1 /** 2 * Copyright (c) 2016, The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.net; 18 19 import android.net.UidRange; 20 21 /** {@hide} */ 22 interface INetd { 23 /** 24 * Returns true if the service is responding. 25 */ isAlive()26 boolean isAlive(); 27 28 /** 29 * Replaces the contents of the specified UID-based firewall chain. 30 * 31 * The chain may be a whitelist chain or a blacklist chain. A blacklist chain contains DROP 32 * rules for the specified UIDs and a RETURN rule at the end. A whitelist chain contains RETURN 33 * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for for the specified 34 * UIDs, and a DROP rule at the end. The chain will be created if it does not exist. 35 * 36 * @param chainName The name of the chain to replace. 37 * @param isWhitelist Whether this is a whitelist or blacklist chain. 38 * @param uids The list of UIDs to allow/deny. 39 * @return true if the chain was successfully replaced, false otherwise. 40 */ firewallReplaceUidChain(String chainName, boolean isWhitelist, in int[] uids)41 boolean firewallReplaceUidChain(String chainName, boolean isWhitelist, in int[] uids); 42 43 /** 44 * Enables or disables data saver mode on costly network interfaces. 45 * 46 * - When disabled, all packets to/from apps in the penalty box chain are rejected on costly 47 * interfaces. Traffic to/from other apps or on other network interfaces is allowed. 48 * - When enabled, only apps that are in the happy box chain and not in the penalty box chain 49 * are allowed network connectivity on costly interfaces. All other packets on these 50 * interfaces are rejected. The happy box chain always contains all system UIDs; to disallow 51 * traffic from system UIDs, place them in the penalty box chain. 52 * 53 * By default, data saver mode is disabled. This command has no effect but might still return an 54 * error) if {@code enable} is the same as the current value. 55 * 56 * @param enable whether to enable or disable data saver mode. 57 * @return true if the if the operation was successful, false otherwise. 58 */ bandwidthEnableDataSaver(boolean enable)59 boolean bandwidthEnableDataSaver(boolean enable); 60 61 /** 62 * Adds or removes one rule for each supplied UID range to prohibit all network activity outside 63 * of secure VPN. 64 * 65 * When a UID is covered by one of these rules, traffic sent through any socket that is not 66 * protected or explicitly overriden by the system will be rejected. The kernel will respond 67 * with an ICMP prohibit message. 68 * 69 * Initially, there are no such rules. Any rules that are added will only last until the next 70 * restart of netd or the device. 71 * 72 * @param add {@code true} if the specified UID ranges should be denied access to any network 73 * which is not secure VPN by adding rules, {@code false} to remove existing rules. 74 * @param uidRanges a set of non-overlapping, contiguous ranges of UIDs to which to apply or 75 * remove this restriction. 76 * <p> Added rules should not overlap with existing rules. Likewise, removed rules should 77 * each correspond to an existing rule. 78 * 79 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 80 * unix errno. 81 */ networkRejectNonSecureVpn(boolean add, in UidRange[] uidRanges)82 void networkRejectNonSecureVpn(boolean add, in UidRange[] uidRanges); 83 84 /** 85 * Administratively closes sockets belonging to the specified UIDs. 86 */ socketDestroy(in UidRange[] uidRanges, in int[] exemptUids)87 void socketDestroy(in UidRange[] uidRanges, in int[] exemptUids); 88 89 // Array indices for resolver parameters. 90 const int RESOLVER_PARAMS_SAMPLE_VALIDITY = 0; 91 const int RESOLVER_PARAMS_SUCCESS_THRESHOLD = 1; 92 const int RESOLVER_PARAMS_MIN_SAMPLES = 2; 93 const int RESOLVER_PARAMS_MAX_SAMPLES = 3; 94 const int RESOLVER_PARAMS_COUNT = 4; 95 96 /** 97 * Sets the name servers, search domains and resolver params for the given network. Flushes the 98 * cache as needed (i.e. when the servers or the number of samples to store changes). 99 * 100 * @param netId the network ID of the network for which information should be configured. 101 * @param servers the DNS servers to configure for the network. 102 * @param domains the search domains to configure. 103 * @param params the params to set. This array contains RESOLVER_PARAMS_COUNT integers that 104 * encode the contents of Bionic's __res_params struct, i.e. sample_validity is stored at 105 * position RESOLVER_PARAMS_SAMPLE_VALIDITY, etc. 106 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 107 * unix errno. 108 */ setResolverConfiguration(int netId, in @utf8InCpp String[] servers, in @utf8InCpp String[] domains, in int[] params)109 void setResolverConfiguration(int netId, in @utf8InCpp String[] servers, 110 in @utf8InCpp String[] domains, in int[] params); 111 112 // Array indices for resolver stats. 113 const int RESOLVER_STATS_SUCCESSES = 0; 114 const int RESOLVER_STATS_ERRORS = 1; 115 const int RESOLVER_STATS_TIMEOUTS = 2; 116 const int RESOLVER_STATS_INTERNAL_ERRORS = 3; 117 const int RESOLVER_STATS_RTT_AVG = 4; 118 const int RESOLVER_STATS_LAST_SAMPLE_TIME = 5; 119 const int RESOLVER_STATS_USABLE = 6; 120 const int RESOLVER_STATS_COUNT = 7; 121 122 /** 123 * Retrieves the name servers, search domains and resolver stats associated with the given 124 * network ID. 125 * 126 * @param netId the network ID of the network for which information should be retrieved. 127 * @param servers the DNS servers that are currently configured for the network. 128 * @param domains the search domains currently configured. 129 * @param params the resolver parameters configured, i.e. the contents of __res_params in order. 130 * @param stats the stats for each server in the order specified by RESOLVER_STATS_XXX 131 * constants, serialized as an int array. The contents of this array are the number of 132 * <ul> 133 * <li> successes, 134 * <li> errors, 135 * <li> timeouts, 136 * <li> internal errors, 137 * <li> the RTT average, 138 * <li> the time of the last recorded sample, 139 * <li> and an integer indicating whether the server is usable (1) or broken (0). 140 * </ul> 141 * in this order. For example, the timeout counter for server N is stored at position 142 * RESOLVER_STATS_COUNT*N + RESOLVER_STATS_TIMEOUTS 143 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 144 * unix errno. 145 */ getResolverInfo(int netId, out @utf8InCpp String[] servers, out @utf8InCpp String[] domains, out int[] params, out int[] stats)146 void getResolverInfo(int netId, out @utf8InCpp String[] servers, 147 out @utf8InCpp String[] domains, out int[] params, out int[] stats); 148 149 // Private DNS function error codes. 150 const int PRIVATE_DNS_SUCCESS = 0; 151 const int PRIVATE_DNS_BAD_ADDRESS = 1; 152 const int PRIVATE_DNS_BAD_PORT = 2; 153 const int PRIVATE_DNS_UNKNOWN_ALGORITHM = 3; 154 const int PRIVATE_DNS_BAD_FINGERPRINT = 4; 155 156 /** 157 * Adds a server to the list of DNS resolvers that support DNS over TLS. After this action 158 * succeeds, any subsequent call to setResolverConfiguration will opportunistically use DNS 159 * over TLS if the specified server is on this list and is reachable on that network. 160 * 161 * @param server the DNS server's IP address. If a private DNS server is already configured 162 * with this IP address, it will be overwritten. 163 * @param port the port on which the server is listening, typically 853. 164 * @param fingerprintAlgorithm the hash algorithm used to compute the fingerprints. This should 165 * be a name in MessageDigest's format. Currently "SHA-256" is the only supported 166 * algorithm. Set this to the empty string to disable fingerprint validation. 167 * @param fingerprints the server's public key fingerprints as Base64 strings. 168 * These can be generated using MessageDigest and android.util.Base64.encodeToString. 169 * Currently "SHA-256" is the only supported algorithm. Set this to empty to disable 170 * fingerprint validation. 171 * @throws ServiceSpecificException in case of failure, with an error code indicating the 172 * cause of the the failure. 173 */ addPrivateDnsServer(in @tf8InCpp String server, int port, in @utf8InCpp String fingerprintAlgorithm, in @utf8InCpp String[] fingerprints)174 void addPrivateDnsServer(in @utf8InCpp String server, int port, 175 in @utf8InCpp String fingerprintAlgorithm, in @utf8InCpp String[] fingerprints); 176 177 /** 178 * Remove a server from the list of DNS resolvers that support DNS over TLS. 179 * 180 * @param server the DNS server's IP address. 181 * @throws ServiceSpecificException in case of failure, with an error code indicating the 182 * cause of the the failure. 183 */ removePrivateDnsServer(in @tf8InCpp String server)184 void removePrivateDnsServer(in @utf8InCpp String server); 185 186 /** 187 * Instruct the tethering DNS server to reevaluated serving interfaces. 188 * This is needed to for the DNS server to observe changes in the set 189 * of potential listening IP addresses. (Listening on wildcard addresses 190 * can turn the device into an open resolver; b/7530468) 191 * 192 * TODO: Return something richer than just a boolean. 193 */ tetherApplyDnsInterfaces()194 boolean tetherApplyDnsInterfaces(); 195 196 /** 197 * Add/Remove and IP address from an interface. 198 * 199 * @param ifName the interface name 200 * @param addrString the IP address to add/remove as a string literal 201 * @param prefixLength the prefix length associated with this IP address 202 * 203 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 204 * unix errno. 205 */ interfaceAddAddress(in @tf8InCpp String ifName, in @utf8InCpp String addrString, int prefixLength)206 void interfaceAddAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString, 207 int prefixLength); interfaceDelAddress(in @tf8InCpp String ifName, in @utf8InCpp String addrString, int prefixLength)208 void interfaceDelAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString, 209 int prefixLength); 210 211 /** 212 * Set and get /proc/sys/net interface configuration parameters. 213 * 214 * @param family One of IPV4/IPV6 integers, indicating the desired address family directory. 215 * @param which One of CONF/NEIGH integers, indicating the desired parameter category directory. 216 * @param ifname The interface name portion of the path; may also be "all" or "default". 217 * @param parameter The parameter name portion of the path. 218 * @param value The value string to be written into the assembled path. 219 */ 220 221 const int IPV4 = 4; 222 const int IPV6 = 6; 223 const int CONF = 1; 224 const int NEIGH = 2; setProcSysNet(int family, int which, in @utf8InCpp String ifname, in @utf8InCpp String parameter, in @utf8InCpp String value)225 void setProcSysNet(int family, int which, in @utf8InCpp String ifname, 226 in @utf8InCpp String parameter, in @utf8InCpp String value); 227 // TODO: add corresponding getProcSysNet(). 228 229 /** 230 * Get/Set metrics reporting level. 231 * 232 * Reporting level is one of: 233 * 0 (NONE) 234 * 1 (METRICS) 235 * 2 (FULL) 236 */ getMetricsReportingLevel()237 int getMetricsReportingLevel(); setMetricsReportingLevel(int level)238 void setMetricsReportingLevel(int level); 239 240 /** 241 * Reserve an SPI from the kernel 242 * 243 * @param transformId a unique identifier for allocated resources 244 * @param direction DIRECTION_IN or DIRECTION_OUT 245 * @param localAddress InetAddress as string for the local endpoint 246 * @param remoteAddress InetAddress as string for the remote endpoint 247 * @param spi a requested 32-bit unique ID or 0 to request random allocation 248 * @return the SPI that was allocated or 0 if failed 249 */ ipSecAllocateSpi( int transformId, int direction, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, int spi)250 int ipSecAllocateSpi( 251 int transformId, 252 int direction, 253 in @utf8InCpp String localAddress, 254 in @utf8InCpp String remoteAddress, 255 int spi); 256 257 /** 258 * Create an IpSec Security Association describing how ip(v6) traffic will be encrypted 259 * or decrypted. 260 * 261 * @param transformId a unique identifier for allocated resources 262 * @param mode either Transport or Tunnel mode 263 * @param direction DIRECTION_IN or DIRECTION_OUT 264 * @param localAddress InetAddress as string for the local endpoint 265 * @param remoteAddress InetAddress as string for the remote endpoint 266 * @param underlyingNetworkHandle the networkHandle of the network to which the SA is applied 267 * @param spi a 32-bit unique ID allocated to the user 268 * @param authAlgo a string identifying the authentication algorithm to be used 269 * @param authKey a byte array containing the authentication key 270 * @param authTruncBits the truncation length of the MAC produced by the authentication algorithm 271 * @param cryptAlgo a string identifying the encryption algorithm to be used 272 * @param cryptKey a byte arrray containing the encryption key 273 * @param cryptTruncBits unused parameter 274 * @param encapType encapsulation type used (if any) for the udp encap socket 275 * @param encapLocalPort the port number on the host to be used in encap packets 276 * @param encapRemotePort the port number of the remote to be used for encap packets 277 */ ipSecAddSecurityAssociation( int transformId, int mode, int direction, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, long underlyingNetworkHandle, int spi, in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits, in @utf8InCpp String cryptAlgo, in byte[] cryptKey, in int cryptTruncBits, int encapType, int encapLocalPort, int encapRemotePort)278 void ipSecAddSecurityAssociation( 279 int transformId, 280 int mode, 281 int direction, 282 in @utf8InCpp String localAddress, 283 in @utf8InCpp String remoteAddress, 284 long underlyingNetworkHandle, 285 int spi, 286 in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits, 287 in @utf8InCpp String cryptAlgo, in byte[] cryptKey, in int cryptTruncBits, 288 int encapType, 289 int encapLocalPort, 290 int encapRemotePort); 291 292 /** 293 * Delete a previously created security association identified by the provided parameters 294 * 295 * @param transformId a unique identifier for allocated resources 296 * @param direction DIRECTION_IN or DIRECTION_OUT 297 * @param localAddress InetAddress as string for the local endpoint 298 * @param remoteAddress InetAddress as string for the remote endpoint 299 * @param spi a requested 32-bit unique ID allocated to the user 300 */ ipSecDeleteSecurityAssociation( int transformId, int direction, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, int spi)301 void ipSecDeleteSecurityAssociation( 302 int transformId, 303 int direction, 304 in @utf8InCpp String localAddress, 305 in @utf8InCpp String remoteAddress, 306 int spi); 307 308 /** 309 * Apply a previously created SA to a specified socket, starting IPsec on that socket 310 * 311 * @param socket a user-provided socket that will have IPsec applied 312 * @param transformId a unique identifier for allocated resources 313 * @param direction DIRECTION_IN or DIRECTION_OUT 314 * @param localAddress InetAddress as string for the local endpoint 315 * @param remoteAddress InetAddress as string for the remote endpoint 316 * @param spi a 32-bit unique ID allocated to the user (socket owner) 317 */ ipSecApplyTransportModeTransform( in FileDescriptor socket, int transformId, int direction, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, int spi)318 void ipSecApplyTransportModeTransform( 319 in FileDescriptor socket, 320 int transformId, 321 int direction, 322 in @utf8InCpp String localAddress, 323 in @utf8InCpp String remoteAddress, 324 int spi); 325 326 /** 327 * Remove an IPsec SA from a given socket. This will allow unencrypted traffic to flow 328 * on that socket if a transform had been previously applied. 329 * 330 * @param socket a user-provided socket from which to remove any IPsec configuration 331 */ ipSecRemoveTransportModeTransform( in FileDescriptor socket)332 void ipSecRemoveTransportModeTransform( 333 in FileDescriptor socket); 334 335 /** 336 * Request notification of wakeup packets arriving on an interface. Notifications will be 337 * delivered to INetdEventListener.onWakeupEvent(). 338 * 339 * @param ifName the interface 340 * @param prefix arbitrary string used to identify wakeup sources in onWakeupEvent 341 */ wakeupAddInterface(in @tf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask)342 void wakeupAddInterface(in @utf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask); 343 344 /** 345 * Stop notification of wakeup packets arriving on an interface. 346 * 347 * @param ifName the interface 348 * @param prefix arbitrary string used to identify wakeup sources in onWakeupEvent 349 */ wakeupDelInterface(in @tf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask)350 void wakeupDelInterface(in @utf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask); 351 352 const int IPV6_ADDR_GEN_MODE_EUI64 = 0; 353 const int IPV6_ADDR_GEN_MODE_NONE = 1; 354 const int IPV6_ADDR_GEN_MODE_STABLE_PRIVACY = 2; 355 const int IPV6_ADDR_GEN_MODE_RANDOM = 3; 356 357 const int IPV6_ADDR_GEN_MODE_DEFAULT = 0; 358 /** 359 * Set IPv6 address generation mode. IPv6 should be disabled before changing mode. 360 * 361 * @param mode SLAAC address generation mechanism to use 362 */ setIPv6AddrGenMode(in @tf8InCpp String ifName, int mode)363 void setIPv6AddrGenMode(in @utf8InCpp String ifName, int mode); 364 } 365