1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #pragma once 18 19 #include "InterfaceController.h" // getParameter 20 #include "NetdConstants.h" // IptablesTarget 21 #include "Network.h" // UidRangeMap 22 #include "Permission.h" 23 24 #include <android-base/thread_annotations.h> 25 26 #include <linux/netlink.h> 27 #include <sys/types.h> 28 #include <map> 29 #include <mutex> 30 31 namespace android::net { 32 33 // clang-format off 34 constexpr int32_t RULE_PRIORITY_VPN_OVERRIDE_SYSTEM = 10000; 35 constexpr int32_t RULE_PRIORITY_VPN_OVERRIDE_OIF = 11000; 36 constexpr int32_t RULE_PRIORITY_VPN_OUTPUT_TO_LOCAL = 12000; 37 constexpr int32_t RULE_PRIORITY_SECURE_VPN = 13000; 38 constexpr int32_t RULE_PRIORITY_PROHIBIT_NON_VPN = 14000; 39 // Rules used when applications explicitly select a network that they have permission to use only 40 // because they are in the list of UID ranges for that network. 41 // 42 // Sockets from these UIDs will not match RULE_PRIORITY_EXPLICIT_NETWORK rules because they will 43 // not have the necessary permission bits in the fwmark. We cannot just give any socket on any of 44 // these networks the permission bits, because if the UID that created the socket loses access to 45 // the network, then the socket must not match any rule that selects that network. 46 constexpr int32_t RULE_PRIORITY_UID_EXPLICIT_NETWORK = 15000; 47 constexpr int32_t RULE_PRIORITY_EXPLICIT_NETWORK = 16000; 48 constexpr int32_t RULE_PRIORITY_OUTPUT_INTERFACE = 17000; 49 constexpr int32_t RULE_PRIORITY_LEGACY_SYSTEM = 18000; 50 constexpr int32_t RULE_PRIORITY_LEGACY_NETWORK = 19000; 51 constexpr int32_t RULE_PRIORITY_LOCAL_NETWORK = 20000; 52 constexpr int32_t RULE_PRIORITY_TETHERING = 21000; 53 // Implicit rules for sockets that connected on a given network because the network was the default 54 // network for the UID. 55 constexpr int32_t RULE_PRIORITY_UID_IMPLICIT_NETWORK = 22000; 56 constexpr int32_t RULE_PRIORITY_IMPLICIT_NETWORK = 23000; 57 constexpr int32_t RULE_PRIORITY_BYPASSABLE_VPN_NO_LOCAL_EXCLUSION = 24000; 58 // Sets of rules used for excluding local routes from the VPN. Look up tables 59 // that contain directly-connected local routes taken from the default network. 60 // The first set is used for apps that have a per-UID default network. The rule 61 // UID ranges match those of the per-UID default network rule for that network. 62 // The second set has no UID ranges and is used for apps whose default network 63 // is the system default network network. 64 constexpr int32_t RULE_PRIORITY_UID_LOCAL_ROUTES = 25000; 65 constexpr int32_t RULE_PRIORITY_LOCAL_ROUTES = 26000; 66 constexpr int32_t RULE_PRIORITY_BYPASSABLE_VPN_LOCAL_EXCLUSION = 27000; 67 constexpr int32_t RULE_PRIORITY_VPN_FALLTHROUGH = 28000; 68 constexpr int32_t RULE_PRIORITY_UID_DEFAULT_NETWORK = 29000; 69 // Rule used when framework wants to disable default network from specified applications. There will 70 // be a small interval the same uid range exists in both UID_DEFAULT_UNREACHABLE and 71 // UID_DEFAULT_NETWORK when framework is switching user preferences. 72 // 73 // framework --> netd 74 // step 1: set uid to unreachable network 75 // step 2: remove uid from OEM-paid network list 76 // or 77 // step 1: add uid to OEM-paid network list 78 // step 2: remove uid from unreachable network 79 // 80 // The priority is lower than UID_DEFAULT_NETWORK. Otherwise, the app will be told by 81 // ConnectivityService that it has a network in step 1 of the second case. But if it tries to use 82 // the network, it will not work. That will potentially cause a user-visible error. 83 constexpr int32_t RULE_PRIORITY_UID_DEFAULT_UNREACHABLE = 30000; 84 constexpr int32_t RULE_PRIORITY_DEFAULT_NETWORK = 31000; 85 constexpr int32_t RULE_PRIORITY_UNREACHABLE = 32000; 86 // clang-format on 87 88 class UidRanges; 89 90 class RouteController { 91 public: 92 // How the routing table number is determined for route modification requests. 93 enum TableType { 94 INTERFACE, // Compute the table number based on the interface index. 95 LOCAL_NETWORK, // A fixed table used for routes to directly-connected clients/peers. 96 LEGACY_NETWORK, // Use a fixed table that's used to override the default network. 97 LEGACY_SYSTEM, // A fixed table, only modifiable by system apps; overrides VPNs too. 98 }; 99 100 static const int ROUTE_TABLE_OFFSET_FROM_INDEX = 1000; 101 // Offset for the table of virtual local network created from the physical interface. 102 static const int ROUTE_TABLE_OFFSET_FROM_INDEX_FOR_LOCAL = 1000000000; 103 104 static constexpr const char* INTERFACE_LOCAL_SUFFIX = "_local"; 105 static constexpr const char* RT_TABLES_PATH = "/data/misc/net/rt_tables"; 106 static const char* const LOCAL_MANGLE_INPUT; 107 108 [[nodiscard]] static int Init(unsigned localNetId); 109 110 // Returns an ifindex given the interface name, by looking up in sInterfaceToTable. 111 // This is currently only used by NetworkController::addInterfaceToNetwork 112 // and should probabaly be changed to passing the ifindex into RouteController instead. 113 // We do this instead of calling if_nametoindex because the same interface name can 114 // correspond to different interface indices over time. This way, even if the interface 115 // index has changed, we can still free any map entries indexed by the ifindex that was 116 // used to add them. 117 static uint32_t getIfIndex(const char* interface) EXCLUDES(sInterfaceToTableLock); 118 119 [[nodiscard]] static int addInterfaceToLocalNetwork(unsigned netId, const char* interface); 120 [[nodiscard]] static int removeInterfaceFromLocalNetwork(unsigned netId, const char* interface); 121 122 [[nodiscard]] static int addInterfaceToPhysicalNetwork(unsigned netId, const char* interface, 123 Permission permission, 124 const UidRangeMap& uidRangeMap, 125 bool local); 126 [[nodiscard]] static int removeInterfaceFromPhysicalNetwork(unsigned netId, 127 const char* interface, 128 Permission permission, 129 const UidRangeMap& uidRangeMap, 130 bool local); 131 132 [[nodiscard]] static int addInterfaceToVirtualNetwork(unsigned netId, const char* interface, 133 bool secure, 134 const UidRangeMap& uidRangeMap, 135 bool excludeLocalRoutes); 136 [[nodiscard]] static int removeInterfaceFromVirtualNetwork(unsigned netId, 137 const char* interface, bool secure, 138 const UidRangeMap& uidRangeMap, 139 bool excludeLocalRoutes); 140 141 [[nodiscard]] static int modifyPhysicalNetworkPermission(unsigned netId, const char* interface, 142 Permission oldPermission, 143 Permission newPermission, bool local); 144 145 [[nodiscard]] static int addUsersToVirtualNetwork(unsigned netId, const char* interface, 146 bool secure, const UidRangeMap& uidRangeMap, 147 bool excludeLocalRoutes); 148 [[nodiscard]] static int removeUsersFromVirtualNetwork(unsigned netId, const char* interface, 149 bool secure, 150 const UidRangeMap& uidRangeMap, 151 bool excludeLocalRoutes); 152 153 [[nodiscard]] static int addUsersToRejectNonSecureNetworkRule(const UidRanges& uidRanges); 154 [[nodiscard]] static int removeUsersFromRejectNonSecureNetworkRule(const UidRanges& uidRanges); 155 156 [[nodiscard]] static int addInterfaceToDefaultNetwork(const char* interface, 157 Permission permission); 158 [[nodiscard]] static int removeInterfaceFromDefaultNetwork(const char* interface, 159 Permission permission); 160 161 // |nexthop| can be NULL (to indicate a directly-connected route), "unreachable" (to indicate a 162 // route that's blocked), "throw" (to indicate the lack of a match), or a regular IP address. 163 [[nodiscard]] static int addRoute(const char* interface, const char* destination, 164 const char* nexthop, TableType tableType, int mtu, 165 int priority); 166 [[nodiscard]] static int removeRoute(const char* interface, const char* destination, 167 const char* nexthop, TableType tableType, int priority); 168 [[nodiscard]] static int updateRoute(const char* interface, const char* destination, 169 const char* nexthop, TableType tableType, int mtu); 170 171 [[nodiscard]] static int enableTethering(const char* inputInterface, 172 const char* outputInterface); 173 [[nodiscard]] static int disableTethering(const char* inputInterface, 174 const char* outputInterface); 175 176 [[nodiscard]] static int addVirtualNetworkFallthrough(unsigned vpnNetId, 177 const char* physicalInterface, 178 Permission permission); 179 [[nodiscard]] static int removeVirtualNetworkFallthrough(unsigned vpnNetId, 180 const char* physicalInterface, 181 Permission permission); 182 183 [[nodiscard]] static int addUsersToPhysicalNetwork(unsigned netId, const char* interface, 184 const UidRangeMap& uidRangeMap, bool local); 185 186 [[nodiscard]] static int removeUsersFromPhysicalNetwork(unsigned netId, const char* interface, 187 const UidRangeMap& uidRangeMap, 188 bool local); 189 190 [[nodiscard]] static int addUsersToUnreachableNetwork(unsigned netId, 191 const UidRangeMap& uidRangeMap); 192 193 [[nodiscard]] static int removeUsersFromUnreachableNetwork(unsigned netId, 194 const UidRangeMap& uidRangeMap); 195 196 // For testing. 197 static int (*iptablesRestoreCommandFunction)(IptablesTarget, const std::string&, 198 const std::string&, std::string *); 199 static uint32_t (*ifNameToIndexFunction)(const char*); 200 201 private: 202 friend class RouteControllerTest; 203 204 // An expandable array for fixed local prefix though it's only one element now. 205 static constexpr const char* V4_FIXED_LOCAL_PREFIXES[] = { 206 // The multicast range is 224.0.0.0/4 but only limit it to 224.0.0.0/24 since the IPv4 207 // definitions are not as precise as for IPv6, it is the only range that the standards 208 // (RFC 2365 and RFC 5771) specify is link-local and must not be forwarded. 209 "224.0.0.0/24" // Link-local multicast; non-internet routable 210 }; 211 212 static std::mutex sInterfaceToTableLock; 213 static std::map<std::string, uint32_t> sInterfaceToTable GUARDED_BY(sInterfaceToTableLock); 214 215 static int configureDummyNetwork(); 216 [[nodiscard]] static int flushRoutes(const char* interface) EXCLUDES(sInterfaceToTableLock); 217 [[nodiscard]] static int flushRoutes(const char* interface, bool local) 218 EXCLUDES(sInterfaceToTableLock); 219 [[nodiscard]] static int flushRoutes(uint32_t table); 220 static uint32_t getRouteTableForInterfaceLocked(const char* interface, bool local) 221 REQUIRES(sInterfaceToTableLock); 222 static uint32_t getRouteTableForInterface(const char* interface, bool local) 223 EXCLUDES(sInterfaceToTableLock); 224 static int modifyDefaultNetwork(uint16_t action, const char* interface, Permission permission); 225 static int modifyPhysicalNetwork(unsigned netId, const char* interface, 226 const UidRangeMap& uidRangeMap, Permission permission, 227 bool add, bool modifyNonUidBasedRules, bool local); 228 static int modifyUnreachableNetwork(unsigned netId, const UidRangeMap& uidRangeMap, bool add); 229 static int modifyRoute(uint16_t action, uint16_t flags, const char* interface, 230 const char* destination, const char* nexthop, TableType tableType, 231 int mtu, int priority, bool isLocal); 232 static int modifyTetheredNetwork(uint16_t action, const char* inputInterface, 233 const char* outputInterface); 234 static int modifyVpnFallthroughRule(uint16_t action, unsigned vpnNetId, 235 const char* physicalInterface, Permission permission); 236 static int modifyVirtualNetwork(unsigned netId, const char* interface, 237 const UidRangeMap& uidRangeMap, bool secure, bool add, 238 bool modifyNonUidBasedRules, bool excludeLocalRoutes); 239 static void updateTableNamesFile() EXCLUDES(sInterfaceToTableLock); 240 static int modifyVpnLocalExclusionRule(bool add, const char* physicalInterface); 241 242 static int modifyUidLocalNetworkRule(const char* interface, uid_t uidStart, uid_t uidEnd, 243 bool add); 244 static bool isLocalRoute(TableType tableType, const char* destination, const char* nexthop); 245 static bool isWithinIpv4LocalPrefix(const char* addrstr); 246 static int addFixedLocalRoutes(const char* interface); 247 }; 248 249 // Public because they are called by by RouteControllerTest.cpp. 250 // TODO: come up with a scheme of unit testing this code that does not rely on making all its 251 // functions public. 252 [[nodiscard]] int modifyIpRoute(uint16_t action, uint16_t flags, uint32_t table, 253 const char* interface, const char* destination, const char* nexthop, 254 uint32_t mtu, uint32_t priority); 255 uint32_t getRulePriority(const nlmsghdr *nlh); 256 [[nodiscard]] int modifyIncomingPacketMark(unsigned netId, const char* interface, 257 Permission permission, bool add); 258 259 } // namespace android::net 260