1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "FwmarkServer.h"
18
19 #include "Fwmark.h"
20 #include "FwmarkCommand.h"
21 #include "NetworkController.h"
22 #include "resolv_netid.h"
23
24 #include <sys/socket.h>
25 #include <unistd.h>
26
FwmarkServer(NetworkController * networkController)27 FwmarkServer::FwmarkServer(NetworkController* networkController) :
28 SocketListener("fwmarkd", true), mNetworkController(networkController) {
29 }
30
onDataAvailable(SocketClient * client)31 bool FwmarkServer::onDataAvailable(SocketClient* client) {
32 int socketFd = -1;
33 int error = processClient(client, &socketFd);
34 if (socketFd >= 0) {
35 close(socketFd);
36 }
37
38 // Always send a response even if there were connection errors or read errors, so that we don't
39 // inadvertently cause the client to hang (which always waits for a response).
40 client->sendData(&error, sizeof(error));
41
42 // Always close the client connection (by returning false). This prevents a DoS attack where
43 // the client issues multiple commands on the same connection, never reading the responses,
44 // causing its receive buffer to fill up, and thus causing our client->sendData() to block.
45 return false;
46 }
47
processClient(SocketClient * client,int * socketFd)48 int FwmarkServer::processClient(SocketClient* client, int* socketFd) {
49 FwmarkCommand command;
50
51 iovec iov;
52 iov.iov_base = &command;
53 iov.iov_len = sizeof(command);
54
55 msghdr message;
56 memset(&message, 0, sizeof(message));
57 message.msg_iov = &iov;
58 message.msg_iovlen = 1;
59
60 union {
61 cmsghdr cmh;
62 char cmsg[CMSG_SPACE(sizeof(*socketFd))];
63 } cmsgu;
64
65 memset(cmsgu.cmsg, 0, sizeof(cmsgu.cmsg));
66 message.msg_control = cmsgu.cmsg;
67 message.msg_controllen = sizeof(cmsgu.cmsg);
68
69 int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, 0));
70 if (messageLength <= 0) {
71 return -errno;
72 }
73
74 if (messageLength != sizeof(command)) {
75 return -EBADMSG;
76 }
77
78 cmsghdr* const cmsgh = CMSG_FIRSTHDR(&message);
79 if (cmsgh && cmsgh->cmsg_level == SOL_SOCKET && cmsgh->cmsg_type == SCM_RIGHTS &&
80 cmsgh->cmsg_len == CMSG_LEN(sizeof(*socketFd))) {
81 memcpy(socketFd, CMSG_DATA(cmsgh), sizeof(*socketFd));
82 }
83
84 if (*socketFd < 0) {
85 return -EBADF;
86 }
87
88 Fwmark fwmark;
89 socklen_t fwmarkLen = sizeof(fwmark.intValue);
90 if (getsockopt(*socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue, &fwmarkLen) == -1) {
91 return -errno;
92 }
93
94 Permission permission = mNetworkController->getPermissionForUser(client->getUid());
95
96 switch (command.cmdId) {
97 case FwmarkCommand::ON_ACCEPT: {
98 // Called after a socket accept(). The kernel would've marked the NetId and necessary
99 // permissions bits, so we just add the rest of the user's permissions here.
100 permission = static_cast<Permission>(permission | fwmark.permission);
101 break;
102 }
103
104 case FwmarkCommand::ON_CONNECT: {
105 // Called before a socket connect() happens. Set an appropriate NetId into the fwmark so
106 // that the socket routes consistently over that network. Do this even if the socket
107 // already has a NetId, so that calling connect() multiple times still works.
108 //
109 // But if the explicit bit was set, the existing NetId was explicitly preferred (and not
110 // a case of connect() being called multiple times). Don't reset the NetId in that case.
111 //
112 // An "appropriate" NetId is the NetId of a bypassable VPN that applies to the user, or
113 // failing that, the default network. We'll never set the NetId of a secure VPN here.
114 // See the comments in the implementation of getNetworkForConnect() for more details.
115 //
116 // If the protect bit is set, this could be either a system proxy (e.g.: the dns proxy
117 // or the download manager) acting on behalf of another user, or a VPN provider. If it's
118 // a proxy, we shouldn't reset the NetId. If it's a VPN provider, we should set the
119 // default network's NetId.
120 //
121 // There's no easy way to tell the difference between a proxy and a VPN app. We can't
122 // use PERMISSION_SYSTEM to identify the proxy because a VPN app may also have those
123 // permissions. So we use the following heuristic:
124 //
125 // If it's a proxy, but the existing NetId is not a VPN, that means the user (that the
126 // proxy is acting on behalf of) is not subject to a VPN, so the proxy must have picked
127 // the default network's NetId. So, it's okay to replace that with the current default
128 // network's NetId (which in all likelihood is the same).
129 //
130 // Conversely, if it's a VPN provider, the existing NetId cannot be a VPN. The only time
131 // we set a VPN's NetId into a socket without setting the explicit bit is here, in
132 // ON_CONNECT, but we won't do that if the socket has the protect bit set. If the VPN
133 // provider connect()ed (and got the VPN NetId set) and then called protect(), we
134 // would've unset the NetId in PROTECT_FROM_VPN below.
135 //
136 // So, overall (when the explicit bit is not set but the protect bit is set), if the
137 // existing NetId is a VPN, don't reset it. Else, set the default network's NetId.
138 if (!fwmark.explicitlySelected) {
139 if (!fwmark.protectedFromVpn) {
140 fwmark.netId = mNetworkController->getNetworkForConnect(client->getUid());
141 } else if (!mNetworkController->isVirtualNetwork(fwmark.netId)) {
142 fwmark.netId = mNetworkController->getDefaultNetwork();
143 }
144 }
145 break;
146 }
147
148 case FwmarkCommand::SELECT_NETWORK: {
149 fwmark.netId = command.netId;
150 if (command.netId == NETID_UNSET) {
151 fwmark.explicitlySelected = false;
152 fwmark.protectedFromVpn = false;
153 permission = PERMISSION_NONE;
154 } else {
155 if (int ret = mNetworkController->checkUserNetworkAccess(client->getUid(),
156 command.netId)) {
157 return ret;
158 }
159 fwmark.explicitlySelected = true;
160 fwmark.protectedFromVpn = mNetworkController->canProtect(client->getUid());
161 }
162 break;
163 }
164
165 case FwmarkCommand::PROTECT_FROM_VPN: {
166 if (!mNetworkController->canProtect(client->getUid())) {
167 return -EPERM;
168 }
169 // If a bypassable VPN's provider app calls connect() and then protect(), it will end up
170 // with a socket that looks like that of a system proxy but is not (see comments for
171 // ON_CONNECT above). So, reset the NetId.
172 //
173 // In any case, it's appropriate that if the socket has an implicit VPN NetId mark, the
174 // PROTECT_FROM_VPN command should unset it.
175 if (!fwmark.explicitlySelected && mNetworkController->isVirtualNetwork(fwmark.netId)) {
176 fwmark.netId = mNetworkController->getDefaultNetwork();
177 }
178 fwmark.protectedFromVpn = true;
179 permission = static_cast<Permission>(permission | fwmark.permission);
180 break;
181 }
182
183 case FwmarkCommand::SELECT_FOR_USER: {
184 if ((permission & PERMISSION_SYSTEM) != PERMISSION_SYSTEM) {
185 return -EPERM;
186 }
187 fwmark.netId = mNetworkController->getNetworkForUser(command.uid);
188 fwmark.protectedFromVpn = true;
189 break;
190 }
191
192 default: {
193 // unknown command
194 return -EPROTO;
195 }
196 }
197
198 fwmark.permission = permission;
199
200 if (setsockopt(*socketFd, SOL_SOCKET, SO_MARK, &fwmark.intValue,
201 sizeof(fwmark.intValue)) == -1) {
202 return -errno;
203 }
204
205 return 0;
206 }
207