 128 129 [[nodiscard]] static int addInterfaceToPhysicalNetwork(unsigned netId, const char* interface, 130 Permission permission, 131 const UidRangeMap& uidRangeMap); 132 [[nodiscard]] static int removeInterfaceFromPhysicalNetwork(unsigned netId, 133 const char* interface, 134 Permission permission, 135 const UidRangeMap& uidRangeMap); 136 137 [[nodiscard]] static int addInterfaceToVirtualNetwork(unsigned netId, const char* interface, 138 bool secure, 139 const UidRangeMap& uidRangeMap, 140 bool excludeLocalRoutes); 141 [[nodiscard]] static int removeInterfaceFromVirtualNetwork(unsigned netId, 142 const char* interface, bool secure, 143 const UidRangeMap& uidRangeMap, 144 bool excludeLocalRoutes); 145 146 [[nodiscard]] static int modifyPhysicalNetworkPermission(unsigned netId, const char* interface, 147 Permission oldPermission, 148 Permission newPermission); 149 150 [[nodiscard]] static int addUsersToVirtualNetwork(unsigned netId, const char* interface, 151 bool secure, const UidRangeMap& uidRangeMap, 152 bool excludeLocalRoutes); 153 [[nodiscard]] static int removeUsersFromVirtualNetwork(unsigned netId, const char* interface, 154 bool secure, 155 const UidRangeMap& uidRangeMap, 156 bool excludeLocalRoutes); 157 158 [[nodiscard]] static int addUsersToRejectNonSecureNetworkRule(const UidRanges& uidRanges); 159 [[nodiscard]] static int removeUsersFromRejectNonSecureNetworkRule(const UidRanges& uidRanges); 160 161 [[nodiscard]] static int addInterfaceToDefaultNetwork(const char* interface, 162 Permission permission); 163 [[nodiscard]] static int removeInterfaceFromDefaultNetwork(const char* interface, 164 Permission permission); 165 166 // |nexthop| can be NULL (to indicate a directly-connected route), "unreachable" (to indicate a 167 // route that's blocked), "throw" (to indicate the lack of a match), or a regular IP address. 168 [[nodiscard]] static int addRoute(const char* interface, const char* destination, 169 const char* nexthop, TableType tableType, int mtu, 170 int priority); 171 [[nodiscard]] static int removeRoute(const char* interface, const char* destination, 172 const char* nexthop, TableType tableType, int priority); 173 [[nodiscard]] static int updateRoute(const char* interface, const char* destination, 174 const char* nexthop, TableType tableType, int mtu); 175 176 [[nodiscard]] static int enableTethering(const char* inputInterface, 177 const char* outputInterface); 178 [[nodiscard]] static int disableTethering(const char* inputInterface, 179 const char* outputInterface); 180 181 [[nodiscard]] static int addVirtualNetworkFallthrough(unsigned vpnNetId, 182 const char* physicalInterface, 183 Permission permission); 184 [[nodiscard]] static int removeVirtualNetworkFallthrough(unsigned vpnNetId, 185 const char* physicalInterface, 186 Permission permission); 187 188 [[nodiscard]] static int addUsersToPhysicalNetwork(unsigned netId, const char* interface, 189 const UidRangeMap& uidRangeMap); 190 191 [[nodiscard]] static int removeUsersFromPhysicalNetwork(unsigned netId, const char* interface, 192 const UidRangeMap& uidRangeMap); 193 194 [[nodiscard]] static int addUsersToUnreachableNetwork(unsigned netId, 195 const UidRangeMap& uidRangeMap); 196 197 [[nodiscard]] static int removeUsersFromUnreachableNetwork(unsigned netId, 198 const UidRangeMap& uidRangeMap); 199 200 // For testing. 201 static int (*iptablesRestoreCommandFunction)(IptablesTarget, const std::string&, 202 const std::string&, std::string *); 203 static uint32_t (*ifNameToIndexFunction)(const char*); 204 205 private: 206 friend class RouteControllerTest; 207 208 static std::mutex sInterfaceToTableLock; 209 static std::map<std::string, uint32_t> sInterfaceToTable GUARDED_BY(sInterfaceToTableLock); 210 211 static int configureDummyNetwork(); 212 [[nodiscard]] static int flushRoutes(const char* interface) EXCLUDES(sInterfaceToTableLock); 213 [[nodiscard]] static int flushRoutes(const char* interface, bool local) 214 EXCLUDES(sInterfaceToTableLock); 215 [[nodiscard]] static int flushRoutes(uint32_t table); 216 static uint32_t getRouteTableForInterfaceLocked(const char* interface, bool local) 217 REQUIRES(sInterfaceToTableLock); 218 static uint32_t getRouteTableForInterface(const char* interface, bool local) 219 EXCLUDES(sInterfaceToTableLock); 220 static int modifyDefaultNetwork(uint16_t action, const char* interface, Permission permission); 221 static int modifyPhysicalNetwork(unsigned netId, const char* interface, 222 const UidRangeMap& uidRangeMap, Permission permission, 223 bool add, bool modifyNonUidBasedRules); 224 static int modifyUnreachableNetwork(unsigned netId, const UidRangeMap& uidRangeMap, bool add); 225 static int modifyRoute(uint16_t action, uint16_t flags, const char* interface, 226 const char* destination, const char* nexthop, TableType tableType, 227 int mtu, int priority, bool isLocal); 228 static int modifyTetheredNetwork(uint16_t action, const char* inputInterface, 229 const char* outputInterface); 230 static int modifyVpnFallthroughRule(uint16_t action, unsigned vpnNetId, 231 const char* physicalInterface, Permission permission); 232 static int modifyVirtualNetwork(unsigned netId, const char* interface, 233 const UidRangeMap& uidRangeMap, bool secure, bool add, 234 bool modifyNonUidBasedRules, bool excludeLocalRoutes); 235 static void updateTableNamesFile() EXCLUDES(sInterfaceToTableLock); 236 static int modifyVpnLocalExclusionRule(bool add, const char* physicalInterface); 237 238 static int modifyUidLocalNetworkRule(const char* interface, uid_t uidStart, uid_t uidEnd, 239 bool add); 240 static bool isLocalRoute(TableType tableType, const char* destination, const char* nexthop); 241 static bool isWithinIpv4LocalPrefix(const char* addrstr); 242 static int addFixedLocalRoutes(const char* interface); 243 }; 244 245 // Public because they are called by by RouteControllerTest.cpp. 246 // TODO: come up with a scheme of unit testing this code that does not rely on making all its 247 // functions public. 248 [[nodiscard]] int modifyIpRoute(uint16_t action, uint16_t flags, uint32_t table, 249 const char* interface, const char* destination, const char* nexthop, 250 uint32_t mtu, uint32_t priority); 251 uint32_t getRulePriority(const nlmsghdr *nlh); 252 [[nodiscard]] int modifyIncomingPacketMark(unsigned netId, const char* interface, 253 Permission permission, bool add); 254 255 } // namespace android::net 256