/* * Copyright (C) 2017 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.server; import static android.Manifest.permission.DUMP; import static android.Manifest.permission.NETWORK_SETTINGS; import static android.net.IpSecManager.FEATURE_IPSEC_TUNNEL_MIGRATION; import static android.net.IpSecManager.INVALID_RESOURCE_ID; import static android.system.OsConstants.AF_INET; import static android.system.OsConstants.AF_INET6; import static android.system.OsConstants.AF_UNSPEC; import static android.system.OsConstants.EINVAL; import static android.system.OsConstants.IPPROTO_UDP; import static android.system.OsConstants.SOCK_DGRAM; import android.annotation.NonNull; import android.app.AppOpsManager; import android.content.Context; import android.content.pm.PackageManager; import android.net.ConnectivityManager; import android.net.IIpSecService; import android.net.INetd; import android.net.InetAddresses; import android.net.IpSecAlgorithm; import android.net.IpSecConfig; import android.net.IpSecManager; import android.net.IpSecMigrateInfoParcel; import android.net.IpSecSpiResponse; import android.net.IpSecTransform; import android.net.IpSecTransformResponse; import android.net.IpSecTransformState; import android.net.IpSecTunnelInterfaceResponse; import android.net.IpSecUdpEncapResponse; import android.net.LinkAddress; import android.net.LinkProperties; import android.net.Network; import android.net.TrafficStats; import android.os.Binder; import android.os.IBinder; import android.os.ParcelFileDescriptor; import android.os.Process; import android.os.RemoteException; import android.os.ServiceSpecificException; import android.system.ErrnoException; import android.system.Os; import android.system.OsConstants; import android.text.TextUtils; import android.util.Log; import android.util.Range; import android.util.SparseArray; import android.util.SparseBooleanArray; import com.android.internal.annotations.GuardedBy; import com.android.internal.annotations.VisibleForTesting; import com.android.internal.util.Preconditions; import com.android.modules.utils.build.SdkLevel; import com.android.net.module.util.BinderUtils; import com.android.net.module.util.NetdUtils; import com.android.net.module.util.PermissionUtils; import com.android.net.module.util.netlink.xfrm.XfrmNetlinkNewSaMessage; import libcore.io.IoUtils; import java.io.FileDescriptor; import java.io.IOException; import java.io.PrintWriter; import java.net.Inet4Address; import java.net.Inet6Address; import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.UnknownHostException; import java.util.ArrayList; import java.util.List; import java.util.Objects; /** * A service to manage multiple clients that want to access the IpSec API. The service is * responsible for maintaining a list of clients and managing the resources (and related quotas) * that each of them own. * *

Synchronization in IpSecService is done on all entrypoints due to potential race conditions at * the kernel/xfrm level. Further, this allows the simplifying assumption to be made that only one * thread is ever running at a time. * * @hide */ public class IpSecService extends IIpSecService.Stub { private static final String TAG = "IpSecService"; private static final boolean DBG = Log.isLoggable(TAG, Log.DEBUG); private static final int[] ADDRESS_FAMILIES = new int[] {OsConstants.AF_INET, OsConstants.AF_INET6}; private static final int NETD_FETCH_TIMEOUT_MS = 5000; // ms private static final InetAddress INADDR_ANY; private static final InetAddress IN6ADDR_ANY; @VisibleForTesting static final int MAX_PORT_BIND_ATTEMPTS = 10; private final INetd mNetd; private final IpSecXfrmController mIpSecXfrmCtrl; static { try { INADDR_ANY = InetAddress.getByAddress(new byte[] {0, 0, 0, 0}); IN6ADDR_ANY = InetAddress.getByAddress( new byte[] {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}); } catch (UnknownHostException e) { throw new RuntimeException(e); } } static final int FREE_PORT_MIN = 1024; // ports 1-1023 are reserved static final int PORT_MAX = 0xFFFF; // ports are an unsigned 16-bit integer /* Binder context for this service */ private final Context mContext; private final Dependencies mDeps; /** * The next non-repeating global ID for tracking resources between users, this service, and * kernel data structures. Accessing this variable is not thread safe, so it is only read or * modified within blocks synchronized on IpSecService.this. We want to avoid -1 * (INVALID_RESOURCE_ID) and 0 (we probably forgot to initialize it). */ @GuardedBy("IpSecService.this") private int mNextResourceId = 1; /** * Dependencies of IpSecService, for injection in tests. */ @VisibleForTesting public static class Dependencies { /** * Get a reference to INetd. */ public INetd getNetdInstance(Context context) throws RemoteException { final INetd netd = INetd.Stub.asInterface((IBinder) context.getSystemService(Context.NETD_SERVICE)); if (netd == null) { throw new RemoteException("Failed to Get Netd Instance"); } return netd; } /** Get a instance of IpSecXfrmController */ public IpSecXfrmController getIpSecXfrmController() { return new IpSecXfrmController(); } } final UidFdTagger mUidFdTagger; /** * Interface for user-reference and kernel-resource cleanup. * *

This interface must be implemented for a resource to be reference counted. */ @VisibleForTesting public interface IResource { /** * Invalidates a IResource object, ensuring it is invalid for the purposes of allocating new * objects dependent on it. * *

Implementations of this method are expected to remove references to the IResource * object from the IpSecService's tracking arrays. The removal from the arrays ensures that * the resource is considered invalid for user access or allocation or use in other * resources. * *

References to the IResource object may be held by other RefcountedResource objects, * and as such, the underlying resources and quota may not be cleaned up. */ void invalidate() throws RemoteException; /** * Releases underlying resources and related quotas. * *

Implementations of this method are expected to remove all system resources that are * tracked by the IResource object. Due to other RefcountedResource objects potentially * having references to the IResource object, freeUnderlyingResources may not always be * called from releaseIfUnreferencedRecursively(). */ void freeUnderlyingResources() throws RemoteException; } /** * RefcountedResource manages references and dependencies in an exclusively acyclic graph. * *

RefcountedResource implements both explicit and implicit resource management. Creating a * RefcountedResource object creates an explicit reference that must be freed by calling * userRelease(). Additionally, adding this object as a child of another RefcountedResource * object will add an implicit reference. * *

Resources are cleaned up when all references, both implicit and explicit, are released * (ie, when userRelease() is called and when all parents have called releaseReference() on this * object.) */ @VisibleForTesting public class RefcountedResource implements IBinder.DeathRecipient { private final T mResource; private final List mChildren; int mRefCount = 1; // starts at 1 for user's reference. IBinder mBinder; RefcountedResource(T resource, IBinder binder, RefcountedResource... children) { synchronized (IpSecService.this) { this.mResource = resource; this.mChildren = new ArrayList<>(children.length); this.mBinder = binder; for (RefcountedResource child : children) { mChildren.add(child); child.mRefCount++; } try { mBinder.linkToDeath(this, 0); } catch (RemoteException e) { binderDied(); e.rethrowFromSystemServer(); } } } /** * If the Binder object dies, this function is called to free the system resources that are * being tracked by this record and to subsequently release this record for garbage * collection */ @Override public void binderDied() { synchronized (IpSecService.this) { try { userRelease(); } catch (Exception e) { Log.e(TAG, "Failed to release resource: " + e); } } } public T getResource() { return mResource; } /** * Unlinks from binder and performs IpSecService resource cleanup (removes from resource * arrays) * *

If this method has been previously called, the RefcountedResource's binder field will * be null, and the method will return without performing the cleanup a second time. * *

Note that calling this function does not imply that kernel resources will be freed at * this time, or that the related quota will be returned. Such actions will only be * performed upon the reference count reaching zero. */ @GuardedBy("IpSecService.this") public void userRelease() throws RemoteException { // Prevent users from putting reference counts into a bad state by calling // userRelease() multiple times. if (mBinder == null) { return; } mBinder.unlinkToDeath(this, 0); mBinder = null; mResource.invalidate(); releaseReference(); } /** * Removes a reference to this resource. If the resultant reference count is zero, the * underlying resources are freed, and references to all child resources are also dropped * recursively (resulting in them freeing their resources and children, etcetera) * *

This method also sets the reference count to an invalid value (-1) to signify that it * has been fully released. Any subsequent calls to this method will result in an * IllegalStateException being thrown due to resource already having been previously * released */ @VisibleForTesting @GuardedBy("IpSecService.this") public void releaseReference() throws RemoteException { mRefCount--; if (mRefCount > 0) { return; } else if (mRefCount < 0) { throw new IllegalStateException( "Invalid operation - resource has already been released."); } // Cleanup own resources mResource.freeUnderlyingResources(); // Cleanup child resources as needed for (RefcountedResource child : mChildren) { child.releaseReference(); } // Enforce that resource cleanup can only be called once // By decrementing the refcount (from 0 to -1), the next call will throw an // IllegalStateException - it has already been released fully. mRefCount--; } @Override public String toString() { return new StringBuilder() .append("{mResource=") .append(mResource) .append(", mRefCount=") .append(mRefCount) .append(", mChildren=") .append(mChildren) .append("}") .toString(); } } /** * Very simple counting class that looks much like a counting semaphore * *

This class is not thread-safe, and expects that that users of this class will ensure * synchronization and thread safety by holding the IpSecService.this instance lock. */ @VisibleForTesting static class ResourceTracker { private final int mMax; int mCurrent; ResourceTracker(int max) { mMax = max; mCurrent = 0; } boolean isAvailable() { return (mCurrent < mMax); } void take() { if (!isAvailable()) { Log.wtf(TAG, "Too many resources allocated!"); } mCurrent++; } void give() { if (mCurrent <= 0) { Log.wtf(TAG, "We've released this resource too many times"); } mCurrent--; } @Override public String toString() { return new StringBuilder() .append("{mCurrent=") .append(mCurrent) .append(", mMax=") .append(mMax) .append("}") .toString(); } } @VisibleForTesting static final class UserRecord { /* Maximum number of each type of resource that a single UID may possess */ // Up to 4 active VPNs/IWLAN with potential soft handover. public static final int MAX_NUM_TUNNEL_INTERFACES = 8; public static final int MAX_NUM_ENCAP_SOCKETS = 16; // SPIs and Transforms are both cheap, and are 1:1 correlated. public static final int MAX_NUM_TRANSFORMS = 64; public static final int MAX_NUM_SPIS = 64; /** * Store each of the OwnedResource types in an (thinly wrapped) sparse array for indexing * and explicit (user) reference management. * *

These are stored in separate arrays to improve debuggability and dump output clarity. * *

Resources are removed from this array when the user releases their explicit reference * by calling one of the releaseResource() methods. */ final RefcountedResourceArray mSpiRecords = new RefcountedResourceArray<>(SpiRecord.class.getSimpleName()); final RefcountedResourceArray mTransformRecords = new RefcountedResourceArray<>(TransformRecord.class.getSimpleName()); final RefcountedResourceArray mEncapSocketRecords = new RefcountedResourceArray<>(EncapSocketRecord.class.getSimpleName()); final RefcountedResourceArray mTunnelInterfaceRecords = new RefcountedResourceArray<>(TunnelInterfaceRecord.class.getSimpleName()); /** * Trackers for quotas for each of the OwnedResource types. * *

These trackers are separate from the resource arrays, since they are incremented and * decremented at different points in time. Specifically, quota is only returned upon final * resource deallocation (after all explicit and implicit references are released). Note * that it is possible that calls to releaseResource() will not return the used quota if * there are other resources that depend on (are parents of) the resource being released. */ final ResourceTracker mSpiQuotaTracker = new ResourceTracker(MAX_NUM_SPIS); final ResourceTracker mTransformQuotaTracker = new ResourceTracker(MAX_NUM_TRANSFORMS); final ResourceTracker mSocketQuotaTracker = new ResourceTracker(MAX_NUM_ENCAP_SOCKETS); final ResourceTracker mTunnelQuotaTracker = new ResourceTracker(MAX_NUM_TUNNEL_INTERFACES); void removeSpiRecord(int resourceId) { mSpiRecords.remove(resourceId); } void removeTransformRecord(int resourceId) { mTransformRecords.remove(resourceId); } void removeTunnelInterfaceRecord(int resourceId) { mTunnelInterfaceRecords.remove(resourceId); } void removeEncapSocketRecord(int resourceId) { mEncapSocketRecords.remove(resourceId); } @Override public String toString() { return new StringBuilder() .append("{mSpiQuotaTracker=") .append(mSpiQuotaTracker) .append(", mTransformQuotaTracker=") .append(mTransformQuotaTracker) .append(", mSocketQuotaTracker=") .append(mSocketQuotaTracker) .append(", mTunnelQuotaTracker=") .append(mTunnelQuotaTracker) .append(", mSpiRecords=") .append(mSpiRecords) .append(", mTransformRecords=") .append(mTransformRecords) .append(", mEncapSocketRecords=") .append(mEncapSocketRecords) .append(", mTunnelInterfaceRecords=") .append(mTunnelInterfaceRecords) .append("}") .toString(); } } /** * This class is not thread-safe, and expects that that users of this class will ensure * synchronization and thread safety by holding the IpSecService.this instance lock. */ @VisibleForTesting static final class UserResourceTracker { private final SparseArray mUserRecords = new SparseArray<>(); /** Lazy-initialization/getter that populates or retrieves the UserRecord as needed */ public UserRecord getUserRecord(int uid) { checkCallerUid(uid); UserRecord r = mUserRecords.get(uid); if (r == null) { r = new UserRecord(); mUserRecords.put(uid, r); } return r; } /** Safety method; guards against access of other user's UserRecords */ private void checkCallerUid(int uid) { if (uid != Binder.getCallingUid() && Process.SYSTEM_UID != Binder.getCallingUid()) { throw new SecurityException("Attempted access of unowned resources"); } } @Override public String toString() { return mUserRecords.toString(); } } @VisibleForTesting final UserResourceTracker mUserResourceTracker = new UserResourceTracker(); /** * The OwnedResourceRecord class provides a facility to cleanly and reliably track system * resources. It relies on a provided resourceId that should uniquely identify the kernel * resource. To use this class, the user should implement the invalidate() and * freeUnderlyingResources() methods that are responsible for cleaning up IpSecService resource * tracking arrays and kernel resources, respectively. * *

This class associates kernel resources with the UID that owns and controls them. */ private abstract class OwnedResourceRecord implements IResource { final int mPid; final int mUid; protected final int mResourceId; OwnedResourceRecord(int resourceId) { super(); if (resourceId == INVALID_RESOURCE_ID) { throw new IllegalArgumentException("Resource ID must not be INVALID_RESOURCE_ID"); } mResourceId = resourceId; mPid = Binder.getCallingPid(); mUid = Binder.getCallingUid(); getResourceTracker().take(); } @Override public abstract void invalidate() throws RemoteException; /** Convenience method; retrieves the user resource record for the stored UID. */ protected UserRecord getUserRecord() { return mUserResourceTracker.getUserRecord(mUid); } @Override public abstract void freeUnderlyingResources() throws RemoteException; /** Get the resource tracker for this resource */ protected abstract ResourceTracker getResourceTracker(); @Override public String toString() { return new StringBuilder() .append("{mResourceId=") .append(mResourceId) .append(", pid=") .append(mPid) .append(", uid=") .append(mUid) .append("}") .toString(); } }; /** * Thin wrapper over SparseArray to ensure resources exist, and simplify generic typing. * *

RefcountedResourceArray prevents null insertions, and throws an IllegalArgumentException * if a key is not found during a retrieval process. */ static class RefcountedResourceArray { SparseArray> mArray = new SparseArray<>(); private final String mTypeName; RefcountedResourceArray(String typeName) { this.mTypeName = typeName; } /** * Accessor method to get inner resource object. * * @throws IllegalArgumentException if no resource with provided key is found. */ T getResourceOrThrow(int key) { return getRefcountedResourceOrThrow(key).getResource(); } /** * Accessor method to get reference counting wrapper. * * @throws IllegalArgumentException if no resource with provided key is found. */ RefcountedResource getRefcountedResourceOrThrow(int key) { RefcountedResource resource = mArray.get(key); if (resource == null) { throw new IllegalArgumentException( String.format("No such %s found for given id: %d", mTypeName, key)); } return resource; } void put(int key, RefcountedResource obj) { Objects.requireNonNull(obj, "Null resources cannot be added"); mArray.put(key, obj); } void remove(int key) { mArray.remove(key); } @Override public String toString() { return mArray.toString(); } } /** * Tracks an SA in the kernel, and manages cleanup paths. Once a TransformRecord is created, the * SpiRecord that originally tracked the SAs will reliquish the responsibility of freeing the * underlying SA to this class via the mOwnedByTransform flag. * *

This class is not thread-safe, and expects that that users of this class will ensure * synchronization and thread safety by holding the IpSecService.this instance lock */ private final class TransformRecord extends OwnedResourceRecord { private final IpSecConfig mConfig; private final SpiRecord mSpi; private final EncapSocketRecord mSocket; private String mNewSourceAddress = null; private String mNewDestinationAddress = null; TransformRecord( int resourceId, IpSecConfig config, SpiRecord spi, EncapSocketRecord socket) { super(resourceId); mConfig = config; mSpi = spi; mSocket = socket; spi.setOwnedByTransform(); } public IpSecConfig getConfig() { return mConfig; } public SpiRecord getSpiRecord() { return mSpi; } public EncapSocketRecord getSocketRecord() { return mSocket; } @GuardedBy("IpSecService.this") public String getNewSourceAddress() { return mNewSourceAddress; } @GuardedBy("IpSecService.this") public String getNewDestinationAddress() { return mNewDestinationAddress; } private void verifyTunnelModeOrThrow() { if (mConfig.getMode() != IpSecTransform.MODE_TUNNEL) { throw new UnsupportedOperationException( "Migration requested/called on non-tunnel-mode transform"); } } /** Start migrating this transform to new source and destination addresses */ @GuardedBy("IpSecService.this") public void startMigration(String newSourceAddress, String newDestinationAddress) { verifyTunnelModeOrThrow(); Objects.requireNonNull(newSourceAddress, "newSourceAddress was null"); Objects.requireNonNull(newDestinationAddress, "newDestinationAddress was null"); mNewSourceAddress = newSourceAddress; mNewDestinationAddress = newDestinationAddress; } /** Finish migration and update addresses. */ @GuardedBy("IpSecService.this") public void finishMigration() { verifyTunnelModeOrThrow(); mConfig.setSourceAddress(mNewSourceAddress); mConfig.setDestinationAddress(mNewDestinationAddress); mNewSourceAddress = null; mNewDestinationAddress = null; } /** Return if this transform is going to be migrated. */ @GuardedBy("IpSecService.this") public boolean isMigrating() { verifyTunnelModeOrThrow(); return mNewSourceAddress != null; } /** always guarded by IpSecService#this */ @Override public void freeUnderlyingResources() { int spi = mSpi.getSpi(); try { mNetd.ipSecDeleteSecurityAssociation( mUid, mConfig.getSourceAddress(), mConfig.getDestinationAddress(), spi, mConfig.getMarkValue(), mConfig.getMarkMask(), mConfig.getXfrmInterfaceId()); } catch (RemoteException | ServiceSpecificException e) { Log.e(TAG, "Failed to delete SA with ID: " + mResourceId, e); } getResourceTracker().give(); } @Override public void invalidate() throws RemoteException { getUserRecord().removeTransformRecord(mResourceId); } @Override protected ResourceTracker getResourceTracker() { return getUserRecord().mTransformQuotaTracker; } @Override public String toString() { StringBuilder strBuilder = new StringBuilder(); strBuilder .append("{super=") .append(super.toString()) .append(", mSocket=") .append(mSocket) .append(", mSpi.mResourceId=") .append(mSpi.mResourceId) .append(", mConfig=") .append(mConfig) .append("}"); return strBuilder.toString(); } } /** * Tracks a single SA in the kernel, and manages cleanup paths. Once used in a Transform, the * responsibility for cleaning up underlying resources will be passed to the TransformRecord * object */ private final class SpiRecord extends OwnedResourceRecord { private final String mSourceAddress; private final String mDestinationAddress; private int mSpi; private boolean mOwnedByTransform = false; SpiRecord(int resourceId, String sourceAddress, String destinationAddress, int spi) { super(resourceId); mSourceAddress = sourceAddress; mDestinationAddress = destinationAddress; mSpi = spi; } /** always guarded by IpSecService#this */ @Override public void freeUnderlyingResources() { try { if (!mOwnedByTransform) { mNetd.ipSecDeleteSecurityAssociation( mUid, mSourceAddress, mDestinationAddress, mSpi, 0 /* mark */, 0 /* mask */, 0 /* if_id */); } } catch (ServiceSpecificException | RemoteException e) { Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId, e); } mSpi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX; getResourceTracker().give(); } public int getSpi() { return mSpi; } public String getDestinationAddress() { return mDestinationAddress; } public void setOwnedByTransform() { if (mOwnedByTransform) { // Programming error throw new IllegalStateException("Cannot own an SPI twice!"); } mOwnedByTransform = true; } public boolean getOwnedByTransform() { return mOwnedByTransform; } @Override public void invalidate() throws RemoteException { getUserRecord().removeSpiRecord(mResourceId); } @Override protected ResourceTracker getResourceTracker() { return getUserRecord().mSpiQuotaTracker; } @Override public String toString() { StringBuilder strBuilder = new StringBuilder(); strBuilder .append("{super=") .append(super.toString()) .append(", mSpi=") .append(mSpi) .append(", mSourceAddress=") .append(mSourceAddress) .append(", mDestinationAddress=") .append(mDestinationAddress) .append(", mOwnedByTransform=") .append(mOwnedByTransform) .append("}"); return strBuilder.toString(); } } private final SparseBooleanArray mTunnelNetIds = new SparseBooleanArray(); final Range mNetIdRange = ConnectivityManager.getIpSecNetIdRange(); private int mNextTunnelNetId = mNetIdRange.getLower(); /** * Reserves a netId within the range of netIds allocated for IPsec tunnel interfaces * *

This method should only be called from Binder threads. Do not call this from within the * system server as it will crash the system on failure. * * @return an integer key within the netId range, if successful * @throws IllegalStateException if unsuccessful (all netId are currently reserved) */ @VisibleForTesting int reserveNetId() { final int range = mNetIdRange.getUpper() - mNetIdRange.getLower() + 1; synchronized (mTunnelNetIds) { for (int i = 0; i < range; i++) { final int netId = mNextTunnelNetId; if (++mNextTunnelNetId > mNetIdRange.getUpper()) { mNextTunnelNetId = mNetIdRange.getLower(); } if (!mTunnelNetIds.get(netId)) { mTunnelNetIds.put(netId, true); return netId; } } } throw new IllegalStateException("No free netIds to allocate"); } @VisibleForTesting void releaseNetId(int netId) { synchronized (mTunnelNetIds) { mTunnelNetIds.delete(netId); } } /** * Tracks an tunnel interface, and manages cleanup paths. * *

This class is not thread-safe, and expects that that users of this class will ensure * synchronization and thread safety by holding the IpSecService.this instance lock */ @VisibleForTesting final class TunnelInterfaceRecord extends OwnedResourceRecord { private final String mInterfaceName; // outer addresses private final String mLocalAddress; private final String mRemoteAddress; private final int mIkey; private final int mOkey; private final int mIfId; private Network mUnderlyingNetwork; TunnelInterfaceRecord( int resourceId, String interfaceName, Network underlyingNetwork, String localAddr, String remoteAddr, int ikey, int okey, int intfId) { super(resourceId); mInterfaceName = interfaceName; mUnderlyingNetwork = underlyingNetwork; mLocalAddress = localAddr; mRemoteAddress = remoteAddr; mIkey = ikey; mOkey = okey; mIfId = intfId; } /** always guarded by IpSecService#this */ @Override public void freeUnderlyingResources() { // Calls to netd // Teardown VTI // Delete global policies try { mNetd.ipSecRemoveTunnelInterface(mInterfaceName); for (int selAddrFamily : ADDRESS_FAMILIES) { mNetd.ipSecDeleteSecurityPolicy( mUid, selAddrFamily, IpSecManager.DIRECTION_OUT, mOkey, 0xffffffff, mIfId); mNetd.ipSecDeleteSecurityPolicy( mUid, selAddrFamily, IpSecManager.DIRECTION_IN, mIkey, 0xffffffff, mIfId); mNetd.ipSecDeleteSecurityPolicy( mUid, selAddrFamily, IpSecManager.DIRECTION_FWD, mIkey, 0xffffffff, mIfId); } } catch (ServiceSpecificException | RemoteException e) { Log.e( TAG, "Failed to delete VTI with interface name: " + mInterfaceName + " and id: " + mResourceId, e); } getResourceTracker().give(); releaseNetId(mIkey); releaseNetId(mOkey); } @GuardedBy("IpSecService.this") public void setUnderlyingNetwork(Network underlyingNetwork) { // When #applyTunnelModeTransform is called, this new underlying network will be used to // update the output mark of the input transform. mUnderlyingNetwork = underlyingNetwork; } @GuardedBy("IpSecService.this") public Network getUnderlyingNetwork() { return mUnderlyingNetwork; } public String getInterfaceName() { return mInterfaceName; } /** Returns the local, outer address for the tunnelInterface */ public String getLocalAddress() { return mLocalAddress; } /** Returns the remote, outer address for the tunnelInterface */ public String getRemoteAddress() { return mRemoteAddress; } public int getIkey() { return mIkey; } public int getOkey() { return mOkey; } public int getIfId() { return mIfId; } @Override protected ResourceTracker getResourceTracker() { return getUserRecord().mTunnelQuotaTracker; } @Override public void invalidate() { getUserRecord().removeTunnelInterfaceRecord(mResourceId); } @Override public String toString() { return new StringBuilder() .append("{super=") .append(super.toString()) .append(", mInterfaceName=") .append(mInterfaceName) .append(", mUnderlyingNetwork=") .append(mUnderlyingNetwork) .append(", mLocalAddress=") .append(mLocalAddress) .append(", mRemoteAddress=") .append(mRemoteAddress) .append(", mIkey=") .append(mIkey) .append(", mOkey=") .append(mOkey) .append("}") .toString(); } } /** * Tracks a UDP encap socket, and manages cleanup paths * *

While this class does not manage non-kernel resources, race conditions around socket * binding require that the service creates the encap socket, binds it and applies the socket * policy before handing it to a user. */ private final class EncapSocketRecord extends OwnedResourceRecord { private FileDescriptor mSocket; private final int mPort; private final int mFamily; // TODO: what about IPV6_ADDRFORM? EncapSocketRecord(int resourceId, FileDescriptor socket, int port, int family) { super(resourceId); mSocket = socket; mPort = port; mFamily = family; } /** always guarded by IpSecService#this */ @Override public void freeUnderlyingResources() { Log.d(TAG, "Closing port " + mPort); IoUtils.closeQuietly(mSocket); mSocket = null; getResourceTracker().give(); } public int getPort() { return mPort; } public FileDescriptor getFileDescriptor() { return mSocket; } public int getFamily() { return mFamily; } @Override protected ResourceTracker getResourceTracker() { return getUserRecord().mSocketQuotaTracker; } @Override public void invalidate() { getUserRecord().removeEncapSocketRecord(mResourceId); } @Override public String toString() { return new StringBuilder() .append("{super=") .append(super.toString()) .append(", mSocket=") .append(mSocket) .append(", mPort=") .append(mPort) .append("}") .toString(); } } /** * Constructs a new IpSecService instance * * @param context Binder context for this service */ public IpSecService(Context context) { this(context, new Dependencies()); } @NonNull private AppOpsManager getAppOpsManager() { AppOpsManager appOps = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE); if (appOps == null) throw new RuntimeException("System Server couldn't get AppOps"); return appOps; } /** @hide */ @VisibleForTesting public IpSecService(Context context, Dependencies deps) { this( context, deps, (fd, uid) -> { try { TrafficStats.setThreadStatsUid(uid); TrafficStats.tagFileDescriptor(fd); } finally { TrafficStats.clearThreadStatsUid(); } }); } /** @hide */ @VisibleForTesting public IpSecService(Context context, Dependencies deps, UidFdTagger uidFdTagger) { mContext = context; mDeps = Objects.requireNonNull(deps, "Missing dependencies."); mUidFdTagger = uidFdTagger; mIpSecXfrmCtrl = mDeps.getIpSecXfrmController(); try { mNetd = mDeps.getNetdInstance(mContext); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } /** * Checks that the provided InetAddress is valid for use in an IPsec SA. The address must not be * a wildcard address and must be in a numeric form such as 1.2.3.4 or 2001::1. */ private static void checkInetAddress(String inetAddress) { if (TextUtils.isEmpty(inetAddress)) { throw new IllegalArgumentException("Unspecified address"); } InetAddress checkAddr = InetAddresses.parseNumericAddress(inetAddress); if (checkAddr.isAnyLocalAddress()) { throw new IllegalArgumentException("Inappropriate wildcard address: " + inetAddress); } } /** * Checks the user-provided direction field and throws an IllegalArgumentException if it is not * DIRECTION_IN or DIRECTION_OUT */ private void checkDirection(int direction) { switch (direction) { case IpSecManager.DIRECTION_OUT: case IpSecManager.DIRECTION_IN: return; case IpSecManager.DIRECTION_FWD: // Only NETWORK_STACK or MAINLINE_NETWORK_STACK allowed to use forward policies PermissionUtils.enforceNetworkStackPermission(mContext); return; } throw new IllegalArgumentException("Invalid Direction: " + direction); } /** Get a new SPI and maintain the reservation in the system server */ @Override public synchronized IpSecSpiResponse allocateSecurityParameterIndex( String destinationAddress, int requestedSpi, IBinder binder) throws RemoteException { checkInetAddress(destinationAddress); // RFC 4303 Section 2.1 - 0=local, 1-255=reserved. if (requestedSpi > 0 && requestedSpi < 256) { throw new IllegalArgumentException("ESP SPI must not be in the range of 0-255."); } Objects.requireNonNull(binder, "Null Binder passed to allocateSecurityParameterIndex"); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); final int resourceId = mNextResourceId++; int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX; try { if (!userRecord.mSpiQuotaTracker.isAvailable()) { return new IpSecSpiResponse( IpSecManager.Status.RESOURCE_UNAVAILABLE, INVALID_RESOURCE_ID, spi); } spi = mNetd.ipSecAllocateSpi(callingUid, "", destinationAddress, requestedSpi); Log.d(TAG, "Allocated SPI " + spi); userRecord.mSpiRecords.put( resourceId, new RefcountedResource( new SpiRecord(resourceId, "", destinationAddress, spi), binder)); } catch (ServiceSpecificException e) { if (e.errorCode == OsConstants.ENOENT) { return new IpSecSpiResponse( IpSecManager.Status.SPI_UNAVAILABLE, INVALID_RESOURCE_ID, spi); } throw e; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } return new IpSecSpiResponse(IpSecManager.Status.OK, resourceId, spi); } /* This method should only be called from Binder threads. Do not call this from * within the system server as it will crash the system on failure. */ private void releaseResource(RefcountedResourceArray resArray, int resourceId) throws RemoteException { resArray.getRefcountedResourceOrThrow(resourceId).userRelease(); } /** Release a previously allocated SPI that has been registered with the system server */ @Override public synchronized void releaseSecurityParameterIndex(int resourceId) throws RemoteException { UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); releaseResource(userRecord.mSpiRecords, resourceId); } /** * This function finds and forcibly binds to a random system port, ensuring that the port cannot * be unbound. * *

A socket cannot be un-bound from a port if it was bound to that port by number. To select * a random open port and then bind by number, this function creates a temp socket, binds to a * random port (specifying 0), gets that port number, and then uses is to bind the user's UDP * Encapsulation Socket forcibly, so that it cannot be un-bound by the user with the returned * FileHandle. * *

The loop in this function handles the inherent race window between un-binding to a port * and re-binding, during which the system could *technically* hand that port out to someone * else. */ private int bindToRandomPort(FileDescriptor sockFd, int family, InetAddress localAddr) throws IOException { for (int i = MAX_PORT_BIND_ATTEMPTS; i > 0; i--) { try { FileDescriptor probeSocket = Os.socket(family, SOCK_DGRAM, IPPROTO_UDP); Os.bind(probeSocket, localAddr, 0); int port = ((InetSocketAddress) Os.getsockname(probeSocket)).getPort(); Os.close(probeSocket); Log.v(TAG, "Binding to port " + port); Os.bind(sockFd, localAddr, port); return port; } catch (ErrnoException e) { // Someone miraculously claimed the port just after we closed probeSocket. if (e.errno == OsConstants.EADDRINUSE) { continue; } throw e.rethrowAsIOException(); } } throw new IOException("Failed " + MAX_PORT_BIND_ATTEMPTS + " attempts to bind to a port"); } /** * Functional interface to do traffic tagging of given sockets to UIDs. * *

Specifically used by openUdpEncapsulationSocket to ensure data usage on the UDP encap * sockets are billed to the UID that the UDP encap socket was created on behalf of. * *

Separate class so that the socket tagging logic can be mocked; TrafficStats uses static * methods that cannot be easily mocked/tested. */ @VisibleForTesting public interface UidFdTagger { /** * Sets socket tag to assign all traffic to the provided UID. * *

Since the socket is created on behalf of an unprivileged application, all traffic * should be accounted to the UID of the unprivileged application. */ void tag(FileDescriptor fd, int uid) throws IOException; } /** * Open a socket via the system server and bind it to the specified port (random if port=0). * This will return a PFD to the user that represent a bound UDP socket. The system server will * cache the socket and a record of its owner so that it can and must be freed when no longer * needed. */ @Override public synchronized IpSecUdpEncapResponse openUdpEncapsulationSocket(int port, IBinder binder) throws RemoteException { // Experimental support for IPv6 UDP encap. final int family; final InetAddress localAddr; if (SdkLevel.isAtLeastU() && port >= 65536) { PermissionUtils.enforceNetworkStackPermissionOr(mContext, NETWORK_SETTINGS); port -= 65536; family = AF_INET6; localAddr = IN6ADDR_ANY; } else { family = AF_INET; localAddr = INADDR_ANY; } if (port != 0 && (port < FREE_PORT_MIN || port > PORT_MAX)) { throw new IllegalArgumentException( "Specified port number must be a valid non-reserved UDP port"); } Objects.requireNonNull(binder, "Null Binder passed to openUdpEncapsulationSocket"); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); final int resourceId = mNextResourceId++; ParcelFileDescriptor pFd = null; try { if (!userRecord.mSocketQuotaTracker.isAvailable()) { return new IpSecUdpEncapResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); } FileDescriptor sockFd = null; try { sockFd = Os.socket(family, SOCK_DGRAM, IPPROTO_UDP); pFd = ParcelFileDescriptor.dup(sockFd); } finally { IoUtils.closeQuietly(sockFd); } mUidFdTagger.tag(pFd.getFileDescriptor(), callingUid); // This code is common to both the unspecified and specified port cases Os.setsockoptInt( pFd.getFileDescriptor(), OsConstants.IPPROTO_UDP, OsConstants.UDP_ENCAP, OsConstants.UDP_ENCAP_ESPINUDP); mNetd.ipSecSetEncapSocketOwner(pFd, callingUid); if (port != 0) { Log.v(TAG, "Binding to port " + port); Os.bind(pFd.getFileDescriptor(), localAddr, port); } else { port = bindToRandomPort(pFd.getFileDescriptor(), family, localAddr); } userRecord.mEncapSocketRecords.put( resourceId, new RefcountedResource( new EncapSocketRecord(resourceId, pFd.getFileDescriptor(), port, family), binder)); return new IpSecUdpEncapResponse(IpSecManager.Status.OK, resourceId, port, pFd.getFileDescriptor()); } catch (IOException | ErrnoException e) { try { if (pFd != null) { pFd.close(); } } catch (IOException ex) { // Nothing can be done at this point Log.e(TAG, "Failed to close pFd."); } } // If we make it to here, then something has gone wrong and we couldn't open a socket. // The only reasonable condition that would cause that is resource unavailable. return new IpSecUdpEncapResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); } /** close a socket that has been been allocated by and registered with the system server */ @Override public synchronized void closeUdpEncapsulationSocket(int resourceId) throws RemoteException { UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); releaseResource(userRecord.mEncapSocketRecords, resourceId); } /** * Create a tunnel interface for use in IPSec tunnel mode. The system server will cache the * tunnel interface and a record of its owner so that it can and must be freed when no longer * needed. */ @Override public synchronized IpSecTunnelInterfaceResponse createTunnelInterface( String localAddr, String remoteAddr, Network underlyingNetwork, IBinder binder, String callingPackage) { enforceTunnelFeatureAndPermissions(callingPackage); Objects.requireNonNull(binder, "Null Binder passed to createTunnelInterface"); Objects.requireNonNull(underlyingNetwork, "No underlying network was specified"); checkInetAddress(localAddr); checkInetAddress(remoteAddr); // TODO: Check that underlying network exists, and IP addresses not assigned to a different // network (b/72316676). int callerUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callerUid); if (!userRecord.mTunnelQuotaTracker.isAvailable()) { return new IpSecTunnelInterfaceResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); } final int resourceId = mNextResourceId++; final int ikey = reserveNetId(); final int okey = reserveNetId(); String intfName = String.format("%s%d", INetd.IPSEC_INTERFACE_PREFIX, resourceId); try { // Calls to netd: // Create VTI // Add inbound/outbound global policies // (use reqid = 0) mNetd.ipSecAddTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey, resourceId); BinderUtils.withCleanCallingIdentity(() -> { NetdUtils.setInterfaceUp(mNetd, intfName); }); for (int selAddrFamily : ADDRESS_FAMILIES) { // Always send down correct local/remote addresses for template. mNetd.ipSecAddSecurityPolicy( callerUid, selAddrFamily, IpSecManager.DIRECTION_OUT, localAddr, remoteAddr, 0, okey, 0xffffffff, resourceId); mNetd.ipSecAddSecurityPolicy( callerUid, selAddrFamily, IpSecManager.DIRECTION_IN, remoteAddr, localAddr, 0, ikey, 0xffffffff, resourceId); // Add a forwarding policy on the tunnel interface. In order to support forwarding // the IpSecTunnelInterface must have a forwarding policy matching the incoming SA. // // Unless a IpSecTransform is also applied against this interface in DIRECTION_FWD, // forwarding will be blocked by default (as would be the case if this policy was // absent). // // This is necessary only on the tunnel interface, and not any the interface to // which traffic will be forwarded to. mNetd.ipSecAddSecurityPolicy( callerUid, selAddrFamily, IpSecManager.DIRECTION_FWD, remoteAddr, localAddr, 0, ikey, 0xffffffff, resourceId); } userRecord.mTunnelInterfaceRecords.put( resourceId, new RefcountedResource( new TunnelInterfaceRecord( resourceId, intfName, underlyingNetwork, localAddr, remoteAddr, ikey, okey, resourceId), binder)); return new IpSecTunnelInterfaceResponse(IpSecManager.Status.OK, resourceId, intfName); } catch (RemoteException e) { // Release keys if we got an error. releaseNetId(ikey); releaseNetId(okey); throw e.rethrowFromSystemServer(); } catch (Throwable t) { // Release keys if we got an error. releaseNetId(ikey); releaseNetId(okey); throw t; } } /** * Adds a new local address to the tunnel interface. This allows packets to be sent and received * from multiple local IP addresses over the same tunnel. */ @Override public synchronized void addAddressToTunnelInterface( int tunnelResourceId, LinkAddress localAddr, String callingPackage) { enforceTunnelFeatureAndPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); // Get tunnelInterface record; if no such interface is found, will throw // IllegalArgumentException TunnelInterfaceRecord tunnelInterfaceInfo = userRecord.mTunnelInterfaceRecords.getResourceOrThrow(tunnelResourceId); try { // We can assume general validity of the IP address, since we get them as a // LinkAddress, which does some validation. mNetd.interfaceAddAddress( tunnelInterfaceInfo.mInterfaceName, localAddr.getAddress().getHostAddress(), localAddr.getPrefixLength()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } /** * Remove a new local address from the tunnel interface. After removal, the address will no * longer be available to send from, or receive on. */ @Override public synchronized void removeAddressFromTunnelInterface( int tunnelResourceId, LinkAddress localAddr, String callingPackage) { enforceTunnelFeatureAndPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); // Get tunnelInterface record; if no such interface is found, will throw // IllegalArgumentException TunnelInterfaceRecord tunnelInterfaceInfo = userRecord.mTunnelInterfaceRecords.getResourceOrThrow(tunnelResourceId); try { // We can assume general validity of the IP address, since we get them as a // LinkAddress, which does some validation. mNetd.interfaceDelAddress( tunnelInterfaceInfo.mInterfaceName, localAddr.getAddress().getHostAddress(), localAddr.getPrefixLength()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } /** Set TunnelInterface to use a specific underlying network. */ @Override public synchronized void setNetworkForTunnelInterface( int tunnelResourceId, Network underlyingNetwork, String callingPackage) { enforceTunnelFeatureAndPermissions(callingPackage); Objects.requireNonNull(underlyingNetwork, "No underlying network was specified"); final UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); // Get tunnelInterface record; if no such interface is found, will throw // IllegalArgumentException. userRecord.mTunnelInterfaceRecords is never null final TunnelInterfaceRecord tunnelInterfaceInfo = userRecord.mTunnelInterfaceRecords.getResourceOrThrow(tunnelResourceId); final ConnectivityManager connectivityManager = mContext.getSystemService(ConnectivityManager.class); final LinkProperties lp = connectivityManager.getLinkProperties(underlyingNetwork); if (lp == null) { throw new IllegalArgumentException( "LinkProperties is null. The underlyingNetwork may not be functional"); } if (tunnelInterfaceInfo.getInterfaceName().equals(lp.getInterfaceName())) { throw new IllegalArgumentException( "Underlying network cannot be the network being exposed by this tunnel"); } // It is meaningless to check if the network exists or is valid because the network might // disconnect at any time after it passes the check. tunnelInterfaceInfo.setUnderlyingNetwork(underlyingNetwork); } /** * Delete a TunnelInterface that has been been allocated by and registered with the system * server */ @Override public synchronized void deleteTunnelInterface( int resourceId, String callingPackage) throws RemoteException { enforceTunnelFeatureAndPermissions(callingPackage); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); releaseResource(userRecord.mTunnelInterfaceRecords, resourceId); } @VisibleForTesting void validateAlgorithms(IpSecConfig config) throws IllegalArgumentException { IpSecAlgorithm auth = config.getAuthentication(); IpSecAlgorithm crypt = config.getEncryption(); IpSecAlgorithm aead = config.getAuthenticatedEncryption(); // Validate the algorithm set Preconditions.checkArgument( aead != null || crypt != null || auth != null, "No Encryption or Authentication algorithms specified"); Preconditions.checkArgument( auth == null || auth.isAuthentication(), "Unsupported algorithm for Authentication"); Preconditions.checkArgument( crypt == null || crypt.isEncryption(), "Unsupported algorithm for Encryption"); Preconditions.checkArgument( aead == null || aead.isAead(), "Unsupported algorithm for Authenticated Encryption"); Preconditions.checkArgument( aead == null || (auth == null && crypt == null), "Authenticated Encryption is mutually exclusive with other Authentication " + "or Encryption algorithms"); } private int getFamily(String inetAddress) { int family = AF_UNSPEC; InetAddress checkAddress = InetAddresses.parseNumericAddress(inetAddress); if (checkAddress instanceof Inet4Address) { family = AF_INET; } else if (checkAddress instanceof Inet6Address) { family = AF_INET6; } return family; } /** * Checks an IpSecConfig parcel to ensure that the contents are valid and throws an * IllegalArgumentException if they are not. */ private void checkIpSecConfig(IpSecConfig config) { UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); EncapSocketRecord encapSocketRecord = null; switch (config.getEncapType()) { case IpSecTransform.ENCAP_NONE: break; case IpSecTransform.ENCAP_ESPINUDP: case IpSecTransform.ENCAP_ESPINUDP_NON_IKE: // Retrieve encap socket record; will throw IllegalArgumentException if not found encapSocketRecord = userRecord.mEncapSocketRecords.getResourceOrThrow( config.getEncapSocketResourceId()); int port = config.getEncapRemotePort(); if (port <= 0 || port > 0xFFFF) { throw new IllegalArgumentException("Invalid remote UDP port: " + port); } break; default: throw new IllegalArgumentException("Invalid Encap Type: " + config.getEncapType()); } validateAlgorithms(config); // Retrieve SPI record; will throw IllegalArgumentException if not found SpiRecord s = userRecord.mSpiRecords.getResourceOrThrow(config.getSpiResourceId()); // Check to ensure that SPI has not already been used. if (s.getOwnedByTransform()) { throw new IllegalStateException("SPI already in use; cannot be used in new Transforms"); } // If no remote address is supplied, then use one from the SPI. if (TextUtils.isEmpty(config.getDestinationAddress())) { config.setDestinationAddress(s.getDestinationAddress()); } // All remote addresses must match if (!config.getDestinationAddress().equals(s.getDestinationAddress())) { throw new IllegalArgumentException("Mismatched remote addresseses."); } // This check is technically redundant due to the chain of custody between the SPI and // the IpSecConfig, but in the future if the dest is allowed to be set explicitly in // the transform, this will prevent us from messing up. checkInetAddress(config.getDestinationAddress()); // Require a valid source address for all transforms. checkInetAddress(config.getSourceAddress()); // Check to ensure source and destination have the same address family. String sourceAddress = config.getSourceAddress(); String destinationAddress = config.getDestinationAddress(); int sourceFamily = getFamily(sourceAddress); int destinationFamily = getFamily(destinationAddress); if (sourceFamily != destinationFamily) { throw new IllegalArgumentException( "Source address (" + sourceAddress + ") and destination address (" + destinationAddress + ") have different address families."); } if (encapSocketRecord != null && encapSocketRecord.getFamily() != destinationFamily) { throw new IllegalArgumentException( "UDP encapsulation socket and destination address families must match"); } switch (config.getMode()) { case IpSecTransform.MODE_TRANSPORT: break; case IpSecTransform.MODE_TUNNEL: break; default: throw new IllegalArgumentException( "Invalid IpSecTransform.mode: " + config.getMode()); } config.setMarkValue(0); config.setMarkMask(0); } private static final String TUNNEL_OP = AppOpsManager.OPSTR_MANAGE_IPSEC_TUNNELS; private void enforceTunnelFeatureAndPermissions(String callingPackage) { if (!mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_IPSEC_TUNNELS)) { throw new UnsupportedOperationException( "IPsec Tunnel Mode requires PackageManager.FEATURE_IPSEC_TUNNELS"); } Objects.requireNonNull(callingPackage, "Null calling package cannot create IpSec tunnels"); // OP_MANAGE_IPSEC_TUNNELS will return MODE_ERRORED by default, including for the system // server. If the appop is not granted, require that the caller has the MANAGE_IPSEC_TUNNELS // permission or is the System Server. if (AppOpsManager.MODE_ALLOWED == getAppOpsManager().noteOpNoThrow( TUNNEL_OP, Binder.getCallingUid(), callingPackage)) { return; } mContext.enforceCallingOrSelfPermission( android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService"); } private void enforceMigrateFeature() { if (!mContext.getPackageManager().hasSystemFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)) { throw new UnsupportedOperationException( "IPsec Tunnel migration requires" + " PackageManager.FEATURE_IPSEC_TUNNEL_MIGRATION"); } } private void createOrUpdateTransform( IpSecConfig c, int resourceId, SpiRecord spiRecord, EncapSocketRecord socketRecord) throws RemoteException { int encapType = c.getEncapType(), encapLocalPort = 0, encapRemotePort = 0; if (encapType != IpSecTransform.ENCAP_NONE) { encapLocalPort = socketRecord.getPort(); encapRemotePort = c.getEncapRemotePort(); } IpSecAlgorithm auth = c.getAuthentication(); IpSecAlgorithm crypt = c.getEncryption(); IpSecAlgorithm authCrypt = c.getAuthenticatedEncryption(); String cryptName; if (crypt == null) { cryptName = (authCrypt == null) ? IpSecAlgorithm.CRYPT_NULL : ""; } else { cryptName = crypt.getName(); } mNetd.ipSecAddSecurityAssociation( Binder.getCallingUid(), c.getMode(), c.getSourceAddress(), c.getDestinationAddress(), (c.getNetwork() != null) ? c.getNetwork().getNetId() : 0, spiRecord.getSpi(), c.getMarkValue(), c.getMarkMask(), (auth != null) ? auth.getName() : "", (auth != null) ? auth.getKey() : new byte[] {}, (auth != null) ? auth.getTruncationLengthBits() : 0, cryptName, (crypt != null) ? crypt.getKey() : new byte[] {}, (crypt != null) ? crypt.getTruncationLengthBits() : 0, (authCrypt != null) ? authCrypt.getName() : "", (authCrypt != null) ? authCrypt.getKey() : new byte[] {}, (authCrypt != null) ? authCrypt.getTruncationLengthBits() : 0, encapType, encapLocalPort, encapRemotePort, c.getXfrmInterfaceId()); } /** * Create a IPsec transform, which represents a single security association in the kernel. The * transform will be cached by the system server and must be freed when no longer needed. It is * possible to free one, deleting the SA from underneath sockets that are using it, which will * result in all of those sockets becoming unable to send or receive data. */ @Override public synchronized IpSecTransformResponse createTransform( IpSecConfig c, IBinder binder, String callingPackage) throws RemoteException { Objects.requireNonNull(c); if (c.getMode() == IpSecTransform.MODE_TUNNEL) { enforceTunnelFeatureAndPermissions(callingPackage); } checkIpSecConfig(c); Objects.requireNonNull(binder, "Null Binder passed to createTransform"); final int resourceId = mNextResourceId++; UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); List dependencies = new ArrayList<>(); if (!userRecord.mTransformQuotaTracker.isAvailable()) { return new IpSecTransformResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE); } EncapSocketRecord socketRecord = null; if (c.getEncapType() != IpSecTransform.ENCAP_NONE) { RefcountedResource refcountedSocketRecord = userRecord.mEncapSocketRecords.getRefcountedResourceOrThrow( c.getEncapSocketResourceId()); dependencies.add(refcountedSocketRecord); socketRecord = refcountedSocketRecord.getResource(); } RefcountedResource refcountedSpiRecord = userRecord.mSpiRecords.getRefcountedResourceOrThrow(c.getSpiResourceId()); dependencies.add(refcountedSpiRecord); SpiRecord spiRecord = refcountedSpiRecord.getResource(); createOrUpdateTransform(c, resourceId, spiRecord, socketRecord); // SA was created successfully, time to construct a record and lock it away userRecord.mTransformRecords.put( resourceId, new RefcountedResource( new TransformRecord(resourceId, c, spiRecord, socketRecord), binder, dependencies.toArray(new RefcountedResource[dependencies.size()]))); return new IpSecTransformResponse(IpSecManager.Status.OK, resourceId); } /** * Migrate an active Tunnel Mode IPsec Transform to new source/destination addresses. * *

Begins the process of migrating a transform and cache the new addresses. To complete the * migration once started, callers MUST apply the same transform to the appropriate tunnel using * {@link #applyTunnelModeTransform}. Otherwise, the address update will not be committed and * the transform will still only process traffic between the current source and destination * address. One common use case is that the control plane will start the migration process and * then hand off the transform to the IPsec caller to perform the actual migration when the * tunnel is ready. * *

If this method is called multiple times before {@link #applyTunnelModeTransform} is * called, when the transform is applied, it will be migrated to the addresses from the last * call. * *

The provided source and destination addresses MUST share the same address family, but they * can have a different family from the current addresses. * *

Transform migration is only supported for tunnel mode transforms. Calling this method on * other types of transforms will throw an {@code UnsupportedOperationException}. */ @Override public synchronized void migrateTransform( int transformId, String newSourceAddress, String newDestinationAddress, String callingPackage) { Objects.requireNonNull(newSourceAddress, "newSourceAddress was null"); Objects.requireNonNull(newDestinationAddress, "newDestinationAddress was null"); enforceTunnelFeatureAndPermissions(callingPackage); enforceMigrateFeature(); UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); TransformRecord transformInfo = userRecord.mTransformRecords.getResourceOrThrow(transformId); transformInfo.startMigration(newSourceAddress, newDestinationAddress); } /** * Delete a transport mode transform that was previously allocated by + registered with the * system server. If this is called on an inactive (or non-existent) transform, it will not * return an error. It's safe to de-allocate transforms that may have already been deleted for * other reasons. */ @Override public synchronized void deleteTransform(int resourceId) throws RemoteException { UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); releaseResource(userRecord.mTransformRecords, resourceId); } @Override public synchronized IpSecTransformState getTransformState(int transformId) throws IllegalStateException, RemoteException { mContext.enforceCallingOrSelfPermission( android.Manifest.permission.ACCESS_NETWORK_STATE, "IpsecService#getTransformState"); if (transformId == INVALID_RESOURCE_ID) { throw new IllegalStateException("This transform is already closed"); } UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid()); TransformRecord transformInfo = userRecord.mTransformRecords.getResourceOrThrow(transformId); final int spi = transformInfo.getSpiRecord().getSpi(); final InetAddress destAddress = InetAddresses.parseNumericAddress( transformInfo.getConfig().getDestinationAddress()); Log.d(TAG, "getTransformState for spi " + spi + " destAddress " + destAddress); // Make netlink call final XfrmNetlinkNewSaMessage xfrmNewSaMsg; try { xfrmNewSaMsg = mIpSecXfrmCtrl.ipSecGetSa(destAddress, Integer.toUnsignedLong(spi)); } catch (ErrnoException | IOException e) { Log.e(TAG, "getTransformState: failed to get IpSecTransformState" + e.toString()); throw new IllegalStateException("Failed to get IpSecTransformState", e); } // Keep the netlink socket open to save time for the next call. It is cheap to have a // persistent netlink socket in the system server if (xfrmNewSaMsg == null) { Log.e(TAG, "getTransformState: failed to get IpSecTransformState xfrmNewSaMsg is null"); throw new IllegalStateException("Failed to get IpSecTransformState"); } return new IpSecTransformState.Builder() .setTxHighestSequenceNumber(xfrmNewSaMsg.getTxSequenceNumber()) .setRxHighestSequenceNumber(xfrmNewSaMsg.getRxSequenceNumber()) .setPacketCount(xfrmNewSaMsg.getPacketCount()) .setByteCount(xfrmNewSaMsg.getByteCount()) .setReplayBitmap(xfrmNewSaMsg.getBitmap()) .build(); } /** * Apply an active transport mode transform to a socket, which will apply the IPsec security * association as a correspondent policy to the provided socket */ @Override public synchronized void applyTransportModeTransform( ParcelFileDescriptor socket, int direction, int resourceId) throws RemoteException { int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); checkDirection(direction); // Get transform record; if no transform is found, will throw IllegalArgumentException TransformRecord info = userRecord.mTransformRecords.getResourceOrThrow(resourceId); // TODO: make this a function. if (info.mPid != getCallingPid() || info.mUid != callingUid) { throw new SecurityException("Only the owner of an IpSec Transform may apply it!"); } // Get config and check that to-be-applied transform has the correct mode IpSecConfig c = info.getConfig(); Preconditions.checkArgument( c.getMode() == IpSecTransform.MODE_TRANSPORT, "Transform mode was not Transport mode; cannot be applied to a socket"); mNetd.ipSecApplyTransportModeTransform( socket, callingUid, direction, c.getSourceAddress(), c.getDestinationAddress(), info.getSpiRecord().getSpi()); } /** * Remove transport mode transforms from a socket, applying the default (empty) policy. This * ensures that NO IPsec policy is applied to the socket (would be the equivalent of applying a * policy that performs no IPsec). Today the resourceId parameter is passed but not used: * reserved for future improved input validation. */ @Override public synchronized void removeTransportModeTransforms(ParcelFileDescriptor socket) throws RemoteException { mNetd.ipSecRemoveTransportModeTransform(socket); } /** * Apply an active tunnel mode transform to a TunnelInterface, which will apply the IPsec * security association as a correspondent policy to the provided interface. * *

If the transform is migrating, migrate the IPsec security association to new * source/destination addresses, and mark the migration as finished. */ @Override public synchronized void applyTunnelModeTransform( int tunnelResourceId, int direction, int transformResourceId, String callingPackage) throws RemoteException { enforceTunnelFeatureAndPermissions(callingPackage); checkDirection(direction); int callingUid = Binder.getCallingUid(); UserRecord userRecord = mUserResourceTracker.getUserRecord(callingUid); // Get transform record; if no transform is found, will throw IllegalArgumentException TransformRecord transformInfo = userRecord.mTransformRecords.getResourceOrThrow(transformResourceId); // Get tunnelInterface record; if no such interface is found, will throw // IllegalArgumentException TunnelInterfaceRecord tunnelInterfaceInfo = userRecord.mTunnelInterfaceRecords.getResourceOrThrow(tunnelResourceId); // Get config and check that to-be-applied transform has the correct mode IpSecConfig c = transformInfo.getConfig(); Preconditions.checkArgument( c.getMode() == IpSecTransform.MODE_TUNNEL, "Transform mode was not Tunnel mode; cannot be applied to a tunnel interface"); EncapSocketRecord socketRecord = null; if (c.getEncapType() != IpSecTransform.ENCAP_NONE) { socketRecord = userRecord.mEncapSocketRecords.getResourceOrThrow(c.getEncapSocketResourceId()); } SpiRecord spiRecord = transformInfo.getSpiRecord(); int mark = (direction == IpSecManager.DIRECTION_OUT) ? tunnelInterfaceInfo.getOkey() : tunnelInterfaceInfo.getIkey(); // Ikey also used for FWD policies try { // Default to using the invalid SPI of 0 for inbound SAs. This allows policies to skip // SPI matching as part of the template resolution. int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX; c.setXfrmInterfaceId(tunnelInterfaceInfo.getIfId()); // TODO: enable this when UPDSA supports updating marks. Adding kernel support upstream // (and backporting) would allow us to narrow the mark space, and ensure that the SA // and SPs have matching marks (as VTI are meant to be built). // Currently update does nothing with marks. Leave empty (defaulting to 0) to ensure the // config matches the actual allocated resources in the kernel. // All SAs will have zero marks (from creation time), and any policy that matches the // same src/dst could match these SAs. Non-IpSecService governed processes that // establish floating policies with the same src/dst may result in undefined // behavior. This is generally limited to vendor code due to the permissions // (CAP_NET_ADMIN) required. // // c.setMarkValue(mark); // c.setMarkMask(0xffffffff); if (direction == IpSecManager.DIRECTION_OUT) { // Set output mark via underlying network (output only) c.setNetwork(tunnelInterfaceInfo.getUnderlyingNetwork()); // Set outbound SPI only. We want inbound to use any valid SA (old, new) on rekeys, // but want to guarantee outbound packets are sent over the new SA. spi = spiRecord.getSpi(); } // Always update the policy with the relevant XFRM_IF_ID for (int selAddrFamily : ADDRESS_FAMILIES) { mNetd.ipSecUpdateSecurityPolicy( callingUid, selAddrFamily, direction, transformInfo.getConfig().getSourceAddress(), transformInfo.getConfig().getDestinationAddress(), spi, // If outbound, also add SPI to the policy. mark, // Must always set policy mark; ikey/okey for VTIs 0xffffffff, c.getXfrmInterfaceId()); } // Update SA with tunnel mark (ikey or okey based on direction) createOrUpdateTransform(c, transformResourceId, spiRecord, socketRecord); if (transformInfo.isMigrating()) { if (!mContext.getPackageManager() .hasSystemFeature(FEATURE_IPSEC_TUNNEL_MIGRATION)) { Log.wtf( TAG, "Attempted to migrate a transform without" + " FEATURE_IPSEC_TUNNEL_MIGRATION"); } for (int selAddrFamily : ADDRESS_FAMILIES) { final IpSecMigrateInfoParcel migrateInfo = new IpSecMigrateInfoParcel( Binder.getCallingUid(), selAddrFamily, direction, c.getSourceAddress(), c.getDestinationAddress(), transformInfo.getNewSourceAddress(), transformInfo.getNewDestinationAddress(), c.getXfrmInterfaceId()); mNetd.ipSecMigrate(migrateInfo); } transformInfo.finishMigration(); } } catch (ServiceSpecificException e) { if (e.errorCode == EINVAL) { throw new IllegalArgumentException(e.toString()); } else { throw e; } } } @Override protected synchronized void dump(FileDescriptor fd, PrintWriter pw, String[] args) { mContext.enforceCallingOrSelfPermission(DUMP, TAG); pw.println("IpSecService dump:"); pw.println(); pw.println("mUserResourceTracker:"); pw.println(mUserResourceTracker); } }