1 /**
2 * Copyright (c) 2016, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "Netd"
18
19 #include <cinttypes>
20 #include <numeric>
21 #include <set>
22 #include <string>
23 #include <tuple>
24 #include <vector>
25
26 #include <android-base/file.h>
27 #include <android-base/stringprintf.h>
28 #include <android-base/strings.h>
29 #include <binder/IPCThreadState.h>
30 #include <binder/IServiceManager.h>
31 #include <binder/Status.h>
32 #include <cutils/properties.h>
33 #include <log/log.h>
34 #include <netdutils/DumpWriter.h>
35 #include <netdutils/Utils.h>
36 #include <utils/Errors.h>
37 #include <utils/String16.h>
38
39 #include "Controllers.h"
40 #include "Fwmark.h"
41 #include "InterfaceController.h"
42 #include "NetdNativeService.h"
43 #include "OemNetdListener.h"
44 #include "Permission.h"
45 #include "Process.h"
46 #include "RouteController.h"
47 #include "SockDiag.h"
48 #include "UidRanges.h"
49 #include "android/net/BnNetd.h"
50 #include "binder_utils/BinderUtil.h"
51 #include "binder_utils/NetdPermissions.h"
52 #include "netid_client.h" // NETID_UNSET
53
54 using android::base::StringPrintf;
55 using android::base::WriteStringToFile;
56 using android::net::TetherStatsParcel;
57 using android::net::UidRangeParcel;
58 using android::net::netd::aidl::NativeUidRangeConfig;
59 using android::netdutils::DumpWriter;
60 using android::netdutils::getIfaceNames;
61 using android::netdutils::ScopedIndent;
62 using android::os::ParcelFileDescriptor;
63
64 namespace android {
65 namespace net {
66
67 namespace {
68 const char OPT_SHORT[] = "--short";
69
70 #define ENFORCE_ANY_PERMISSION(...) \
71 do { \
72 binder::Status status = checkAnyPermission({__VA_ARGS__}); \
73 if (!status.isOk()) { \
74 return status; \
75 } \
76 } while (0)
77
78 #define NETD_LOCKING_RPC(lock, ... /* permissions */) \
79 ENFORCE_ANY_PERMISSION(__VA_ARGS__); \
80 std::lock_guard _lock(lock);
81
82 #define NETD_BIG_LOCK_RPC(... /* permissions */) NETD_LOCKING_RPC(gBigNetdLock, __VA_ARGS__)
83
84 #define RETURN_BINDER_STATUS_IF_NOT_OK(logEntry, res) \
85 do { \
86 if (!isOk((res))) { \
87 logErrorStatus((logEntry), (res)); \
88 return asBinderStatus((res)); \
89 } \
90 } while (0)
91
92 #define ENFORCE_NETWORK_STACK_PERMISSIONS() \
93 ENFORCE_ANY_PERMISSION(PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK)
94
logErrorStatus(netdutils::LogEntry & logEntry,const netdutils::Status & status)95 void logErrorStatus(netdutils::LogEntry& logEntry, const netdutils::Status& status) {
96 gLog.log(logEntry.returns(status.code()).withAutomaticDuration());
97 }
98
asBinderStatus(const netdutils::Status & status)99 binder::Status asBinderStatus(const netdutils::Status& status) {
100 if (isOk(status)) {
101 return binder::Status::ok();
102 }
103 return binder::Status::fromServiceSpecificError(status.code(), status.msg().c_str());
104 }
105
106 template <typename T>
asBinderStatus(const base::Result<T> result)107 binder::Status asBinderStatus(const base::Result<T> result) {
108 if (result.ok()) return binder::Status::ok();
109
110 return binder::Status::fromServiceSpecificError(result.error().code(),
111 result.error().message().c_str());
112 }
113
contains(const Vector<String16> & words,const String16 & word)114 bool contains(const Vector<String16>& words, const String16& word) {
115 for (const auto& w : words) {
116 if (w == word) return true;
117 }
118
119 return false;
120 }
121
122 } // namespace
123
NetdNativeService()124 NetdNativeService::NetdNativeService() {
125 // register log callback to BnNetd::logFunc
126 BnNetd::logFunc = [](const auto& log) {
127 binderCallLogFn(log, [](const std::string& msg) { gLog.info("%s", msg.c_str()); });
128 };
129 }
130
start()131 status_t NetdNativeService::start() {
132 IPCThreadState::self()->disableBackgroundScheduling(true);
133 const status_t ret = BinderService<NetdNativeService>::publish();
134 if (ret != android::OK) {
135 return ret;
136 }
137 sp<ProcessState> ps(ProcessState::self());
138 ps->startThreadPool();
139 ps->giveThreadPoolName();
140
141 return android::OK;
142 }
143
dump(int fd,const Vector<String16> & args)144 status_t NetdNativeService::dump(int fd, const Vector<String16> &args) {
145 const binder::Status dump_permission = checkAnyPermission({PERM_DUMP});
146 if (!dump_permission.isOk()) {
147 const String8 msg(dump_permission.toString8());
148 write(fd, msg.c_str(), msg.size());
149 return PERMISSION_DENIED;
150 }
151
152 // This method does not grab any locks. If individual classes need locking
153 // their dump() methods MUST handle locking appropriately.
154
155 DumpWriter dw(fd);
156
157 if (!args.isEmpty() && args[0] == TcpSocketMonitor::DUMP_KEYWORD) {
158 dw.blankline();
159 gCtls->tcpSocketMonitor.dump(dw);
160 dw.blankline();
161 return NO_ERROR;
162 }
163
164 process::dump(dw);
165 dw.blankline();
166 gCtls->netCtrl.dump(dw);
167 dw.blankline();
168
169 gCtls->xfrmCtrl.dump(dw);
170 dw.blankline();
171
172 gCtls->tetherCtrl.dump(dw);
173 dw.blankline();
174
175 {
176 ScopedIndent indentLog(dw);
177 if (contains(args, String16(OPT_SHORT))) {
178 dw.println("Log: <omitted>");
179 } else {
180 dw.println("Log:");
181 ScopedIndent indentLogEntries(dw);
182 gLog.forEachEntry([&dw](const std::string& entry) mutable { dw.println(entry); });
183 }
184 dw.blankline();
185 }
186
187 {
188 ScopedIndent indentLog(dw);
189 if (contains(args, String16(OPT_SHORT))) {
190 dw.println("UnsolicitedLog: <omitted>");
191 } else {
192 dw.println("UnsolicitedLog:");
193 ScopedIndent indentLogEntries(dw);
194 gUnsolicitedLog.forEachEntry(
195 [&dw](const std::string& entry) mutable { dw.println(entry); });
196 }
197 dw.blankline();
198 }
199
200 return NO_ERROR;
201 }
202
isAlive(bool * alive)203 binder::Status NetdNativeService::isAlive(bool *alive) {
204 NETD_BIG_LOCK_RPC(PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
205
206 *alive = true;
207
208 return binder::Status::ok();
209 }
210
firewallReplaceUidChain(const std::string &,bool,const std::vector<int32_t> &,bool *)211 binder::Status NetdNativeService::firewallReplaceUidChain(const std::string&, bool,
212 const std::vector<int32_t>&, bool*) {
213 DEPRECATED;
214 }
215
bandwidthEnableDataSaver(bool enable,bool * ret)216 binder::Status NetdNativeService::bandwidthEnableDataSaver(bool enable, bool *ret) {
217 NETD_LOCKING_RPC(gCtls->bandwidthCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
218 int err = gCtls->bandwidthCtrl.enableDataSaver(enable);
219 *ret = (err == 0);
220 return binder::Status::ok();
221 }
222
bandwidthSetInterfaceQuota(const std::string & ifName,int64_t bytes)223 binder::Status NetdNativeService::bandwidthSetInterfaceQuota(const std::string& ifName,
224 int64_t bytes) {
225 NETD_LOCKING_RPC(gCtls->bandwidthCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
226 int res = gCtls->bandwidthCtrl.setInterfaceQuota(ifName, bytes);
227 return statusFromErrcode(res);
228 }
229
bandwidthRemoveInterfaceQuota(const std::string & ifName)230 binder::Status NetdNativeService::bandwidthRemoveInterfaceQuota(const std::string& ifName) {
231 NETD_LOCKING_RPC(gCtls->bandwidthCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
232 int res = gCtls->bandwidthCtrl.removeInterfaceQuota(ifName);
233 return statusFromErrcode(res);
234 }
235
bandwidthSetInterfaceAlert(const std::string & ifName,int64_t bytes)236 binder::Status NetdNativeService::bandwidthSetInterfaceAlert(const std::string& ifName,
237 int64_t bytes) {
238 NETD_LOCKING_RPC(gCtls->bandwidthCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
239 int res = gCtls->bandwidthCtrl.setInterfaceAlert(ifName, bytes);
240 return statusFromErrcode(res);
241 }
242
bandwidthRemoveInterfaceAlert(const std::string & ifName)243 binder::Status NetdNativeService::bandwidthRemoveInterfaceAlert(const std::string& ifName) {
244 NETD_LOCKING_RPC(gCtls->bandwidthCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
245 int res = gCtls->bandwidthCtrl.removeInterfaceAlert(ifName);
246 return statusFromErrcode(res);
247 }
248
bandwidthSetGlobalAlert(int64_t bytes)249 binder::Status NetdNativeService::bandwidthSetGlobalAlert(int64_t bytes) {
250 NETD_LOCKING_RPC(gCtls->bandwidthCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
251 int res = gCtls->bandwidthCtrl.setGlobalAlert(bytes);
252 return statusFromErrcode(res);
253 }
254
bandwidthAddNaughtyApp(int32_t)255 binder::Status NetdNativeService::bandwidthAddNaughtyApp(int32_t) {
256 DEPRECATED;
257 }
258
bandwidthRemoveNaughtyApp(int32_t)259 binder::Status NetdNativeService::bandwidthRemoveNaughtyApp(int32_t) {
260 DEPRECATED;
261 }
262
bandwidthAddNiceApp(int32_t)263 binder::Status NetdNativeService::bandwidthAddNiceApp(int32_t) {
264 DEPRECATED;
265 }
266
bandwidthRemoveNiceApp(int32_t)267 binder::Status NetdNativeService::bandwidthRemoveNiceApp(int32_t) {
268 DEPRECATED;
269 }
270
271 // TODO: Remove this function when there are no users. Currently, it is still used by DNS resolver
272 // tests.
networkCreatePhysical(int32_t netId,int32_t permission)273 binder::Status NetdNativeService::networkCreatePhysical(int32_t netId, int32_t permission) {
274 ENFORCE_NETWORK_STACK_PERMISSIONS();
275 int ret = gCtls->netCtrl.createPhysicalNetwork(netId, convertPermission(permission),
276 false /* local */);
277 return statusFromErrcode(ret);
278 }
279
280 // TODO: Remove this function when there are no users. Currently, it is still used by DNS resolver
281 // tests.
networkCreateVpn(int32_t netId,bool secure)282 binder::Status NetdNativeService::networkCreateVpn(int32_t netId, bool secure) {
283 ENFORCE_NETWORK_STACK_PERMISSIONS();
284 // The value of vpnType does not matter here, because it is not used in AOSP and is only
285 // implemented by OEMs. Also, the RPC is going to deprecate. Just pick a value defined in INetd
286 // as default.
287 int ret = gCtls->netCtrl.createVirtualNetwork(netId, secure, NativeVpnType::LEGACY,
288 false /* excludeLocalRoutes */);
289 return statusFromErrcode(ret);
290 }
291
networkCreate(const NativeNetworkConfig & config)292 binder::Status NetdNativeService::networkCreate(const NativeNetworkConfig& config) {
293 ENFORCE_NETWORK_STACK_PERMISSIONS();
294 int ret = -EINVAL;
295 if (config.networkType == NativeNetworkType::PHYSICAL) {
296 ret = gCtls->netCtrl.createPhysicalNetwork(
297 config.netId, convertPermission(config.permission), false /* isLocalNetwork */);
298 } else if (config.networkType == NativeNetworkType::PHYSICAL_LOCAL) {
299 ret = gCtls->netCtrl.createPhysicalNetwork(
300 config.netId, convertPermission(config.permission), true /* isLocalNetwork */);
301 } else if (config.networkType == NativeNetworkType::VIRTUAL) {
302 ret = gCtls->netCtrl.createVirtualNetwork(config.netId, config.secure, config.vpnType,
303 config.excludeLocalRoutes);
304 }
305 return statusFromErrcode(ret);
306 }
307
networkDestroy(int32_t netId)308 binder::Status NetdNativeService::networkDestroy(int32_t netId) {
309 ENFORCE_NETWORK_STACK_PERMISSIONS();
310 // NetworkController::destroyNetwork is thread-safe.
311 const int ret = gCtls->netCtrl.destroyNetwork(netId);
312 return statusFromErrcode(ret);
313 }
314
networkAddInterface(int32_t netId,const std::string & iface)315 binder::Status NetdNativeService::networkAddInterface(int32_t netId, const std::string& iface) {
316 ENFORCE_NETWORK_STACK_PERMISSIONS();
317 int ret = gCtls->netCtrl.addInterfaceToNetwork(netId, iface.c_str());
318 return statusFromErrcode(ret);
319 }
320
networkRemoveInterface(int32_t netId,const std::string & iface)321 binder::Status NetdNativeService::networkRemoveInterface(int32_t netId, const std::string& iface) {
322 ENFORCE_NETWORK_STACK_PERMISSIONS();
323 int ret = gCtls->netCtrl.removeInterfaceFromNetwork(netId, iface.c_str());
324 return statusFromErrcode(ret);
325 }
326
networkAddUidRanges(int32_t netId,const std::vector<UidRangeParcel> & uidRangeArray)327 binder::Status NetdNativeService::networkAddUidRanges(
328 int32_t netId, const std::vector<UidRangeParcel>& uidRangeArray) {
329 // NetworkController::addUsersToNetwork is thread-safe.
330 ENFORCE_NETWORK_STACK_PERMISSIONS();
331 int ret = gCtls->netCtrl.addUsersToNetwork(netId, UidRanges(uidRangeArray),
332 UidRanges::SUB_PRIORITY_HIGHEST);
333 return statusFromErrcode(ret);
334 }
335
networkRemoveUidRanges(int32_t netId,const std::vector<UidRangeParcel> & uidRangeArray)336 binder::Status NetdNativeService::networkRemoveUidRanges(
337 int32_t netId, const std::vector<UidRangeParcel>& uidRangeArray) {
338 // NetworkController::removeUsersFromNetwork is thread-safe.
339 ENFORCE_NETWORK_STACK_PERMISSIONS();
340 int ret = gCtls->netCtrl.removeUsersFromNetwork(netId, UidRanges(uidRangeArray),
341 UidRanges::SUB_PRIORITY_HIGHEST);
342 return statusFromErrcode(ret);
343 }
344
networkAddUidRangesParcel(const NativeUidRangeConfig & config)345 binder::Status NetdNativeService::networkAddUidRangesParcel(const NativeUidRangeConfig& config) {
346 ENFORCE_NETWORK_STACK_PERMISSIONS();
347 int ret = gCtls->netCtrl.addUsersToNetwork(config.netId, UidRanges(config.uidRanges),
348 config.subPriority);
349 return statusFromErrcode(ret);
350 }
351
networkRemoveUidRangesParcel(const NativeUidRangeConfig & config)352 binder::Status NetdNativeService::networkRemoveUidRangesParcel(const NativeUidRangeConfig& config) {
353 ENFORCE_NETWORK_STACK_PERMISSIONS();
354 int ret = gCtls->netCtrl.removeUsersFromNetwork(config.netId, UidRanges(config.uidRanges),
355 config.subPriority);
356 return statusFromErrcode(ret);
357 }
358
networkRejectNonSecureVpn(bool add,const std::vector<UidRangeParcel> & uidRangeArray)359 binder::Status NetdNativeService::networkRejectNonSecureVpn(
360 bool add, const std::vector<UidRangeParcel>& uidRangeArray) {
361 // TODO: elsewhere RouteController is only used from the tethering and network controllers, so
362 // it should be possible to use the same lock as NetworkController. However, every call through
363 // the CommandListener "network" command will need to hold this lock too, not just the ones that
364 // read/modify network internal state (that is sufficient for ::dump() because it doesn't
365 // look at routes, but it's not enough here).
366 NETD_BIG_LOCK_RPC(PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
367 UidRanges uidRanges(uidRangeArray);
368
369 int err;
370 if (add) {
371 err = RouteController::addUsersToRejectNonSecureNetworkRule(uidRanges);
372 } else {
373 err = RouteController::removeUsersFromRejectNonSecureNetworkRule(uidRanges);
374 }
375 return statusFromErrcode(err);
376 }
377
socketDestroy(const std::vector<UidRangeParcel> &,const std::vector<int32_t> &)378 binder::Status NetdNativeService::socketDestroy(const std::vector<UidRangeParcel>&,
379 const std::vector<int32_t>&) {
380 DEPRECATED;
381 }
382
tetherApplyDnsInterfaces(bool * ret)383 binder::Status NetdNativeService::tetherApplyDnsInterfaces(bool *ret) {
384 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
385 *ret = gCtls->tetherCtrl.applyDnsInterfaces();
386 return binder::Status::ok();
387 }
388
389 namespace {
390
391 constexpr const int UNUSED_IFINDEX = 0;
392
tetherAddStatsByInterface(TetherController::TetherStats * tetherStatsParcel,const TetherController::TetherStats & tetherStats)393 void tetherAddStatsByInterface(TetherController::TetherStats* tetherStatsParcel,
394 const TetherController::TetherStats& tetherStats) {
395 if (tetherStatsParcel->extIface == tetherStats.extIface) {
396 tetherStatsParcel->rxBytes += tetherStats.rxBytes;
397 tetherStatsParcel->rxPackets += tetherStats.rxPackets;
398 tetherStatsParcel->txBytes += tetherStats.txBytes;
399 tetherStatsParcel->txPackets += tetherStats.txPackets;
400 }
401 }
402
toTetherStatsParcel(const TetherController::TetherStats & stats)403 TetherStatsParcel toTetherStatsParcel(const TetherController::TetherStats& stats) {
404 TetherStatsParcel result;
405 result.iface = stats.extIface;
406 result.rxBytes = stats.rxBytes;
407 result.rxPackets = stats.rxPackets;
408 result.txBytes = stats.txBytes;
409 result.txPackets = stats.txPackets;
410 result.ifIndex = UNUSED_IFINDEX;
411 return result;
412 }
413
setTetherStatsParcelVecByInterface(std::vector<TetherStatsParcel> * tetherStatsVec,const TetherController::TetherStatsList & statsList)414 void setTetherStatsParcelVecByInterface(std::vector<TetherStatsParcel>* tetherStatsVec,
415 const TetherController::TetherStatsList& statsList) {
416 std::map<std::string, TetherController::TetherStats> statsMap;
417 for (const auto& stats : statsList) {
418 auto iter = statsMap.find(stats.extIface);
419 if (iter != statsMap.end()) {
420 tetherAddStatsByInterface(&(iter->second), stats);
421 } else {
422 statsMap.insert(
423 std::pair<std::string, TetherController::TetherStats>(stats.extIface, stats));
424 }
425 }
426 for (auto iter = statsMap.begin(); iter != statsMap.end(); iter++) {
427 tetherStatsVec->push_back(toTetherStatsParcel(iter->second));
428 }
429 }
430
431 } // namespace
432
tetherGetStats(std::vector<TetherStatsParcel> * tetherStatsParcelVec)433 binder::Status NetdNativeService::tetherGetStats(
434 std::vector<TetherStatsParcel>* tetherStatsParcelVec) {
435 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
436 const auto& statsList = gCtls->tetherCtrl.getTetherStats();
437 if (!isOk(statsList)) {
438 return asBinderStatus(statsList);
439 }
440 setTetherStatsParcelVecByInterface(tetherStatsParcelVec, statsList.value());
441 return binder::Status::ok();
442 }
443
interfaceAddAddress(const std::string & ifName,const std::string & addrString,int prefixLength)444 binder::Status NetdNativeService::interfaceAddAddress(const std::string &ifName,
445 const std::string &addrString, int prefixLength) {
446 ENFORCE_NETWORK_STACK_PERMISSIONS();
447 const int err = InterfaceController::addAddress(
448 ifName.c_str(), addrString.c_str(), prefixLength);
449 if (err != 0) {
450 return binder::Status::fromServiceSpecificError(-err,
451 String8::format("InterfaceController error: %s", strerror(-err)));
452 }
453 return binder::Status::ok();
454 }
455
interfaceDelAddress(const std::string & ifName,const std::string & addrString,int prefixLength)456 binder::Status NetdNativeService::interfaceDelAddress(const std::string &ifName,
457 const std::string &addrString, int prefixLength) {
458 ENFORCE_NETWORK_STACK_PERMISSIONS();
459 const int err = InterfaceController::delAddress(
460 ifName.c_str(), addrString.c_str(), prefixLength);
461 if (err != 0) {
462 return binder::Status::fromServiceSpecificError(-err,
463 String8::format("InterfaceController error: %s", strerror(-err)));
464 }
465 return binder::Status::ok();
466 }
467
468 namespace {
469
getPathComponents(int32_t ipversion,int32_t category)470 std::tuple<binder::Status, const char*, const char*> getPathComponents(int32_t ipversion,
471 int32_t category) {
472 const char* ipversionStr = nullptr;
473 switch (ipversion) {
474 case INetd::IPV4:
475 ipversionStr = "ipv4";
476 break;
477 case INetd::IPV6:
478 ipversionStr = "ipv6";
479 break;
480 default:
481 return {binder::Status::fromServiceSpecificError(EAFNOSUPPORT, "Bad IP version"),
482 nullptr, nullptr};
483 }
484
485 const char* whichStr = nullptr;
486 switch (category) {
487 case INetd::CONF:
488 whichStr = "conf";
489 break;
490 case INetd::NEIGH:
491 whichStr = "neigh";
492 break;
493 default:
494 return {binder::Status::fromServiceSpecificError(EINVAL, "Bad category"), nullptr,
495 nullptr};
496 }
497
498 return {binder::Status::ok(), ipversionStr, whichStr};
499 }
500
501 } // namespace
502
getProcSysNet(int32_t ipversion,int32_t which,const std::string & ifname,const std::string & parameter,std::string * value)503 binder::Status NetdNativeService::getProcSysNet(int32_t ipversion, int32_t which,
504 const std::string& ifname,
505 const std::string& parameter, std::string* value) {
506 ENFORCE_NETWORK_STACK_PERMISSIONS();
507 const auto pathParts = getPathComponents(ipversion, which);
508 const auto& pathStatus = std::get<0>(pathParts);
509 if (!pathStatus.isOk()) {
510 return pathStatus;
511 }
512
513 const int err = InterfaceController::getParameter(std::get<1>(pathParts),
514 std::get<2>(pathParts), ifname.c_str(),
515 parameter.c_str(), value);
516 return statusFromErrcode(err);
517 }
518
setProcSysNet(int32_t ipversion,int32_t which,const std::string & ifname,const std::string & parameter,const std::string & value)519 binder::Status NetdNativeService::setProcSysNet(int32_t ipversion, int32_t which,
520 const std::string& ifname,
521 const std::string& parameter,
522 const std::string& value) {
523 ENFORCE_NETWORK_STACK_PERMISSIONS();
524 const auto pathParts = getPathComponents(ipversion, which);
525 const auto& pathStatus = std::get<0>(pathParts);
526 if (!pathStatus.isOk()) {
527 return pathStatus;
528 }
529
530 const int err = InterfaceController::setParameter(std::get<1>(pathParts),
531 std::get<2>(pathParts), ifname.c_str(),
532 parameter.c_str(), value.c_str());
533 return statusFromErrcode(err);
534 }
535
ipSecSetEncapSocketOwner(const ParcelFileDescriptor & socket,int newUid)536 binder::Status NetdNativeService::ipSecSetEncapSocketOwner(const ParcelFileDescriptor& socket,
537 int newUid) {
538 ENFORCE_NETWORK_STACK_PERMISSIONS();
539
540 uid_t callerUid = IPCThreadState::self()->getCallingUid();
541 return asBinderStatus(
542 gCtls->xfrmCtrl.ipSecSetEncapSocketOwner(socket.get(), newUid, callerUid));
543 }
544
ipSecAllocateSpi(int32_t transformId,const std::string & sourceAddress,const std::string & destinationAddress,int32_t inSpi,int32_t * outSpi)545 binder::Status NetdNativeService::ipSecAllocateSpi(
546 int32_t transformId,
547 const std::string& sourceAddress,
548 const std::string& destinationAddress,
549 int32_t inSpi,
550 int32_t* outSpi) {
551 // Necessary locking done in IpSecService and kernel
552 ENFORCE_NETWORK_STACK_PERMISSIONS();
553 return asBinderStatus(gCtls->xfrmCtrl.ipSecAllocateSpi(
554 transformId,
555 sourceAddress,
556 destinationAddress,
557 inSpi,
558 outSpi));
559 }
560
ipSecAddSecurityAssociation(int32_t transformId,int32_t mode,const std::string & sourceAddress,const std::string & destinationAddress,int32_t underlyingNetId,int32_t spi,int32_t markValue,int32_t markMask,const std::string & authAlgo,const std::vector<uint8_t> & authKey,int32_t authTruncBits,const std::string & cryptAlgo,const std::vector<uint8_t> & cryptKey,int32_t cryptTruncBits,const std::string & aeadAlgo,const std::vector<uint8_t> & aeadKey,int32_t aeadIcvBits,int32_t encapType,int32_t encapLocalPort,int32_t encapRemotePort,int32_t interfaceId)561 binder::Status NetdNativeService::ipSecAddSecurityAssociation(
562 int32_t transformId, int32_t mode, const std::string& sourceAddress,
563 const std::string& destinationAddress, int32_t underlyingNetId, int32_t spi,
564 int32_t markValue, int32_t markMask, const std::string& authAlgo,
565 const std::vector<uint8_t>& authKey, int32_t authTruncBits, const std::string& cryptAlgo,
566 const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits, const std::string& aeadAlgo,
567 const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits, int32_t encapType,
568 int32_t encapLocalPort, int32_t encapRemotePort, int32_t interfaceId) {
569 // Necessary locking done in IpSecService and kernel
570 ENFORCE_NETWORK_STACK_PERMISSIONS();
571 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation(
572 transformId, mode, sourceAddress, destinationAddress, underlyingNetId, spi, markValue,
573 markMask, authAlgo, authKey, authTruncBits, cryptAlgo, cryptKey, cryptTruncBits,
574 aeadAlgo, aeadKey, aeadIcvBits, encapType, encapLocalPort, encapRemotePort,
575 interfaceId));
576 }
577
ipSecDeleteSecurityAssociation(int32_t transformId,const std::string & sourceAddress,const std::string & destinationAddress,int32_t spi,int32_t markValue,int32_t markMask,int32_t interfaceId)578 binder::Status NetdNativeService::ipSecDeleteSecurityAssociation(
579 int32_t transformId, const std::string& sourceAddress,
580 const std::string& destinationAddress, int32_t spi, int32_t markValue, int32_t markMask,
581 int32_t interfaceId) {
582 // Necessary locking done in IpSecService and kernel
583 ENFORCE_NETWORK_STACK_PERMISSIONS();
584 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation(
585 transformId, sourceAddress, destinationAddress, spi, markValue, markMask, interfaceId));
586 }
587
ipSecApplyTransportModeTransform(const ParcelFileDescriptor & socket,int32_t transformId,int32_t direction,const std::string & sourceAddress,const std::string & destinationAddress,int32_t spi)588 binder::Status NetdNativeService::ipSecApplyTransportModeTransform(
589 const ParcelFileDescriptor& socket, int32_t transformId, int32_t direction,
590 const std::string& sourceAddress, const std::string& destinationAddress, int32_t spi) {
591 // Necessary locking done in IpSecService and kernel
592 ENFORCE_NETWORK_STACK_PERMISSIONS();
593 return asBinderStatus(gCtls->xfrmCtrl.ipSecApplyTransportModeTransform(
594 socket.get(), transformId, direction, sourceAddress, destinationAddress, spi));
595 }
596
ipSecRemoveTransportModeTransform(const ParcelFileDescriptor & socket)597 binder::Status NetdNativeService::ipSecRemoveTransportModeTransform(
598 const ParcelFileDescriptor& socket) {
599 // Necessary locking done in IpSecService and kernel
600 ENFORCE_NETWORK_STACK_PERMISSIONS();
601 return asBinderStatus(gCtls->xfrmCtrl.ipSecRemoveTransportModeTransform(socket.get()));
602 }
603
ipSecAddSecurityPolicy(int32_t transformId,int32_t selAddrFamily,int32_t direction,const std::string & tmplSrcAddress,const std::string & tmplDstAddress,int32_t spi,int32_t markValue,int32_t markMask,int32_t interfaceId)604 binder::Status NetdNativeService::ipSecAddSecurityPolicy(int32_t transformId, int32_t selAddrFamily,
605 int32_t direction,
606 const std::string& tmplSrcAddress,
607 const std::string& tmplDstAddress,
608 int32_t spi, int32_t markValue,
609 int32_t markMask, int32_t interfaceId) {
610 // Necessary locking done in IpSecService and kernel
611 ENFORCE_NETWORK_STACK_PERMISSIONS();
612 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityPolicy(
613 transformId, selAddrFamily, direction, tmplSrcAddress, tmplDstAddress, spi, markValue,
614 markMask, interfaceId));
615 }
616
ipSecUpdateSecurityPolicy(int32_t transformId,int32_t selAddrFamily,int32_t direction,const std::string & tmplSrcAddress,const std::string & tmplDstAddress,int32_t spi,int32_t markValue,int32_t markMask,int32_t interfaceId)617 binder::Status NetdNativeService::ipSecUpdateSecurityPolicy(
618 int32_t transformId, int32_t selAddrFamily, int32_t direction,
619 const std::string& tmplSrcAddress, const std::string& tmplDstAddress, int32_t spi,
620 int32_t markValue, int32_t markMask, int32_t interfaceId) {
621 // Necessary locking done in IpSecService and kernel
622 ENFORCE_NETWORK_STACK_PERMISSIONS();
623 return asBinderStatus(gCtls->xfrmCtrl.ipSecUpdateSecurityPolicy(
624 transformId, selAddrFamily, direction, tmplSrcAddress, tmplDstAddress, spi, markValue,
625 markMask, interfaceId));
626 }
627
ipSecDeleteSecurityPolicy(int32_t transformId,int32_t selAddrFamily,int32_t direction,int32_t markValue,int32_t markMask,int32_t interfaceId)628 binder::Status NetdNativeService::ipSecDeleteSecurityPolicy(int32_t transformId,
629 int32_t selAddrFamily,
630 int32_t direction, int32_t markValue,
631 int32_t markMask, int32_t interfaceId) {
632 // Necessary locking done in IpSecService and kernel
633 ENFORCE_NETWORK_STACK_PERMISSIONS();
634 return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityPolicy(
635 transformId, selAddrFamily, direction, markValue, markMask, interfaceId));
636 }
637
ipSecAddTunnelInterface(const std::string & deviceName,const std::string & localAddress,const std::string & remoteAddress,int32_t iKey,int32_t oKey,int32_t interfaceId)638 binder::Status NetdNativeService::ipSecAddTunnelInterface(const std::string& deviceName,
639 const std::string& localAddress,
640 const std::string& remoteAddress,
641 int32_t iKey, int32_t oKey,
642 int32_t interfaceId) {
643 // Necessary locking done in IpSecService and kernel
644 ENFORCE_NETWORK_STACK_PERMISSIONS();
645 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddTunnelInterface(
646 deviceName, localAddress, remoteAddress, iKey, oKey, interfaceId, false));
647 }
648
ipSecUpdateTunnelInterface(const std::string & deviceName,const std::string & localAddress,const std::string & remoteAddress,int32_t iKey,int32_t oKey,int32_t interfaceId)649 binder::Status NetdNativeService::ipSecUpdateTunnelInterface(const std::string& deviceName,
650 const std::string& localAddress,
651 const std::string& remoteAddress,
652 int32_t iKey, int32_t oKey,
653 int32_t interfaceId) {
654 // Necessary locking done in IpSecService and kernel
655 ENFORCE_NETWORK_STACK_PERMISSIONS();
656 return asBinderStatus(gCtls->xfrmCtrl.ipSecAddTunnelInterface(
657 deviceName, localAddress, remoteAddress, iKey, oKey, interfaceId, true));
658 }
659
ipSecRemoveTunnelInterface(const std::string & deviceName)660 binder::Status NetdNativeService::ipSecRemoveTunnelInterface(const std::string& deviceName) {
661 // Necessary locking done in IpSecService and kernel
662 ENFORCE_NETWORK_STACK_PERMISSIONS();
663 return asBinderStatus(gCtls->xfrmCtrl.ipSecRemoveTunnelInterface(deviceName));
664 }
665
ipSecMigrate(const IpSecMigrateInfoParcel & migrateInfo)666 binder::Status NetdNativeService::ipSecMigrate(const IpSecMigrateInfoParcel& migrateInfo) {
667 // Necessary locking done in IpSecService and kernel
668 ENFORCE_NETWORK_STACK_PERMISSIONS();
669 return asBinderStatus(gCtls->xfrmCtrl.ipSecMigrate(
670 migrateInfo.requestId, migrateInfo.selAddrFamily, migrateInfo.direction,
671 migrateInfo.oldSourceAddress, migrateInfo.oldDestinationAddress,
672 migrateInfo.newSourceAddress, migrateInfo.newDestinationAddress,
673 migrateInfo.interfaceId));
674 }
675
setIPv6AddrGenMode(const std::string & ifName,int32_t mode)676 binder::Status NetdNativeService::setIPv6AddrGenMode(const std::string& ifName,
677 int32_t mode) {
678 ENFORCE_NETWORK_STACK_PERMISSIONS();
679 return asBinderStatus(InterfaceController::setIPv6AddrGenMode(ifName, mode));
680 }
681
wakeupAddInterface(const std::string & ifName,const std::string & prefix,int32_t mark,int32_t mask)682 binder::Status NetdNativeService::wakeupAddInterface(const std::string& ifName,
683 const std::string& prefix, int32_t mark,
684 int32_t mask) {
685 ENFORCE_NETWORK_STACK_PERMISSIONS();
686 return asBinderStatus(gCtls->wakeupCtrl.addInterface(ifName, prefix, mark, mask));
687 }
688
wakeupDelInterface(const std::string & ifName,const std::string & prefix,int32_t mark,int32_t mask)689 binder::Status NetdNativeService::wakeupDelInterface(const std::string& ifName,
690 const std::string& prefix, int32_t mark,
691 int32_t mask) {
692 ENFORCE_NETWORK_STACK_PERMISSIONS();
693 return asBinderStatus(gCtls->wakeupCtrl.delInterface(ifName, prefix, mark, mask));
694 }
695
trafficSwapActiveStatsMap()696 binder::Status NetdNativeService::trafficSwapActiveStatsMap() {
697 DEPRECATED;
698 }
699
idletimerAddInterface(const std::string & ifName,int32_t timeout,const std::string & classLabel)700 binder::Status NetdNativeService::idletimerAddInterface(const std::string& ifName, int32_t timeout,
701 const std::string& classLabel) {
702 NETD_LOCKING_RPC(gCtls->idletimerCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
703 int res =
704 gCtls->idletimerCtrl.addInterfaceIdletimer(ifName.c_str(), timeout, classLabel.c_str());
705 return statusFromErrcode(res);
706 }
707
idletimerRemoveInterface(const std::string & ifName,int32_t timeout,const std::string & classLabel)708 binder::Status NetdNativeService::idletimerRemoveInterface(const std::string& ifName,
709 int32_t timeout,
710 const std::string& classLabel) {
711 NETD_LOCKING_RPC(gCtls->idletimerCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
712 int res = gCtls->idletimerCtrl.removeInterfaceIdletimer(ifName.c_str(), timeout,
713 classLabel.c_str());
714 return statusFromErrcode(res);
715 }
716
strictUidCleartextPenalty(int32_t uid,int32_t policyPenalty)717 binder::Status NetdNativeService::strictUidCleartextPenalty(int32_t uid, int32_t policyPenalty) {
718 NETD_LOCKING_RPC(gCtls->strictCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
719 StrictPenalty penalty;
720 switch (policyPenalty) {
721 case INetd::PENALTY_POLICY_REJECT:
722 penalty = REJECT;
723 break;
724 case INetd::PENALTY_POLICY_LOG:
725 penalty = LOG;
726 break;
727 case INetd::PENALTY_POLICY_ACCEPT:
728 penalty = ACCEPT;
729 break;
730 default:
731 return statusFromErrcode(-EINVAL);
732 break;
733 }
734 int res = gCtls->strictCtrl.setUidCleartextPenalty((uid_t) uid, penalty);
735 return statusFromErrcode(res);
736 }
737
clatdStart(const std::string &,const std::string &,std::string *)738 binder::Status NetdNativeService::clatdStart(const std::string& /* ifName */,
739 const std::string& /* nat64Prefix */,
740 std::string* /* v6Addr */) {
741 DEPRECATED;
742 }
743
clatdStop(const std::string &)744 binder::Status NetdNativeService::clatdStop(const std::string& /* ifName */) {
745 DEPRECATED;
746 }
747
ipfwdEnabled(bool * status)748 binder::Status NetdNativeService::ipfwdEnabled(bool* status) {
749 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
750 *status = (gCtls->tetherCtrl.getIpfwdRequesterList().size() > 0) ? true : false;
751 return binder::Status::ok();
752 }
753
ipfwdGetRequesterList(std::vector<std::string> * requesterList)754 binder::Status NetdNativeService::ipfwdGetRequesterList(std::vector<std::string>* requesterList) {
755 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
756 for (const auto& requester : gCtls->tetherCtrl.getIpfwdRequesterList()) {
757 requesterList->push_back(requester);
758 }
759 return binder::Status::ok();
760 }
761
ipfwdEnableForwarding(const std::string & requester)762 binder::Status NetdNativeService::ipfwdEnableForwarding(const std::string& requester) {
763 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
764 int res = (gCtls->tetherCtrl.enableForwarding(requester.c_str())) ? 0 : -EREMOTEIO;
765 return statusFromErrcode(res);
766 }
767
ipfwdDisableForwarding(const std::string & requester)768 binder::Status NetdNativeService::ipfwdDisableForwarding(const std::string& requester) {
769 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
770 int res = (gCtls->tetherCtrl.disableForwarding(requester.c_str())) ? 0 : -EREMOTEIO;
771 return statusFromErrcode(res);
772 }
773
ipfwdAddInterfaceForward(const std::string & fromIface,const std::string & toIface)774 binder::Status NetdNativeService::ipfwdAddInterfaceForward(const std::string& fromIface,
775 const std::string& toIface) {
776 ENFORCE_NETWORK_STACK_PERMISSIONS();
777 int res = RouteController::enableTethering(fromIface.c_str(), toIface.c_str());
778 return statusFromErrcode(res);
779 }
780
ipfwdRemoveInterfaceForward(const std::string & fromIface,const std::string & toIface)781 binder::Status NetdNativeService::ipfwdRemoveInterfaceForward(const std::string& fromIface,
782 const std::string& toIface) {
783 ENFORCE_NETWORK_STACK_PERMISSIONS();
784 int res = RouteController::disableTethering(fromIface.c_str(), toIface.c_str());
785 return statusFromErrcode(res);
786 }
787
788 namespace {
789
addCurlyBrackets(const std::string & s)790 std::string addCurlyBrackets(const std::string& s) {
791 return "{" + s + "}";
792 }
793
794 } // namespace
795
interfaceGetList(std::vector<std::string> * interfaceListResult)796 binder::Status NetdNativeService::interfaceGetList(std::vector<std::string>* interfaceListResult) {
797 NETD_LOCKING_RPC(InterfaceController::mutex, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
798 const auto& ifaceList = getIfaceNames();
799
800 interfaceListResult->clear();
801 interfaceListResult->reserve(ifaceList.value().size());
802 interfaceListResult->insert(end(*interfaceListResult), begin(ifaceList.value()),
803 end(ifaceList.value()));
804
805 return binder::Status::ok();
806 }
807
interfaceConfigurationParcelToString(const InterfaceConfigurationParcel & cfg)808 std::string interfaceConfigurationParcelToString(const InterfaceConfigurationParcel& cfg) {
809 std::vector<std::string> result{cfg.ifName, cfg.hwAddr, cfg.ipv4Addr,
810 std::to_string(cfg.prefixLength)};
811 result.insert(end(result), begin(cfg.flags), end(cfg.flags));
812 return addCurlyBrackets(base::Join(result, ", "));
813 }
814
interfaceGetCfg(const std::string & ifName,InterfaceConfigurationParcel * interfaceGetCfgResult)815 binder::Status NetdNativeService::interfaceGetCfg(
816 const std::string& ifName, InterfaceConfigurationParcel* interfaceGetCfgResult) {
817 NETD_LOCKING_RPC(InterfaceController::mutex, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
818 auto entry = gLog.newEntry().prettyFunction(__PRETTY_FUNCTION__).arg(ifName);
819
820 const auto& cfgRes = InterfaceController::getCfg(ifName);
821 RETURN_BINDER_STATUS_IF_NOT_OK(entry, cfgRes);
822
823 *interfaceGetCfgResult = cfgRes.value();
824 gLog.log(entry.returns(interfaceConfigurationParcelToString(*interfaceGetCfgResult))
825 .withAutomaticDuration());
826 return binder::Status::ok();
827 }
828
interfaceSetCfg(const InterfaceConfigurationParcel & cfg)829 binder::Status NetdNativeService::interfaceSetCfg(const InterfaceConfigurationParcel& cfg) {
830 NETD_LOCKING_RPC(InterfaceController::mutex, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
831 auto entry = gLog.newEntry()
832 .prettyFunction(__PRETTY_FUNCTION__)
833 .arg(interfaceConfigurationParcelToString(cfg));
834
835 const auto& res = InterfaceController::setCfg(cfg);
836 RETURN_BINDER_STATUS_IF_NOT_OK(entry, res);
837
838 gLog.log(entry.withAutomaticDuration());
839 return binder::Status::ok();
840 }
841
interfaceSetIPv6PrivacyExtensions(const std::string & ifName,bool enable)842 binder::Status NetdNativeService::interfaceSetIPv6PrivacyExtensions(const std::string& ifName,
843 bool enable) {
844 NETD_LOCKING_RPC(InterfaceController::mutex, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
845 int res = InterfaceController::setIPv6PrivacyExtensions(ifName.c_str(), enable);
846 return statusFromErrcode(res);
847 }
848
interfaceClearAddrs(const std::string & ifName)849 binder::Status NetdNativeService::interfaceClearAddrs(const std::string& ifName) {
850 NETD_LOCKING_RPC(InterfaceController::mutex, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
851 int res = InterfaceController::clearAddrs(ifName.c_str());
852 return statusFromErrcode(res);
853 }
854
interfaceSetEnableIPv6(const std::string & ifName,bool enable)855 binder::Status NetdNativeService::interfaceSetEnableIPv6(const std::string& ifName, bool enable) {
856 NETD_LOCKING_RPC(InterfaceController::mutex, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
857 int res = InterfaceController::setEnableIPv6(ifName.c_str(), enable);
858 return statusFromErrcode(res);
859 }
860
interfaceSetMtu(const std::string & ifName,int32_t mtuValue)861 binder::Status NetdNativeService::interfaceSetMtu(const std::string& ifName, int32_t mtuValue) {
862 NETD_LOCKING_RPC(InterfaceController::mutex, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
863 std::string mtu = std::to_string(mtuValue);
864 int res = InterfaceController::setMtu(ifName.c_str(), mtu.c_str());
865 return statusFromErrcode(res);
866 }
867
tetherStart(const std::vector<std::string> & dhcpRanges)868 binder::Status NetdNativeService::tetherStart(const std::vector<std::string>& dhcpRanges) {
869 TetherConfigParcel config;
870 config.usingLegacyDnsProxy = true;
871 config.dhcpRanges = dhcpRanges;
872 return tetherStartWithConfiguration(config);
873 }
874
tetherStartWithConfiguration(const TetherConfigParcel & config)875 binder::Status NetdNativeService::tetherStartWithConfiguration(const TetherConfigParcel& config) {
876 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
877 if (config.dhcpRanges.size() % 2 == 1) {
878 return statusFromErrcode(-EINVAL);
879 }
880 // TODO: Pass TetherConfigParcel directly.
881 int res = gCtls->tetherCtrl.startTethering(config.usingLegacyDnsProxy, config.dhcpRanges);
882 return statusFromErrcode(res);
883 }
884
tetherStop()885 binder::Status NetdNativeService::tetherStop() {
886 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
887 int res = gCtls->tetherCtrl.stopTethering();
888 return statusFromErrcode(res);
889 }
890
tetherIsEnabled(bool * enabled)891 binder::Status NetdNativeService::tetherIsEnabled(bool* enabled) {
892 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
893 *enabled = gCtls->tetherCtrl.isTetheringStarted();
894 return binder::Status::ok();
895 }
896
tetherInterfaceAdd(const std::string & ifName)897 binder::Status NetdNativeService::tetherInterfaceAdd(const std::string& ifName) {
898 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
899 int res = gCtls->tetherCtrl.tetherInterface(ifName.c_str());
900 return statusFromErrcode(res);
901 }
902
tetherInterfaceRemove(const std::string & ifName)903 binder::Status NetdNativeService::tetherInterfaceRemove(const std::string& ifName) {
904 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
905 int res = gCtls->tetherCtrl.untetherInterface(ifName.c_str());
906 return statusFromErrcode(res);
907 }
908
tetherInterfaceList(std::vector<std::string> * ifList)909 binder::Status NetdNativeService::tetherInterfaceList(std::vector<std::string>* ifList) {
910 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
911 for (const auto& ifname : gCtls->tetherCtrl.getTetheredInterfaceList()) {
912 ifList->push_back(ifname);
913 }
914 return binder::Status::ok();
915 }
916
tetherDnsSet(int32_t netId,const std::vector<std::string> & dnsAddrs)917 binder::Status NetdNativeService::tetherDnsSet(int32_t netId,
918 const std::vector<std::string>& dnsAddrs) {
919 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
920 int res = gCtls->tetherCtrl.setDnsForwarders(netId, dnsAddrs);
921 return statusFromErrcode(res);
922 }
923
tetherDnsList(std::vector<std::string> * dnsList)924 binder::Status NetdNativeService::tetherDnsList(std::vector<std::string>* dnsList) {
925 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
926 for (const auto& fwdr : gCtls->tetherCtrl.getDnsForwarders()) {
927 dnsList->push_back(fwdr);
928 }
929 return binder::Status::ok();
930 }
931
networkAddRouteParcel(int32_t netId,const RouteInfoParcel & route)932 binder::Status NetdNativeService::networkAddRouteParcel(int32_t netId,
933 const RouteInfoParcel& route) {
934 // Public methods of NetworkController are thread-safe.
935 ENFORCE_NETWORK_STACK_PERMISSIONS();
936 bool legacy = false;
937 uid_t uid = 0; // UID is only meaningful for legacy routes.
938
939 // convert Parcel to parameters
940 int res = gCtls->netCtrl.addRoute(netId, route.ifName.c_str(), route.destination.c_str(),
941 route.nextHop.empty() ? nullptr : route.nextHop.c_str(),
942 legacy, uid, route.mtu);
943 return statusFromErrcode(res);
944 }
945
networkUpdateRouteParcel(int32_t netId,const RouteInfoParcel & route)946 binder::Status NetdNativeService::networkUpdateRouteParcel(int32_t netId,
947 const RouteInfoParcel& route) {
948 // Public methods of NetworkController are thread-safe.
949 ENFORCE_NETWORK_STACK_PERMISSIONS();
950 bool legacy = false;
951 uid_t uid = 0; // UID is only meaningful for legacy routes.
952
953 // convert Parcel to parameters
954 int res = gCtls->netCtrl.updateRoute(netId, route.ifName.c_str(), route.destination.c_str(),
955 route.nextHop.empty() ? nullptr : route.nextHop.c_str(),
956 legacy, uid, route.mtu);
957 return statusFromErrcode(res);
958 }
959
networkRemoveRouteParcel(int32_t netId,const RouteInfoParcel & route)960 binder::Status NetdNativeService::networkRemoveRouteParcel(int32_t netId,
961 const RouteInfoParcel& route) {
962 return networkRemoveRoute(netId, route.ifName, route.destination, route.nextHop);
963 }
964
networkAddRoute(int32_t netId,const std::string & ifName,const std::string & destination,const std::string & nextHop)965 binder::Status NetdNativeService::networkAddRoute(int32_t netId, const std::string& ifName,
966 const std::string& destination,
967 const std::string& nextHop) {
968 // Public methods of NetworkController are thread-safe.
969 ENFORCE_NETWORK_STACK_PERMISSIONS();
970 bool legacy = false;
971 uid_t uid = 0; // UID is only meaningful for legacy routes.
972 int res = gCtls->netCtrl.addRoute(netId, ifName.c_str(), destination.c_str(),
973 nextHop.empty() ? nullptr : nextHop.c_str(), legacy, uid, 0);
974 return statusFromErrcode(res);
975 }
976
networkRemoveRoute(int32_t netId,const std::string & ifName,const std::string & destination,const std::string & nextHop)977 binder::Status NetdNativeService::networkRemoveRoute(int32_t netId, const std::string& ifName,
978 const std::string& destination,
979 const std::string& nextHop) {
980 ENFORCE_NETWORK_STACK_PERMISSIONS();
981 bool legacy = false;
982 uid_t uid = 0; // UID is only meaningful for legacy routes.
983 int res = gCtls->netCtrl.removeRoute(netId, ifName.c_str(), destination.c_str(),
984 nextHop.empty() ? nullptr : nextHop.c_str(), legacy, uid);
985 return statusFromErrcode(res);
986 }
987
networkAddLegacyRoute(int32_t netId,const std::string & ifName,const std::string & destination,const std::string & nextHop,int32_t uid)988 binder::Status NetdNativeService::networkAddLegacyRoute(int32_t netId, const std::string& ifName,
989 const std::string& destination,
990 const std::string& nextHop, int32_t uid) {
991 ENFORCE_NETWORK_STACK_PERMISSIONS();
992 bool legacy = true;
993 int res = gCtls->netCtrl.addRoute(netId, ifName.c_str(), destination.c_str(),
994 nextHop.empty() ? nullptr : nextHop.c_str(), legacy,
995 (uid_t)uid, 0);
996 return statusFromErrcode(res);
997 }
998
networkRemoveLegacyRoute(int32_t netId,const std::string & ifName,const std::string & destination,const std::string & nextHop,int32_t uid)999 binder::Status NetdNativeService::networkRemoveLegacyRoute(int32_t netId, const std::string& ifName,
1000 const std::string& destination,
1001 const std::string& nextHop,
1002 int32_t uid) {
1003 ENFORCE_NETWORK_STACK_PERMISSIONS();
1004 bool legacy = true;
1005 int res = gCtls->netCtrl.removeRoute(netId, ifName.c_str(), destination.c_str(),
1006 nextHop.empty() ? nullptr : nextHop.c_str(), legacy,
1007 (uid_t) uid);
1008 return statusFromErrcode(res);
1009 }
1010
networkGetDefault(int32_t * netId)1011 binder::Status NetdNativeService::networkGetDefault(int32_t* netId) {
1012 ENFORCE_NETWORK_STACK_PERMISSIONS();
1013 *netId = gCtls->netCtrl.getDefaultNetwork();
1014 return binder::Status::ok();
1015 }
1016
networkSetDefault(int32_t netId)1017 binder::Status NetdNativeService::networkSetDefault(int32_t netId) {
1018 ENFORCE_NETWORK_STACK_PERMISSIONS();
1019 int res = gCtls->netCtrl.setDefaultNetwork(netId);
1020 return statusFromErrcode(res);
1021 }
1022
networkClearDefault()1023 binder::Status NetdNativeService::networkClearDefault() {
1024 ENFORCE_NETWORK_STACK_PERMISSIONS();
1025 unsigned netId = NETID_UNSET;
1026 int res = gCtls->netCtrl.setDefaultNetwork(netId);
1027 return statusFromErrcode(res);
1028 }
1029
intsToUids(const std::vector<int32_t> & intUids)1030 std::vector<uid_t> NetdNativeService::intsToUids(const std::vector<int32_t>& intUids) {
1031 return {begin(intUids), end(intUids)};
1032 }
1033
convertPermission(int32_t permission)1034 Permission NetdNativeService::convertPermission(int32_t permission) {
1035 switch (permission) {
1036 case INetd::PERMISSION_NETWORK:
1037 return Permission::PERMISSION_NETWORK;
1038 case INetd::PERMISSION_SYSTEM:
1039 return Permission::PERMISSION_SYSTEM;
1040 default:
1041 return Permission::PERMISSION_NONE;
1042 }
1043 }
1044
networkSetPermissionForNetwork(int32_t netId,int32_t permission)1045 binder::Status NetdNativeService::networkSetPermissionForNetwork(int32_t netId,
1046 int32_t permission) {
1047 ENFORCE_NETWORK_STACK_PERMISSIONS();
1048 std::vector<unsigned> netIds = {(unsigned) netId};
1049 int res = gCtls->netCtrl.setPermissionForNetworks(convertPermission(permission), netIds);
1050 return statusFromErrcode(res);
1051 }
1052
networkSetPermissionForUser(int32_t permission,const std::vector<int32_t> & uids)1053 binder::Status NetdNativeService::networkSetPermissionForUser(int32_t permission,
1054 const std::vector<int32_t>& uids) {
1055 ENFORCE_NETWORK_STACK_PERMISSIONS();
1056 gCtls->netCtrl.setPermissionForUsers(convertPermission(permission), intsToUids(uids));
1057 return binder::Status::ok();
1058 }
1059
networkClearPermissionForUser(const std::vector<int32_t> & uids)1060 binder::Status NetdNativeService::networkClearPermissionForUser(const std::vector<int32_t>& uids) {
1061 ENFORCE_NETWORK_STACK_PERMISSIONS();
1062 Permission permission = Permission::PERMISSION_NONE;
1063 gCtls->netCtrl.setPermissionForUsers(permission, intsToUids(uids));
1064 return binder::Status::ok();
1065 }
1066
networkSetProtectAllow(int32_t uid)1067 binder::Status NetdNativeService::networkSetProtectAllow(int32_t uid) {
1068 ENFORCE_NETWORK_STACK_PERMISSIONS();
1069 gCtls->netCtrl.allowProtect((uid_t)uid, NETID_UNSET);
1070 return binder::Status::ok();
1071 }
1072
networkSetProtectDeny(int32_t uid)1073 binder::Status NetdNativeService::networkSetProtectDeny(int32_t uid) {
1074 ENFORCE_NETWORK_STACK_PERMISSIONS();
1075 gCtls->netCtrl.denyProtect((uid_t)uid, NETID_UNSET);
1076 return binder::Status::ok();
1077 }
1078
networkCanProtect(int32_t uid,bool * ret)1079 binder::Status NetdNativeService::networkCanProtect(int32_t uid, bool* ret) {
1080 ENFORCE_NETWORK_STACK_PERMISSIONS();
1081 *ret = gCtls->netCtrl.canProtect((uid_t)uid, NETID_UNSET);
1082 return binder::Status::ok();
1083 }
1084
networkAllowBypassVpnOnNetwork(bool allow,int32_t uid,int32_t netId)1085 binder::Status NetdNativeService::networkAllowBypassVpnOnNetwork(bool allow, int32_t uid,
1086 int32_t netId) {
1087 ENFORCE_NETWORK_STACK_PERMISSIONS();
1088 int err;
1089 if (allow) {
1090 err = gCtls->netCtrl.allowProtect((uid_t)uid, netId);
1091 } else {
1092 err = gCtls->netCtrl.denyProtect((uid_t)uid, netId);
1093 }
1094 return statusFromErrcode(err);
1095 }
1096
trafficSetNetPermForUids(int32_t,const std::vector<int32_t> &)1097 binder::Status NetdNativeService::trafficSetNetPermForUids(int32_t, const std::vector<int32_t>&) {
1098 DEPRECATED;
1099 }
1100
firewallSetFirewallType(int32_t firewallType)1101 binder::Status NetdNativeService::firewallSetFirewallType(int32_t firewallType) {
1102 NETD_LOCKING_RPC(gCtls->firewallCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
1103 auto type = static_cast<FirewallType>(firewallType);
1104
1105 int res = gCtls->firewallCtrl.setFirewallType(type);
1106 return statusFromErrcode(res);
1107 }
1108
firewallSetInterfaceRule(const std::string & ifName,int32_t firewallRule)1109 binder::Status NetdNativeService::firewallSetInterfaceRule(const std::string& ifName,
1110 int32_t firewallRule) {
1111 NETD_LOCKING_RPC(gCtls->firewallCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
1112 auto rule = static_cast<FirewallRule>(firewallRule);
1113
1114 int res = gCtls->firewallCtrl.setInterfaceRule(ifName.c_str(), rule);
1115 return statusFromErrcode(res);
1116 }
1117
firewallSetUidRule(int32_t,int32_t,int32_t)1118 binder::Status NetdNativeService::firewallSetUidRule(int32_t, int32_t, int32_t) {
1119 DEPRECATED;
1120 }
1121
firewallEnableChildChain(int32_t,bool)1122 binder::Status NetdNativeService::firewallEnableChildChain(int32_t, bool) {
1123 DEPRECATED;
1124 }
1125
firewallAddUidInterfaceRules(const std::string &,const std::vector<int32_t> &)1126 binder::Status NetdNativeService::firewallAddUidInterfaceRules(const std::string&,
1127 const std::vector<int32_t>&) {
1128 DEPRECATED;
1129 }
1130
firewallRemoveUidInterfaceRules(const std::vector<int32_t> &)1131 binder::Status NetdNativeService::firewallRemoveUidInterfaceRules(const std::vector<int32_t>&) {
1132 DEPRECATED;
1133 }
1134
tetherAddForward(const std::string & intIface,const std::string & extIface)1135 binder::Status NetdNativeService::tetherAddForward(const std::string& intIface,
1136 const std::string& extIface) {
1137 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
1138
1139 int res = gCtls->tetherCtrl.enableNat(intIface.c_str(), extIface.c_str());
1140 return statusFromErrcode(res);
1141 }
1142
tetherRemoveForward(const std::string & intIface,const std::string & extIface)1143 binder::Status NetdNativeService::tetherRemoveForward(const std::string& intIface,
1144 const std::string& extIface) {
1145 NETD_LOCKING_RPC(gCtls->tetherCtrl.lock, PERM_NETWORK_STACK, PERM_MAINLINE_NETWORK_STACK);
1146 int res = gCtls->tetherCtrl.disableNat(intIface.c_str(), extIface.c_str());
1147 return statusFromErrcode(res);
1148 }
1149
setTcpRWmemorySize(const std::string & rmemValues,const std::string & wmemValues)1150 binder::Status NetdNativeService::setTcpRWmemorySize(const std::string& rmemValues,
1151 const std::string& wmemValues) {
1152 ENFORCE_NETWORK_STACK_PERMISSIONS();
1153 if (!WriteStringToFile(rmemValues, TCP_RMEM_PROC_FILE)) {
1154 int ret = -errno;
1155 return statusFromErrcode(ret);
1156 }
1157
1158 if (!WriteStringToFile(wmemValues, TCP_WMEM_PROC_FILE)) {
1159 int ret = -errno;
1160 return statusFromErrcode(ret);
1161 }
1162 return binder::Status::ok();
1163 }
1164
registerUnsolicitedEventListener(const android::sp<android::net::INetdUnsolicitedEventListener> & listener)1165 binder::Status NetdNativeService::registerUnsolicitedEventListener(
1166 const android::sp<android::net::INetdUnsolicitedEventListener>& listener) {
1167 ENFORCE_NETWORK_STACK_PERMISSIONS();
1168 gCtls->eventReporter.registerUnsolEventListener(listener);
1169 return binder::Status::ok();
1170 }
1171
getOemNetd(android::sp<android::IBinder> * listener)1172 binder::Status NetdNativeService::getOemNetd(android::sp<android::IBinder>* listener) {
1173 ENFORCE_NETWORK_STACK_PERMISSIONS();
1174 *listener = com::android::internal::net::OemNetdListener::getListener();
1175
1176 return binder::Status::ok();
1177 }
1178
getFwmarkForNetwork(int32_t netId,MarkMaskParcel * markMask)1179 binder::Status NetdNativeService::getFwmarkForNetwork(int32_t netId, MarkMaskParcel* markMask) {
1180 ENFORCE_NETWORK_STACK_PERMISSIONS();
1181
1182 Fwmark fwmark;
1183 fwmark.netId = netId;
1184 markMask->mask = FWMARK_NET_ID_MASK;
1185 markMask->mark = fwmark.intValue;
1186 return binder::Status::ok();
1187 }
1188
tetherOffloadRuleAdd(const TetherOffloadRuleParcel &)1189 binder::Status NetdNativeService::tetherOffloadRuleAdd(const TetherOffloadRuleParcel& /* rule */) {
1190 DEPRECATED;
1191 }
1192
tetherOffloadRuleRemove(const TetherOffloadRuleParcel &)1193 binder::Status NetdNativeService::tetherOffloadRuleRemove(
1194 const TetherOffloadRuleParcel& /* rule */) {
1195 DEPRECATED;
1196 }
1197
tetherOffloadGetStats(std::vector<TetherStatsParcel> *)1198 binder::Status NetdNativeService::tetherOffloadGetStats(
1199 std::vector<TetherStatsParcel>* /* tetherStatsParcelVec */) {
1200 DEPRECATED;
1201 }
1202
tetherOffloadSetInterfaceQuota(int,int64_t)1203 binder::Status NetdNativeService::tetherOffloadSetInterfaceQuota(int /* ifIndex */,
1204 int64_t /* quotaBytes */) {
1205 DEPRECATED;
1206 }
1207
tetherOffloadGetAndClearStats(int,android::net::TetherStatsParcel *)1208 binder::Status NetdNativeService::tetherOffloadGetAndClearStats(
1209 int /* ifIndex */, android::net::TetherStatsParcel* /* tetherStats */) {
1210 DEPRECATED;
1211 }
1212
setNetworkAllowlist(const std::vector<NativeUidRangeConfig> & rangeConfigs)1213 binder::Status NetdNativeService::setNetworkAllowlist(
1214 const std::vector<NativeUidRangeConfig>& rangeConfigs) {
1215 ENFORCE_NETWORK_STACK_PERMISSIONS();
1216 return statusFromErrcode(gCtls->netCtrl.setNetworkAllowlist(rangeConfigs));
1217 }
1218
1219 } // namespace net
1220 } // namespace android
1221